[apple/xnu.git] / bsd / netinet / kpi_ipfilter.c

/*
 * Copyright (c) 2003 Apple Computer, Inc. All rights reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 * 
 * The contents of this file constitute Original Code as defined in and
 * are subject to the Apple Public Source License Version 1.1 (the
 * "License").  You may not use this file except in compliance with the
 * License.  Please obtain a copy of the License at
 * http://www.apple.com/publicsource and read it before using this file.
 * 
 * This Original Code and all software distributed under the License are
 * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.  Please see the
 * License for the specific language governing rights and limitations
 * under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

#include <sys/param.h>	/* for definition of NULL */
#include <sys/errno.h>
#include <sys/malloc.h>
#include <sys/socket.h>
#include <sys/mbuf.h>
#include <sys/systm.h>

#define _IP_VHL
#include <net/if_var.h>
#include <net/route.h>
#include <net/kpi_protocol.h>

#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/in_var.h>
#include <netinet6/in6_var.h>
#include <netinet/ip.h>
#include <netinet/ip6.h>
#include <netinet/ip_var.h>
#include <netinet6/ip6_var.h>
#include <netinet/kpi_ipfilter_var.h>

/*
 * kipf_lock and kipf_ref protect the linkage of the list of IP filters
 * An IP filter can be removed only when kipf_ref is zero
 * If an IP filter cannot be removed because kipf_ref is not null, then 
 * the IP filter is marjed and kipf_delayed_remove is set so that when 
 * kipf_ref eventually goes down to zero, the IP filter is removed
 */
static lck_mtx_t *kipf_lock = 0;
static unsigned long kipf_ref = 0;
static unsigned long kipf_delayed_remove = 0;

__private_extern__ struct ipfilter_list	ipv4_filters = TAILQ_HEAD_INITIALIZER(ipv4_filters);
__private_extern__ struct ipfilter_list	ipv6_filters = TAILQ_HEAD_INITIALIZER(ipv6_filters);
__private_extern__ struct ipfilter_list	tbr_filters = TAILQ_HEAD_INITIALIZER(tbr_filters);

__private_extern__ void
ipf_ref(void)
{
	lck_mtx_lock(kipf_lock);
    kipf_ref++;
	lck_mtx_unlock(kipf_lock);
}

__private_extern__ void
ipf_unref(void)
{
	lck_mtx_lock(kipf_lock);

    if (kipf_ref == 0)
    	panic("ipf_unref: kipf_ref == 0\n");
    	
    kipf_ref--;
    if (kipf_ref == 0 && kipf_delayed_remove != 0) {
    	struct ipfilter *filter;

		while ((filter = TAILQ_FIRST(&tbr_filters))) {
			ipf_detach_func ipf_detach = filter->ipf_filter.ipf_detach;
			void* cookie = filter->ipf_filter.cookie;
			
			TAILQ_REMOVE(filter->ipf_head, filter, ipf_link);
			TAILQ_REMOVE(&tbr_filters, filter, ipf_tbr);
			kipf_delayed_remove--;

			if (ipf_detach) {
				lck_mtx_unlock(kipf_lock);
				ipf_detach(cookie);
				lck_mtx_lock(kipf_lock);
				/* In case some filter got to run while we released the lock */
				if (kipf_ref != 0)
					break;
			}			
		}
   	} 
	lck_mtx_unlock(kipf_lock);
}

static errno_t
ipf_add(
	const struct ipf_filter* filter,
	ipfilter_t *filter_ref,
	struct ipfilter_list *head)
{
	struct ipfilter	*new_filter;
	if (filter->name == NULL || (filter->ipf_input == NULL && filter->ipf_output == NULL))
		return EINVAL;
	
	MALLOC(new_filter, struct ipfilter*, sizeof(*new_filter), M_IFADDR, M_WAITOK);
	if (new_filter == NULL)
		return ENOMEM;
	
	lck_mtx_lock(kipf_lock);
	new_filter->ipf_filter = *filter;
	new_filter->ipf_head = head;
	
