]> git.saurik.com Git - apple/xnu.git/blame - bsd/netinet/kpi_ipfilter.h
xnu-1486.2.11.tar.gz
[apple/xnu.git] / bsd / netinet / kpi_ipfilter.h
CommitLineData
91447636 1/*
b0d623f7 2 * Copyright (c) 2008 Apple Computer, Inc. All rights reserved.
91447636 3 *
2d21ac55 4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
91447636 5 *
2d21ac55
A
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
8f6c56a5 14 *
2d21ac55
A
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
8f6c56a5
A
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
2d21ac55
A
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
8f6c56a5 25 *
2d21ac55 26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
91447636
A
27 */
28/*!
29 @header kpi_ipfilter.h
30 This header defines an API to attach IP filters. IP filters may be
31 attached to intercept either IPv4 or IPv6 packets. The filters can
32 intercept all IP packets in to and out of the host regardless of
33 interface.
34 */
35
36#ifndef __KPI_IPFILTER__
37#define __KPI_IPFILTER__
38
39#include <sys/kernel_types.h>
40
41/*
42 * ipf_pktopts
43 *
44 * Options for outgoing packets. The options need to be preserved when
45 * re-injecting a packet.
46 */
47struct ipf_pktopts {
48 u_int32_t ippo_flags;
49 ifnet_t ippo_mcast_ifnet;
b0d623f7 50 int ippo_mcast_loop;
91447636
A
51 u_int8_t ippo_mcast_ttl;
52};
53#define IPPOF_MCAST_OPTS 0x1
54
b0d623f7 55typedef struct ipf_pktopts *ipf_pktopts_t;
91447636 56
2d21ac55
A
57__BEGIN_DECLS
58
91447636
A
59/*!
60 @typedef ipf_input_func
b0d623f7 61
91447636
A
62 @discussion ipf_input_func is used to filter incoming ip packets.
63 The IP filter is called for packets from all interfaces. The
64 filter is called between when the general IP processing is
65 handled and when the packet is passed up to the next layer
66 protocol such as udp or tcp. In the case of encapsulation, such
67 as UDP in ESP (IPSec), your filter will be called once for ESP
68 and then again for UDP. This will give your filter an
69 opportunity to process the ESP header as well as the decrypted
70 packet. Offset and protocol are used to determine where in the
71 packet processing is currently occuring. If you're only
72 interested in TCP or UDP packets, just return 0 if protocol
73 doesn't match TCP or UDP.
74 @param cookie The cookie specified when your filter was attached.
75 @param data The reassembled ip packet, data will start at the ip
76 header.
77 @param offset An offset to the next header
78 (udp/tcp/icmp/esp/etc...).
79 @param protocol The protocol type (udp/tcp/icmp/etc...) of the IP packet
80 @result Return:
b0d623f7
A
81 0 - The caller will continue with normal processing of the
82 packet.
83 EJUSTRETURN - The caller will stop processing the packet,
84 the packet will not be freed.
85 Anything Else - The caller will free the packet and stop
86 processing.
91447636 87*/
b0d623f7
A
88typedef errno_t (*ipf_input_func)(void *cookie, mbuf_t *data, int offset,
89 u_int8_t protocol);
91447636
A
90
91/*!
92 @typedef ipf_output_func
b0d623f7 93
91447636
A
94 @discussion ipf_output_func is used to filter outbound ip packets.
95 The IP filter is called for packets to all interfaces. The
96 filter is called before fragmentation and IPSec processing. If
97 you need to change the destination IP address, call
98 ipf_inject_output and return EJUSTRETURN.
99 @param cookie The cookie specified when your filter was attached.
100 @param data The ip packet, will contain an IP header followed by the
101 rest of the IP packet.
102 @result Return:
b0d623f7
A
103 0 - The caller will continue with normal processing of the
104 packet.
105 EJUSTRETURN - The caller will stop processing the packet,
106 the packet will not be freed.
107 Anything Else - The caller will free the packet and stop
108 processing.
91447636 109*/
b0d623f7
A
110typedef errno_t (*ipf_output_func)(void *cookie, mbuf_t *data,
111 ipf_pktopts_t options);
91447636
A
112
113/*!
