@mowings
Last active September 25, 2023 20:00
script to get xhyve working with all vpn interfaces
#!/bin/bash
# Collect every utunN interface that currently has an IPv4 address.
# [0-9]+ rather than \d so that utun10, utun16, ... are matched as well.
interfaces=( $(netstat -in | grep -E '^utun[0-9]+ .*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | awk '{print $1}' | sort -u) )
rulefile="rules.tmp"
echo "" > "$rulefile"
# Flush the NAT rules currently loaded in the com.apple/tun anchor.
sudo pfctl -a com.apple/tun -F nat
for i in "${interfaces[@]}"
do
  # Masquerade the xhyve/vmnet guest subnet (192.168.64.0/24) out of each tunnel.
  RULE="nat on ${i} proto {tcp, udp, icmp} from 192.168.64.0/24 to any -> ${i}"
  echo "$RULE" >> "$rulefile"
done
# Load the generated rules into the anchor.
sudo pfctl -a com.apple/tun -f "$rulefile"
@mowings
Author

mowings commented Jan 4, 2017

Checks all utun devices via netstat that have an associated address, creates a mask rule, appends it to a file, then runs pfctl to set the nat rules
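
The interface-discovery and rule-generation steps described above, split into functions so the filtering can be checked against captured `netstat -in` output before anything is loaded into pf. This is an added example, not the gist's own script: it assumes the same guest subnet (192.168.64.0/24, the xhyve/vmnet default used by the original) and the same com.apple/tun anchor, and only talks to pfctl when invoked with `--apply`. The `[0-9]+` in the pattern is what lets a tunnel such as utun16 be picked up; a utun that shows only a `<Link#N>` row and no IPv4 address is skipped.

```shell
#!/bin/sh
# Added example, not the gist's code. Assumptions (taken from the original
# script): guest subnet 192.168.64.0/24 and the com.apple/tun pf anchor.

# Print each utunN name that has an IPv4 address, one per line, deduplicated.
# Reads `netstat -in` output on stdin. The address column is matched as a
# dotted quad, so <Link#N> and IPv6 rows do not qualify.
utun_ifaces_with_ipv4() {
  grep -E '^utun[0-9]+ .*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | awk '{ print $1 }' | sort -u
}

# Emit one pf nat rule per interface name read on stdin. The rule rewrites the
# source address of packets from $1 (e.g. 192.168.64.0/24) to the tunnel's own
# address on the way out; it does not restrict where the guest may connect.
build_nat_rules() {
  guest_net="$1"
  while read -r ifc; do
    [ -n "$ifc" ] || continue
    printf 'nat on %s proto {tcp, udp, icmp} from %s to any -> %s\n' \
      "$ifc" "$guest_net" "$ifc"
  done
}

# Write the rules for the live interfaces to a file and print its name.
write_rulefile() {
  rulefile="${1:-rules.tmp}"
  netstat -in | utun_ifaces_with_ipv4 | build_nat_rules 192.168.64.0/24 > "$rulefile"
  echo "$rulefile"
}

# Only touches pf when run as `sh masq.sh --apply` (macOS, needs sudo).
if [ "${1:-}" = "--apply" ]; then
  f=$(write_rulefile rules.tmp)
  if [ ! -s "$f" ]; then
    echo "no utun interface with an IPv4 address found; nothing to load" >&2
    exit 1
  fi
  # -n parses the rules without loading them, so a syntax error is caught
  # before the NAT rules already in the anchor are flushed.
  sudo pfctl -a com.apple/tun -nf "$f" || exit 1
  sudo pfctl -a com.apple/tun -F nat
  sudo pfctl -a com.apple/tun -f "$f"
  # Show what is now loaded in the anchor.
  sudo pfctl -a com.apple/tun -s nat
fi
```

`pfctl -a com.apple/tun -s nat` after loading is the quickest way to confirm a rule exists for the tunnel that actually carries the VPN; if the list is empty, the anchor itself is not referenced from /etc/pf.conf or pf is not enabled.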

@hayderimran7

thank you so much !!!
If someone, like me, is getting the following error:

No ALTQ support in kernel
ALTQ related functions disabled
nat cleared
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.

To fix this, simply go to: Mac Preferences -> Security -> Firewall and enable the Firewall. Rerun the script and it should be fixed.

@tetherit

I enabled Firewall and I'm still seeing this:

$ bash masq.sh 
No ALTQ support in kernel
ALTQ related functions disabled
nat cleared
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.

No ALTQ support in kernel
ALTQ related functions disabled

Any ideas?

@minhdanh

In my case I had to change the interface from utun1 to utun16 in rules.tmp, as utun16 is the one that is serving the VPN on my machine.

@jrnt30

jrnt30 commented Aug 20, 2017

@minhdanh Does modifying the regex to interfaces=( $(netstat -in | egrep 'utun\d+ .*\d+\.\d+\.\d+\.\d+' | cut -d ' ' -f 1) ) work?

@lindenle

The firewall in high sierra (10.13.1 (17B48)) is different, how can I make it work for that?

@clemcke

clemcke commented Jan 5, 2018

I was able to make it work on MacOS Sierra by changing my VPN settings: allowing local LAN access but disabling blocking connections to untrusted servers

@joaosa

joaosa commented Jul 16, 2018

I can confirm this works with macOS 10.13.2 (high sierra)

@andypham

@hayderimran7 Your script is not working because it is missing the anchor "tun". Follow this guide to add it.
https://apple.stackexchange.com/questions/312400/pfctl-howto-add-an-anchor-and-make-it-active-load-it

@mediaessenz

mediaessenz commented May 27, 2020

I tried this under macOS 10.15.5 Catalina and also get this "No ALTQ support in kernel" message.
Unfortunately @clemcke's tip is also not working under this version.

I also have a question about the rule itself:
What is it exactly doing?
What does this 192.168.64.0/24 mean?

I need a way to prevent calls to a remote network, to which I'm connected over a Pulse Secure VPN client, for a specific IP range (10.211.55.0/24).
Would this script do this for me (if it worked in general) if I changed the "192.168.64.0/24" part to "10.211.55.0/24"?
Or does this work the other way around, so only IPs in the range 192.168.64.0/24 get routed to the remote net?
