[apple/xnu.git] / bsd / netinet / kpi_ipfilter.c

/*
 * Copyright (c) 2004-2018 Apple Inc. All rights reserved.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. The rights granted to you under the License
 * may not be used to create, or enable the creation or redistribution of,
 * unlawful or unlicensed copies of an Apple operating system, or to
 * circumvent, violate, or enable the circumvention or violation of, any
 * terms of an Apple operating system software license agreement.
 *
 * Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
 */

#include <sys/param.h>	/* for definition of NULL */
#include <sys/errno.h>
#include <sys/malloc.h>
#include <sys/socket.h>
#include <sys/mbuf.h>
#include <sys/systm.h>
#include <libkern/OSAtomic.h>

#include <machine/endian.h>

#define	_IP_VHL
#include <net/if_var.h>
#include <net/route.h>
#include <net/kpi_protocol.h>
#include <net/net_api_stats.h>

#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/in_var.h>
#include <netinet6/in6_var.h>
#include <netinet/ip.h>
#include <netinet/ip6.h>
#include <netinet/ip_var.h>
#include <netinet6/ip6_var.h>
#include <netinet/kpi_ipfilter_var.h>

#include <stdbool.h>

/*
 * kipf_lock and kipf_ref protect the linkage of the list of IP filters
 * An IP filter can be removed only when kipf_ref is zero
 * If an IP filter cannot be removed because kipf_ref is not null, then
 * the IP filter is marjed and kipf_delayed_remove is set so that when
 * kipf_ref eventually goes down to zero, the IP filter is removed
 */
decl_lck_mtx_data(static, kipf_lock_data);
static lck_mtx_t *kipf_lock = &kipf_lock_data;
static u_int32_t kipf_ref = 0;
static u_int32_t kipf_delayed_remove = 0;
u_int32_t kipf_count = 0;

__private_extern__ struct ipfilter_list	ipv4_filters = TAILQ_HEAD_INITIALIZER(ipv4_filters);
__private_extern__ struct ipfilter_list	ipv6_filters = TAILQ_HEAD_INITIALIZER(ipv6_filters);
__private_extern__ struct ipfilter_list	tbr_filters = TAILQ_HEAD_INITIALIZER(tbr_filters);

#undef ipf_addv4
#undef ipf_addv6
extern errno_t ipf_addv4(const struct ipf_filter *filter,
    ipfilter_t *filter_ref);
extern errno_t ipf_addv6(const struct ipf_filter *filter,
    ipfilter_t *filter_ref);

static errno_t ipf_add(const struct ipf_filter *filter,
    ipfilter_t *filter_ref, struct ipfilter_list *head, bool is_internal);

__private_extern__ void
ipf_ref(void)
{
	lck_mtx_lock(kipf_lock);
	kipf_ref++;
	lck_mtx_unlock(kipf_lock);
}

__private_extern__ void
ipf_unref(void)
{
	lck_mtx_lock(kipf_lock);

	if (kipf_ref == 0)
		panic("ipf_unref: kipf_ref == 0\n");

	kipf_ref--;
	if (kipf_ref == 0 && kipf_delayed_remove != 0) {
		struct ipfilter *filter;

		while ((filter = TAILQ_FIRST(&tbr_filters))) {
			VERIFY(OSDecrementAtomic64(&net_api_stats.nas_ipf_add_count) > 0);

			ipf_detach_func ipf_detach = filter->ipf_filter.ipf_detach;
			void* cookie = filter->ipf_filter.cookie;

			TAILQ_REMOVE(filter->ipf_head, filter, ipf_link);
			TAILQ_REMOVE(&tbr_filters, filter, ipf_tbr);
			kipf_delayed_remove--;

			if (ipf_detach) {
				lck_mtx_unlock(kipf_lock);
				ipf_detach(cookie);
				lck_mtx_lock(kipf_lock);
				/* In case some filter got to run while we released the lock */
				if (kipf_ref != 0)
					break;
			}
		}
	}
	lck_mtx_unlock(kipf_lock);
}

static errno_t
ipf_add(
	const struct ipf_filter *filter,
	ipfilter_t *filter_ref,
	struct ipfilter_list *head,
	bool is_internal)
{
	struct ipfilter	*new_filter;
	if (filter->name == NULL || (filter->ipf_input == NULL && filter->ipf_output == NULL))
		return (EINVAL);

	MALLOC(new_filter, struct ipfilter *, sizeof(*new_filter), M_IFADDR, M_WAITOK);
	if (new_filter == NULL)
		return (ENOMEM);

	lck_mtx_lock(kipf_lock);
	new_filter->ipf_filter = *filter;
	new_filter->ipf_head = head;

	TAILQ_INSERT_HEAD(head, new_filter, ipf_link);

	OSIncrementAtomic64(&net_api_stats.nas_ipf_add_count);
	INC_ATOMIC_INT64_LIM(net_api_stats.nas_ipf_add_total);
	if (is_internal) {
		INC_ATOMIC_INT64_LIM(net_api_stats.nas_ipf_add_os_total);
	}

	lck_mtx_unlock(kipf_lock);

	*filter_ref = (ipfilter_t)new_filter;

	/* This will force TCP to re-evaluate its use of TSO */
	OSAddAtomic(1, &kipf_count);
	routegenid_update();

	return (0);
}

errno_t
ipf_addv4_internal(
	const struct ipf_filter *filter,
	ipfilter_t *filter_ref)
{
	return (ipf_add(filter, filter_ref, &ipv4_filters, true));
}

errno_t
ipf_addv4(
	const struct ipf_filter *filter,
	ipfilter_t *filter_ref)
{
	return (ipf_add(filter, filter_ref, &ipv4_filters, false));
}

errno_t
ipf_addv6_internal(
	const struct ipf_filter *filter,
	ipfilter_t *filter_ref)
{
	return (ipf_add(filter, filter_ref, &ipv6_filters, true));
}

errno_t
ipf_addv6(
	const struct ipf_filter *filter,
	ipfilter_t *filter_ref)
{
	return (ipf_add(filter, filter_ref, &ipv6_filters, false));
}

static errno_t
ipf_input_detached(void *cookie, mbuf_t *data, int offset, u_int8_t protocol)
{
#pragma unused(cookie, data, offset, protocol)

