]> git.saurik.com Git - apple/xnu.git/blame - bsd/netinet/kpi_ipfilter.c
xnu-1699.32.7.tar.gz
[apple/xnu.git] / bsd / netinet / kpi_ipfilter.c
CommitLineData
91447636 1/*
6d2010ae 2 * Copyright (c) 2004-2011 Apple Inc. All rights reserved.
5d5c5d0d 3 *
2d21ac55 4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
91447636 5 *
2d21ac55
A
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
8f6c56a5 14 *
2d21ac55
A
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
8f6c56a5
A
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
2d21ac55
A
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
8f6c56a5 25 *
2d21ac55 26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
91447636
A
27 */
28
29#include <sys/param.h> /* for definition of NULL */
30#include <sys/errno.h>
31#include <sys/malloc.h>
32#include <sys/socket.h>
33#include <sys/mbuf.h>
34#include <sys/systm.h>
b0d623f7
A
35#include <libkern/OSAtomic.h>
36
37#include <machine/endian.h>
91447636
A
38
39#define _IP_VHL
40#include <net/if_var.h>
41#include <net/route.h>
42#include <net/kpi_protocol.h>
43
44#include <netinet/in_systm.h>
45#include <netinet/in.h>
46#include <netinet/in_var.h>
47#include <netinet6/in6_var.h>
48#include <netinet/ip.h>
49#include <netinet/ip6.h>
50#include <netinet/ip_var.h>
51#include <netinet6/ip6_var.h>
52#include <netinet/kpi_ipfilter_var.h>
53
b0d623f7 54
91447636
A
55/*
56 * kipf_lock and kipf_ref protect the linkage of the list of IP filters
57 * An IP filter can be removed only when kipf_ref is zero
58 * If an IP filter cannot be removed because kipf_ref is not null, then
59 * the IP filter is marjed and kipf_delayed_remove is set so that when
60 * kipf_ref eventually goes down to zero, the IP filter is removed
61 */
62static lck_mtx_t *kipf_lock = 0;
b0d623f7
A
63static u_int32_t kipf_ref = 0;
64static u_int32_t kipf_delayed_remove = 0;
65u_int32_t kipf_count = 0;
91447636
A
66
67__private_extern__ struct ipfilter_list ipv4_filters = TAILQ_HEAD_INITIALIZER(ipv4_filters);
68__private_extern__ struct ipfilter_list ipv6_filters = TAILQ_HEAD_INITIALIZER(ipv6_filters);
69__private_extern__ struct ipfilter_list tbr_filters = TAILQ_HEAD_INITIALIZER(tbr_filters);
70
71__private_extern__ void
72ipf_ref(void)
73{
74 lck_mtx_lock(kipf_lock);
75 kipf_ref++;
76 lck_mtx_unlock(kipf_lock);
77}
78
79__private_extern__ void
80ipf_unref(void)
81{
82 lck_mtx_lock(kipf_lock);
83
84 if (kipf_ref == 0)
85 panic("ipf_unref: kipf_ref == 0\n");
86
87 kipf_ref--;
88 if (kipf_ref == 0 && kipf_delayed_remove != 0) {
89 struct ipfilter *filter;
90
91 while ((filter = TAILQ_FIRST(&tbr_filters))) {
92 ipf_detach_func ipf_detach = filter->ipf_filter.ipf_detach;
93 void* cookie = filter->ipf_filter.cookie;
94
95 TAILQ_REMOVE(filter->ipf_head, filter, ipf_link);
96 TAILQ_REMOVE(&tbr_filters, filter, ipf_tbr);
97 kipf_delayed_remove--;
98
99 if (ipf_detach) {
100 lck_mtx_unlock(kipf_lock);
101 ipf_detach(cookie);
102 lck_mtx_lock(kipf_lock);
103 /* In case some filter got to run while we released the lock */
104 if (kipf_ref != 0)
105 break;
106 }
107 }
108 }
109 lck_mtx_unlock(kipf_lock);
110}
111
112static errno_t
113ipf_add(
114 const struct ipf_filter* filter,
115 ipfilter_t *filter_ref,
116 struct ipfilter_list *head)
117{
118 struct ipfilter *new_filter;
119 if (filter->name == NULL || (filter->ipf_input == NULL && filter->ipf_output == NULL))
120 return EINVAL;
121
122 MALLOC(new_filter, struct ipfilter*, sizeof(*new_filter), M_IFADDR, M_WAITOK);
123 if (new_filter == NULL)
124 return ENOMEM;
125
126 lck_mtx_lock(kipf_lock);
127 new_filter->ipf_filter = *filter;
128 new_filter->ipf_head = head;
129
