This version adds support for application-based split tunneling.
With the following configuration in a profile, egress traffic is routed through the desired device.
```json
{
  "network": {
    "outbound_interface": "<device name>"
  }
}
```
This feature requires root or `CAP_NET_ADMIN` permissions.
How it works under the hood:
- The routing table is searched for routes through the target device.
- Matching routes are copied to a secondary routing table.
- Packets originating from pallium's interface are marked using `fwmark`.
- Policy-based routing is set up for packets matching the mark to use the secondary routing table.
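The four steps above, written out as the equivalent `ip`/`iptables` commands. This is an added example, not pallium's own code: it only prints a plan from a constructed `ip route show` sample and changes nothing on the host. The table id `100`, mark `0x64`, interface names `wlan0` and `veth-sbx`, and the use of iptables for marking are assumptions.

```shell
#!/bin/sh
# Dry-run sketch (added example): prints commands, never executes them.

# Constructed sample of `ip route show` output (documentation address ranges).
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0 proto dhcp metric 100
default via 198.51.100.1 dev wlan0 proto dhcp metric 600
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
198.51.100.0/24 dev wlan0 proto kernel scope link src 198.51.100.20'

# plan_split_tunnel OUT_DEV SANDBOX_IF TABLE MARK   (main-table routes on stdin)
plan_split_tunnel() {
    out_dev=$1 sbx_if=$2 table=$3 mark=$4
    # Reject interface names that could smuggle extra arguments into a command.
    for name in "$out_dev" "$sbx_if"; do
        case $name in
            ''|*[!A-Za-z0-9_.-]*) echo "invalid interface: $name" >&2; return 1 ;;
        esac
    done
    # Step 1: search the routing table for routes through the target device.
    routes=$(awk -v dev="$out_dev" \
        '{ for (i = 1; i < NF; i++) if ($i == "dev" && $(i + 1) == dev) { print; next } }')
    # An empty secondary table would let marked packets fall through to the
    # main table and leave via the default route, so refuse to continue.
    [ -n "$routes" ] || { echo "no routes through $out_dev" >&2; return 1; }
    # Step 2: copy the matching routes into the secondary table.
    printf '%s\n' "$routes" | while IFS= read -r route; do
        echo "ip route add $route table $table"
    done
    # Step 3: mark packets arriving from the sandbox interface (assumed mechanism).
    echo "iptables -t mangle -A PREROUTING -i $sbx_if -j MARK --set-mark $mark"
    # Step 4: policy rule sending marked packets to the secondary table.
    echo "ip rule add fwmark $mark lookup $table"
}

# Print the plan for the sample: sandbox traffic leaves via wlan0, not eth0.
printf '%s\n' "$SAMPLE_ROUTES" | plan_split_tunnel wlan0 veth-sbx 100 0x64
```

To confirm a live setup, compare `ip rule show` and `ip route show table 100` against the printed plan.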