#if DEBUG
	printf("ipf_input_detached\n");
#endif /* DEBUG */

	return (0);
}

static errno_t
ipf_output_detached(void *cookie, mbuf_t *data, ipf_pktopts_t options)
{
#pragma unused(cookie, data, options)

#if DEBUG
	printf("ipf_output_detached\n");
#endif /* DEBUG */

	return (0);
}

errno_t
ipf_remove(
	ipfilter_t filter_ref)
{
	struct ipfilter	*match = (struct ipfilter *)filter_ref;
	struct ipfilter_list *head;

	if (match == 0 || (match->ipf_head != &ipv4_filters && match->ipf_head != &ipv6_filters))
		return (EINVAL);

	head = match->ipf_head;

	lck_mtx_lock(kipf_lock);
	TAILQ_FOREACH(match, head, ipf_link) {
		if (match == (struct ipfilter *)filter_ref) {
			ipf_detach_func ipf_detach = match->ipf_filter.ipf_detach;
			void* cookie = match->ipf_filter.cookie;

			/*
			 * Cannot detach when they are filters running
			 */
			if (kipf_ref) {
				kipf_delayed_remove++;
				TAILQ_INSERT_TAIL(&tbr_filters, match, ipf_tbr);
				match->ipf_filter.ipf_input = ipf_input_detached;
				match->ipf_filter.ipf_output = ipf_output_detached;
				lck_mtx_unlock(kipf_lock);
			} else {
				VERIFY(OSDecrementAtomic64(&net_api_stats.nas_ipf_add_count) > 0);

				TAILQ_REMOVE(head, match, ipf_link);
				lck_mtx_unlock(kipf_lock);

				if (ipf_detach)
					ipf_detach(cookie);
				FREE(match, M_IFADDR);

				/* This will force TCP to re-evaluate its use of TSO */
				OSAddAtomic(-1, &kipf_count);
				routegenid_update();

			}
			return (0);
		}
	}
	lck_mtx_unlock(kipf_lock);

	return (ENOENT);
}

int log_for_en1 = 0;

errno_t
ipf_inject_input(
	mbuf_t data,
	ipfilter_t filter_ref)
{
	struct mbuf *m = (struct mbuf *)data;
	struct m_tag *mtag = 0;
	struct ip *ip = mtod(m, struct ip *);
	struct ip6_hdr *ip6;
	u_int8_t	vers;
	int hlen;
	errno_t error = 0;
	protocol_family_t proto;
	struct in_ifaddr *ia = NULL;
	struct in_addr *pkt_dst = NULL;
	struct in6_ifaddr *ia6 = NULL;
	struct sockaddr_in6 pkt_dst6;

	vers = IP_VHL_V(ip->ip_vhl);

	switch (vers) {
		case 4:
			proto = PF_INET;
			break;
		case 6:
			proto = PF_INET6;
			break;
		default:
			error = ENOTSUP;
			goto done;
	}

	if (filter_ref == 0 && m->m_pkthdr.rcvif == 0) {
		/*
		 * Search for interface with the local address
		 */
		switch (proto) {
			case PF_INET:
				pkt_dst = &ip->ip_dst;
				lck_rw_lock_shared(in_ifaddr_rwlock);
				TAILQ_FOREACH(ia, INADDR_HASH(pkt_dst->s_addr), ia_hash) {
					if (IA_SIN(ia)->sin_addr.s_addr == pkt_dst->s_addr) {
						m->m_pkthdr.rcvif = ia->ia_ifp;
						break;
					}
				}
				lck_rw_done(in_ifaddr_rwlock);
				break;

			case PF_INET6:
				ip6 = mtod(m, struct ip6_hdr *);
				pkt_dst6.sin6_addr = ip6->ip6_dst;
				lck_rw_lock_shared(&in6_ifaddr_rwlock);
				for (ia6 = in6_ifaddrs; ia6 != NULL; ia6 = ia6->ia_next) {
					if (IN6_ARE_ADDR_EQUAL(&ia6->ia_addr.sin6_addr, &pkt_dst6.sin6_addr)) {
						m->m_pkthdr.rcvif = ia6->ia_ifp;
						break;
					}
				}
				lck_rw_done(&in6_ifaddr_rwlock);
				break;

			default:
				break;
		}

		/*
		 * If none found, fallback to loopback
		 */
		if (m->m_pkthdr.rcvif == NULL) {
			m->m_pkthdr.rcvif = lo_ifp;
		}

		m->m_pkthdr.csum_data = 0;
		m->m_pkthdr.csum_flags = 0;
		if (vers == 4) {
			hlen = IP_VHL_HL(ip->ip_vhl) << 2;
			ip->ip_sum = 0;
			ip->ip_sum = in_cksum(m, hlen);
		}
	}
	if (filter_ref != 0) {
		mtag = m_tag_create(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT,
		    sizeof (ipfilter_t), M_NOWAIT, m);
		if (mtag == NULL) {
			error = ENOMEM;
			goto done;
		}
		*(ipfilter_t *)(mtag+1) = filter_ref;
		m_tag_prepend(m, mtag);
	}

	error = proto_inject(proto, data);

done:
	return (error);
}

static errno_t
ipf_injectv4_out(mbuf_t data, ipfilter_t filter_ref, ipf_pktopts_t options)
{
	struct route ro;
	struct ip *ip;
	struct mbuf *m = (struct mbuf *)data;
	errno_t error = 0;
	struct m_tag *mtag = NULL;
	struct ip_moptions *imo = NULL;
	struct ip_out_args ipoa;

	bzero(&ipoa, sizeof(ipoa));
	ipoa.ipoa_boundif = IFSCOPE_NONE;
	ipoa.ipoa_sotc = SO_TC_UNSPEC;
	ipoa.ipoa_netsvctype = _NET_SERVICE_TYPE_UNSPEC;

