netfil

This is a experimental beginner Network Kernel Extention (NKE) with a menu bar application. It can filter by process identifier, IP, or network interfaces using a i/o byte limit.

This project is NOT meant to be run on a production machine - use at your own risk! Tested on macOS 10.12.1

This is a kernel level alternative to netman.

The following NKE filters are used:

• Socket Filters - Filter all sockets by process identitifier
• IP Filters - Filter IP traffic by address
• Interface Filters - Filter all traffic happening on specified interfaces

Example use cases

• Create a socket filter to ensure an application only uploads X bytes
• Create an interface filter to ensure you don't go over your data limit when tethering
• Create an IP filter to manage your bandwidth usage to an external host

KEXT

You can load the KEXT with the ./reload.sh iffilter.kext com.company.netfil command. Note: Loading unsigned kernel extensions requires System Integrity Protection (SIP) to be turn off.

System Controls

This NKE uses sysctl to cross boundaries between kernel code and appliactions.

You can communicate directly with them using the sysctl command. To view most system controls run sysctl -a net.netfil

Interface Filter

• net.netfil.interface.list <struct CCArray>: size is the number of interfaces; names contains a list of null-terminated network interface names.
• net.netfil.interface.ibyte <int>
• net.netfil.interface.obyte <int>
• net.netfil.interface.iobyte <int>
• net.netfil.interface.status <int>: 0 is "off", 1 is "on"

Socket Filter

• net.netfil.socket.pid <int>
• net.netfil.socket.ibyte <int>
• net.netfil.socket.obyte <int>
• net.netfil.socket.iobyte <int>
• net.netfil.socket.status <int>: 0 is "off", 1 is "on"

IP Filter

• net.netfil.ip.addr <struct in_addr> or <struct in6_addr>
• net.netfil.ip.ibyte <int>
• net.netfil.ip.obyte <int>
• net.netfil.ip.iobyte <int>
• net.netfil.ip.status <int>: 0 is "off", 1 is "on"

Note: You cannot set the net.netfil.ip.addr or the net.netfil.interface.list via commandline.

To run a fitler, first set its' options then change its' status to 1. It is always smart to validate your options before you start.

For iobyte, ibyte, and obyte, a zero value represents unmetered/unlimited (no filtering).

Menu Bar / GUI Application

You can use the menu bar application to control the KEXT. A green icon with a dot means the filter is "on", a red icon with a line means the filter is "off", a gray icon with a radar-like symobl means the KEXT is probably not loaded or there is an error. Icon are from Oxygen Team.

Limitations

KEXT

• Right now you can only run one socket, interface, or IP filter at a time.
• Does not add new interfaces to filter (mac policy might be able to help with this?)
• Anyone can change the variables as root permission is not required. This is very dangerous!
• Not signed so have to jump thru some hoops to get this loaded on your machine.

GUI

• Application will only filter IPv4 addresses for the IP filter.
• Application will not be alerted instantly on KEXT changes.

Useful Resources

• https://github.com/gdbinit/tcplognke
• https://github.com/ikob/i-Path
• https://github.com/tesseract2048/netfat/
• https://github.com/applesrc/SharedIP/
• https://github.com/williamluke/peerguardian-linux
• http://phrack.org/issues/69/7.html
• http://soundly.me/discovering-source-folder-when-hiding-files-in-osx-kernel-rootkits/
• kernel debugging ** http://lightbulbone.com/2016/10/04/intro-to-macos-kernel-debugging.html
• mac policies ** https://www.synack.com/2015/11/17/monitoring-process-creation-via-the-kernel-part-i/ ** https://developer.apple.com/reference/kernel/mpo_ifnet_label_associate_t?language=objc
• Icons from the Oxygen Icon pack under the GNU Lesser General Public License

License

See LICENSE.

Disclaimer

See DISCLAIMER.