]> git.saurik.com Git - apple/xnu.git/blob - bsd/netinet/ip_divert.c
projects / apple / xnu.git / blob
? search:


acfd471bfedf01e8c23813af7afac667796f876f
[apple/xnu.git] / bsd / netinet / ip_divert.c
1 /*
2 * Copyright (c) 2000 Apple Computer, Inc. All rights reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * The contents of this file constitute Original Code as defined in and
7 * are subject to the Apple Public Source License Version 1.1 (the
8 * "License"). You may not use this file except in compliance with the
9 * License. Please obtain a copy of the License at
10 * http://www.apple.com/publicsource and read it before using this file.
11 *
12 * This Original Code and all software distributed under the License are
13 * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
14 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
15 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
16 * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
17 * License for the specific language governing rights and limitations
18 * under the License.
19 *
20 * @APPLE_LICENSE_HEADER_END@
21 */
22 /*
23 * Copyright (c) 1982, 1986, 1988, 1993
24 * The Regents of the University of California. All rights reserved.
25 *
26 * Redistribution and use in source and binary forms, with or without
27 * modification, are permitted provided that the following conditions
28 * are met:
29 * 1. Redistributions of source code must retain the above copyright
30 * notice, this list of conditions and the following disclaimer.
31 * 2. Redistributions in binary form must reproduce the above copyright
32 * notice, this list of conditions and the following disclaimer in the
33 * documentation and/or other materials provided with the distribution.
34 * 3. All advertising materials mentioning features or use of this software
35 * must display the following acknowledgement:
36 * This product includes software developed by the University of
37 * California, Berkeley and its contributors.
38 * 4. Neither the name of the University nor the names of its contributors
39 * may be used to endorse or promote products derived from this software
40 * without specific prior written permission.
41 *
42 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
43 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
44 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
45 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
46 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
47 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
48 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
49 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
50 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
51 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
52 * SUCH DAMAGE.
53 *
54 */
55
56 #if ISFB31
57 #include "opt_inet.h"
58 #include "opt_ipfw.h"
59 #include "opt_ipdivert.h"
60 #endif
61
62 #ifndef INET
63 #error "IPDIVERT requires INET."
64 #endif
65
66 #include <sys/param.h>
67 #include <sys/malloc.h>
68 #include <sys/mbuf.h>
69 #include <sys/socket.h>
70 #include <sys/protosw.h>
71 #include <sys/socketvar.h>
72 #include <sys/systm.h>
73 #include <sys/proc.h>
74
75 #if ISFB31
76 #include <vm/vm_zone.h>
77 #endif
78
79 #include <net/if.h>
80 #include <net/route.h>
81
82 #include <netinet/in.h>
83 #include <netinet/in_systm.h>
84 #include <netinet/ip.h>
85 #include <netinet/in_pcb.h>
86 #include <netinet/in_var.h>
87 #include <netinet/ip_var.h>
88
89 /*
90 * Divert sockets
91 */
92
93 /*
94 * Allocate enough space to hold a full IP packet
95 */
96 #define DIVSNDQ (65536 + 100)
97 #define DIVRCVQ (65536 + 100)
98
99 /* Global variables */
100
101 /*
102 * ip_input() and ip_output() set this secret value before calling us to
103 * let us know which divert port to divert a packet to; this is done so
104 * we can use the existing prototype for struct protosw's pr_input().
105 * This is stored in host order.
106 */
107 u_short ip_divert_port;
108
109 /*
110 * A 16 bit cookie is passed to the user process.
111 * The user process can send it back to help the caller know something
112 * about where the packet came from.
113 *
114 * If IPFW is the caller then the cookie is the rule that sent
115 * us here. On reinjection is is the rule after which processing
116 * should continue. Leaving it the same will make processing start
117 * at the rule number after that which sent it here. Setting it to
118 * 0 will restart processing at the beginning.