114 @typedef ipf_detach_func
b0d623f7 115
91447636
A
116 @discussion ipf_detach_func is called to notify your filter that it
117 has been detached.
118 @param cookie The cookie specified when your filter was attached.
119*/
b0d623f7 120typedef void (*ipf_detach_func)(void *cookie);
91447636
A
121
122/*!
123 @typedef ipf_filter
124 @discussion This structure is used to define an IP filter for
125 use with the ipf_addv4 or ipf_addv6 function.
126 @field cookie A kext defined cookie that will be passed to all
127 filter functions.
128 @field name A filter name used for debugging purposes.
129 @field ipf_input The filter function to handle inbound packets.
130 @field ipf_output The filter function to handle outbound packets.
131 @field ipf_detach The filter function to notify of a detach.
132*/
133struct ipf_filter {
b0d623f7
A
134 void *cookie;
135 const char *name;
91447636
A
136 ipf_input_func ipf_input;
137 ipf_output_func ipf_output;
138 ipf_detach_func ipf_detach;
139};
140
141struct opaque_ipfilter;
b0d623f7 142typedef struct opaque_ipfilter *ipfilter_t;
91447636
A
143
144/*!
145 @function ipf_addv4
146 @discussion Attaches an IPv4 ip filter.
147 @param filter A structure defining the filter.
148 @param filter_ref A reference to the filter used to detach it.
149 @result 0 on success otherwise the errno error.
150 */
b0d623f7
A
151extern errno_t ipf_addv4(const struct ipf_filter *filter,
152 ipfilter_t *filter_ref);
91447636
A
153
154/*!
155 @function ipf_addv6
156 @discussion Attaches an IPv6 ip filter.
157 @param filter A structure defining the filter.
158 @param filter_ref A reference to the filter used to detach it.
159 @result 0 on success otherwise the errno error.
160 */
b0d623f7
A
161extern errno_t ipf_addv6(const struct ipf_filter *filter,
162 ipfilter_t *filter_ref);
91447636
A
163
164/*!
165 @function ipf_remove
166 @discussion Detaches an IPv4 or IPv6 filter.
167 @param filter_ref The reference to the filter returned from ipf_addv4 or
168 ipf_addv6.
169 @result 0 on success otherwise the errno error.
170 */
b0d623f7 171extern errno_t ipf_remove(ipfilter_t filter_ref);
91447636
A
172
173/*!
174 @function ipf_inject_input
175 @discussion Inject an IP packet as though it had just been
176 reassembled in ip_input. When re-injecting a packet intercepted
177 by the filter's ipf_input function, an IP filter can pass its
178 reference to avoid processing the packet twice. This also
179 prevents ip filters installed before this filter from
180 getting a chance to process the packet. If the filter modified
181 the packet, it should not specify the filter ref to give other
182 filters a chance to process the new packet.
b0d623f7 183
91447636
A
184 Caller is responsible for freeing mbuf chain in the event that
185 ipf_inject_input returns an error.
186 @param data The complete IPv4 or IPv6 packet, receive interface must
187 be set.
188 @param filter_ref The reference to the filter injecting the data
189 @result 0 on success otherwise the errno error.
190 */
b0d623f7 191extern errno_t ipf_inject_input(mbuf_t data, ipfilter_t filter_ref);
91447636
A
192
193/*!
194 @function ipf_inject_output
195 @discussion Inject an IP packet as though it had just been sent to
196 ip_output. When re-injecting a packet intercepted by the
197 filter's ipf_output function, an IP filter can pass its
198 reference to avoid processing the packet twice. This also
199 prevents ip filters installed before this filter from getting a
200 chance to process the packet. If the filter modified the packet,
201 it should not specify the filter ref to give other filters a
202 chance to process the new packet.
203 @param data The complete IPv4 or IPv6 packet.
204 @param filter_ref The reference to the filter injecting the data
205 @param options Output options for the packet
206 @result 0 on success otherwise the errno error. ipf_inject_output
207 will always free the mbuf.
208 */
b0d623f7
A
209extern errno_t ipf_inject_output(mbuf_t data, ipfilter_t filter_ref,
210 ipf_pktopts_t options);
91447636 211
2d21ac55 212__END_DECLS
91447636 213#endif /* __KPI_IPFILTER__ */