[apple/xnu.git] / bsd / netinet / kpi_ipfilter.c

/*
 * Copyright (c) 2003 Apple Computer, Inc. All rights reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

#include <sys/param.h>	/* for definition of NULL */
#include <sys/errno.h>
#include <sys/malloc.h>
#include <sys/socket.h>
#include <sys/mbuf.h>
#include <sys/systm.h>

#define _IP_VHL
#include <net/if_var.h>
#include <net/route.h>
#include <net/kpi_protocol.h>

#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/in_var.h>
#include <netinet6/in6_var.h>
#include <netinet/ip.h>
#include <netinet/ip6.h>
#include <netinet/ip_var.h>
#include <netinet6/ip6_var.h>
#include <netinet/kpi_ipfilter_var.h>

/*
 * kipf_lock and kipf_ref protect the linkage of the list of IP filters
 * An IP filter can be removed only when kipf_ref is zero
 * If an IP filter cannot be removed because kipf_ref is not null, then 
 * the IP filter is marjed and kipf_delayed_remove is set so that when 
 * kipf_ref eventually goes down to zero, the IP filter is removed
 */
static lck_mtx_t *kipf_lock = 0;
static unsigned long kipf_ref = 0;
static unsigned long kipf_delayed_remove = 0;

__private_extern__ struct ipfilter_list	ipv4_filters = TAILQ_HEAD_INITIALIZER(ipv4_filters);
__private_extern__ struct ipfilter_list	ipv6_filters = TAILQ_HEAD_INITIALIZER(ipv6_filters);
__private_extern__ struct ipfilter_list	tbr_filters = TAILQ_HEAD_INITIALIZER(tbr_filters);

__private_extern__ void
ipf_ref(void)
{
	lck_mtx_lock(kipf_lock);
    kipf_ref++;
	lck_mtx_unlock(kipf_lock);
}

__private_extern__ void
ipf_unref(void)
{
	lck_mtx_lock(kipf_lock);

    if (kipf_ref == 0)
    	panic("ipf_unref: kipf_ref == 0\n");
    	
    kipf_ref--;
    if (kipf_ref == 0 && kipf_delayed_remove != 0) {
    	struct ipfilter *filter;

		while ((filter = TAILQ_FIRST(&tbr_filters))) {
			ipf_detach_func ipf_detach = filter->ipf_filter.ipf_detach;
			void* cookie = filter->ipf_filter.cookie;
			
			TAILQ_REMOVE(filter->ipf_head, filter, ipf_link);
			TAILQ_REMOVE(&tbr_filters, filter, ipf_tbr);
			kipf_delayed_remove--;

			if (ipf_detach) {
				lck_mtx_unlock(kipf_lock);
				ipf_detach(cookie);
				lck_mtx_lock(kipf_lock);
				/* In case some filter got to run while we released the lock */
				if (kipf_ref != 0)
					break;
			}			
		}
   	} 
	lck_mtx_unlock(kipf_lock);
}

static errno_t
ipf_add(
	const struct ipf_filter* filter,
	ipfilter_t *filter_ref,
	struct ipfilter_list *head)
{
	struct ipfilter	*new_filter;
	if (filter->name == NULL || (filter->ipf_input == NULL && filter->ipf_output == NULL))
		return EINVAL;
	
	MALLOC(new_filter, struct ipfilter*, sizeof(*new_filter), M_IFADDR, M_WAITOK);
	if (new_filter == NULL)
		return ENOMEM;
	
	lck_mtx_lock(kipf_lock);
	new_filter->ipf_filter = *filter;
	new_filter->ipf_head = head;
	
	/*
	 * 3957298
	 * Make sure third parties have a chance to filter packets before
	 * SharedIP. Always SharedIP at the end of the list.
	 */
	if (filter->name != NULL &&
		strcmp(filter->name, "com.apple.nke.SharedIP") == 0) {
		TAILQ_INSERT_TAIL(head, new_filter, ipf_link);
	}
	else {
		TAILQ_INSERT_HEAD(head, new_filter, ipf_link);
	}
	
	lck_mtx_unlock(kipf_lock);
	
