[apple/xnu.git] / bsd / netinet / kpi_ipfilter.c

/*
 * Copyright (c) 2004-2016 Apple Inc. All rights reserved.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. The rights granted to you under the License
 * may not be used to create, or enable the creation or redistribution of,
 * unlawful or unlicensed copies of an Apple operating system, or to
 * circumvent, violate, or enable the circumvention or violation of, any
 * terms of an Apple operating system software license agreement.
 * 
 * Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
 */

#include <sys/param.h>	/* for definition of NULL */
#include <sys/errno.h>
#include <sys/malloc.h>
#include <sys/socket.h>
#include <sys/mbuf.h>
#include <sys/systm.h>
#include <libkern/OSAtomic.h>

#include <machine/endian.h>

#define _IP_VHL
#include <net/if_var.h>
#include <net/route.h>
#include <net/kpi_protocol.h>

#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/in_var.h>
#include <netinet6/in6_var.h>
#include <netinet/ip.h>
#include <netinet/ip6.h>
#include <netinet/ip_var.h>
#include <netinet6/ip6_var.h>
#include <netinet/kpi_ipfilter_var.h>


/*
 * kipf_lock and kipf_ref protect the linkage of the list of IP filters
 * An IP filter can be removed only when kipf_ref is zero
 * If an IP filter cannot be removed because kipf_ref is not null, then 
 * the IP filter is marjed and kipf_delayed_remove is set so that when 
 * kipf_ref eventually goes down to zero, the IP filter is removed
 */
decl_lck_mtx_data(static, kipf_lock_data);
static lck_mtx_t *kipf_lock = &kipf_lock_data;
static u_int32_t kipf_ref = 0;
static u_int32_t kipf_delayed_remove = 0;
u_int32_t kipf_count = 0;

__private_extern__ struct ipfilter_list	ipv4_filters = TAILQ_HEAD_INITIALIZER(ipv4_filters);
__private_extern__ struct ipfilter_list	ipv6_filters = TAILQ_HEAD_INITIALIZER(ipv6_filters);
__private_extern__ struct ipfilter_list	tbr_filters = TAILQ_HEAD_INITIALIZER(tbr_filters);

__private_extern__ void
ipf_ref(void)
{
	lck_mtx_lock(kipf_lock);
    kipf_ref++;
	lck_mtx_unlock(kipf_lock);
}

__private_extern__ void
ipf_unref(void)
{
	lck_mtx_lock(kipf_lock);

    if (kipf_ref == 0)
    	panic("ipf_unref: kipf_ref == 0\n");
    	
    kipf_ref--;
    if (kipf_ref == 0 && kipf_delayed_remove != 0) {
    	struct ipfilter *filter;

		while ((filter = TAILQ_FIRST(&tbr_filters))) {
			ipf_detach_func ipf_detach = filter->ipf_filter.ipf_detach;
			void* cookie = filter->ipf_filter.cookie;
			
			TAILQ_REMOVE(filter->ipf_head, filter, ipf_link);
			TAILQ_REMOVE(&tbr_filters, filter, ipf_tbr);
			kipf_delayed_remove--;

			if (ipf_detach) {
				lck_mtx_unlock(kipf_lock);
				ipf_detach(cookie);
				lck_mtx_lock(kipf_lock);
				/* In case some filter got to run while we released the lock */
				if (kipf_ref != 0)
					break;
			}			
		}
   	} 
	lck_mtx_unlock(kipf_lock);
}

static errno_t
ipf_add(
	const struct ipf_filter* filter,
	ipfilter_t *filter_ref,
	struct ipfilter_list *head)
{
	struct ipfilter	*new_filter;
	if (filter->name == NULL || (filter->ipf_input == NULL && filter->ipf_output == NULL))
		return EINVAL;
	
	MALLOC(new_filter, struct ipfilter*, sizeof(*new_filter), M_IFADDR, M_WAITOK);
	if (new_filter == NULL)
		return ENOMEM;
	
	lck_mtx_lock(kipf_lock);
	new_filter->ipf_filter = *filter;
	new_filter->ipf_head = head;
	
	TAILQ_INSERT_HEAD(head, new_filter, ipf_link);
	
	lck_mtx_unlock(kipf_lock);
	
	*filter_ref = (ipfilter_t)new_filter;

	/* This will force TCP to re-evaluate its use of TSO */
	OSAddAtomic(1, &kipf_count);
	routegenid_update();

	return 0;
}

errno_t
ipf_addv4(
	const struct ipf_filter* filter,
	ipfilter_t *filter_ref)
{
	return ipf_add(filter, filter_ref, &ipv4_filters);
}

errno_t
ipf_addv6(
	const struct ipf_filter* filter,
	ipfilter_t *filter_ref)
{
	return ipf_add(filter, filter_ref, &ipv6_filters);
}

static errno_t
ipf_input_detached(void *cookie, mbuf_t *data, int offset, u_int8_t protocol)
{
#pragma unused(cookie, data, offset, protocol)

