]> git.saurik.com Git - apple/xnu.git/blob - bsd/netinet/kpi_ipfilter.c
projects / apple / xnu.git / blob
? search:


07ac305729985a53b735917fe898b05d93d2684b
[apple/xnu.git] / bsd / netinet / kpi_ipfilter.c
1 /*
2 * Copyright (c) 2004-2018 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 #include <sys/param.h> /* for definition of NULL */
30 #include <sys/errno.h>
31 #include <sys/malloc.h>
32 #include <sys/socket.h>
33 #include <sys/mbuf.h>
34 #include <sys/systm.h>
35 #include <libkern/OSAtomic.h>
36
37 #include <machine/endian.h>
38
39 #define _IP_VHL
40 #include <net/if_var.h>
41 #include <net/route.h>
42 #include <net/kpi_protocol.h>
43 #include <net/net_api_stats.h>
44
45 #include <netinet/in_systm.h>
46 #include <netinet/in.h>
47 #include <netinet/in_var.h>
48 #include <netinet6/in6_var.h>
49 #include <netinet/ip.h>
50 #include <netinet/ip6.h>
51 #include <netinet/ip_var.h>
52 #include <netinet6/ip6_var.h>
53 #include <netinet/kpi_ipfilter_var.h>
54
55 #include <stdbool.h>
56
57 /*
58 * kipf_lock and kipf_ref protect the linkage of the list of IP filters
59 * An IP filter can be removed only when kipf_ref is zero
60 * If an IP filter cannot be removed because kipf_ref is not null, then
61 * the IP filter is marjed and kipf_delayed_remove is set so that when
62 * kipf_ref eventually goes down to zero, the IP filter is removed
63 */
64 decl_lck_mtx_data(static, kipf_lock_data);
65 static lck_mtx_t *kipf_lock = &kipf_lock_data;
66 static u_int32_t kipf_ref = 0;
67 static u_int32_t kipf_delayed_remove = 0;
68 u_int32_t kipf_count = 0;
69
70 __private_extern__ struct ipfilter_list ipv4_filters = TAILQ_HEAD_INITIALIZER(ipv4_filters);
71 __private_extern__ struct ipfilter_list ipv6_filters = TAILQ_HEAD_INITIALIZER(ipv6_filters);
72 __private_extern__ struct ipfilter_list tbr_filters = TAILQ_HEAD_INITIALIZER(tbr_filters);
73
74 #undef ipf_addv4
75 #undef ipf_addv6
76 extern errno_t ipf_addv4(const struct ipf_filter *filter,
77 ipfilter_t *filter_ref);
78 extern errno_t ipf_addv6(const struct ipf_filter *filter,
79 ipfilter_t *filter_ref);
80
81 static errno_t ipf_add(const struct ipf_filter *filter,
82 ipfilter_t *filter_ref, struct ipfilter_list *head, bool is_internal);
83
84 __private_extern__ void
85 ipf_ref(void)
86 {
87 lck_mtx_lock(kipf_lock);
88 kipf_ref++;
89 lck_mtx_unlock(kipf_lock);
90 }
91
92 __private_extern__ void
93 ipf_unref(void)
94 {
95 lck_mtx_lock(kipf_lock);
96
97 if (kipf_ref == 0) {
98 panic("ipf_unref: kipf_ref == 0\n");
99 }
100
101 kipf_ref--;
102 if (kipf_ref == 0 && kipf_delayed_remove != 0) {
103 struct ipfilter *filter;
104
105 while ((filter = TAILQ_FIRST(&tbr_filters))) {
106 VERIFY(OSDecrementAtomic64(&net_api_stats.nas_ipf_add_count) > 0);
107
108 ipf_detach_func ipf_detach = filter->ipf_filter.ipf_detach;
109 void* cookie = filter->ipf_filter.cookie;
110
111 TAILQ_REMOVE(filter->ipf_head, filter, ipf_link);
112 TAILQ_REMOVE(&tbr_filters, filter, ipf_tbr);
113 kipf_delayed_remove--;
114
115 if (ipf_detach) {
116 lck_mtx_unlock(kipf_lock);
117 ipf_detach(cookie);
118 lck_mtx_lock(kipf_lock);
119 /* In case some filter got to run while we released the lock */
120 if (kipf_ref != 0) {
121 break;
122 }
123 }
124 }
125 }
126 lck_mtx_unlock(kipf_lock);
127 }
128
129 static errno_t
130 ipf_add(
131 const struct ipf_filter *filter,
132 ipfilter_t *filter_ref,
133 struct ipfilter_list *head,
134 bool is_internal)
135 {