	*filter_ref = (ipfilter_t)new_filter;
	return 0;
}

errno_t
ipf_addv4(
	const struct ipf_filter* filter,
	ipfilter_t *filter_ref)
{
	return ipf_add(filter, filter_ref, &ipv4_filters);
}

errno_t
ipf_addv6(
	const struct ipf_filter* filter,
	ipfilter_t *filter_ref)
{
	return ipf_add(filter, filter_ref, &ipv6_filters);
}

errno_t
ipf_remove(
	ipfilter_t filter_ref)
{
	struct ipfilter	*match = (struct ipfilter*)filter_ref;
	struct ipfilter_list *head;
	
	if (match == 0 || (match->ipf_head != &ipv4_filters && match->ipf_head != &ipv6_filters))
		return EINVAL;
	
	head = match->ipf_head;
	
	lck_mtx_lock(kipf_lock);
	TAILQ_FOREACH(match, head, ipf_link) {
		if (match == (struct ipfilter*)filter_ref) {
			ipf_detach_func ipf_detach = match->ipf_filter.ipf_detach;
			void* cookie = match->ipf_filter.cookie;
			
			/*
			 * Cannot detach when they are filters running
			 */
			if (kipf_ref) {
				kipf_delayed_remove++;
				TAILQ_INSERT_TAIL(&tbr_filters, match, ipf_tbr);
				match->ipf_filter.ipf_input = 0;
				match->ipf_filter.ipf_output = 0;
				lck_mtx_unlock(kipf_lock);
			} else {
				TAILQ_REMOVE(head, match, ipf_link);
				lck_mtx_unlock(kipf_lock);
				if (ipf_detach)
					ipf_detach(cookie);
				FREE(match, M_IFADDR);
			}
			return 0;
		}
	}
	lck_mtx_unlock(kipf_lock);
	
	return ENOENT;
}

int log_for_en1 = 0;

errno_t
ipf_inject_input(
	mbuf_t data,
	ipfilter_t filter_ref)
{
	struct mbuf	*m = (struct mbuf*)data;
	struct m_tag *mtag = 0;
	struct ip *ip = mtod(m, struct ip *);
	u_int8_t	vers;
	int hlen;
	errno_t error = 0;
	protocol_family_t proto;

	vers = IP_VHL_V(ip->ip_vhl);
	
	switch (vers) {
		case 4:
			proto = PF_INET;
			break;
		case 6:
			proto = PF_INET6;
			break;
		default:
			error = ENOTSUP;
			goto done;
	}
	
	if (filter_ref == 0 && m->m_pkthdr.rcvif == 0) {
		m->m_pkthdr.rcvif = ifunit("lo0");
		m->m_pkthdr.csum_data = 0;
		m->m_pkthdr.csum_flags = 0;
		if (vers == 4) {
			hlen = IP_VHL_HL(ip->ip_vhl) << 2;
			ip->ip_sum = 0;
			ip->ip_sum = in_cksum(m, hlen);
		}
	}
	if (filter_ref != 0) {
		mtag = m_tag_alloc(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT,
					 	   sizeof (ipfilter_t), M_NOWAIT);
		if (mtag == NULL) {
			error = ENOMEM;
			goto done;
		}	
		*(ipfilter_t*)(mtag+1) = filter_ref;
		m_tag_prepend(m, mtag);
	}
	
	error = proto_inject(proto, data);

done:
	return error;
}

static errno_t
ipf_injectv4_out(
	mbuf_t data,
	ipfilter_t filter_ref,
	ipf_pktopts_t options)
{
	struct route ro;
	struct sockaddr_in	*sin = (struct sockaddr_in*)&ro.ro_dst;
	struct ip	*ip;
	struct mbuf	*m = (struct mbuf*)data;
	errno_t error = 0;
	struct m_tag *mtag = 0;
	struct ip_moptions *imo = 0, ip_moptions;
	