	/* Make the IP header contiguous in the mbuf */
	if ((size_t)m->m_len < sizeof (struct ip)) {
		m = m_pullup(m, sizeof (struct ip));
		if (m == NULL)
			return (ENOMEM);
	}
	ip = (struct ip *)m_mtod(m);

	if (filter_ref != 0) {
		mtag = m_tag_create(KERNEL_MODULE_TAG_ID,
		    KERNEL_TAG_TYPE_IPFILT, sizeof (ipfilter_t), M_NOWAIT, m);
		if (mtag == NULL) {
			m_freem(m);
			return (ENOMEM);
		}
		*(ipfilter_t *)(mtag + 1) = filter_ref;
		m_tag_prepend(m, mtag);
	}

	if (options != NULL && (options->ippo_flags & IPPOF_MCAST_OPTS) &&
	    (imo = ip_allocmoptions(M_DONTWAIT)) != NULL) {
		imo->imo_multicast_ifp = options->ippo_mcast_ifnet;
		imo->imo_multicast_ttl = options->ippo_mcast_ttl;
		imo->imo_multicast_loop = options->ippo_mcast_loop;
	}

	if (options != NULL) {
		if (options->ippo_flags & IPPOF_SELECT_SRCIF)
			ipoa.ipoa_flags |= IPOAF_SELECT_SRCIF;
		if (options->ippo_flags & IPPOF_BOUND_IF) {
			ipoa.ipoa_flags |= IPOAF_BOUND_IF;
			ipoa.ipoa_boundif = options->ippo_flags >>
			    IPPOF_SHIFT_IFSCOPE;
		}
		if (options->ippo_flags & IPPOF_NO_IFT_CELLULAR)
			ipoa.ipoa_flags |= IPOAF_NO_CELLULAR;
		if (options->ippo_flags & IPPOF_BOUND_SRCADDR)
			ipoa.ipoa_flags |= IPOAF_BOUND_SRCADDR;
		if (options->ippo_flags & IPPOF_NO_IFF_EXPENSIVE)
			ipoa.ipoa_flags |= IPOAF_NO_EXPENSIVE;
	}

	bzero(&ro, sizeof(struct route));

	/* Put ip_len and ip_off in host byte order, ip_output expects that */

#if BYTE_ORDER != BIG_ENDIAN
	NTOHS(ip->ip_len);
	NTOHS(ip->ip_off);
#endif

	/* Send; enforce source interface selection via IP_OUTARGS flag */
	error = ip_output(m, NULL, &ro,
	    IP_ALLOWBROADCAST | IP_RAWOUTPUT | IP_OUTARGS, imo, &ipoa);

	/* Release the route */
	ROUTE_RELEASE(&ro);

	if (imo != NULL)
		IMO_REMREF(imo);

	return (error);
}

#if INET6
static errno_t
ipf_injectv6_out(mbuf_t data, ipfilter_t filter_ref, ipf_pktopts_t options)
{
	struct route_in6 ro;
	struct ip6_hdr *ip6;
	struct mbuf *m = (struct mbuf *)data;
	errno_t error = 0;
	struct m_tag *mtag = NULL;
	struct ip6_moptions *im6o = NULL;
	struct ip6_out_args ip6oa;

	bzero(&ip6oa, sizeof(ip6oa));
	ip6oa.ip6oa_boundif = IFSCOPE_NONE;
	ip6oa.ip6oa_sotc = SO_TC_UNSPEC;
	ip6oa.ip6oa_netsvctype = _NET_SERVICE_TYPE_UNSPEC;

	/* Make the IP header contiguous in the mbuf */
	if ((size_t)m->m_len < sizeof(struct ip6_hdr)) {
		m = m_pullup(m, sizeof(struct ip6_hdr));
		if (m == NULL)
			return (ENOMEM);
	}
	ip6 = (struct ip6_hdr *)m_mtod(m);

	if (filter_ref != 0) {
		mtag = m_tag_create(KERNEL_MODULE_TAG_ID,
		    KERNEL_TAG_TYPE_IPFILT, sizeof (ipfilter_t), M_NOWAIT, m);
		if (mtag == NULL) {
			m_freem(m);
			return (ENOMEM);
		}
		*(ipfilter_t *)(mtag + 1) = filter_ref;
		m_tag_prepend(m, mtag);
	}

	if (options != NULL && (options->ippo_flags & IPPOF_MCAST_OPTS) &&
	    (im6o = ip6_allocmoptions(M_DONTWAIT)) != NULL) {
		im6o->im6o_multicast_ifp = options->ippo_mcast_ifnet;
		im6o->im6o_multicast_hlim = options->ippo_mcast_ttl;
		im6o->im6o_multicast_loop = options->ippo_mcast_loop;
	}

	if (options != NULL) {
		if (options->ippo_flags & IPPOF_SELECT_SRCIF)
			ip6oa.ip6oa_flags |= IP6OAF_SELECT_SRCIF;
		if (options->ippo_flags & IPPOF_BOUND_IF) {
			ip6oa.ip6oa_flags |= IP6OAF_BOUND_IF;
			ip6oa.ip6oa_boundif = options->ippo_flags >>
			    IPPOF_SHIFT_IFSCOPE;
		}
		if (options->ippo_flags & IPPOF_NO_IFT_CELLULAR)
			ip6oa.ip6oa_flags |= IP6OAF_NO_CELLULAR;
		if (options->ippo_flags & IPPOF_BOUND_SRCADDR)
			ip6oa.ip6oa_flags |= IP6OAF_BOUND_SRCADDR;
		if (options->ippo_flags & IPPOF_NO_IFF_EXPENSIVE)
			ip6oa.ip6oa_flags |= IP6OAF_NO_EXPENSIVE;
	}

	bzero(&ro, sizeof(struct route_in6));

	/*
	 * Send  mbuf and ifscope information. Check for correctness
	 * of ifscope information is done while searching for a route in
	 * ip6_output.
	 */
	error = ip6_output(m, NULL, &ro, IPV6_OUTARGS, im6o, NULL, &ip6oa);

	/* Release the route */
	ROUTE_RELEASE(&ro);

	if (im6o != NULL)
		IM6O_REMREF(im6o);

	return (error);
}
#endif /* INET6 */

errno_t
ipf_inject_output(
	mbuf_t data,
	ipfilter_t filter_ref,
	ipf_pktopts_t options)
{
	struct mbuf	*m = (struct mbuf *)data;
	u_int8_t	vers;
	errno_t		error = 0;

