[apple/xnu.git] / bsd / netinet / kpi_ipfilter.c

/*
 * Copyright (c) 2003 Apple Computer, Inc. All rights reserved.
 *
 * @APPLE_LICENSE_OSREFERENCE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code 
 * as defined in and that are subject to the Apple Public Source License 
 * Version 2.0 (the 'License'). You may not use this file except in 
 * compliance with the License.  The rights granted to you under the 
 * License may not be used to create, or enable the creation or 
 * redistribution of, unlawful or unlicensed copies of an Apple operating 
 * system, or to circumvent, violate, or enable the circumvention or 
 * violation of, any terms of an Apple operating system software license 
 * agreement.
 *
 * Please obtain a copy of the License at 
 * http://www.opensource.apple.com/apsl/ and read it before using this 
 * file.
 *
 * The Original Code and all software distributed under the License are 
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 
 * Please see the License for the specific language governing rights and 
 * limitations under the License.
 *
 * @APPLE_LICENSE_OSREFERENCE_HEADER_END@
 */

#include <sys/param.h>	/* for definition of NULL */
#include <sys/errno.h>
#include <sys/malloc.h>
#include <sys/socket.h>
#include <sys/mbuf.h>
#include <sys/systm.h>

#define _IP_VHL
#include <net/if_var.h>
#include <net/route.h>
#include <net/kpi_protocol.h>

#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/in_var.h>
#include <netinet6/in6_var.h>
#include <netinet/ip.h>
#include <netinet/ip6.h>
#include <netinet/ip_var.h>
#include <netinet6/ip6_var.h>
#include <netinet/kpi_ipfilter_var.h>

/*
 * kipf_lock and kipf_ref protect the linkage of the list of IP filters
 * An IP filter can be removed only when kipf_ref is zero
 * If an IP filter cannot be removed because kipf_ref is not null, then 
 * the IP filter is marjed and kipf_delayed_remove is set so that when 
 * kipf_ref eventually goes down to zero, the IP filter is removed
 */
static lck_mtx_t *kipf_lock = 0;
static unsigned long kipf_ref = 0;
static unsigned long kipf_delayed_remove = 0;

__private_extern__ struct ipfilter_list	ipv4_filters = TAILQ_HEAD_INITIALIZER(ipv4_filters);
__private_extern__ struct ipfilter_list	ipv6_filters = TAILQ_HEAD_INITIALIZER(ipv6_filters);
__private_extern__ struct ipfilter_list	tbr_filters = TAILQ_HEAD_INITIALIZER(tbr_filters);

__private_extern__ void
ipf_ref(void)
{
	lck_mtx_lock(kipf_lock);
    kipf_ref++;
	lck_mtx_unlock(kipf_lock);
}

__private_extern__ void
ipf_unref(void)
{
	lck_mtx_lock(kipf_lock);

    if (kipf_ref == 0)
    	panic("ipf_unref: kipf_ref == 0\n");
    	
    kipf_ref--;
    if (kipf_ref == 0 && kipf_delayed_remove != 0) {
    	struct ipfilter *filter;

		while ((filter = TAILQ_FIRST(&tbr_filters))) {
			ipf_detach_func ipf_detach = filter->ipf_filter.ipf_detach;
			void* cookie = filter->ipf_filter.cookie;
			
			TAILQ_REMOVE(filter->ipf_head, filter, ipf_link);
			TAILQ_REMOVE(&tbr_filters, filter, ipf_tbr);
			kipf_delayed_remove--;

			if (ipf_detach) {
				lck_mtx_unlock(kipf_lock);
				ipf_detach(cookie);
				lck_mtx_lock(kipf_lock);
				/* In case some filter got to run while we released the lock */
				if (kipf_ref != 0)
					break;
			}			
		}
   	} 
	lck_mtx_unlock(kipf_lock);
}

static errno_t
ipf_add(
	const struct ipf_filter* filter,
	ipfilter_t *filter_ref,
	struct ipfilter_list *head)
{
	struct ipfilter	*new_filter;
	if (filter->name == NULL || (filter->ipf_input == NULL && filter->ipf_output == NULL))
		return EINVAL;
	
