Example setup: macOS Sierra 10.12.5 on a wired connection, sharing that connection over Wi-Fi to other devices (Internet Sharing). The virtual interface backing the shared Wi-Fi network is bridge100.
Create a file named pfdump in /usr/local/bin and paste in the following:
#!/bin/bash
# pfdump: recursively list the filter rules (r), nat/rdr rules (n) and
# sub-anchors (A) of the running pf ruleset, prefixing each line with its anchor.

# pfprint <kind> [anchor]: run pfctl -s<kind>, inside <anchor> when one is given
function pfprint() {
    if [ -n "$2" ]; then
        sudo pfctl -a "$2" -s"$1" 2>/dev/null
    else
        sudo pfctl -s"$1" 2>/dev/null
    fi
}

# print_all [anchor]: print this anchor's rules, then recurse into its sub-anchors
function print_all() {
    local p
    p=$(printf "%-40s" "$1")
    (
        pfprint r "$1" | sed "s,^,r ,"
        pfprint n "$1" | sed "s,^,n ,"
        pfprint A "$1" | sed "s,^,A ,"
    ) | sed "s,^,$p,"
    for a in $(pfprint A "$1"); do
        print_all "$a"
    done
}

print_all ""
Save the file, run chmod +x pfdump, then execute pfdump. The output looks like this:
r scrub-anchor "com.apple/*" all fragment reassemble
r anchor "com.apple/*" all
n nat-anchor "com.apple/*" all
n rdr-anchor "com.apple/*" all
A com.apple
A com.apple.internet-sharing
A custompf.conf
com.apple r anchor "200.AirDrop/*" all
com.apple r anchor "250.ApplicationFirewall/*" all
com.apple A com.apple/200.AirDrop
com.apple A com.apple/250.ApplicationFirewall
com.apple A com.apple/HTTP
com.apple/200.AirDrop A com.apple/200.AirDrop/Bonjour
com.apple/200.AirDrop/Bonjour r pass in on p2p0 inet6 proto udp from any to any port = 5353 keep state
com.apple/200.AirDrop/Bonjour r pass out on p2p0 proto tcp all flags any keep state
com.apple/HTTP r scrub-anchor "com.apple/*" all fragment reassemble
com.apple/HTTP r anchor "com.apple/*" all
com.apple/HTTP r anchor "custompf.conf" all
com.apple/HTTP n nat-anchor "com.apple/*" all
com.apple/HTTP n nat-anchor "custompf.conf" all
com.apple/HTTP n rdr-anchor "com.apple/*" all
com.apple/HTTP n rdr-anchor "custompf.conf" all
com.apple/HTTP A com.apple/HTTP/com.apple
com.apple/HTTP A com.apple/HTTP/custompf.conf
com.apple.internet-sharing r scrub-anchor "base_v4" all fragment reassemble
com.apple.internet-sharing r anchor "base_v4" all
com.apple.internet-sharing n nat-anchor "base_v4" all
com.apple.internet-sharing n rdr-anchor "base_v4" all
com.apple.internet-sharing A com.apple.internet-sharing/base_v4
com.apple.internet-sharing/base_v4 r scrub on en0 all no-df fragment reassemble
com.apple.internet-sharing/base_v4 r scrub on bridge100 all no-df max-mss 1460 fragment reassemble
com.apple.internet-sharing/base_v4 r scrub on bridge100 proto esp all no-df fragment reassemble
com.apple.internet-sharing/base_v4 r pass on en0 all flags any keep state
com.apple.internet-sharing/base_v4 r pass on en0 proto esp all no state
com.apple.internet-sharing/base_v4 r pass on bridge100 all flags any keep state rtable 4
com.apple.internet-sharing/base_v4 n nat on en0 inet from 192.168.2.0/24 to any -> (en0:0) extfilter ei
com.apple.internet-sharing/base_v4 n no nat on bridge100 inet from 192.168.2.1 to 192.168.2.0/24
com.apple.internet-sharing/base_v4 n rdr on bridge100 inet proto tcp from 192.168.2.0/24 to any port = 21 -> 127.0.0.1 port 8021
Here en0 is the wired interface. As the listing shows, the shared network reaches the wired connection because Internet Sharing uses pf to forward the packets: the scrub, pass, nat and rdr rules for en0 and bridge100 live under the com.apple.internet-sharing/base_v4 anchor.
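Because every pfdump line has the same shape (optional anchor column, then r/n/A, then the rule), the listing is easy to post-process. The following Python is an added example, not part of the original post: it parses a pfdump listing into an anchor tree, extracts the nat/rdr rules that actually rewrite traffic (as opposed to nat-anchor/rdr-anchor lines that only delegate), and collects the interfaces the rules touch. SAMPLE is an abridged copy of the output above.

```python
"""Post-process a pfdump listing (added example, not part of the original post).
Each line is "[anchor] kind rule"; kind is r (filter), n (nat/rdr) or A (sub-anchor).
Top-level lines have only padding before the kind. SAMPLE is abridged from the page."""
import re
from collections import defaultdict

SAMPLE = """\
r scrub-anchor "com.apple/*" all fragment reassemble
n nat-anchor "com.apple/*" all
A com.apple
A com.apple.internet-sharing
com.apple r anchor "200.AirDrop/*" all
com.apple A com.apple/200.AirDrop
com.apple.internet-sharing A com.apple.internet-sharing/base_v4
com.apple.internet-sharing/base_v4 r pass on bridge100 all flags any keep state rtable 4
com.apple.internet-sharing/base_v4 n nat on en0 inet from 192.168.2.0/24 to any -> (en0:0) extfilter ei
com.apple.internet-sharing/base_v4 n no nat on bridge100 inet from 192.168.2.1 to 192.168.2.0/24
com.apple.internet-sharing/base_v4 n rdr on bridge100 inet proto tcp from 192.168.2.0/24 to any port = 21 -> 127.0.0.1 port 8021
"""
KINDS = ("r", "n", "A")

def parse_pfdump(text):
    """Return {anchor: {"r": [...], "n": [...], "A": [...]}}; "" is the main ruleset."""
    tree = defaultdict(lambda: {k: [] for k in KINDS})
    for line in text.splitlines():
        parts = line.split(None, 2)
        if not parts:
            continue
        if parts[0] in KINDS:                      # main ruleset: no anchor column
            anchor, kind, rule = "", parts[0], line.split(None, 1)[1]
        else:                                      # anchored: "<anchor> <kind> <rule>"
            anchor, kind = parts[0], parts[1]
            rule = parts[2] if len(parts) > 2 else ""
        if kind not in KINDS:
            raise ValueError("unexpected line: %r" % line)
        tree[anchor][kind].append(rule)
    return dict(tree)

def translation_rules(tree):
    """(anchor, rule) for every nat/rdr rule that rewrites traffic itself,
    skipping nat-anchor/rdr-anchor lines that merely delegate to a sub-anchor."""
    return [(anchor, rule) for anchor, sec in tree.items()
            for rule in sec["n"] if not rule.startswith(("nat-anchor", "rdr-anchor"))]

def interfaces(tree):
    """Interface names appearing as 'on <ifname>' in any filter or translation rule."""
    return {i for sec in tree.values() for rule in sec["r"] + sec["n"]
            for i in re.findall(r"\bon (\w+)", rule)}

if __name__ == "__main__":
    for anchor, rule in translation_rules(parse_pfdump(SAMPLE)):
        print(anchor, rule)
```

To run it against a live system, feed it the real output instead of SAMPLE, e.g. parse_pfdump(open("dump.txt").read()) after redirecting pfdump into that file.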