macOS – Restrict User to Specific Source Network IP Address

Tags: ethernet, macos, network

Assume my Mac Mini (Sierra/High Sierra, doesn't matter) has two defined users: user1 and user2.

The machine has two IPs assigned via Ethernet:

en7: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500  
options=4<VLAN_MTU>     
...
inet 192.168.1.24 netmask 0xffffff00 broadcast 192.168.1.255    
inet 192.168.1.25 netmask 0xffffff00 broadcast 192.168.1.255
...
status: active

Is it possible to restrict user1 to 192.168.1.24 and user2 to 192.168.1.25?

i.e., when user1 performs any network action on the machine, the source IP would be 192.168.1.24.

Both users can be logged in to the machine at the same time via SSH.

UPDATE

So it's possible to perform source IP NAT translation by adding the following rule to pfctl:

nat on en0 inet from any to any -> 192.168.1.24

But NAT rules do not support filtering by a specific user, in contrast to block/pass rules, so I need to keep digging.
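Since pf's pass/block rules do accept a `user` match (the point made just above), one defender-side option the thread does not spell out is to deny rather than rewrite: leave the kernel's default source-address selection alone and drop any packet a user tries to send from the other user's address. The following is an added example, not the asker's configuration; the interface and addresses are the ones from the question, while the anchor file path and the use of `log` are my own choices.

```pf
# /etc/pf.anchors/per_user_source   (assumed path; hook it into /etc/pf.conf with
#   anchor "per_user_source"
#   load anchor "per_user_source" from "/etc/pf.anchors/per_user_source")
ext_if   = "en7"
user1_ip = "192.168.1.24"
user2_ip = "192.168.1.25"

# Each user may only originate traffic from the address assigned to them.
# pf's "user" keyword matches the owner of the local socket, so it only
# applies to connections that start on this host, which is the case asked about.
pass out quick on $ext_if inet from $user1_ip user user1
pass out quick on $ext_if inet from $user2_ip user user2

# Anything else these two users send out of this box is dropped and logged to
# pflog0; the log entries also reveal processes that were not bound to the right IP.
block out log quick on $ext_if inet user { user1, user2 }
```

Check the syntax with `sudo pfctl -nf /etc/pf.anchors/per_user_source` before loading, and create `pflog0` (`sudo ifconfig pflog0 create`) if you want the logged drops visible in `tcpdump -i pflog0`. The caveat is that this enforces but does not translate: a process owned by user2 still gets 192.168.1.24 as its source unless it binds explicitly (for example `ssh -b 192.168.1.25` or `curl --interface 192.168.1.25`), so unbound traffic from user2 is blocked rather than rewritten.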

Best Answer

The solution was to implement a Network Kernel Extension that changes the source IP of the socket based on the user ID.

More on NKEs can be found here
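To see which decision the kernel extension from the answer has to intercept, here is an added Python example (not code from the answer or from any NKE) showing that the source address of an outgoing TCP connection is fixed by the local address the socket is bound to before `connect()`. A user-space wrapper can make the same per-uid choice from inside a process; the kernel extension does it for every socket regardless of the process. The uid-to-address table is constructed, and loopback aliases stand in for 192.168.1.24/.25 so the script runs without extra interfaces (Linux accepts any 127/8 address out of the box; on macOS you would first need `sudo ifconfig lo0 alias 127.0.0.2 up`).

```python
import socket
import threading

# Constructed mapping: which local address each user id must source from.
# In the real setup these would be 192.168.1.24 and .25 on en7.
SOURCE_FOR_UID = {
    1001: "127.0.0.1",  # stands in for user1 -> 192.168.1.24
    1002: "127.0.0.2",  # stands in for user2 -> 192.168.1.25
}


def connect_as(uid, dst_host, dst_port):
    """Open a TCP connection whose source address is pinned by the caller's uid.

    Returns the local address the client socket ended up with. Uids with no
    assigned address are refused outright (default deny) instead of falling
    back to whatever the kernel would pick.
    """
    src = SOURCE_FOR_UID.get(uid)
    if src is None:
        raise PermissionError(f"uid {uid} has no assigned source address")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((src, 0))  # this bind is what fixes the source IP (port 0 = any)
        s.connect((dst_host, dst_port))
        return s.getsockname()[0]
    finally:
        s.close()


def observed_source(uid):
    """Connect as `uid` to a local listener; return (client_view, server_view).

    client_view is what the client believes its source address is, server_view
    is the peer address the accepting side actually saw. They must agree.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}
    done = threading.Event()

    def accept_one():
        conn, addr = srv.accept()
        result["server_view"] = addr[0]
        conn.close()
        done.set()

    threading.Thread(target=accept_one, daemon=True).start()
    try:
        client_view = connect_as(uid, "127.0.0.1", port)
        done.wait(timeout=5)
    finally:
        srv.close()
    return client_view, result.get("server_view")


if __name__ == "__main__":
    for uid in SOURCE_FOR_UID:
        print(uid, observed_source(uid))
    try:
        observed_source(9999)
    except PermissionError as e:
        print("refused:", e)
```

The server-side view is the one a remote peer (or a pf `user` rule on this host) would act on, which is why the demo compares it to the client's own idea of its address rather than trusting either alone.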