In some countries, the government deploys DPI (deep packet inspection) systems for censorship. These systems usually don't implement TCP completely and thus can be tricked pretty easily into allowing a connection to a blocked resource to go through, e.g. by fragmenting a ClientHello and optionally shuffling the fragments around.
There exists this app for Windows: https://github.com/ValdikSS/GoodbyeDPI
It uses WinDivert to intercept the network traffic and modify it as needed. I'd like to build a similar tool for macOS but I struggle to understand which of the many APIs I should use.
I need two main features from the API in question:
- The ability to drop a packet sent by an application and send something else, e.g. several TCP fragments with the same data, instead.
- The ability to drop incoming packets because some DPI equipment works by sending RST before the origin server has time to respond.
- Ideally, I'd filter the connections by destination IP address and only work on those that deal with blocked resources, leaving the other ones to be dealt with completely by the system so that there's no needless performance regression caused by all traffic passing through my code.
So which API do I use for this? NetworkExtension (which kind)? BPF? Some other Unix API? Or will I have to resort to making it a kernel extension?