	/* Make one byte of the header contiguous in the mbuf */
	if (m->m_len < 1) {
		m = m_pullup(m, 1);
		if (m == NULL)
			goto done;
	}

	vers = (*(u_int8_t *)m_mtod(m)) >> 4;
	switch (vers) {
		case 4:
			error = ipf_injectv4_out(data, filter_ref, options);
			break;
#if INET6
		case 6:
			error = ipf_injectv6_out(data, filter_ref, options);
			break;
#endif
		default:
			m_freem(m);
			error = ENOTSUP;
			break;
	}

done:
	return (error);
}

__private_extern__ ipfilter_t
ipf_get_inject_filter(struct mbuf *m)
{
	ipfilter_t filter_ref = 0;
	struct m_tag *mtag;

	mtag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT, NULL);
	if (mtag) {
		filter_ref = *(ipfilter_t *)(mtag+1);

		m_tag_delete(m, mtag);
	}
	return (filter_ref);
}

__private_extern__ int
ipf_init(void)
{
	int error = 0;
	lck_grp_attr_t *grp_attributes = 0;
	lck_attr_t *lck_attributes = 0;
	lck_grp_t *lck_grp = 0;

	grp_attributes = lck_grp_attr_alloc_init();
	if (grp_attributes == 0) {
		printf("ipf_init: lck_grp_attr_alloc_init failed\n");
		error = ENOMEM;
		goto done;
	}

	lck_grp = lck_grp_alloc_init("IP Filter", grp_attributes);
	if (lck_grp == 0) {
		printf("ipf_init: lck_grp_alloc_init failed\n");
		error = ENOMEM;
		goto done;
	}

	lck_attributes = lck_attr_alloc_init();
	if (lck_attributes == 0) {
		printf("ipf_init: lck_attr_alloc_init failed\n");
		error = ENOMEM;
		goto done;
	}

	lck_mtx_init(kipf_lock, lck_grp, lck_attributes);

	done:
	if (lck_grp) {
		lck_grp_free(lck_grp);
		lck_grp = 0;
	}
	if (grp_attributes) {
		lck_grp_attr_free(grp_attributes);
		grp_attributes = 0;
	}
	if (lck_attributes) {
		lck_attr_free(lck_attributes);
		lck_attributes = 0;
	}

