macOS PF forwarding rules are incompatible with Docker Desktop and some VPN apps #248

Open
oleg-vinted opened this issue Oct 11, 2023 · 0 comments

@oleg-vinted
On macOS, Invoker uses PF to set up forwarding rules (80 -> 23401, 443 -> 23402)*. Sometimes this setup conflicts with other applications that manage firewall rules, such as some VPN apps and Docker Desktop.

These applications set the PF option set skip on lo0, which skips any processing on the loopback interface, effectively disabling Invoker's forwarding rules. The way you can check if you're affected by this exact issue is:

sudo pfctl -s Interfaces -v 2>/dev/null | grep lo0

If it says just lo0, forwarding should work. If it says lo0 (skip) then the forwarding rules will not work.

Workaround: reset PF options by running sudo pfctl -O -f /etc/pf.conf.

A possible solution is to switch to userspace forwarding, like the socat-based solution Invoker uses on Linux.

* Ports are set dynamically during setup depending on port availability; you might have different target ports.
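
The check described in the issue, wrapped as a reusable shell function that distinguishes "lo0", "lo0 (skip)" and a missing lo0 entry (for example when pfctl returns nothing). This is an added example, not part of the original issue or of Invoker's code; the function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify lo0 from `pfctl -s Interfaces -v` output read on stdin.
# Prints "skip", "active" or "missing" (lo0 not listed, e.g. pfctl gave no output).
lo0_pf_state() {
    awk '
        # Match the interface name exactly so other interfaces never count as lo0.
        $1 == "lo0" { found = 1; if ($0 ~ /\(skip\)/) skipped = 1 }
        END {
            if (!found)       print "missing"
            else if (skipped) print "skip"
            else              print "active"
        }'
}

# Turn a state into a message; returns non-zero when forwarding will not work.
explain_state() {
    case "$1" in
        active) echo "lo0 is processed by PF: forwarding rules should work"
                return 0 ;;
        skip)   echo "lo0 is skipped by PF: forwarding rules will not work"
                echo "workaround from the issue: sudo pfctl -O -f /etc/pf.conf"
                return 1 ;;
        *)      echo "lo0 not found in pfctl output"
                return 2 ;;
    esac
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_ACTIVE='en0
lo0
utun3'
SAMPLE_SKIP='en0
lo0 (skip)
utun3'

# Live check on macOS: sh check_lo0.sh --live
if [ "${1:-}" = "--live" ]; then
    explain_state "$(sudo pfctl -s Interfaces -v 2>/dev/null | lo0_pf_state)"
fi
```

The script only reports the state and prints the workaround; it does not change PF options itself.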
