]> git.saurik.com Git - apple/xnu.git/blob - bsd/net/iptap.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-4570.1.46.tar.gz
[apple/xnu.git] / bsd / net / iptap.c
1 /*
2 * Copyright (c) 1999-2017 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 #include <kern/locks.h>
30
31 #include <sys/types.h>
32 #include <sys/kernel_types.h>
33 #include <sys/kauth.h>
34 #include <sys/socket.h>
35 #include <sys/socketvar.h>
36 #include <sys/sockio.h>
37 #include <sys/sysctl.h>
38 #include <sys/proc.h>
39
40 #include <net/if.h>
41 #include <net/if_var.h>
42 #include <net/if_types.h>
43 #include <net/bpf.h>
44 #include <net/net_osdep.h>
45 #include <net/pktap.h>
46 #include <net/iptap.h>
47
48 #include <netinet/in_pcb.h>
49 #include <netinet/tcp.h>
50 #include <netinet/tcp_var.h>
51 #define _IP_VHL
52 #include <netinet/ip.h>
53 #include <netinet/ip_var.h>
54 #include <netinet/udp.h>
55 #include <netinet/udp_var.h>
56
57 #include <netinet/ip6.h>
58 #include <netinet6/in6_pcb.h>
59
60 #include <netinet/kpi_ipfilter.h>
61
62 #include <libkern/OSAtomic.h>
63
64 #include <kern/debug.h>
65
66 #include <sys/mcache.h>
67
68 #include <string.h>
69
70 struct iptap_softc {
71 LIST_ENTRY(iptap_softc) iptap_link;
72 uint32_t iptap_unit;
73 uint32_t iptap_dlt_raw_count;
74 uint32_t iptap_dlt_pkttap_count;
75 struct ifnet *iptap_ifp;
76 };
77
78 static LIST_HEAD(iptap_list, iptap_softc) iptap_list = LIST_HEAD_INITIALIZER(iptap_list);
79
80 static void iptap_lock_shared(void);
81 static void iptap_lock_exclusive(void);
82 static void iptap_lock_done(void);
83 static void iptap_alloc_lock(void);
84
85 decl_lck_rw_data(static, iptap_lck_rw);
86 static lck_grp_t *iptap_grp;
87
88 errno_t iptap_if_output(ifnet_t, mbuf_t);
89 errno_t iptap_demux(ifnet_t , mbuf_t, char *, protocol_family_t *);
90 errno_t iptap_add_proto(ifnet_t, protocol_family_t, const struct ifnet_demux_desc *,
91 u_int32_t);
92 errno_t iptap_del_proto(ifnet_t, protocol_family_t);
93 errno_t iptap_getdrvspec(ifnet_t , struct ifdrv64 *);
94 errno_t iptap_ioctl(ifnet_t, unsigned long, void *);
95 void iptap_detach(ifnet_t);
96 errno_t iptap_tap_callback(ifnet_t , u_int32_t , bpf_tap_mode );
97 int iptap_clone_create(struct if_clone *, u_int32_t, void *);
98 int iptap_clone_destroy(struct ifnet *);
99
100 static int iptap_ipf_register(void);
101 static int iptap_ipf_unregister(void);
102 static errno_t iptap_ipf_input(void *, mbuf_t *, int, u_int8_t);
103 static errno_t iptap_ipf_output(void *, mbuf_t *, ipf_pktopts_t);
104 static void iptap_ipf_detach(void *);
105
106 static ipfilter_t iptap_ipf4, iptap_ipf6;
107
108 void iptap_bpf_tap(struct mbuf *m, u_int32_t proto, int outgoing);
109
110 static struct if_clone iptap_cloner =
111 IF_CLONE_INITIALIZER(IPTAP_IFNAME,
112 iptap_clone_create,