b0d623f7 130 TAILQ_INSERT_HEAD(head, new_filter, ipf_link);
91447636
A
131
132 lck_mtx_unlock(kipf_lock);
133
134 *filter_ref = (ipfilter_t)new_filter;
b0d623f7
A
135
136 /* This will force TCP to re-evaluate its use of TSO */
137 OSAddAtomic(1, &kipf_count);
138 if (use_routegenid)
139 routegenid_update();
140
91447636
A
141 return 0;
142}
143
144errno_t
145ipf_addv4(
146 const struct ipf_filter* filter,
147 ipfilter_t *filter_ref)
148{
149 return ipf_add(filter, filter_ref, &ipv4_filters);
150}
151
152errno_t
153ipf_addv6(
154 const struct ipf_filter* filter,
155 ipfilter_t *filter_ref)
156{
157 return ipf_add(filter, filter_ref, &ipv6_filters);
158}
159
160errno_t
161ipf_remove(
162 ipfilter_t filter_ref)
163{
164 struct ipfilter *match = (struct ipfilter*)filter_ref;
165 struct ipfilter_list *head;
166
167 if (match == 0 || (match->ipf_head != &ipv4_filters && match->ipf_head != &ipv6_filters))
168 return EINVAL;
169
170 head = match->ipf_head;
171
172 lck_mtx_lock(kipf_lock);
173 TAILQ_FOREACH(match, head, ipf_link) {
174 if (match == (struct ipfilter*)filter_ref) {
175 ipf_detach_func ipf_detach = match->ipf_filter.ipf_detach;
176 void* cookie = match->ipf_filter.cookie;
177
178 /*
179 * Cannot detach when they are filters running
180 */
181 if (kipf_ref) {
182 kipf_delayed_remove++;
183 TAILQ_INSERT_TAIL(&tbr_filters, match, ipf_tbr);
184 match->ipf_filter.ipf_input = 0;
185 match->ipf_filter.ipf_output = 0;
186 lck_mtx_unlock(kipf_lock);
187 } else {
188 TAILQ_REMOVE(head, match, ipf_link);
189 lck_mtx_unlock(kipf_lock);
190 if (ipf_detach)
191 ipf_detach(cookie);
192 FREE(match, M_IFADDR);
b0d623f7
A
193
194 /* This will force TCP to re-evaluate its use of TSO */
195 OSAddAtomic(-1, &kipf_count);
196 if (use_routegenid)
197 routegenid_update();
198
91447636
A
199 }
200 return 0;
201 }
202 }
203 lck_mtx_unlock(kipf_lock);
204
205 return ENOENT;
206}
207
208int log_for_en1 = 0;
209
210errno_t
211ipf_inject_input(
212 mbuf_t data,
213 ipfilter_t filter_ref)
214{
215 struct mbuf *m = (struct mbuf*)data;
216 struct m_tag *mtag = 0;
217 struct ip *ip = mtod(m, struct ip *);
218 u_int8_t vers;
219 int hlen;
220 errno_t error = 0;
221 protocol_family_t proto;
222
223 vers = IP_VHL_V(ip->ip_vhl);
224
225 switch (vers) {
226 case 4:
227 proto = PF_INET;
228 break;
229 case 6:
230 proto = PF_INET6;
231 break;
232 default:
233 error = ENOTSUP;
234 goto done;
235 }
236
237 if (filter_ref == 0 && m->m_pkthdr.rcvif == 0) {
6d2010ae 238 m->m_pkthdr.rcvif = lo_ifp;
91447636
A
239 m->m_pkthdr.csum_data = 0;
240 m->m_pkthdr.csum_flags = 0;
241 if (vers == 4) {
242 hlen = IP_VHL_HL(ip->ip_vhl) << 2;
243 ip->ip_sum = 0;
244 ip->ip_sum = in_cksum(m, hlen);
245 }
246 }
247 if (filter_ref != 0) {
6d2010ae
A
248 mtag = m_tag_create(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT,
249 sizeof (ipfilter_t), M_NOWAIT, m);
91447636
A
250 if (mtag == NULL) {
251 error = ENOMEM;
252 goto done;
253 }
254 *(ipfilter_t*)(mtag+1) = filter_ref;
255 m_tag_prepend(m, mtag);
256 }
257
258 error = proto_inject(proto, data);
259
260done:
261 return error;
262}
263
264static errno_t
6d2010ae 265ipf_injectv4_out(mbuf_t data, ipfilter_t filter_ref, ipf_pktopts_t options)
91447636
A
266{
267 struct route ro;
91447636
A
268 struct ip *ip;
269 struct mbuf *m = (struct mbuf*)data;
270 errno_t error = 0;
6d2010ae
A
271 struct m_tag *mtag = NULL;
272 struct ip_moptions *imo = NULL;
273 struct ip_out_args ipoa = { IFSCOPE_NONE, 0 };
274
91447636 275 /* Make the IP header contiguous in the mbuf */
6d2010ae
A
276 if ((size_t)m->m_len < sizeof (struct ip)) {
277 m = m_pullup(m, sizeof (struct ip));
278 if (m == NULL)
