Hacker News

> Nowadays, you can't even have multiple routing tables on the latter, the firewall code was probably last updated in Snow Leopard

Apple uses OpenBSD's Packet Filter [1]; I doubt multiple routing tables are a problem. Back in the Snow Leopard days, it was FreeBSD's IPFW, which is also no slouch.

Whatever a firewall can do, PF can do it.

You can also get a nice GUI for PF [2].

[1]: https://www.openbsd.org/faq/pf/index.html

[2]: https://www.murusfirewall.com/murus/


Yes, I meant pf. Indeed, it was there in the source tree in 10.6 but they only flipped it on in release builds in 10.7. My bad. Either way, it has hardly changed since then, while the OpenBSD upstream continued to progress.

> I doubt multiple routing tables are a problem.

The lack of them is a limitation for me (complex VM + VPN setup), which requires me to do pretty unholy static routing and address rewriting with pf.

I think even Apple has come across this; they added "scoped routing" (which IMO is a hacky workaround providing some of the functionality you'd get with multiple routing tables) just before iOS shipped with MMS support. Android, for comparison, uses Linux's routing policies and tables to send and receive MMS.