113 iptap_clone_destroy,
114 0,
115 IF_MAXUNIT);
116
117 SYSCTL_DECL(_net_link);
118 SYSCTL_NODE(_net_link, OID_AUTO, iptap, CTLFLAG_RW|CTLFLAG_LOCKED, 0,
119 "iptap virtual interface");
120
121 static int iptap_total_tap_count = 0;
122 SYSCTL_INT(_net_link_iptap, OID_AUTO, total_tap_count, CTLFLAG_RD | CTLFLAG_LOCKED,
123 &iptap_total_tap_count, 0, "");
124
125 static int iptap_log = 0;
126 SYSCTL_INT(_net_link_iptap, OID_AUTO, log, CTLFLAG_RW | CTLFLAG_LOCKED,
127 &iptap_log, 0, "");
128
129 #define IPTAP_LOG(fmt, ...) \
130 do { \
131 if ((iptap_log)) \
132 printf("%s:%d " fmt, __FUNCTION__, __LINE__, ##__VA_ARGS__); \
133 } while(false)
134
135 __private_extern__ void
136 iptap_init(void)
137 {
138 errno_t error;
139
140 iptap_alloc_lock();
141
142 error = if_clone_attach(&iptap_cloner);
143 if (error != 0)
144 panic("%s: if_clone_attach() failed, error %d\n", __func__, error);
145 }
146
147 static void
148 iptap_alloc_lock(void)
149 {
150 lck_grp_attr_t *grp_attr;
151 lck_attr_t *attr;
152
153 grp_attr = lck_grp_attr_alloc_init();
154 lck_grp_attr_setdefault(grp_attr);
155 iptap_grp = lck_grp_alloc_init(IPTAP_IFNAME, grp_attr);
156 lck_grp_attr_free(grp_attr);
157
158 attr = lck_attr_alloc_init();
159 lck_attr_setdefault(attr);
160
161 lck_rw_init(&iptap_lck_rw, iptap_grp, attr);
162 lck_attr_free(attr);
163 }
164
165 static void
166 iptap_lock_shared(void)
167 {
168 lck_rw_lock_shared(&iptap_lck_rw);
169 }
170
171 static void
172 iptap_lock_exclusive(void)
173 {
174 lck_rw_lock_exclusive(&iptap_lck_rw);
175 }
176
177 static void
178 iptap_lock_done(void)
179 {
180 lck_rw_done(&iptap_lck_rw);
181 }
182
183 __private_extern__ int
184 iptap_clone_create(struct if_clone *ifc, u_int32_t unit, void *params)
185 {
186 #pragma unused(params)
187
188 int error = 0;
189 struct iptap_softc *iptap = NULL;
190 struct ifnet_init_eparams if_init;
191
192 iptap = _MALLOC(sizeof(struct iptap_softc), M_DEVBUF, M_WAITOK | M_ZERO);
193 if (iptap == NULL) {
194 printf("%s: _MALLOC failed\n", __func__);
195 error = ENOMEM;
196 goto done;
197 }
198 iptap->iptap_unit = unit;
199
200 /*
201 * We do not use a set_bpf_tap() function as we rather rely on the more
202 * accurate callback passed to bpf_attach()
203 */
204 bzero(&if_init, sizeof(if_init));
205 if_init.ver = IFNET_INIT_CURRENT_VERSION;
206 if_init.len = sizeof (if_init);
207 if_init.flags = IFNET_INIT_LEGACY;
208 if_init.name = ifc->ifc_name;
209 if_init.unit = unit;
210 if_init.type = IFT_OTHER;
211 if_init.family = IFNET_FAMILY_LOOPBACK;
212 if_init.output = iptap_if_output;
213 if_init.demux = iptap_demux;
214 if_init.add_proto = iptap_add_proto;
215 if_init.del_proto = iptap_del_proto;
216 if_init.softc = iptap;
217 if_init.ioctl = iptap_ioctl;
218 if_init.detach = iptap_detach;
219
