]> git.saurik.com Git - apple/xnu.git/blob - bsd/netinet/ip_divert.c
projects / apple / xnu.git / blob
? search:


512c65ca78c857f068d7f5d7abec49dc3bfa7c19
[apple/xnu.git] / bsd / netinet / ip_divert.c
1 /*
2 * Copyright (c) 2000 Apple Computer, Inc. All rights reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * Copyright (c) 1999-2003 Apple Computer, Inc. All Rights Reserved.
7 *
8 * This file contains Original Code and/or Modifications of Original Code
9 * as defined in and that are subject to the Apple Public Source License
10 * Version 2.0 (the 'License'). You may not use this file except in
11 * compliance with the License. Please obtain a copy of the License at
12 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * file.
14 *
15 * The Original Code and all software distributed under the License are
16 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
17 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
18 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
19 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
20 * Please see the License for the specific language governing rights and
21 * limitations under the License.
22 *
23 * @APPLE_LICENSE_HEADER_END@
24 */
25 /*
26 * Copyright (c) 1982, 1986, 1988, 1993
27 * The Regents of the University of California. All rights reserved.
28 *
29 * Redistribution and use in source and binary forms, with or without
30 * modification, are permitted provided that the following conditions
31 * are met:
32 * 1. Redistributions of source code must retain the above copyright
33 * notice, this list of conditions and the following disclaimer.
34 * 2. Redistributions in binary form must reproduce the above copyright
35 * notice, this list of conditions and the following disclaimer in the
36 * documentation and/or other materials provided with the distribution.
37 * 3. All advertising materials mentioning features or use of this software
38 * must display the following acknowledgement:
39 * This product includes software developed by the University of
40 * California, Berkeley and its contributors.
41 * 4. Neither the name of the University nor the names of its contributors
42 * may be used to endorse or promote products derived from this software
43 * without specific prior written permission.
44 *
45 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
46 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
47 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
48 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
49 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
50 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
51 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
53 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
54 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
55 * SUCH DAMAGE.
56 *
57 * $FreeBSD: src/sys/netinet/ip_divert.c,v 1.42.2.4 2001/07/29 19:32:40 ume Exp $
58 */
59
60
61 #ifndef INET
62 #error "IPDIVERT requires INET."
63 #endif
64
65 #include <sys/param.h>
66 #include <sys/kernel.h>
67 #include <sys/malloc.h>
68 #include <sys/mbuf.h>
69 #include <sys/socket.h>
70 #include <sys/protosw.h>
71 #include <sys/socketvar.h>
72 #include <sys/sysctl.h>
73 #include <sys/systm.h>
74 #include <sys/proc.h>
75
76
77 #include <net/if.h>
78 #include <net/route.h>
79
80 #include <netinet/in.h>
81 #include <netinet/in_systm.h>
82 #include <netinet/ip.h>
83 #include <netinet/in_pcb.h>
84 #include <netinet/in_var.h>
85 #include <netinet/ip_var.h>
86
87 /*
88 * Divert sockets
89 */
90
91 /*
92 * Allocate enough space to hold a full IP packet
93 */
94 #define DIVSNDQ (65536 + 100)
95 #define DIVRCVQ (65536 + 100)
96
97 /*
98 * A 16 bit cookie is passed to and from the user process.
99 * The user process can send it back to help the caller know
100 * something about where the packet originally came from.
101 *
102 * In the case of ipfw, then the cookie is the rule that sent
103 * us here. On reinjection is is the rule after which processing
104 * should continue. Leaving it the same will make processing start
105 * at the rule number after that which sent it here. Setting it to
106 * 0 will restart processing at the beginning.
107 *
108 * For divert_packet(), ip_divert_cookie is an input value only.
109 * For div_output(), ip_divert_cookie is an output value only.