	/*
	 * 3957298
	 * Make sure third parties have a chance to filter packets before
	 * SharedIP. Always SharedIP at the end of the list.
	 */
	if (filter->name != NULL &&
		strcmp(filter->name, "com.apple.nke.SharedIP") == 0) {
		TAILQ_INSERT_TAIL(head, new_filter, ipf_link);
	}
	else {
		TAILQ_INSERT_HEAD(head, new_filter, ipf_link);
	}
	
	lck_mtx_unlock(kipf_lock);
	
	*filter_ref = (ipfilter_t)new_filter;
	return 0;
}

errno_t
ipf_addv4(
	const struct ipf_filter* filter,
	ipfilter_t *filter_ref)
{
	return ipf_add(filter, filter_ref, &ipv4_filters);
}

errno_t
ipf_addv6(
	const struct ipf_filter* filter,
	ipfilter_t *filter_ref)
{
	return ipf_add(filter, filter_ref, &ipv6_filters);
}

errno_t
ipf_remove(
	ipfilter_t filter_ref)
{
	struct ipfilter	*match = (struct ipfilter*)filter_ref;
	struct ipfilter_list *head;
	
	if (match == 0 || (match->ipf_head != &ipv4_filters && match->ipf_head != &ipv6_filters))
		return EINVAL;
	
	head = match->ipf_head;
	
	lck_mtx_lock(kipf_lock);
	TAILQ_FOREACH(match, head, ipf_link) {
		if (match == (struct ipfilter*)filter_ref) {
			ipf_detach_func ipf_detach = match->ipf_filter.ipf_detach;
			void* cookie = match->ipf_filter.cookie;
			
			/*
			 * Cannot detach when they are filters running
			 */
			if (kipf_ref) {
				kipf_delayed_remove++;
				TAILQ_INSERT_TAIL(&tbr_filters, match, ipf_tbr);
				match->ipf_filter.ipf_input = 0;
				match->ipf_filter.ipf_output = 0;
				lck_mtx_unlock(kipf_lock);
			} else {
				TAILQ_REMOVE(head, match, ipf_link);
				lck_mtx_unlock(kipf_lock);
				if (ipf_detach)
					ipf_detach(cookie);
				FREE(match, M_IFADDR);
			}
			return 0;
		}
	}
	lck_mtx_unlock(kipf_lock);
	
	return ENOENT;
}

int log_for_en1 = 0;

errno_t
ipf_inject_input(
	mbuf_t data,
	ipfilter_t filter_ref)
{
	struct mbuf	*m = (struct mbuf*)data;
	struct m_tag *mtag = 0;
	struct ip *ip = mtod(m, struct ip *);
	u_int8_t	vers;
	int hlen;
	errno_t error = 0;
	protocol_family_t proto;

	vers = IP_VHL_V(ip->ip_vhl);
	
	switch (vers) {
		case 4:
			proto = PF_INET;
			break;
		case 6:
			proto = PF_INET6;
			break;
		default:
			error = ENOTSUP;
			goto done;
	}
	
	if (filter_ref == 0 && m->m_pkthdr.rcvif == 0) {
		m->m_pkthdr.rcvif = ifunit("lo0");
		m->m_pkthdr.csum_data = 0;
		m->m_pkthdr.csum_flags = 0;
		if (vers == 4) {
			hlen = IP_VHL_HL(ip->ip_vhl) << 2;
			ip->ip_sum = 0;
			ip->ip_sum = in_cksum(m, hlen);
		}
	}
	if (filter_ref != 0) {
		mtag = m_tag_alloc(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT,
					 	   sizeof (ipfilter_t), M_NOWAIT);
		if (mtag == NULL) {
			error = ENOMEM;
			goto done;
		}	
		*(ipfilter_t*)(mtag+1) = filter_ref;
		m_tag_prepend(m, mtag);
	}
	
	error = proto_inject(proto, data);

done:
	return error;
}

static errno_t
ipf_injectv4_out(
	mbuf_t data,
	ipfilter_t filter_ref,
	ipf_pktopts_t options)
{
	struct route ro;
	struct sockaddr_in	*sin = (struct sockaddr_in*)&ro.ro_dst;
	struct ip	*ip;
	struct mbuf	*m = (struct mbuf*)data;
	errno_t error = 0;
	struct m_tag *mtag = 0;
	struct ip_moptions *imo = 0, ip_moptions;
	
