]> git.saurik.com Git - apple/xnu.git/blob - bsd/netinet/kpi_ipfilter.c
xnu-1228.15.4.tar.gz
[apple/xnu.git] / bsd / netinet / kpi_ipfilter.c
1 /*
2 * Copyright (c) 2003 Apple Computer, Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 #include <sys/param.h> /* for definition of NULL */
30 #include <sys/errno.h>
31 #include <sys/malloc.h>
32 #include <sys/socket.h>
33 #include <sys/mbuf.h>
34 #include <sys/systm.h>
35
36 #define _IP_VHL
37 #include <net/if_var.h>
38 #include <net/route.h>
39 #include <net/kpi_protocol.h>
40
41 #include <netinet/in_systm.h>
42 #include <netinet/in.h>
43 #include <netinet/in_var.h>
44 #include <netinet6/in6_var.h>
45 #include <netinet/ip.h>
46 #include <netinet/ip6.h>
47 #include <netinet/ip_var.h>
48 #include <netinet6/ip6_var.h>
49 #include <netinet/kpi_ipfilter_var.h>
50
51 /*
52 * kipf_lock and kipf_ref protect the linkage of the list of IP filters
53 * An IP filter can be removed only when kipf_ref is zero
54 * If an IP filter cannot be removed because kipf_ref is not null, then
55 * the IP filter is marjed and kipf_delayed_remove is set so that when
56 * kipf_ref eventually goes down to zero, the IP filter is removed
57 */
58 static lck_mtx_t *kipf_lock = 0;
59 static unsigned long kipf_ref = 0;
60 static unsigned long kipf_delayed_remove = 0;
61
62 __private_extern__ struct ipfilter_list ipv4_filters = TAILQ_HEAD_INITIALIZER(ipv4_filters);
63 __private_extern__ struct ipfilter_list ipv6_filters = TAILQ_HEAD_INITIALIZER(ipv6_filters);
64 __private_extern__ struct ipfilter_list tbr_filters = TAILQ_HEAD_INITIALIZER(tbr_filters);
65
66 __private_extern__ void
67 ipf_ref(void)
68 {
69 lck_mtx_lock(kipf_lock);
70 kipf_ref++;
71 lck_mtx_unlock(kipf_lock);
72 }
73
74 __private_extern__ void
75 ipf_unref(void)
76 {
77 lck_mtx_lock(kipf_lock);
78
79 if (kipf_ref == 0)
80 panic("ipf_unref: kipf_ref == 0\n");
81
82 kipf_ref--;
83 if (kipf_ref == 0 && kipf_delayed_remove != 0) {
84 struct ipfilter *filter;
85
86 while ((filter = TAILQ_FIRST(&tbr_filters))) {
87 ipf_detach_func ipf_detach = filter->ipf_filter.ipf_detach;
88 void* cookie = filter->ipf_filter.cookie;
89
90 TAILQ_REMOVE(filter->ipf_head, filter, ipf_link);
91 TAILQ_REMOVE(&tbr_filters, filter, ipf_tbr);
92 kipf_delayed_remove--;
93
94 if (ipf_detach) {
95 lck_mtx_unlock(kipf_lock);
96 ipf_detach(cookie);
97 lck_mtx_lock(kipf_lock);
98 /* In case some filter got to run while we released the lock */
99 if (kipf_ref != 0)
100 break;
101 }
102 }
103 }
104 lck_mtx_unlock(kipf_lock);
105 }
106
107 static errno_t
108 ipf_add(
109 const struct ipf_filter* filter,
110 ipfilter_t *filter_ref,
111 struct ipfilter_list *head)
112 {
113 struct ipfilter *new_filter;
114 if (filter->name == NULL || (filter->ipf_input == NULL && filter->ipf_output == NULL))
115 return EINVAL;
116
117 MALLOC(new_filter, struct ipfilter*, sizeof(*new_filter), M_IFADDR, M_WAITOK);
118 if (new_filter == NULL)
119 return ENOMEM;
120
121 lck_mtx_lock(kipf_lock);
122 new_filter->ipf_filter = *filter;
123 new_filter->ipf_head = head;
124
125 /*
126 * 3957298
127 * Make sure third parties have a chance to filter packets before
128 * SharedIP. Always SharedIP at the end of the list.