	return (error);
}
Commit	Line	Data
91447636	1	/*
a39ff7e2	2	* Copyright (c) 2004-2018 Apple Inc. All rights reserved.
5d5c5d0d	3	*
2d21ac55	4	* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5ba3f43e	5	*
2d21ac55 A	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. The rights granted to you under the License
	10	* may not be used to create, or enable the creation or redistribution of,
	11	* unlawful or unlicensed copies of an Apple operating system, or to
	12	* circumvent, violate, or enable the circumvention or violation of, any
	13	* terms of an Apple operating system software license agreement.
5ba3f43e	14	*
2d21ac55 A	15	* Please obtain a copy of the License at
2d21ac55 A	16	* http://www.opensource.apple.com/apsl/ and read it before using this file.
5ba3f43e	17	*
2d21ac55 A	18	* The Original Code and all software distributed under the License are
2d21ac55 A	19	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
8f6c56a5 A	20	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
8f6c56a5 A	21	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
2d21ac55 A	22	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	23	* Please see the License for the specific language governing rights and
	24	* limitations under the License.
5ba3f43e	25	*
2d21ac55	26	* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
91447636 A	27	*/
	28
	29	#include <sys/param.h> /* for definition of NULL */
	30	#include <sys/errno.h>
	31	#include <sys/malloc.h>
	32	#include <sys/socket.h>
	33	#include <sys/mbuf.h>
	34	#include <sys/systm.h>
b0d623f7 A	35	#include <libkern/OSAtomic.h>
	36
	37	#include <machine/endian.h>
91447636	38
5ba3f43e	39	#define _IP_VHL
91447636 A	40	#include <net/if_var.h>
	41	#include <net/route.h>
	42	#include <net/kpi_protocol.h>
5ba3f43e	43	#include <net/net_api_stats.h>
91447636 A	44
	45	#include <netinet/in_systm.h>
	46	#include <netinet/in.h>
	47	#include <netinet/in_var.h>
	48	#include <netinet6/in6_var.h>
	49	#include <netinet/ip.h>
	50	#include <netinet/ip6.h>
	51	#include <netinet/ip_var.h>
	52	#include <netinet6/ip6_var.h>
	53	#include <netinet/kpi_ipfilter_var.h>
	54
5ba3f43e	55	#include <stdbool.h>
b0d623f7	56
91447636 A	57	/*
	58	* kipf_lock and kipf_ref protect the linkage of the list of IP filters
	59	* An IP filter can be removed only when kipf_ref is zero
5ba3f43e A	60	* If an IP filter cannot be removed because kipf_ref is not null, then
5ba3f43e A	61	* the IP filter is marjed and kipf_delayed_remove is set so that when
91447636 A	62	* kipf_ref eventually goes down to zero, the IP filter is removed
91447636 A	63	*/
316670eb A	64	decl_lck_mtx_data(static, kipf_lock_data);
316670eb A	65	static lck_mtx_t *kipf_lock = &kipf_lock_data;
b0d623f7 A	66	static u_int32_t kipf_ref = 0;
	67	static u_int32_t kipf_delayed_remove = 0;
	68	u_int32_t kipf_count = 0;
91447636 A	69
	70	__private_extern__ struct ipfilter_list ipv4_filters = TAILQ_HEAD_INITIALIZER(ipv4_filters);
	71	__private_extern__ struct ipfilter_list ipv6_filters = TAILQ_HEAD_INITIALIZER(ipv6_filters);
	72	__private_extern__ struct ipfilter_list tbr_filters = TAILQ_HEAD_INITIALIZER(tbr_filters);
	73
5ba3f43e A	74	#undef ipf_addv4
	75	#undef ipf_addv6
	76	extern errno_t ipf_addv4(const struct ipf_filter *filter,
	77	ipfilter_t *filter_ref);
	78	extern errno_t ipf_addv6(const struct ipf_filter *filter,
	79	ipfilter_t *filter_ref);
	80
	81	static errno_t ipf_add(const struct ipf_filter *filter,
	82	ipfilter_t filter_ref, struct ipfilter_list head, bool is_internal);
	83
91447636 A	84	__private_extern__ void
	85	ipf_ref(void)
	86	{
	87	lck_mtx_lock(kipf_lock);
5ba3f43e	88	kipf_ref++;
91447636 A	89	lck_mtx_unlock(kipf_lock);
	90	}
	91
	92	__private_extern__ void
	93	ipf_unref(void)
	94	{
	95	lck_mtx_lock(kipf_lock);
	96
5ba3f43e A	97	if (kipf_ref == 0)
	98	panic("ipf_unref: kipf_ref == 0\n");
	99
	100	kipf_ref--;
	101	if (kipf_ref == 0 && kipf_delayed_remove != 0) {
	102	struct ipfilter *filter;
91447636 A	103
91447636 A	104	while ((filter = TAILQ_FIRST(&tbr_filters))) {
5ba3f43e A	105	VERIFY(OSDecrementAtomic64(&net_api_stats.nas_ipf_add_count) > 0);
5ba3f43e A	106
91447636 A	107	ipf_detach_func ipf_detach = filter->ipf_filter.ipf_detach;
91447636 A	108	void* cookie = filter->ipf_filter.cookie;
5ba3f43e	109
91447636 A	110	TAILQ_REMOVE(filter->ipf_head, filter, ipf_link);
	111	TAILQ_REMOVE(&tbr_filters, filter, ipf_tbr);
	112	kipf_delayed_remove--;
	113
	114	if (ipf_detach) {
	115	lck_mtx_unlock(kipf_lock);
	116	ipf_detach(cookie);
	117	lck_mtx_lock(kipf_lock);
	118	/* In case some filter got to run while we released the lock */
	119	if (kipf_ref != 0)
	120	break;
5ba3f43e	121	}
91447636	122	}
5ba3f43e	123	}
91447636 A	124	lck_mtx_unlock(kipf_lock);
	125	}
	126
	127	static errno_t
	128	ipf_add(
5ba3f43e	129	const struct ipf_filter *filter,
91447636	130	ipfilter_t *filter_ref,
5ba3f43e A	131	struct ipfilter_list *head,
5ba3f43e A	132	bool is_internal)
91447636 A	133	{
	134	struct ipfilter *new_filter;