	MALLOC(new_filter, struct ipfilter*, sizeof(*new_filter), M_IFADDR, M_WAITOK);
	if (new_filter == NULL)
		return ENOMEM;
	
	lck_mtx_lock(kipf_lock);
	new_filter->ipf_filter = *filter;
	new_filter->ipf_head = head;
	
	/*
	 * 3957298
	 * Make sure third parties have a chance to filter packets before
	 * SharedIP. Always SharedIP at the end of the list.
	 */
	if (filter->name != NULL &&
		strcmp(filter->name, "com.apple.nke.SharedIP") == 0) {
		TAILQ_INSERT_TAIL(head, new_filter, ipf_link);
	}
	else {
		TAILQ_INSERT_HEAD(head, new_filter, ipf_link);
	}
	
	lck_mtx_unlock(kipf_lock);
	
	*filter_ref = (ipfilter_t)new_filter;
	return 0;
}

errno_t
ipf_addv4(
	const struct ipf_filter* filter,
	ipfilter_t *filter_ref)
{
	return ipf_add(filter, filter_ref, &ipv4_filters);
}

errno_t
ipf_addv6(
	const struct ipf_filter* filter,
	ipfilter_t *filter_ref)
{
	return ipf_add(filter, filter_ref, &ipv6_filters);
}

errno_t
ipf_remove(
	ipfilter_t filter_ref)
{
	struct ipfilter	*match = (struct ipfilter*)filter_ref;
	struct ipfilter_list *head;
	
	if (match == 0 || (match->ipf_head != &ipv4_filters && match->ipf_head != &ipv6_filters))
		return EINVAL;
	
	head = match->ipf_head;
	
	lck_mtx_lock(kipf_lock);
	TAILQ_FOREACH(match, head, ipf_link) {
		if (match == (struct ipfilter*)filter_ref) {
			ipf_detach_func ipf_detach = match->ipf_filter.ipf_detach;
			void* cookie = match->ipf_filter.cookie;
			
			/*
			 * Cannot detach when they are filters running
			 */
			if (kipf_ref) {
				kipf_delayed_remove++;
				TAILQ_INSERT_TAIL(&tbr_filters, match, ipf_tbr);
				match->ipf_filter.ipf_input = 0;
				match->ipf_filter.ipf_output = 0;
				lck_mtx_unlock(kipf_lock);
			} else {
				TAILQ_REMOVE(head, match, ipf_link);
				lck_mtx_unlock(kipf_lock);
				if (ipf_detach)
					ipf_detach(cookie);
				FREE(match, M_IFADDR);
			}
			return 0;
		}
	}
	lck_mtx_unlock(kipf_lock);
	
	return ENOENT;
}

int log_for_en1 = 0;

errno_t
ipf_inject_input(
	mbuf_t data,
	ipfilter_t filter_ref)
{
	struct mbuf	*m = (struct mbuf*)data;
	struct m_tag *mtag = 0;
	struct ip *ip = mtod(m, struct ip *);
	u_int8_t	vers;
	int hlen;
	errno_t error = 0;
	protocol_family_t proto;

	vers = IP_VHL_V(ip->ip_vhl);
	
	switch (vers) {
		case 4:
			proto = PF_INET;
			break;
		case 6:
			proto = PF_INET6;
			break;
		default:
			error = ENOTSUP;
			goto done;
	}
	
	if (filter_ref == 0 && m->m_pkthdr.rcvif == 0) {
		m->m_pkthdr.rcvif = ifunit("lo0");
		m->m_pkthdr.csum_data = 0;
		m->m_pkthdr.csum_flags = 0;
		if (vers == 4) {
			hlen = IP_VHL_HL(ip->ip_vhl) << 2;
			ip->ip_sum = 0;
			ip->ip_sum = in_cksum(m, hlen);
		}
	}
	if (filter_ref != 0) {
		mtag = m_tag_alloc(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT,
					 	   sizeof (ipfilter_t), M_NOWAIT);
		if (mtag == NULL) {
			error = ENOMEM;
			goto done;
		}	
		*(ipfilter_t*)(mtag+1) = filter_ref;
		m_tag_prepend(m, mtag);
	}
	
	error = proto_inject(proto, data);

done:
	return error;
}

static errno_t
ipf_injectv4_out(
	mbuf_t data,
	ipfilter_t filter_ref,
	ipf_pktopts_t options)
{
	struct route ro;
	struct sockaddr_in	*sin = (struct sockaddr_in*)&ro.ro_dst;
	struct ip	*ip;
	struct mbuf	*m = (struct mbuf*)data;
	errno_t error = 0;
	struct m_tag *mtag = 0;
	struct ip_moptions *imo = 0, ip_moptions;
	
