]>
Commit | Line | Data |
---|---|---|
91447636 | 1 | /* |
5ba3f43e | 2 | * Copyright (c) 2008-2017 Apple Computer, Inc. All rights reserved. |
91447636 | 3 | * |
2d21ac55 | 4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ |
0a7de745 | 5 | * |
2d21ac55 A |
6 | * This file contains Original Code and/or Modifications of Original Code |
7 | * as defined in and that are subject to the Apple Public Source License | |
8 | * Version 2.0 (the 'License'). You may not use this file except in | |
9 | * compliance with the License. The rights granted to you under the License | |
10 | * may not be used to create, or enable the creation or redistribution of, | |
11 | * unlawful or unlicensed copies of an Apple operating system, or to | |
12 | * circumvent, violate, or enable the circumvention or violation of, any | |
13 | * terms of an Apple operating system software license agreement. | |
0a7de745 | 14 | * |
2d21ac55 A |
15 | * Please obtain a copy of the License at |
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. | |
0a7de745 | 17 | * |
2d21ac55 A |
18 | * The Original Code and all software distributed under the License are |
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER | |
8f6c56a5 A |
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, | |
2d21ac55 A |
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
23 | * Please see the License for the specific language governing rights and | |
24 | * limitations under the License. | |
0a7de745 | 25 | * |
2d21ac55 | 26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ |
91447636 A |
27 | */ |
28 | /*! | |
0a7de745 A |
29 | * @header kpi_socketfilter.h |
30 | * This header defines an API for intercepting communications at the | |
31 | * socket layer. | |
32 | * | |
33 | * For the most part, socket filters want to do three things: Filter | |
34 | * data in and out, watch for state changes, and intercept a few calls | |
35 | * for security. The number of function pointers supplied by a socket | |
36 | * filter has been significantly reduced. The filter no longer has any | |
37 | * knowledge of socket buffers. The filter no longer intercepts nearly | |
38 | * every internal socket call. There are two data filters, an in | |
39 | * filter, and an out filter. The in filter occurs before data is | |
40 | * placed in the receive socket buffer. This is done to avoid waking | |
41 | * the process unnecessarily. The out filter occurs before the data is | |
42 | * appended to the send socket buffer. This should cover inbound and | |
43 | * outbound data. For monitoring state changes, we've added a notify | |
44 | * function that will be called when various events that the filter can | |
45 | * not intercept occur. In addition, we've added a few functions that a | |
46 | * filter may use to intercept common operations. These functions are: | |
47 | * connect (inbound), connect (outbound), bind, set socket option, | |
48 | * get socket option, and listen. Bind, listen, connect in, and connect | |
49 | * out could be used together to build a fairly comprehensive firewall | |
50 | * without having to do much with individual packets. | |
91447636 A |
51 | */ |
52 | #ifndef __KPI_SOCKETFILTER__ | |
53 | #define __KPI_SOCKETFILTER__ | |
54 | ||
55 | #include <sys/kernel_types.h> | |
56 | #include <sys/kpi_socket.h> | |
57 | ||
cb323159 A |
58 | #ifndef PRIVATE |
59 | #include <Availability.h> | |
60 | #define __NKE_API_DEPRECATED __API_DEPRECATED("Network Kernel Extension KPI is deprecated", macos(10.4, 10.15)) | |
61 | #else | |
62 | #define __NKE_API_DEPRECATED | |
63 | #endif /* PRIVATE */ | |
64 | ||
91447636 A |
65 | struct sockaddr; |
66 | ||
67 | /*! | |
0a7de745 A |
68 | * @enum sflt_flags |
69 | * @abstract Constants defining mbuf flags. Only the flags listed below | |
70 | * can be set or retrieved. | |
71 | * @constant SFLT_GLOBAL Indicates this socket filter should be | |
72 | * attached to all new sockets when they're created. | |
73 | * @constant SFLT_PROG Indicates this socket filter should be attached | |
74 | * only when request by the application using the SO_NKE socket | |
75 | * option. | |
76 | * @constant SFLT_EXTENDED Indicates that this socket filter utilizes | |
77 | * the extended fields within the sflt_filter structure. | |
78 | * @constant SFLT_EXTENDED_REGISTRY Indicates that this socket filter | |
79 | * wants to attach to all the sockets already present on the | |
80 | * system. It will also receive notifications for these sockets. | |
81 | */ | |
91447636 | 82 | enum { |
0a7de745 A |
83 | SFLT_GLOBAL = 0x01, |
