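Lines matching references to kernel_policy

Each entry gives the source line number, the matching line (an ellipsis marks text the listing truncated), and the enclosing function; "local" and "argument" mark the lines where kernel_policy is declared as a local variable or a function parameter.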

4707 	struct necp_kernel_socket_policy *kernel_policy = NULL;  in necp_kernel_socket_policy_find()  local
4714 LIST_FOREACH_SAFE(kernel_policy, &necp_kernel_socket_policies, chain, tmp_kernel_policy) { in necp_kernel_socket_policy_find()
4715 if (kernel_policy->id == policy_id) { in necp_kernel_socket_policy_find()
4716 return kernel_policy; in necp_kernel_socket_policy_find()
5241 struct necp_kernel_socket_policy *kernel_policy = NULL; in necp_kernel_socket_policies_reprocess() local
5273 LIST_FOREACH(kernel_policy, &necp_kernel_socket_policies, chain) { in necp_kernel_socket_policies_reprocess()
5275 necp_kernel_application_policies_condition_mask |= kernel_policy->condition_mask; in necp_kernel_socket_policies_reprocess()
5279 if ((kernel_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE)) { in necp_kernel_socket_policies_reprocess()
5285 necp_kernel_socket_policies_condition_mask |= kernel_policy->condition_mask; in necp_kernel_socket_policies_reprocess()
5288 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) || in necp_kernel_socket_policies_reprocess()
5289 kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_APP_ID) { in necp_kernel_socket_policies_reprocess()
5295 …necp_kernel_socket_policies_map_counts[NECP_SOCKET_MAP_APP_ID_TO_BUCKET(kernel_policy->cond_app_id… in necp_kernel_socket_policies_reprocess()
5318 LIST_FOREACH(kernel_policy, &necp_kernel_socket_policies, chain) { in necp_kernel_socket_policies_reprocess()
5320 …if (!necp_dedup_policies || !necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_s… in necp_kernel_socket_policies_reprocess()
5321 necp_kernel_socket_policies_app_layer_map[app_layer_current_free_index] = kernel_policy; in necp_kernel_socket_policies_reprocess()
5326 if ((kernel_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE)) { in necp_kernel_socket_policies_reprocess()
5332 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) || in necp_kernel_socket_policies_reprocess()
5333 kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_APP_ID) { in necp_kernel_socket_policies_reprocess()
5335 …if (!necp_dedup_policies || !necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_s… in necp_kernel_socket_policies_reprocess()
5336 (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = kernel_policy; in necp_kernel_socket_policies_reprocess()
5342 app_i = NECP_SOCKET_MAP_APP_ID_TO_BUCKET(kernel_policy->cond_app_id); in necp_kernel_socket_policies_reprocess()
5343 …if (!necp_dedup_policies || !necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_s… in necp_kernel_socket_policies_reprocess()
5344 (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = kernel_policy; in necp_kernel_socket_policies_reprocess()
6437 struct necp_kernel_ip_output_policy *kernel_policy = NULL; in necp_kernel_ip_output_policy_find() local
6444 LIST_FOREACH_SAFE(kernel_policy, &necp_kernel_ip_output_policies, chain, tmp_kernel_policy) { in necp_kernel_ip_output_policy_find()
6445 if (kernel_policy->id == policy_id) { in necp_kernel_ip_output_policy_find()
6446 return kernel_policy; in necp_kernel_ip_output_policy_find()
6655 struct necp_kernel_ip_output_policy *kernel_policy = NULL; in necp_kernel_ip_output_policies_reprocess() local
6676 LIST_FOREACH(kernel_policy, &necp_kernel_ip_output_policies, chain) { in necp_kernel_ip_output_policies_reprocess()
6678 necp_kernel_ip_output_policies_condition_mask |= kernel_policy->condition_mask; in necp_kernel_ip_output_policies_reprocess()
6685 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID) || in necp_kernel_ip_output_policies_reprocess()
6686 (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) || in necp_kernel_ip_output_policies_reprocess()
6687 kernel_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) { in necp_kernel_ip_output_policies_reprocess()
6692 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID)) { in necp_kernel_ip_output_policies_reprocess()
6695 …necp_kernel_ip_output_policies_map_counts[NECP_IP_OUTPUT_MAP_ID_TO_BUCKET(kernel_policy->cond_poli… in necp_kernel_ip_output_policies_reprocess()
6714 LIST_FOREACH(kernel_policy, &necp_kernel_ip_output_policies, chain) { in necp_kernel_ip_output_policies_reprocess()
6718 if (current_session_order != kernel_policy->session_order) { in necp_kernel_ip_output_policies_reprocess()
6719 current_session_order = kernel_policy->session_order; in necp_kernel_ip_output_policies_reprocess()
6738 if (kernel_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) { in necp_kernel_ip_output_policies_reprocess()
6743 if (kernel_policy->order >= current_session_last_non_skip_policy) { in necp_kernel_ip_output_policies_reprocess()
6750 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID) || in necp_kernel_ip_output_policies_reprocess()
6751 (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) || in necp_kernel_ip_output_policies_reprocess()
6752 kernel_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) { in necp_kernel_ip_output_policies_reprocess()
6754 …if (!necp_dedup_policies || !necp_kernel_ip_output_policy_is_unnecessary(kernel_policy, necp_kerne… in necp_kernel_ip_output_policies_reprocess()
6755 (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = kernel_policy; in necp_kernel_ip_output_policies_reprocess()
6761 i = NECP_IP_OUTPUT_MAP_ID_TO_BUCKET(kernel_policy->cond_policy_id); in necp_kernel_ip_output_policies_reprocess()
6762 …if (!necp_dedup_policies || !necp_kernel_ip_output_policy_is_unnecessary(kernel_policy, necp_kerne… in necp_kernel_ip_output_policies_reprocess()
6763 (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = kernel_policy; in necp_kernel_ip_output_policies_reprocess()
8331 necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, necp_app_id app_id, necp_… in necp_socket_check_policy() argument
8333 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES)) { in necp_socket_check_policy()
8334 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) { in necp_socket_check_policy()
8335 …u_int32_t cond_bound_interface_index = kernel_policy->cond_bound_interface ? kernel_policy->cond_b… in necp_socket_check_policy()
8336 …NECP_DATA_TRACE_LOG_CONDITION(debug, "SOCKET", kernel_policy->condition_negated_mask & NECP_KERNEL… in necp_socket_check_policy()
8338 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) { in necp_socket_check_policy()
8350 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS) { in necp_socket_check_policy()
8351 …NECP_DATA_TRACE_LOG_CONDITION(debug, "SOCKET", kernel_policy->condition_negated_mask & NECP_KERNEL… in necp_socket_check_policy()
8352 …"NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS - flags", kernel_policy->cond_bound_interface_flags, … in necp_socket_check_policy()
8353 …NECP_DATA_TRACE_LOG_CONDITION(debug, "SOCKET", kernel_policy->condition_negated_mask & NECP_KERNEL… in necp_socket_check_policy()
8354 …"NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS - eflags", kernel_policy->cond_bound_interface_eflags… in necp_socket_check_policy()
8355 …NECP_DATA_TRACE_LOG_CONDITION(debug, "SOCKET", kernel_policy->condition_negated_mask & NECP_KERNEL… in necp_socket_check_policy()
8356 …"NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS - xflags", kernel_policy->cond_bound_interface_xflags… in necp_socket_check_policy()
8357 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS) { in necp_socket_check_policy()
8358 …if ((kernel_policy->cond_bound_interface_flags && (bound_interface_flags & kernel_policy->cond_bou… in necp_socket_check_policy()
8359 …(kernel_policy->cond_bound_interface_eflags && (bound_interface_eflags & kernel_policy->cond_bound… in necp_socket_check_policy()
8360 …(kernel_policy->cond_bound_interface_xflags && (bound_interface_xflags & kernel_policy->cond_bound… in necp_socket_check_policy()
8365 …if ((kernel_policy->cond_bound_interface_flags && !(bound_interface_flags & kernel_policy->cond_bo… in necp_socket_check_policy()
8366 …(kernel_policy->cond_bound_interface_eflags && !(bound_interface_eflags & kernel_policy->cond_boun… in necp_socket_check_policy()
8367 …(kernel_policy->cond_bound_interface_xflags && !(bound_interface_xflags & kernel_policy->cond_boun… in necp_socket_check_policy()
8373 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) && in necp_socket_check_policy()
8374 !(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS)) { in necp_socket_check_policy()
8383 if (kernel_policy->condition_mask == 0) { in necp_socket_check_policy()
8387 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) { in necp_socket_check_policy()
8388 …NECP_DATA_TRACE_LOG_CONDITION(debug, "SOCKET", kernel_policy->condition_negated_mask & NECP_KERNEL… in necp_socket_check_policy()
8389 "NECP_KERNEL_CONDITION_APP_ID", kernel_policy->cond_app_id, app_id); in necp_socket_check_policy()
8390 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_APP_ID) { in necp_socket_check_policy()
8391 if (app_id == kernel_policy->cond_app_id) { in necp_socket_check_policy()
8396 if (app_id != kernel_policy->cond_app_id) { in necp_socket_check_policy()
8403 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_SIGNING_IDENTIFIER || in necp_socket_check_policy()
8404 kernel_policy->condition_mask & NECP_KERNEL_CONDITION_SIGNING_IDENTIFIER) { in necp_socket_check_policy()
8407 …NECP_DATA_TRACE_LOG_CONDITION_STR(debug, "SOCKET", kernel_policy->condition_negated_mask & NECP_KE… in necp_socket_check_policy()
8409 kernel_policy->cond_signing_identifier ? kernel_policy->cond_signing_identifier : "<n/a>", in necp_socket_check_policy()
8413 if (memcmp(signing_id, kernel_policy->cond_signing_identifier, signing_id_size) == 0) { in necp_socket_check_policy()
8418 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_SIGNING_IDENTIFIER) { in necp_socket_check_policy()
8430 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) { in necp_socket_check_policy()
8431 …NECP_DATA_TRACE_LOG_CONDITION(debug, "SOCKET", kernel_policy->condition_negated_mask & NECP_KERNEL… in necp_socket_check_policy()
8433 kernel_policy->cond_real_app_id, real_app_id); in necp_socket_check_policy()
8434 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) { in necp_socket_check_policy()
8435 if (real_app_id == kernel_policy->cond_real_app_id) { in necp_socket_check_policy()
8440 if (real_app_id != kernel_policy->cond_real_app_id) { in necp_socket_check_policy()
8447 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_HAS_CLIENT) { in necp_socket_check_policy()
8454 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT) { in necp_socket_check_policy()
8462 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PLATFORM_BINARY) { in necp_socket_check_policy()
8470 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_SYSTEM_SIGNED_RESULT) { in necp_socket_check_policy()
8478 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_SDK_VERSION) { in necp_socket_check_policy()
8481 kernel_policy->cond_sdk_version.platform, in necp_socket_check_policy()
8482 kernel_policy->cond_sdk_version.min_version, in necp_socket_check_policy()
8483 kernel_policy->cond_sdk_version.version, in necp_socket_check_policy()
8487 if (kernel_policy->cond_sdk_version.platform != 0) { in necp_socket_check_policy()
8488 if (kernel_policy->cond_sdk_version.platform != proc_platform(proc)) { in necp_socket_check_policy()
8494 if (kernel_policy->cond_sdk_version.min_version != 0) { in necp_socket_check_policy()
8495 if (kernel_policy->cond_sdk_version.min_version > proc_min_sdk(proc)) { in necp_socket_check_policy()
8501 if (kernel_policy->cond_sdk_version.version != 0) { in necp_socket_check_policy()
8502 if (kernel_policy->cond_sdk_version.version > proc_sdk(proc)) { in necp_socket_check_policy()
8510 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT) { in necp_socket_check_policy()
8511 …, "SOCKET", false, "NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT", "n/a", kernel_policy->cond_custom_e… in necp_socket_check_policy()
8512 if (kernel_policy->cond_custom_entitlement != NULL) { in necp_socket_check_policy()
8519 !IOTaskHasEntitlement(task, kernel_policy->cond_custom_entitlement)) { in necp_socket_check_policy()
8526 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_EXACT_DOMAIN) { in necp_socket_check_policy()
8527 …NECP_DATA_TRACE_LOG_CONDITION_STR(debug, "SOCKET", kernel_policy->condition_negated_mask & NECP_KE… in necp_socket_check_policy()
8528 "NECP_KERNEL_CONDITION_EXACT_DOMAIN", kernel_policy->cond_domain, domain.string); in necp_socket_check_policy()
8530 bool domain_matches = (domain_dot_count == kernel_policy->cond_domain_dot_count && in necp_socket_check_policy()
8531 …necp_hostname_matches_domain(domain, domain_dot_count, kernel_policy->cond_domain, kernel_policy->… in necp_socket_check_policy()
8532 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_EXACT_DOMAIN) { in necp_socket_check_policy()
8543 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_DOMAIN) { in necp_socket_check_policy()
8544 …NECP_DATA_TRACE_LOG_CONDITION_STR(debug, "SOCKET", kernel_policy->condition_negated_mask & NECP_KE… in necp_socket_check_policy()
8545 "NECP_KERNEL_CONDITION_DOMAIN", kernel_policy->cond_domain, domain.string); in necp_socket_check_policy()
8546 … necp_hostname_matches_domain(domain, domain_dot_count, kernel_policy->cond_domain, kernel_policy-… in necp_socket_check_policy()
8547 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_DOMAIN) { in necp_socket_check_policy()
8560 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_DOMAIN_FILTER) { in necp_socket_check_policy()
8561 … *filter = necp_lookup_domain_filter(&necp_global_domain_filter_list, kernel_policy->cond_domain_f… in necp_socket_check_policy()
8564 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_DOMAIN_FILTER) { in necp_socket_check_policy()
8578 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_URL) { in necp_socket_check_policy()
8579 …NECP_DATA_TRACE_LOG_CONDITION_STR(debug, "SOCKET", kernel_policy->condition_negated_mask & NECP_KE… in necp_socket_check_policy()
8580 "NECP_KERNEL_CONDITION_URL", kernel_policy->cond_url, url); in necp_socket_check_policy()
8581 …bool url_matches = (url ? strncasecmp(kernel_policy->cond_url, url, strlen(kernel_policy->cond_url… in necp_socket_check_policy()
8582 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_URL) { in necp_socket_check_policy()
8595 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID) { in necp_socket_check_policy()
8596 …NECP_DATA_TRACE_LOG_CONDITION(debug, "SOCKET", kernel_policy->condition_negated_mask & NECP_KERNEL… in necp_socket_check_policy()
8598 kernel_policy->cond_account_id, account_id); in necp_socket_check_policy()
8599 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID) { in necp_socket_check_policy()
8600 if (account_id == kernel_policy->cond_account_id) { in necp_socket_check_policy()
8605 if (account_id != kernel_policy->cond_account_id) { in necp_socket_check_policy()
8612 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PID) { in necp_socket_check_policy()
8613 …NECP_DATA_TRACE_LOG_CONDITION(debug, "SOCKET", kernel_policy->condition_negated_mask & NECP_KERNEL… in necp_socket_check_policy()
8615 kernel_policy->cond_pid, pid); in necp_socket_check_policy()
8616 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PID) { in necp_socket_check_policy()
8617 if (pid == kernel_policy->cond_pid) { in necp_socket_check_policy()
8621 if (kernel_policy->cond_pid_version != 0 && pid_version == kernel_policy->cond_pid_version) { in necp_socket_check_policy()
8625 if (pid != kernel_policy->cond_pid) { in necp_socket_check_policy()
8629 if (kernel_policy->cond_pid_version != 0 && pid_version != kernel_policy->cond_pid_version) { in necp_socket_check_policy()
8635 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_UID) { in necp_socket_check_policy()
8636 …NECP_DATA_TRACE_LOG_CONDITION(debug, "SOCKET", kernel_policy->condition_negated_mask & NECP_KERNEL… in necp_socket_check_policy()
8638 kernel_policy->cond_uid, uid); in necp_socket_check_policy()
8639 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_UID) { in necp_socket_check_policy()
8640 if (uid == kernel_policy->cond_uid) { in necp_socket_check_policy()
8645 if (uid != kernel_policy->cond_uid) { in necp_socket_check_policy()
8652 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REAL_UID) { in necp_socket_check_policy()
8653 …NECP_DATA_TRACE_LOG_CONDITION(debug, "SOCKET", kernel_policy->condition_negated_mask & NECP_KERNEL… in necp_socket_check_policy()
8655 kernel_policy->cond_real_uid, real_uid); in necp_socket_check_policy()
8656 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REAL_UID) { in necp_socket_check_policy()
8657 if (real_uid == kernel_policy->cond_real_uid) { in necp_socket_check_policy()
8662 if (real_uid != kernel_policy->cond_real_uid) { in necp_socket_check_policy()
8669 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) { in necp_socket_check_policy()
8671 kernel_policy->cond_traffic_class.start_tc, kernel_policy->cond_traffic_class.end_tc, 0, in necp_socket_check_policy()
8673 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) { in necp_socket_check_policy()
8674 if (traffic_class >= kernel_policy->cond_traffic_class.start_tc && in necp_socket_check_policy()
8675 traffic_class <= kernel_policy->cond_traffic_class.end_tc) { in necp_socket_check_policy()
8680 if (traffic_class < kernel_policy->cond_traffic_class.start_tc || in necp_socket_check_policy()
8681 traffic_class > kernel_policy->cond_traffic_class.end_tc) { in necp_socket_check_policy()
8688 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PROTOCOL) { in necp_socket_check_policy()
8689 …NECP_DATA_TRACE_LOG_CONDITION(debug, "SOCKET", kernel_policy->condition_negated_mask & NECP_KERNEL… in necp_socket_check_policy()
8691 kernel_policy->cond_protocol, protocol); in necp_socket_check_policy()
8692 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PROTOCOL) { in necp_socket_check_policy()
8693 if (protocol == kernel_policy->cond_protocol) { in necp_socket_check_policy()
8698 if (protocol != kernel_policy->cond_protocol) { in necp_socket_check_policy()
8705 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE) { in necp_socket_check_policy()
8707 kernel_policy->cond_agent_type.agent_domain, kernel_policy->cond_agent_type.agent_type, "n/a", in necp_socket_check_policy()
8712 if ((strlen(kernel_policy->cond_agent_type.agent_domain) == 0 || in necp_socket_check_policy()
8713 …strncmp(required_agent_type->netagent_domain, kernel_policy->cond_agent_type.agent_domain, NETAGEN… in necp_socket_check_policy()
8714 (strlen(kernel_policy->cond_agent_type.agent_type) == 0 || in necp_socket_check_policy()
8715 …strncmp(required_agent_type->netagent_type, kernel_policy->cond_agent_type.agent_type, NETAGENT_TY… in necp_socket_check_policy()
8726 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) { in necp_socket_check_policy()
8744 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) { in necp_socket_check_policy()
8745 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) { in necp_socket_check_policy()
8746 …ruct sockaddr *)local, (struct sockaddr *)&kernel_policy->cond_local_start, (struct sockaddr *)&ke… in necp_socket_check_policy()
8747 …NECP_DATA_TRACE_LOG_CONDITION(debug, "SOCKET", kernel_policy->condition_negated_mask & NECP_KERNEL… in necp_socket_check_policy()
8748 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_END) { in necp_socket_check_policy()
8757 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) { in necp_socket_check_policy()
8758 …subnet((struct sockaddr *)local, (struct sockaddr *)&kernel_policy->cond_local_start, kernel_polic… in necp_socket_check_policy()
8759 …NECP_DATA_TRACE_LOG_CONDITION(debug, "SOCKET", kernel_policy->condition_negated_mask & NECP_KERNEL… in necp_socket_check_policy()
8760 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) { in necp_socket_check_policy()
8772 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_START) { in necp_socket_check_policy()
8773 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) { in necp_socket_check_policy()
8774 …uct sockaddr *)remote, (struct sockaddr *)&kernel_policy->cond_remote_start, (struct sockaddr *)&k… in necp_socket_check_policy()
8775 …NECP_DATA_TRACE_LOG_CONDITION(debug, "SOCKET", kernel_policy->condition_negated_mask & NECP_KERNEL… in necp_socket_check_policy()
8776 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_END) { in necp_socket_check_policy()
8785 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) { in necp_socket_check_policy()
8786 …ubnet((struct sockaddr *)remote, (struct sockaddr *)&kernel_policy->cond_remote_start, kernel_poli… in necp_socket_check_policy()
8787 …NECP_DATA_TRACE_LOG_CONDITION(debug, "SOCKET", kernel_policy->condition_negated_mask & NECP_KERNEL… in necp_socket_check_policy()
8788 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) { in necp_socket_check_policy()
8800 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_CLIENT_FLAGS) { in necp_socket_check_policy()
8801 …NECP_DATA_TRACE_LOG_CONDITION(debug, "SOCKET", kernel_policy->condition_negated_mask & NECP_KERNEL… in necp_socket_check_policy()
8803 kernel_policy->cond_client_flags, client_flags); in necp_socket_check_policy()
8804 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_CLIENT_FLAGS) { in necp_socket_check_policy()
8805 if ((client_flags & kernel_policy->cond_client_flags) == kernel_policy->cond_client_flags) { in necp_socket_check_policy()
8810 if ((client_flags & kernel_policy->cond_client_flags) != kernel_policy->cond_client_flags) { in necp_socket_check_policy()
8817 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_EMPTY) { in necp_socket_check_policy()
8819 …NECP_DATA_TRACE_LOG_CONDITION(debug, "SOCKET", kernel_policy->condition_negated_mask & NECP_KERNEL… in necp_socket_check_policy()
8822 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_EMPTY) { in necp_socket_check_policy()
8833 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_EMPTY) { in necp_socket_check_policy()
8835 …NECP_DATA_TRACE_LOG_CONDITION(debug, "SOCKET", kernel_policy->condition_negated_mask & NECP_KERNEL… in necp_socket_check_policy()
8838 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_EMPTY) { in necp_socket_check_policy()
8849 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_SCHEME_PORT) { in necp_socket_check_policy()
8854 …NECP_DATA_TRACE_LOG_CONDITION(debug, "SOCKET", kernel_policy->condition_negated_mask & NECP_KERNEL… in necp_socket_check_policy()
8857 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_SCHEME_PORT) { in necp_socket_check_policy()
8858 if (kernel_policy->cond_scheme_port == scheme_port || in necp_socket_check_policy()
8859 kernel_policy->cond_scheme_port == remote_port) { in necp_socket_check_policy()
8863 if (kernel_policy->cond_scheme_port != scheme_port && in necp_socket_check_policy()
8864 kernel_policy->cond_scheme_port != remote_port) { in necp_socket_check_policy()
8870 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS) { in necp_socket_check_policy()
8871 …NECP_DATA_TRACE_LOG_CONDITION(debug, "SOCKET", kernel_policy->condition_negated_mask & NECP_KERNEL… in necp_socket_check_policy()
8873 kernel_policy->cond_packet_filter_tags, in necp_socket_check_policy()
8876 if (kernel_policy->cond_packet_filter_tags & NECP_POLICY_CONDITION_PACKET_FILTER_TAG_STACK_DROP) { in necp_socket_check_policy()
8882 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS) { in necp_socket_check_policy()
8893 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_IS_LOOPBACK) { in necp_socket_check_policy()
8894 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_IS_LOOPBACK) { in necp_socket_check_policy()
8905 …if (is_delegated && (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_DELEGATE_IS_PLATFORM_BI… in necp_socket_check_policy()
8906 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_DELEGATE_IS_PLATFORM_BINARY) { in necp_socket_check_policy()
9935 necp_ip_output_check_policy(struct necp_kernel_ip_output_policy *kernel_policy, necp_kernel_policy_… in necp_ip_output_check_policy() argument
9941 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES)) { in necp_ip_output_check_policy()
9942 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) { in necp_ip_output_check_policy()
9943 …u_int32_t cond_bound_interface_index = kernel_policy->cond_bound_interface ? kernel_policy->cond_b… in necp_ip_output_check_policy()
9944 …NECP_DATA_TRACE_LOG_CONDITION(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_CON… in necp_ip_output_check_policy()
9947 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) { in necp_ip_output_check_policy()
9959 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS) { in necp_ip_output_check_policy()
9971 …NECP_DATA_TRACE_LOG_CONDITION(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_CON… in necp_ip_output_check_policy()
9972 …"NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS - flags", kernel_policy->cond_bound_interface_flags, … in necp_ip_output_check_policy()
9973 …NECP_DATA_TRACE_LOG_CONDITION(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_CON… in necp_ip_output_check_policy()
9974 …"NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS - eflags", kernel_policy->cond_bound_interface_eflags… in necp_ip_output_check_policy()
9975 …NECP_DATA_TRACE_LOG_CONDITION(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_CON… in necp_ip_output_check_policy()
9976 …"NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS - xflags", kernel_policy->cond_bound_interface_xflags… in necp_ip_output_check_policy()
9977 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS) { in necp_ip_output_check_policy()
9978 …if ((kernel_policy->cond_bound_interface_flags && (bound_interface_flags & kernel_policy->cond_bou… in necp_ip_output_check_policy()
9979 …(kernel_policy->cond_bound_interface_eflags && (bound_interface_eflags & kernel_policy->cond_bound… in necp_ip_output_check_policy()
9980 …(kernel_policy->cond_bound_interface_xflags && (bound_interface_xflags & kernel_policy->cond_bound… in necp_ip_output_check_policy()
9985 …if ((kernel_policy->cond_bound_interface_flags && !(bound_interface_flags & kernel_policy->cond_bo… in necp_ip_output_check_policy()
9986 …(kernel_policy->cond_bound_interface_eflags && !(bound_interface_eflags & kernel_policy->cond_boun… in necp_ip_output_check_policy()
9987 …(kernel_policy->cond_bound_interface_xflags && !(bound_interface_xflags & kernel_policy->cond_boun… in necp_ip_output_check_policy()
9993 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) && in necp_ip_output_check_policy()
9994 !(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS)) { in necp_ip_output_check_policy()
10003 if (kernel_policy->condition_mask == 0) { in necp_ip_output_check_policy()
10007 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID) { in necp_ip_output_check_policy()
10009kernel_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP ? socket_skip_policy_id : socket_policy_id; in necp_ip_output_check_policy()
10012 kernel_policy->cond_policy_id, 0, 0, in necp_ip_output_check_policy()
10014 if (matched_policy_id != kernel_policy->cond_policy_id) { in necp_ip_output_check_policy()
10020 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LAST_INTERFACE) { in necp_ip_output_check_policy()
10023 kernel_policy->cond_last_interface_index, last_interface_index); in necp_ip_output_check_policy()
10024 if (last_interface_index != kernel_policy->cond_last_interface_index) { in necp_ip_output_check_policy()
10029 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PROTOCOL) { in necp_ip_output_check_policy()
10030 …NECP_DATA_TRACE_LOG_CONDITION(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_CON… in necp_ip_output_check_policy()
10032 kernel_policy->cond_protocol, protocol); in necp_ip_output_check_policy()
10033 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PROTOCOL) { in necp_ip_output_check_policy()
10034 if (protocol == kernel_policy->cond_protocol) { in necp_ip_output_check_policy()
10039 if (protocol != kernel_policy->cond_protocol) { in necp_ip_output_check_policy()
10046 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) { in necp_ip_output_check_policy()
10061 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) { in necp_ip_output_check_policy()
10062 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) { in necp_ip_output_check_policy()
10063 …ruct sockaddr *)local, (struct sockaddr *)&kernel_policy->cond_local_start, (struct sockaddr *)&ke… in necp_ip_output_check_policy()
10064 …NECP_DATA_TRACE_LOG_CONDITION(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_CON… in necp_ip_output_check_policy()
10065 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_END) { in necp_ip_output_check_policy()
10074 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) { in necp_ip_output_check_policy()
10075 …subnet((struct sockaddr *)local, (struct sockaddr *)&kernel_policy->cond_local_start, kernel_polic… in necp_ip_output_check_policy()
10076 …NECP_DATA_TRACE_LOG_CONDITION(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_CON… in necp_ip_output_check_policy()
10077 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) { in necp_ip_output_check_policy()
10089 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_START) { in necp_ip_output_check_policy()
10090 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) { in necp_ip_output_check_policy()
10091 …uct sockaddr *)remote, (struct sockaddr *)&kernel_policy->cond_remote_start, (struct sockaddr *)&k… in necp_ip_output_check_policy()
10092 …NECP_DATA_TRACE_LOG_CONDITION(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_CON… in necp_ip_output_check_policy()
10093 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_END) { in necp_ip_output_check_policy()
10102 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) { in necp_ip_output_check_policy()
10103 …ubnet((struct sockaddr *)remote, (struct sockaddr *)&kernel_policy->cond_remote_start, kernel_poli… in necp_ip_output_check_policy()
10104 …NECP_DATA_TRACE_LOG_CONDITION(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_CON… in necp_ip_output_check_policy()
10105 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) { in necp_ip_output_check_policy()
10117 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_SCHEME_PORT) { in necp_ip_output_check_policy()
10122 …NECP_DATA_TRACE_LOG_CONDITION(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_CON… in necp_ip_output_check_policy()
10125 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_SCHEME_PORT) { in necp_ip_output_check_policy()
10126 if (kernel_policy->cond_scheme_port == remote_port) { in necp_ip_output_check_policy()
10130 if (kernel_policy->cond_scheme_port != remote_port) { in necp_ip_output_check_policy()
10136 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS) { in necp_ip_output_check_policy()
10138 …NECP_DATA_TRACE_LOG_CONDITION(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_CON… in necp_ip_output_check_policy()
10140 kernel_policy->cond_packet_filter_tags, pf_tag); in necp_ip_output_check_policy()
10141 if (kernel_policy->cond_packet_filter_tags & NECP_POLICY_CONDITION_PACKET_FILTER_TAG_STACK_DROP) { in necp_ip_output_check_policy()
10146 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS) { in necp_ip_output_check_policy()