129 */
130 if (filter->name != NULL &&
131 strcmp(filter->name, "com.apple.nke.SharedIP") == 0) {
132 TAILQ_INSERT_TAIL(head, new_filter, ipf_link);
133 }
134 else {
135 TAILQ_INSERT_HEAD(head, new_filter, ipf_link);
136 }
137
138 lck_mtx_unlock(kipf_lock);
139
140 *filter_ref = (ipfilter_t)new_filter;
141 return 0;
142 }
143
144 errno_t
145 ipf_addv4(
146 const struct ipf_filter* filter,
147 ipfilter_t *filter_ref)
148 {
149 return ipf_add(filter, filter_ref, &ipv4_filters);
150 }
151
152 errno_t
153 ipf_addv6(
154 const struct ipf_filter* filter,
155 ipfilter_t *filter_ref)
156 {
157 return ipf_add(filter, filter_ref, &ipv6_filters);
158 }
159
160 errno_t
161 ipf_remove(
162 ipfilter_t filter_ref)
163 {
164 struct ipfilter *match = (struct ipfilter*)filter_ref;
165 struct ipfilter_list *head;
166
167 if (match == 0 || (match->ipf_head != &ipv4_filters && match->ipf_head != &ipv6_filters))
168 return EINVAL;
169
170 head = match->ipf_head;
171
172 lck_mtx_lock(kipf_lock);
173 TAILQ_FOREACH(match, head, ipf_link) {
174 if (match == (struct ipfilter*)filter_ref) {
175 ipf_detach_func ipf_detach = match->ipf_filter.ipf_detach;
176 void* cookie = match->ipf_filter.cookie;
177
178 /*
179 * Cannot detach when they are filters running
180 */
181 if (kipf_ref) {
182 kipf_delayed_remove++;
183 TAILQ_INSERT_TAIL(&tbr_filters, match, ipf_tbr);
184 match->ipf_filter.ipf_input = 0;
185 match->ipf_filter.ipf_output = 0;
186 lck_mtx_unlock(kipf_lock);
187 } else {
188 TAILQ_REMOVE(head, match, ipf_link);
189 lck_mtx_unlock(kipf_lock);
190 if (ipf_detach)
191 ipf_detach(cookie);
192 FREE(match, M_IFADDR);
193 }
194 return 0;
195 }
196 }
197 lck_mtx_unlock(kipf_lock);
198
199 return ENOENT;
200 }
201
202 int log_for_en1 = 0;
203
204 errno_t
205 ipf_inject_input(
206 mbuf_t data,
207 ipfilter_t filter_ref)
208 {
209 struct mbuf *m = (struct mbuf*)data;
210 struct m_tag *mtag = 0;
211 struct ip *ip = mtod(m, struct ip *);
212 u_int8_t vers;
213 int hlen;
214 errno_t error = 0;
215 protocol_family_t proto;
216
217 vers = IP_VHL_V(ip->ip_vhl);
218
219 switch (vers) {
220 case 4:
221 proto = PF_INET;
222 break;
223 case 6:
224 proto = PF_INET6;
225 break;
226 default:
227 error = ENOTSUP;
228 goto done;
229 }
230
231 if (filter_ref == 0 && m->m_pkthdr.rcvif == 0) {
232 m->m_pkthdr.rcvif = ifunit("lo0");
233 m->m_pkthdr.csum_data = 0;
234 m->m_pkthdr.csum_flags = 0;
235 if (vers == 4) {
236 hlen = IP_VHL_HL(ip->ip_vhl) << 2;
237 ip->ip_sum = 0;
238 ip->ip_sum = in_cksum(m, hlen);
239 }
240 }
241 if (filter_ref != 0) {
242 mtag = m_tag_alloc(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT,
243 sizeof (ipfilter_t), M_NOWAIT);
244 if (mtag == NULL) {
245 error = ENOMEM;
246 goto done;
247 }
248 *(ipfilter_t*)(mtag+1) = filter_ref;
249 m_tag_prepend(m, mtag);
250 }
251
252 error = proto_inject(proto, data);
253
254 done:
255 return error;
256 }
257
258 static errno_t
259 ipf_injectv4_out(
260 mbuf_t data,
261 ipfilter_t filter_ref,
262 ipf_pktopts_t options)
263 {
264 struct route ro;
265 struct sockaddr_in *sin = (struct sockaddr_in*)&ro.ro_dst;