	/* Make the IP header contiguous in the mbuf */
	if ((size_t)m->m_len < sizeof(struct ip)) {
		m = m_pullup(m, sizeof(struct ip));
		if (m == NULL) return ENOMEM;
	}
	ip = (struct ip*)m_mtod(m);
	
	if (filter_ref != 0) {
		mtag = m_tag_alloc(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT,
					 	   sizeof (ipfilter_t), M_NOWAIT);
		if (mtag == NULL) {
			m_freem(m);
			return ENOMEM;
		}
		*(ipfilter_t*)(mtag+1) = filter_ref;
		m_tag_prepend(m, mtag);
	}
	
	if (options && (options->ippo_flags & IPPOF_MCAST_OPTS)) {
		imo = &ip_moptions;
		
		bzero(imo, sizeof(struct ip6_moptions));
		imo->imo_multicast_ifp = options->ippo_mcast_ifnet;
		imo->imo_multicast_ttl = options->ippo_mcast_ttl;
		imo->imo_multicast_loop = options->ippo_mcast_loop;
	}
	
	/* Fill out a route structure and get a route */
	bzero(&ro, sizeof(struct route));
	sin->sin_len = sizeof(struct sockaddr_in);
	sin->sin_family = AF_INET;
	sin->sin_port = 0;
	sin->sin_addr = ip->ip_dst;
	rtalloc(&ro);
	if (ro.ro_rt == NULL) {
		m_freem(m);
		return ENETUNREACH;
	}
	
	/* Put ip_len and ip_off in host byte order, ip_output expects that */
	NTOHS(ip->ip_len);
	NTOHS(ip->ip_off);
	
	/* Send  */
	error = ip_output(m, NULL, &ro, IP_ALLOWBROADCAST | IP_RAWOUTPUT, imo);
	
	/* Release the route */
	if (ro.ro_rt)
		rtfree(ro.ro_rt);
	
	return error;
}

static errno_t
ipf_injectv6_out(
	mbuf_t data,
	ipfilter_t filter_ref,
	ipf_pktopts_t options)
{
	struct route_in6 ro;
	struct sockaddr_in6	*sin6 = &ro.ro_dst;
	struct ip6_hdr	*ip6;
	struct mbuf	*m = (struct mbuf*)data;
	errno_t error = 0;
	struct m_tag *mtag = 0;
	struct ip6_moptions *im6o = 0, ip6_moptions;
	
	/* Make the IP header contiguous in the mbuf */
	if ((size_t)m->m_len < sizeof(struct ip6_hdr)) {
		m = m_pullup(m, sizeof(struct ip6_hdr));
		if (m == NULL) return ENOMEM;
	}
	ip6 = (struct ip6_hdr*)m_mtod(m);

	if (filter_ref != 0) {
		mtag = m_tag_alloc(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT,
					 	   sizeof (ipfilter_t), M_NOWAIT);
		if (mtag == NULL) {
			m_freem(m);
			return ENOMEM;
		}
		*(ipfilter_t*)(mtag+1) = filter_ref;
		m_tag_prepend(m, mtag);
	}
	
	if (options && (options->ippo_flags & IPPOF_MCAST_OPTS)) {
		im6o = &ip6_moptions;
		
		bzero(im6o, sizeof(struct ip6_moptions));
		im6o->im6o_multicast_ifp = options->ippo_mcast_ifnet;
		im6o->im6o_multicast_hlim = options->ippo_mcast_ttl;
		im6o->im6o_multicast_loop = options->ippo_mcast_loop;
	}
	
	
	/* Fill out a route structure and get a route */
	bzero(&ro, sizeof(struct route_in6));
	sin6->sin6_len = sizeof(struct sockaddr_in6);
	sin6->sin6_family = AF_INET6;
	sin6->sin6_addr = ip6->ip6_dst;
#if 0
	/* This is breaks loopback multicast! */
	/* The scope ID should already at s6_addr16[1] */
	if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
		/* Hack, pull the scope_id out of the dest addr */
		sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
		ip6->ip6_dst.s6_addr16[1] = 0;
	} else
		sin6->sin6_scope_id = 0;
#endif
	rtalloc((struct route*)&ro);
	if (ro.ro_rt == NULL) {
		m_freem(m);
		return ENETUNREACH;
	}
	