#if DEBUG
	printf("ipf_input_detached\n");
#endif /* DEBUG */

	return (0);
}

static errno_t
ipf_output_detached(void *cookie, mbuf_t *data, ipf_pktopts_t options)
{
#pragma unused(cookie, data, options)

#if DEBUG
	printf("ipf_output_detached\n");
#endif /* DEBUG */

	return (0);
}

errno_t
ipf_remove(
	ipfilter_t filter_ref)
{
	struct ipfilter	*match = (struct ipfilter*)filter_ref;
	struct ipfilter_list *head;
	
	if (match == 0 || (match->ipf_head != &ipv4_filters && match->ipf_head != &ipv6_filters))
		return EINVAL;
	
	head = match->ipf_head;
	
	lck_mtx_lock(kipf_lock);
	TAILQ_FOREACH(match, head, ipf_link) {
		if (match == (struct ipfilter*)filter_ref) {
			ipf_detach_func ipf_detach = match->ipf_filter.ipf_detach;
			void* cookie = match->ipf_filter.cookie;
			
			/*
			 * Cannot detach when they are filters running
			 */
			if (kipf_ref) {
				kipf_delayed_remove++;
				TAILQ_INSERT_TAIL(&tbr_filters, match, ipf_tbr);
				match->ipf_filter.ipf_input = ipf_input_detached;
				match->ipf_filter.ipf_output = ipf_output_detached;
				lck_mtx_unlock(kipf_lock);
			} else {
				TAILQ_REMOVE(head, match, ipf_link);
				lck_mtx_unlock(kipf_lock);
				if (ipf_detach)
					ipf_detach(cookie);
				FREE(match, M_IFADDR);

				/* This will force TCP to re-evaluate its use of TSO */
				OSAddAtomic(-1, &kipf_count);
				routegenid_update();

			}
			return 0;
		}
	}
	lck_mtx_unlock(kipf_lock);
	
	return ENOENT;
}

int log_for_en1 = 0;

errno_t
ipf_inject_input(
	mbuf_t data,
	ipfilter_t filter_ref)
{
	struct mbuf	*m = (struct mbuf*)data;
	struct m_tag *mtag = 0;
	struct ip *ip = mtod(m, struct ip *);
	u_int8_t	vers;
	int hlen;
	errno_t error = 0;
	protocol_family_t proto;

	vers = IP_VHL_V(ip->ip_vhl);
	
	switch (vers) {
		case 4:
			proto = PF_INET;
			break;
		case 6:
			proto = PF_INET6;
			break;
		default:
			error = ENOTSUP;
			goto done;
	}
	
	if (filter_ref == 0 && m->m_pkthdr.rcvif == 0) {
		m->m_pkthdr.rcvif = lo_ifp;
		m->m_pkthdr.csum_data = 0;
		m->m_pkthdr.csum_flags = 0;
		if (vers == 4) {
			hlen = IP_VHL_HL(ip->ip_vhl) << 2;
			ip->ip_sum = 0;
			ip->ip_sum = in_cksum(m, hlen);
		}
	}
	if (filter_ref != 0) {
		mtag = m_tag_create(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT,
					 	   sizeof (ipfilter_t), M_NOWAIT, m);
		if (mtag == NULL) {
			error = ENOMEM;
			goto done;
		}	
		*(ipfilter_t*)(mtag+1) = filter_ref;
		m_tag_prepend(m, mtag);
	}
	
	error = proto_inject(proto, data);

done:
	return error;
}

static errno_t
ipf_injectv4_out(mbuf_t data, ipfilter_t filter_ref, ipf_pktopts_t options)
{
	struct route ro;
	struct ip	*ip;
	struct mbuf	*m = (struct mbuf*)data;
	errno_t error = 0;
	struct m_tag *mtag = NULL;
	struct ip_moptions *imo = NULL;
	struct ip_out_args ipoa = { IFSCOPE_NONE, { 0 }, 0, 0,
		SO_TC_UNSPEC, _NET_SERVICE_TYPE_UNSPEC };

	/* Make the IP header contiguous in the mbuf */
	if ((size_t)m->m_len < sizeof (struct ip)) {
		m = m_pullup(m, sizeof (struct ip));
		if (m == NULL)
			return (ENOMEM);
	}
	ip = (struct ip *)m_mtod(m);

	if (filter_ref != 0) {
		mtag = m_tag_create(KERNEL_MODULE_TAG_ID,
		    KERNEL_TAG_TYPE_IPFILT, sizeof (ipfilter_t), M_NOWAIT, m);
		if (mtag == NULL) {
			m_freem(m);
			return (ENOMEM);
		}
		*(ipfilter_t *)(mtag + 1) = filter_ref;
		m_tag_prepend(m, mtag);
	}

	if (options != NULL && (options->ippo_flags & IPPOF_MCAST_OPTS) &&
	    (imo = ip_allocmoptions(M_DONTWAIT)) != NULL) {
		imo->imo_multicast_ifp = options->ippo_mcast_ifnet;
		imo->imo_multicast_ttl = options->ippo_mcast_ttl;
		imo->imo_multicast_loop = options->ippo_mcast_loop;
	}