	135	if (filter->name == NULL \|\| (filter->ipf_input == NULL && filter->ipf_output == NULL))
5ba3f43e A	136	return (EINVAL);
	137
	138	MALLOC(new_filter, struct ipfilter , sizeof(new_filter), M_IFADDR, M_WAITOK);
91447636	139	if (new_filter == NULL)
5ba3f43e A	140	return (ENOMEM);
5ba3f43e A	141
91447636 A	142	lck_mtx_lock(kipf_lock);
	143	new_filter->ipf_filter = *filter;
	144	new_filter->ipf_head = head;
5ba3f43e	145
b0d623f7	146	TAILQ_INSERT_HEAD(head, new_filter, ipf_link);
5ba3f43e A	147
	148	OSIncrementAtomic64(&net_api_stats.nas_ipf_add_count);
	149	INC_ATOMIC_INT64_LIM(net_api_stats.nas_ipf_add_total);
	150	if (is_internal) {
	151	INC_ATOMIC_INT64_LIM(net_api_stats.nas_ipf_add_os_total);
	152	}
	153
91447636	154	lck_mtx_unlock(kipf_lock);
5ba3f43e	155
91447636	156	*filter_ref = (ipfilter_t)new_filter;
b0d623f7 A	157
	158	/* This will force TCP to re-evaluate its use of TSO */
	159	OSAddAtomic(1, &kipf_count);
39236c6e	160	routegenid_update();
b0d623f7	161
5ba3f43e A	162	return (0);
	163	}
	164
	165	errno_t
	166	ipf_addv4_internal(
	167	const struct ipf_filter *filter,
	168	ipfilter_t *filter_ref)
	169	{
	170	return (ipf_add(filter, filter_ref, &ipv4_filters, true));
91447636 A	171	}
	172
	173	errno_t
	174	ipf_addv4(
5ba3f43e A	175	const struct ipf_filter *filter,
	176	ipfilter_t *filter_ref)
	177	{
	178	return (ipf_add(filter, filter_ref, &ipv4_filters, false));
	179	}
	180
	181	errno_t
	182	ipf_addv6_internal(
	183	const struct ipf_filter *filter,
91447636 A	184	ipfilter_t *filter_ref)
91447636 A	185	{
5ba3f43e	186	return (ipf_add(filter, filter_ref, &ipv6_filters, true));
91447636 A	187	}
	188
	189	errno_t
	190	ipf_addv6(
5ba3f43e	191	const struct ipf_filter *filter,
91447636 A	192	ipfilter_t *filter_ref)
91447636 A	193	{
5ba3f43e	194	return (ipf_add(filter, filter_ref, &ipv6_filters, false));
91447636 A	195	}
91447636 A	196
fe8ab488 A	197	static errno_t
	198	ipf_input_detached(void cookie, mbuf_t data, int offset, u_int8_t protocol)
	199	{
	200	#pragma unused(cookie, data, offset, protocol)
	201
	202	#if DEBUG
	203	printf("ipf_input_detached\n");
	204	#endif /* DEBUG */
	205
	206	return (0);
	207	}
	208
	209	static errno_t
	210	ipf_output_detached(void cookie, mbuf_t data, ipf_pktopts_t options)
	211	{
	212	#pragma unused(cookie, data, options)
	213
	214	#if DEBUG
	215	printf("ipf_output_detached\n");
	216	#endif /* DEBUG */
	217
	218	return (0);
	219	}
	220
91447636 A	221	errno_t
	222	ipf_remove(
	223	ipfilter_t filter_ref)
	224	{
5ba3f43e	225	struct ipfilter match = (struct ipfilter )filter_ref;
91447636	226	struct ipfilter_list *head;
5ba3f43e	227
91447636	228	if (match == 0 \|\| (match->ipf_head != &ipv4_filters && match->ipf_head != &ipv6_filters))
5ba3f43e A	229	return (EINVAL);
5ba3f43e A	230
91447636	231	head = match->ipf_head;
5ba3f43e	232
91447636 A	233	lck_mtx_lock(kipf_lock);
91447636 A	234	TAILQ_FOREACH(match, head, ipf_link) {
5ba3f43e	235	if (match == (struct ipfilter *)filter_ref) {
91447636 A	236	ipf_detach_func ipf_detach = match->ipf_filter.ipf_detach;
91447636 A	237	void* cookie = match->ipf_filter.cookie;
5ba3f43e	238
91447636 A	239	/*
	240	* Cannot detach when they are filters running
	241	*/
	242	if (kipf_ref) {
	243	kipf_delayed_remove++;
	244	TAILQ_INSERT_TAIL(&tbr_filters, match, ipf_tbr);
fe8ab488 A	245	match->ipf_filter.ipf_input = ipf_input_detached;
fe8ab488 A	246	match->ipf_filter.ipf_output = ipf_output_detached;
91447636 A	247	lck_mtx_unlock(kipf_lock);
91447636 A	248	} else {
5ba3f43e A	249	VERIFY(OSDecrementAtomic64(&net_api_stats.nas_ipf_add_count) > 0);
5ba3f43e A	250
91447636 A	251	TAILQ_REMOVE(head, match, ipf_link);
91447636 A	252	lck_mtx_unlock(kipf_lock);
5ba3f43e	253
91447636 A	254	if (ipf_detach)
	255	ipf_detach(cookie);
	256	FREE(match, M_IFADDR);
b0d623f7 A	257
	258	/* This will force TCP to re-evaluate its use of TSO */
	259	OSAddAtomic(-1, &kipf_count);
39236c6e	260	routegenid_update();
b0d623f7	261
91447636	262	}
5ba3f43e	263	return (0);
91447636 A	264	}
	265	}
	266	lck_mtx_unlock(kipf_lock);
5ba3f43e A	267
5ba3f43e A	268	return (ENOENT);
91447636 A	269	}
	270
	271	int log_for_en1 = 0;
	272
	273	errno_t
	274	ipf_inject_input(
	275	mbuf_t data,
	276	ipfilter_t filter_ref)
	277	{
5ba3f43e	278	struct mbuf m = (struct mbuf )data;
91447636 A	279	struct m_tag *mtag = 0;
91447636 A	280	struct ip ip = mtod(m, struct ip );
d9a64523	281	struct ip6_hdr *ip6;
91447636 A	282	u_int8_t vers;
	283	int hlen;
	284	errno_t error = 0;
	285	protocol_family_t proto;
d9a64523 A	286	struct in_ifaddr *ia = NULL;
	287	struct in_addr *pkt_dst = NULL;
	288	struct in6_ifaddr *ia6 = NULL;
	289	struct sockaddr_in6 pkt_dst6;
91447636 A	290
91447636 A	291	vers = IP_VHL_V(ip->ip_vhl);
5ba3f43e	292
91447636 A	293	switch (vers) {
	294	case 4:
	295	proto = PF_INET;
	296	break;
	297	case 6:
	298	proto = PF_INET6;
	299	break;
	300	default:
	301	error = ENOTSUP;
	302	goto done;
	303	}
5ba3f43e	304
91447636	305	if (filter_ref == 0 && m->m_pkthdr.rcvif == 0) {
d9a64523 A	306	/*
	307	* Search for interface with the local address
	308	*/