136 struct ipfilter *new_filter;
137 if (filter->name == NULL || (filter->ipf_input == NULL && filter->ipf_output == NULL)) {
138 return EINVAL;
139 }
140
141 MALLOC(new_filter, struct ipfilter *, sizeof(*new_filter), M_IFADDR, M_WAITOK);
142 if (new_filter == NULL) {
143 return ENOMEM;
144 }
145
146 lck_mtx_lock(kipf_lock);
147 new_filter->ipf_filter = *filter;
148 new_filter->ipf_head = head;
149
150 TAILQ_INSERT_HEAD(head, new_filter, ipf_link);
151
152 OSIncrementAtomic64(&net_api_stats.nas_ipf_add_count);
153 INC_ATOMIC_INT64_LIM(net_api_stats.nas_ipf_add_total);
154 if (is_internal) {
155 INC_ATOMIC_INT64_LIM(net_api_stats.nas_ipf_add_os_total);
156 }
157
158 lck_mtx_unlock(kipf_lock);
159
160 *filter_ref = (ipfilter_t)new_filter;
161
162 /* This will force TCP to re-evaluate its use of TSO */
163 OSAddAtomic(1, &kipf_count);
164 routegenid_update();
165
166 return 0;
167 }
168
169 errno_t
170 ipf_addv4_internal(
171 const struct ipf_filter *filter,
172 ipfilter_t *filter_ref)
173 {
174 return ipf_add(filter, filter_ref, &ipv4_filters, true);
175 }
176
177 errno_t
178 ipf_addv4(
179 const struct ipf_filter *filter,
180 ipfilter_t *filter_ref)
181 {
182 return ipf_add(filter, filter_ref, &ipv4_filters, false);
183 }
184
185 errno_t
186 ipf_addv6_internal(
187 const struct ipf_filter *filter,
188 ipfilter_t *filter_ref)
189 {
190 return ipf_add(filter, filter_ref, &ipv6_filters, true);
191 }
192
193 errno_t
194 ipf_addv6(
195 const struct ipf_filter *filter,
196 ipfilter_t *filter_ref)
197 {
198 return ipf_add(filter, filter_ref, &ipv6_filters, false);
199 }
200
201 static errno_t
202 ipf_input_detached(void *cookie, mbuf_t *data, int offset, u_int8_t protocol)
203 {
204 #pragma unused(cookie, data, offset, protocol)
205
206 #if DEBUG
207 printf("ipf_input_detached\n");
208 #endif /* DEBUG */
209
210 return 0;
211 }
212
213 static errno_t
214 ipf_output_detached(void *cookie, mbuf_t *data, ipf_pktopts_t options)
215 {
216 #pragma unused(cookie, data, options)
217
218 #if DEBUG
219 printf("ipf_output_detached\n");
220 #endif /* DEBUG */
221
222 return 0;
223 }
224
225 errno_t
226 ipf_remove(
227 ipfilter_t filter_ref)
228 {
229 struct ipfilter *match = (struct ipfilter *)filter_ref;
230 struct ipfilter_list *head;
231
232 if (match == 0 || (match->ipf_head != &ipv4_filters && match->ipf_head != &ipv6_filters)) {
233 return EINVAL;
234 }
235
236 head = match->ipf_head;
237
238 lck_mtx_lock(kipf_lock);
239 TAILQ_FOREACH(match, head, ipf_link) {
240 if (match == (struct ipfilter *)filter_ref) {
241 ipf_detach_func ipf_detach = match->ipf_filter.ipf_detach;
242 void* cookie = match->ipf_filter.cookie;
243
244 /*
245 * Cannot detach when they are filters running
246 */
247 if (kipf_ref) {
248 kipf_delayed_remove++;
249 TAILQ_INSERT_TAIL(&tbr_filters, match, ipf_tbr);
250 match->ipf_filter.ipf_input = ipf_input_detached;
251 match->ipf_filter.ipf_output = ipf_output_detached;
252 lck_mtx_unlock(kipf_lock);
253 } else {
254 VERIFY(OSDecrementAtomic64(&net_api_stats.nas_ipf_add_count) > 0);
255
256 TAILQ_REMOVE(head, match, ipf_link);
257 lck_mtx_unlock(kipf_lock);
258
259 if (ipf_detach) {
260 ipf_detach(cookie);
261 }
262 FREE(match, M_IFADDR);
263
264 /* This will force TCP to re-evaluate its use of TSO */
265 OSAddAtomic(-1, &kipf_count);
266 routegenid_update();
267 }
268 return 0;
269 }
270 }
271 lck_mtx_unlock(kipf_lock);
272
273 return ENOENT;
274 }
275
276 int log_for_en1 = 0;
