]> git.saurik.com Git - apple/xnu.git/blob - bsd/netinet/kpi_ipfilter.c
projects / apple / xnu.git / blob
? search:


ea54abae4069b899d0396c033c9f6fc02c379669
[apple/xnu.git] / bsd / netinet / kpi_ipfilter.c
1 /*
2 * Copyright (c) 2004-2018 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 #include <sys/param.h> /* for definition of NULL */
30 #include <sys/errno.h>
31 #include <sys/malloc.h>
32 #include <sys/socket.h>
33 #include <sys/mbuf.h>
34 #include <sys/systm.h>
35 #include <libkern/OSAtomic.h>
36
37 #include <machine/endian.h>
38
39 #define _IP_VHL
40 #include <net/if_var.h>
41 #include <net/route.h>
42 #include <net/kpi_protocol.h>
43 #include <net/net_api_stats.h>
44
45 #include <netinet/in_systm.h>
46 #include <netinet/in.h>
47 #include <netinet/in_var.h>
48 #include <netinet6/in6_var.h>
49 #include <netinet/ip.h>
50 #include <netinet/ip6.h>
51 #include <netinet/ip_var.h>
52 #include <netinet6/ip6_var.h>
53 #include <netinet/kpi_ipfilter_var.h>
54
55 #include <stdbool.h>
56
57 /*
58 * kipf_lock and kipf_ref protect the linkage of the list of IP filters
59 * An IP filter can be removed only when kipf_ref is zero
60 * If an IP filter cannot be removed because kipf_ref is not null, then
61 * the IP filter is marjed and kipf_delayed_remove is set so that when
62 * kipf_ref eventually goes down to zero, the IP filter is removed
63 */
64 decl_lck_mtx_data(static, kipf_lock_data);
65 static lck_mtx_t *kipf_lock = &kipf_lock_data;
66 static u_int32_t kipf_ref = 0;
67 static u_int32_t kipf_delayed_remove = 0;
68 u_int32_t kipf_count = 0;
69
70 __private_extern__ struct ipfilter_list ipv4_filters = TAILQ_HEAD_INITIALIZER(ipv4_filters);
71 __private_extern__ struct ipfilter_list ipv6_filters = TAILQ_HEAD_INITIALIZER(ipv6_filters);
72 __private_extern__ struct ipfilter_list tbr_filters = TAILQ_HEAD_INITIALIZER(tbr_filters);
73
74 #undef ipf_addv4
75 #undef ipf_addv6
76 extern errno_t ipf_addv4(const struct ipf_filter *filter,
77 ipfilter_t *filter_ref);
78 extern errno_t ipf_addv6(const struct ipf_filter *filter,
79 ipfilter_t *filter_ref);
80
81 static errno_t ipf_add(const struct ipf_filter *filter,
82 ipfilter_t *filter_ref, struct ipfilter_list *head, bool is_internal);
83
84 __private_extern__ void
85 ipf_ref(void)
86 {
87 lck_mtx_lock(kipf_lock);
88 kipf_ref++;
89 lck_mtx_unlock(kipf_lock);
90 }
91
92 __private_extern__ void
93 ipf_unref(void)
94 {
95 lck_mtx_lock(kipf_lock);
96
97 if (kipf_ref == 0)
98 panic("ipf_unref: kipf_ref == 0\n");
99
100 kipf_ref--;
101 if (kipf_ref == 0 && kipf_delayed_remove != 0) {
102 struct ipfilter *filter;
103
104 while ((filter = TAILQ_FIRST(&tbr_filters))) {
105 VERIFY(OSDecrementAtomic64(&net_api_stats.nas_ipf_add_count) > 0);
106
107 ipf_detach_func ipf_detach = filter->ipf_filter.ipf_detach;
108 void* cookie = filter->ipf_filter.cookie;
109
110 TAILQ_REMOVE(filter->ipf_head, filter, ipf_link);
111 TAILQ_REMOVE(&tbr_filters, filter, ipf_tbr);
112 kipf_delayed_remove--;
113
114 if (ipf_detach) {
115 lck_mtx_unlock(kipf_lock);
116 ipf_detach(cookie);
117 lck_mtx_lock(kipf_lock);
118 /* In case some filter got to run while we released the lock */