84 | SFLT_PROG = 0x02, | |
85 | SFLT_EXTENDED = 0x04, | |
86 | SFLT_EXTENDED_REGISTRY = 0x08 | |
91447636 | 87 | }; |
0a7de745 A |
88 | typedef u_int32_t sflt_flags; |
89 | ||
90 | /*! | |
91 | * @typedef sflt_handle | |
92 | * @abstract A 4 byte identifier used with the SO_NKE socket option to | |
93 | * identify the socket filter to be attached. | |
94 | */ | |
95 | typedef u_int32_t sflt_handle; | |
96 | ||
97 | /*! | |
98 | * @enum sflt_event_t | |
99 | * @abstract Events notify a filter of state changes and other various | |
100 | * events related to the socket. These events cannot be prevented | |
101 | * or intercepted, only observed. | |
102 | * @constant sock_evt_connected Indicates this socket has moved to the | |
103 | * connected state. | |
104 | * @constant sock_evt_disconnected Indicates this socket has moved to | |
105 | * the disconnected state. | |
106 | * @constant sock_evt_flush_read The read socket buffer has been | |
107 | * flushed. | |
108 | * @constant sock_evt_shutdown The read and or write side(s) of the | |
109 | * connection have been shutdown. The param will point to an | |
110 | * integer that indicates the direction that has been shutdown. See | |
111 | * 'man 2 shutdown' for more information. | |
112 | * @constant sock_evt_cantrecvmore Indicates the socket cannot receive | |
113 | * more data. | |
114 | * @constant sock_evt_cantsendmore Indicates the socket cannot send | |
115 | * more data. | |
116 | * @constant sock_evt_closing Indicates the socket is closing. | |
117 | * @constant sock_evt_bound Indicates this socket has moved to the | |
118 | * bound state (only for PF_INET/PF_INET6 domain). | |
119 | */ | |
91447636 | 120 | enum { |
0a7de745 A |
121 | sock_evt_connecting = 1, |
122 | sock_evt_connected = 2, | |
123 | sock_evt_disconnecting = 3, | |
124 | sock_evt_disconnected = 4, | |
125 | sock_evt_flush_read = 5, | |
126 | sock_evt_shutdown = 6, /* param points to an integer specifying how (read, write, or both) see man 2 shutdown */ | |
127 | sock_evt_cantrecvmore = 7, | |
128 | sock_evt_cantsendmore = 8, | |
129 | sock_evt_closing = 9, | |
130 | sock_evt_bound = 10 | |
91447636 | 131 | }; |
0a7de745 A |
132 | typedef u_int32_t sflt_event_t; |
133 | ||
134 | /*! | |
135 | * @enum sflt_data_flag_t | |
136 | * @abstract Inbound and outbound data filters may handle many | |
137 | * different types of incoming and outgoing data. These flags help | |
138 | * distinguish between normal data, out-of-band data, and records. | |
139 | * @constant sock_data_filt_flag_oob Indicates this data is out-of-band | |
140 | * data. | |
141 | * @constant sock_data_filt_flag_record Indicates this data is a | |
142 | * record. This flag is only ever seen on inbound data. | |
143 | */ | |
91447636 | 144 | enum { |
0a7de745 A |
145 | sock_data_filt_flag_oob = 1, |
146 | sock_data_filt_flag_record = 2 | |
91447636 | 147 | }; |
0a7de745 | 148 | typedef u_int32_t sflt_data_flag_t; |
91447636 | 149 | |
2d21ac55 A |
150 | __BEGIN_DECLS |
151 | ||
91447636 | 152 | /*! |
0a7de745 A |
153 | * @typedef sf_unregistered_func |
154 | * | |
155 | * @discussion sf_unregistered_func is called to notify the filter it | |
156 | * has been unregistered. This is the last function the stack will | |
157 | * call and this function will only be called once all other | |
158 | * function calls in to your filter have completed. Once this | |
159 | * function has been called, your kext may safely unload. | |
160 | * @param handle The socket filter handle used to identify this filter. | |
161 | */ | |
162 | typedef void (*sf_unregistered_func)(sflt_handle handle); | |
163 | ||
164 | /*! | |
165 | * @typedef sf_attach_func | |
166 | * | |
167 | * @discussion sf_attach_func is called to notify the filter it has | |
168 | * been attached to a socket. The filter may allocate memory for | |
169 | * this attachment and use the cookie to track it. This filter is | |
170 | * called in one of two cases: | |
171 | * 1) You've installed a global filter and a new socket was created. | |
172 | * 2) Your non-global socket filter is being attached using the SO_NKE | |
173 | * socket option. | |
174 | * @param cookie Used to allow the socket filter to set the cookie for | |
175 | * this attachment. | |
176 | * @param so The socket the filter is being attached to. | |
177 | * @result If you return a non-zero value, your filter will not be | |
178 | * attached to this socket. | |
179 | */ | |
180 | typedef errno_t (*sf_attach_func)(void **cookie, socket_t so); | |
181 | ||
182 | /*! | |
183 | * @typedef sf_detach_func | |
