1*aca3beaaSApple OSS Distributions /*
2*aca3beaaSApple OSS Distributions * Copyright (c) 2004-2021 Apple Inc. All rights reserved.
3*aca3beaaSApple OSS Distributions *
4*aca3beaaSApple OSS Distributions * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5*aca3beaaSApple OSS Distributions *
6*aca3beaaSApple OSS Distributions * This file contains Original Code and/or Modifications of Original Code
7*aca3beaaSApple OSS Distributions * as defined in and that are subject to the Apple Public Source License
8*aca3beaaSApple OSS Distributions * Version 2.0 (the 'License'). You may not use this file except in
9*aca3beaaSApple OSS Distributions * compliance with the License. The rights granted to you under the License
10*aca3beaaSApple OSS Distributions * may not be used to create, or enable the creation or redistribution of,
11*aca3beaaSApple OSS Distributions * unlawful or unlicensed copies of an Apple operating system, or to
12*aca3beaaSApple OSS Distributions * circumvent, violate, or enable the circumvention or violation of, any
13*aca3beaaSApple OSS Distributions * terms of an Apple operating system software license agreement.
14*aca3beaaSApple OSS Distributions *
15*aca3beaaSApple OSS Distributions * Please obtain a copy of the License at
16*aca3beaaSApple OSS Distributions * http://www.opensource.apple.com/apsl/ and read it before using this file.
17*aca3beaaSApple OSS Distributions *
18*aca3beaaSApple OSS Distributions * The Original Code and all software distributed under the License are
19*aca3beaaSApple OSS Distributions * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20*aca3beaaSApple OSS Distributions * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21*aca3beaaSApple OSS Distributions * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22*aca3beaaSApple OSS Distributions * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23*aca3beaaSApple OSS Distributions * Please see the License for the specific language governing rights and
24*aca3beaaSApple OSS Distributions * limitations under the License.
25*aca3beaaSApple OSS Distributions *
26*aca3beaaSApple OSS Distributions * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27*aca3beaaSApple OSS Distributions */
28*aca3beaaSApple OSS Distributions
29*aca3beaaSApple OSS Distributions #include <sys/param.h> /* for definition of NULL */
30*aca3beaaSApple OSS Distributions #include <sys/errno.h>
31*aca3beaaSApple OSS Distributions #include <sys/malloc.h>
32*aca3beaaSApple OSS Distributions #include <sys/socket.h>
33*aca3beaaSApple OSS Distributions #include <sys/mbuf.h>
34*aca3beaaSApple OSS Distributions #include <sys/systm.h>
35*aca3beaaSApple OSS Distributions #include <libkern/OSAtomic.h>
36*aca3beaaSApple OSS Distributions
37*aca3beaaSApple OSS Distributions #include <machine/endian.h>
38*aca3beaaSApple OSS Distributions
39*aca3beaaSApple OSS Distributions #define _IP_VHL
40*aca3beaaSApple OSS Distributions #include <net/if_var.h>
41*aca3beaaSApple OSS Distributions #include <net/route.h>
42*aca3beaaSApple OSS Distributions #include <net/kpi_protocol.h>
43*aca3beaaSApple OSS Distributions #include <net/net_api_stats.h>
44*aca3beaaSApple OSS Distributions #if SKYWALK && defined(XNU_TARGET_OS_OSX)
45*aca3beaaSApple OSS Distributions #include <skywalk/lib/net_filter_event.h>
46*aca3beaaSApple OSS Distributions #endif /* SKYWALK && XNU_TARGET_OS_OSX */
47*aca3beaaSApple OSS Distributions
48*aca3beaaSApple OSS Distributions #include <netinet/in_systm.h>
49*aca3beaaSApple OSS Distributions #include <netinet/in.h>
50*aca3beaaSApple OSS Distributions #include <netinet/in_var.h>
51*aca3beaaSApple OSS Distributions #include <netinet6/in6_var.h>
52*aca3beaaSApple OSS Distributions #include <netinet/ip.h>
53*aca3beaaSApple OSS Distributions #include <netinet/ip6.h>
54*aca3beaaSApple OSS Distributions #include <netinet/ip_var.h>
55*aca3beaaSApple OSS Distributions #include <netinet6/ip6_var.h>
56*aca3beaaSApple OSS Distributions #include <netinet/kpi_ipfilter_var.h>
57*aca3beaaSApple OSS Distributions
58*aca3beaaSApple OSS Distributions #include <stdbool.h>
59*aca3beaaSApple OSS Distributions
60*aca3beaaSApple OSS Distributions #if SKYWALK
61*aca3beaaSApple OSS Distributions #include <skywalk/core/skywalk_var.h>
62*aca3beaaSApple OSS Distributions #endif /* SKYWALK */
63*aca3beaaSApple OSS Distributions
/*
 * kipf_lock and kipf_ref protect the linkage of the list of IP filters.
 * An IP filter can be removed only when kipf_ref is zero.
 * If an IP filter cannot be removed because kipf_ref is not zero, then
 * the IP filter is marked and kipf_delayed_remove is set so that when
 * kipf_ref eventually goes down to zero, the IP filter is removed.
 */
static LCK_GRP_DECLARE(kipf_lock_grp, "IP Filter");
static LCK_MTX_DECLARE(kipf_lock, &kipf_lock_grp);
/* Taken by ipf_ref() and dropped by ipf_unref(); both update it under kipf_lock. */
static u_int32_t kipf_ref = 0;
/* Number of filters that ipf_remove() has parked on tbr_filters. */
static u_int32_t kipf_delayed_remove = 0;
/* Incremented by ipf_add() and decremented on the removal path; not static. */
u_int32_t kipf_count = 0;