110 */
111 u_int16_t ip_divert_cookie;
112
113 /* Internal variables */
114 static struct inpcbhead divcb;
115 static struct inpcbinfo divcbinfo;
116
117 static u_long div_sendspace = DIVSNDQ; /* XXX sysctl ? */
118 static u_long div_recvspace = DIVRCVQ; /* XXX sysctl ? */
119
120 /* Optimization: have this preinitialized */
121 static struct sockaddr_in divsrc = { sizeof(divsrc), AF_INET };
122
123 /* Internal functions */
124 static int div_output(struct socket *so,
125 struct mbuf *m, struct sockaddr *addr, struct mbuf *control);
126
127 /*
128 * Initialize divert connection block queue.
129 */
130 void
131 div_init(void)
132 {
133 LIST_INIT(&divcb);
134 divcbinfo.listhead = &divcb;
135 /*
136 * XXX We don't use the hash list for divert IP, but it's easier
137 * to allocate a one entry hash list than it is to check all
138 * over the place for hashbase == NULL.
139 */
140 divcbinfo.hashbase = hashinit(1, M_PCB, &divcbinfo.hashmask);
141 divcbinfo.porthashbase = hashinit(1, M_PCB, &divcbinfo.porthashmask);
142 divcbinfo.ipi_zone = (void *) zinit(sizeof(struct inpcb),(maxsockets * sizeof(struct inpcb)),
143 4096, "divzone");
144
145 /*
146 * ### LD 08/03: init IP forwarding at this point [ipfw is not a module yet]
147 */
148 #if !IPFIREWALL_KEXT
149 ip_fw_init();
150 #endif
151 }
152
153 /*
154 * IPPROTO_DIVERT is not a real IP protocol; don't allow any packets
155 * with that protocol number to enter the system from the outside.
156 */
157 void
158 div_input(struct mbuf *m, int off)
159 {
160 ipstat.ips_noproto++;
161 m_freem(m);
162 }
163
164 /*
165 * Divert a packet by passing it up to the divert socket at port 'port'.
166 *
167 * Setup generic address and protocol structures for div_input routine,
168 * then pass them along with mbuf chain.
169 */
170 void
171 divert_packet(struct mbuf *m, int incoming, int port)
172 {
173 struct ip *ip;
174 struct inpcb *inp;
175 struct socket *sa;
176 u_int16_t nport;
177
178 /* Sanity check */
179 KASSERT(port != 0, ("%s: port=0", __FUNCTION__));
180
181 /* Record and reset divert cookie */
182 divsrc.sin_port = ip_divert_cookie;
183 ip_divert_cookie = 0;
184
185 /* Assure header */
186 if (m->m_len < sizeof(struct ip) &&
187 (m = m_pullup(m, sizeof(struct ip))) == 0) {
188 return;
189 }
190 ip = mtod(m, struct ip *);
191
192 /*
193 * Record receive interface address, if any.
194 * But only for incoming packets.
195 */
196 divsrc.sin_addr.s_addr = 0;
197 if (incoming) {
198 struct ifaddr *ifa;
199
200 /* Sanity check */
201 KASSERT((m->m_flags & M_PKTHDR), ("%s: !PKTHDR", __FUNCTION__));
202
203 /* Find IP address for receive interface */
204 TAILQ_FOREACH(ifa, &m->m_pkthdr.rcvif->if_addrhead, ifa_link) {
205 if (ifa->ifa_addr == NULL)
206 continue;
207 if (ifa->ifa_addr->sa_family != AF_INET)
208 continue;
209 divsrc.sin_addr =
210 ((struct sockaddr_in *) ifa->ifa_addr)->sin_addr;
211 break;
212 }
213 }
214 /*
215 * Record the incoming interface name whenever we have one.
216 */
217 bzero(&divsrc.sin_zero, sizeof(divsrc.sin_zero));
218 if (m->m_pkthdr.rcvif) {
219 /*
220 * Hide the actual interface name in there in the
221 * sin_zero array. XXX This needs to be moved to a
222 * different sockaddr type for divert, e.g.
223 * sockaddr_div with multiple fields like
224 * sockaddr_dl. Presently we have only 7 bytes
225 * but that will do for now as most interfaces
226 * are 4 or less + 2 or less bytes for unit.