	/* Send  */
	error = ip6_output(m, NULL, &ro, 0, im6o, NULL, 0);
	
	/* Release the route */
	if (ro.ro_rt)
		rtfree(ro.ro_rt);
	
	return error;
}

errno_t
ipf_inject_output(
	mbuf_t data,
	ipfilter_t filter_ref,
	ipf_pktopts_t options)
{
	struct mbuf	*m = (struct mbuf*)data;
	u_int8_t	vers;
	errno_t		error = 0;

	/* Make one byte of the header contiguous in the mbuf */
	if (m->m_len < 1) {
		m = m_pullup(m, 1);
		if (m == NULL) 
			goto done;
	}
	
	vers = (*(u_int8_t*)m_mtod(m)) >> 4;
	switch (vers)
	{
		case 4:
			error = ipf_injectv4_out(data, filter_ref, options);
			break;
		case 6:
			error = ipf_injectv6_out(data, filter_ref, options);
			break;
		default:
			m_freem(m);
			error = ENOTSUP;
			break;
	}

done:	
	return error;
}

__private_extern__ ipfilter_t
ipf_get_inject_filter(struct mbuf *m)
{
	ipfilter_t filter_ref = 0;
	struct m_tag *mtag;
	
	mtag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT, NULL);
	if (mtag) {
		filter_ref = *(ipfilter_t *)(mtag+1);
		
		m_tag_delete(m, mtag);
	}
	return filter_ref;
}

__private_extern__ int
ipf_init(void)
{
	int error = 0;
	lck_grp_attr_t *grp_attributes = 0;
	lck_attr_t *lck_attributes = 0;
	lck_grp_t *lck_grp = 0;
	
	grp_attributes = lck_grp_attr_alloc_init();
	if (grp_attributes == 0) {
		printf("ipf_init: lck_grp_attr_alloc_init failed\n");
		error = ENOMEM;
		goto done;
	}
	
	lck_grp = lck_grp_alloc_init("IP Filter", grp_attributes);
	if (lck_grp == 0) {
		printf("ipf_init: lck_grp_alloc_init failed\n");
		error = ENOMEM;
		goto done;
	}
	
	lck_attributes = lck_attr_alloc_init();
	if (lck_attributes == 0) {
		printf("ipf_init: lck_attr_alloc_init failed\n");
		error = ENOMEM;
		goto done;
	}
	
	kipf_lock = lck_mtx_alloc_init(lck_grp, lck_attributes);
	if (kipf_lock == 0) {
		printf("ipf_init: lck_mtx_alloc_init failed\n");
		error = ENOMEM;
		goto done;
	}
	done:
	if (error != 0) {
		if (kipf_lock) {
			lck_mtx_free(kipf_lock, lck_grp);
			kipf_lock = 0;
		}
	}
	if (lck_grp) {
		lck_grp_free(lck_grp);
		lck_grp = 0;
	}
	if (grp_attributes) {
		lck_grp_attr_free(grp_attributes);
		grp_attributes = 0;
	}
	if (lck_attributes) {
		lck_attr_free(lck_attributes);
		lck_attributes = 0;
	}
	