	if (options != NULL) {
		if (options->ippo_flags & IPPOF_SELECT_SRCIF)
			ipoa.ipoa_flags |= IPOAF_SELECT_SRCIF;
		if (options->ippo_flags & IPPOF_BOUND_IF) {
			ipoa.ipoa_flags |= IPOAF_BOUND_IF;
			ipoa.ipoa_boundif = options->ippo_flags >>
			    IPPOF_SHIFT_IFSCOPE;
		}
		if (options->ippo_flags & IPPOF_NO_IFT_CELLULAR)
			ipoa.ipoa_flags |= IPOAF_NO_CELLULAR;
		if (options->ippo_flags & IPPOF_BOUND_SRCADDR)
			ipoa.ipoa_flags |= IPOAF_BOUND_SRCADDR;
		if (options->ippo_flags & IPPOF_NO_IFF_EXPENSIVE)
			ipoa.ipoa_flags |= IPOAF_NO_EXPENSIVE;
	}

	bzero(&ro, sizeof(struct route));

	/* Put ip_len and ip_off in host byte order, ip_output expects that */

#if BYTE_ORDER != BIG_ENDIAN
	NTOHS(ip->ip_len);
	NTOHS(ip->ip_off);
#endif

	/* Send; enforce source interface selection via IP_OUTARGS flag */
	error = ip_output(m, NULL, &ro,
	    IP_ALLOWBROADCAST | IP_RAWOUTPUT | IP_OUTARGS, imo, &ipoa);

	/* Release the route */
	ROUTE_RELEASE(&ro);

	if (imo != NULL)
		IMO_REMREF(imo);

	return (error);
}

#if INET6
static errno_t
ipf_injectv6_out(mbuf_t data, ipfilter_t filter_ref, ipf_pktopts_t options)
{
	struct route_in6 ro;
	struct ip6_hdr	*ip6;
	struct mbuf	*m = (struct mbuf*)data;
	errno_t error = 0;
	struct m_tag *mtag = NULL;
	struct ip6_moptions *im6o = NULL;
	struct ip6_out_args ip6oa = { IFSCOPE_NONE, { 0 }, 0, 0,
		SO_TC_UNSPEC, _NET_SERVICE_TYPE_UNSPEC };

	/* Make the IP header contiguous in the mbuf */
	if ((size_t)m->m_len < sizeof(struct ip6_hdr)) {
		m = m_pullup(m, sizeof(struct ip6_hdr));
		if (m == NULL)
			return (ENOMEM);
	}
	ip6 = (struct ip6_hdr*)m_mtod(m);

	if (filter_ref != 0) {
		mtag = m_tag_create(KERNEL_MODULE_TAG_ID,
		    KERNEL_TAG_TYPE_IPFILT, sizeof (ipfilter_t), M_NOWAIT, m);
		if (mtag == NULL) {
			m_freem(m);
			return (ENOMEM);
		}
		*(ipfilter_t *)(mtag + 1) = filter_ref;
		m_tag_prepend(m, mtag);
	}

	if (options != NULL && (options->ippo_flags & IPPOF_MCAST_OPTS) &&
	    (im6o = ip6_allocmoptions(M_DONTWAIT)) != NULL) {
		im6o->im6o_multicast_ifp = options->ippo_mcast_ifnet;
		im6o->im6o_multicast_hlim = options->ippo_mcast_ttl;
		im6o->im6o_multicast_loop = options->ippo_mcast_loop;
	}

	if (options != NULL) {
		if (options->ippo_flags & IPPOF_SELECT_SRCIF)
			ip6oa.ip6oa_flags |= IP6OAF_SELECT_SRCIF;
		if (options->ippo_flags & IPPOF_BOUND_IF) {
			ip6oa.ip6oa_flags |= IP6OAF_BOUND_IF;
			ip6oa.ip6oa_boundif = options->ippo_flags >>
			    IPPOF_SHIFT_IFSCOPE;
		}
		if (options->ippo_flags & IPPOF_NO_IFT_CELLULAR)
			ip6oa.ip6oa_flags |= IP6OAF_NO_CELLULAR;
		if (options->ippo_flags & IPPOF_BOUND_SRCADDR)
			ip6oa.ip6oa_flags |= IP6OAF_BOUND_SRCADDR;
		if (options->ippo_flags & IPPOF_NO_IFF_EXPENSIVE)
			ip6oa.ip6oa_flags |= IP6OAF_NO_EXPENSIVE;
	}

	bzero(&ro, sizeof(struct route_in6));

	/*
	 * Send  mbuf and ifscope information. Check for correctness
	 * of ifscope information is done while searching for a route in 
	 * ip6_output.
	 */
	error = ip6_output(m, NULL, &ro, IPV6_OUTARGS, im6o, NULL, &ip6oa);

	/* Release the route */
	ROUTE_RELEASE(&ro);

	if (im6o != NULL)
		IM6O_REMREF(im6o);

	return (error);
}
#endif /* INET6 */

errno_t
ipf_inject_output(
	mbuf_t data,
	ipfilter_t filter_ref,
	ipf_pktopts_t options)
{
	struct mbuf	*m = (struct mbuf*)data;
	u_int8_t	vers;
	errno_t		error = 0;