119 if (kipf_ref != 0)
120 break;
121 }
122 }
123 }
124 lck_mtx_unlock(kipf_lock);
125 }
126
127 static errno_t
128 ipf_add(
129 const struct ipf_filter *filter,
130 ipfilter_t *filter_ref,
131 struct ipfilter_list *head,
132 bool is_internal)
133 {
134 struct ipfilter *new_filter;
135 if (filter->name == NULL || (filter->ipf_input == NULL && filter->ipf_output == NULL))
136 return (EINVAL);
137
138 MALLOC(new_filter, struct ipfilter *, sizeof(*new_filter), M_IFADDR, M_WAITOK);
139 if (new_filter == NULL)
140 return (ENOMEM);
141
142 lck_mtx_lock(kipf_lock);
143 new_filter->ipf_filter = *filter;
144 new_filter->ipf_head = head;
145
146 TAILQ_INSERT_HEAD(head, new_filter, ipf_link);
147
148 OSIncrementAtomic64(&net_api_stats.nas_ipf_add_count);
149 INC_ATOMIC_INT64_LIM(net_api_stats.nas_ipf_add_total);
150 if (is_internal) {
151 INC_ATOMIC_INT64_LIM(net_api_stats.nas_ipf_add_os_total);
152 }
153
154 lck_mtx_unlock(kipf_lock);
155
156 *filter_ref = (ipfilter_t)new_filter;
157
158 /* This will force TCP to re-evaluate its use of TSO */
159 OSAddAtomic(1, &kipf_count);
160 routegenid_update();
161
162 return (0);
163 }
164
165 errno_t
166 ipf_addv4_internal(
167 const struct ipf_filter *filter,
168 ipfilter_t *filter_ref)
169 {
170 return (ipf_add(filter, filter_ref, &ipv4_filters, true));
171 }
172
173 errno_t
174 ipf_addv4(
175 const struct ipf_filter *filter,
176 ipfilter_t *filter_ref)
177 {
178 return (ipf_add(filter, filter_ref, &ipv4_filters, false));
179 }
180
181 errno_t
182 ipf_addv6_internal(
183 const struct ipf_filter *filter,
184 ipfilter_t *filter_ref)
185 {
186 return (ipf_add(filter, filter_ref, &ipv6_filters, true));
187 }
188
189 errno_t
190 ipf_addv6(
191 const struct ipf_filter *filter,
192 ipfilter_t *filter_ref)
193 {
194 return (ipf_add(filter, filter_ref, &ipv6_filters, false));
195 }
196
197 static errno_t
198 ipf_input_detached(void *cookie, mbuf_t *data, int offset, u_int8_t protocol)
199 {
200 #pragma unused(cookie, data, offset, protocol)
201
202 #if DEBUG
203 printf("ipf_input_detached\n");
204 #endif /* DEBUG */
205
206 return (0);
207 }
208
209 static errno_t
210 ipf_output_detached(void *cookie, mbuf_t *data, ipf_pktopts_t options)
211 {
212 #pragma unused(cookie, data, options)
213
214 #if DEBUG
215 printf("ipf_output_detached\n");
216 #endif /* DEBUG */
217
218 return (0);
219 }
220
221 errno_t
222 ipf_remove(
223 ipfilter_t filter_ref)
224 {
225 struct ipfilter *match = (struct ipfilter *)filter_ref;
226 struct ipfilter_list *head;
227
228 if (match == 0 || (match->ipf_head != &ipv4_filters && match->ipf_head != &ipv6_filters))
229 return (EINVAL);
230
231 head = match->ipf_head;
232
233 lck_mtx_lock(kipf_lock);
234 TAILQ_FOREACH(match, head, ipf_link) {
235 if (match == (struct ipfilter *)filter_ref) {
236 ipf_detach_func ipf_detach = match->ipf_filter.ipf_detach;
237 void* cookie = match->ipf_filter.cookie;
238
239 /*
240 * Cannot detach when they are filters running
241 */
242 if (kipf_ref) {
243 kipf_delayed_remove++;
244 TAILQ_INSERT_TAIL(&tbr_filters, match, ipf_tbr);
245 match->ipf_filter.ipf_input = ipf_input_detached;