	/* Make the IP header contiguous in the mbuf */
	if ((size_t)m->m_len < sizeof(struct ip)) {
		m = m_pullup(m, sizeof(struct ip));
		if (m == NULL) return ENOMEM;
	}
	ip = (struct ip*)m_mtod(m);
	
	if (filter_ref != 0) {
		mtag = m_tag_alloc(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT,
					 	   sizeof (ipfilter_t), M_NOWAIT);
		if (mtag == NULL) {
			m_freem(m);
			return ENOMEM;
		}
		*(ipfilter_t*)(mtag+1) = filter_ref;
		m_tag_prepend(m, mtag);
	}
	
	if (options && (options->ippo_flags & IPPOF_MCAST_OPTS)) {
		imo = &ip_moptions;
		
		bzero(imo, sizeof(struct ip6_moptions));
		imo->imo_multicast_ifp = options->ippo_mcast_ifnet;
		imo->imo_multicast_ttl = options->ippo_mcast_ttl;
		imo->imo_multicast_loop = options->ippo_mcast_loop;
	}
	
	/* Fill out a route structure and get a route */
	bzero(&ro, sizeof(struct route));
	sin->sin_len = sizeof(struct sockaddr_in);
	sin->sin_family = AF_INET;
	sin->sin_port = 0;
	sin->sin_addr = ip->ip_dst;
	rtalloc(&ro);
	if (ro.ro_rt == NULL) {
		m_freem(m);
		return ENETUNREACH;
	}
	/* Send  */
	error = ip_output(m, NULL, &ro, IP_ALLOWBROADCAST | IP_RAWOUTPUT, imo);
	
	/* Release the route */
	if (ro.ro_rt)
		rtfree(ro.ro_rt);
	
	return error;
}

static errno_t
ipf_injectv6_out(
	mbuf_t data,
	ipfilter_t filter_ref,
	ipf_pktopts_t options)
{
	struct route_in6 ro;
	struct sockaddr_in6	*sin6 = &ro.ro_dst;
	struct ip6_hdr	*ip6;
	struct mbuf	*m = (struct mbuf*)data;
	errno_t error = 0;
	struct m_tag *mtag = 0;
	struct ip6_moptions *im6o = 0, ip6_moptions;
	
	/* Make the IP header contiguous in the mbuf */
	if ((size_t)m->m_len < sizeof(struct ip6_hdr)) {
		m = m_pullup(m, sizeof(struct ip6_hdr));
		if (m == NULL) return ENOMEM;
	}
	ip6 = (struct ip6_hdr*)m_mtod(m);

	if (filter_ref != 0) {
		mtag = m_tag_alloc(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT,
					 	   sizeof (ipfilter_t), M_NOWAIT);
		if (mtag == NULL) {
			m_freem(m);
			return ENOMEM;
		}
		*(ipfilter_t*)(mtag+1) = filter_ref;
		m_tag_prepend(m, mtag);
	}
	
	if (options && (options->ippo_flags & IPPOF_MCAST_OPTS)) {
		im6o = &ip6_moptions;
		
		bzero(im6o, sizeof(struct ip6_moptions));
		im6o->im6o_multicast_ifp = options->ippo_mcast_ifnet;
		im6o->im6o_multicast_hlim = options->ippo_mcast_ttl;
		im6o->im6o_multicast_loop = options->ippo_mcast_loop;
	}
	
	
	/* Fill out a route structure and get a route */
	bzero(&ro, sizeof(struct route_in6));
	sin6->sin6_len = sizeof(struct sockaddr_in6);
	sin6->sin6_family = AF_INET6;
	sin6->sin6_addr = ip6->ip6_dst;
#if 0
	/* This is breaks loopback multicast! */
	/* The scope ID should already at s6_addr16[1] */
	if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
		/* Hack, pull the scope_id out of the dest addr */
		sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
		ip6->ip6_dst.s6_addr16[1] = 0;
	} else
		sin6->sin6_scope_id = 0;
#endif
	rtalloc((struct route*)&ro);
	if (ro.ro_rt == NULL) {
		m_freem(m);
		return ENETUNREACH;
	}
	