	/* Make one byte of the header contiguous in the mbuf */
	if (m->m_len < 1) {
		m = m_pullup(m, 1);
		if (m == NULL) 
			goto done;
	}
	
	vers = (*(u_int8_t*)m_mtod(m)) >> 4;
	switch (vers)
	{
		case 4:
			error = ipf_injectv4_out(data, filter_ref, options);
			break;
#if INET6
		case 6:
			error = ipf_injectv6_out(data, filter_ref, options);
			break;
#endif
		default:
			m_freem(m);
			error = ENOTSUP;
			break;
	}

done:	
	return error;
}

__private_extern__ ipfilter_t
ipf_get_inject_filter(struct mbuf *m)
{
	ipfilter_t filter_ref = 0;
	struct m_tag *mtag;
	
	mtag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT, NULL);
	if (mtag) {
		filter_ref = *(ipfilter_t *)(mtag+1);
		
		m_tag_delete(m, mtag);
	}
	return filter_ref;
}

__private_extern__ int
ipf_init(void)
{
	int error = 0;
	lck_grp_attr_t *grp_attributes = 0;
	lck_attr_t *lck_attributes = 0;
	lck_grp_t *lck_grp = 0;
	
	grp_attributes = lck_grp_attr_alloc_init();
	if (grp_attributes == 0) {
		printf("ipf_init: lck_grp_attr_alloc_init failed\n");
		error = ENOMEM;
		goto done;
	}
	
	lck_grp = lck_grp_alloc_init("IP Filter", grp_attributes);
	if (lck_grp == 0) {
		printf("ipf_init: lck_grp_alloc_init failed\n");
		error = ENOMEM;
		goto done;
	}
	
	lck_attributes = lck_attr_alloc_init();
	if (lck_attributes == 0) {
		printf("ipf_init: lck_attr_alloc_init failed\n");
		error = ENOMEM;
		goto done;
	}
	
	lck_mtx_init(kipf_lock, lck_grp, lck_attributes);

	done:
	if (lck_grp) {
		lck_grp_free(lck_grp);
		lck_grp = 0;
	}
	if (grp_attributes) {
		lck_grp_attr_free(grp_attributes);
		grp_attributes = 0;
	}
	if (lck_attributes) {
		lck_attr_free(lck_attributes);
		lck_attributes = 0;
	}
	
