Efficient raw packet processing on live network traffic

Hi, I'm responsible for extending my company's firewall application with macOS support. The easiest and fastest way requires a simple API similar to netmap/nfq on Unix/Linux systems or NDIS/WinDivert on the Windows platform, where

  1. All network traffic passing the NICs or WiFi adapter should be forwarded to our FW application,
  2. The FW application should process the raw packets with its own connection tracking mechanism, modify them if needed, and generate new ones if needed,
  3. The FW application should inject the forwarded or new packets so they continue on their way.

In other words, the required API should stand between NIC/WiFi driver and networking stack and allow packet manipulation. My questions follow:

I can't decide which method to focus on further, among three alternatives:

  1. kext - It can satisfy the requirements, but it is deprecated, difficult to make progress with, and has no guarantee of being applicable in future versions of macOS, am I right?
  2. networkingdriverkit - It can satisfy the requirements, am I right?
  3. networkextension - Can it satisfy the requirements? Also there is a serious performance problem, as mentioned in https://developer.apple.com/forums/thread/757071.

Can anyone help me decide on the most appropriate method? Thanks.

Answered by Systems Engineer in 794589022

kext - It can satisfy the requirements, but deprecated, difficult to progress and have no guarantee to be applicable in future versions of MacOS, am I right ?

Yes, using a NKE (kext) is not the recommended solution here as these have been deprecated across the board starting in macOS 10.15.

Regarding:

networkingdriverkit

This API is really intended for building drivers for custom network hardware, for example, an ethernet USB adapter.

Regarding:

networkextension - can it satisfy the requirements?

NEFilterPacketProvider is what you are looking for here. Yes, there are performance implications here, as there are with any firewall that inspects every single packet, because the packet makes a trip to user space first so your code can filter it, so be mindful of that. Also, one more thing I will mention is that it's easy to fall into using PF for this sort of thing, but that is not the recommended approach here either, as PF is not an officially supported API.

Matt Eaton - Networking
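To make the NEFilterPacketProvider path concrete, here is an added example (not code from the thread, Apple, or the poster's project) of a packet-filter provider whose packetHandler parses just enough of each IPv4 header to apply a port-based outbound rule and return an allow/drop verdict. Assumptions: the bytes handed to the handler start at the IP header with no link-layer header, the extension is installed and entitled as a content filter per Apple's Network Extension documentation, and the subsystem name and blocked-port set are constructed for illustration.

```swift
import NetworkExtension
import Network
import os.log

/// Example NEFilterPacketProvider subclass (added illustration, not the original poster's code).
/// Assumption: packet bytes start at the IP header (no Ethernet/link-layer header).
final class PacketFilterProvider: NEFilterPacketProvider {

    // Constructed subsystem name for this example.
    private let log = Logger(subsystem: "com.example.firewall", category: "packet-filter")

    /// Constructed policy for this example: destination TCP/UDP ports blocked in the outbound direction.
    private let blockedOutboundPorts: Set<UInt16> = [23, 135, 445]

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        // Every packet crosses into user space and through this closure, so keep per-packet work small.
        packetHandler = { [weak self] (context, interface, direction, bytes, count) -> NEFilterPacketProvider.Verdict in
            guard let self = self else { return .allow }
            return self.verdict(for: bytes, count: count, direction: direction)
        }
        completionHandler(nil)
    }

    override func stopFilter(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
        packetHandler = nil
        completionHandler()
    }

    /// Pure decision function, kept separate from the provider callback so it can be unit tested.
    func verdict(for bytes: UnsafeRawPointer, count: Int, direction: NETrafficDirection) -> NEFilterPacketProvider.Verdict {
        guard let header = IPv4Header(bytes: bytes, count: count) else {
            // Not IPv4 (e.g. IPv6) or truncated: this example only parses IPv4, so it passes the packet.
            return .allow
        }
        if direction == .outbound, let port = header.destinationPort, blockedOutboundPorts.contains(port) {
            log.notice("drop outbound proto=\(header.protocol) \(header.source) -> \(header.destination):\(port)")
            return .drop
        }
        return .allow
    }
}

/// Minimal IPv4 header parser with bounds checks; reads only the fields a port rule needs.
struct IPv4Header {
    let protocol: UInt8
    let source: String
    let destination: String
    let destinationPort: UInt16?   // present only for TCP (6) and UDP (17) first fragments

    init?(bytes: UnsafeRawPointer, count: Int) {
        guard count >= 20 else { return nil }                       // shorter than a minimal IPv4 header
        let p = bytes.assumingMemoryBound(to: UInt8.self)
        guard p[0] >> 4 == 4 else { return nil }                    // version nibble must be 4
        let ihl = Int(p[0] & 0x0F) * 4                              // header length in bytes (options included)
        guard ihl >= 20, count >= ihl else { return nil }
        protocol = p[9]
        source = "\(p[12]).\(p[13]).\(p[14]).\(p[15])"
        destination = "\(p[16]).\(p[17]).\(p[18]).\(p[19])"
        // Only the first fragment carries the transport header, and it must actually be present.
        let fragmentOffset = (UInt16(p[6] & 0x1F) << 8) | UInt16(p[7])
        if (protocol == 6 || protocol == 17), fragmentOffset == 0, count >= ihl + 4 {
            destinationPort = (UInt16(p[ihl + 2]) << 8) | UInt16(p[ihl + 3])
        } else {
            destinationPort = nil
        }
    }
}
```

Two design points worth noting. The decision logic lives in a plain method that takes raw bytes and a direction, so a host test can feed it constructed packets without an installed extension, and the per-packet path does no allocation beyond the log line on a drop, which matters given the user-space round trip the answer warns about. Non-IPv4 traffic is passed through here only because the example does not parse it; a production filter would parse IPv6 as well rather than fail open.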