220 error = ifnet_allocate_extended(&if_init, &iptap->iptap_ifp);
221 if (error != 0) {
222 printf("%s: ifnet_allocate failed, error %d\n", __func__, error);
223 goto done;
224 }
225
226 ifnet_set_flags(iptap->iptap_ifp, IFF_UP, IFF_UP);
227
228 error = ifnet_attach(iptap->iptap_ifp, NULL);
229 if (error != 0) {
230 printf("%s: ifnet_attach failed - error %d\n", __func__, error);
231 ifnet_release(iptap->iptap_ifp);
232 goto done;
233 }
234
235 /*
236 * Attach by default as DLT_PKTAP for packet metadata
237 * Provide DLT_RAW for legacy
238 */
239 bpf_attach(iptap->iptap_ifp, DLT_PKTAP, sizeof(struct pktap_header), NULL,
240 iptap_tap_callback);
241 bpf_attach(iptap->iptap_ifp, DLT_RAW, 0, NULL,
242 iptap_tap_callback);
243
244 /* Take a reference and add to the global list */
245 ifnet_reference(iptap->iptap_ifp);
246
247 iptap_lock_exclusive();
248
249 if (LIST_EMPTY(&iptap_list))
250 iptap_ipf_register();
251 LIST_INSERT_HEAD(&iptap_list, iptap, iptap_link);
252 iptap_lock_done();
253 done:
254 if (error != 0) {
255 if (iptap != NULL)
256 _FREE(iptap, M_DEVBUF);
257 }
258 return (error);
259 }
260
261 __private_extern__ int
262 iptap_clone_destroy(struct ifnet *ifp)
263 {
264 int error = 0;
265
266 (void) ifnet_detach(ifp);
267
268 return (error);
269 }
270
271 /*
272 * This function is called whenever a DLT is set on the interface:
273 * - When interface is attached to a BPF device via BIOCSETIF for the default DLT
274 * - Whenever a new DLT is selected via BIOCSDLT
275 * - When the interface is detached from a BPF device (direction is zero)
276 */
277 __private_extern__ errno_t
278 iptap_tap_callback(ifnet_t ifp, u_int32_t dlt, bpf_tap_mode direction)
279 {
280 struct iptap_softc *iptap;
281
282 iptap = ifp->if_softc;
283 if (iptap == NULL) {
284 printf("%s: if_softc is NULL for ifp %s\n", __func__,
285 ifp->if_xname);
286 goto done;
287 }
288 switch (dlt) {
289 case DLT_RAW:
290 if (direction == 0) {
291 if (iptap->iptap_dlt_raw_count > 0) {
292 iptap->iptap_dlt_raw_count--;
293 OSAddAtomic(-1, &iptap_total_tap_count);
294
295 }
296 } else {
297 iptap->iptap_dlt_raw_count++;
298 OSAddAtomic(1, &iptap_total_tap_count);
299 }
300 break;
301 case DLT_PKTAP:
302 if (direction == 0) {
303 if (iptap->iptap_dlt_pkttap_count > 0) {
304 iptap->iptap_dlt_pkttap_count--;
305 OSAddAtomic(-1, &iptap_total_tap_count);
306 }
307 } else {
308 iptap->iptap_dlt_pkttap_count++;
309 OSAddAtomic(1, &iptap_total_tap_count);
310 }
311 break;
312 }
313 done:
314 /*
315 * Attachements count must be positive and we're in trouble
316 * if we have more that 2**31 attachements
317 */
318 VERIFY(iptap_total_tap_count >= 0);
319
320 return (0);
321 }
322
323 __private_extern__ errno_t
324 iptap_if_output(ifnet_t ifp, mbuf_t m)
325 {
326 #pragma unused(ifp)
327
328 mbuf_freem(m);