119 */
120 u_int16_t ip_divert_cookie;
121
122 /* Internal variables */
123
124 static struct inpcbhead divcb;
125 static struct inpcbinfo divcbinfo;
126
127 static u_long div_sendspace = DIVSNDQ; /* XXX sysctl ? */
128 static u_long div_recvspace = DIVRCVQ; /* XXX sysctl ? */
129
130 /* Optimization: have this preinitialized */
131 static struct sockaddr_in divsrc = { sizeof(divsrc), AF_INET };
132
133 /* Internal functions */
134
135 static int div_output(struct socket *so,
136 struct mbuf *m, struct sockaddr *addr, struct mbuf *control);
137
138 /*
139 * Initialize divert connection block queue.
140 */
141 void
142 div_init(void)
143 {
144 LIST_INIT(&divcb);
145 divcbinfo.listhead = &divcb;
146 /*
147 * XXX We don't use the hash list for divert IP, but it's easier
148 * to allocate a one entry hash list than it is to check all
149 * over the place for hashbase == NULL.
150 */
151 divcbinfo.hashbase = hashinit(1, M_PCB, &divcbinfo.hashmask);
152 divcbinfo.porthashbase = hashinit(1, M_PCB, &divcbinfo.porthashmask);
153 divcbinfo.ipi_zone = (void *) zinit(sizeof(struct inpcb),(maxsockets * sizeof(struct inpcb)),
154 4096, "divzone");
155
156 /*
157 * ### LD 08/03: init IP forwarding at this point [ipfw is not a module yet]
158 */
159 #if !IPFIREWALL_KEXT
160 ip_fw_init();
161 #endif
162 }
163
164 /*
165 * Setup generic address and protocol structures
166 * for div_input routine, then pass them along with
167 * mbuf chain. ip->ip_len is assumed to have had
168 * the header length (hlen) subtracted out already.
169 * We tell whether the packet was incoming or outgoing
170 * by seeing if hlen == 0, which is a hack.
171 */
172 void
173 div_input(struct mbuf *m, int hlen)
174 {
175 struct ip *ip;
176 struct inpcb *inp;
177 struct socket *sa;
178
179 /* Sanity check */
180 if (ip_divert_port == 0)
181 panic("div_input: port is 0");
182
183 /* Assure header */
184 if (m->m_len < sizeof(struct ip) &&
185 (m = m_pullup(m, sizeof(struct ip))) == 0) {
186 return;
187 }
188 ip = mtod(m, struct ip *);
189
190 /* Record divert cookie */
191 divsrc.sin_port = ip_divert_cookie;
192 ip_divert_cookie = 0;
193
194 /* Restore packet header fields */
195 ip->ip_len += hlen;
196 HTONS(ip->ip_len);
197 HTONS(ip->ip_off);
198
199 /*
200 * Record receive interface address, if any
201 * But only for incoming packets.
202 */
203 divsrc.sin_addr.s_addr = 0;
204 if (hlen) {
205 struct ifaddr *ifa;
206
207 #if DIAGNOSTIC
208 /* Sanity check */
209 if (!(m->m_flags & M_PKTHDR))
210 panic("div_input: no pkt hdr");
211 #endif
212
213 /* More fields affected by ip_input() */
214 HTONS(ip->ip_id);
215
216 /* Find IP address for receive interface */
217 for (ifa = m->m_pkthdr.rcvif->if_addrhead.tqh_first;
218 ifa != NULL; ifa = ifa->ifa_link.tqe_next) {
219 if (ifa->ifa_addr == NULL)
220 continue;
221 if (ifa->ifa_addr->sa_family != AF_INET)
222 continue;
223 divsrc.sin_addr =
224 ((struct sockaddr_in *) ifa->ifa_addr)->sin_addr;
225 break;
226 }
227 }
228 /*
229 * Record the incoming interface name whenever we have one.
230 */
231 bzero(&divsrc.sin_zero, sizeof(divsrc.sin_zero));
232 if (m->m_pkthdr.rcvif) {
233 /*
234 * Hide the actual interface name in there in the
235 * sin_zero array. XXX This needs to be moved to a
236 * different sockaddr type for divert, e.g.
237 * sockaddr_div with multiple fields like
238 * sockaddr_dl. Presently we have only 7 bytes
239 * but that will do for now as most interfaces
240 * are 4 or less + 2 or less bytes for unit.
241 * There is probably a faster way of doing this,
242 * possibly taking it from the sockaddr_dl on the iface.