184 | * | |
185 | * @discussion sf_detach_func is called to notify the filter it has | |
186 | * been detached from a socket. If the filter allocated any memory | |
187 | * for this attachment, it should be freed. This function will | |
188 | * be called when the socket is disposed of. | |
189 | * @param cookie Cookie value specified when the filter attach was | |
190 | * called. | |
191 | * @param so The socket the filter is attached to. | |
192 | * @discussion If you return a non-zero value, your filter will not be | |
193 | * attached to this socket. | |
194 | */ | |
195 | typedef void (*sf_detach_func)(void *cookie, socket_t so); | |
196 | ||
197 | /*! | |
198 | * @typedef sf_notify_func | |
199 | * | |
200 | * @discussion sf_notify_func is called to notify the filter of various | |
201 | * state changes and other events occuring on the socket. | |
202 | * @param cookie Cookie value specified when the filter attach was | |
203 | * called. | |
204 | * @param so The socket the filter is attached to. | |
205 | * @param event The type of event that has occurred. | |
206 | * @param param Additional information about the event. | |
207 | */ | |
208 | typedef void (*sf_notify_func)(void *cookie, socket_t so, sflt_event_t event, | |
b0d623f7 | 209 | void *param); |
91447636 A |
210 | |
211 | /*! | |
0a7de745 A |
212 | * @typedef sf_getpeername_func |
213 | * | |
214 | * @discussion sf_getpeername_func is called to allow a filter to | |
215 | * to intercept the getpeername function. When called, sa will | |
216 | * point to a pointer to a socket address that was malloced | |
217 | * in zone M_SONAME. If you want to replace this address, either | |
218 | * modify the currenty copy or allocate a new one and free the | |
219 | * old one. | |
220 | * @param cookie Cookie value specified when the filter attach was | |
221 | * called. | |
222 | * @param so The socket the filter is attached to. | |
223 | * @param sa A pointer to a socket address pointer. | |
224 | * @result If you return a non-zero value, processing will stop. If | |
225 | * you return EJUSTRETURN, no further filters will be called | |
226 | * but a result of zero will be returned to the caller of | |
227 | * getpeername. | |
228 | */ | |
229 | typedef int (*sf_getpeername_func)(void *cookie, socket_t so, | |
b0d623f7 | 230 | struct sockaddr **sa); |
91447636 A |
231 | |
232 | /*! | |
0a7de745 A |
233 | * @typedef sf_getsockname_func |
234 | * | |
235 | * @discussion sf_getsockname_func is called to allow a filter to | |
236 | * to intercept the getsockname function. When called, sa will | |
237 | * point to a pointer to a socket address that was malloced | |
238 | * in zone M_SONAME. If you want to replace this address, either | |
239 | * modify the currenty copy or allocate a new one and free the | |
240 | * old one. | |
241 | * @param cookie Cookie value specified when the filter attach was | |
242 | * called. | |
243 | * @param so The socket the filter is attached to. | |
244 | * @param sa A pointer to a socket address pointer. | |
245 | * @result If you return a non-zero value, processing will stop. If | |
246 | * you return EJUSTRETURN, no further filters will be called | |
247 | * but a result of zero will be returned to the caller of | |
248 | * getsockname. | |
249 | */ | |
250 | typedef int (*sf_getsockname_func)(void *cookie, socket_t so, | |
b0d623f7 | 251 | struct sockaddr **sa); |
91447636 A |
252 | |
253 | /*! | |
0a7de745 A |
254 | * @typedef sf_data_in_func |
255 | * | |
256 | * @discussion sf_data_in_func is called to filter incoming data. If your | |
257 | * filter intercepts data for later reinjection, it must queue | |
258 | * all incoming data to preserve the order of the data. Use | |
259 | * sock_inject_data_in to later reinject this data if you return | |
260 | * EJUSTRETURN. Warning: This filter is on the data path. Do not | |
261 | * spend excesive time. Do not wait for data on another socket. | |
262 | * @param cookie Cookie value specified when the filter attach was | |
263 | * called. | |
264 | * @param so The socket the filter is attached to. | |
265 | * @param from The addres the data is from, may be NULL if the socket | |
266 | * is connected. | |
267 | * @param data The data being received. Control data may appear in the | |
268 | * mbuf chain, be sure to check the mbuf types to find control | |
269 | * data. | |
270 | * @param control Control data being passed separately from the data. | |
271 | * @param flags Flags to indicate if this is out of band data or a | |
272 | * record. | |
273 | * @result Return: | |