329 return (ENOTSUP);
330 }
331
332 __private_extern__ errno_t
333 iptap_demux(ifnet_t ifp, mbuf_t m, char *header,
334 protocol_family_t *ppf)
335 {
336 #pragma unused(ifp)
337 #pragma unused(m)
338 #pragma unused(header)
339 #pragma unused(ppf)
340
341 return (ENOTSUP);
342 }
343
344 __private_extern__ errno_t
345 iptap_add_proto(ifnet_t ifp, protocol_family_t pf,
346 const struct ifnet_demux_desc *dmx, u_int32_t cnt)
347 {
348 #pragma unused(ifp)
349 #pragma unused(pf)
350 #pragma unused(dmx)
351 #pragma unused(cnt)
352
353 return (0);
354 }
355
356 __private_extern__ errno_t
357 iptap_del_proto(ifnet_t ifp, protocol_family_t pf)
358 {
359 #pragma unused(ifp)
360 #pragma unused(pf)
361
362 return (0);
363 }
364
365 __private_extern__ errno_t
366 iptap_getdrvspec(ifnet_t ifp, struct ifdrv64 *ifd)
367 {
368 errno_t error = 0;
369 struct iptap_softc *iptap;
370
371 iptap = ifp->if_softc;
372 if (iptap == NULL) {
373 error = ENOENT;
374 printf("%s: iptap NULL - error %d\n", __func__, error);
375 goto done;
376 }
377
378 switch (ifd->ifd_cmd) {
379 case PKTP_CMD_TAP_COUNT: {
380 uint32_t tap_count = iptap->iptap_dlt_raw_count + iptap->iptap_dlt_pkttap_count;
381
382 if (ifd->ifd_len < sizeof(tap_count)) {
383 printf("%s: PKTP_CMD_TAP_COUNT ifd_len %llu too small - error %d\n",
384 __func__, ifd->ifd_len, error);
385 error = EINVAL;
386 break;
387 }
388 error = copyout(&tap_count, ifd->ifd_data, sizeof(tap_count));
389 if (error) {
390 printf("%s: PKTP_CMD_TAP_COUNT copyout - error %d\n", __func__, error);
391 goto done;
392 }
393 break;
394 }
395 default:
396 error = EINVAL;
397 break;
398 }
399
400 done:
401 return (error);
402 }
403
404 __private_extern__ errno_t
405 iptap_ioctl(ifnet_t ifp, unsigned long cmd, void *data)
406 {
407 errno_t error = 0;
408
409 if ((cmd & IOC_IN)) {
410 error = kauth_authorize_generic(kauth_cred_get(), KAUTH_GENERIC_ISSUSER);
411 if (error) {
412 goto done;
413 }
414 }
415
416 switch (cmd) {
417 case SIOCGDRVSPEC32: {
418 struct ifdrv64 ifd;
419 struct ifdrv32 *ifd32 = (struct ifdrv32 *)data;
420
421 memcpy(ifd.ifd_name, ifd32->ifd_name, sizeof(ifd.ifd_name));
422 ifd.ifd_cmd = ifd32->ifd_cmd;
423 ifd.ifd_len = ifd32->ifd_len;
424 ifd.ifd_data = ifd32->ifd_data;
425
426 error = iptap_getdrvspec(ifp, &ifd);
427
428 break;
429 }
430 case SIOCGDRVSPEC64: {
431 struct ifdrv64 *ifd64 = (struct ifdrv64 *)data;
432
433 error = iptap_getdrvspec(ifp, ifd64);
434
435 break;
436 }
437 default:
438 error = ENOTSUP;
439 break;
440 }
441 done:
442 return (error);
443 }
444
445 __private_extern__ void
446 iptap_detach(ifnet_t ifp)
447 {
448 struct iptap_softc *iptap;
449
450 iptap_lock_exclusive();
451
452 iptap = ifp->if_softc;
453 ifp->if_softc = NULL;
454 LIST_REMOVE(iptap, iptap_link);
455
456 if (LIST_EMPTY(&iptap_list))