246 match->ipf_filter.ipf_output = ipf_output_detached;
247 lck_mtx_unlock(kipf_lock);
248 } else {
249 VERIFY(OSDecrementAtomic64(&net_api_stats.nas_ipf_add_count) > 0);
250
251 TAILQ_REMOVE(head, match, ipf_link);
252 lck_mtx_unlock(kipf_lock);
253
254 if (ipf_detach)
255 ipf_detach(cookie);
256 FREE(match, M_IFADDR);
257
258 /* This will force TCP to re-evaluate its use of TSO */
259 OSAddAtomic(-1, &kipf_count);
260 routegenid_update();
261
262 }
263 return (0);
264 }
265 }
266 lck_mtx_unlock(kipf_lock);
267
268 return (ENOENT);
269 }
270
271 int log_for_en1 = 0;
272
273 errno_t
274 ipf_inject_input(
275 mbuf_t data,
276 ipfilter_t filter_ref)
277 {
278 struct mbuf *m = (struct mbuf *)data;
279 struct m_tag *mtag = 0;
280 struct ip *ip = mtod(m, struct ip *);
281 u_int8_t vers;
282 int hlen;
283 errno_t error = 0;
284 protocol_family_t proto;
285
286 vers = IP_VHL_V(ip->ip_vhl);
287
288 switch (vers) {
289 case 4:
290 proto = PF_INET;
291 break;
292 case 6:
293 proto = PF_INET6;
294 break;
295 default:
296 error = ENOTSUP;
297 goto done;
298 }
299
300 if (filter_ref == 0 && m->m_pkthdr.rcvif == 0) {
301 m->m_pkthdr.rcvif = lo_ifp;
302 m->m_pkthdr.csum_data = 0;
303 m->m_pkthdr.csum_flags = 0;
304 if (vers == 4) {
305 hlen = IP_VHL_HL(ip->ip_vhl) << 2;
306 ip->ip_sum = 0;
307 ip->ip_sum = in_cksum(m, hlen);
308 }
309 }
310 if (filter_ref != 0) {
311 mtag = m_tag_create(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT,
312 sizeof (ipfilter_t), M_NOWAIT, m);
313 if (mtag == NULL) {
314 error = ENOMEM;
315 goto done;
316 }
317 *(ipfilter_t *)(mtag+1) = filter_ref;
318 m_tag_prepend(m, mtag);
319 }
320
321 error = proto_inject(proto, data);
322
323 done:
324 return (error);
325 }
326
327 static errno_t
328 ipf_injectv4_out(mbuf_t data, ipfilter_t filter_ref, ipf_pktopts_t options)
329 {
330 struct route ro;
331 struct ip *ip;
332 struct mbuf *m = (struct mbuf *)data;
333 errno_t error = 0;
334 struct m_tag *mtag = NULL;
335 struct ip_moptions *imo = NULL;
336 struct ip_out_args ipoa;
337
338 bzero(&ipoa, sizeof(ipoa));
339 ipoa.ipoa_boundif = IFSCOPE_NONE;
340 ipoa.ipoa_sotc = SO_TC_UNSPEC;
341 ipoa.ipoa_netsvctype = _NET_SERVICE_TYPE_UNSPEC;
342
343 /* Make the IP header contiguous in the mbuf */
344 if ((size_t)m->m_len < sizeof (struct ip)) {
345 m = m_pullup(m, sizeof (struct ip));
346 if (m == NULL)
347 return (ENOMEM);
348 }
349 ip = (struct ip *)m_mtod(m);
350
351 if (filter_ref != 0) {
352 mtag = m_tag_create(KERNEL_MODULE_TAG_ID,
353 KERNEL_TAG_TYPE_IPFILT, sizeof (ipfilter_t), M_NOWAIT, m);
354 if (mtag == NULL) {
355 m_freem(m);
356 return (ENOMEM);
357 }
358 *(ipfilter_t *)(mtag + 1) = filter_ref;
359 m_tag_prepend(m, mtag);
360 }
361
362 if (options != NULL && (options->ippo_flags & IPPOF_MCAST_OPTS) &&
363 (imo = ip_allocmoptions(M_DONTWAIT)) != NULL) {
364 imo->imo_multicast_ifp = options->ippo_mcast_ifnet;
365 imo->imo_multicast_ttl = options->ippo_mcast_ttl;
366 imo->imo_multicast_loop = options->ippo_mcast_loop;
367 }
368
369 if (options != NULL) {
370 if (options->ippo_flags & IPPOF_SELECT_SRCIF)
371 ipoa.ipoa_flags |= IPOAF_SELECT_SRCIF;
