2 * Copyright (c) 2004-2020 Apple Inc. All rights reserved.
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
29 #include <sys/param.h> /* for definition of NULL */
30 #include <sys/errno.h>
31 #include <sys/malloc.h>
32 #include <sys/socket.h>
34 #include <sys/systm.h>
35 #include <libkern/OSAtomic.h>
37 #include <machine/endian.h>
40 #include <net/if_var.h>
41 #include <net/route.h>
42 #include <net/kpi_protocol.h>
43 #include <net/net_api_stats.h>
45 #include <netinet/in_systm.h>
46 #include <netinet/in.h>
47 #include <netinet/in_var.h>
48 #include <netinet6/in6_var.h>
49 #include <netinet/ip.h>
50 #include <netinet/ip6.h>
51 #include <netinet/ip_var.h>
52 #include <netinet6/ip6_var.h>
53 #include <netinet/kpi_ipfilter_var.h>
58 * kipf_lock and kipf_ref protect the linkage of the list of IP filters
59 * An IP filter can be removed only when kipf_ref is zero
60 * If an IP filter cannot be removed because kipf_ref is not null, then
61 * the IP filter is marked and kipf_delayed_remove is set so that when
62 * kipf_ref eventually goes down to zero, the IP filter is removed
64 decl_lck_mtx_data(static, kipf_lock_data
);
65 static lck_mtx_t
*kipf_lock
= &kipf_lock_data
;
66 static u_int32_t kipf_ref
= 0;
67 static u_int32_t kipf_delayed_remove
= 0;
68 u_int32_t kipf_count
= 0;
70 __private_extern__
struct ipfilter_list ipv4_filters
= TAILQ_HEAD_INITIALIZER(ipv4_filters
);
71 __private_extern__
struct ipfilter_list ipv6_filters
= TAILQ_HEAD_INITIALIZER(ipv6_filters
);
72 __private_extern__
struct ipfilter_list tbr_filters
= TAILQ_HEAD_INITIALIZER(tbr_filters
);
76 extern errno_t
ipf_addv4(const struct ipf_filter
*filter
,
77 ipfilter_t
*filter_ref
);
78 extern errno_t
ipf_addv6(const struct ipf_filter
*filter
,
79 ipfilter_t
*filter_ref
);
81 static errno_t
ipf_add(const struct ipf_filter
*filter
,
82 ipfilter_t
*filter_ref
, struct ipfilter_list
*head
, bool is_internal
);
84 __private_extern__
void
87 lck_mtx_lock(kipf_lock
);
88 if (os_inc_overflow(&kipf_ref
)) {
89 panic("kipf_ref overflow");
91 lck_mtx_unlock(kipf_lock
);
94 __private_extern__
void
97 lck_mtx_lock(kipf_lock
);
99 if (os_dec_overflow(&kipf_ref
)) {
100 panic("kipf_ref underflow");
103 if (kipf_ref
== 0 && kipf_delayed_remove
!= 0) {
104 struct ipfilter
*filter
;
106 while ((filter
= TAILQ_FIRST(&tbr_filters
))) {
107 VERIFY(OSDecrementAtomic64(&net_api_stats
.nas_ipf_add_count
) > 0);
109 ipf_detach_func ipf_detach
= filter
->ipf_filter
.ipf_detach
;
110 void* cookie
= filter
->ipf_filter
.cookie
;
112 TAILQ_REMOVE(filter
->ipf_head
, filter