	return error;
}
Commit	Line	Data
91447636	1	/*
39037602	2	* Copyright (c) 2004-2016 Apple Inc. All rights reserved.
5d5c5d0d	3	*
2d21ac55	4	* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
91447636	5	*
2d21ac55 A	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. The rights granted to you under the License
	10	* may not be used to create, or enable the creation or redistribution of,
	11	* unlawful or unlicensed copies of an Apple operating system, or to
	12	* circumvent, violate, or enable the circumvention or violation of, any
	13	* terms of an Apple operating system software license agreement.
8f6c56a5	14	*
2d21ac55 A	15	* Please obtain a copy of the License at
	16	* http://www.opensource.apple.com/apsl/ and read it before using this file.
	17	*
	18	* The Original Code and all software distributed under the License are
	19	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
8f6c56a5 A	20	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
8f6c56a5 A	21	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
2d21ac55 A	22	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	23	* Please see the License for the specific language governing rights and
	24	* limitations under the License.
8f6c56a5	25	*
2d21ac55	26	* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
91447636 A	27	*/
	28
	29	#include <sys/param.h> /* for definition of NULL */
	30	#include <sys/errno.h>
	31	#include <sys/malloc.h>
	32	#include <sys/socket.h>
	33	#include <sys/mbuf.h>
	34	#include <sys/systm.h>
b0d623f7 A	35	#include <libkern/OSAtomic.h>
	36
	37	#include <machine/endian.h>
91447636 A	38
	39	#define _IP_VHL
	40	#include <net/if_var.h>
	41	#include <net/route.h>
	42	#include <net/kpi_protocol.h>
	43
	44	#include <netinet/in_systm.h>
	45	#include <netinet/in.h>
	46	#include <netinet/in_var.h>
	47	#include <netinet6/in6_var.h>
	48	#include <netinet/ip.h>
	49	#include <netinet/ip6.h>
	50	#include <netinet/ip_var.h>
	51	#include <netinet6/ip6_var.h>
	52	#include <netinet/kpi_ipfilter_var.h>
	53
b0d623f7	54
91447636 A	55	/*
	56	* kipf_lock and kipf_ref protect the linkage of the list of IP filters
	57	* An IP filter can be removed only when kipf_ref is zero
	58	* If an IP filter cannot be removed because kipf_ref is not null, then
	59	* the IP filter is marjed and kipf_delayed_remove is set so that when
	60	* kipf_ref eventually goes down to zero, the IP filter is removed
	61	*/
316670eb A	62	decl_lck_mtx_data(static, kipf_lock_data);
316670eb A	63	static lck_mtx_t *kipf_lock = &kipf_lock_data;
b0d623f7 A	64	static u_int32_t kipf_ref = 0;
	65	static u_int32_t kipf_delayed_remove = 0;
	66	u_int32_t kipf_count = 0;
91447636 A	67
	68	__private_extern__ struct ipfilter_list ipv4_filters = TAILQ_HEAD_INITIALIZER(ipv4_filters);
	69	__private_extern__ struct ipfilter_list ipv6_filters = TAILQ_HEAD_INITIALIZER(ipv6_filters);
	70	__private_extern__ struct ipfilter_list tbr_filters = TAILQ_HEAD_INITIALIZER(tbr_filters);
	71
	72	__private_extern__ void
	73	ipf_ref(void)
	74	{
	75	lck_mtx_lock(kipf_lock);
	76	kipf_ref++;
	77	lck_mtx_unlock(kipf_lock);
	78	}
	79
	80	__private_extern__ void
	81	ipf_unref(void)
	82	{
	83	lck_mtx_lock(kipf_lock);
	84
	85	if (kipf_ref == 0)
	86	panic("ipf_unref: kipf_ref == 0\n");
	87
	88	kipf_ref--;
	89	if (kipf_ref == 0 && kipf_delayed_remove != 0) {
	90	struct ipfilter *filter;
	91
	92	while ((filter = TAILQ_FIRST(&tbr_filters))) {
	93	ipf_detach_func ipf_detach = filter->ipf_filter.ipf_detach;
	94	void* cookie = filter->ipf_filter.cookie;
	95
	96	TAILQ_REMOVE(filter->ipf_head, filter, ipf_link);
	97	TAILQ_REMOVE(&tbr_filters, filter, ipf_tbr);
	98	kipf_delayed_remove--;
	99
	100	if (ipf_detach) {
	101	lck_mtx_unlock(kipf_lock);
	102	ipf_detach(cookie);
	103	lck_mtx_lock(kipf_lock);
	104	/* In case some filter got to run while we released the lock */
	105	if (kipf_ref != 0)
	106	break;
	107	}
	108	}
	109	}
	110	lck_mtx_unlock(kipf_lock);
	111	}
	112
	113	static errno_t
	114	ipf_add(
	115	const struct ipf_filter* filter,
	116	ipfilter_t *filter_ref,
	117	struct ipfilter_list *head)