	/* Send  */
	error = ip6_output(m, NULL, &ro, 0, im6o, NULL, 0);
	
	/* Release the route */
	if (ro.ro_rt)
		rtfree(ro.ro_rt);
	
	return error;
}

errno_t
ipf_inject_output(
	mbuf_t data,
	ipfilter_t filter_ref,
	ipf_pktopts_t options)
{
	struct mbuf	*m = (struct mbuf*)data;
	u_int8_t	vers;
	errno_t		error = 0;

	/* Make one byte of the header contiguous in the mbuf */
	if (m->m_len < 1) {
		m = m_pullup(m, 1);
		if (m == NULL) 
			goto done;
	}
	
	vers = (*(u_int8_t*)m_mtod(m)) >> 4;
	switch (vers)
	{
		case 4:
			error = ipf_injectv4_out(data, filter_ref, options);
			break;
		case 6:
			error = ipf_injectv6_out(data, filter_ref, options);
			break;
		default:
			m_freem(m);
			error = ENOTSUP;
			break;
	}

done:	
	return error;
}

__private_extern__ ipfilter_t
ipf_get_inject_filter(struct mbuf *m)
{
	ipfilter_t filter_ref = 0;
	struct m_tag *mtag;
	
	mtag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT, NULL);
	if (mtag) {
		filter_ref = *(ipfilter_t *)(mtag+1);
		
		m_tag_delete(m, mtag);
	}
	return filter_ref;
}

__private_extern__ int
ipf_init(void)
{
	int error = 0;
	lck_grp_attr_t *grp_attributes = 0;
	lck_attr_t *lck_attributes = 0;
	lck_grp_t *lck_grp = 0;
	
	grp_attributes = lck_grp_attr_alloc_init();
	if (grp_attributes == 0) {
		printf("ipf_init: lck_grp_attr_alloc_init failed\n");
		error = ENOMEM;
		goto done;
	}
	lck_grp_attr_setdefault(grp_attributes);
	
	lck_grp = lck_grp_alloc_init("IP Filter", grp_attributes);
	if (lck_grp == 0) {
		printf("ipf_init: lck_grp_alloc_init failed\n");
		error = ENOMEM;
		goto done;
	}
	
	lck_attributes = lck_attr_alloc_init();
	if (lck_attributes == 0) {
		printf("ipf_init: lck_attr_alloc_init failed\n");
		error = ENOMEM;
		goto done;
	}
	lck_attr_setdefault(lck_attributes);
	
	kipf_lock = lck_mtx_alloc_init(lck_grp, lck_attributes);
	if (kipf_lock == 0) {
		printf("ipf_init: lck_mtx_alloc_init failed\n");
		error = ENOMEM;
		goto done;
	}
	done:
	if (error != 0) {
		if (kipf_lock) {
			lck_mtx_free(kipf_lock, lck_grp);
			kipf_lock = 0;
		}
	}
	if (lck_grp) {
		lck_grp_free(lck_grp);
		lck_grp = 0;
	}
	if (grp_attributes) {
		lck_grp_attr_free(grp_attributes);
		grp_attributes = 0;
	}
	if (lck_attributes) {
		lck_attr_free(lck_attributes);
		lck_attributes = 0;
	}
	