274 | * 0 - The caller will continue with normal processing of the data. | |
275 | * EJUSTRETURN - The caller will stop processing the data, the | |
276 | * data will not be freed. | |
277 | * Anything Else - The caller will free the data and stop | |
278 | * processing. | |
279 | */ | |
280 | typedef errno_t (*sf_data_in_func)(void *cookie, socket_t so, | |
b0d623f7 A |
281 | const struct sockaddr *from, mbuf_t *data, mbuf_t *control, |
282 | sflt_data_flag_t flags); | |
91447636 A |
283 | |
284 | /*! | |
0a7de745 A |
285 | * @typedef sf_data_out_func |
286 | * | |
287 | * @discussion sf_data_out_func is called to filter outbound data. If | |
288 | * your filter intercepts data for later reinjection, it must queue | |
289 | * all outbound data to preserve the order of the data when | |
290 | * reinjecting. Use sock_inject_data_out to later reinject this | |
291 | * data. | |
292 | * @param cookie Cookie value specified when the filter attach was | |
293 | * called. | |
294 | * @param so The socket the filter is attached to. | |
295 | * @param to The address the data is to, may be NULL if the socket | |
296 | * is connected. | |
297 | * @param data The data being received. Control data may appear in the | |
298 | * mbuf chain, be sure to check the mbuf types to find control | |
299 | * data. | |
300 | * @param control Control data being passed separately from the data. | |
301 | * @param flags Flags to indicate if this is out of band data or a | |
302 | * record. | |
303 | * @result Return: | |
304 | * 0 - The caller will continue with normal processing of the data. | |
305 | * EJUSTRETURN - The caller will stop processing the data, | |
306 | * the data will not be freed. | |
307 | * Anything Else - The caller will free the data and stop | |
308 | * processing. | |
309 | */ | |
310 | typedef errno_t (*sf_data_out_func)(void *cookie, socket_t so, | |
b0d623f7 A |
311 | const struct sockaddr *to, mbuf_t *data, mbuf_t *control, |
312 | sflt_data_flag_t flags); | |
91447636 A |
313 | |
314 | /*! | |
0a7de745 A |
315 | * @typedef sf_connect_in_func |
316 | * | |
317 | * @discussion sf_connect_in_func is called to filter inbound connections. | |
318 | * A protocol will call this before accepting an incoming | |
319 | * connection and placing it on the queue of completed connections. | |
320 | * Warning: This filter is on the data path. Do not spend excesive | |
321 | * time. Do not wait for data on another socket. | |
322 | * @param cookie Cookie value specified when the filter attach was | |
323 | * called. | |
324 | * @param so The socket the filter is attached to. | |
325 | * @param from The address the incoming connection is from. | |
326 | * @result Return: | |
327 | * 0 - The caller will continue with normal processing of the | |
328 | * connection. | |
329 | * Anything Else - The caller will rejecting the incoming | |
330 | * connection. | |
331 | */ | |
332 | typedef errno_t (*sf_connect_in_func)(void *cookie, socket_t so, | |
b0d623f7 | 333 | const struct sockaddr *from); |
91447636 A |
334 | |
335 | /*! | |
0a7de745 A |
336 | * @typedef sf_connect_out_func |
337 | * | |
338 | * @discussion sf_connect_out_func is called to filter outbound | |
339 | * connections. A protocol will call this before initiating an | |
340 | * outbound connection. | |
341 | * @param cookie Cookie value specified when the filter attach was | |
342 | * called. | |
343 | * @param so The socket the filter is attached to. | |
344 | * @param to The remote address of the outbound connection. | |
345 | * @result Return: | |
346 | * 0 - The caller will continue with normal processing of the | |
347 | * connection. | |
348 | * EJUSTRETURN - The caller will return with a value of 0 (no error) | |
349 | * from that point without further processing the connect command. The | |
350 | * protocol layer will not see the call. | |
351 | * Anything Else - The caller will rejecting the outbound | |
352 | * connection. | |
353 | */ | |
354 | typedef errno_t (*sf_connect_out_func)(void *cookie, socket_t so, | |
b0d623f7 | 355 | const struct sockaddr *to); |
91447636 A |
356 | |
357 | /*! | |
0a7de745 A |
358 | * @typedef sf_bind_func |
359 | * | |
360 | * @discussion sf_bind_func is called before performing a bind | |
361 | * operation on a socket. | |
362 | * @param cookie Cookie value specified when the filter attach was | |
363 | * called. | |
364 | * @param so The socket the filter is attached to. | |
365 | * @param to The local address of the socket will be bound to. | |
366 | * @result Return: | |