243 * This solves the problem of a P2P link and a LAN interface
244 * having the same address, which can result in the wrong
245 * interface being assigned to the packet when fed back
246 * into the divert socket. Theoretically if the daemon saves
247 * and re-uses the sockaddr_in as suggested in the man pages,
248 * this iface name will come along for the ride.
249 * (see div_output for the other half of this.)
250 */
251 snprintf(divsrc.sin_zero, sizeof(divsrc.sin_zero),
252 "%s%d", m->m_pkthdr.rcvif->if_name,
253 m->m_pkthdr.rcvif->if_unit);
254 }
255
256 /* Put packet on socket queue, if any */
257 sa = NULL;
258 for (inp = divcb.lh_first; inp != NULL; inp = inp->inp_list.le_next) {
259 if (inp->inp_lport == htons(ip_divert_port))
260 sa = inp->inp_socket;
261 }
262 ip_divert_port = 0;
263 if (sa) {
264 if (sbappendaddr(&sa->so_rcv, (struct sockaddr *)&divsrc,
265 m, (struct mbuf *)0) == 0)
266 m_freem(m);
267 else
268 sorwakeup(sa);
269 } else {
270 m_freem(m);
271 ipstat.ips_noproto++;
272 ipstat.ips_delivered--;
273 }
274 }
275
276 /*
277 * Deliver packet back into the IP processing machinery.
278 *
279 * If no address specified, or address is 0.0.0.0, send to ip_output();
280 * otherwise, send to ip_input() and mark as having been received on
281 * the interface with that address.
282 */
283 static int
284 div_output(so, m, addr, control)
285 struct socket *so;
286 register struct mbuf *m;
287 struct sockaddr *addr;
288 struct mbuf *control;
289 {
290 register struct inpcb *const inp = sotoinpcb(so);
291 register struct ip *const ip = mtod(m, struct ip *);
292 struct sockaddr_in *sin = (struct sockaddr_in *)addr;
293 int error = 0;
294
295 if (control)
296 m_freem(control); /* XXX */
297
298 /* Loopback avoidance and state recovery */
299 if (sin) {
300 int len = 0;
301 char *c = sin->sin_zero;
302
303 ip_divert_cookie = sin->sin_port;
304
305 /*
306 * Find receive interface with the given name or IP address.
307 * The name is user supplied data so don't trust it's size or
308 * that it is zero terminated. The name has priority.
309 * We are presently assuming that the sockaddr_in
310 * has not been replaced by a sockaddr_div, so we limit it
311 * to 16 bytes in total. the name is stuffed (if it exists)
312 * in the sin_zero[] field.
313 */
314 while (*c++ && (len++ < sizeof(sin->sin_zero)));
315 if ((len > 0) && (len < sizeof(sin->sin_zero)))
316 m->m_pkthdr.rcvif = ifunit(sin->sin_zero);
317 } else {
318 ip_divert_cookie = 0;
319 }
320
321 /* Reinject packet into the system as incoming or outgoing */
322 if (!sin || sin->sin_addr.s_addr == 0) {
323 /*
324 * Don't allow both user specified and setsockopt options,
325 * and don't allow packet length sizes that will crash
326 */
327 if (((ip->ip_hl != (sizeof (*ip) >> 2)) && inp->inp_options) ||
328 ((u_short)ntohs(ip->ip_len) > m->m_pkthdr.len)) {
329 error = EINVAL;
330 goto cantsend;
331 }
332
333 /* Convert fields to host order for ip_output() */
334 NTOHS(ip->ip_len);
335 NTOHS(ip->ip_off);
336
337 /* Send packet to output processing */
338 ipstat.ips_rawout++; /* XXX */
339 error = ip_output(m, inp->inp_options, &inp->inp_route,
340 (so->so_options & SO_DONTROUTE) |
341 IP_ALLOWBROADCAST | IP_RAWOUTPUT, inp->inp_moptions);
342 } else {
343 struct ifaddr *ifa;
344
345 /* If no luck with the name above. check by IP address. */
346 if (m->m_pkthdr.rcvif == NULL) {
347 /*
348 * Make sure there are no distractions
349 * for ifa_ifwithaddr. Clear the port and the ifname.