	return error;
}
Commit	Line	Data
91447636	1	/*
5d5c5d0d A	2	* Copyright (c) 2003 Apple Computer, Inc. All rights reserved.
5d5c5d0d A	3	*
8ad349bb	4	* @APPLE_LICENSE_OSREFERENCE_HEADER_START@
91447636	5	*
8ad349bb A	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. The rights granted to you under the
	10	* License may not be used to create, or enable the creation or
	11	* redistribution of, unlawful or unlicensed copies of an Apple operating
	12	* system, or to circumvent, violate, or enable the circumvention or
	13	* violation of, any terms of an Apple operating system software license
	14	* agreement.
	15	*
	16	* Please obtain a copy of the License at
	17	* http://www.opensource.apple.com/apsl/ and read it before using this
	18	* file.
	19	*
	20	* The Original Code and all software distributed under the License are
	21	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	22	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	23	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	24	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	25	* Please see the License for the specific language governing rights and
	26	* limitations under the License.
	27	*
	28	* @APPLE_LICENSE_OSREFERENCE_HEADER_END@
91447636 A	29	*/
	30
	31	#include <sys/param.h> /* for definition of NULL */
	32	#include <sys/errno.h>
	33	#include <sys/malloc.h>
	34	#include <sys/socket.h>
	35	#include <sys/mbuf.h>
	36	#include <sys/systm.h>
	37
	38	#define _IP_VHL
	39	#include <net/if_var.h>
	40	#include <net/route.h>
	41	#include <net/kpi_protocol.h>
	42
	43	#include <netinet/in_systm.h>
	44	#include <netinet/in.h>
	45	#include <netinet/in_var.h>
	46	#include <netinet6/in6_var.h>
	47	#include <netinet/ip.h>
	48	#include <netinet/ip6.h>
	49	#include <netinet/ip_var.h>
	50	#include <netinet6/ip6_var.h>
	51	#include <netinet/kpi_ipfilter_var.h>
	52
	53	/*
	54	* kipf_lock and kipf_ref protect the linkage of the list of IP filters
	55	* An IP filter can be removed only when kipf_ref is zero
	56	* If an IP filter cannot be removed because kipf_ref is not null, then
	57	* the IP filter is marjed and kipf_delayed_remove is set so that when
	58	* kipf_ref eventually goes down to zero, the IP filter is removed
	59	*/
	60	static lck_mtx_t *kipf_lock = 0;
	61	static unsigned long kipf_ref = 0;
	62	static unsigned long kipf_delayed_remove = 0;
	63
	64	__private_extern__ struct ipfilter_list ipv4_filters = TAILQ_HEAD_INITIALIZER(ipv4_filters);
	65	__private_extern__ struct ipfilter_list ipv6_filters = TAILQ_HEAD_INITIALIZER(ipv6_filters);
	66	__private_extern__ struct ipfilter_list tbr_filters = TAILQ_HEAD_INITIALIZER(tbr_filters);
	67
	68	__private_extern__ void
	69	ipf_ref(void)
	70	{
	71	lck_mtx_lock(kipf_lock);
	72	kipf_ref++;
	73	lck_mtx_unlock(kipf_lock);
	74	}
	75
	76	__private_extern__ void
	77	ipf_unref(void)
	78	{
	79	lck_mtx_lock(kipf_lock);
	80
	81	if (kipf_ref == 0)
	82	panic("ipf_unref: kipf_ref == 0\n");
	83
	84	kipf_ref--;
	85	if (kipf_ref == 0 && kipf_delayed_remove != 0) {
	86	struct ipfilter *filter;
	87
	88	while ((filter = TAILQ_FIRST(&tbr_filters))) {
	89	ipf_detach_func ipf_detach = filter->ipf_filter.ipf_detach;
	90	void* cookie = filter->ipf_filter.cookie;
	91
	92	TAILQ_REMOVE(filter->ipf_head, filter, ipf_link);
93	TAILQ_REMOVE(&tbr_filters, filter, ipf_tbr);
94	kipf_delayed_remove--;
95
96	if (ipf_detach) {
97	lck_mtx_unlock(kipf_lock);