457 iptap_ipf_unregister();
458
459 iptap_lock_done();
460
461 /* Drop reference as it's no more on the global list */
462 ifnet_release(ifp);
463
464 _FREE(iptap, M_DEVBUF);
465
466 /* This is for the reference taken by ifnet_attach() */
467 (void) ifnet_release(ifp);
468 }
469
470 static int
471 iptap_ipf_register(void)
472 {
473 struct ipf_filter iptap_ipfinit;
474 int err = 0;
475
476 IPTAP_LOG("\n");
477
478 bzero(&iptap_ipfinit, sizeof (iptap_ipfinit));
479 iptap_ipfinit.name = IPTAP_IFNAME;
480 iptap_ipfinit.cookie = &iptap_ipf4;
481 iptap_ipfinit.ipf_input = iptap_ipf_input;
482 iptap_ipfinit.ipf_output = iptap_ipf_output;
483 iptap_ipfinit.ipf_detach = iptap_ipf_detach;
484
485 err = ipf_addv4(&iptap_ipfinit, &iptap_ipf4);
486 if (err != 0) {
487 printf("%s: ipf_addv4 for %s0 failed - %d\n",
488 __func__, IPTAP_IFNAME, err);
489 goto done;
490 }
491
492 iptap_ipfinit.cookie = &iptap_ipf6;
493 err = ipf_addv6(&iptap_ipfinit, &iptap_ipf6);
494 if (err != 0) {
495 printf("%s: ipf_addv6 for %s0 failed - %d\n",
496 __func__, IPTAP_IFNAME, err);
497 (void) ipf_remove(iptap_ipf4);
498 iptap_ipf4 = NULL;
499 goto done;
500 }
501
502 done:
503 return (err);
504 }
505
506 static int
507 iptap_ipf_unregister(void)
508 {
509 int err = 0;
510
511 IPTAP_LOG("\n");
512
513 if (iptap_ipf4 != NULL) {
514 err = ipf_remove(iptap_ipf4);
515 if (err != 0) {
516 printf("%s: ipf_remove (ipv4) for %s0 failed - %d\n",
517 __func__, IPTAP_IFNAME, err);
518 goto done;
519 }
520 iptap_ipf4 = NULL;
521 }
522
523 if (iptap_ipf6 != NULL) {
524 err = ipf_remove(iptap_ipf6);
525 if (err != 0) {
526 printf("%s: ipf_remove (ipv6) for %s0 failed - %d\n",
527 __func__, IPTAP_IFNAME, err);
528 goto done;
529 }
530 iptap_ipf6 = NULL;
531 }
532 done:
533 return (err);
534 }
535
536 static errno_t
537 iptap_ipf_input(void *arg, mbuf_t *mp, int off, u_int8_t proto)
538 {
539 #pragma unused(off)
540 #pragma unused(proto)
541
542 if (arg == (void *)&iptap_ipf4)
543 iptap_bpf_tap(*mp, AF_INET, 0);
544 else if (arg == (void *)&iptap_ipf6)
545 iptap_bpf_tap(*mp, AF_INET6, 0);
546 else
547 IPTAP_LOG("%s:%d bad cookie 0x%llx &iptap_ipf4 0x%llx "
548 "&iptap_ipf6 0x%llx\n", __func__, __LINE__,
549 (uint64_t)VM_KERNEL_ADDRPERM(arg),
550 (uint64_t)VM_KERNEL_ADDRPERM(&iptap_ipf4),
551 (uint64_t)VM_KERNEL_ADDRPERM(&iptap_ipf6));
552
553 return (0);
554 }
555
556 static errno_t
557 iptap_ipf_output(void *arg, mbuf_t *mp, ipf_pktopts_t opt)
558 {
559 #pragma unused(opt)
560
561 if (arg == (void *)&iptap_ipf4)
562 iptap_bpf_tap(*mp, AF_INET, 1);
563 else if (arg == (void *)&iptap_ipf6)
564 iptap_bpf_tap(*mp, AF_INET6, 1);
565 else
566 IPTAP_LOG("%s:%d bad cookie 0x%llx &iptap_ipf4 0x%llx "
567 "&iptap_ipf6 0x%llx\n", __func__, __LINE__,
568 (uint64_t)VM_KERNEL_ADDRPERM(arg),
