Hello! I would like to ask the community here if there is a solution or alternative approach to what I am trying to achieve as I will described below.
My goal is to achieve packet level filtering on Mac using existing architecture that my team has already developed at the company I work for.
A bit of background:
What we have achieved in Windows (full packet filtering) I would like to carry over to Mac using our existing filtering architecture. On Windows I have created a packet redirector (C++) that intercepts packets from all applications (using WinDivert) and forwards them to a modified SOCKS5 server (Java) that does the filtering. Yes, WinDivert also intercepts packets from the SOCKS5 server on their final leg out to a remote machine but I have solved that problem. The SOCKS5 server (modified for verdict filtering) is the common component which we wish to also use on Mac in addition to Windows. The only components that are platform specific are the packet redirectors.
What I have currently developed for Mac:
Basically, exactly the same as Windows mentioned above but, using NEPacketTunnelProvider instead of WinDivert. I was able to carry over all of my C++ code to Mac from Windows for the packet redirector with minimal modification and it works fine, to a point...
As others have discovered...
... the PacketTunnelProvider was not designed to send packets to arbitrary destination IP addresses. It was only designed to send packets to one remote tunnel server.
To summarise; the NEPacketTunnelProvider is reintercepting its own packets. The links above explain why. This only happens when I set net.inet.ip.forwarding=1. When net.inet.ip.forwarding=0 the packets don't enter into a loop but the packets still don't reach the physical interface and consequently never reaches the remote machine. This is the pain point.
To me it seems this is a dead-end approach unless someone here has some ideas. Alternative approaches are also welcome and I have the feeling someone will mention Content Filter Providers (https://developer.apple.com/documentation/networkextension/content_filter_providers). The problem with this approach is the filter data provider is sandboxed and consequently will not be able to communicate with our separate SOCKS5 server filtering process. This basically means a re-architect of our filtering solution specially for Mac, which is highly undesirable. We want to use what we have already created.
Thanks for reading my post and I look forward to reading your replies.