Changing a packet's interface using NKE

I am developing a VPN application, and I want to route specific applications away from the default en0 interface. I was wondering if I can achieve this using NKE?

Let's say all the data from Safari goes through the ppp0 interface, and all the data from Chrome goes through en0.

kernel sockets macos kernel-extension

1 answer

I can't give you a 100% answer, since I have never had to solve this specific problem before, and it seems that this is not documented anywhere. I can point you to some things on which I would focus my research if I were asked to implement such functionality.

  • Starting with WWDC 2017, network kernel extensions are deprecated. Apple wants you to create Network Extensions in user space. There are special VPN classes that you can implement. In theory this allows rules per application (see "Per-App VPN"), but in practice they seem to be tied to MDM, which seems like a strange solution. You can contact Apple about changing this if it runs counter to what you are trying to do; they actively request input on the Network Extension API.
  • Network Kernel Extensions (NKEs) are a more mature API. Routing occurs between the IP filter and interface filter steps. I'm not sure that you can directly influence it through any of these filtering steps. Perhaps removing packets with the interface filter on the default interface and injecting them into your VPN interface? However, I'm not sure this is reasonable, and you might have problems matching packets to the process that sent them at this point in the network stack.
  • You can try to bind a socket to a specific interface (using IP_BOUND_IF) from the NKE socket filter.
  • The Berkeley Packet Filter (BPF) is also a feasible solution.
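As an added illustration of the IP_BOUND_IF idea from the answer (this is example code, not from the answer's author or from Apple), the user-space form of pinning a socket to one interface by index, so a given application's traffic leaves via ppp0 rather than the default en0. The SO_BINDTODEVICE fallback for Linux is an assumption added so the example builds on both platforms.

```c
#include <errno.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Pin one socket to one interface so its packets cannot leave via the default
 * route. On macOS this is IP_BOUND_IF / IPV6_BOUND_IF, which take an interface
 * index (hence if_nametoindex). The Linux branch using SO_BINDTODEVICE (by
 * name) is an assumption for portability of this example, not part of the
 * original answer. Returns 0 on success, -1 on failure with errno set. */
int bind_socket_to_interface(int fd, int family, const char *ifname)
{
    unsigned int ifindex = if_nametoindex(ifname);
    if (ifindex == 0) {            /* unknown interface name */
        errno = ENXIO;
        return -1;
    }
#if defined(IP_BOUND_IF)
    if (family == AF_INET)
        return setsockopt(fd, IPPROTO_IP, IP_BOUND_IF, &ifindex, sizeof(ifindex));
#if defined(IPV6_BOUND_IF)
    if (family == AF_INET6)
        return setsockopt(fd, IPPROTO_IPV6, IPV6_BOUND_IF, &ifindex, sizeof(ifindex));
#endif
    errno = EAFNOSUPPORT;
    return -1;
#elif defined(SO_BINDTODEVICE)
    (void)family;                  /* name-based option covers both families */
    return setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, ifname, (socklen_t)strlen(ifname));
#else
    (void)fd; (void)family;
    errno = ENOTSUP;
    return -1;
#endif
}

/* Demo: bind a UDP socket to the interface named on the command line
 * (e.g. "ppp0" on macOS), defaulting to the loopback interface. */
int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : (if_nametoindex("lo0") ? "lo0" : "lo");
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0 || bind_socket_to_interface(fd, AF_INET, ifname) != 0) {
        perror("bind_socket_to_interface");
        return 1;
    }
    printf("socket %d bound to %s; traffic now leaves only via that interface\n", fd, ifname);
    close(fd);
    return 0;
}
```

Note that this pins only sockets your own code opens; forcing another process's sockets (Safari, Chrome) onto an interface is exactly the part the answer says needs a socket filter or a Network Extension rather than a plain setsockopt.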