	309	switch (proto) {
	310	case PF_INET:
	311	pkt_dst = &ip->ip_dst;
	312	lck_rw_lock_shared(in_ifaddr_rwlock);
	313	TAILQ_FOREACH(ia, INADDR_HASH(pkt_dst->s_addr), ia_hash) {
	314	if (IA_SIN(ia)->sin_addr.s_addr == pkt_dst->s_addr) {
	315	m->m_pkthdr.rcvif = ia->ia_ifp;
	316	break;
	317	}
	318	}
	319	lck_rw_done(in_ifaddr_rwlock);
	320	break;
	321
	322	case PF_INET6:
	323	ip6 = mtod(m, struct ip6_hdr *);
	324	pkt_dst6.sin6_addr = ip6->ip6_dst;
	325	lck_rw_lock_shared(&in6_ifaddr_rwlock);
	326	for (ia6 = in6_ifaddrs; ia6 != NULL; ia6 = ia6->ia_next) {
	327	if (IN6_ARE_ADDR_EQUAL(&ia6->ia_addr.sin6_addr, &pkt_dst6.sin6_addr)) {
	328	m->m_pkthdr.rcvif = ia6->ia_ifp;
	329	break;
	330	}
	331	}
	332	lck_rw_done(&in6_ifaddr_rwlock);
	333	break;
	334
	335	default:
	336	break;
	337	}
	338
	339	/*
	340	* If none found, fallback to loopback
	341	*/
	342	if (m->m_pkthdr.rcvif == NULL) {
	343	m->m_pkthdr.rcvif = lo_ifp;
	344	}
	345
91447636 A	346	m->m_pkthdr.csum_data = 0;
	347	m->m_pkthdr.csum_flags = 0;
	348	if (vers == 4) {
	349	hlen = IP_VHL_HL(ip->ip_vhl) << 2;
	350	ip->ip_sum = 0;
	351	ip->ip_sum = in_cksum(m, hlen);
	352	}
	353	}
	354	if (filter_ref != 0) {
6d2010ae	355	mtag = m_tag_create(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT,
5ba3f43e	356	sizeof (ipfilter_t), M_NOWAIT, m);
91447636 A	357	if (mtag == NULL) {
	358	error = ENOMEM;
	359	goto done;
5ba3f43e A	360	}
5ba3f43e A	361	(ipfilter_t )(mtag+1) = filter_ref;
91447636 A	362	m_tag_prepend(m, mtag);
91447636 A	363	}
5ba3f43e	364
91447636 A	365	error = proto_inject(proto, data);
	366
	367	done:
5ba3f43e	368	return (error);
91447636 A	369	}
	370
	371	static errno_t
6d2010ae	372	ipf_injectv4_out(mbuf_t data, ipfilter_t filter_ref, ipf_pktopts_t options)
91447636 A	373	{
91447636 A	374	struct route ro;
5ba3f43e A	375	struct ip *ip;
5ba3f43e A	376	struct mbuf m = (struct mbuf )data;
91447636	377	errno_t error = 0;
6d2010ae A	378	struct m_tag *mtag = NULL;
6d2010ae A	379	struct ip_moptions *imo = NULL;
a39ff7e2 A	380	struct ip_out_args ipoa;
	381
	382	bzero(&ipoa, sizeof(ipoa));
	383	ipoa.ipoa_boundif = IFSCOPE_NONE;
	384	ipoa.ipoa_sotc = SO_TC_UNSPEC;
	385	ipoa.ipoa_netsvctype = _NET_SERVICE_TYPE_UNSPEC;
6d2010ae	386
91447636	387	/* Make the IP header contiguous in the mbuf */
6d2010ae A	388	if ((size_t)m->m_len < sizeof (struct ip)) {
	389	m = m_pullup(m, sizeof (struct ip));
	390	if (m == NULL)
	391	return (ENOMEM);
91447636	392	}
6d2010ae A	393	ip = (struct ip *)m_mtod(m);
6d2010ae A	394
91447636	395	if (filter_ref != 0) {
6d2010ae A	396	mtag = m_tag_create(KERNEL_MODULE_TAG_ID,
6d2010ae A	397	KERNEL_TAG_TYPE_IPFILT, sizeof (ipfilter_t), M_NOWAIT, m);
91447636 A	398	if (mtag == NULL) {
91447636 A	399	m_freem(m);
6d2010ae	400	return (ENOMEM);
91447636	401	}
6d2010ae	402	(ipfilter_t )(mtag + 1) = filter_ref;
91447636 A	403	m_tag_prepend(m, mtag);
91447636 A	404	}
6d2010ae A	405
	406	if (options != NULL && (options->ippo_flags & IPPOF_MCAST_OPTS) &&
	407	(imo = ip_allocmoptions(M_DONTWAIT)) != NULL) {
91447636 A	408	imo->imo_multicast_ifp = options->ippo_mcast_ifnet;
	409	imo->imo_multicast_ttl = options->ippo_mcast_ttl;
	410	imo->imo_multicast_loop = options->ippo_mcast_loop;
	411	}
6d2010ae	412
316670eb A	413	if (options != NULL) {
	414	if (options->ippo_flags & IPPOF_SELECT_SRCIF)
	415	ipoa.ipoa_flags \|= IPOAF_SELECT_SRCIF;
6d2010ae	416	if (options->ippo_flags & IPPOF_BOUND_IF) {
316670eb	417	ipoa.ipoa_flags \|= IPOAF_BOUND_IF;
6d2010ae A	418	ipoa.ipoa_boundif = options->ippo_flags >>
	419	IPPOF_SHIFT_IFSCOPE;
	420	}
	421	if (options->ippo_flags & IPPOF_NO_IFT_CELLULAR)
316670eb A	422	ipoa.ipoa_flags \|= IPOAF_NO_CELLULAR;
	423	if (options->ippo_flags & IPPOF_BOUND_SRCADDR)
	424	ipoa.ipoa_flags \|= IPOAF_BOUND_SRCADDR;
fe8ab488 A	425	if (options->ippo_flags & IPPOF_NO_IFF_EXPENSIVE)
fe8ab488 A	426	ipoa.ipoa_flags \|= IPOAF_NO_EXPENSIVE;
91447636	427	}
6d2010ae A	428
	429	bzero(&ro, sizeof(struct route));
	430
0c530ab8	431	/* Put ip_len and ip_off in host byte order, ip_output expects that */
b0d623f7 A	432
b0d623f7 A	433	#if BYTE_ORDER != BIG_ENDIAN
0c530ab8 A	434	NTOHS(ip->ip_len);
0c530ab8 A	435	NTOHS(ip->ip_off);
b0d623f7 A	436	#endif
b0d623f7 A	437
6d2010ae A	438	/* Send; enforce source interface selection via IP_OUTARGS flag */
	439	error = ip_output(m, NULL, &ro,
	440	IP_ALLOWBROADCAST \| IP_RAWOUTPUT \| IP_OUTARGS, imo, &ipoa);
	441
91447636	442	/* Release the route */
39236c6e	443	ROUTE_RELEASE(&ro);
6d2010ae A	444
	445	if (imo != NULL)
	446	IMO_REMREF(imo);
	447
	448	return (error);
91447636 A	449	}
91447636 A	450
2d21ac55	451	#if INET6
91447636	452	static errno_t
6d2010ae	453	ipf_injectv6_out(mbuf_t data, ipfilter_t filter_ref, ipf_pktopts_t options)
91447636 A	454	{
91447636 A	455	struct route_in6 ro;
5ba3f43e A	456	struct ip6_hdr *ip6;
5ba3f43e A	457	struct mbuf m = (struct mbuf )data;
91447636	458	errno_t error = 0;
6d2010ae A	459	struct m_tag *mtag = NULL;
6d2010ae A	460	struct ip6_moptions *im6o = NULL;
a39ff7e2 A	461	struct ip6_out_args ip6oa;