367 | * 0 - The caller will continue with normal processing of the bind. | |
368 | * EJUSTRETURN - The caller will return with a value of 0 (no error) | |
369 | * from that point without further processing the bind command. The | |
370 | * protocol layer will not see the call. | |
371 | * Anything Else - The caller will rejecting the bind. | |
372 | */ | |
373 | typedef errno_t (*sf_bind_func)(void *cookie, socket_t so, | |
b0d623f7 | 374 | const struct sockaddr *to); |
91447636 A |
375 | |
376 | /*! | |
0a7de745 A |
377 | * @typedef sf_setoption_func |
378 | * | |
379 | * @discussion sf_setoption_func is called before performing setsockopt | |
380 | * on a socket. | |
381 | * @param cookie Cookie value specified when the filter attach was | |
382 | * called. | |
383 | * @param so The socket the filter is attached to. | |
384 | * @param opt The socket option to set. | |
385 | * @result Return: | |
386 | * 0 - The caller will continue with normal processing of the | |
387 | * setsockopt. | |
388 | * EJUSTRETURN - The caller will return with a value of 0 (no error) | |
389 | * from that point without further propagating the set option | |
390 | * command. The socket and protocol layers will not see the call. | |
391 | * Anything Else - The caller will stop processing and return | |
392 | * this error. | |
393 | */ | |
394 | typedef errno_t (*sf_setoption_func)(void *cookie, socket_t so, sockopt_t opt); | |
395 | ||
396 | /*! | |
397 | * @typedef sf_getoption_func | |
398 | * | |
399 | * @discussion sf_getoption_func is called before performing getsockopt | |
400 | * on a socket. | |
401 | * @param cookie Cookie value specified when the filter attach was | |
402 | * called. | |
403 | * @param so The socket the filter is attached to. | |
404 | * @param opt The socket option to get. | |
405 | * @result Return: | |
406 | * 0 - The caller will continue with normal processing of the | |
407 | * getsockopt. | |
408 | * EJUSTRETURN - The caller will return with a value of 0 (no error) | |
409 | * from that point without further propagating the get option | |
410 | * command. The socket and protocol layers will not see the call. | |
411 | * Anything Else - The caller will stop processing and return | |
412 | * this error. | |
413 | */ | |
414 | typedef errno_t (*sf_getoption_func)(void *cookie, socket_t so, sockopt_t opt); | |
415 | ||
416 | /*! | |
417 | * @typedef sf_listen_func | |
418 | * | |
419 | * @discussion sf_listen_func is called before performing listen | |
420 | * on a socket. | |
421 | * @param cookie Cookie value specified when the filter attach was | |
422 | * called. | |
423 | * @param so The socket the filter is attached to. | |
424 | * @result Return: | |
425 | * 0 - The caller will continue with normal processing of listen. | |
426 | * EJUSTRETURN - The caller will return with a value of 0 (no error) | |
427 | * from that point without further processing the listen command. The | |
428 | * protocol will not see the call. | |
429 | * Anything Else - The caller will stop processing and return | |
430 | * this error. | |
431 | */ | |
432 | typedef errno_t (*sf_listen_func)(void *cookie, socket_t so); | |
433 | ||
434 | /*! | |
435 | * @typedef sf_ioctl_func | |
436 | * | |
437 | * @discussion sf_ioctl_func is called before performing an ioctl | |
438 | * on a socket. | |
439 | * | |
440 | * All undefined ioctls are reserved for future use by Apple. If | |
441 | * you need to communicate with your kext using an ioctl, please | |
442 | * use SIOCSIFKPI and SIOCGIFKPI. | |
443 | * @param cookie Cookie value specified when the filter attach was | |
444 | * called. | |
445 | * @param so The socket the filter is attached to. | |
446 | * @param request The ioctl name. | |
447 | * @param argp A pointer to the ioctl parameter. | |
448 | * @result Return: | |
449 | * 0 - The caller will continue with normal processing of | |
450 | * this ioctl. | |
451 | * EJUSTRETURN - The caller will return with a value of 0 (no error) | |
452 | * from that point without further processing or propogating | |
453 | * the ioctl. | |
454 | * Anything Else - The caller will stop processing and return | |
455 | * this error. | |
456 | */ | |
457 | typedef errno_t (*sf_ioctl_func)(void *cookie, socket_t so, | |
b0d623f7 | 458 | unsigned long request, const char* argp); |
91447636 | 459 | |
2d21ac55 | 460 | /*! |
0a7de745 A |
461 | * @typedef sf_accept_func |
462 | * | |
463 | * @discussion sf_accept_func is called after a socket is dequeued | |
464 | * off the completed (incoming) connection list and before | |