	118	{
	119	struct ipfilter *new_filter;
	120	if (filter->name == NULL \|\| (filter->ipf_input == NULL && filter->ipf_output == NULL))
	121	return EINVAL;
	122
	123	MALLOC(new_filter, struct ipfilter, sizeof(new_filter), M_IFADDR, M_WAITOK);
	124	if (new_filter == NULL)
	125	return ENOMEM;
	126
	127	lck_mtx_lock(kipf_lock);
	128	new_filter->ipf_filter = *filter;
	129	new_filter->ipf_head = head;
	130
b0d623f7	131	TAILQ_INSERT_HEAD(head, new_filter, ipf_link);
91447636 A	132
	133	lck_mtx_unlock(kipf_lock);
	134
	135	*filter_ref = (ipfilter_t)new_filter;
b0d623f7 A	136
	137	/* This will force TCP to re-evaluate its use of TSO */
	138	OSAddAtomic(1, &kipf_count);
39236c6e	139	routegenid_update();
b0d623f7	140
91447636 A	141	return 0;
	142	}
	143
	144	errno_t
	145	ipf_addv4(
	146	const struct ipf_filter* filter,
	147	ipfilter_t *filter_ref)
	148	{
	149	return ipf_add(filter, filter_ref, &ipv4_filters);
	150	}
	151
	152	errno_t
	153	ipf_addv6(
	154	const struct ipf_filter* filter,
	155	ipfilter_t *filter_ref)
	156	{
	157	return ipf_add(filter, filter_ref, &ipv6_filters);
	158	}
	159
fe8ab488 A	160	static errno_t
	161	ipf_input_detached(void cookie, mbuf_t data, int offset, u_int8_t protocol)
	162	{
	163	#pragma unused(cookie, data, offset, protocol)
	164
	165	#if DEBUG
	166	printf("ipf_input_detached\n");
	167	#endif /* DEBUG */
	168
	169	return (0);
	170	}
	171
	172	static errno_t
	173	ipf_output_detached(void cookie, mbuf_t data, ipf_pktopts_t options)
	174	{
	175	#pragma unused(cookie, data, options)
	176
	177	#if DEBUG
	178	printf("ipf_output_detached\n");
	179	#endif /* DEBUG */
	180
	181	return (0);
	182	}
	183
91447636 A	184	errno_t
	185	ipf_remove(
	186	ipfilter_t filter_ref)
	187	{
	188	struct ipfilter match = (struct ipfilter)filter_ref;
	189	struct ipfilter_list *head;
	190
	191	if (match == 0 \|\| (match->ipf_head != &ipv4_filters && match->ipf_head != &ipv6_filters))
	192	return EINVAL;
	193
	194	head = match->ipf_head;
	195
	196	lck_mtx_lock(kipf_lock);
	197	TAILQ_FOREACH(match, head, ipf_link) {
	198	if (match == (struct ipfilter*)filter_ref) {
	199	ipf_detach_func ipf_detach = match->ipf_filter.ipf_detach;
	200	void* cookie = match->ipf_filter.cookie;
	201
	202	/*
	203	* Cannot detach when they are filters running
	204	*/
	205	if (kipf_ref) {
	206	kipf_delayed_remove++;
	207	TAILQ_INSERT_TAIL(&tbr_filters, match, ipf_tbr);
fe8ab488 A	208	match->ipf_filter.ipf_input = ipf_input_detached;
fe8ab488 A	209	match->ipf_filter.ipf_output = ipf_output_detached;
91447636 A	210	lck_mtx_unlock(kipf_lock);
	211	} else {
	212	TAILQ_REMOVE(head, match, ipf_link);
	213	lck_mtx_unlock(kipf_lock);
	214	if (ipf_detach)
	215	ipf_detach(cookie);
	216	FREE(match, M_IFADDR);
b0d623f7 A	217
	218	/* This will force TCP to re-evaluate its use of TSO */
	219	OSAddAtomic(-1, &kipf_count);
39236c6e	220	routegenid_update();
b0d623f7	221
91447636 A	222	}
	223	return 0;
	224	}
	225	}
	226	lck_mtx_unlock(kipf_lock);
	227
	228	return ENOENT;
	229	}
	230
	231	int log_for_en1 = 0;
	232
	233	errno_t
	234	ipf_inject_input(
	235	mbuf_t data,
	236	ipfilter_t filter_ref)
	237	{
	238	struct mbuf m = (struct mbuf)data;
	239	struct m_tag *mtag = 0;
	240	struct ip ip = mtod(m, struct ip );
	241	u_int8_t vers;
	242	int hlen;
	243	errno_t error = 0;
	244	protocol_family_t proto;
	245
	246	vers = IP_VHL_V(ip->ip_vhl);
	247
	248	switch (vers) {
	249	case 4:
	250	proto = PF_INET;
	251	break;
	252	case 6:
	253	proto = PF_INET6;
	254	break;
	255	default:
	256	error = ENOTSUP;
	257	goto done;
	258	}
	259
	260	if (filter_ref == 0 && m->m_pkthdr.rcvif == 0) {
6d2010ae	261	m->m_pkthdr.rcvif = lo_ifp;
91447636 A	262	m->m_pkthdr.csum_data = 0;
	263	m->m_pkthdr.csum_flags = 0;
	264	if (vers == 4) {
	265	hlen = IP_VHL_HL(ip->ip_vhl) << 2;
	266	ip->ip_sum = 0;
	267	ip->ip_sum = in_cksum(m, hlen);
	268	}
	269	}
	270	if (filter_ref != 0) {
6d2010ae A	271	mtag = m_tag_create(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT,
6d2010ae A	272	sizeof (ipfilter_t), M_NOWAIT, m);
91447636 A	273	if (mtag == NULL) {