	/* Make the IP header contiguous in the mbuf */
	if ((size_t)m->m_len < sizeof(struct ip)) {
		m = m_pullup(m, sizeof(struct ip));
		if (m == NULL) return ENOMEM;
	}
	ip = (struct ip*)m_mtod(m);
	
	if (filter_ref != 0) {
		mtag = m_tag_alloc(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT,
					 	   sizeof (ipfilter_t), M_NOWAIT);
		if (mtag == NULL) {
			m_freem(m);
			return ENOMEM;
		}
		*(ipfilter_t*)(mtag+1) = filter_ref;
		m_tag_prepend(m, mtag);
	}
	
	if (options && (options->ippo_flags & IPPOF_MCAST_OPTS)) {
		imo = &ip_moptions;
		
		bzero(imo, sizeof(struct ip6_moptions));
		imo->imo_multicast_ifp = options->ippo_mcast_ifnet;
		imo->imo_multicast_ttl = options->ippo_mcast_ttl;
		imo->imo_multicast_loop = options->ippo_mcast_loop;
	}
	
	/* Fill out a route structure and get a route */
	bzero(&ro, sizeof(struct route));
	sin->sin_len = sizeof(struct sockaddr_in);
	sin->sin_family = AF_INET;
	sin->sin_port = 0;
	sin->sin_addr = ip->ip_dst;
	rtalloc(&ro);
	if (ro.ro_rt == NULL) {
		m_freem(m);
		return ENETUNREACH;
	}
	/* Send  */
	error = ip_output(m, NULL, &ro, IP_ALLOWBROADCAST | IP_RAWOUTPUT, imo);
	
	/* Release the route */
	if (ro.ro_rt)
		rtfree(ro.ro_rt);
	
	return error;
}

static errno_t
ipf_injectv6_out(
	mbuf_t data,
	ipfilter_t filter_ref,
	ipf_pktopts_t options)
{
	struct route_in6 ro;
	struct sockaddr_in6	*sin6 = &ro.ro_dst;
	struct ip6_hdr	*ip6;
	struct mbuf	*m = (struct mbuf*)data;
	errno_t error = 0;
	struct m_tag *mtag = 0;
	struct ip6_moptions *im6o = 0, ip6_moptions;
	
	/* Make the IP header contiguous in the mbuf */
	if ((size_t)m->m_len < sizeof(struct ip6_hdr)) {
		m = m_pullup(m, sizeof(struct ip6_hdr));
		if (m == NULL) return ENOMEM;
	}
	ip6 = (struct ip6_hdr*)m_mtod(m);

	if (filter_ref != 0) {
		mtag = m_tag_alloc(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT,
					 	   sizeof (ipfilter_t), M_NOWAIT);
		if (mtag == NULL) {
			m_freem(m);
			return ENOMEM;
		}
		*(ipfilter_t*)(mtag+1) = filter_ref;
		m_tag_prepend(m, mtag);
	}
	
	if (options && (options->ippo_flags & IPPOF_MCAST_OPTS)) {
		im6o = &ip6_moptions;
		
		bzero(im6o, sizeof(struct ip6_moptions));
		im6o->im6o_multicast_ifp = options->ippo_mcast_ifnet;
		im6o->im6o_multicast_hlim = options->ippo_mcast_ttl;
		im6o->im6o_multicast_loop = options->ippo_mcast_loop;
	}
	
	
	/* Fill out a route structure and get a route */
	bzero(&ro, sizeof(struct route_in6));
	sin6->sin6_len = sizeof(struct sockaddr_in6);
	sin6->sin6_family = AF_INET6;
	sin6->sin6_addr = ip6->ip6_dst;
#if 0
	/* This is breaks loopback multicast! */
	/* The scope ID should already at s6_addr16[1] */
	if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
		/* Hack, pull the scope_id out of the dest addr */
		sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
		ip6->ip6_dst.s6_addr16[1] = 0;
	} else
		sin6->sin6_scope_id = 0;
#endif
	rtalloc((struct route*)&ro);
	if (ro.ro_rt == NULL) {
		m_freem(m);
		return ENETUNREACH;
	}
	
	/* Send  */
	error = ip6_output(m, NULL, &ro, 0, im6o, NULL, 0);
	