, ipf_link
);
113 TAILQ_REMOVE(&tbr_filters
, filter
, ipf_tbr
);
114 kipf_delayed_remove
--;
117 lck_mtx_unlock(kipf_lock
);
119 lck_mtx_lock(kipf_lock
);
120 /* In case some filter got to run while we released the lock */
127 lck_mtx_unlock(kipf_lock
);
132 const struct ipf_filter
*filter
,
133 ipfilter_t
*filter_ref
,
134 struct ipfilter_list
*head
,
137 struct ipfilter
*new_filter
;
138 if (filter
->name
== NULL
|| (filter
->ipf_input
== NULL
&& filter
->ipf_output
== NULL
)) {
142 MALLOC(new_filter
, struct ipfilter
*, sizeof(*new_filter
), M_IFADDR
, M_WAITOK
);
143 if (new_filter
== NULL
) {
147 lck_mtx_lock(kipf_lock
);
148 new_filter
->ipf_filter
= *filter
;
149 new_filter
->ipf_head
= head
;
151 TAILQ_INSERT_HEAD(head
, new_filter
, ipf_link
);
153 OSIncrementAtomic64(&net_api_stats
.nas_ipf_add_count
);
154 INC_ATOMIC_INT64_LIM(net_api_stats
.nas_ipf_add_total
);
156 INC_ATOMIC_INT64_LIM(net_api_stats
.nas_ipf_add_os_total
);
159 lck_mtx_unlock(kipf_lock
);
161 *filter_ref
= (ipfilter_t
)new_filter
;
163 /* This will force TCP to re-evaluate its use of TSO */
164 OSAddAtomic(1, &kipf_count
);
172 const struct ipf_filter
*filter
,
173 ipfilter_t
*filter_ref
)
175 return ipf_add(filter
, filter_ref
, &ipv4_filters
, true);
180 const struct ipf_filter
*filter
,
181 ipfilter_t
*filter_ref
)
183 return ipf_add(filter
, filter_ref
, &ipv4_filters
, false);
188 const struct ipf_filter
*filter
,
189 ipfilter_t
*filter_ref
)
191 return ipf_add(filter
, filter_ref
, &ipv6_filters
, true);
196 const struct ipf_filter
*filter
,
197 ipfilter_t
*filter_ref
)
199 return ipf_add(filter
, filter_ref
, &ipv6_filters
, false);
203 ipf_input_detached(void *cookie
, mbuf_t
*data
, int offset
, u_int8_t protocol
)
205 #pragma unused(cookie, data, offset, protocol)
208 printf("ipf_input_detached\n");
215 ipf_output_detached(void *cookie
, mbuf_t
*data
, ipf_pktopts_t options
)
217 #pragma unused(cookie, data, options)
220 printf("ipf_output_detached\n");
228 ipfilter_t filter_ref
)
230 struct ipfilter
*match
= (struct ipfilter
*)filter_ref
;
231 struct ipfilter_list
*head
;
233 if (match
== 0 || (match
->ipf_head
!= &ipv4_filters
&& match
->ipf_head
!= &ipv6_filters
)) {
237 head
= match
->ipf_head
;
239 lck_mtx_lock(kipf_lock
);
240 TAILQ_FOREACH(match
, head
, ipf_link
) {
241 if (match
== (struct ipfilter
*)filter_ref
) {
242 ipf_detach_func ipf_detach
= match
->ipf_filter
.ipf_detach
;
243 void* cookie
= match
->ipf_filter
.cookie
;
246 * Cannot detach when they are filters running
249 kipf_delayed_remove
++;