227 * There is probably a faster way of doing this,
228 * possibly taking it from the sockaddr_dl on the iface.
229 * This solves the problem of a P2P link and a LAN interface
230 * having the same address, which can result in the wrong
231 * interface being assigned to the packet when fed back
232 * into the divert socket. Theoretically if the daemon saves
233 * and re-uses the sockaddr_in as suggested in the man pages,
234 * this iface name will come along for the ride.
235 * (see div_output for the other half of this.)
236 */
237 snprintf(divsrc.sin_zero, sizeof(divsrc.sin_zero),
238 "%s%d", m->m_pkthdr.rcvif->if_name,
239 m->m_pkthdr.rcvif->if_unit);
240 }
241
242 /* Put packet on socket queue, if any */
243 sa = NULL;
244 nport = htons((u_int16_t)port);
245 LIST_FOREACH(inp, &divcb, inp_list) {
246 if (inp->inp_lport == nport)
247 sa = inp->inp_socket;
248 }
249 if (sa) {
250 if (sbappendaddr(&sa->so_rcv, (struct sockaddr *)&divsrc,
251 m, (struct mbuf *)0) == 0)
252 m_freem(m);
253 else
254 sorwakeup(sa);
255 } else {
256 m_freem(m);
257 ipstat.ips_noproto++;
258 ipstat.ips_delivered--;
259 }
260 }
261
262 /*
263 * Deliver packet back into the IP processing machinery.
264 *
265 * If no address specified, or address is 0.0.0.0, send to ip_output();
266 * otherwise, send to ip_input() and mark as having been received on
267 * the interface with that address.
268 */
269 static int
270 div_output(so, m, addr, control)
271 struct socket *so;
272 register struct mbuf *m;
273 struct sockaddr *addr;
274 struct mbuf *control;
275 {
276 register struct inpcb *const inp = sotoinpcb(so);
277 register struct ip *const ip = mtod(m, struct ip *);
278 struct sockaddr_in *sin = (struct sockaddr_in *)addr;
279 int error = 0;
280
281 if (control)
282 m_freem(control); /* XXX */
283
284 /* Loopback avoidance and state recovery */
285 if (sin) {
286 int len = 0;
287 char *c = sin->sin_zero;
288
289 ip_divert_cookie = sin->sin_port;
290
291 /*
292 * Find receive interface with the given name or IP address.
293 * The name is user supplied data so don't trust it's size or
294 * that it is zero terminated. The name has priority.
295 * We are presently assuming that the sockaddr_in
296 * has not been replaced by a sockaddr_div, so we limit it
297 * to 16 bytes in total. the name is stuffed (if it exists)
298 * in the sin_zero[] field.
299 */
300 while (*c++ && (len++ < sizeof(sin->sin_zero)));
301 if ((len > 0) && (len < sizeof(sin->sin_zero)))
302 m->m_pkthdr.rcvif = ifunit(sin->sin_zero);
303 } else {
304 ip_divert_cookie = 0;
305 }
306
307 /* Reinject packet into the system as incoming or outgoing */
308 if (!sin || sin->sin_addr.s_addr == 0) {
309 /*
310 * Don't allow both user specified and setsockopt options,
311 * and don't allow packet length sizes that will crash
312 */
313 if (((ip->ip_hl != (sizeof (*ip) >> 2)) && inp->inp_options) ||
314 ((u_short)ntohs(ip->ip_len) > m->m_pkthdr.len)) {
315 error = EINVAL;
316 goto cantsend;
317 }
318
319 /* Convert fields to host order for ip_output() */
320 NTOHS(ip->ip_len);
321 NTOHS(ip->ip_off);
322
323 /* Send packet to output processing */
324 ipstat.ips_rawout++; /* XXX */
325 error = ip_output(m, inp->inp_options, &inp->inp_route,
326 (so->so_options & SO_DONTROUTE) |
327 IP_ALLOWBROADCAST | IP_RAWOUTPUT,
328 inp->inp_moptions);
329 } else {
330 struct ifaddr *ifa;
331
332 /* If no luck with the name above. check by IP address. */
333 if (m->m_pkthdr.rcvif == NULL) {
334 /*
335 * Make sure there are no distractions
336 * for ifa_ifwithaddr. Clear the port and the ifname.