569 (uint64_t)VM_KERNEL_ADDRPERM(&iptap_ipf4),
570 (uint64_t)VM_KERNEL_ADDRPERM(&iptap_ipf6));
571
572 return (0);
573 }
574
575 static void
576 iptap_ipf_detach(void *arg)
577 {
578 #pragma unused(arg)
579 }
580
581 __private_extern__ void
582 iptap_bpf_tap(struct mbuf *m, u_int32_t proto, int outgoing)
583 {
584 struct iptap_softc *iptap;
585 void (*bpf_tap_func)(ifnet_t , u_int32_t , mbuf_t , void * , size_t ) =
586 outgoing ? bpf_tap_out : bpf_tap_in;
587 uint16_t src_scope_id = 0;
588 uint16_t dst_scope_id = 0;
589
590 if (proto == AF_INET6) {
591 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
592 /*
593 * Clear the embedded scope ID
594 */
595 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_src)) {
596 src_scope_id = ip6->ip6_src.s6_addr16[1];
597 ip6->ip6_src.s6_addr16[1] = 0;
598 }
599 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst)) {
600 dst_scope_id = ip6->ip6_dst.s6_addr16[1];
601 ip6->ip6_dst.s6_addr16[1] = 0;
602 }
603 }
604
605 iptap_lock_shared();
606
607 LIST_FOREACH(iptap, &iptap_list, iptap_link) {
608 if (iptap->iptap_dlt_raw_count > 0) {
609 bpf_tap_func(iptap->iptap_ifp, DLT_RAW, m,
610 NULL, 0);
611 }
612 if (iptap->iptap_dlt_pkttap_count > 0) {
613 struct {
614 struct pktap_header hdr;
615 u_int32_t proto;
616 } hdr_buffer;
617 struct pktap_header *hdr = &hdr_buffer.hdr;
618 size_t hdr_size = sizeof(hdr_buffer);
619 struct ifnet *ifp = outgoing ? NULL : m->m_pkthdr.rcvif;
620
621 /* Verify the structure is packed */
622 _CASSERT(sizeof(hdr_buffer) == sizeof(struct pktap_header) + sizeof(u_int32_t));
623
624 bzero(hdr, sizeof(hdr_buffer));
625 hdr->pth_length = sizeof(struct pktap_header);
626 hdr->pth_type_next = PTH_TYPE_PACKET;
627 hdr->pth_dlt = DLT_NULL;
628 if (ifp != NULL)
629 snprintf(hdr->pth_ifname, sizeof(hdr->pth_ifname), "%s",
630 ifp->if_xname);
631 hdr_buffer.proto = proto;
632 hdr->pth_flags = outgoing ? PTH_FLAG_DIR_OUT : PTH_FLAG_DIR_IN;
633 hdr->pth_protocol_family = proto;
634 hdr->pth_frame_pre_length = 0;
635 hdr->pth_frame_post_length = 0;
636 hdr->pth_iftype = ifp != NULL ? ifp->if_type : 0;
637 hdr->pth_ifunit = ifp != NULL ? ifp->if_unit : 0;
638
639 pktap_fill_proc_info(hdr, proto, m, 0, outgoing, ifp);
640
641 hdr->pth_svc = so_svc2tc(m->m_pkthdr.pkt_svc);
642
643 bpf_tap_func(iptap->iptap_ifp, DLT_PKTAP, m, hdr, hdr_size);
644 }
645 }
646
647 iptap_lock_done();
648
649 if (proto == AF_INET6) {
650 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
651
652 /*
653 * Restore the embedded scope ID
654 */
655 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_src)) {
656 ip6->ip6_src.s6_addr16[1] = src_scope_id;
657 }
658 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst)) {
659 ip6->ip6_dst.s6_addr16[1] = dst_scope_id;
660 }
661 }
662 }
mirror of XNU