250 TAILQ_INSERT_TAIL(&tbr_filters
, match
, ipf_tbr
);
251 match
->ipf_filter
.ipf_input
= ipf_input_detached
;
252 match
->ipf_filter
.ipf_output
= ipf_output_detached
;
253 lck_mtx_unlock(kipf_lock
);
255 VERIFY(OSDecrementAtomic64(&net_api_stats
.nas_ipf_add_count
) > 0);
257 TAILQ_REMOVE(head
, match
, ipf_link
);
258 lck_mtx_unlock(kipf_lock
);
263 FREE(match
, M_IFADDR
);
265 /* This will force TCP to re-evaluate its use of TSO */
266 OSAddAtomic(-1, &kipf_count
);
272 lck_mtx_unlock(kipf_lock
);
282 ipfilter_t filter_ref
)
284 struct mbuf
*m
= (struct mbuf
*)data
;
285 struct m_tag
*mtag
= 0;
286 struct ip
*ip
= mtod(m
, struct ip
*);
291 protocol_family_t proto
;
292 struct in_ifaddr
*ia
= NULL
;
293 struct in_addr
*pkt_dst
= NULL
;
294 struct in6_ifaddr
*ia6
= NULL
;
295 struct sockaddr_in6 pkt_dst6
;
297 vers
= IP_VHL_V(ip
->ip_vhl
);
311 if (filter_ref
== 0 && m
->m_pkthdr
.rcvif
== 0) {
313 * Search for interface with the local address
317 pkt_dst
= &ip
->ip_dst
;
318 lck_rw_lock_shared(in_ifaddr_rwlock
);
319 TAILQ_FOREACH(ia
, INADDR_HASH(pkt_dst
->s_addr
), ia_hash
) {
320 if (IA_SIN(ia
)->sin_addr
.s_addr
== pkt_dst
->s_addr
) {
321 m
->m_pkthdr
.rcvif
= ia
->ia_ifp
;
325 lck_rw_done(in_ifaddr_rwlock
);
329 ip6
= mtod(m
, struct ip6_hdr
*);
330 pkt_dst6
.sin6_addr
= ip6
->ip6_dst
;
331 lck_rw_lock_shared(&in6_ifaddr_rwlock
);
332 TAILQ_FOREACH(ia6
, IN6ADDR_HASH(&pkt_dst6
.sin6_addr
), ia6_hash
) {
333 if (IN6_ARE_ADDR_EQUAL(&ia6
->ia_addr
.sin6_addr
, &pkt_dst6
.sin6_addr
)) {
334 m
->m_pkthdr
.rcvif
= ia6
->ia_ifp
;
338 lck_rw_done(&in6_ifaddr_rwlock
);
346 * If none found, fallback to loopback
348 if (m
->m_pkthdr
.rcvif
== NULL
) {
349 m
->m_pkthdr
.rcvif
= lo_ifp
;
352 m
->m_pkthdr
.csum_data
= 0;
353 m
->m_pkthdr
.csum_flags
= 0;
355 hlen
= IP_VHL_HL(ip
->ip_vhl
) << 2;
357 ip
->ip_sum
= in_cksum(m
, hlen
);
360 if (filter_ref
!= 0) {
361 mtag
= m_tag_create(KERNEL_MODULE_TAG_ID
, KERNEL_TAG_TYPE_IPFILT
,
362 sizeof(ipfilter_t
), M_NOWAIT
, m
);
367 *(ipfilter_t
*)(mtag
+ 1) = filter_ref
;
368 m_tag_prepend(m
, mtag
);
371 error
= proto_inject(proto
, data
);
378 ipf_injectv4_out(mbuf_t data
, ipfilter_t filter_ref
, ipf_pktopts_t options
)
382 struct mbuf
*m
= (struct mbuf
*)data
;
384 struct m_tag
*mtag
= NULL
;
385 struct ip_moptions
*imo
= NULL
;
386 struct ip_out_args ipoa
;
388 bzero(&ipoa
, sizeof(ipoa
));
389 ipoa
.ipoa_boundif
= IFSCOPE_NONE
;
390 ipoa
.ipoa_sotc
= SO_TC_UNSPEC
;
391 ipoa
.ipoa_netsvctype
= _NET_SERVICE_TYPE_UNSPEC
;
393 /* Make the IP header contiguous in the mbuf */