465 | * the file descriptor is associated with it. A filter can | |
466 | * utilize this callback to intercept the accepted socket | |
467 | * in order to examine it, prior to returning the socket to | |
468 | * the caller of accept. Such a filter may also choose to | |
469 | * discard the accepted socket if it wishes to do so. | |
470 | * @param cookie Cookie value specified when the filter attach was called. | |
471 | * @param so_listen The listening socket. | |
472 | * @param so The socket that is about to be accepted. | |
473 | * @param local The local address of the about to be accepted socket. | |
474 | * @param remote The remote address of the about to be accepted socket. | |
475 | * @result Return: | |
476 | * 0 - The caller will continue with normal processing of accept. | |
477 | * EJUSTRETURN - The to be accepted socket will be disconnected | |
478 | * prior to being returned to the caller of accept. No further | |
479 | * control or data operations on the socket will be allowed. | |
480 | * This is the recommended return value as it has the least | |
481 | * amount of impact, especially to applications which don't | |
482 | * check the error value returned by accept. | |
483 | * Anything Else - The to be accepted socket will be closed and | |
484 | * the error will be returned to the caller of accept. | |
485 | * Note that socket filter developers are advised to exercise | |
486 | * caution when returning non-zero values to the caller, | |
487 | * since some applications don't check the error value | |
488 | * returned by accept and therefore risk breakage. | |
2d21ac55 A |
489 | */ |
490 | typedef errno_t (*sf_accept_func)(void *cookie, socket_t so_listen, socket_t so, | |
491 | const struct sockaddr *local, const struct sockaddr *remote); | |
492 | ||
91447636 | 493 | /*! |
0a7de745 A |
494 | * @struct sflt_filter |
495 | * @discussion This structure is used to define a socket filter. | |
496 | * @field sf_handle A value used to find socket filters by | |
497 | * applications. An application can use this value to specify that | |
498 | * this filter should be attached when using the SO_NKE socket | |
499 | * option. | |
500 | * @field sf_flags Indicate whether this filter should be attached to | |
501 | * all new sockets or just those that request the filter be | |
502 | * attached using the SO_NKE socket option. If this filter | |
503 | * utilizes the socket filter extension fields, it must also | |
504 | * set SFLT_EXTENDED. | |
505 | * @field sf_name A name used for debug purposes. | |
506 | * @field sf_unregistered Your function for being notified when your | |
507 | * filter has been unregistered. | |
508 | * @field sf_attach Your function for handling attaches to sockets. | |
509 | * @field sf_detach Your function for handling detaches from sockets. | |
510 | * @field sf_notify Your function for handling events. May be null. | |
511 | * @field sf_data_in Your function for handling incoming data. May be | |
512 | * null. | |
513 | * @field sf_data_out Your function for handling outgoing data. May be | |
514 | * null. | |
515 | * @field sf_connect_in Your function for handling inbound | |
516 | * connections. May be null. | |
517 | * @field sf_connect_out Your function for handling outbound | |
518 | * connections. May be null. | |
519 | * @field sf_bind Your function for handling binds. May be null. | |
520 | * @field sf_setoption Your function for handling setsockopt. May be null. | |
521 | * @field sf_getoption Your function for handling getsockopt. May be null. | |
522 | * @field sf_listen Your function for handling listen. May be null. | |
523 | * @field sf_ioctl Your function for handling ioctls. May be null. | |
524 | * @field sf_len Length of socket filter extension structure; developers | |
525 | * must initialize this to sizeof sflt_filter_ext structure. | |
526 | * This field and all fields following it will only be valid | |
527 | * if SFLT_EXTENDED flag is set in sf_flags field. | |
528 | * @field sf_ext_accept Your function for handling inbound connections | |
529 | * at accept time. May be null. | |
530 | * @field sf_ext_rsvd Reserved for future use; you must initialize | |
531 | * the reserved fields with zeroes. | |
532 | */ | |
91447636 | 533 | struct sflt_filter { |
0a7de745 A |
534 | sflt_handle sf_handle; |
535 | int sf_flags; | |
536 | char *sf_name; | |
537 | ||
538 | sf_unregistered_func sf_unregistered; | |
539 | sf_attach_func sf_attach; | |
540 | sf_detach_func sf_detach; | |
541 | ||
542 | sf_notify_func sf_notify; | |
543 | sf_getpeername_func sf_getpeername; | |
