
Hoping for some tips as to which type of NKE I should create. I'm looking to do iproute2-style routing of packets on OS X, or perhaps I should say "macOS". By default, on macOS, the "route" command appears to be limited to IP addresses. I'd like my routes to be based on ports.

To expand, I'm in a corporate network where only port 80 and 443 are allowed, but there's a second network that is very slow but allows all traffic. I'd like to direct all traffic on 80/443 over the faster corporate network and everything else over the slower network, with one exception: traffic that is trying to talk to the corporate network over its local network IP range. I know on a case-by-case basis I could configure my apps to use certain interfaces over others, and I could also use a proxy attached to an interface to "forward" traffic to another interface if it matches on a filter, but I've had issues in the past with memory/disk usage and local proxies.

So I had a crazy idea, since I can't modify macOS routing by port, what if I could make my own virtual network interface that would sit at the top of the service order and direct traffic? Presumably this means forwarding packets, possibly recreating them, and so I'm not 100% sure this is the best approach. Alternatively I could listen on an existing interface for traffic I want to redirect, and just modify those redirected packets to a different interface.

Reading NKE documentation, such as the NKE documentation on Apple's website, I'm finding myself in the same position as this unanswered poster to Apple's mailing list, in which I'm trying to figure out how to "design custom routing". The examples given tend to focus on firewalls or rewriting packets (like NAT) rather than re-assigning the interface to use. Even otherwise nice books cannot help me.

If this is possible with PF, I'd like to do it there, because not writing kernel extensions is safer. I'm also aware of IPNetSentryX but it's supposedly end-of-life, which means maybe it used IPFW after all? It says it used NKE though, so I presume it's possible?

Thoughts? I've searched GitHub but all I found were two repos for rooting a machine's network traffic, a bunch of VPN clones that use TunTap code, and this read-me on building an extension to listen for router advertisements. Sadly, no examples of routing, or of changing interfaces for traffic. Thoughts?

Update 1: Checked the docs on PF for BSD 4.3 and it doesn't appear to have what we'd need for routing. Looking at IPNetRouterX's help page on Alternate Routes, it looks like I'd want to use an Apple Network Kext Interface Filter.

Update 2: There are 3 relevant talks from WWDC on Kext development, at least of those online since roughly 2010:

  • WWDC 2010 Session 203 I/O Kit Device Drivers for Mac OS X
  • WWDC 2013 Session 707 What’s New in Kext Development (the last third covers new debugging flags & changes in 10.9)
  • WWDC 2015 Session 706 Security and Your Apps (which briefly mentions kexts)

Given how much work it is to maintain a second VM for testing kexts, I'm not sure I want to go through with this in a kext. It's effectively just a line or two under Linux with the iproute2 userspace tools, but it seems impossible on a Mac without kernel development. This is basically the first time I've been annoyed at my choice of OS X over Linux on a desktop computer.

Still, if anyone has any development pointers on kext-based network routing on macOS, I'm all ears. This might make a fun weekend project just to see if I can do it.

Louis St-Amour
  • Hi, I am stuck in a similar situation where I have to forward packets to a different interface. Have you found any solution? Thanks. – Dawood Mujib Jul 05 '16 at 10:48
  • @DawoodMujib: I ended up using an [EdgeRouter X](https://www.ubnt.com/edgemax/edgerouter-x/) hooked up to a wifi hotspot to share the connection amongst the Macs. – Louis St-Amour Jul 06 '16 at 04:11

0 Answers
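For reference, here is what the PF approach the poster says they would prefer looks like in macOS pf.conf syntax. This is an added example, not code from the poster or from any of the projects mentioned above. It relies on PF's `route-to` option, which macOS inherited from OpenBSD's PF and which selects the outgoing interface and next hop per rule. The interface names, the slow link's gateway, the corporate address range and the anchor file path are all assumptions; the corporate link is assumed to hold the default route.

```pf
# /etc/pf.anchors/portroute  -- added example; every name and address below is assumed
corp_if  = "en0"            # fast corporate link, holds the default route
slow_if  = "en1"            # slow link that allows all traffic
slow_gw  = "192.168.2.1"    # next hop on the slow link (assumption)
corp_net = "10.0.0.0/8"     # corporate address range (assumption)

set skip on lo0

# Translation rules must precede filter rules in this PF syntax.
# Packets rerouted to the slow link still carry corp_if's source address
# (the kernel chose it before PF saw the packet), so rewrite it to the
# slow link's own address or replies will never come back on that link.
nat on $slow_if from ($corp_if) to any -> ($slow_if)

# 1. Anything addressed to the corporate range stays on the corporate link.
pass out quick on $corp_if to $corp_net keep state

# 2. Web traffic stays on the corporate link as well (the only ports it allows).
pass out quick on $corp_if proto tcp to port { 80, 443 } keep state

# 3. Everything else that would have left via the default route is handed
#    to the slow link and its gateway instead of the routing table's choice.
pass out on $corp_if route-to ($slow_if $slow_gw) keep state
```

Check the syntax without loading it with `sudo pfctl -nf /etc/pf.anchors/portroute`, then load it and enable PF with `sudo pfctl -f /etc/pf.anchors/portroute` and `sudo pfctl -e` (loading a file directly replaces the whole ruleset, so on a production machine reference it as an anchor from /etc/pf.conf instead). `route-to` only affects new states, so flush existing ones with `sudo pfctl -F states` after loading, and confirm with `sudo tcpdump -i en1` that the rerouted flows leave with the slow link's address; whether the NAT rewrite is applied to the rerouted packets on a given macOS release is the one part worth verifying rather than assuming.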