394 if ((size_t)m
->m_len
< sizeof(struct ip
)) {
395 m
= m_pullup(m
, sizeof(struct ip
));
400 ip
= (struct ip
*)m_mtod(m
);
402 if (filter_ref
!= 0) {
403 mtag
= m_tag_create(KERNEL_MODULE_TAG_ID
,
404 KERNEL_TAG_TYPE_IPFILT
, sizeof(ipfilter_t
), M_NOWAIT
, m
);
409 *(ipfilter_t
*)(mtag
+ 1) = filter_ref
;
410 m_tag_prepend(m
, mtag
);
413 if (options
!= NULL
&& (options
->ippo_flags
& IPPOF_MCAST_OPTS
) &&
414 (imo
= ip_allocmoptions(Z_NOWAIT
)) != NULL
) {
415 imo
->imo_multicast_ifp
= options
->ippo_mcast_ifnet
;
416 imo
->imo_multicast_ttl
= options
->ippo_mcast_ttl
;
417 imo
->imo_multicast_loop
= (u_char
)options
->ippo_mcast_loop
;
420 if (options
!= NULL
) {
421 if (options
->ippo_flags
& IPPOF_SELECT_SRCIF
) {
422 ipoa
.ipoa_flags
|= IPOAF_SELECT_SRCIF
;
424 if (options
->ippo_flags
& IPPOF_BOUND_IF
) {
425 ipoa
.ipoa_flags
|= IPOAF_BOUND_IF
;
426 ipoa
.ipoa_boundif
= options
->ippo_flags
>>
429 if (options
->ippo_flags
& IPPOF_NO_IFT_CELLULAR
) {
430 ipoa
.ipoa_flags
|= IPOAF_NO_CELLULAR
;
432 if (options
->ippo_flags
& IPPOF_BOUND_SRCADDR
) {
433 ipoa
.ipoa_flags
|= IPOAF_BOUND_SRCADDR
;
435 if (options
->ippo_flags
& IPPOF_NO_IFF_EXPENSIVE
) {
436 ipoa
.ipoa_flags
|= IPOAF_NO_EXPENSIVE
;
438 if (options
->ippo_flags
& IPPOF_NO_IFF_CONSTRAINED
) {
439 ipoa
.ipoa_flags
|= IPOAF_NO_CONSTRAINED
;
443 bzero(&ro
, sizeof(struct route
));
445 /* Put ip_len and ip_off in host byte order, ip_output expects that */
447 #if BYTE_ORDER != BIG_ENDIAN
452 /* Send; enforce source interface selection via IP_OUTARGS flag */
453 error
= ip_output(m
, NULL
, &ro
,
454 IP_ALLOWBROADCAST
| IP_RAWOUTPUT
| IP_OUTARGS
, imo
, &ipoa
);
456 /* Release the route */
467 ipf_injectv6_out(mbuf_t data
, ipfilter_t filter_ref
, ipf_pktopts_t options
)
471 struct mbuf
*m
= (struct mbuf
*)data
;
473 struct m_tag
*mtag
= NULL
;
474 struct ip6_moptions
*im6o
= NULL
;
475 struct ip6_out_args ip6oa
;
477 bzero(&ip6oa
, sizeof(ip6oa
));
478 ip6oa
.ip6oa_boundif
= IFSCOPE_NONE
;
479 ip6oa
.ip6oa_sotc
= SO_TC_UNSPEC
;
480 ip6oa
.ip6oa_netsvctype
= _NET_SERVICE_TYPE_UNSPEC
;
482 /* Make the IP header contiguous in the mbuf */
483 if ((size_t)m
->m_len
< sizeof(struct ip6_hdr
)) {
484 m
= m_pullup(m
, sizeof(struct ip6_hdr
));
489 ip6
= (struct ip6_hdr
*)m_mtod(m
);
491 if (filter_ref
!= 0) {
492 mtag
= m_tag_create(KERNEL_MODULE_TAG_ID
,
493 KERNEL_TAG_TYPE_IPFILT
, sizeof(ipfilter_t
), M_NOWAIT
, m
);
498 *(ipfilter_t
*)(mtag
+ 1) = filter_ref
;
499 m_tag_prepend(m
, mtag
);
502 if (options
!= NULL
&& (options
->ippo_flags
& IPPOF_MCAST_OPTS