	274	error = ENOMEM;
	275	goto done;
	276	}
	277	(ipfilter_t)(mtag+1) = filter_ref;
	278	m_tag_prepend(m, mtag);
	279	}
	280
	281	error = proto_inject(proto, data);
	282
	283	done:
	284	return error;
	285	}
	286
	287	static errno_t
6d2010ae	288	ipf_injectv4_out(mbuf_t data, ipfilter_t filter_ref, ipf_pktopts_t options)
91447636 A	289	{
91447636 A	290	struct route ro;
91447636 A	291	struct ip *ip;
	292	struct mbuf m = (struct mbuf)data;
	293	errno_t error = 0;
6d2010ae A	294	struct m_tag *mtag = NULL;
6d2010ae A	295	struct ip_moptions *imo = NULL;
39037602 A	296	struct ip_out_args ipoa = { IFSCOPE_NONE, { 0 }, 0, 0,
39037602 A	297	SO_TC_UNSPEC, _NET_SERVICE_TYPE_UNSPEC };
6d2010ae	298
91447636	299	/* Make the IP header contiguous in the mbuf */
6d2010ae A	300	if ((size_t)m->m_len < sizeof (struct ip)) {
	301	m = m_pullup(m, sizeof (struct ip));
	302	if (m == NULL)
	303	return (ENOMEM);
91447636	304	}
6d2010ae A	305	ip = (struct ip *)m_mtod(m);
6d2010ae A	306
91447636	307	if (filter_ref != 0) {
6d2010ae A	308	mtag = m_tag_create(KERNEL_MODULE_TAG_ID,
6d2010ae A	309	KERNEL_TAG_TYPE_IPFILT, sizeof (ipfilter_t), M_NOWAIT, m);
91447636 A	310	if (mtag == NULL) {
91447636 A	311	m_freem(m);
6d2010ae	312	return (ENOMEM);
91447636	313	}
6d2010ae	314	(ipfilter_t )(mtag + 1) = filter_ref;
91447636 A	315	m_tag_prepend(m, mtag);
91447636 A	316	}
6d2010ae A	317
	318	if (options != NULL && (options->ippo_flags & IPPOF_MCAST_OPTS) &&
	319	(imo = ip_allocmoptions(M_DONTWAIT)) != NULL) {
91447636 A	320	imo->imo_multicast_ifp = options->ippo_mcast_ifnet;
	321	imo->imo_multicast_ttl = options->ippo_mcast_ttl;
	322	imo->imo_multicast_loop = options->ippo_mcast_loop;
	323	}
6d2010ae	324
316670eb A	325	if (options != NULL) {
	326	if (options->ippo_flags & IPPOF_SELECT_SRCIF)
	327	ipoa.ipoa_flags \|= IPOAF_SELECT_SRCIF;
6d2010ae	328	if (options->ippo_flags & IPPOF_BOUND_IF) {
316670eb	329	ipoa.ipoa_flags \|= IPOAF_BOUND_IF;
6d2010ae A	330	ipoa.ipoa_boundif = options->ippo_flags >>
	331	IPPOF_SHIFT_IFSCOPE;
	332	}
	333	if (options->ippo_flags & IPPOF_NO_IFT_CELLULAR)
316670eb A	334	ipoa.ipoa_flags \|= IPOAF_NO_CELLULAR;
	335	if (options->ippo_flags & IPPOF_BOUND_SRCADDR)
	336	ipoa.ipoa_flags \|= IPOAF_BOUND_SRCADDR;
fe8ab488 A	337	if (options->ippo_flags & IPPOF_NO_IFF_EXPENSIVE)
fe8ab488 A	338	ipoa.ipoa_flags \|= IPOAF_NO_EXPENSIVE;
91447636	339	}
6d2010ae A	340
	341	bzero(&ro, sizeof(struct route));
	342
0c530ab8	343	/* Put ip_len and ip_off in host byte order, ip_output expects that */
b0d623f7 A	344
b0d623f7 A	345	#if BYTE_ORDER != BIG_ENDIAN
0c530ab8 A	346	NTOHS(ip->ip_len);
0c530ab8 A	347	NTOHS(ip->ip_off);
b0d623f7 A	348	#endif
b0d623f7 A	349
6d2010ae A	350	/* Send; enforce source interface selection via IP_OUTARGS flag */
	351	error = ip_output(m, NULL, &ro,
	352	IP_ALLOWBROADCAST \| IP_RAWOUTPUT \| IP_OUTARGS, imo, &ipoa);
	353
91447636	354	/* Release the route */
39236c6e	355	ROUTE_RELEASE(&ro);
6d2010ae A	356
	357	if (imo != NULL)
	358	IMO_REMREF(imo);
	359
	360	return (error);
91447636 A	361	}
91447636 A	362
2d21ac55	363	#if INET6
91447636	364	static errno_t
6d2010ae	365	ipf_injectv6_out(mbuf_t data, ipfilter_t filter_ref, ipf_pktopts_t options)
91447636 A	366	{
91447636 A	367	struct route_in6 ro;
91447636 A	368	struct ip6_hdr *ip6;
	369	struct mbuf m = (struct mbuf)data;
	370	errno_t error = 0;
6d2010ae A	371	struct m_tag *mtag = NULL;
6d2010ae A	372	struct ip6_moptions *im6o = NULL;
39037602 A	373	struct ip6_out_args ip6oa = { IFSCOPE_NONE, { 0 }, 0, 0,
39037602 A	374	SO_TC_UNSPEC, _NET_SERVICE_TYPE_UNSPEC };
6d2010ae	375
91447636 A	376	/* Make the IP header contiguous in the mbuf */
	377	if ((size_t)m->m_len < sizeof(struct ip6_hdr)) {
	378	m = m_pullup(m, sizeof(struct ip6_hdr));
6d2010ae A	379	if (m == NULL)
6d2010ae A	380	return (ENOMEM);
91447636 A	381	}
	382	ip6 = (struct ip6_hdr*)m_mtod(m);
	383
	384	if (filter_ref != 0) {
6d2010ae A	385	mtag = m_tag_create(KERNEL_MODULE_TAG_ID,
6d2010ae A	386	KERNEL_TAG_TYPE_IPFILT, sizeof (ipfilter_t), M_NOWAIT, m);
91447636 A	387	if (mtag == NULL) {