98	ipf_detach(cookie);
99	lck_mtx_lock(kipf_lock);
100	/* In case some filter got to run while we released the lock */
101	if (kipf_ref != 0)
102	break;
103	}
104	}
105	}
106	lck_mtx_unlock(kipf_lock);
107	}
108
109	static errno_t
110	ipf_add(
111	const struct ipf_filter* filter,
112	ipfilter_t *filter_ref,
113	struct ipfilter_list *head)
114	{
115	struct ipfilter *new_filter;
116	if (filter->name == NULL \|\| (filter->ipf_input == NULL && filter->ipf_output == NULL))
117	return EINVAL;
118
119	MALLOC(new_filter, struct ipfilter, sizeof(new_filter), M_IFADDR, M_WAITOK);
120	if (new_filter == NULL)
121	return ENOMEM;
122
123	lck_mtx_lock(kipf_lock);
124	new_filter->ipf_filter = *filter;
125	new_filter->ipf_head = head;
126
127	/*
128	* 3957298
129	* Make sure third parties have a chance to filter packets before
130	* SharedIP. Always SharedIP at the end of the list.
131	*/
132	if (filter->name != NULL &&
133	strcmp(filter->name, "com.apple.nke.SharedIP") == 0) {
134	TAILQ_INSERT_TAIL(head, new_filter, ipf_link);
135	}
136	else {
137	TAILQ_INSERT_HEAD(head, new_filter, ipf_link);
138	}
139
140	lck_mtx_unlock(kipf_lock);
141
142	*filter_ref = (ipfilter_t)new_filter;
143	return 0;
144	}
145
146	errno_t
147	ipf_addv4(
148	const struct ipf_filter* filter,
149	ipfilter_t *filter_ref)
150	{
151	return ipf_add(filter, filter_ref, &ipv4_filters);
152	}
153
154	errno_t
155	ipf_addv6(
156	const struct ipf_filter* filter,
157	ipfilter_t *filter_ref)
158	{
159	return ipf_add(filter, filter_ref, &ipv6_filters);
160	}
161
162	errno_t
163	ipf_remove(
164	ipfilter_t filter_ref)
165	{
166	struct ipfilter match = (struct ipfilter)filter_ref;
167	struct ipfilter_list *head;
168
169	if (match == 0 \|\| (match->ipf_head != &ipv4_filters && match->ipf_head != &ipv6_filters))
170	return EINVAL;
171
172	head = match->ipf_head;
173
174	lck_mtx_lock(kipf_lock);
175	TAILQ_FOREACH(match, head, ipf_link) {
176	if (match == (struct ipfilter*)filter_ref) {
177	ipf_detach_func ipf_detach = match->ipf_filter.ipf_detach;
178	void* cookie = match->ipf_filter.cookie;
179
180	/*
181	* Cannot detach when they are filters running
182	*/
183	if (kipf_ref) {
184	kipf_delayed_remove++;
185	TAILQ_INSERT_TAIL(&tbr_filters, match, ipf_tbr);
186	match->ipf_filter.ipf_input = 0;
187	match->ipf_filter.ipf_output = 0;
188	lck_mtx_unlock(kipf_lock);
189	} else {
190	TAILQ_REMOVE(head, match, ipf_link);
191	lck_mtx_unlock(kipf_lock);
192	if (ipf_detach)
193	ipf_detach(cookie);
194	FREE(match, M_IFADDR);
195	}
196	return 0;
197	}
198	}
199	lck_mtx_unlock(kipf_lock);
200
201	return ENOENT;
202	}
203
204	int log_for_en1 = 0;
205
206	errno_t
207	ipf_inject_input(
208	mbuf_t data,
209	ipfilter_t filter_ref)
210	{
211	struct mbuf m = (struct mbuf)data;
212	struct m_tag *mtag = 0;
213	struct ip ip = mtod(m, struct ip );
214	u_int8_t vers;
215	int hlen;
216	errno_t error = 0;
217	protocol_family_t proto;
218
219	vers = IP_VHL_V(ip->ip_vhl);
220
221	switch (vers) {
222	case 4:
223	proto = PF_INET;
224	break;
225	case 6:
226	proto = PF_INET6;
227	break;
228	default:
229	error = ENOTSUP;
230	goto done;
231	}
232
233	if (filter_ref == 0 && m->m_pkthdr.rcvif == 0) {
234	m->m_pkthdr.rcvif = ifunit("lo0");
235	m->m_pkthdr.csum_data = 0;
236	m->m_pkthdr.csum_flags = 0;
237	if (vers == 4) {
238	hlen = IP_VHL_HL(ip->ip_vhl) << 2;
239	ip->ip_sum = 0;
240	ip->ip_sum = in_cksum(m, hlen);