544 | sf_getsockname_func sf_getsockname; | |
545 | sf_data_in_func sf_data_in; | |
546 | sf_data_out_func sf_data_out; | |
547 | sf_connect_in_func sf_connect_in; | |
548 | sf_connect_out_func sf_connect_out; | |
549 | sf_bind_func sf_bind; | |
550 | sf_setoption_func sf_setoption; | |
551 | sf_getoption_func sf_getoption; | |
552 | sf_listen_func sf_listen; | |
553 | sf_ioctl_func sf_ioctl; | |
2d21ac55 A |
554 | /* |
555 | * The following are valid only if SFLT_EXTENDED flag is set. | |
556 | * Initialize sf_ext_len to sizeof sflt_filter_ext structure. | |
557 | * Filters must also initialize reserved fields with zeroes. | |
558 | */ | |
559 | struct sflt_filter_ext { | |
0a7de745 A |
560 | unsigned int sf_ext_len; |
561 | sf_accept_func sf_ext_accept; | |
562 | void *sf_ext_rsvd[5]; /* Reserved */ | |
2d21ac55 | 563 | } sf_ext; |
0a7de745 A |
564 | #define sf_len sf_ext.sf_ext_len |
565 | #define sf_accept sf_ext.sf_ext_accept | |
91447636 A |
566 | }; |
567 | ||
568 | /*! | |
0a7de745 A |
569 | * @function sflt_register |
570 | * @discussion Registers a socket filter. See 'man 2 socket' for a | |
571 | * desciption of domain, type, and protocol. | |
572 | * @param filter A structure describing the filter. | |
573 | * @param domain The protocol domain these filters will be attached to. | |
574 | * Only PF_INET & PF_INET6 domains are supported. | |
575 | * @param type The socket type these filters will be attached to. | |
576 | * @param protocol The protocol these filters will be attached to. | |
577 | * @result 0 on success otherwise the errno error. | |
91447636 | 578 | */ |
5ba3f43e A |
579 | #ifdef KERNEL_PRIVATE |
580 | extern errno_t sflt_register_internal(const struct sflt_filter *filter, | |
581 | int domain, int type, int protocol); | |
582 | ||
0a7de745 | 583 | #define sflt_register(filter, domain, type, protocol) \ |
5ba3f43e A |
584 | sflt_register_internal((filter), (domain), (type), (protocol)) |
585 | #else | |
b0d623f7 | 586 | extern errno_t sflt_register(const struct sflt_filter *filter, int domain, |
cb323159 A |
587 | int type, int protocol) |
588 | __NKE_API_DEPRECATED; | |
5ba3f43e | 589 | #endif /* KERNEL_PRIVATE */ |
91447636 A |
590 | |
591 | /*! | |
0a7de745 A |
592 | * @function sflt_unregister |
593 | * @discussion Unregisters a socket filter. This will not detach the | |
594 | * socket filter from all sockets it may be attached to at the | |
595 | * time, it will just prevent the socket filter from being attached | |
596 | * to any new sockets. | |
597 | * @param handle The sf_handle of the socket filter to unregister. | |
598 | * @result 0 on success otherwise the errno error. | |
91447636 | 599 | */ |
cb323159 A |
600 | extern errno_t sflt_unregister(sflt_handle handle) |
601 | __NKE_API_DEPRECATED; | |
91447636 A |
602 | |
603 | /*! | |
0a7de745 A |
604 | * @function sflt_attach |
605 | * @discussion Attaches a socket filter to the specified socket. A | |
606 | * filter must be registered before it can be attached. | |
607 | * @param socket The socket the filter should be attached to. | |
608 | * @param handle The handle of the registered filter to be attached. | |
609 | * @result 0 on success otherwise the errno error. | |
91447636 | 610 | */ |
cb323159 A |
611 | extern errno_t sflt_attach(socket_t socket, sflt_handle handle) |
612 | __NKE_API_DEPRECATED; | |
91447636 A |
613 | |
614 | /*! | |
0a7de745 A |
615 | * @function sflt_detach |
616 | * @discussion Detaches a socket filter from a specified socket. | |
617 | * @param socket The socket the filter should be detached from. | |
618 | * @param handle The handle of the registered filter to be detached. | |
619 | * @result 0 on success otherwise the errno error. | |
91447636 | 620 | */ |
cb323159 A |
621 | extern errno_t sflt_detach(socket_t socket, sflt_handle handle) |
622 | __NKE_API_DEPRECATED; | |
91447636 A |
623 | |
624 | /* Functions for manipulating sockets */ | |
625 | /* | |
626 | * Inject data in to the receive buffer of the socket as if it | |
627 | * had come from the network. | |
628 | * | |
629 | * flags should match sflt_data_flag_t | |
630 | */ | |
631 | ||
632 | /*! | |
0a7de745 A |
633 | * @function sock_inject_data_in |
634 | * @discussion Inject data in to the receive buffer of the socket as if | |
635 | * it had come from the network. | |
636 | * @param so The socket to inject the data on. | |
637 | * @param from The address the data is from, only necessary on | |
638 | * un-connected sockets. A copy of the address will be made, caller | |
639 | * is responsible for freeing the address after calling this | |