	return error;
}
Commit	Line	Data
91447636 A	1	/*
	2	* Copyright (c) 2003 Apple Computer, Inc. All rights reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
ff6e181a A	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
91447636	12	*
ff6e181a A	13	* The Original Code and all software distributed under the License are
ff6e181a A	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
91447636 A	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
91447636 A	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
ff6e181a A	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
91447636 A	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	#include <sys/param.h> /* for definition of NULL */
	25	#include <sys/errno.h>
	26	#include <sys/malloc.h>
	27	#include <sys/socket.h>
	28	#include <sys/mbuf.h>
	29	#include <sys/systm.h>
	30
	31	#define _IP_VHL
	32	#include <net/if_var.h>
	33	#include <net/route.h>
	34	#include <net/kpi_protocol.h>
	35
	36	#include <netinet/in_systm.h>
	37	#include <netinet/in.h>
	38	#include <netinet/in_var.h>
	39	#include <netinet6/in6_var.h>
	40	#include <netinet/ip.h>
	41	#include <netinet/ip6.h>
	42	#include <netinet/ip_var.h>
	43	#include <netinet6/ip6_var.h>
	44	#include <netinet/kpi_ipfilter_var.h>
	45
	46	/*
	47	* kipf_lock and kipf_ref protect the linkage of the list of IP filters
	48	* An IP filter can be removed only when kipf_ref is zero
	49	* If an IP filter cannot be removed because kipf_ref is not null, then
	50	* the IP filter is marjed and kipf_delayed_remove is set so that when
	51	* kipf_ref eventually goes down to zero, the IP filter is removed
	52	*/
	53	static lck_mtx_t *kipf_lock = 0;
	54	static unsigned long kipf_ref = 0;
	55	static unsigned long kipf_delayed_remove = 0;
	56
	57	__private_extern__ struct ipfilter_list ipv4_filters = TAILQ_HEAD_INITIALIZER(ipv4_filters);
	58	__private_extern__ struct ipfilter_list ipv6_filters = TAILQ_HEAD_INITIALIZER(ipv6_filters);
	59	__private_extern__ struct ipfilter_list tbr_filters = TAILQ_HEAD_INITIALIZER(tbr_filters);
	60
	61	__private_extern__ void
	62	ipf_ref(void)
	63	{
	64	lck_mtx_lock(kipf_lock);
	65	kipf_ref++;
	66	lck_mtx_unlock(kipf_lock);
	67	}
	68
	69	__private_extern__ void
	70	ipf_unref(void)
	71	{
	72	lck_mtx_lock(kipf_lock);
	73
	74	if (kipf_ref == 0)
	75	panic("ipf_unref: kipf_ref == 0\n");
	76
	77	kipf_ref--;
	78	if (kipf_ref == 0 && kipf_delayed_remove != 0) {
	79	struct ipfilter *filter;
	80
	81	while ((filter = TAILQ_FIRST(&tbr_filters))) {
	82	ipf_detach_func ipf_detach = filter->ipf_filter.ipf_detach;
	83	void* cookie = filter->ipf_filter.cookie;
84
85	TAILQ_REMOVE(filter->ipf_head, filter, ipf_link);
86	TAILQ_REMOVE(&tbr_filters, filter, ipf_tbr);
87	kipf_delayed_remove--;
88
89	if (ipf_detach) {
90	lck_mtx_unlock(kipf_lock);
91	ipf_detach(cookie);
92	lck_mtx_lock(kipf_lock);
93	/* In case some filter got to run while we released the lock */
94	if (kipf_ref != 0)
95	break;
96	}
97	}
98	}
99	lck_mtx_unlock(kipf_lock);
100	}
101
102	static errno_t
103	ipf_add(
104	const struct ipf_filter* filter,
105	ipfilter_t *filter_ref,
106	struct ipfilter_list *head)
107	{
108	struct ipfilter *new_filter;