279 return (ENOMEM);
91447636 280 }
6d2010ae
A
281 ip = (struct ip *)m_mtod(m);
282
91447636 283 if (filter_ref != 0) {
6d2010ae
A
284 mtag = m_tag_create(KERNEL_MODULE_TAG_ID,
285 KERNEL_TAG_TYPE_IPFILT, sizeof (ipfilter_t), M_NOWAIT, m);
91447636
A
286 if (mtag == NULL) {
287 m_freem(m);
6d2010ae 288 return (ENOMEM);
91447636 289 }
6d2010ae 290 *(ipfilter_t *)(mtag + 1) = filter_ref;
91447636
A
291 m_tag_prepend(m, mtag);
292 }
6d2010ae
A
293
294 if (options != NULL && (options->ippo_flags & IPPOF_MCAST_OPTS) &&
295 (imo = ip_allocmoptions(M_DONTWAIT)) != NULL) {
91447636
A
296 imo->imo_multicast_ifp = options->ippo_mcast_ifnet;
297 imo->imo_multicast_ttl = options->ippo_mcast_ttl;
298 imo->imo_multicast_loop = options->ippo_mcast_loop;
299 }
6d2010ae
A
300
301 if (options != NULL &&
302 (options->ippo_flags & (IPPOF_BOUND_IF | IPPOF_NO_IFT_CELLULAR))) {
303 if (options->ippo_flags & IPPOF_BOUND_IF) {
304 ipoa.ipoa_boundif = options->ippo_flags >>
305 IPPOF_SHIFT_IFSCOPE;
306 }
307 if (options->ippo_flags & IPPOF_NO_IFT_CELLULAR)
308 ipoa.ipoa_nocell = 1;
91447636 309 }
6d2010ae
A
310
311 bzero(&ro, sizeof(struct route));
312
0c530ab8 313 /* Put ip_len and ip_off in host byte order, ip_output expects that */
b0d623f7
A
314
315#if BYTE_ORDER != BIG_ENDIAN
0c530ab8
A
316 NTOHS(ip->ip_len);
317 NTOHS(ip->ip_off);
b0d623f7
A
318#endif
319
6d2010ae
A
320 /* Send; enforce source interface selection via IP_OUTARGS flag */
321 error = ip_output(m, NULL, &ro,
322 IP_ALLOWBROADCAST | IP_RAWOUTPUT | IP_OUTARGS, imo, &ipoa);
323
91447636 324 /* Release the route */
b0d623f7 325 if (ro.ro_rt)
91447636 326 rtfree(ro.ro_rt);
6d2010ae
A
327
328 if (imo != NULL)
329 IMO_REMREF(imo);
330
331 return (error);
91447636
A
332}
333
2d21ac55 334#if INET6
91447636 335static errno_t
6d2010ae 336ipf_injectv6_out(mbuf_t data, ipfilter_t filter_ref, ipf_pktopts_t options)
91447636
A
337{
338 struct route_in6 ro;
91447636
A
339 struct ip6_hdr *ip6;
340 struct mbuf *m = (struct mbuf*)data;
341 errno_t error = 0;
6d2010ae
A
342 struct m_tag *mtag = NULL;
343 struct ip6_moptions *im6o = NULL;
344 struct ip6_out_args ip6oa = { IFSCOPE_NONE, 0 };
345
91447636
A
346 /* Make the IP header contiguous in the mbuf */
347 if ((size_t)m->m_len < sizeof(struct ip6_hdr)) {
348 m = m_pullup(m, sizeof(struct ip6_hdr));
6d2010ae
A
349 if (m == NULL)
350 return (ENOMEM);
91447636
A
351 }
352 ip6 = (struct ip6_hdr*)m_mtod(m);
353
354 if (filter_ref != 0) {
6d2010ae
A
355 mtag = m_tag_create(KERNEL_MODULE_TAG_ID,
356 KERNEL_TAG_TYPE_IPFILT, sizeof (ipfilter_t), M_NOWAIT, m);
91447636
A
357 if (mtag == NULL) {
358 m_freem(m);
6d2010ae 359 return (ENOMEM);
91447636 360 }
6d2010ae 361 *(ipfilter_t *)(mtag + 1) = filter_ref;
91447636
A
362 m_tag_prepend(m, mtag);
363 }
6d2010ae
A
364
365 if (options != NULL && (options->ippo_flags & IPPOF_MCAST_OPTS) &&
366 (im6o = ip6_allocmoptions(M_DONTWAIT)) != NULL) {
91447636
A
367 im6o->im6o_multicast_ifp = options->ippo_mcast_ifnet;
368 im6o->im6o_multicast_hlim = options->ippo_mcast_ttl;
369 im6o->im6o_multicast_loop = options->ippo_mcast_loop;
370 }
6d2010ae
A
371
372 if (options != NULL &&
373 (options->ippo_flags & (IPPOF_BOUND_IF | IPPOF_NO_IFT_CELLULAR))) {
374 if (options->ippo_flags & IPPOF_BOUND_IF) {
375 ip6oa.ip6oa_boundif = options->ippo_flags >>
376 IPPOF_SHIFT_IFSCOPE;
377 }
378 if (options->ippo_flags & IPPOF_NO_IFT_CELLULAR)
379 ip6oa.ip6oa_nocell = 1;
91447636 380 }
6d2010ae
A
381
382 bzero(&ro, sizeof(struct route_in6));
383
384 /*
385 * Send mbuf and ifscope information. Check for correctness
386 * of ifscope information is done while searching for a route in
387 * ip6_output.
