#!/bin/bash
# Collect the utun interfaces that currently have an IPv4 address assigned
interfaces=( $(netstat -in | egrep 'utun\d .*\d+\.\d+\.\d+\.\d+' | cut -d ' ' -f 1) )
rulefile="rules.tmp"
echo "" > "$rulefile"
# Flush any existing nat rules in the com.apple/tun anchor
sudo pfctl -a com.apple/tun -F nat
for i in "${interfaces[@]}"
do
  # Masquerade traffic from 192.168.64.0/24 out of each tunnel interface
  RULE="nat on ${i} proto {tcp, udp, icmp} from 192.168.64.0/24 to any -> ${i}"
  echo "$RULE" >> "$rulefile"
done
# Load the generated nat rules into the anchor
sudo pfctl -a com.apple/tun -f "$rulefile"
Thank you so much!!!
If someone is like me getting the following error:
No ALTQ support in kernel
ALTQ related functions disabled
nat cleared
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.
To fix this, simply go to: Mac Preferences -> Security -> Firewall
and enable the Firewall. Rerun the script and it should fix it.
I enabled the Firewall and I'm still seeing this:
$ bash masq.sh
No ALTQ support in kernel
ALTQ related functions disabled
nat cleared
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.
No ALTQ support in kernel
ALTQ related functions disabled
Any ideas?
In my case I had to change the interface from utun1 to utun16 in rules.tmp, as utun16 is the one that is serving the VPN on my machine.
@mindanh Does modifying the regex to interfaces=( $(netstat -in | egrep 'utun\d+ .*\d+\.\d+\.\d+\.\d+' | cut -d ' ' -f 1) ) work?
The firewall in high sierra (10.13.1 (17B48)) is different, how can I make it work for that?
I was able to make it work on MacOS Sierra by changing my VPN settings: allowing local LAN access but disabling blocking connections to untrusted servers
I can confirm this works with macOS 10.13.2 (high sierra)
@hayderimran7 Your script is not working because it is missing the anchor "tun". Follow this guide to add it:
https://apple.stackexchange.com/questions/312400/pfctl-howto-add-an-anchor-and-make-it-active-load-it
I tried this under macOS 10.5.5 Catalina and also get this "No ALTQ support in kernel" message.
Unfortunately @clemcke's tip is also not working under this version.
I also have a question about the rule itself:
What is it exactly doing?
What does this 192.168.64.0/24 mean?
I need a way to prevent calls to a remote network, to which I'm connected over a Pulse Secure VPN client, for a specific IP range (10.211.55.0/24).
Would this script do this for me (if it would work in general) if I changed the "192.168.64.0/24" part to "10.211.55.0/24"?
Or is this working the other way around, so only IPs in the range 192.168.64.0/24 get routed to the remote net?
Checks all utun devices via netstat that have an associated address, creates a masquerade rule for each, appends it to a file, then runs pfctl to set the nat rules.
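As an added example (not the gist's own code), the same interface-discovery and rule-generation steps written as POSIX shell functions that run against a constructed netstat -in sample; it also matches multi-digit names such as utun16 (the case raised above) and parses the generated rules with pfctl -n before loading them. It assumes the gist's com.apple/tun anchor and 192.168.64.0/24 source network.

```shell
#!/bin/sh
# Constructed sample of `netstat -in` output (not captured from a real machine).
SAMPLE_NETSTAT='Name       Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
lo0        16384 <Link#1>                           100     0      100     0     0
en0        1500  <Link#4>      aa:bb:cc:dd:ee:ff    200     0      200     0     0
en0        1500  192.168.1/24  192.168.1.20         200     -      200     -     -
utun0      1380  <Link#12>                            0     0        0     0     0
utun1      1400  10.8.0/24     10.8.0.5              50     -       50     -     -
utun16     1400  10.211.55/24  10.211.55.7           30     -       30     -     -'

# Print utun interfaces that have an IPv4 address, one per line.
# [0-9]+ after "utun" also matches utun16; the gist's utun\d only matched one digit.
list_tun_interfaces() {
  # $1: netstat -in output
  printf '%s\n' "$1" \
    | grep -E '^utun[0-9]+ .*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' \
    | awk '{print $1}' \
    | sort -u
}

# Emit one pf nat rule per tunnel interface: traffic from the source network
# ($2, the VM network in the gist) is rewritten to the tunnel's own address.
build_nat_rules() {
  # $1: netstat -in output, $2: source network in CIDR form
  for i in $(list_tun_interfaces "$1"); do
    printf 'nat on %s proto {tcp, udp, icmp} from %s to any -> %s\n' "$i" "$2" "$i"
  done
}

# Parse the rules first (pfctl -n loads nothing), then flush and load the anchor.
# Must run as root; the anchor name is the one used by the gist.
load_rules() {
  # $1: rule text
  f=$(mktemp) || return 1
  printf '%s\n' "$1" > "$f"
  pfctl -n -f "$f" && pfctl -a com.apple/tun -F nat && pfctl -a com.apple/tun -f "$f"
  rc=$?
  rm -f "$f"
  return $rc
}

if [ "${1:-}" = "--apply" ]; then
  load_rules "$(build_nat_rules "$(netstat -in)" "192.168.64.0/24")"
else
  # Dry run: show the rules the constructed sample would produce
  build_nat_rules "$SAMPLE_NETSTAT" "192.168.64.0/24"
fi
```

Run without arguments to see the rules generated from the sample; `sudo sh script.sh --apply` generates them from the live netstat output and loads them.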