337 * Maybe zap all 8 bytes at once using a 64bit write?
338 */
339 bzero(sin->sin_zero, sizeof(sin->sin_zero));
340 /* *((u_int64_t *)sin->sin_zero) = 0; */ /* XXX ?? */
341 sin->sin_port = 0;
342 if (!(ifa = ifa_ifwithaddr((struct sockaddr *) sin))) {
343 error = EADDRNOTAVAIL;
344 goto cantsend;
345 }
346 m->m_pkthdr.rcvif = ifa->ifa_ifp;
347 }
348
349 /* Send packet to input processing */
350 ip_input(m);
351 }
352
353 /* paranoid: Reset for next time (and other packets) */
354 /* almost definitly already done in the ipfw filter but.. */
355 ip_divert_cookie = 0;
356 return error;
357
358 cantsend:
359 m_freem(m);
360 ip_divert_cookie = 0;
361 return error;
362 }
363
364 static int
365 div_attach(struct socket *so, int proto, struct proc *p)
366 {
367 struct inpcb *inp;
368 int error, s;
369
370 inp = sotoinpcb(so);
371 if (inp)
372 panic("div_attach");
373 if (p && (error = suser(p->p_ucred, &p->p_acflag)) != 0)
374 return error;
375
376 error = soreserve(so, div_sendspace, div_recvspace);
377 if (error)
378 return error;
379 s = splnet();
380 error = in_pcballoc(so, &divcbinfo, p);
381 splx(s);
382 if (error)
383 return error;
384 inp = (struct inpcb *)so->so_pcb;
385 inp->inp_ip_p = proto;
386 inp->inp_vflag |= INP_IPV4;
387 inp->inp_flags |= INP_HDRINCL;
388 /* The socket is always "connected" because
389 we always know "where" to send the packet */
390 so->so_state |= SS_ISCONNECTED;
391 return 0;
392 }
393
394 static int
395 div_detach(struct socket *so)
396 {
397 struct inpcb *inp;
398
399 inp = sotoinpcb(so);
400 if (inp == 0)
401 panic("div_detach");
402 in_pcbdetach(inp);
403 return 0;
404 }
405
406 static int
407 div_abort(struct socket *so)
408 {
409 soisdisconnected(so);
410 return div_detach(so);
411 }
412
413 static int
414 div_disconnect(struct socket *so)
415 {
416 if ((so->so_state & SS_ISCONNECTED) == 0)
417 return ENOTCONN;
418 return div_abort(so);
419 }
420
421 static int
422 div_bind(struct socket *so, struct sockaddr *nam, struct proc *p)
423 {
424 struct inpcb *inp;
425 int s;
426 int error;
427
428 s = splnet();
429 inp = sotoinpcb(so);
430 /* in_pcbbind assumes that the socket is a sockaddr_in
431 * and in_pcbbind requires a valid address. Since divert
432 * sockets don't we need to make sure the address is
433 * filled in properly.
434 * XXX -- divert should not be abusing in_pcbind
435 * and should probably have its own family.
436 */
437 if (nam->sa_family != AF_INET) {
438 error = EAFNOSUPPORT;
439 } else {
440 ((struct sockaddr_in *)nam)->sin_addr.s_addr = INADDR_ANY;
441 error = in_pcbbind(inp, nam, p);
442 }
443 splx(s);
444 return error;
445 }
446
447 static int
448 div_shutdown(struct socket *so)
449 {
450 socantsendmore(so);
451 return 0;
452 }
453
454 static int
455 div_send(struct socket *so, int flags, struct mbuf *m, struct sockaddr *nam,
456 struct mbuf *control, struct proc *p)
457 {
458 /* Packet must have a header (but that's about it) */
459 if (m->m_len < sizeof (struct ip) &&
460 (m = m_pullup(m, sizeof (struct ip))) == 0) {
461 ipstat.ips_toosmall++;
462 m_freem(m);
463 return EINVAL;
464 }
465
466 /* Send packet */
467 return div_output(so, m, nam, control);
468 }
469
470 static int
471 div_pcblist SYSCTL_HANDLER_ARGS
472 {
473 int error, i, n, s;
474 struct inpcb *inp, **inp_list;
475 inp_gen_t gencnt;
476 struct xinpgen xig;
477
478 /*
479 * The process of preparing the TCB list is too time-consuming and
480 * resource-intensive to repeat twice on every request.