109	if (filter->name == NULL \|\| (filter->ipf_input == NULL && filter->ipf_output == NULL))
110	return EINVAL;
111
112	MALLOC(new_filter, struct ipfilter, sizeof(new_filter), M_IFADDR, M_WAITOK);
113	if (new_filter == NULL)
114	return ENOMEM;
115
116	lck_mtx_lock(kipf_lock);
117	new_filter->ipf_filter = *filter;
118	new_filter->ipf_head = head;
119
120	/*
121	* 3957298
122	* Make sure third parties have a chance to filter packets before
123	* SharedIP. Always SharedIP at the end of the list.
124	*/
125	if (filter->name != NULL &&
126	strcmp(filter->name, "com.apple.nke.SharedIP") == 0) {
127	TAILQ_INSERT_TAIL(head, new_filter, ipf_link);
128	}
129	else {
130	TAILQ_INSERT_HEAD(head, new_filter, ipf_link);
131	}
132
133	lck_mtx_unlock(kipf_lock);
134
135	*filter_ref = (ipfilter_t)new_filter;
136	return 0;
137	}
138
139	errno_t
140	ipf_addv4(
141	const struct ipf_filter* filter,
142	ipfilter_t *filter_ref)
143	{
144	return ipf_add(filter, filter_ref, &ipv4_filters);
145	}
146
147	errno_t
148	ipf_addv6(
149	const struct ipf_filter* filter,
150	ipfilter_t *filter_ref)
151	{
152	return ipf_add(filter, filter_ref, &ipv6_filters);
153	}
154
155	errno_t
156	ipf_remove(
157	ipfilter_t filter_ref)
158	{
159	struct ipfilter match = (struct ipfilter)filter_ref;
160	struct ipfilter_list *head;
161
162	if (match == 0 \|\| (match->ipf_head != &ipv4_filters && match->ipf_head != &ipv6_filters))
163	return EINVAL;
164
165	head = match->ipf_head;
166
167	lck_mtx_lock(kipf_lock);
168	TAILQ_FOREACH(match, head, ipf_link) {
169	if (match == (struct ipfilter*)filter_ref) {
170	ipf_detach_func ipf_detach = match->ipf_filter.ipf_detach;
171	void* cookie = match->ipf_filter.cookie;
172
173	/*
174	* Cannot detach when they are filters running
175	*/
176	if (kipf_ref) {
177	kipf_delayed_remove++;
178	TAILQ_INSERT_TAIL(&tbr_filters, match, ipf_tbr);
179	match->ipf_filter.ipf_input = 0;
180	match->ipf_filter.ipf_output = 0;
181	lck_mtx_unlock(kipf_lock);
182	} else {
183	TAILQ_REMOVE(head, match, ipf_link);
184	lck_mtx_unlock(kipf_lock);
185	if (ipf_detach)
186	ipf_detach(cookie);
187	FREE(match, M_IFADDR);
188	}
189	return 0;
190	}
191	}
192	lck_mtx_unlock(kipf_lock);
193
194	return ENOENT;
195	}
196
197	int log_for_en1 = 0;
198
199	errno_t
200	ipf_inject_input(
201	mbuf_t data,
202	ipfilter_t filter_ref)
203	{
204	struct mbuf m = (struct mbuf)data;
205	struct m_tag *mtag = 0;
206	struct ip ip = mtod(m, struct ip );
207	u_int8_t vers;
208	int hlen;
209	errno_t error = 0;
210	protocol_family_t proto;
211
212	vers = IP_VHL_V(ip->ip_vhl);
213
214	switch (vers) {
215	case 4:
216	proto = PF_INET;
217	break;
218	case 6:
219	proto = PF_INET6;
220	break;
221	default:
222	error = ENOTSUP;
223	goto done;
224	}
225
226	if (filter_ref == 0 && m->m_pkthdr.rcvif == 0) {
227	m->m_pkthdr.rcvif = ifunit("lo0");
228	m->m_pkthdr.csum_data = 0;
229	m->m_pkthdr.csum_flags = 0;
230	if (vers == 4) {
231	hlen = IP_VHL_HL(ip->ip_vhl) << 2;
232	ip->ip_sum = 0;
233	ip->ip_sum = in_cksum(m, hlen);
234	}
235	}
236	if (filter_ref != 0) {
237	mtag = m_tag_alloc(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT,
238	sizeof (ipfilter_t), M_NOWAIT);
239	if (mtag == NULL) {
240	error = ENOMEM;