277
278 errno_t
279 ipf_inject_input(
280 mbuf_t data,
281 ipfilter_t filter_ref)
282 {
283 struct mbuf *m = (struct mbuf *)data;
284 struct m_tag *mtag = 0;
285 struct ip *ip = mtod(m, struct ip *);
286 struct ip6_hdr *ip6;
287 u_int8_t vers;
288 int hlen;
289 errno_t error = 0;
290 protocol_family_t proto;
291 struct in_ifaddr *ia = NULL;
292 struct in_addr *pkt_dst = NULL;
293 struct in6_ifaddr *ia6 = NULL;
294 struct sockaddr_in6 pkt_dst6;
295
296 vers = IP_VHL_V(ip->ip_vhl);
297
298 switch (vers) {
299 case 4:
300 proto = PF_INET;
301 break;
302 case 6:
303 proto = PF_INET6;
304 break;
305 default:
306 error = ENOTSUP;
307 goto done;
308 }
309
310 if (filter_ref == 0 && m->m_pkthdr.rcvif == 0) {
311 /*
312 * Search for interface with the local address
313 */
314 switch (proto) {
315 case PF_INET:
316 pkt_dst = &ip->ip_dst;
317 lck_rw_lock_shared(in_ifaddr_rwlock);
318 TAILQ_FOREACH(ia, INADDR_HASH(pkt_dst->s_addr), ia_hash) {
319 if (IA_SIN(ia)->sin_addr.s_addr == pkt_dst->s_addr) {
320 m->m_pkthdr.rcvif = ia->ia_ifp;
321 break;
322 }
323 }
324 lck_rw_done(in_ifaddr_rwlock);
325 break;
326
327 case PF_INET6:
328 ip6 = mtod(m, struct ip6_hdr *);
329 pkt_dst6.sin6_addr = ip6->ip6_dst;
330 lck_rw_lock_shared(&in6_ifaddr_rwlock);
331 for (ia6 = in6_ifaddrs; ia6 != NULL; ia6 = ia6->ia_next) {
332 if (IN6_ARE_ADDR_EQUAL(&ia6->ia_addr.sin6_addr, &pkt_dst6.sin6_addr)) {
333 m->m_pkthdr.rcvif = ia6->ia_ifp;
334 break;
335 }
336 }
337 lck_rw_done(&in6_ifaddr_rwlock);
338 break;
339
340 default:
341 break;
342 }
343
344 /*
345 * If none found, fallback to loopback
346 */
347 if (m->m_pkthdr.rcvif == NULL) {
348 m->m_pkthdr.rcvif = lo_ifp;
349 }
350
351 m->m_pkthdr.csum_data = 0;
352 m->m_pkthdr.csum_flags = 0;
353 if (vers == 4) {
354 hlen = IP_VHL_HL(ip->ip_vhl) << 2;
355 ip->ip_sum = 0;
356 ip->ip_sum = in_cksum(m, hlen);
357 }
358 }
359 if (filter_ref != 0) {
360 mtag = m_tag_create(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT,
361 sizeof(ipfilter_t), M_NOWAIT, m);
362 if (mtag == NULL) {
363 error = ENOMEM;
364 goto done;
365 }
366 *(ipfilter_t *)(mtag + 1) = filter_ref;
367 m_tag_prepend(m, mtag);
368 }
369
370 error = proto_inject(proto, data);
371
372 done:
373 return error;
374 }
375
376 static errno_t
377 ipf_injectv4_out(mbuf_t data, ipfilter_t filter_ref, ipf_pktopts_t options)
378 {
379 struct route ro;
380 struct ip *ip;
381 struct mbuf *m = (struct mbuf *)data;
382 errno_t error = 0;
383 struct m_tag *mtag = NULL;
384 struct ip_moptions *imo = NULL;
385 struct ip_out_args ipoa;
386
387 bzero(&ipoa, sizeof(ipoa));
388 ipoa.ipoa_boundif = IFSCOPE_NONE;
389 ipoa.ipoa_sotc = SO_TC_UNSPEC;
390 ipoa.ipoa_netsvctype = _NET_SERVICE_TYPE_UNSPEC;
391
392 /* Make the IP header contiguous in the mbuf */
393 if ((size_t)m->m_len < sizeof(struct ip)) {
394 m = m_pullup(m, sizeof(struct ip));
395 if (m == NULL) {
396 return ENOMEM;
397 }
398 }
399 ip = (struct ip *)m_mtod(m);
400
401 if (filter_ref != 0) {
402 mtag = m_tag_create(KERNEL_MODULE_TAG_ID,
403 KERNEL_TAG_TYPE_IPFILT, sizeof(ipfilter_t), M_NOWAIT, m);
404 if (mtag == NULL) {
405 m_freem(m);
406 return ENOMEM;
407 }
408 *(ipfilter_t *)(mtag + 1) = filter_ref;
409 m_tag_prepend(m, mtag);
410 }
411
412 if (options != NULL && (options->ippo_flags & IPPOF_MCAST_OPTS) &&
413 (imo = ip_allocmoptions(M_DONTWAIT)) != NULL) {
414 imo->imo_multicast_ifp = options->ippo_mcast_ifnet;