372 if (options->ippo_flags & IPPOF_BOUND_IF) {
373 ipoa.ipoa_flags |= IPOAF_BOUND_IF;
374 ipoa.ipoa_boundif = options->ippo_flags >>
375 IPPOF_SHIFT_IFSCOPE;
376 }
377 if (options->ippo_flags & IPPOF_NO_IFT_CELLULAR)
378 ipoa.ipoa_flags |= IPOAF_NO_CELLULAR;
379 if (options->ippo_flags & IPPOF_BOUND_SRCADDR)
380 ipoa.ipoa_flags |= IPOAF_BOUND_SRCADDR;
381 if (options->ippo_flags & IPPOF_NO_IFF_EXPENSIVE)
382 ipoa.ipoa_flags |= IPOAF_NO_EXPENSIVE;
383 }
384
385 bzero(&ro, sizeof(struct route));
386
387 /* Put ip_len and ip_off in host byte order, ip_output expects that */
388
389 #if BYTE_ORDER != BIG_ENDIAN
390 NTOHS(ip->ip_len);
391 NTOHS(ip->ip_off);
392 #endif
393
394 /* Send; enforce source interface selection via IP_OUTARGS flag */
395 error = ip_output(m, NULL, &ro,
396 IP_ALLOWBROADCAST | IP_RAWOUTPUT | IP_OUTARGS, imo, &ipoa);
397
398 /* Release the route */
399 ROUTE_RELEASE(&ro);
400
401 if (imo != NULL)
402 IMO_REMREF(imo);
403
404 return (error);
405 }
406
407 #if INET6
408 static errno_t
409 ipf_injectv6_out(mbuf_t data, ipfilter_t filter_ref, ipf_pktopts_t options)
410 {
411 struct route_in6 ro;
412 struct ip6_hdr *ip6;
413 struct mbuf *m = (struct mbuf *)data;
414 errno_t error = 0;
415 struct m_tag *mtag = NULL;
416 struct ip6_moptions *im6o = NULL;
417 struct ip6_out_args ip6oa;
418
419 bzero(&ip6oa, sizeof(ip6oa));
420 ip6oa.ip6oa_boundif = IFSCOPE_NONE;
421 ip6oa.ip6oa_sotc = SO_TC_UNSPEC;
422 ip6oa.ip6oa_netsvctype = _NET_SERVICE_TYPE_UNSPEC;
423
424 /* Make the IP header contiguous in the mbuf */
425 if ((size_t)m->m_len < sizeof(struct ip6_hdr)) {
426 m = m_pullup(m, sizeof(struct ip6_hdr));
427 if (m == NULL)
428 return (ENOMEM);
429 }
430 ip6 = (struct ip6_hdr *)m_mtod(m);
431
432 if (filter_ref != 0) {
433 mtag = m_tag_create(KERNEL_MODULE_TAG_ID,
434 KERNEL_TAG_TYPE_IPFILT, sizeof (ipfilter_t), M_NOWAIT, m);
435 if (mtag == NULL) {
436 m_freem(m);
437 return (ENOMEM);
438 }
439 *(ipfilter_t *)(mtag + 1) = filter_ref;
440 m_tag_prepend(m, mtag);
441 }
442
443 if (options != NULL && (options->ippo_flags & IPPOF_MCAST_OPTS) &&
444 (im6o = ip6_allocmoptions(M_DONTWAIT)) != NULL) {
445 im6o->im6o_multicast_ifp = options->ippo_mcast_ifnet;
446 im6o->im6o_multicast_hlim = options->ippo_mcast_ttl;
447 im6o->im6o_multicast_loop = options->ippo_mcast_loop;
448 }
449
450 if (options != NULL) {
451 if (options->ippo_flags & IPPOF_SELECT_SRCIF)
452 ip6oa.ip6oa_flags |= IP6OAF_SELECT_SRCIF;
453 if (options->ippo_flags & IPPOF_BOUND_IF) {
454 ip6oa.ip6oa_flags |= IP6OAF_BOUND_IF;
455 ip6oa.ip6oa_boundif = options->ippo_flags >>
456 IPPOF_SHIFT_IFSCOPE;
457 }
458 if (options->ippo_flags & IPPOF_NO_IFT_CELLULAR)
459 ip6oa.ip6oa_flags |= IP6OAF_NO_CELLULAR;
460 if (options->ippo_flags & IPPOF_BOUND_SRCADDR)
461 ip6oa.ip6oa_flags |= IP6OAF_BOUND_SRCADDR;
462 if (options->ippo_flags & IPPOF_NO_IFF_EXPENSIVE)
463 ip6oa.ip6oa_flags |= IP6OAF_NO_EXPENSIVE;
464 }
465
466 bzero(&ro, sizeof(struct route_in6));
467
468 /*
469 * Send mbuf and ifscope information. Check for correctness
470 * of ifscope information is done while searching for a route in
471 * ip6_output.