241	}
242	}
243	if (filter_ref != 0) {
244	mtag = m_tag_alloc(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT,
245	sizeof (ipfilter_t), M_NOWAIT);
246	if (mtag == NULL) {
247	error = ENOMEM;
248	goto done;
249	}
250	(ipfilter_t)(mtag+1) = filter_ref;
251	m_tag_prepend(m, mtag);
252	}
253
254	error = proto_inject(proto, data);
255
256	done:
257	return error;
258	}
259
260	static errno_t
261	ipf_injectv4_out(
262	mbuf_t data,
263	ipfilter_t filter_ref,
264	ipf_pktopts_t options)
265	{
266	struct route ro;
267	struct sockaddr_in sin = (struct sockaddr_in)&ro.ro_dst;
268	struct ip *ip;
269	struct mbuf m = (struct mbuf)data;
270	errno_t error = 0;
271	struct m_tag *mtag = 0;
272	struct ip_moptions *imo = 0, ip_moptions;
273
274	/* Make the IP header contiguous in the mbuf */
275	if ((size_t)m->m_len < sizeof(struct ip)) {
276	m = m_pullup(m, sizeof(struct ip));
277	if (m == NULL) return ENOMEM;
278	}
279	ip = (struct ip*)m_mtod(m);
280
281	if (filter_ref != 0) {
282	mtag = m_tag_alloc(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT,
283	sizeof (ipfilter_t), M_NOWAIT);
284	if (mtag == NULL) {
285	m_freem(m);
286	return ENOMEM;
287	}
288	(ipfilter_t)(mtag+1) = filter_ref;
289	m_tag_prepend(m, mtag);
290	}
291
292	if (options && (options->ippo_flags & IPPOF_MCAST_OPTS)) {
293	imo = &ip_moptions;
294
295	bzero(imo, sizeof(struct ip6_moptions));
296	imo->imo_multicast_ifp = options->ippo_mcast_ifnet;
297	imo->imo_multicast_ttl = options->ippo_mcast_ttl;
298	imo->imo_multicast_loop = options->ippo_mcast_loop;
299	}
300
301	/* Fill out a route structure and get a route */
302	bzero(&ro, sizeof(struct route));
303	sin->sin_len = sizeof(struct sockaddr_in);
304	sin->sin_family = AF_INET;
305	sin->sin_port = 0;
306	sin->sin_addr = ip->ip_dst;
307	rtalloc(&ro);
308	if (ro.ro_rt == NULL) {
309	m_freem(m);
310	return ENETUNREACH;
311	}
5d5c5d0d A	312
	313	/* Put ip_len and ip_off in host byte order, ip_output expects that */
	314	NTOHS(ip->ip_len);
	315	NTOHS(ip->ip_off);
	316
91447636 A	317	/* Send */
	318	error = ip_output(m, NULL, &ro, IP_ALLOWBROADCAST \| IP_RAWOUTPUT, imo);
	319
	320	/* Release the route */
	321	if (ro.ro_rt)
	322	rtfree(ro.ro_rt);
	323
	324	return error;
	325	}
	326
	327	static errno_t
	328	ipf_injectv6_out(
	329	mbuf_t data,
	330	ipfilter_t filter_ref,
	331	ipf_pktopts_t options)
	332	{
	333	struct route_in6 ro;
	334	struct sockaddr_in6 *sin6 = &ro.ro_dst;
	335	struct ip6_hdr *ip6;
	336	struct mbuf m = (struct mbuf)data;
	337	errno_t error = 0;
	338	struct m_tag *mtag = 0;
	339	struct ip6_moptions *im6o = 0, ip6_moptions;
	340
	341	/* Make the IP header contiguous in the mbuf */
	342	if ((size_t)m->m_len < sizeof(struct ip6_hdr)) {
	343	m = m_pullup(m, sizeof(struct ip6_hdr));
	344	if (m == NULL) return ENOMEM;
	345	}
	346	ip6 = (struct ip6_hdr*)m_mtod(m);
	347
	348	if (filter_ref != 0) {
	349	mtag = m_tag_alloc(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT,
	350	sizeof (ipfilter_t), M_NOWAIT);
	351	if (mtag == NULL) {
	352	m_freem(m);
	353	return ENOMEM;
	354	}
	355	(ipfilter_t)(mtag+1) = filter_ref;
	356	m_tag_prepend(m, mtag);
	357	}
	358
	359	if (options && (options->ippo_flags & IPPOF_MCAST_OPTS)) {
	360	im6o = &ip6_moptions;
	361
	362	bzero(im6o, sizeof(struct ip6_moptions));
	363	im6o->im6o_multicast_ifp = options->ippo_mcast_ifnet;
	364	im6o->im6o_multicast_hlim = options->ippo_mcast_ttl;