350 * Maybe zap all 8 bytes at once using a 64bit write?
351 */
352 bzero(sin->sin_zero, sizeof(sin->sin_zero));
353 /* *((u_int64_t *)sin->sin_zero) = 0; */ /* XXX ?? */
354 sin->sin_port = 0;
355 if (!(ifa = ifa_ifwithaddr((struct sockaddr *) sin))) {
356 error = EADDRNOTAVAIL;
357 goto cantsend;
358 }
359 m->m_pkthdr.rcvif = ifa->ifa_ifp;
360 }
361
362 /* Send packet to input processing */
363 ip_input(m);
364 }
365
366 /* paranoid: Reset for next time (and other packets) */
367 /* almost definitly already done in the ipfw filter but.. */
368 ip_divert_cookie = 0;
369 return error;
370
371 cantsend:
372 ip_divert_cookie = 0;
373 m_freem(m);
374 return error;
375 }
376
377 static int
378 div_attach(struct socket *so, int proto, struct proc *p)
379 {
380 struct inpcb *inp;
381 int error, s;
382
383 inp = sotoinpcb(so);
384 if (inp)
385 panic("div_attach");
386 if (p && (error = suser(p->p_ucred, &p->p_acflag)) != 0)
387 return error;
388
389 s = splnet();
390 error = in_pcballoc(so, &divcbinfo, p);
391 splx(s);
392 if (error)
393 return error;
394 error = soreserve(so, div_sendspace, div_recvspace);
395 if (error)
396 return error;
397 inp = (struct inpcb *)so->so_pcb;
398 inp->inp_ip_p = proto;
399 inp->inp_flags |= INP_HDRINCL | INP_IPV4;
400 /* The socket is always "connected" because
401 we always know "where" to send the packet */
402 so->so_state |= SS_ISCONNECTED;
403 #if IPSEC
404 error = ipsec_init_policy(so, &inp->inp_sp);
405 if (error != 0) {
406 in_pcbdetach(inp);
407 return error;
408 }
409 #endif /*IPSEC*/
410 return 0;
411 }
412
413 static int
414 div_detach(struct socket *so)
415 {
416 struct inpcb *inp;
417
418 inp = sotoinpcb(so);
419 if (inp == 0)
420 panic("div_detach");
421 in_pcbdetach(inp);
422 return 0;
423 }
424
425 static int
426 div_abort(struct socket *so)
427 {
428 soisdisconnected(so);
429 return div_detach(so);
430 }
431
432 static int
433 div_disconnect(struct socket *so)
434 {
435 if ((so->so_state & SS_ISCONNECTED) == 0)
436 return ENOTCONN;
437 return div_abort(so);
438 }
439
440 static int
441 div_bind(struct socket *so, struct sockaddr *nam, struct proc *p)
442 {
443 struct inpcb *inp;
444 int s;
445 int error;
446
447 s = splnet();
448 inp = sotoinpcb(so);
449 error = in_pcbbind(inp, nam, p);
450 splx(s);
451 return 0;
452 }
453
454 static int
455 div_shutdown(struct socket *so)
456 {
457 socantsendmore(so);
458 return 0;
459 }
460
461 static int
462 div_send(struct socket *so, int flags, struct mbuf *m, struct sockaddr *nam,
463 struct mbuf *control, struct proc *p)
464 {
465 /* Packet must have a header (but that's about it) */
466 if (m->m_len < sizeof (struct ip) ||
467 (m = m_pullup(m, sizeof (struct ip))) == 0) {
468 ipstat.ips_toosmall++;
469 m_freem(m);
470 return EINVAL;
471 }
472
473 /* Send packet */
474 return div_output(so, m, nam, control);
475 }
476
477 struct pr_usrreqs div_usrreqs = {
478 div_abort, pru_accept_notsupp, div_attach, div_bind,
479 pru_connect_notsupp, pru_connect2_notsupp, in_control, div_detach,
480 div_disconnect, pru_listen_notsupp, in_setpeeraddr, pru_rcvd_notsupp,
481 pru_rcvoob_notsupp, div_send, pru_sense_null, div_shutdown,
482 in_setsockaddr, sosend, soreceive, sopoll
483 };
mirror of XNU