	/* Release the route */
	if (ro.ro_rt)
		rtfree(ro.ro_rt);
	
	return error;
}

errno_t
ipf_inject_output(
	mbuf_t data,
	ipfilter_t filter_ref,
	ipf_pktopts_t options)
{
	struct mbuf	*m = (struct mbuf*)data;
	u_int8_t	vers;
	errno_t		error = 0;

	/* Make one byte of the header contiguous in the mbuf */
	if (m->m_len < 1) {
		m = m_pullup(m, 1);
		if (m == NULL) 
			goto done;
	}
	
	vers = (*(u_int8_t*)m_mtod(m)) >> 4;
	switch (vers)
	{
		case 4:
			error = ipf_injectv4_out(data, filter_ref, options);
			break;
		case 6:
			error = ipf_injectv6_out(data, filter_ref, options);
			break;
		default:
			m_freem(m);
			error = ENOTSUP;
			break;
	}

done:	
	return error;
}

__private_extern__ ipfilter_t
ipf_get_inject_filter(struct mbuf *m)
{
	ipfilter_t filter_ref = 0;
	struct m_tag *mtag;
	
	mtag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT, NULL);
	if (mtag) {
		filter_ref = *(ipfilter_t *)(mtag+1);
		
		m_tag_delete(m, mtag);
	}
	return filter_ref;
}

__private_extern__ int
ipf_init(void)
{
	int error = 0;
	lck_grp_attr_t *grp_attributes = 0;
	lck_attr_t *lck_attributes = 0;
	lck_grp_t *lck_grp = 0;
	
	grp_attributes = lck_grp_attr_alloc_init();
	if (grp_attributes == 0) {
		printf("ipf_init: lck_grp_attr_alloc_init failed\n");
		error = ENOMEM;
		goto done;
	}
	lck_grp_attr_setdefault(grp_attributes);
	
	lck_grp = lck_grp_alloc_init("IP Filter", grp_attributes);
	if (lck_grp == 0) {
		printf("ipf_init: lck_grp_alloc_init failed\n");
		error = ENOMEM;
		goto done;
	}
	
	lck_attributes = lck_attr_alloc_init();
	if (lck_attributes == 0) {
		printf("ipf_init: lck_attr_alloc_init failed\n");
		error = ENOMEM;
		goto done;
	}
	lck_attr_setdefault(lck_attributes);
	
	kipf_lock = lck_mtx_alloc_init(lck_grp, lck_attributes);
	if (kipf_lock == 0) {
		printf("ipf_init: lck_mtx_alloc_init failed\n");
		error = ENOMEM;
		goto done;
	}
	done:
	if (error != 0) {
		if (kipf_lock) {
			lck_mtx_free(kipf_lock, lck_grp);
			kipf_lock = 0;
		}
	}
	if (lck_grp) {
		lck_grp_free(lck_grp);
		lck_grp = 0;
	}
	if (grp_attributes) {
		lck_grp_attr_free(grp_attributes);
		grp_attributes = 0;
	}
	if (lck_attributes) {
		lck_attr_free(lck_attributes);
		lck_attributes = 0;
	}
	
