Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MacOSX support is broken #3

Open
basil00 opened this issue Aug 12, 2017 · 9 comments
Open

MacOSX support is broken #3

basil00 opened this issue Aug 12, 2017 · 9 comments

Comments

@basil00
Copy link
Owner

basil00 commented Aug 12, 2017

The MacOSX version of ReQrypt depends on ipfw which has been deprecated. See #2.
@basil00 basil00 mentioned this issue Mar 20, 2018
Closed
basil00 added a commit that referenced this issue Apr 30, 2018
@basil00
Replace IPFW with PF.
f7e1b7f 
- Make ReQrypt compatible with BSD and MacOSX.
- WIP solution for #3.
basil00 added a commit that referenced this issue May 1, 2018
@basil00
Add pf.conf file for MacOSX/BSD
f5c20f5 
- See issue #3.
@basil00
Copy link
Owner Author

basil00 commented May 1, 2018

It might be possible to build and run ReQrypt on MacOSX again. Although, I do not have access to a Mac so cannot test. It seems to work for BSD.

Note however, it is not very user-friendly. You need to do the following steps (as root):

  1. Edit /etc/pf.conf and add the line anchor reqrypt.
  2. Reload the file: pfctl -f /etc/pf.conf

Now it should be possible to run ReQrypt as root, and this should tunnel outbound traffic for all users.

@yaroslav-v
Copy link

Hi there.

Thanks for your work. I just want to let you know that I've tried to build this project on macOS 10.13.6 but had no luck.

There is a compilation error:

gcc -DCLIENT -DMACOSX -maes -Wall -O2 -I "/Users/user/Development/workspace_other/reqrypt/src/"   -c -o macosx/misc.o macosx/misc.c
macosx/capture.c:60:37: error: expected ',' or ';' before 'PFCONF_FILENAME'
     "/sbin/pactl -a " ANCHOR " -f " PFCONF_FILENAME;

The full log is in pastebin.

@yaroslav-v
Copy link

A small update. I was able to build the project, it's just necessary to define PFCONF_FILENAME for MACOSX in misc.h

Hovewer, it doesn't work as expected even after applying the changes you've proposed for /etc/pf.conf (IPv6 is disabled as well).

Here is the log:

$ sudo ./reqrypt 
ReQrypt 1.4.1 [macosx] Copyright (C) 2017 basil
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

log: [macosx] executing pfctl command "/sbin/pactl -a reqrypt -f reqrypt.pf.conf"
log: starting reqrypt user interface http://localhost:40404/
pactl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.

No ALTQ support in kernel
ALTQ related functions disabled
reqrypt.pf.conf:17: syntax error
reqrypt.pf.conf:18: syntax error
reqrypt.pf.conf:19: syntax error
reqrypt.pf.conf:20: syntax error
pactl: Syntax error in config file: pf rules not loaded
error: pfctl command returned non-zero exit status 256
warning: unable to accept incoming connection to configuration server localhost:40404 from non-local address

@yaroslav-v
Copy link

Another update. Looks like pf in macOS doesn't support the divert-packet command.

I've found no really useful information regarding this question, but here is a thread on Reddit about divert sockets in macOS.

Hope you'll be able to find a different approach for macOS :).

@basil00
Copy link
Owner Author

basil00 commented Apr 17, 2019

From memory you need to enable the firewall under Security and Privacy in System Settings.

@yaroslav-v
Copy link

yaroslav-v commented Apr 18, 2019
edited
Loading

Yes, pf is disabled by default in macOS.

However, it's not enough to just enable the firewall to turn on pf. It's necessary to enable an additional option in System Preferences -> Security & Privacy -> Firewall -> Firewall options -> Check "Enable stealth mode". Probably it enables pf to filter data on low level. Besides there is an option to enable pf via $sudo pfctl -e.

Anyway, this doesn't help much because we're getting the same error reqrypt.pf.conf:17: syntax error, for all lines where divert-packet command is used.

@basil00
Copy link
Owner Author

basil00 commented Apr 19, 2019

Yes, I also cannot find any information on how to enable divert sockets on modern MacOS, or even if it is supported at all. I did notice that man divert still brings up the divert socket man page, which is encouraging, but this only provides information about the programming API.

So is it possible that support was silently dropped?

@yaroslav-v
Copy link

yaroslav-v commented Apr 19, 2019
edited
Loading

I've spent some time reading manuals and it looks like pf on macOS is based on OpenBSD 4.5/4.6 and this version doesn't support the divert-packet command as modern OpenBSD versions.

Here is an article regarding pf on macOS with some information on the matter. Probably Apple's implementation isn't complete or it's just outdated.

@basil00
Copy link
Owner Author

basil00 commented Apr 20, 2019

One idea is to figure out the ioctl (or other) interface that pf uses and see if it is possible to enable divert sockets that way. This is probably the better way of implementing it anyway, if possible. This assumes that divert sockets are even supported by the kernel, which is not clear.

Otherwise, ReQrypt MacOS support will be dead.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@basil00 @yaroslav-v