241	goto done;
242	}
243	(ipfilter_t)(mtag+1) = filter_ref;
244	m_tag_prepend(m, mtag);
245	}
246
247	error = proto_inject(proto, data);
248
249	done:
250	return error;
251	}
252
253	static errno_t
254	ipf_injectv4_out(
255	mbuf_t data,
256	ipfilter_t filter_ref,
257	ipf_pktopts_t options)
258	{
259	struct route ro;
260	struct sockaddr_in sin = (struct sockaddr_in)&ro.ro_dst;
261	struct ip *ip;
262	struct mbuf m = (struct mbuf)data;
263	errno_t error = 0;
264	struct m_tag *mtag = 0;
265	struct ip_moptions *imo = 0, ip_moptions;
266
267	/* Make the IP header contiguous in the mbuf */
268	if ((size_t)m->m_len < sizeof(struct ip)) {
269	m = m_pullup(m, sizeof(struct ip));
270	if (m == NULL) return ENOMEM;
271	}
272	ip = (struct ip*)m_mtod(m);
273
274	if (filter_ref != 0) {
275	mtag = m_tag_alloc(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT,
276	sizeof (ipfilter_t), M_NOWAIT);
277	if (mtag == NULL) {
278	m_freem(m);
279	return ENOMEM;
280	}
281	(ipfilter_t)(mtag+1) = filter_ref;
282	m_tag_prepend(m, mtag);
283	}
284
285	if (options && (options->ippo_flags & IPPOF_MCAST_OPTS)) {
286	imo = &ip_moptions;
287
288	bzero(imo, sizeof(struct ip6_moptions));
289	imo->imo_multicast_ifp = options->ippo_mcast_ifnet;
290	imo->imo_multicast_ttl = options->ippo_mcast_ttl;
291	imo->imo_multicast_loop = options->ippo_mcast_loop;
292	}
293
294	/* Fill out a route structure and get a route */
295	bzero(&ro, sizeof(struct route));
296	sin->sin_len = sizeof(struct sockaddr_in);
297	sin->sin_family = AF_INET;
298	sin->sin_port = 0;
299	sin->sin_addr = ip->ip_dst;
300	rtalloc(&ro);
301	if (ro.ro_rt == NULL) {
302	m_freem(m);
303	return ENETUNREACH;
304	}
305	/* Send */
306	error = ip_output(m, NULL, &ro, IP_ALLOWBROADCAST \| IP_RAWOUTPUT, imo);
307
308	/* Release the route */
309	if (ro.ro_rt)
310	rtfree(ro.ro_rt);
311
312	return error;
313	}
314
315	static errno_t
316	ipf_injectv6_out(
317	mbuf_t data,
318	ipfilter_t filter_ref,
319	ipf_pktopts_t options)
320	{
321	struct route_in6 ro;
322	struct sockaddr_in6 *sin6 = &ro.ro_dst;
323	struct ip6_hdr *ip6;
324	struct mbuf m = (struct mbuf)data;
325	errno_t error = 0;
326	struct m_tag *mtag = 0;
327	struct ip6_moptions *im6o = 0, ip6_moptions;
328
329	/* Make the IP header contiguous in the mbuf */
330	if ((size_t)m->m_len < sizeof(struct ip6_hdr)) {
331	m = m_pullup(m, sizeof(struct ip6_hdr));
332	if (m == NULL) return ENOMEM;
333	}
334	ip6 = (struct ip6_hdr*)m_mtod(m);
335
336	if (filter_ref != 0) {
337	mtag = m_tag_alloc(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT,
338	sizeof (ipfilter_t), M_NOWAIT);
339	if (mtag == NULL) {
340	m_freem(m);
341	return ENOMEM;
342	}
343	(ipfilter_t)(mtag+1) = filter_ref;
344	m_tag_prepend(m, mtag);
345	}
346
347	if (options && (options->ippo_flags & IPPOF_MCAST_OPTS)) {
348	im6o = &ip6_moptions;
349
350	bzero(im6o, sizeof(struct ip6_moptions));
351	im6o->im6o_multicast_ifp = options->ippo_mcast_ifnet;
352	im6o->im6o_multicast_hlim = options->ippo_mcast_ttl;
353	im6o->im6o_multicast_loop = options->ippo_mcast_loop;
354	}
355
356
357	/* Fill out a route structure and get a route */
358	bzero(&ro, sizeof(struct route_in6));