640 | * function. | |
641 | * @param data The data and possibly control mbufs. | |
642 | * @param control The separate control mbufs. | |
643 | * @param flags Flags indicating the type of data. | |
644 | * @result 0 on success otherwise the errno error. If the function | |
645 | * returns an error, the caller is responsible for freeing the | |
646 | * mbuf. | |
91447636 | 647 | */ |
b0d623f7 | 648 | extern errno_t sock_inject_data_in(socket_t so, const struct sockaddr *from, |
cb323159 A |
649 | mbuf_t data, mbuf_t control, sflt_data_flag_t flags) |
650 | __NKE_API_DEPRECATED; | |
91447636 A |
651 | |
652 | /*! | |
0a7de745 A |
653 | * @function sock_inject_data_out |
654 | * @discussion Inject data in to the send buffer of the socket as if it | |
655 | * had come from the client. | |
656 | * @param so The socket to inject the data on. | |
657 | * @param to The address the data should be sent to, only necessary on | |
658 | * un-connected sockets. The caller is responsible for freeing the | |
659 | * to address after sock_inject_data_out returns. | |
660 | * @param data The data and possibly control mbufs. | |
661 | * @param control The separate control mbufs. | |
662 | * @param flags Flags indicating the type of data. | |
663 | * @result 0 on success otherwise the errno error. The data and control | |
664 | * values are always freed regardless of return value. | |
91447636 | 665 | */ |
b0d623f7 | 666 | extern errno_t sock_inject_data_out(socket_t so, const struct sockaddr *to, |
cb323159 A |
667 | mbuf_t data, mbuf_t control, sflt_data_flag_t flags) |
668 | __NKE_API_DEPRECATED; | |
91447636 A |
669 | |
670 | ||
671 | /* | |
672 | * sockopt_t accessors | |
673 | */ | |
674 | ||
675 | enum { | |
0a7de745 A |
676 | sockopt_get = 1, |
677 | sockopt_set = 2 | |
91447636 A |
678 | }; |
679 | typedef u_int8_t sockopt_dir; | |
680 | ||
681 | /*! | |
0a7de745 A |
682 | * @function sockopt_direction |
683 | * @discussion Retrieves the direction of the socket option (Get or | |
684 | * Set). | |
685 | * @param sopt The socket option. | |
686 | * @result sock_opt_get or sock_opt_set. | |
91447636 | 687 | */ |
cb323159 A |
688 | extern sockopt_dir sockopt_direction(sockopt_t sopt) |
689 | __NKE_API_DEPRECATED; | |
91447636 A |
690 | |
691 | /*! | |
0a7de745 A |
692 | * @function sockopt_level |
693 | * @discussion Retrieves the socket option level. (SOL_SOCKET, etc). | |
694 | * @param sopt The socket option. | |
695 | * @result The socket option level. See man 2 setsockopt | |
91447636 | 696 | */ |
cb323159 A |
697 | extern int sockopt_level(sockopt_t sopt) |
698 | __NKE_API_DEPRECATED; | |
91447636 A |
699 | |
700 | /*! | |
0a7de745 A |
701 | * @function sockopt_name |
702 | * @discussion Retrieves the socket option name. (SO_SNDBUF, etc). | |
703 | * @param sopt The socket option. | |
704 | * @result The socket option name. See man 2 setsockopt | |
91447636 | 705 | */ |
cb323159 A |
706 | extern int sockopt_name(sockopt_t sopt) |
707 | __NKE_API_DEPRECATED; | |
91447636 A |
708 | |
709 | /*! | |
0a7de745 A |
710 | * @function sockopt_valsize |
711 | * @discussion Retrieves the size of the socket option data. | |
712 | * @param sopt The socket option. | |
713 | * @result The length, in bytes, of the data. | |
91447636 | 714 | */ |
cb323159 A |
715 | extern size_t sockopt_valsize(sockopt_t sopt) |
716 | __NKE_API_DEPRECATED; | |
91447636 A |
717 | |
718 | /*! | |
0a7de745 A |
719 | * @function sockopt_copyin |
720 | * @discussion Copies the data from the socket option to a buffer. | |
721 | * @param sopt The socket option. | |
722 | * @param data A pointer to the buffer to copy the data in to. | |
723 | * @param length The number of bytes to copy. | |
724 | * @result An errno error or zero upon success. | |
91447636 | 725 | */ |
cb323159 A |
726 | extern errno_t sockopt_copyin(sockopt_t sopt, void *data, size_t length) |
727 | __NKE_API_DEPRECATED; | |
91447636 A |
728 | |
729 | /*! | |
0a7de745 A |
730 | * @function sockopt_copyout |
731 | * @discussion Copies the data from a buffer to a socket option. | |
732 | * @param sopt The socket option. | |
733 | * @param data A pointer to the buffer to copy the data out of. | |
734 | * @param length The number of bytes to copy. | |
735 | * @result An errno error or zero upon success. | |
91447636 | 736 | */ |
cb323159 A |
737 | extern errno_t sockopt_copyout(sockopt_t sopt, void *data, size_t length) |
738 | __NKE_API_DEPRECATED; | |
6601e61a | 739 | |
2d21ac55 | 740 | __END_DECLS |
b0d623f7 | 741 | #endif /* __KPI_SOCKETFILTER__ */ |