	return error;
}
Commit	Line	Data
91447636	1	/*
5d5c5d0d A	2	* Copyright (c) 2003 Apple Computer, Inc. All rights reserved.
5d5c5d0d A	3	*
6601e61a	4	* @APPLE_LICENSE_HEADER_START@
91447636	5	*
6601e61a A	6	* The contents of this file constitute Original Code as defined in and
	7	* are subject to the Apple Public Source License Version 1.1 (the
	8	* "License"). You may not use this file except in compliance with the
	9	* License. Please obtain a copy of the License at
	10	* http://www.apple.com/publicsource and read it before using this file.
8f6c56a5	11	*
6601e61a A	12	* This Original Code and all software distributed under the License are
6601e61a A	13	* distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
8f6c56a5 A	14	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
8f6c56a5 A	15	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
6601e61a A	16	* FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
	17	* License for the specific language governing rights and limitations
	18	* under the License.
8f6c56a5	19	*
6601e61a	20	* @APPLE_LICENSE_HEADER_END@
91447636 A	21	*/
	22
	23	#include <sys/param.h> /* for definition of NULL */
	24	#include <sys/errno.h>
	25	#include <sys/malloc.h>
	26	#include <sys/socket.h>
	27	#include <sys/mbuf.h>
	28	#include <sys/systm.h>
	29
	30	#define _IP_VHL
	31	#include <net/if_var.h>
	32	#include <net/route.h>
	33	#include <net/kpi_protocol.h>
	34
	35	#include <netinet/in_systm.h>
	36	#include <netinet/in.h>
	37	#include <netinet/in_var.h>
	38	#include <netinet6/in6_var.h>
	39	#include <netinet/ip.h>
	40	#include <netinet/ip6.h>
	41	#include <netinet/ip_var.h>
	42	#include <netinet6/ip6_var.h>
	43	#include <netinet/kpi_ipfilter_var.h>
	44
	45	/*
	46	* kipf_lock and kipf_ref protect the linkage of the list of IP filters
	47	* An IP filter can be removed only when kipf_ref is zero
	48	* If an IP filter cannot be removed because kipf_ref is not null, then
	49	* the IP filter is marjed and kipf_delayed_remove is set so that when
	50	* kipf_ref eventually goes down to zero, the IP filter is removed
	51	*/
	52	static lck_mtx_t *kipf_lock = 0;
	53	static unsigned long kipf_ref = 0;
	54	static unsigned long kipf_delayed_remove = 0;
	55
	56	__private_extern__ struct ipfilter_list ipv4_filters = TAILQ_HEAD_INITIALIZER(ipv4_filters);
	57	__private_extern__ struct ipfilter_list ipv6_filters = TAILQ_HEAD_INITIALIZER(ipv6_filters);
	58	__private_extern__ struct ipfilter_list tbr_filters = TAILQ_HEAD_INITIALIZER(tbr_filters);
	59
	60	__private_extern__ void
	61	ipf_ref(void)
	62	{
	63	lck_mtx_lock(kipf_lock);
	64	kipf_ref++;
	65	lck_mtx_unlock(kipf_lock);
	66	}
	67
	68	__private_extern__ void
	69	ipf_unref(void)
	70	{
	71	lck_mtx_lock(kipf_lock);
	72
	73	if (kipf_ref == 0)
	74	panic("ipf_unref: kipf_ref == 0\n");
	75
	76	kipf_ref--;
	77	if (kipf_ref == 0 && kipf_delayed_remove != 0) {
	78	struct ipfilter *filter;
	79
	80	while ((filter = TAILQ_FIRST(&tbr_filters))) {
	81	ipf_detach_func ipf_detach = filter->ipf_filter.ipf_detach;
	82	void* cookie = filter->ipf_filter.cookie;
	83
	84	TAILQ_REMOVE(filter->ipf_head, filter, ipf_link);
85	TAILQ_REMOVE(&tbr_filters, filter, ipf_tbr);
86	kipf_delayed_remove--;
87
88	if (ipf_detach) {
89	lck_mtx_unlock(kipf_lock);
90	ipf_detach(cookie);
91	lck_mtx_lock(kipf_lock);