415 imo->imo_multicast_ttl = options->ippo_mcast_ttl;
416 imo->imo_multicast_loop = options->ippo_mcast_loop;
417 }
418
419 if (options != NULL) {
420 if (options->ippo_flags & IPPOF_SELECT_SRCIF) {
421 ipoa.ipoa_flags |= IPOAF_SELECT_SRCIF;
422 }
423 if (options->ippo_flags & IPPOF_BOUND_IF) {
424 ipoa.ipoa_flags |= IPOAF_BOUND_IF;
425 ipoa.ipoa_boundif = options->ippo_flags >>
426 IPPOF_SHIFT_IFSCOPE;
427 }
428 if (options->ippo_flags & IPPOF_NO_IFT_CELLULAR) {
429 ipoa.ipoa_flags |= IPOAF_NO_CELLULAR;
430 }
431 if (options->ippo_flags & IPPOF_BOUND_SRCADDR) {
432 ipoa.ipoa_flags |= IPOAF_BOUND_SRCADDR;
433 }
434 if (options->ippo_flags & IPPOF_NO_IFF_EXPENSIVE) {
435 ipoa.ipoa_flags |= IPOAF_NO_EXPENSIVE;
436 }
437 }
438
439 bzero(&ro, sizeof(struct route));
440
441 /* Put ip_len and ip_off in host byte order, ip_output expects that */
442
443 #if BYTE_ORDER != BIG_ENDIAN
444 NTOHS(ip->ip_len);
445 NTOHS(ip->ip_off);
446 #endif
447
448 /* Send; enforce source interface selection via IP_OUTARGS flag */
449 error = ip_output(m, NULL, &ro,
450 IP_ALLOWBROADCAST | IP_RAWOUTPUT | IP_OUTARGS, imo, &ipoa);
451
452 /* Release the route */
453 ROUTE_RELEASE(&ro);
454
455 if (imo != NULL) {
456 IMO_REMREF(imo);
457 }
458
459 return error;
460 }
461
462 #if INET6
463 static errno_t
464 ipf_injectv6_out(mbuf_t data, ipfilter_t filter_ref, ipf_pktopts_t options)
465 {
466 struct route_in6 ro;
467 struct ip6_hdr *ip6;
468 struct mbuf *m = (struct mbuf *)data;
469 errno_t error = 0;
470 struct m_tag *mtag = NULL;
471 struct ip6_moptions *im6o = NULL;
472 struct ip6_out_args ip6oa;
473
474 bzero(&ip6oa, sizeof(ip6oa));
475 ip6oa.ip6oa_boundif = IFSCOPE_NONE;
476 ip6oa.ip6oa_sotc = SO_TC_UNSPEC;
477 ip6oa.ip6oa_netsvctype = _NET_SERVICE_TYPE_UNSPEC;
478
479 /* Make the IP header contiguous in the mbuf */
480 if ((size_t)m->m_len < sizeof(struct ip6_hdr)) {
481 m = m_pullup(m, sizeof(struct ip6_hdr));
482 if (m == NULL) {
483 return ENOMEM;
484 }
485 }
486 ip6 = (struct ip6_hdr *)m_mtod(m);
487
488 if (filter_ref != 0) {
489 mtag = m_tag_create(KERNEL_MODULE_TAG_ID,
490 KERNEL_TAG_TYPE_IPFILT, sizeof(ipfilter_t), M_NOWAIT, m);
491 if (mtag == NULL) {
492 m_freem(m);
493 return ENOMEM;
494 }
495 *(ipfilter_t *)(mtag + 1) = filter_ref;
496 m_tag_prepend(m, mtag);
497 }
498
499 if (options != NULL && (options->ippo_flags & IPPOF_MCAST_OPTS) &&
500 (im6o = ip6_allocmoptions(M_DONTWAIT)) != NULL) {
501 im6o->im6o_multicast_ifp = options->ippo_mcast_ifnet;
502 im6o->im6o_multicast_hlim = options->ippo_mcast_ttl;
503 im6o->im6o_multicast_loop = options->ippo_mcast_loop;
504 }
505
506 if (options != NULL) {
507 if (options->ippo_flags & IPPOF_SELECT_SRCIF) {
508 ip6oa.ip6oa_flags |= IP6OAF_SELECT_SRCIF;
509 }
510 if (options->ippo_flags & IPPOF_BOUND_IF) {
511 ip6oa.ip6oa_flags |= IP6OAF_BOUND_IF;
512 ip6oa.ip6oa_boundif = options->ippo_flags >>
513 IPPOF_SHIFT_IFSCOPE;
514 }
515 if (options->ippo_flags & IPPOF_NO_IFT_CELLULAR) {
516 ip6oa.ip6oa_flags |= IP6OAF_NO_CELLULAR;
517 }
518 if (options->ippo_flags & IPPOF_BOUND_SRCADDR) {
519 ip6oa.ip6oa_flags |= IP6OAF_BOUND_SRCADDR;
520 }
521 if (options->ippo_flags & IPPOF_NO_IFF_EXPENSIVE) {
522 ip6oa.ip6oa_flags |= IP6OAF_NO_EXPENSIVE;
523 }
524 }
525
526 bzero(&ro, sizeof(struct route_in6));
527
528 /*
529 * Send mbuf and ifscope information. Check for correctness
530 * of ifscope information is done while searching for a route in
531 * ip6_output.
