basil00 / reqrypt

A censorship circumvention tool
http://reqrypt.org

MacOSX support is broken #3

Open basil00 opened 7 years ago

basil00 commented 7 years ago

The MacOSX version of ReQrypt depends on ipfw which has been deprecated. See #2.

basil00 commented 6 years ago

It might be possible to build and run ReQrypt on MacOSX again. However, I do not have access to a Mac, so I cannot test it. It seems to work for BSD.

Note however, it is not very user-friendly. You need to do the following steps (as root):

  1. Edit /etc/pf.conf and add the line anchor reqrypt.
  2. Reload the file: pfctl -f /etc/pf.conf

Now it should be possible to run ReQrypt as root, and this should tunnel outbound traffic for all users.
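The two steps above as an idempotent script, added here as an example (not code from the ReQrypt project or from the comment's author). It assumes the anchor line can be appended at the end of the file, checks the result with pfctl -n (parse only) before replacing the original, and leaves the reload (pfctl -f) to the operator; ensure_anchor and the PFCTL override are hypothetical names.

```shell
#!/bin/sh
# Added example: idempotently add "anchor reqrypt" to a pf.conf file.
# ensure_anchor and PFCTL are hypothetical names, not part of ReQrypt.

ANCHOR_LINE="anchor reqrypt"
PFCTL="${PFCTL:-pfctl}"   # override to point at a specific pfctl binary

# ensure_anchor FILE
# Returns 0 if the anchor was added, 1 if it was already present,
# 2 on error (missing file, failed copy, or failed syntax check).
ensure_anchor() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }

    # Match the anchor as a whole rule: optional indentation, optional
    # quotes around the name, optional trailing comment.
    if grep -Eq '^[[:space:]]*anchor[[:space:]]+"?reqrypt"?[[:space:]]*(#.*)?$' "$conf"; then
        return 1
    fi

    # Work on a copy so a failed check never touches the live file.
    tmp="$conf.reqrypt.$$"
    cp -p "$conf" "$tmp" || return 2

    # Assumption: appending at the end is acceptable. Add a newline first
    # if the file does not already end with one.
    if [ -s "$tmp" ] && [ -n "$(tail -c 1 "$tmp")" ]; then
        printf '\n' >> "$tmp"
    fi
    printf '%s\n' "$ANCHOR_LINE" >> "$tmp"

    # Parse-only check (-n loads nothing). Skipped when pfctl is absent,
    # e.g. when trying this script on a host without pf.
    if command -v "$PFCTL" >/dev/null 2>&1; then
        if ! "$PFCTL" -n -f "$tmp" >/dev/null 2>&1; then
            echo "syntax check failed, $conf left unchanged" >&2
            rm -f "$tmp"
            return 2
        fi
    else
        echo "pfctl not found, syntax check skipped" >&2
    fi

    # Keep a backup, then swap the checked copy into place.
    cp -p "$conf" "$conf.bak" && mv "$tmp" "$conf" || { rm -f "$tmp"; return 2; }
    return 0
}
```

Run it as root against /etc/pf.conf, then reload with pfctl -f /etc/pf.conf as in step 2.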

yaroslav-v commented 5 years ago

Hi there.

Thanks for your work. I just want to let you know that I've tried to build this project on macOS 10.13.6 but had no luck.

There is a compilation error:

gcc -DCLIENT -DMACOSX -maes -Wall -O2 -I "/Users/user/Development/workspace_other/reqrypt/src/"   -c -o macosx/misc.o macosx/misc.c
macosx/capture.c:60:37: error: expected ',' or ';' before 'PFCONF_FILENAME'
     "/sbin/pactl -a " ANCHOR " -f " PFCONF_FILENAME;

The full log is in pastebin.

yaroslav-v commented 5 years ago

A small update. I was able to build the project, it's just necessary to define PFCONF_FILENAME for MACOSX in misc.h.

However, it doesn't work as expected even after applying the changes you've proposed for /etc/pf.conf (IPv6 is disabled as well).

Here is the log:

$ sudo ./reqrypt 
ReQrypt 1.4.1 [macosx] Copyright (C) 2017 basil
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

log: [macosx] executing pfctl command "/sbin/pactl -a reqrypt -f reqrypt.pf.conf"
log: starting reqrypt user interface http://localhost:40404/
pactl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.

No ALTQ support in kernel
ALTQ related functions disabled
reqrypt.pf.conf:17: syntax error
reqrypt.pf.conf:18: syntax error
reqrypt.pf.conf:19: syntax error
reqrypt.pf.conf:20: syntax error
pactl: Syntax error in config file: pf rules not loaded
error: pfctl command returned non-zero exit status 256
warning: unable to accept incoming connection to configuration server localhost:40404 from non-local address

yaroslav-v commented 5 years ago

Another update. Looks like pf in macOS doesn't support the divert-packet command.

I've found no really useful information regarding this question, but here is a thread on Reddit about divert sockets in macOS.

Hope you'll be able to find a different approach for macOS :).

basil00 commented 5 years ago

From memory you need to enable the firewall under Security and Privacy in System Settings.

yaroslav-v commented 5 years ago

Yes, pf is disabled by default in macOS.

However, it's not enough to just enable the firewall to turn on pf. It's necessary to enable an additional option in System Preferences -> Security & Privacy -> Firewall -> Firewall options -> Check "Enable stealth mode". Probably it enables pf to filter data at a low level. Besides, there is an option to enable pf via sudo pfctl -e.

Anyway, this doesn't help much because we're getting the same error, reqrypt.pf.conf:17: syntax error, for all lines where the divert-packet command is used.

basil00 commented 5 years ago

Yes, I also cannot find any information on how to enable divert sockets on modern MacOS, or even if it is supported at all. I did notice that man divert still brings up the divert socket man page, which is encouraging, but this only provides information about the programming API.

So is it possible that support was silently dropped?

yaroslav-v commented 5 years ago

I've spent some time reading manuals and it looks like pf on macOS is based on OpenBSD 4.5/4.6, and this version doesn't support the divert-packet command as modern OpenBSD versions do.

Here is an article regarding pf on macOS with some information on the matter. Probably Apple's implementation isn't complete or it's just outdated.

basil00 commented 5 years ago

One idea is to figure out the ioctl (or other) interface that pf uses and see if it is possible to enable divert sockets that way. This is probably the better way of implementing it anyway, if possible. This assumes that divert sockets are even supported by the kernel, which is not clear.

Otherwise, ReQrypt MacOS support will be dead.