92	/* In case some filter got to run while we released the lock */
93	if (kipf_ref != 0)
94	break;
95	}
96	}
97	}
98	lck_mtx_unlock(kipf_lock);
99	}
100
101	static errno_t
102	ipf_add(
103	const struct ipf_filter* filter,
104	ipfilter_t *filter_ref,
105	struct ipfilter_list *head)
106	{
107	struct ipfilter *new_filter;
108	if (filter->name == NULL \|\| (filter->ipf_input == NULL && filter->ipf_output == NULL))
109	return EINVAL;
110
111	MALLOC(new_filter, struct ipfilter, sizeof(new_filter), M_IFADDR, M_WAITOK);
112	if (new_filter == NULL)
113	return ENOMEM;
114
115	lck_mtx_lock(kipf_lock);
116	new_filter->ipf_filter = *filter;
117	new_filter->ipf_head = head;
118
119	/*
120	* 3957298
121	* Make sure third parties have a chance to filter packets before
122	* SharedIP. Always SharedIP at the end of the list.
123	*/
124	if (filter->name != NULL &&
125	strcmp(filter->name, "com.apple.nke.SharedIP") == 0) {
126	TAILQ_INSERT_TAIL(head, new_filter, ipf_link);
127	}
128	else {
129	TAILQ_INSERT_HEAD(head, new_filter, ipf_link);
130	}
131
132	lck_mtx_unlock(kipf_lock);
133
134	*filter_ref = (ipfilter_t)new_filter;
135	return 0;
136	}
137
138	errno_t
139	ipf_addv4(
140	const struct ipf_filter* filter,
141	ipfilter_t *filter_ref)
142	{
143	return ipf_add(filter, filter_ref, &ipv4_filters);
144	}
145
146	errno_t
147	ipf_addv6(
148	const struct ipf_filter* filter,
149	ipfilter_t *filter_ref)
150	{
151	return ipf_add(filter, filter_ref, &ipv6_filters);
152	}
153
154	errno_t
155	ipf_remove(
156	ipfilter_t filter_ref)
157	{
158	struct ipfilter match = (struct ipfilter)filter_ref;
159	struct ipfilter_list *head;
160
161	if (match == 0 \|\| (match->ipf_head != &ipv4_filters && match->ipf_head != &ipv6_filters))
162	return EINVAL;
163
164	head = match->ipf_head;
165
166	lck_mtx_lock(kipf_lock);
167	TAILQ_FOREACH(match, head, ipf_link) {
168	if (match == (struct ipfilter*)filter_ref) {
169	ipf_detach_func ipf_detach = match->ipf_filter.ipf_detach;
170	void* cookie = match->ipf_filter.cookie;
171
172	/*
173	* Cannot detach when they are filters running
174	*/
175	if (kipf_ref) {
176	kipf_delayed_remove++;
177	TAILQ_INSERT_TAIL(&tbr_filters, match, ipf_tbr);
178	match->ipf_filter.ipf_input = 0;
179	match->ipf_filter.ipf_output = 0;
180	lck_mtx_unlock(kipf_lock);
181	} else {
182	TAILQ_REMOVE(head, match, ipf_link);
183	lck_mtx_unlock(kipf_lock);
184	if (ipf_detach)
185	ipf_detach(cookie);
186	FREE(match, M_IFADDR);
187	}
188	return 0;
189	}
190	}
191	lck_mtx_unlock(kipf_lock);
192
193	return ENOENT;
194	}
195
196	int log_for_en1 = 0;
197
198	errno_t
199	ipf_inject_input(
200	mbuf_t data,
201	ipfilter_t filter_ref)
202	{
203	struct mbuf m = (struct mbuf)data;
204	struct m_tag *mtag = 0;
205	struct ip ip = mtod(m, struct ip );
206	u_int8_t vers;
207	int hlen;
208	errno_t error = 0;
209	protocol_family_t proto;
210
211	vers = IP_VHL_V(ip->ip_vhl);
212
213	switch (vers) {
214	case 4:
215	proto = PF_INET;
216	break;
217	case 6:
218	proto = PF_INET6;
219	break;
220	default:
221	error = ENOTSUP;
222	goto done;
223	}
224
225	if (filter_ref == 0 && m->m_pkthdr.rcvif == 0) {
226	m->m_pkthdr.rcvif = ifunit("lo0");
227	m->m_pkthdr.csum_data = 0;
228	m->m_pkthdr.csum_flags = 0;
229	if (vers == 4) {
230	hlen = IP_VHL_HL(ip->ip_vhl) << 2;
231	ip->ip_sum = 0;
232	ip->ip_sum = in_cksum(m, hlen);