266 struct ip *ip;
267 struct mbuf *m = (struct mbuf*)data;
268 errno_t error = 0;
269 struct m_tag *mtag = 0;
270 struct ip_moptions *imo = 0, ip_moptions;
271
272 /* Make the IP header contiguous in the mbuf */
273 if ((size_t)m->m_len < sizeof(struct ip)) {
274 m = m_pullup(m, sizeof(struct ip));
275 if (m == NULL) return ENOMEM;
276 }
277 ip = (struct ip*)m_mtod(m);
278
279 if (filter_ref != 0) {
280 mtag = m_tag_alloc(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT,
281 sizeof (ipfilter_t), M_NOWAIT);
282 if (mtag == NULL) {
283 m_freem(m);
284 return ENOMEM;
285 }
286 *(ipfilter_t*)(mtag+1) = filter_ref;
287 m_tag_prepend(m, mtag);
288 }
289
290 if (options && (options->ippo_flags & IPPOF_MCAST_OPTS)) {
291 imo = &ip_moptions;
292
293 bzero(imo, sizeof(struct ip6_moptions));
294 imo->imo_multicast_ifp = options->ippo_mcast_ifnet;
295 imo->imo_multicast_ttl = options->ippo_mcast_ttl;
296 imo->imo_multicast_loop = options->ippo_mcast_loop;
297 }
298
299 /* Fill out a route structure and get a route */
300 bzero(&ro, sizeof(struct route));
301 sin->sin_len = sizeof(struct sockaddr_in);
302 sin->sin_family = AF_INET;
303 sin->sin_port = 0;
304 sin->sin_addr = ip->ip_dst;
305 rtalloc(&ro);
306 if (ro.ro_rt == NULL) {
307 m_freem(m);
308 return ENETUNREACH;
309 }
310
311 /* Put ip_len and ip_off in host byte order, ip_output expects that */
312 NTOHS(ip->ip_len);
313 NTOHS(ip->ip_off);
314
315 /* Send */
316 error = ip_output(m, NULL, &ro, IP_ALLOWBROADCAST | IP_RAWOUTPUT, imo, NULL);
317
318 /* Release the route */
319 if (ro.ro_rt) {
320 rtfree(ro.ro_rt);
321 ro.ro_rt = NULL;
322 }
323
324 return error;
325 }
326
327 #if INET6
328 static errno_t
329 ipf_injectv6_out(
330 mbuf_t data,
331 ipfilter_t filter_ref,
332 ipf_pktopts_t options)
333 {
334 struct route_in6 ro;
335 struct sockaddr_in6 *sin6 = &ro.ro_dst;
336 struct ip6_hdr *ip6;
337 struct mbuf *m = (struct mbuf*)data;
338 errno_t error = 0;
339 struct m_tag *mtag = 0;
340 struct ip6_moptions *im6o = 0, ip6_moptions;
341
342 /* Make the IP header contiguous in the mbuf */
343 if ((size_t)m->m_len < sizeof(struct ip6_hdr)) {
344 m = m_pullup(m, sizeof(struct ip6_hdr));
345 if (m == NULL) return ENOMEM;
346 }
347 ip6 = (struct ip6_hdr*)m_mtod(m);
348
349 if (filter_ref != 0) {
350 mtag = m_tag_alloc(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT,
351 sizeof (ipfilter_t), M_NOWAIT);
352 if (mtag == NULL) {
353 m_freem(m);
354 return ENOMEM;
355 }
356 *(ipfilter_t*)(mtag+1) = filter_ref;
357 m_tag_prepend(m, mtag);
358 }
359
360 if (options && (options->ippo_flags & IPPOF_MCAST_OPTS)) {
361 im6o = &ip6_moptions;
362
363 bzero(im6o, sizeof(struct ip6_moptions));
364 im6o->im6o_multicast_ifp = options->ippo_mcast_ifnet;
365 im6o->im6o_multicast_hlim = options->ippo_mcast_ttl;
366 im6o->im6o_multicast_loop = options->ippo_mcast_loop;
367 }
368
369
370 /* Fill out a route structure and get a route */
371 bzero(&ro, sizeof(struct route_in6));
372 sin6->sin6_len = sizeof(struct sockaddr_in6);
373 sin6->sin6_family = AF_INET6;
374 sin6->sin6_addr = ip6->ip6_dst;
