Open fbion opened 2 years ago
InternetSharing(8) BSD System Manager's Manual InternetSharing(8)
NAME InternetSharing -- daemon for Internet Sharing.
SYNOPSIS NONE (launched by launchd)
DESCRIPTION InternetSharing is a system daemon which sets up Internet Sharing.
This command is not intended to be invoked directly.
FILES /usr/libexec/InternetSharing
natpmpd -- NAT Port mapping daemon.
SYNOPSIS natpmpd [-d] [-k mssclamp] [-x/y privateIfName] publicIfName
DESCRIPTION natpmpd is a daemon implementing NAT-PMP. NAT-PMP is a protocol for handling port forwarding requests from clients behind a NAT. It is normally invoked by InternetSharing(8)
The options are as follows:
-x/y publicinterface
The private interfaces that need the use the service.
NOTES com.apple/100.InternetSharing/natpmp PF anchor is required for this daemon to correctly function.
natpmpd -d -y bride0 en0
http://www.developerit.com/2013/11/01/how-do-i-send-traffic-from-my-macs-wifi-to-my-vpn-client
https://blog.dwlee.info/post/51762725540/internet-sharing-on-mac-os-x-my-voip-phone
https://discussions.apple.com/thread/4394472
https://soundofsyntax.wordpress.com/2012/02/09/osx-internet-sharing-under-the-hood/
@fbion hey, were you able to make it work? "Internet sharing" feature enabled without manually changing from the UI?
No, the "internet sharing" feature is not good
macos internet sharing pfctl
pfdump.sh
com.apple r anchor "200.AirDrop/" all
com.apple r anchor "250.ApplicationFirewall/" all
com.apple A com.apple/200.AirDrop
com.apple A com.apple/250.ApplicationFirewall
com.apple A com.apple/HTTP
com.apple/200.AirDrop A com.apple/200.AirDrop/Bonjour
com.apple/200.AirDrop/Bonjour r pass in on p2p0 inet6 proto udp from any to any port = 5353 keep state
com.apple/200.AirDrop/Bonjour r pass out on p2p0 proto tcp all flags any keep state
com.apple/HTTP r scrub-anchor "com.apple/" all fragment reassemble
com.apple/HTTP r anchor "com.apple/" all
com.apple/HTTP r anchor "custompf.conf" all
com.apple/HTTP n nat-anchor "com.apple/" all
com.apple/HTTP n nat-anchor "custompf.conf" all
com.apple/HTTP n rdr-anchor "com.apple/" all
com.apple/HTTP n rdr-anchor "custompf.conf" all
com.apple/HTTP A com.apple/HTTP/com.apple
com.apple/HTTP A com.apple/HTTP/custompf.conf
com.apple.internet-sharing r scrub-anchor "base_v4" all fragment reassemble
com.apple.internet-sharing r anchor "base_v4" all
com.apple.internet-sharing n nat-anchor "base_v4" all
com.apple.internet-sharing n rdr-anchor "base_v4" all
com.apple.internet-sharing A com.apple.internet-sharing/base_v4
com.apple.internet-sharing/base_v4 r scrub on en0 all no-df fragment reassemble
com.apple.internet-sharing/base_v4 r scrub on bridge100 all no-df max-mss 1460 fragment reassemble
com.apple.internet-sharing/base_v4 r scrub on bridge100 proto esp all no-df fragment reassemble
com.apple.internet-sharing/base_v4 r pass on en0 all flags any keep state
com.apple.internet-sharing/base_v4 r pass on en0 proto esp all no state
com.apple.internet-sharing/base_v4 r pass on bridge100 all flags any keep state rtable 4
com.apple.internet-sharing/base_v4 n nat on en0 inet from 192.168.2.0/24 to any -> (en0:0) extfilter ei
com.apple.internet-sharing/base_v4 n no nat on bridge100 inet from 192.168.2.1 to 192.168.2.0/24
com.apple.internet-sharing/base_v4 n rdr on bridge100 inet proto tcp from 192.168.2.0/24 to any port = 21 -> 127.0.0.1 port 8021
Turns out there is an issue with Big Sur. It does not allow through traffic.
As a temporary fix, ran the following commands:
sudo pfctl -a com.apple.internet-sharing/shared_v4 -s nat 2>/dev/null >newrules.conf
echo "nat on utun2 inet from 192.168.13.0/24 to any -> (utun2) extfilter ei" >>newrules.conf
sudo pfctl -a com.apple.internet-sharing/shared_v4 -N -f newrules.conf 2>/dev/null
Here 192.168.13.0/24 is the IP range where my VM is.
This needs to run every time the VM is restarted.
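Added example, not part of the original comment: a wrapper for the workaround above that can be rerun after every VM restart without appending the same NAT rule a second time, and that parse-checks the rule file with `pfctl -n` before loading it. The function names are hypothetical; the interface and subnet are passed as arguments and validated before they reach a command run under sudo.

```shell
#!/bin/sh
# Added example: helper names are hypothetical; the anchor, rule text and
# pfctl flags (-a, -s nat, -N, -f) are those in the comment above; -n is
# pfctl's parse-only switch.
ANCHOR="com.apple.internet-sharing/shared_v4"

# Accept only interface names such as utun2, en0 or bridge100.
valid_iface() {
    case "$1" in
        ""|*[!a-z0-9]*) return 1 ;;
        [a-z]*[0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Accept only dotted-quad/prefix: octets 0-255, prefix length 0-32.
valid_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        !/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i > 255) exit 1
          if ($5 > 32) exit 1 }'
}

# merge_rules IFACE CIDR: read the anchor's current NAT rules on stdin and
# print them deduplicated, appending the workaround rule only if no rule for
# the same interface and source range is already present.
merge_rules() {
    valid_iface "$1" && valid_cidr "$2" || return 2
    awk -v key="nat on $1 inet from $2 to any ->" -v ifc="$1" '
        { gsub(/[ \t]+/, " "); sub(/^ /, ""); sub(/ $/, "") }
        $0 == "" || seen[$0]++ { next }
        index($0, key) == 1 { have = 1 }
        { print }
        END { if (!have) print key " (" ifc ") extfilter ei" }'
}

# apply_workaround IFACE CIDR: dump, merge, parse-check, then load (needs root).
apply_workaround() {
    tmp=$(mktemp) || return 1
    rc=1
    if sudo pfctl -a "$ANCHOR" -s nat 2>/dev/null | merge_rules "$1" "$2" >"$tmp" &&
       sudo pfctl -n -a "$ANCHOR" -N -f "$tmp"; then
        sudo pfctl -a "$ANCHOR" -N -f "$tmp" && rc=0
    fi
    rm -f "$tmp"
    return "$rc"
}
```

With the values from the comment, the call is `apply_workaround utun2 192.168.13.0/24`; errors from the parse check and the load are shown rather than sent to /dev/null.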