233	}
234	}
235	if (filter_ref != 0) {
236	mtag = m_tag_alloc(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT,
237	sizeof (ipfilter_t), M_NOWAIT);
238	if (mtag == NULL) {
239	error = ENOMEM;
240	goto done;
241	}
242	(ipfilter_t)(mtag+1) = filter_ref;
243	m_tag_prepend(m, mtag);
244	}
245
246	error = proto_inject(proto, data);
247
248	done:
249	return error;
250	}
251
252	static errno_t
253	ipf_injectv4_out(
254	mbuf_t data,
255	ipfilter_t filter_ref,
256	ipf_pktopts_t options)
257	{
258	struct route ro;
259	struct sockaddr_in sin = (struct sockaddr_in)&ro.ro_dst;
260	struct ip *ip;
261	struct mbuf m = (struct mbuf)data;
262	errno_t error = 0;
263	struct m_tag *mtag = 0;
264	struct ip_moptions *imo = 0, ip_moptions;
265
266	/* Make the IP header contiguous in the mbuf */
267	if ((size_t)m->m_len < sizeof(struct ip)) {
268	m = m_pullup(m, sizeof(struct ip));
269	if (m == NULL) return ENOMEM;
270	}
271	ip = (struct ip*)m_mtod(m);
272
273	if (filter_ref != 0) {
274	mtag = m_tag_alloc(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT,
275	sizeof (ipfilter_t), M_NOWAIT);
276	if (mtag == NULL) {
277	m_freem(m);
278	return ENOMEM;
279	}
280	(ipfilter_t)(mtag+1) = filter_ref;
281	m_tag_prepend(m, mtag);
282	}
283
284	if (options && (options->ippo_flags & IPPOF_MCAST_OPTS)) {
285	imo = &ip_moptions;
286
287	bzero(imo, sizeof(struct ip6_moptions));
288	imo->imo_multicast_ifp = options->ippo_mcast_ifnet;
289	imo->imo_multicast_ttl = options->ippo_mcast_ttl;
290	imo->imo_multicast_loop = options->ippo_mcast_loop;
291	}
292
293	/* Fill out a route structure and get a route */
294	bzero(&ro, sizeof(struct route));
295	sin->sin_len = sizeof(struct sockaddr_in);
296	sin->sin_family = AF_INET;
297	sin->sin_port = 0;
298	sin->sin_addr = ip->ip_dst;
299	rtalloc(&ro);
300	if (ro.ro_rt == NULL) {
301	m_freem(m);
302	return ENETUNREACH;
303	}
304	/* Send */
305	error = ip_output(m, NULL, &ro, IP_ALLOWBROADCAST \| IP_RAWOUTPUT, imo);
306
307	/* Release the route */
308	if (ro.ro_rt)
309	rtfree(ro.ro_rt);
310
311	return error;
312	}
313
314	static errno_t
315	ipf_injectv6_out(
316	mbuf_t data,
317	ipfilter_t filter_ref,
318	ipf_pktopts_t options)
319	{
320	struct route_in6 ro;
321	struct sockaddr_in6 *sin6 = &ro.ro_dst;
322	struct ip6_hdr *ip6;
323	struct mbuf m = (struct mbuf)data;
324	errno_t error = 0;
325	struct m_tag *mtag = 0;
326	struct ip6_moptions *im6o = 0, ip6_moptions;
327
328	/* Make the IP header contiguous in the mbuf */
329	if ((size_t)m->m_len < sizeof(struct ip6_hdr)) {
330	m = m_pullup(m, sizeof(struct ip6_hdr));
331	if (m == NULL) return ENOMEM;
332	}
333	ip6 = (struct ip6_hdr*)m_mtod(m);
334
335	if (filter_ref != 0) {
336	mtag = m_tag_alloc(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT,
337	sizeof (ipfilter_t), M_NOWAIT);
338	if (mtag == NULL) {
339	m_freem(m);
340	return ENOMEM;
341	}
342	(ipfilter_t)(mtag+1) = filter_ref;
343	m_tag_prepend(m, mtag);
344	}
345
346	if (options && (options->ippo_flags & IPPOF_MCAST_OPTS)) {
347	im6o = &ip6_moptions;
348
349	bzero(im6o, sizeof(struct ip6_moptions));
350	im6o->im6o_multicast_ifp = options->ippo_mcast_ifnet;
351	im6o->im6o_multicast_hlim = options->ippo_mcast_ttl;
352	im6o->im6o_multicast_loop = options->ippo_mcast_loop;
353	}
354
355
356	/* Fill out a route structure and get a route */