359	sin6->sin6_len = sizeof(struct sockaddr_in6);
360	sin6->sin6_family = AF_INET6;
361	sin6->sin6_addr = ip6->ip6_dst;
362	#if 0
363	/* This is breaks loopback multicast! */
364	/* The scope ID should already at s6_addr16[1] */
365	if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
366	/* Hack, pull the scope_id out of the dest addr */
367	sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
368	ip6->ip6_dst.s6_addr16[1] = 0;
369	} else
370	sin6->sin6_scope_id = 0;
371	#endif
372	rtalloc((struct route*)&ro);
373	if (ro.ro_rt == NULL) {
374	m_freem(m);
375	return ENETUNREACH;
376	}
377
378	/* Send */
379	error = ip6_output(m, NULL, &ro, 0, im6o, NULL, 0);
380
381	/* Release the route */
382	if (ro.ro_rt)
383	rtfree(ro.ro_rt);
384
385	return error;
386	}
387
388	errno_t
389	ipf_inject_output(
390	mbuf_t data,
391	ipfilter_t filter_ref,
392	ipf_pktopts_t options)
393	{
394	struct mbuf m = (struct mbuf)data;
395	u_int8_t vers;
396	errno_t error = 0;
397
398	/* Make one byte of the header contiguous in the mbuf */
399	if (m->m_len < 1) {
400	m = m_pullup(m, 1);
401	if (m == NULL)
402	goto done;
403	}
404
405	vers = ((u_int8_t)m_mtod(m)) >> 4;
406	switch (vers)
407	{
408	case 4:
409	error = ipf_injectv4_out(data, filter_ref, options);
410	break;
411	case 6:
412	error = ipf_injectv6_out(data, filter_ref, options);
413	break;
414	default:
415	m_freem(m);
416	error = ENOTSUP;
417	break;
418	}
419
420	done:
421	return error;
422	}
423
424	__private_extern__ ipfilter_t
425	ipf_get_inject_filter(struct mbuf *m)
426	{
427	ipfilter_t filter_ref = 0;
428	struct m_tag *mtag;
429
430	mtag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT, NULL);
431	if (mtag) {
432	filter_ref = (ipfilter_t )(mtag+1);
433
434	m_tag_delete(m, mtag);
435	}
436	return filter_ref;
437	}
438
439	__private_extern__ int
440	ipf_init(void)
441	{
442	int error = 0;
443	lck_grp_attr_t *grp_attributes = 0;
444	lck_attr_t *lck_attributes = 0;
445	lck_grp_t *lck_grp = 0;
446
447	grp_attributes = lck_grp_attr_alloc_init();
448	if (grp_attributes == 0) {
449	printf("ipf_init: lck_grp_attr_alloc_init failed\n");
450	error = ENOMEM;
451	goto done;
452	}
453	lck_grp_attr_setdefault(grp_attributes);
454
455	lck_grp = lck_grp_alloc_init("IP Filter", grp_attributes);
456	if (lck_grp == 0) {
457	printf("ipf_init: lck_grp_alloc_init failed\n");
458	error = ENOMEM;
459	goto done;
460	}
461
462	lck_attributes = lck_attr_alloc_init();
463	if (lck_attributes == 0) {
464	printf("ipf_init: lck_attr_alloc_init failed\n");
465	error = ENOMEM;
466	goto done;
467	}
468	lck_attr_setdefault(lck_attributes);
469
470	kipf_lock = lck_mtx_alloc_init(lck_grp, lck_attributes);
471	if (kipf_lock == 0) {
472	printf("ipf_init: lck_mtx_alloc_init failed\n");
473	error = ENOMEM;
474	goto done;
475	}
476	done:
477	if (error != 0) {
478	if (kipf_lock) {
479	lck_mtx_free(kipf_lock, lck_grp);
480	kipf_lock = 0;
481	}
482	}
483	if (lck_grp) {
484	lck_grp_free(lck_grp);
485	lck_grp = 0;
486	}
487	if (grp_attributes) {
488	lck_grp_attr_free(grp_attributes);
489	grp_attributes = 0;
490	}
491	if (lck_attributes) {
492	lck_attr_free(lck_attributes);
493	lck_attributes = 0;
494	}
495
496	return error;
497	}