	462
	463	bzero(&ip6oa, sizeof(ip6oa));
	464	ip6oa.ip6oa_boundif = IFSCOPE_NONE;
	465	ip6oa.ip6oa_sotc = SO_TC_UNSPEC;
	466	ip6oa.ip6oa_netsvctype = _NET_SERVICE_TYPE_UNSPEC;
6d2010ae	467
91447636 A	468	/* Make the IP header contiguous in the mbuf */
	469	if ((size_t)m->m_len < sizeof(struct ip6_hdr)) {
	470	m = m_pullup(m, sizeof(struct ip6_hdr));
6d2010ae A	471	if (m == NULL)
6d2010ae A	472	return (ENOMEM);
91447636	473	}
5ba3f43e	474	ip6 = (struct ip6_hdr *)m_mtod(m);
91447636 A	475
91447636 A	476	if (filter_ref != 0) {
6d2010ae A	477	mtag = m_tag_create(KERNEL_MODULE_TAG_ID,
6d2010ae A	478	KERNEL_TAG_TYPE_IPFILT, sizeof (ipfilter_t), M_NOWAIT, m);
91447636 A	479	if (mtag == NULL) {
91447636 A	480	m_freem(m);
6d2010ae	481	return (ENOMEM);
91447636	482	}
6d2010ae	483	(ipfilter_t )(mtag + 1) = filter_ref;
91447636 A	484	m_tag_prepend(m, mtag);
91447636 A	485	}
6d2010ae A	486
	487	if (options != NULL && (options->ippo_flags & IPPOF_MCAST_OPTS) &&
	488	(im6o = ip6_allocmoptions(M_DONTWAIT)) != NULL) {
91447636 A	489	im6o->im6o_multicast_ifp = options->ippo_mcast_ifnet;
	490	im6o->im6o_multicast_hlim = options->ippo_mcast_ttl;
	491	im6o->im6o_multicast_loop = options->ippo_mcast_loop;
	492	}
6d2010ae	493
316670eb A	494	if (options != NULL) {
	495	if (options->ippo_flags & IPPOF_SELECT_SRCIF)
	496	ip6oa.ip6oa_flags \|= IP6OAF_SELECT_SRCIF;
6d2010ae	497	if (options->ippo_flags & IPPOF_BOUND_IF) {
316670eb	498	ip6oa.ip6oa_flags \|= IP6OAF_BOUND_IF;
6d2010ae A	499	ip6oa.ip6oa_boundif = options->ippo_flags >>
	500	IPPOF_SHIFT_IFSCOPE;
	501	}
	502	if (options->ippo_flags & IPPOF_NO_IFT_CELLULAR)
316670eb A	503	ip6oa.ip6oa_flags \|= IP6OAF_NO_CELLULAR;
	504	if (options->ippo_flags & IPPOF_BOUND_SRCADDR)
	505	ip6oa.ip6oa_flags \|= IP6OAF_BOUND_SRCADDR;
fe8ab488 A	506	if (options->ippo_flags & IPPOF_NO_IFF_EXPENSIVE)
fe8ab488 A	507	ip6oa.ip6oa_flags \|= IP6OAF_NO_EXPENSIVE;
91447636	508	}
6d2010ae A	509
	510	bzero(&ro, sizeof(struct route_in6));
	511
	512	/*
	513	* Send mbuf and ifscope information. Check for correctness
5ba3f43e	514	* of ifscope information is done while searching for a route in
6d2010ae A	515	* ip6_output.
	516	*/
	517	error = ip6_output(m, NULL, &ro, IPV6_OUTARGS, im6o, NULL, &ip6oa);
	518
91447636	519	/* Release the route */
39236c6e	520	ROUTE_RELEASE(&ro);
6d2010ae A	521
	522	if (im6o != NULL)
	523	IM6O_REMREF(im6o);
	524
	525	return (error);
91447636	526	}
2d21ac55	527	#endif /* INET6 */
91447636 A	528
	529	errno_t
	530	ipf_inject_output(
	531	mbuf_t data,
	532	ipfilter_t filter_ref,
	533	ipf_pktopts_t options)
	534	{
5ba3f43e	535	struct mbuf m = (struct mbuf )data;
91447636 A	536	u_int8_t vers;
	537	errno_t error = 0;
	538
	539	/* Make one byte of the header contiguous in the mbuf */
	540	if (m->m_len < 1) {
	541	m = m_pullup(m, 1);
5ba3f43e	542	if (m == NULL)
91447636 A	543	goto done;
91447636 A	544	}
5ba3f43e A	545
	546	vers = ((u_int8_t )m_mtod(m)) >> 4;
	547	switch (vers) {
91447636 A	548	case 4:
	549	error = ipf_injectv4_out(data, filter_ref, options);
	550	break;
2d21ac55	551	#if INET6
91447636 A	552	case 6:
	553	error = ipf_injectv6_out(data, filter_ref, options);
	554	break;
2d21ac55	555	#endif
91447636 A	556	default:
	557	m_freem(m);
	558	error = ENOTSUP;
	559	break;
	560	}
	561
5ba3f43e A	562	done:
5ba3f43e A	563	return (error);
91447636 A	564	}
	565
	566	__private_extern__ ipfilter_t
	567	ipf_get_inject_filter(struct mbuf *m)
	568	{
	569	ipfilter_t filter_ref = 0;
	570	struct m_tag *mtag;
5ba3f43e	571
91447636 A	572	mtag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT, NULL);
	573	if (mtag) {
	574	filter_ref = (ipfilter_t )(mtag+1);
5ba3f43e	575
91447636 A	576	m_tag_delete(m, mtag);
91447636 A	577	}
5ba3f43e	578	return (filter_ref);
91447636 A	579	}
	580
	581	__private_extern__ int
	582	ipf_init(void)
	583	{
	584	int error = 0;
	585	lck_grp_attr_t *grp_attributes = 0;
	586	lck_attr_t *lck_attributes = 0;
	587	lck_grp_t *lck_grp = 0;
5ba3f43e	588
91447636 A	589	grp_attributes = lck_grp_attr_alloc_init();
	590	if (grp_attributes == 0) {
	591	printf("ipf_init: lck_grp_attr_alloc_init failed\n");
	592	error = ENOMEM;
	593	goto done;
	594	}
5ba3f43e	595
91447636 A	596	lck_grp = lck_grp_alloc_init("IP Filter", grp_attributes);
	597	if (lck_grp == 0) {
	598	printf("ipf_init: lck_grp_alloc_init failed\n");
	599	error = ENOMEM;
	600	goto done;
	601	}
5ba3f43e	602
91447636 A	603	lck_attributes = lck_attr_alloc_init();
	604	if (lck_attributes == 0) {
	605	printf("ipf_init: lck_attr_alloc_init failed\n");
	606	error = ENOMEM;
	607	goto done;
	608	}
5ba3f43e	609
316670eb A	610	lck_mtx_init(kipf_lock, lck_grp, lck_attributes);
316670eb A	611
91447636	612	done:
91447636 A	613	if (lck_grp) {
	614	lck_grp_free(lck_grp);
	615	lck_grp = 0;
	616	}
	617	if (grp_attributes) {
	618	lck_grp_attr_free(grp_attributes);
	619	grp_attributes = 0;
	620	}
	621	if (lck_attributes) {
	622	lck_attr_free(lck_attributes);
	623	lck_attributes = 0;
	624	}
5ba3f43e A	625
5ba3f43e A	626	return (error);
91447636	627	}