357	bzero(&ro, sizeof(struct route_in6));
358	sin6->sin6_len = sizeof(struct sockaddr_in6);
359	sin6->sin6_family = AF_INET6;
360	sin6->sin6_addr = ip6->ip6_dst;
361	#if 0
362	/* This is breaks loopback multicast! */
363	/* The scope ID should already at s6_addr16[1] */
364	if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
365	/* Hack, pull the scope_id out of the dest addr */
366	sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
367	ip6->ip6_dst.s6_addr16[1] = 0;
368	} else
369	sin6->sin6_scope_id = 0;
370	#endif
371	rtalloc((struct route*)&ro);
372	if (ro.ro_rt == NULL) {
373	m_freem(m);
374	return ENETUNREACH;
375	}
376
377	/* Send */
378	error = ip6_output(m, NULL, &ro, 0, im6o, NULL, 0);
379
380	/* Release the route */
381	if (ro.ro_rt)
382	rtfree(ro.ro_rt);
383
384	return error;
385	}
386
387	errno_t
388	ipf_inject_output(
389	mbuf_t data,
390	ipfilter_t filter_ref,
391	ipf_pktopts_t options)
392	{
393	struct mbuf m = (struct mbuf)data;
394	u_int8_t vers;
395	errno_t error = 0;
396
397	/* Make one byte of the header contiguous in the mbuf */
398	if (m->m_len < 1) {
399	m = m_pullup(m, 1);
400	if (m == NULL)
401	goto done;
402	}
403
404	vers = ((u_int8_t)m_mtod(m)) >> 4;
405	switch (vers)
406	{
407	case 4:
408	error = ipf_injectv4_out(data, filter_ref, options);
409	break;
410	case 6:
411	error = ipf_injectv6_out(data, filter_ref, options);
412	break;
413	default:
414	m_freem(m);
415	error = ENOTSUP;
416	break;
417	}
418
419	done:
420	return error;
421	}
422
423	__private_extern__ ipfilter_t
424	ipf_get_inject_filter(struct mbuf *m)
425	{
426	ipfilter_t filter_ref = 0;
427	struct m_tag *mtag;
428
429	mtag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT, NULL);
430	if (mtag) {
431	filter_ref = (ipfilter_t )(mtag+1);
432
433	m_tag_delete(m, mtag);
434	}
435	return filter_ref;
436	}
437
438	__private_extern__ int
439	ipf_init(void)
440	{
441	int error = 0;
442	lck_grp_attr_t *grp_attributes = 0;
443	lck_attr_t *lck_attributes = 0;
444	lck_grp_t *lck_grp = 0;
445
446	grp_attributes = lck_grp_attr_alloc_init();
447	if (grp_attributes == 0) {
448	printf("ipf_init: lck_grp_attr_alloc_init failed\n");
449	error = ENOMEM;
450	goto done;
451	}
6601e61a	452	lck_grp_attr_setdefault(grp_attributes);
91447636 A	453
	454	lck_grp = lck_grp_alloc_init("IP Filter", grp_attributes);
	455	if (lck_grp == 0) {
	456	printf("ipf_init: lck_grp_alloc_init failed\n");
	457	error = ENOMEM;
	458	goto done;
	459	}
	460
	461	lck_attributes = lck_attr_alloc_init();
	462	if (lck_attributes == 0) {
	463	printf("ipf_init: lck_attr_alloc_init failed\n");
	464	error = ENOMEM;
	465	goto done;
	466	}
6601e61a	467	lck_attr_setdefault(lck_attributes);
91447636 A	468
	469	kipf_lock = lck_mtx_alloc_init(lck_grp, lck_attributes);
	470	if (kipf_lock == 0) {
	471	printf("ipf_init: lck_mtx_alloc_init failed\n");
	472	error = ENOMEM;
	473	goto done;
	474	}
	475	done:
	476	if (error != 0) {
	477	if (kipf_lock) {
	478	lck_mtx_free(kipf_lock, lck_grp);
	479	kipf_lock = 0;
	480	}
	481	}
	482	if (lck_grp) {
	483	lck_grp_free(lck_grp);
	484	lck_grp = 0;
	485	}
	486	if (grp_attributes) {
	487	lck_grp_attr_free(grp_attributes);
	488	grp_attributes = 0;
	489	}
	490	if (lck_attributes) {
	491	lck_attr_free(lck_attributes);
	492	lck_attributes = 0;
	493	}
	494
	495	return error;
	496	}