388 */
389 error = ip6_output(m, NULL, &ro, IPV6_OUTARGS, im6o, NULL, &ip6oa);
390
91447636 391 /* Release the route */
b0d623f7 392 if (ro.ro_rt)
91447636 393 rtfree(ro.ro_rt);
6d2010ae
A
394
395 if (im6o != NULL)
396 IM6O_REMREF(im6o);
397
398 return (error);
91447636 399}
2d21ac55 400#endif /* INET6 */
91447636
A
401
402errno_t
403ipf_inject_output(
404 mbuf_t data,
405 ipfilter_t filter_ref,
406 ipf_pktopts_t options)
407{
408 struct mbuf *m = (struct mbuf*)data;
409 u_int8_t vers;
410 errno_t error = 0;
411
412 /* Make one byte of the header contiguous in the mbuf */
413 if (m->m_len < 1) {
414 m = m_pullup(m, 1);
415 if (m == NULL)
416 goto done;
417 }
418
419 vers = (*(u_int8_t*)m_mtod(m)) >> 4;
420 switch (vers)
421 {
422 case 4:
423 error = ipf_injectv4_out(data, filter_ref, options);
424 break;
2d21ac55 425#if INET6
91447636
A
426 case 6:
427 error = ipf_injectv6_out(data, filter_ref, options);
428 break;
2d21ac55 429#endif
91447636
A
430 default:
431 m_freem(m);
432 error = ENOTSUP;
433 break;
434 }
435
436done:
437 return error;
438}
439
440__private_extern__ ipfilter_t
441ipf_get_inject_filter(struct mbuf *m)
442{
443 ipfilter_t filter_ref = 0;
444 struct m_tag *mtag;
445
446 mtag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT, NULL);
447 if (mtag) {
448 filter_ref = *(ipfilter_t *)(mtag+1);
449
450 m_tag_delete(m, mtag);
451 }
452 return filter_ref;
453}
454
455__private_extern__ int
456ipf_init(void)
457{
458 int error = 0;
459 lck_grp_attr_t *grp_attributes = 0;
460 lck_attr_t *lck_attributes = 0;
461 lck_grp_t *lck_grp = 0;
462
463 grp_attributes = lck_grp_attr_alloc_init();
464 if (grp_attributes == 0) {
465 printf("ipf_init: lck_grp_attr_alloc_init failed\n");
466 error = ENOMEM;
467 goto done;
468 }
91447636
A
469
470 lck_grp = lck_grp_alloc_init("IP Filter", grp_attributes);
471 if (lck_grp == 0) {
472 printf("ipf_init: lck_grp_alloc_init failed\n");
473 error = ENOMEM;
474 goto done;
475 }
476
477 lck_attributes = lck_attr_alloc_init();
478 if (lck_attributes == 0) {
479 printf("ipf_init: lck_attr_alloc_init failed\n");
480 error = ENOMEM;
481 goto done;
482 }
91447636
A
483
484 kipf_lock = lck_mtx_alloc_init(lck_grp, lck_attributes);
485 if (kipf_lock == 0) {
486 printf("ipf_init: lck_mtx_alloc_init failed\n");
487 error = ENOMEM;
488 goto done;
489 }
490 done:
491 if (error != 0) {
492 if (kipf_lock) {
493 lck_mtx_free(kipf_lock, lck_grp);
494 kipf_lock = 0;
495 }
496 }
497 if (lck_grp) {
498 lck_grp_free(lck_grp);
499 lck_grp = 0;
500 }
501 if (grp_attributes) {
502 lck_grp_attr_free(grp_attributes);
503 grp_attributes = 0;
504 }
505 if (lck_attributes) {
506 lck_attr_free(lck_attributes);
507 lck_attributes = 0;
508 }
509
510 return error;
511}