1*8d741a5dSApple OSS Distributions /*
2*8d741a5dSApple OSS Distributions * Copyright (c) 2004-2024 Apple Inc. All rights reserved.
3*8d741a5dSApple OSS Distributions *
4*8d741a5dSApple OSS Distributions * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5*8d741a5dSApple OSS Distributions *
6*8d741a5dSApple OSS Distributions * This file contains Original Code and/or Modifications of Original Code
7*8d741a5dSApple OSS Distributions * as defined in and that are subject to the Apple Public Source License
8*8d741a5dSApple OSS Distributions * Version 2.0 (the 'License'). You may not use this file except in
9*8d741a5dSApple OSS Distributions * compliance with the License. The rights granted to you under the License
10*8d741a5dSApple OSS Distributions * may not be used to create, or enable the creation or redistribution of,
11*8d741a5dSApple OSS Distributions * unlawful or unlicensed copies of an Apple operating system, or to
12*8d741a5dSApple OSS Distributions * circumvent, violate, or enable the circumvention or violation of, any
13*8d741a5dSApple OSS Distributions * terms of an Apple operating system software license agreement.
14*8d741a5dSApple OSS Distributions *
15*8d741a5dSApple OSS Distributions * Please obtain a copy of the License at
16*8d741a5dSApple OSS Distributions * http://www.opensource.apple.com/apsl/ and read it before using this file.
17*8d741a5dSApple OSS Distributions *
18*8d741a5dSApple OSS Distributions * The Original Code and all software distributed under the License are
19*8d741a5dSApple OSS Distributions * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20*8d741a5dSApple OSS Distributions * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21*8d741a5dSApple OSS Distributions * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22*8d741a5dSApple OSS Distributions * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23*8d741a5dSApple OSS Distributions * Please see the License for the specific language governing rights and
24*8d741a5dSApple OSS Distributions * limitations under the License.
25*8d741a5dSApple OSS Distributions *
26*8d741a5dSApple OSS Distributions * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27*8d741a5dSApple OSS Distributions */
28*8d741a5dSApple OSS Distributions
29*8d741a5dSApple OSS Distributions #include <sys/param.h> /* for definition of NULL */
30*8d741a5dSApple OSS Distributions #include <sys/errno.h>
31*8d741a5dSApple OSS Distributions #include <sys/malloc.h>
32*8d741a5dSApple OSS Distributions #include <sys/socket.h>
33*8d741a5dSApple OSS Distributions #include <sys/mbuf.h>
34*8d741a5dSApple OSS Distributions #include <sys/systm.h>
35*8d741a5dSApple OSS Distributions #include <libkern/OSAtomic.h>
36*8d741a5dSApple OSS Distributions
37*8d741a5dSApple OSS Distributions #include <machine/endian.h>
38*8d741a5dSApple OSS Distributions
39*8d741a5dSApple OSS Distributions #define _IP_VHL
40*8d741a5dSApple OSS Distributions #include <net/if_var.h>
41*8d741a5dSApple OSS Distributions #include <net/route.h>
42*8d741a5dSApple OSS Distributions #include <net/kpi_protocol.h>
43*8d741a5dSApple OSS Distributions #include <net/net_api_stats.h>
44*8d741a5dSApple OSS Distributions #if SKYWALK
45*8d741a5dSApple OSS Distributions #include <skywalk/lib/net_filter_event.h>
46*8d741a5dSApple OSS Distributions #endif /* SKYWALK */
47*8d741a5dSApple OSS Distributions
48*8d741a5dSApple OSS Distributions #include <netinet/in_systm.h>
49*8d741a5dSApple OSS Distributions #include <netinet/in.h>
50*8d741a5dSApple OSS Distributions #include <netinet/in_var.h>
51*8d741a5dSApple OSS Distributions #include <netinet6/in6_var.h>
52*8d741a5dSApple OSS Distributions #include <netinet/ip.h>
53*8d741a5dSApple OSS Distributions #include <netinet/ip6.h>
54*8d741a5dSApple OSS Distributions #include <netinet/ip_var.h>
55*8d741a5dSApple OSS Distributions #include <netinet6/ip6_var.h>
56*8d741a5dSApple OSS Distributions #include <netinet/kpi_ipfilter_var.h>
57*8d741a5dSApple OSS Distributions
58*8d741a5dSApple OSS Distributions #include <stdbool.h>
59*8d741a5dSApple OSS Distributions
60*8d741a5dSApple OSS Distributions #if SKYWALK
61*8d741a5dSApple OSS Distributions #include <skywalk/core/skywalk_var.h>
62*8d741a5dSApple OSS Distributions #endif /* SKYWALK */
63*8d741a5dSApple OSS Distributions
/*
 * kipf_lock and kipf_ref protect the linkage of the list of IP filters.
 * An IP filter can be removed only when kipf_ref is zero.
 * If an IP filter cannot be removed because kipf_ref is not zero, then
 * the IP filter is marked and kipf_delayed_remove is set so that when
 * kipf_ref eventually goes down to zero, the IP filter is removed.
 */
static LCK_GRP_DECLARE(kipf_lock_grp, "IP Filter");
static LCK_MTX_DECLARE(kipf_lock, &kipf_lock_grp);
/* Outstanding ipf_ref() holders; ipf_ref()/ipf_unref() change it with kipf_lock held. */
static u_int32_t kipf_ref = 0;
/* Number of filters queued on tbr_filters, waiting for ipf_unref() to unlink them. */
static u_int32_t kipf_delayed_remove = 0;
/* Incremented by ipf_add(); decremented by the immediate-removal path of ipf_remove(). */
u_int32_t kipf_count = 0;

/*
 * ipv4_filters / ipv6_filters hold the attached filters (linked via ipf_link).
 * tbr_filters holds filters whose removal was deferred (linked via ipf_tbr);
 * such a filter stays on its ipv4/ipv6 list until ipf_unref() unlinks it.
 */
__private_extern__ struct ipfilter_list ipv4_filters = TAILQ_HEAD_INITIALIZER(ipv4_filters);
__private_extern__ struct ipfilter_list ipv6_filters = TAILQ_HEAD_INITIALIZER(ipv6_filters);
__private_extern__ struct ipfilter_list tbr_filters = TAILQ_HEAD_INITIALIZER(tbr_filters);
80*8d741a5dSApple OSS Distributions
/*
 * Drop any macro definitions of ipf_addv4/ipf_addv6 before declaring and
 * defining the real functions below.
 * NOTE(review): presumably a header maps these names to the *_internal
 * variants for in-kernel callers -- confirm against kpi_ipfilter headers.
 */
#undef ipf_addv4
#undef ipf_addv6
extern errno_t ipf_addv4(const struct ipf_filter *filter,
    ipfilter_t *filter_ref);
extern errno_t ipf_addv6(const struct ipf_filter *filter,
    ipfilter_t *filter_ref);

/* Common attach routine behind the four ipf_addv{4,6}[_internal] entry points. */
static errno_t ipf_add(const struct ipf_filter *filter,
    ipfilter_t *filter_ref, struct ipfilter_list *head, bool is_internal);

#if SKYWALK
/* Defined outside the part of the file shown here; its result is passed to net_filter_event_mark(). */
static bool net_check_compatible_ipf(void);
#endif /* SKYWALK */
94*8d741a5dSApple OSS Distributions
/*
 * Take one reference on the IP filter lists.
 *
 * While kipf_ref is non-zero, ipf_remove() defers unlinking a filter and
 * ipf_unref() performs the removal once the count returns to zero.
 * Panics if the 32-bit counter would overflow.
 */
__private_extern__ void
ipf_ref(void)
{
	lck_mtx_lock(&kipf_lock);

	/* The counter is only ever changed with kipf_lock held. */
	const bool overflowed = os_inc_overflow(&kipf_ref);
	if (overflowed) {
		panic("kipf_ref overflow");
	}

	lck_mtx_unlock(&kipf_lock);
}
104*8d741a5dSApple OSS Distributions
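/*
 * Drop one reference on the IP filter lists and, when the count reaches
 * zero, complete any removals that ipf_remove() had to defer.
 *
 * For each filter queued on tbr_filters this unlinks it from both its
 * ipv4/ipv6 list and tbr_filters, adjusts the net_api_stats counters,
 * releases the struct ipfilter and then calls the client's ipf_detach
 * callback with kipf_lock dropped.  Panics if kipf_ref would underflow.
 */
__private_extern__ void
ipf_unref(void)
{
	lck_mtx_lock(&kipf_lock);

	if (os_dec_overflow(&kipf_ref)) {
		panic("kipf_ref underflow");
	}

	if (kipf_ref == 0 && kipf_delayed_remove != 0) {
		struct ipfilter *filter;

		while ((filter = TAILQ_FIRST(&tbr_filters))) {
			VERIFY(OSDecrementAtomic64(&net_api_stats.nas_ipf_add_count) > 0);
			if (filter->ipf_flags & IPFF_INTERNAL) {
				VERIFY(OSDecrementAtomic64(&net_api_stats.nas_ipf_add_os_count) > 0);
			}

			/* Copy out what the callback needs before the filter is released. */
			ipf_detach_func ipf_detach = filter->ipf_filter.ipf_detach;
			void *__single cookie = filter->ipf_filter.cookie;

			TAILQ_REMOVE(filter->ipf_head, filter, ipf_link);
			TAILQ_REMOVE(&tbr_filters, filter, ipf_tbr);
			kipf_delayed_remove--;

			/*
			 * Release the allocation made by ipf_add().  The immediate
			 * path in ipf_remove() frees the filter; the deferred path
			 * previously unlinked it from both lists and never freed it,
			 * leaking one struct ipfilter per deferred removal.
			 * NOTE(review): confirm nothing outside this file keeps a
			 * dereferenceable pointer to a filter past this point.
			 */
			kfree_type(struct ipfilter, filter);

			if (ipf_detach) {
				/* Never call into the client with kipf_lock held. */
				lck_mtx_unlock(&kipf_lock);
				ipf_detach(cookie);
				lck_mtx_lock(&kipf_lock);
				/* In case some filter got to run while we released the lock */
				if (kipf_ref != 0) {
					break;
				}
			}
		}
		/*
		 * NOTE(review): the immediate path in ipf_remove() also does
		 * OSAddAtomic(-1, &kipf_count) and routegenid_update(); neither
		 * happens for deferred removals here -- confirm whether kipf_count
		 * is meant to stay elevated after a deferred removal.
		 */
	}
#if SKYWALK
	if (kernel_is_macos_or_server()) {
		net_filter_event_mark(NET_FILTER_EVENT_IP,
		    net_check_compatible_ipf());
	}
#endif /* SKYWALK */
	lck_mtx_unlock(&kipf_lock);
}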
149*8d741a5dSApple OSS Distributions
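/*
 * Allocate a filter record, copy the caller's ipf_filter into it and link
 * it at the head of the given list.
 *
 * filter       Client description; name must be set and at least one of
 *              ipf_input / ipf_output must be non-NULL.
 * filter_ref   Out: opaque handle for the new filter (the record's address).
 * head         &ipv4_filters or &ipv6_filters.
 * is_internal  true for OS-internal filters; recorded as IPFF_INTERNAL and
 *              counted separately in net_api_stats.
 *
 * Returns 0 on success, EINVAL on a NULL argument or an unusable filter.
 */
static errno_t
ipf_add(
	const struct ipf_filter *filter,
	ipfilter_t *filter_ref,
	struct ipfilter_list *head,
	bool is_internal)
{
	struct ipfilter *new_filter;

	/* Both pointers are dereferenced unconditionally below. */
	if (filter == NULL || filter_ref == NULL) {
		return EINVAL;
	}
	if (filter->name == NULL || (filter->ipf_input == NULL && filter->ipf_output == NULL)) {
		return EINVAL;
	}

	new_filter = kalloc_type(struct ipfilter, Z_WAITOK | Z_NOFAIL);

	lck_mtx_lock(&kipf_lock);
	new_filter->ipf_filter = *filter;
	new_filter->ipf_head = head;
	/*
	 * Always initialise ipf_flags: the allocation above does not request
	 * zeroed memory, and ipf_remove()/ipf_unref() test IPFF_INTERNAL to
	 * decide whether to decrement nas_ipf_add_os_count.
	 */
	new_filter->ipf_flags = is_internal ? IPFF_INTERNAL : 0;

	TAILQ_INSERT_HEAD(head, new_filter, ipf_link);

	OSIncrementAtomic64(&net_api_stats.nas_ipf_add_count);
	INC_ATOMIC_INT64_LIM(net_api_stats.nas_ipf_add_total);
	if (is_internal) {
		OSIncrementAtomic64(&net_api_stats.nas_ipf_add_os_count);
		INC_ATOMIC_INT64_LIM(net_api_stats.nas_ipf_add_os_total);
	}
#if SKYWALK
	if (kernel_is_macos_or_server()) {
		net_filter_event_mark(NET_FILTER_EVENT_IP,
		    net_check_compatible_ipf());
	}
#endif /* SKYWALK */

	lck_mtx_unlock(&kipf_lock);

	/*
	 * The filter is already on the list at this point, so the handle is
	 * published to the caller after the filter became visible.
	 */
	*filter_ref = (ipfilter_t)new_filter;

	/* This will force TCP to re-evaluate its use of TSO */
	OSAddAtomic(1, &kipf_count);
	routegenid_update();

	return 0;
}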
194*8d741a5dSApple OSS Distributions
/*
 * Attach an IPv4 filter flagged as OS-internal: ipf_add() records
 * IPFF_INTERNAL and bumps the nas_ipf_add_os_* counters for it.
 * Returns whatever ipf_add() returns.
 */
errno_t
ipf_addv4_internal(
	const struct ipf_filter *filter,
	ipfilter_t *filter_ref)
{
	const bool is_internal = true;

	return ipf_add(filter, filter_ref, &ipv4_filters, is_internal);
}
202*8d741a5dSApple OSS Distributions
/*
 * Attach an IPv4 filter that is not flagged as OS-internal.
 * Returns whatever ipf_add() returns.
 */
errno_t
ipf_addv4(
	const struct ipf_filter *filter,
	ipfilter_t *filter_ref)
{
	const bool is_internal = false;

	return ipf_add(filter, filter_ref, &ipv4_filters, is_internal);
}
210*8d741a5dSApple OSS Distributions
/*
 * Attach an IPv6 filter flagged as OS-internal: ipf_add() records
 * IPFF_INTERNAL and bumps the nas_ipf_add_os_* counters for it.
 * Returns whatever ipf_add() returns.
 */
errno_t
ipf_addv6_internal(
	const struct ipf_filter *filter,
	ipfilter_t *filter_ref)
{
	const bool is_internal = true;

	return ipf_add(filter, filter_ref, &ipv6_filters, is_internal);
}
218*8d741a5dSApple OSS Distributions
/*
 * Attach an IPv6 filter that is not flagged as OS-internal.
 * Returns whatever ipf_add() returns.
 */
errno_t
ipf_addv6(
	const struct ipf_filter *filter,
	ipfilter_t *filter_ref)
{
	const bool is_internal = false;

	return ipf_add(filter, filter_ref, &ipv6_filters, is_internal);
}
226*8d741a5dSApple OSS Distributions
/*
 * Input stub that ipf_remove() installs in place of the client's ipf_input
 * when removal has to be deferred.  Ignores its arguments and returns 0.
 */
static errno_t
ipf_input_detached(void *cookie, mbuf_t *data, int offset, u_int8_t protocol)
{
	/* None of the arguments is used. */
	(void)cookie;
	(void)data;
	(void)offset;
	(void)protocol;

#if DEBUG
	printf("ipf_input_detached\n");
#endif /* DEBUG */

	return 0;
}
238*8d741a5dSApple OSS Distributions
/*
 * Output stub that ipf_remove() installs in place of the client's ipf_output
 * when removal has to be deferred.  Ignores its arguments and returns 0.
 */
static errno_t
ipf_output_detached(void *cookie, mbuf_t *data, ipf_pktopts_t options)
{
	/* None of the arguments is used. */
	(void)cookie;
	(void)data;
	(void)options;

#if DEBUG
	printf("ipf_output_detached\n");
#endif /* DEBUG */

	return 0;
}
250*8d741a5dSApple OSS Distributions
/*
 * Detach the filter identified by filter_ref.
 *
 * If no ipf_ref() is outstanding the filter is unlinked, its ipf_detach
 * callback (if any) is called without kipf_lock held, and the record is
 * freed.  Otherwise the filter is queued on tbr_filters, its input/output
 * callbacks are replaced by the *_detached stubs, and ipf_unref() finishes
 * the removal later.
 *
 * Returns 0 when the filter was found (removed or queued), EINVAL when
 * filter_ref is NULL or its ipf_head is neither filter list, ENOENT when
 * the handle is not on the list it names.
 */
errno_t
ipf_remove(
	ipfilter_t filter_ref)
{
	struct ipfilter *match = (struct ipfilter *)filter_ref;
	struct ipfilter_list *head;

	/*
	 * NOTE(review): match->ipf_head is read through the caller-supplied
	 * handle before kipf_lock is taken and before the handle is confirmed
	 * to be on a list.  A stale handle (for example one already passed to
	 * ipf_remove()) is therefore dereferenced here; the list walk below
	 * only protects the later accesses.
	 */
	if (match == 0 || (match->ipf_head != &ipv4_filters && match->ipf_head != &ipv6_filters)) {
		return EINVAL;
	}

	head = match->ipf_head;

	lck_mtx_lock(&kipf_lock);
	/* Only act on a handle that is actually linked on the list it names. */
	TAILQ_FOREACH(match, head, ipf_link) {
		if (match == (struct ipfilter *)filter_ref) {
			ipf_detach_func ipf_detach = match->ipf_filter.ipf_detach;
			void *__single cookie = match->ipf_filter.cookie;

			/*
			 * Cannot detach while there are filters running
			 */
			if (kipf_ref) {
				/*
				 * NOTE(review): the filter stays on `head`, so a second
				 * ipf_remove() of the same handle before ipf_unref()
				 * drains tbr_filters would reach this branch again and
				 * insert it on tbr_filters twice -- no "already queued"
				 * marker is visible here; confirm callers cannot do so.
				 */
				kipf_delayed_remove++;
				TAILQ_INSERT_TAIL(&tbr_filters, match, ipf_tbr);
				/* Stop calling into the client from now on. */
				match->ipf_filter.ipf_input = ipf_input_detached;
				match->ipf_filter.ipf_output = ipf_output_detached;
				lck_mtx_unlock(&kipf_lock);
			} else {
				VERIFY(OSDecrementAtomic64(&net_api_stats.nas_ipf_add_count) > 0);
				if (match->ipf_flags & IPFF_INTERNAL) {
					VERIFY(OSDecrementAtomic64(&net_api_stats.nas_ipf_add_os_count) > 0);
				}

				TAILQ_REMOVE(head, match, ipf_link);
				lck_mtx_unlock(&kipf_lock);

				/* Client callback runs with kipf_lock released. */
				if (ipf_detach) {
					ipf_detach(cookie);
				}
				kfree_type(struct ipfilter, match);

				/* This will force TCP to re-evaluate its use of TSO */
				OSAddAtomic(-1, &kipf_count);
				routegenid_update();
			}
			return 0;
		}
	}
#if SKYWALK
	/*
	 * NOTE(review): this block is reached only when no filter matched; both
	 * successful paths return from inside the loop without marking the
	 * filter event here -- confirm that is intended.
	 */
	if (kernel_is_macos_or_server()) {
		net_filter_event_mark(NET_FILTER_EVENT_IP,
		    net_check_compatible_ipf());
	}
#endif /* SKYWALK */

	lck_mtx_unlock(&kipf_lock);

	return ENOENT;
}
311*8d741a5dSApple OSS Distributions
/* NOTE(review): not referenced in the part of this file shown here; has external linkage, so it may be used elsewhere. */
int log_for_en1 = 0;
313*8d741a5dSApple OSS Distributions
/*
 * Inject a complete IPv4 or IPv6 packet into the input path via
 * proto_inject().
 *
 * data        Packet; the IP version is taken from the first header byte.
 * filter_ref  Injecting filter, or 0.  When non-zero the handle is stored
 *             in a KERNEL_TAG_TYPE_IPFILT mbuf tag on the packet.
 *
 * Returns ENOTSUP for an IP version other than 4 or 6, ENOMEM if the tag
 * cannot be allocated, otherwise the result of proto_inject().
 *
 * NOTE(review): the header is accessed through mtod() with no m_len check
 * or m_pullup() in this function (the output injectors in this file do
 * pull up the header), so the caller must supply a first mbuf holding the
 * full IP/IPv6 header -- confirm this is part of the KPI contract.
 * NOTE(review): on the ENOTSUP and ENOMEM paths the mbuf is not freed
 * here, unlike the tag-failure path of the output injectors -- confirm
 * who owns the packet on error.
 */
errno_t
ipf_inject_input(
	mbuf_t data,
	ipfilter_t filter_ref)
{
	struct mbuf *m = (struct mbuf *)data;
	struct m_tag *mtag = 0;
	struct ip *ip = mtod(m, struct ip *);
	struct ip6_hdr *ip6;
	u_int8_t vers;
	int hlen;
	errno_t error = 0;
	protocol_family_t proto;
	struct in_ifaddr *ia = NULL;
	struct in_addr *pkt_dst = NULL;
	struct in6_ifaddr *ia6 = NULL;
	struct sockaddr_in6 pkt_dst6;

	/* The version nibble sits in the same place for IPv4 and IPv6. */
	vers = IP_VHL_V(ip->ip_vhl);

	switch (vers) {
	case 4:
		proto = PF_INET;
		break;
	case 6:
		proto = PF_INET6;
		break;
	default:
		error = ENOTSUP;
		goto done;
	}

	/* Only packets with neither an injecting filter nor a receive interface are fixed up. */
	if (filter_ref == 0 && m->m_pkthdr.rcvif == 0) {
		/*
		 * Search for interface with the local address
		 */
		switch (proto) {
		case PF_INET:
			pkt_dst = &ip->ip_dst;
			lck_rw_lock_shared(&in_ifaddr_rwlock);
			TAILQ_FOREACH(ia, INADDR_HASH(pkt_dst->s_addr), ia_hash) {
				if (IA_SIN(ia)->sin_addr.s_addr == pkt_dst->s_addr) {
					m->m_pkthdr.rcvif = ia->ia_ifp;
					break;
				}
			}
			lck_rw_done(&in_ifaddr_rwlock);
			break;

		case PF_INET6:
			ip6 = mtod(m, struct ip6_hdr *);
			/* Only sin6_addr of pkt_dst6 is set, and only sin6_addr is read below. */
			pkt_dst6.sin6_addr = ip6->ip6_dst;
			lck_rw_lock_shared(&in6_ifaddr_rwlock);
			TAILQ_FOREACH(ia6, IN6ADDR_HASH(&pkt_dst6.sin6_addr), ia6_hash) {
				if (IN6_ARE_ADDR_EQUAL(&ia6->ia_addr.sin6_addr, &pkt_dst6.sin6_addr)) {
					m->m_pkthdr.rcvif = ia6->ia_ifp;
					break;
				}
			}
			lck_rw_done(&in6_ifaddr_rwlock);
			break;

		default:
			break;
		}

		/*
		 * If none found, fallback to loopback
		 */
		if (m->m_pkthdr.rcvif == NULL) {
			m->m_pkthdr.rcvif = lo_ifp;
		}

		/* Discard any checksum metadata and recompute the IPv4 header checksum. */
		m->m_pkthdr.csum_data = 0;
		m->m_pkthdr.csum_flags = 0;
		if (vers == 4) {
			/* hlen comes from the packet's own header-length field. */
			hlen = IP_VHL_HL(ip->ip_vhl) << 2;
			ip->ip_sum = 0;
			ip->ip_sum = in_cksum(m, hlen);
		}
	}
	if (filter_ref != 0) {
		/* Tag the packet with the injecting filter's handle. */
		mtag = m_tag_create(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT,
		    sizeof(ipfilter_t), M_NOWAIT, m);
		if (mtag == NULL) {
			error = ENOMEM;
			goto done;
		}
		*(ipfilter_t *)(mtag->m_tag_data) = filter_ref;
		m_tag_prepend(m, mtag);
	}

	error = proto_inject(proto, data);

done:
	return error;
}
411*8d741a5dSApple OSS Distributions
/*
 * Send an IPv4 packet through ip_output() on behalf of a filter.
 *
 * data        Packet with a complete IPv4 header; ip_len and ip_off are
 *             converted from network to host byte order here.
 * filter_ref  Injecting filter, or 0.  When non-zero the handle is stored
 *             in a KERNEL_TAG_TYPE_IPFILT mbuf tag on the packet.
 * options     Optional; its ippo_flags are translated to ip_out_args flags
 *             and, with IPPOF_MCAST_OPTS, to multicast options.
 *
 * Returns ENOMEM if the header pull-up or the tag allocation fails,
 * otherwise the result of ip_output().
 */
static errno_t
ipf_injectv4_out(mbuf_t data, ipfilter_t filter_ref, ipf_pktopts_t options)
{
	struct route ro;
	struct ip *ip;
	struct mbuf *m = (struct mbuf *)data;
	errno_t error = 0;
	struct m_tag *mtag = NULL;
	struct ip_moptions *imo = NULL;
	struct ip_out_args ipoa;

	/* Start from "no scope, unspecified traffic class / service type". */
	bzero(&ipoa, sizeof(ipoa));
	ipoa.ipoa_boundif = IFSCOPE_NONE;
	ipoa.ipoa_sotc = SO_TC_UNSPEC;
	ipoa.ipoa_netsvctype = _NET_SERVICE_TYPE_UNSPEC;

	/* Make the IP header contiguous in the mbuf */
	if ((size_t)m->m_len < sizeof(struct ip)) {
		/* m may change here; everything below uses m, not data. */
		m = m_pullup(m, sizeof(struct ip));
		if (m == NULL) {
			/* NOTE(review): assumes m_pullup() released the chain on failure -- confirm. */
			return ENOMEM;
		}
	}
	ip = mtod(m, struct ip *);

	if (filter_ref != 0) {
		/* Tag the packet with the injecting filter's handle. */
		mtag = m_tag_create(KERNEL_MODULE_TAG_ID,
		    KERNEL_TAG_TYPE_IPFILT, sizeof(ipfilter_t), M_NOWAIT, m);
		if (mtag == NULL) {
			m_freem(m);
			return ENOMEM;
		}
		*(ipfilter_t *)(mtag->m_tag_data) = filter_ref;
		m_tag_prepend(m, mtag);
	}

	/*
	 * NOTE(review): if ip_allocmoptions() fails, imo stays NULL and the
	 * packet is still sent, without the requested multicast options and
	 * without an error -- confirm that best-effort behaviour is intended.
	 */
	if (options != NULL && (options->ippo_flags & IPPOF_MCAST_OPTS) &&
	    (imo = ip_allocmoptions(Z_NOWAIT)) != NULL) {
		imo->imo_multicast_ifp = options->ippo_mcast_ifnet;
		imo->imo_multicast_ttl = options->ippo_mcast_ttl;
		imo->imo_multicast_loop = (u_char)options->ippo_mcast_loop;
	}

	/* Translate the caller's packet-option flags into ip_output() arguments. */
	if (options != NULL) {
		if (options->ippo_flags & IPPOF_SELECT_SRCIF) {
			ipoa.ipoa_flags |= IPOAF_SELECT_SRCIF;
		}
		if (options->ippo_flags & IPPOF_BOUND_IF) {
			ipoa.ipoa_flags |= IPOAF_BOUND_IF;
			/* The interface scope is carried in the upper bits of ippo_flags. */
			ipoa.ipoa_boundif = options->ippo_flags >>
			    IPPOF_SHIFT_IFSCOPE;
		}
		if (options->ippo_flags & IPPOF_NO_IFT_CELLULAR) {
			ipoa.ipoa_flags |= IPOAF_NO_CELLULAR;
		}
		if (options->ippo_flags & IPPOF_BOUND_SRCADDR) {
			ipoa.ipoa_flags |= IPOAF_BOUND_SRCADDR;
		}
		if (options->ippo_flags & IPPOF_NO_IFF_EXPENSIVE) {
			ipoa.ipoa_flags |= IPOAF_NO_EXPENSIVE;
		}
		if (options->ippo_flags & IPPOF_NO_IFF_CONSTRAINED) {
			ipoa.ipoa_flags |= IPOAF_NO_CONSTRAINED;
		}
	}

	bzero(&ro, sizeof(struct route));

	/* Put ip_len and ip_off in host byte order, ip_output expects that */

#if BYTE_ORDER != BIG_ENDIAN
	NTOHS(ip->ip_len);
	NTOHS(ip->ip_off);
#endif

	/* Send; enforce source interface selection via IP_OUTARGS flag */
	error = ip_output(m, NULL, &ro,
	    IP_ALLOWBROADCAST | IP_RAWOUTPUT | IP_OUTARGS, imo, &ipoa);

	/* Release the route */
	ROUTE_RELEASE(&ro);

	/* Drop the reference on the multicast options allocated above. */
	if (imo != NULL) {
		IMO_REMREF(imo);
	}

	return error;
}
500*8d741a5dSApple OSS Distributions
/*
 * Inject an IPv6 packet on the output path.
 *
 * data        packet to send; it is handed to ip6_output() unless an early
 *             error return is taken.
 * filter_ref  when non-zero, recorded on the packet in a
 *             KERNEL_TAG_TYPE_IPFILT m_tag (read back and removed by
 *             ipf_get_inject_filter()).
 * options     optional; its ippo_flags are translated into ip6_out_args
 *             flags, and the multicast fields are used when
 *             IPPOF_MCAST_OPTS is set.
 *
 * Returns ENOMEM when the header pull-up or the m_tag allocation fails,
 * otherwise whatever ip6_output() returns.
 */
static errno_t
ipf_injectv6_out(mbuf_t data, ipfilter_t filter_ref, ipf_pktopts_t options)
{
	struct mbuf *m = (struct mbuf *)data;
	struct ip6_moptions *im6o = NULL;
	struct ip6_out_args ip6oa;
	struct route_in6 ro;
	struct ip6_hdr *ip6;
	errno_t error;

	/* Zeroed output args: no bound interface, unspecified class/service */
	bzero(&ip6oa, sizeof(ip6oa));
	ip6oa.ip6oa_boundif = IFSCOPE_NONE;
	ip6oa.ip6oa_sotc = SO_TC_UNSPEC;
	ip6oa.ip6oa_netsvctype = _NET_SERVICE_TYPE_UNSPEC;

	/* The fixed IPv6 header must sit contiguously in the first mbuf */
	if ((size_t)m->m_len < sizeof(struct ip6_hdr)) {
		m = m_pullup(m, sizeof(struct ip6_hdr));
		if (m == NULL) {
			/* NOTE(review): m_pullup presumably released the chain - confirm */
			return ENOMEM;
		}
	}
	ip6 = mtod(m, struct ip6_hdr *);

	/* Stamp the packet with the injecting filter's reference */
	if (filter_ref != 0) {
		struct m_tag *tag;

		tag = m_tag_create(KERNEL_MODULE_TAG_ID,
		    KERNEL_TAG_TYPE_IPFILT, sizeof(ipfilter_t), M_NOWAIT, m);
		if (tag == NULL) {
			m_freem(m);
			return ENOMEM;
		}
		*(ipfilter_t *)(tag->m_tag_data) = filter_ref;
		m_tag_prepend(m, tag);
	}

	if (options != NULL) {
		/*
		 * Multicast options are best-effort: if the Z_NOWAIT
		 * allocation fails, im6o stays NULL and the packet is still
		 * sent, without the caller's interface, hop limit and loop
		 * settings.
		 */
		if ((options->ippo_flags & IPPOF_MCAST_OPTS) != 0) {
			im6o = ip6_allocmoptions(Z_NOWAIT);
			if (im6o != NULL) {
				im6o->im6o_multicast_ifp = options->ippo_mcast_ifnet;
				im6o->im6o_multicast_hlim = options->ippo_mcast_ttl;
				im6o->im6o_multicast_loop =
				    (u_char)options->ippo_mcast_loop;
			}
		}

		/* Map each packet-option flag onto its ip6_out_args twin */
		if ((options->ippo_flags & IPPOF_SELECT_SRCIF) != 0) {
			ip6oa.ip6oa_flags |= IP6OAF_SELECT_SRCIF;
		}
		if ((options->ippo_flags & IPPOF_BOUND_IF) != 0) {
			/* the interface scope lives in the upper bits of ippo_flags */
			ip6oa.ip6oa_flags |= IP6OAF_BOUND_IF;
			ip6oa.ip6oa_boundif = options->ippo_flags >>
			    IPPOF_SHIFT_IFSCOPE;
		}
		if ((options->ippo_flags & IPPOF_NO_IFT_CELLULAR) != 0) {
			ip6oa.ip6oa_flags |= IP6OAF_NO_CELLULAR;
		}
		if ((options->ippo_flags & IPPOF_BOUND_SRCADDR) != 0) {
			ip6oa.ip6oa_flags |= IP6OAF_BOUND_SRCADDR;
		}
		if ((options->ippo_flags & IPPOF_NO_IFF_EXPENSIVE) != 0) {
			ip6oa.ip6oa_flags |= IP6OAF_NO_EXPENSIVE;
		}
		if ((options->ippo_flags & IPPOF_NO_IFF_CONSTRAINED) != 0) {
			ip6oa.ip6oa_flags |= IP6OAF_NO_CONSTRAINED;
		}
	}

	bzero(&ro, sizeof(struct route_in6));

	/*
	 * Send mbuf and ifscope information. The ifscope information is
	 * checked for correctness while ip6_output searches for a route.
	 */
	ip6_output_setsrcifscope(m, IFSCOPE_UNKNOWN, NULL);
	ip6_output_setdstifscope(m, IFSCOPE_UNKNOWN, NULL);
	error = ip6_output(m, NULL, &ro, IPV6_OUTARGS, im6o, NULL, &ip6oa);

	/* Drop the route and the multicast-options reference taken above */
	ROUTE_RELEASE(&ro);

	if (im6o != NULL) {
		IM6O_REMREF(im6o);
	}

	return error;
}
587*8d741a5dSApple OSS Distributions
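/*
 * Inject a packet on the output path, dispatching on the IP version found
 * in the high nibble of the first header byte.
 *
 * data        packet to send.
 * filter_ref  passed through to the per-family injector.
 * options     passed through to the per-family injector.
 *
 * Returns the per-family injector's result, ENOTSUP (after freeing the
 * packet) for a version other than 4 or 6, or ENOMEM when the first header
 * byte cannot be made contiguous.
 */
errno_t
ipf_inject_output(
	mbuf_t data,
	ipfilter_t filter_ref,
	ipf_pktopts_t options)
{
	struct mbuf *m = (struct mbuf *)data;
	u_int8_t vers;
	errno_t error = 0;

#if SKYWALK
	sk_protect_t protect = sk_async_transmit_protect();
#endif /* SKYWALK */

	/* Make one byte of the header contiguous in the mbuf */
	if (m->m_len < 1) {
		m = m_pullup(m, 1);
		if (m == NULL) {
			/*
			 * Report the failure rather than returning 0 for a
			 * packet that was never sent; ipf_injectv6_out uses
			 * ENOMEM for the same condition.
			 */
			error = ENOMEM;
			goto done;
		}
	}

	vers = (*(u_int8_t *)m_mtod(m)) >> 4;
	switch (vers) {
	/*
	 * Dispatch on m, not data: m_pullup returns the (possibly new) head
	 * of the chain, so after a pull-up the caller's original pointer may
	 * no longer be the packet head.
	 */
	case 4:
		error = ipf_injectv4_out((mbuf_t)m, filter_ref, options);
		break;
	case 6:
		error = ipf_injectv6_out((mbuf_t)m, filter_ref, options);
		break;
	default:
		m_freem(m);
		error = ENOTSUP;
		break;
	}

done:
#if SKYWALK
	sk_async_transmit_unprotect(protect);
#endif /* SKYWALK */

	return error;
}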
631*8d741a5dSApple OSS Distributions
/*
 * Fetch and consume the injecting filter's reference from a packet.
 *
 * Looks for a KERNEL_TAG_TYPE_IPFILT m_tag on m. When one is present its
 * payload is returned and the tag is deleted from the packet, so a second
 * call on the same packet finds nothing. Returns 0 when there is no tag.
 */
__private_extern__ ipfilter_t
ipf_get_inject_filter(struct mbuf *m)
{
	ipfilter_t __single injector = 0;
	struct m_tag *tag;

	tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT);
	if (tag == NULL) {
		return injector;
	}

	/* Copy the payload out before the tag is released */
	injector = *(ipfilter_t *)(tag->m_tag_data);
	m_tag_delete(m, tag);

	return injector;
}
646*8d741a5dSApple OSS Distributions
/*
 * Allocation unit for a KERNEL_TAG_TYPE_IPFILT m_tag: the tag header and
 * its ipfilter_t payload are allocated and freed together by
 * m_tag_kalloc_ipfilt() and m_tag_kfree_ipfilt().
 */
struct ipfilt_tag_container {
	/*
	 * Must remain the first member: m_tag_kalloc_ipfilt() asserts that
	 * the tag and container addresses are equal, and m_tag_kfree_ipfilt()
	 * casts the tag pointer back to the container.
	 */
	struct m_tag    ipft_m_tag;
	/* Tag payload; M_TAG_INIT is given this field's address as the data */
	ipfilter_t      ipft_filter_ref;
};
651*8d741a5dSApple OSS Distributions
/*
 * Allocator callback for KERNEL_TAG_TYPE_IPFILT m_tags.
 *
 * id, type and len are asserted to be KERNEL_MODULE_TAG_ID,
 * KERNEL_TAG_TYPE_IPFILT and sizeof(ipfilter_t). The length is also checked
 * outside the assertion, so a mismatched length yields NULL rather than a
 * wrongly sized tag. wait is passed to kalloc_type together with M_ZERO.
 *
 * Returns the initialised tag, or NULL on a bad length or allocation failure.
 */
static struct m_tag *
m_tag_kalloc_ipfilt(u_int32_t id, u_int16_t type, uint16_t len, int wait)
{
	struct ipfilt_tag_container *container;
	struct m_tag *tag;

	assert3u(id, ==, KERNEL_MODULE_TAG_ID);
	assert3u(type, ==, KERNEL_TAG_TYPE_IPFILT);
	assert3u(len, ==, sizeof(ipfilter_t));

	if (len != sizeof(ipfilter_t)) {
		return NULL;
	}

	container = kalloc_type(struct ipfilt_tag_container, wait | M_ZERO);
	if (container == NULL) {
		return NULL;
	}

	tag = &container->ipft_m_tag;

	/* The free path casts the tag back to its container */
	assert3p(tag, ==, container);

	M_TAG_INIT(tag, id, type, len, &container->ipft_filter_ref, NULL);

	return tag;
}
677*8d741a5dSApple OSS Distributions
/*
 * Free callback for KERNEL_TAG_TYPE_IPFILT m_tags: releases the whole
 * ipfilt_tag_container that holds the tag. The tag length is asserted to be
 * sizeof(ipfilter_t) before the container is freed.
 */
static void
m_tag_kfree_ipfilt(struct m_tag *tag)
{
	struct ipfilt_tag_container *container;

	assert3u(tag->m_tag_len, ==, sizeof(ipfilter_t));

	/* The tag is the container's first member, so the addresses coincide */
	container = (struct ipfilt_tag_container *)tag;
	kfree_type(struct ipfilt_tag_container, container);
}
687*8d741a5dSApple OSS Distributions
/*
 * Register the allocator and free callbacks for KERNEL_TAG_TYPE_IPFILT
 * m_tags, whose payload is one ipfilter_t.
 *
 * A registration failure is caught only by the assertion below.
 * NOTE(review): if assert3u compiles out in some build configurations, a
 * failure there would go unnoticed - confirm.
 */
void
ipfilter_register_m_tag(void)
{
	int rc;

	rc = m_register_internal_tag_type(KERNEL_TAG_TYPE_IPFILT,
	    sizeof(ipfilter_t),
	    m_tag_kalloc_ipfilt,
	    m_tag_kfree_ipfilt);

	assert3u(rc, ==, 0);
}
698*8d741a5dSApple OSS Distributions
#if SKYWALK
/*
 * Returns false when net_api_stats.nas_ipf_add_count exceeds
 * net_api_stats.nas_ipf_add_os_count, true otherwise.
 * NOTE(review): presumably total versus OS-owned IP filter attachments -
 * confirm against the net_api_stats definition.
 */
bool
net_check_compatible_ipf(void)
{
	return net_api_stats.nas_ipf_add_count <=
	       net_api_stats.nas_ipf_add_os_count;
}
#endif /* SKYWALK */