Skip to content
This repository has been archived by the owner. It is now read-only.
A kernel network manager with monitoring and limiting capabilities for macOS. #nsacyber
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


This is a experimental beginner Network Kernel Extention (NKE) with a menu bar application. It can filter by process identifier, IP, or network interfaces using a i/o byte limit.

This project is NOT meant to be run on a production machine - use at your own risk! Tested on macOS 10.12.1

This is a kernel level alternative to netman.

The following NKE filters are used:

Example use cases

  • Create a socket filter to ensure an application only uploads X bytes
  • Create an interface filter to ensure you don't go over your data limit when tethering
  • Create an IP filter to manage your bandwidth usage to an external host


You can load the KEXT with the ./ iffilter.kext command. Note: Loading unsigned kernel extensions requires System Integrity Protection (SIP) to be turn off.

System Controls

This NKE uses sysctl to cross boundaries between kernel code and appliactions.

You can communicate directly with them using the sysctl command. To view most system controls run sysctl -a net.netfil

Interface Filter

  • net.netfil.interface.list <struct CCArray>: size is the number of interfaces; names contains a list of null-terminated network interface names.
  • net.netfil.interface.ibyte <int>
  • net.netfil.interface.obyte <int>
  • net.netfil.interface.iobyte <int>
  • net.netfil.interface.status <int>: 0 is "off", 1 is "on"

Socket Filter

  • <int>
  • net.netfil.socket.ibyte <int>
  • net.netfil.socket.obyte <int>
  • net.netfil.socket.iobyte <int>
  • net.netfil.socket.status <int>: 0 is "off", 1 is "on"

IP Filter

  • net.netfil.ip.addr <struct in_addr> or <struct in6_addr>
  • net.netfil.ip.ibyte <int>
  • net.netfil.ip.obyte <int>
  • net.netfil.ip.iobyte <int>
  • net.netfil.ip.status <int>: 0 is "off", 1 is "on"

Note: You cannot set the net.netfil.ip.addr or the net.netfil.interface.list via commandline.

To run a fitler, first set its' options then change its' status to 1. It is always smart to validate your options before you start.

For iobyte, ibyte, and obyte, a zero value represents unmetered/unlimited (no filtering).

Menu Bar / GUI Application

You can use the menu bar application to control the KEXT. A green icon with a dot means the filter is "on", a red icon with a line means the filter is "off", a gray icon with a radar-like symobl means the KEXT is probably not loaded or there is an error. Icon are from Oxygen Team.



  • Right now you can only run one socket, interface, or IP filter at a time.
  • Does not add new interfaces to filter (mac policy might be able to help with this?)
  • Anyone can change the variables as root permission is not required. This is very dangerous!
  • Not signed so have to jump thru some hoops to get this loaded on your machine.


  • Application will only filter IPv4 addresses for the IP filter.
  • Application will not be alerted instantly on KEXT changes.

Useful Resources





You can’t perform that action at this time.