Feature disparity post Kext deprecation on macOS

I see a feature disparity post Kext deprecation. With a Kext we could add an IP filter hook, using which we were able to intercept IP packets without adding any special IP route entry. At this layer (in the IP filter hook) we were able to collect IP packets for tunnelling (VPN). Please note, with the Kext:

  • Using packet metadata, there were multiple filtering options available. At this layer, we could filter IP packets based on MAC addresses, IP addresses, ports, process names, traffic direction and so on to decide whether to tunnel the IP packet or not.
  • Also, as mentioned earlier, this didn't require any special IP route entry.
  • With the Kext this filtering was completely opaque to the user.
  • With the above flexibility, an IP packet with the same destination may or may not be put in the tunnel.

The replacement offered from Big Sur is the System Extension PacketTunnelProvider. But this limits all our flexibility; it also requires us to define tunnel settings that add route entries to the route table, which no longer keeps it opaque and also disrupts the route table. It also creates a special utun interface, stopping which terminates the tunnel connection.

The above limitation is not there on other OS platforms. IP filtering can be achieved on Windows by using their WDM framework without having any special route entry or interface. The same can also be done on the Linux platform with packet marking and iptables entries.

Could you please let me know if I can use anything else apart from PacketTunnelProvider which removes the above limitations? If not, then it will limit developers' capability for developing security/filtering/firewall services for Mac that can be done for Windows and Linux. This will add feature disparity between platforms.
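To make the route-table point in the post concrete, here is an added example (not the poster's code, and not Apple's sample code) of a minimal NEPacketTunnelProvider. It shows exactly where the visible route entries and the utun interface come from: they are a direct consequence of the NEPacketTunnelNetworkSettings the provider must apply before it receives any packets. All addresses are constructed documentation-range values, the server-side transport is left out, and the ICMP drop rule is only there to illustrate that dropping is the sole per-packet "do not tunnel" decision left once a packet has already been routed into utunN.

```swift
import NetworkExtension
import os.log

// Added example (not the poster's code): a minimal NEPacketTunnelProvider
// that shows where the route entries and the utun interface come from.
// All addresses are constructed documentation-range values.
class ExamplePacketTunnelProvider: NEPacketTunnelProvider {

    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        // tunnelRemoteAddress is the VPN server. The system keeps traffic to
        // this address on the physical interface so the tunnel transport is
        // not looped back into the utun.
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "203.0.113.10")

        // Local address assigned to the utun interface that the system creates.
        let ipv4 = NEIPv4Settings(addresses: ["10.8.0.2"], subnetMasks: ["255.255.255.0"])

        // Every includedRoute becomes a visible entry in the kernel route table
        // (netstat -rn lists it against utunN). Selection is by destination
        // only: a packet to 192.0.2.0/24 always enters the tunnel regardless of
        // process, MAC address, port or direction.
        ipv4.includedRoutes = [
            NEIPv4Route(destinationAddress: "192.0.2.0", subnetMask: "255.255.255.0")
        ]
        // excludedRoutes are the only bypass, and again only per destination.
        ipv4.excludedRoutes = [
            NEIPv4Route(destinationAddress: "198.51.100.0", subnetMask: "255.255.255.0")
        ]
        settings.ipv4Settings = ipv4
        settings.mtu = 1400

        // Applying the settings creates utunN and installs the routes;
        // tearing the tunnel down removes both.
        setTunnelNetworkSettings(settings) { error in
            if let error = error {
                completionHandler(error)
                return
            }
            self.readPackets()
            completionHandler(nil)
        }
    }

    // Packets arrive here only after the route table has already sent them
    // to utunN. The provider can inspect the IP header, but it cannot hand a
    // packet back to the physical interface: packetFlow.writePackets injects
    // packets into the host as if they were received from the tunnel.
    private func readPackets() {
        packetFlow.readPackets { [weak self] packets, protocols in
            guard let self = self else { return }
            for (packet, proto) in zip(packets, protocols) {
                let bytes = [UInt8](packet)
                guard proto.int32Value == AF_INET, bytes.count >= 20 else { continue }
                let ipProtocol = Int32(bytes[9])                       // IPv4 protocol field
                let dst = bytes[16...19].map { String($0) }.joined(separator: ".")
                if ipProtocol == 1 {
                    // Illustrative filter rule: ICMP is dropped rather than tunnelled.
                    // Dropping is the only per-packet "do not tunnel" outcome available.
                    continue
                }
                os_log("tunnel packet proto=%d dst=%{public}s", ipProtocol, dst)
                // Forwarding the packet to the VPN server over the transport
                // (hypothetical sendToServer(packet)) is out of scope here.
            }
            self.readPackets()
        }
    }

    override func stopTunnel(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        // Stopping the provider removes utunN and every route it introduced,
        // which is the behaviour the post describes as disruptive.
        completionHandler()
    }
}
```

Run with the provider embedded in a signed system extension and activated from a host app; while the tunnel is up, `netstat -rn` on the Mac shows the 192.0.2.0/24 entry against the utun interface, which is the visibility the poster contrasts with the Kext IP filter hook.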