375 #if 0
376 /* This is breaks loopback multicast! */
377 /* The scope ID should already at s6_addr16[1] */
378 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
379 /* Hack, pull the scope_id out of the dest addr */
380 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
381 ip6->ip6_dst.s6_addr16[1] = 0;
382 } else
383 sin6->sin6_scope_id = 0;
384 #endif
385 rtalloc((struct route*)&ro);
386 if (ro.ro_rt == NULL) {
387 m_freem(m);
388 return ENETUNREACH;
389 }
390
391 /* Send */
392 error = ip6_output(m, NULL, &ro, 0, im6o, NULL, 0);
393
394 /* Release the route */
395 if (ro.ro_rt) {
396 rtfree(ro.ro_rt);
397 ro.ro_rt = NULL;
398 }
399
400 return error;
401 }
402 #endif /* INET6 */
403
404 errno_t
405 ipf_inject_output(
406 mbuf_t data,
407 ipfilter_t filter_ref,
408 ipf_pktopts_t options)
409 {
410 struct mbuf *m = (struct mbuf*)data;
411 u_int8_t vers;
412 errno_t error = 0;
413
414 /* Make one byte of the header contiguous in the mbuf */
415 if (m->m_len < 1) {
416 m = m_pullup(m, 1);
417 if (m == NULL)
418 goto done;
419 }
420
421 vers = (*(u_int8_t*)m_mtod(m)) >> 4;
422 switch (vers)
423 {
424 case 4:
425 error = ipf_injectv4_out(data, filter_ref, options);
426 break;
427 #if INET6
428 case 6:
429 error = ipf_injectv6_out(data, filter_ref, options);
430 break;
431 #endif
432 default:
433 m_freem(m);
434 error = ENOTSUP;
435 break;
436 }
437
438 done:
439 return error;
440 }
441
442 __private_extern__ ipfilter_t
443 ipf_get_inject_filter(struct mbuf *m)
444 {
445 ipfilter_t filter_ref = 0;
446 struct m_tag *mtag;
447
448 mtag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT, NULL);
449 if (mtag) {
450 filter_ref = *(ipfilter_t *)(mtag+1);
451
452 m_tag_delete(m, mtag);
453 }
454 return filter_ref;
455 }
456
457 __private_extern__ int
458 ipf_init(void)
459 {
460 int error = 0;
461 lck_grp_attr_t *grp_attributes = 0;
462 lck_attr_t *lck_attributes = 0;
463 lck_grp_t *lck_grp = 0;
464
465 grp_attributes = lck_grp_attr_alloc_init();
466 if (grp_attributes == 0) {
467 printf("ipf_init: lck_grp_attr_alloc_init failed\n");
468 error = ENOMEM;
469 goto done;
470 }
471
472 lck_grp = lck_grp_alloc_init("IP Filter", grp_attributes);
473 if (lck_grp == 0) {
474 printf("ipf_init: lck_grp_alloc_init failed\n");
475 error = ENOMEM;
476 goto done;
477 }
478
479 lck_attributes = lck_attr_alloc_init();
480 if (lck_attributes == 0) {
481 printf("ipf_init: lck_attr_alloc_init failed\n");
482 error = ENOMEM;
483 goto done;
484 }
485
486 kipf_lock = lck_mtx_alloc_init(lck_grp, lck_attributes);
487 if (kipf_lock == 0) {
488 printf("ipf_init: lck_mtx_alloc_init failed\n");
489 error = ENOMEM;
490 goto done;
491 }
492 done:
493 if (error != 0) {
494 if (kipf_lock) {
495 lck_mtx_free(kipf_lock, lck_grp);
496 kipf_lock = 0;
497 }
498 }
499 if (lck_grp) {
500 lck_grp_free(lck_grp);
501 lck_grp = 0;
502 }
503 if (grp_attributes) {
504 lck_grp_attr_free(grp_attributes);
505 grp_attributes = 0;
506 }
507 if (lck_attributes) {
508 lck_attr_free(lck_attributes);
509 lck_attributes = 0;
510 }
511
512 return error;
513 }