91447636 A	388	m_freem(m);
6d2010ae	389	return (ENOMEM);
91447636	390	}
6d2010ae	391	(ipfilter_t )(mtag + 1) = filter_ref;
91447636 A	392	m_tag_prepend(m, mtag);
91447636 A	393	}
6d2010ae A	394
	395	if (options != NULL && (options->ippo_flags & IPPOF_MCAST_OPTS) &&
	396	(im6o = ip6_allocmoptions(M_DONTWAIT)) != NULL) {
91447636 A	397	im6o->im6o_multicast_ifp = options->ippo_mcast_ifnet;
	398	im6o->im6o_multicast_hlim = options->ippo_mcast_ttl;
	399	im6o->im6o_multicast_loop = options->ippo_mcast_loop;
	400	}
6d2010ae	401
316670eb A	402	if (options != NULL) {
	403	if (options->ippo_flags & IPPOF_SELECT_SRCIF)
	404	ip6oa.ip6oa_flags \|= IP6OAF_SELECT_SRCIF;
6d2010ae	405	if (options->ippo_flags & IPPOF_BOUND_IF) {
316670eb	406	ip6oa.ip6oa_flags \|= IP6OAF_BOUND_IF;
6d2010ae A	407	ip6oa.ip6oa_boundif = options->ippo_flags >>
	408	IPPOF_SHIFT_IFSCOPE;
	409	}
	410	if (options->ippo_flags & IPPOF_NO_IFT_CELLULAR)
316670eb A	411	ip6oa.ip6oa_flags \|= IP6OAF_NO_CELLULAR;
	412	if (options->ippo_flags & IPPOF_BOUND_SRCADDR)
	413	ip6oa.ip6oa_flags \|= IP6OAF_BOUND_SRCADDR;
fe8ab488 A	414	if (options->ippo_flags & IPPOF_NO_IFF_EXPENSIVE)
fe8ab488 A	415	ip6oa.ip6oa_flags \|= IP6OAF_NO_EXPENSIVE;
91447636	416	}
6d2010ae A	417
	418	bzero(&ro, sizeof(struct route_in6));
	419
	420	/*
	421	* Send mbuf and ifscope information. Check for correctness
	422	* of ifscope information is done while searching for a route in
	423	* ip6_output.
	424	*/
	425	error = ip6_output(m, NULL, &ro, IPV6_OUTARGS, im6o, NULL, &ip6oa);
	426
91447636	427	/* Release the route */
39236c6e	428	ROUTE_RELEASE(&ro);
6d2010ae A	429
	430	if (im6o != NULL)
	431	IM6O_REMREF(im6o);
	432
	433	return (error);
91447636	434	}
2d21ac55	435	#endif /* INET6 */
91447636 A	436
	437	errno_t
	438	ipf_inject_output(
	439	mbuf_t data,
	440	ipfilter_t filter_ref,
	441	ipf_pktopts_t options)
	442	{
	443	struct mbuf m = (struct mbuf)data;
	444	u_int8_t vers;
	445	errno_t error = 0;
	446
	447	/* Make one byte of the header contiguous in the mbuf */
	448	if (m->m_len < 1) {
	449	m = m_pullup(m, 1);
	450	if (m == NULL)
	451	goto done;
	452	}
	453
	454	vers = ((u_int8_t)m_mtod(m)) >> 4;
	455	switch (vers)
	456	{
	457	case 4:
	458	error = ipf_injectv4_out(data, filter_ref, options);
	459	break;
2d21ac55	460	#if INET6
91447636 A	461	case 6:
	462	error = ipf_injectv6_out(data, filter_ref, options);
	463	break;
2d21ac55	464	#endif
91447636 A	465	default:
	466	m_freem(m);
	467	error = ENOTSUP;
	468	break;
	469	}
	470
	471	done:
	472	return error;
	473	}
	474
	475	__private_extern__ ipfilter_t
	476	ipf_get_inject_filter(struct mbuf *m)
	477	{
	478	ipfilter_t filter_ref = 0;
	479	struct m_tag *mtag;
	480
	481	mtag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT, NULL);
	482	if (mtag) {
	483	filter_ref = (ipfilter_t )(mtag+1);
	484
	485	m_tag_delete(m, mtag);
	486	}
	487	return filter_ref;
	488	}
	489
	490	__private_extern__ int
	491	ipf_init(void)
	492	{
	493	int error = 0;
	494	lck_grp_attr_t *grp_attributes = 0;
	495	lck_attr_t *lck_attributes = 0;
	496	lck_grp_t *lck_grp = 0;
	497
	498	grp_attributes = lck_grp_attr_alloc_init();
	499	if (grp_attributes == 0) {
	500	printf("ipf_init: lck_grp_attr_alloc_init failed\n");
	501	error = ENOMEM;
	502	goto done;
	503	}
91447636 A	504
	505	lck_grp = lck_grp_alloc_init("IP Filter", grp_attributes);
	506	if (lck_grp == 0) {
	507	printf("ipf_init: lck_grp_alloc_init failed\n");
	508	error = ENOMEM;
	509	goto done;
	510	}
	511
	512	lck_attributes = lck_attr_alloc_init();
	513	if (lck_attributes == 0) {
	514	printf("ipf_init: lck_attr_alloc_init failed\n");
	515	error = ENOMEM;
	516	goto done;
	517	}
91447636	518
316670eb A	519	lck_mtx_init(kipf_lock, lck_grp, lck_attributes);
316670eb A	520
91447636	521	done:
91447636 A	522	if (lck_grp) {
	523	lck_grp_free(lck_grp);
	524	lck_grp = 0;
	525	}
	526	if (grp_attributes) {
	527	lck_grp_attr_free(grp_attributes);
	528	grp_attributes = 0;
	529	}
	530	if (lck_attributes) {
	531	lck_attr_free(lck_attributes);
	532	lck_attributes = 0;
	533	}
	534
	535	return error;
	536	}