532 */
533 error = ip6_output(m, NULL, &ro, IPV6_OUTARGS, im6o, NULL, &ip6oa);
534
535 /* Release the route */
536 ROUTE_RELEASE(&ro);
537
538 if (im6o != NULL) {
539 IM6O_REMREF(im6o);
540 }
541
542 return error;
543 }
544 #endif /* INET6 */
545
546 errno_t
547 ipf_inject_output(
548 mbuf_t data,
549 ipfilter_t filter_ref,
550 ipf_pktopts_t options)
551 {
552 struct mbuf *m = (struct mbuf *)data;
553 u_int8_t vers;
554 errno_t error = 0;
555
556 /* Make one byte of the header contiguous in the mbuf */
557 if (m->m_len < 1) {
558 m = m_pullup(m, 1);
559 if (m == NULL) {
560 goto done;
561 }
562 }
563
564 vers = (*(u_int8_t *)m_mtod(m)) >> 4;
565 switch (vers) {
566 case 4:
567 error = ipf_injectv4_out(data, filter_ref, options);
568 break;
569 #if INET6
570 case 6:
571 error = ipf_injectv6_out(data, filter_ref, options);
572 break;
573 #endif
574 default:
575 m_freem(m);
576 error = ENOTSUP;
577 break;
578 }
579
580 done:
581 return error;
582 }
583
584 __private_extern__ ipfilter_t
585 ipf_get_inject_filter(struct mbuf *m)
586 {
587 ipfilter_t filter_ref = 0;
588 struct m_tag *mtag;
589
590 mtag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT, NULL);
591 if (mtag) {
592 filter_ref = *(ipfilter_t *)(mtag + 1);
593
594 m_tag_delete(m, mtag);
595 }
596 return filter_ref;
597 }
598
599 __private_extern__ int
600 ipf_init(void)
601 {
602 int error = 0;
603 lck_grp_attr_t *grp_attributes = 0;
604 lck_attr_t *lck_attributes = 0;
605 lck_grp_t *lck_grp = 0;
606
607 grp_attributes = lck_grp_attr_alloc_init();
608 if (grp_attributes == 0) {
609 printf("ipf_init: lck_grp_attr_alloc_init failed\n");
610 error = ENOMEM;
611 goto done;
612 }
613
614 lck_grp = lck_grp_alloc_init("IP Filter", grp_attributes);
615 if (lck_grp == 0) {
616 printf("ipf_init: lck_grp_alloc_init failed\n");
617 error = ENOMEM;
618 goto done;
619 }
620
621 lck_attributes = lck_attr_alloc_init();
622 if (lck_attributes == 0) {
623 printf("ipf_init: lck_attr_alloc_init failed\n");
624 error = ENOMEM;
625 goto done;
626 }
627
628 lck_mtx_init(kipf_lock, lck_grp, lck_attributes);
629
630 done:
631 if (lck_grp) {
632 lck_grp_free(lck_grp);
633 lck_grp = 0;
634 }
635 if (grp_attributes) {
636 lck_grp_attr_free(grp_attributes);
637 grp_attributes = 0;
638 }
639 if (lck_attributes) {
640 lck_attr_free(lck_attributes);
641 lck_attributes = 0;
642 }
643
644 return error;
645 }
mirror of XNU