472 */
473 error = ip6_output(m, NULL, &ro, IPV6_OUTARGS, im6o, NULL, &ip6oa);
474
475 /* Release the route */
476 ROUTE_RELEASE(&ro);
477
478 if (im6o != NULL)
479 IM6O_REMREF(im6o);
480
481 return (error);
482 }
483 #endif /* INET6 */
484
485 errno_t
486 ipf_inject_output(
487 mbuf_t data,
488 ipfilter_t filter_ref,
489 ipf_pktopts_t options)
490 {
491 struct mbuf *m = (struct mbuf *)data;
492 u_int8_t vers;
493 errno_t error = 0;
494
495 /* Make one byte of the header contiguous in the mbuf */
496 if (m->m_len < 1) {
497 m = m_pullup(m, 1);
498 if (m == NULL)
499 goto done;
500 }
501
502 vers = (*(u_int8_t *)m_mtod(m)) >> 4;
503 switch (vers) {
504 case 4:
505 error = ipf_injectv4_out(data, filter_ref, options);
506 break;
507 #if INET6
508 case 6:
509 error = ipf_injectv6_out(data, filter_ref, options);
510 break;
511 #endif
512 default:
513 m_freem(m);
514 error = ENOTSUP;
515 break;
516 }
517
518 done:
519 return (error);
520 }
521
522 __private_extern__ ipfilter_t
523 ipf_get_inject_filter(struct mbuf *m)
524 {
525 ipfilter_t filter_ref = 0;
526 struct m_tag *mtag;
527
528 mtag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT, NULL);
529 if (mtag) {
530 filter_ref = *(ipfilter_t *)(mtag+1);
531
532 m_tag_delete(m, mtag);
533 }
534 return (filter_ref);
535 }
536
537 __private_extern__ int
538 ipf_init(void)
539 {
540 int error = 0;
541 lck_grp_attr_t *grp_attributes = 0;
542 lck_attr_t *lck_attributes = 0;
543 lck_grp_t *lck_grp = 0;
544
545 grp_attributes = lck_grp_attr_alloc_init();
546 if (grp_attributes == 0) {
547 printf("ipf_init: lck_grp_attr_alloc_init failed\n");
548 error = ENOMEM;
549 goto done;
550 }
551
552 lck_grp = lck_grp_alloc_init("IP Filter", grp_attributes);
553 if (lck_grp == 0) {
554 printf("ipf_init: lck_grp_alloc_init failed\n");
555 error = ENOMEM;
556 goto done;
557 }
558
559 lck_attributes = lck_attr_alloc_init();
560 if (lck_attributes == 0) {
561 printf("ipf_init: lck_attr_alloc_init failed\n");
562 error = ENOMEM;
563 goto done;
564 }
565
566 lck_mtx_init(kipf_lock, lck_grp, lck_attributes);
567
568 done:
569 if (lck_grp) {
570 lck_grp_free(lck_grp);
571 lck_grp = 0;
572 }
573 if (grp_attributes) {
574 lck_grp_attr_free(grp_attributes);
575 grp_attributes = 0;
576 }
577 if (lck_attributes) {
578 lck_attr_free(lck_attributes);
579 lck_attributes = 0;
580 }
581
582 return (error);
583 }
mirror of XNU