481 */
482 if (req->oldptr == 0) {
483 n = divcbinfo.ipi_count;
484 req->oldidx = 2 * (sizeof xig)
485 + (n + n/8) * sizeof(struct xinpcb);
486 return 0;
487 }
488
489 if (req->newptr != 0)
490 return EPERM;
491
492 /*
493 * OK, now we're committed to doing something.
494 */
495 s = splnet();
496 gencnt = divcbinfo.ipi_gencnt;
497 n = divcbinfo.ipi_count;
498 splx(s);
499
500 xig.xig_len = sizeof xig;
501 xig.xig_count = n;
502 xig.xig_gen = gencnt;
503 xig.xig_sogen = so_gencnt;
504 error = SYSCTL_OUT(req, &xig, sizeof xig);
505 if (error)
506 return error;
507
508 inp_list = _MALLOC(n * sizeof *inp_list, M_TEMP, M_WAITOK);
509 if (inp_list == 0)
510 return ENOMEM;
511
512 s = splnet();
513 for (inp = LIST_FIRST(divcbinfo.listhead), i = 0; inp && i < n;
514 inp = LIST_NEXT(inp, inp_list)) {
515 #ifdef __APPLE__
516 if (inp->inp_gencnt <= gencnt)
517 #else
518 if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp))
519 #endif
520 inp_list[i++] = inp;
521 }
522 splx(s);
523 n = i;
524
525 error = 0;
526 for (i = 0; i < n; i++) {
527 inp = inp_list[i];
528 if (inp->inp_gencnt <= gencnt) {
529 struct xinpcb xi;
530 xi.xi_len = sizeof xi;
531 /* XXX should avoid extra copy */
532 bcopy(inp, &xi.xi_inp, sizeof *inp);
533 if (inp->inp_socket)
534 sotoxsocket(inp->inp_socket, &xi.xi_socket);
535 error = SYSCTL_OUT(req, &xi, sizeof xi);
536 }
537 }
538 if (!error) {
539 /*
540 * Give the user an updated idea of our state.
541 * If the generation differs from what we told
542 * her before, she knows that something happened
543 * while we were processing this request, and it
544 * might be necessary to retry.
545 */
546 s = splnet();
547 xig.xig_gen = divcbinfo.ipi_gencnt;
548 xig.xig_sogen = so_gencnt;
549 xig.xig_count = divcbinfo.ipi_count;
550 splx(s);
551 error = SYSCTL_OUT(req, &xig, sizeof xig);
552 }
553 FREE(inp_list, M_TEMP);
554 return error;
555 }
556
557 #warning Fix SYSCTL net_inet_divert
558 #if 0
559 SYSCTL_DECL(_net_inet_divert);
560 SYSCTL_PROC(_net_inet_divert, OID_AUTO, pcblist, CTLFLAG_RD, 0, 0,
561 div_pcblist, "S,xinpcb", "List of active divert sockets");
562 #endif
563
564 struct pr_usrreqs div_usrreqs = {
565 div_abort, pru_accept_notsupp, div_attach, div_bind,
566 pru_connect_notsupp, pru_connect2_notsupp, in_control, div_detach,
567 div_disconnect, pru_listen_notsupp, in_setpeeraddr, pru_rcvd_notsupp,
568 pru_rcvoob_notsupp, div_send, pru_sense_null, div_shutdown,
569 in_setsockaddr, sosend, soreceive, sopoll
570 };
mirror of XNU