	365	im6o->im6o_multicast_loop = options->ippo_mcast_loop;
	366	}
	367
	368
	369	/* Fill out a route structure and get a route */
	370	bzero(&ro, sizeof(struct route_in6));
	371	sin6->sin6_len = sizeof(struct sockaddr_in6);
	372	sin6->sin6_family = AF_INET6;
	373	sin6->sin6_addr = ip6->ip6_dst;
	374	#if 0
	375	/* This is breaks loopback multicast! */
	376	/* The scope ID should already at s6_addr16[1] */
	377	if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
	378	/* Hack, pull the scope_id out of the dest addr */
	379	sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
	380	ip6->ip6_dst.s6_addr16[1] = 0;
381	} else
382	sin6->sin6_scope_id = 0;
383	#endif
384	rtalloc((struct route*)&ro);
385	if (ro.ro_rt == NULL) {
386	m_freem(m);
387	return ENETUNREACH;
388	}
389
390	/* Send */
391	error = ip6_output(m, NULL, &ro, 0, im6o, NULL, 0);
392
393	/* Release the route */
394	if (ro.ro_rt)
395	rtfree(ro.ro_rt);
396
397	return error;
398	}
399
400	errno_t
401	ipf_inject_output(
402	mbuf_t data,
403	ipfilter_t filter_ref,
404	ipf_pktopts_t options)
405	{
406	struct mbuf m = (struct mbuf)data;
407	u_int8_t vers;
408	errno_t error = 0;
409
410	/* Make one byte of the header contiguous in the mbuf */
411	if (m->m_len < 1) {
412	m = m_pullup(m, 1);
413	if (m == NULL)
414	goto done;
415	}
416
417	vers = ((u_int8_t)m_mtod(m)) >> 4;
418	switch (vers)
419	{
420	case 4:
421	error = ipf_injectv4_out(data, filter_ref, options);
422	break;
423	case 6:
424	error = ipf_injectv6_out(data, filter_ref, options);
425	break;
426	default:
427	m_freem(m);
428	error = ENOTSUP;
429	break;
430	}
431
432	done:
433	return error;
434	}
435
436	__private_extern__ ipfilter_t
437	ipf_get_inject_filter(struct mbuf *m)
438	{
439	ipfilter_t filter_ref = 0;
440	struct m_tag *mtag;
441
442	mtag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT, NULL);
443	if (mtag) {
444	filter_ref = (ipfilter_t )(mtag+1);
445
446	m_tag_delete(m, mtag);
447	}
448	return filter_ref;
449	}
450
451	__private_extern__ int
452	ipf_init(void)
453	{
454	int error = 0;
455	lck_grp_attr_t *grp_attributes = 0;
456	lck_attr_t *lck_attributes = 0;
457	lck_grp_t *lck_grp = 0;
458
459	grp_attributes = lck_grp_attr_alloc_init();
460	if (grp_attributes == 0) {
461	printf("ipf_init: lck_grp_attr_alloc_init failed\n");
462	error = ENOMEM;
463	goto done;
464	}
91447636 A	465
	466	lck_grp = lck_grp_alloc_init("IP Filter", grp_attributes);
	467	if (lck_grp == 0) {
	468	printf("ipf_init: lck_grp_alloc_init failed\n");
	469	error = ENOMEM;
	470	goto done;
	471	}
	472
	473	lck_attributes = lck_attr_alloc_init();
	474	if (lck_attributes == 0) {
	475	printf("ipf_init: lck_attr_alloc_init failed\n");
	476	error = ENOMEM;
	477	goto done;
	478	}
91447636 A	479
	480	kipf_lock = lck_mtx_alloc_init(lck_grp, lck_attributes);
	481	if (kipf_lock == 0) {
	482	printf("ipf_init: lck_mtx_alloc_init failed\n");
	483	error = ENOMEM;
	484	goto done;
	485	}
	486	done:
	487	if (error != 0) {
	488	if (kipf_lock) {
	489	lck_mtx_free(kipf_lock, lck_grp);
	490	kipf_lock = 0;
	491	}
	492	}
	493	if (lck_grp) {
	494	lck_grp_free(lck_grp);
	495	lck_grp = 0;
	496	}
	497	if (grp_attributes) {
	498	lck_grp_attr_free(grp_attributes);
	499	grp_attributes = 0;
	500	}
	501	if (lck_attributes) {
	502	lck_attr_free(lck_attributes);
	503	lck_attributes = 0;
	504	}
	505
	506	return error;
	507	}