) &&
503 (im6o
= ip6_allocmoptions(Z_NOWAIT
)) != NULL
) {
504 im6o
->im6o_multicast_ifp
= options
->ippo_mcast_ifnet
;
505 im6o
->im6o_multicast_hlim
= options
->ippo_mcast_ttl
;
506 im6o
->im6o_multicast_loop
= (u_char
)options
->ippo_mcast_loop
;
509 if (options
!= NULL
) {
510 if (options
->ippo_flags
& IPPOF_SELECT_SRCIF
) {
511 ip6oa
.ip6oa_flags
|= IP6OAF_SELECT_SRCIF
;
513 if (options
->ippo_flags
& IPPOF_BOUND_IF
) {
514 ip6oa
.ip6oa_flags
|= IP6OAF_BOUND_IF
;
515 ip6oa
.ip6oa_boundif
= options
->ippo_flags
>>
518 if (options
->ippo_flags
& IPPOF_NO_IFT_CELLULAR
) {
519 ip6oa
.ip6oa_flags
|= IP6OAF_NO_CELLULAR
;
521 if (options
->ippo_flags
& IPPOF_BOUND_SRCADDR
) {
522 ip6oa
.ip6oa_flags
|= IP6OAF_BOUND_SRCADDR
;
524 if (options
->ippo_flags
& IPPOF_NO_IFF_EXPENSIVE
) {
525 ip6oa
.ip6oa_flags
|= IP6OAF_NO_EXPENSIVE
;
527 if (options
->ippo_flags
& IPPOF_NO_IFF_CONSTRAINED
) {
528 ip6oa
.ip6oa_flags
|= IP6OAF_NO_CONSTRAINED
;
532 bzero(&ro
, sizeof(struct route_in6
));
535 * Send mbuf and ifscope information. Check for correctness
536 * of ifscope information is done while searching for a route in
539 error
= ip6_output(m
, NULL
, &ro
, IPV6_OUTARGS
, im6o
, NULL
, &ip6oa
);
541 /* Release the route */
554 ipfilter_t filter_ref
,
555 ipf_pktopts_t options
)
557 struct mbuf
*m
= (struct mbuf
*)data
;
561 /* Make one byte of the header contiguous in the mbuf */
569 vers
= (*(u_int8_t
*)m_mtod(m
)) >> 4;
572 error
= ipf_injectv4_out(data
, filter_ref
, options
);
575 error
= ipf_injectv6_out(data
, filter_ref
, options
);
587 __private_extern__ ipfilter_t
588 ipf_get_inject_filter(struct mbuf
*m
)
590 ipfilter_t filter_ref
= 0;
593 mtag
= m_tag_locate(m
, KERNEL_MODULE_TAG_ID
, KERNEL_TAG_TYPE_IPFILT
, NULL
);
595 filter_ref
= *(ipfilter_t
*)(mtag
+ 1);
597 m_tag_delete(m
, mtag
);
602 __private_extern__
int
606 lck_grp_attr_t
*grp_attributes
= 0;
607 lck_attr_t
*lck_attributes
= 0;
608 lck_grp_t
*lck_grp
= 0;
610 grp_attributes
= lck_grp_attr_alloc_init();
611 if (grp_attributes
== 0) {
612 printf("ipf_init: lck_grp_attr_alloc_init failed\n");
617 lck_grp
= lck_grp_alloc_init("IP Filter", grp_attributes
);
619 printf("ipf_init: lck_grp_alloc_init failed\n");
624 lck_attributes
= lck_attr_alloc_init();
625 if (lck_attributes
== 0) {
626 printf("ipf_init: lck_attr_alloc_init failed\n");
631 lck_mtx_init(kipf_lock
, lck_grp
, lck_attributes
);
635 lck_grp_free(lck_grp
);
638 if (grp_attributes
) {
639 lck_grp_attr_free(grp_attributes
);
642 if (lck_attributes
) {
643 lck_attr_free(lck_attributes
);