/* Attached IPv4 and IPv6 filters, linked through ipf_link. */
__private_extern__ struct ipfilter_list ipv4_filters = TAILQ_HEAD_INITIALIZER(ipv4_filters);
__private_extern__ struct ipfilter_list ipv6_filters = TAILQ_HEAD_INITIALIZER(ipv6_filters);
/* Filters whose removal was deferred by ipf_remove(), linked through ipf_tbr; drained by ipf_unref(). */
__private_extern__ struct ipfilter_list tbr_filters = TAILQ_HEAD_INITIALIZER(tbr_filters);

/*
 * Drop any macro definitions of ipf_addv4/ipf_addv6 so that the functions
 * below are declared and defined under their plain names.
 * NOTE(review): presumably a header remaps these names - confirm.
 */
#undef ipf_addv4
#undef ipf_addv6
extern errno_t ipf_addv4(const struct ipf_filter *filter,
    ipfilter_t *filter_ref);
extern errno_t ipf_addv6(const struct ipf_filter *filter,
    ipfilter_t *filter_ref);

/* Shared implementation behind the ipf_addv4 / ipf_addv6 entry points. */
static errno_t ipf_add(const struct ipf_filter *filter,
    ipfilter_t *filter_ref, struct ipfilter_list *head, bool is_internal);

#if SKYWALK && defined(XNU_TARGET_OS_OSX)
/* Its result is passed to net_filter_event_mark(NET_FILTER_EVENT_IP, ...) in this file. */
static bool net_check_compatible_ipf(void);
#endif /* SKYWALK && XNU_TARGET_OS_OSX */
/*
 * Take one reference on the IP filter lists.
 *
 * While kipf_ref is non-zero, ipf_remove() does not unlink or free a filter;
 * it defers the removal until ipf_unref() drops the count back to zero.
 * The counter is updated under kipf_lock, and wrapping it is treated as
 * fatal rather than allowed to silently reset the protection.
 */
__private_extern__ void
ipf_ref(void)
{
	bool wrapped;

	lck_mtx_lock(&kipf_lock);
	wrapped = os_inc_overflow(&kipf_ref);
	if (wrapped) {
		panic("kipf_ref overflow");
	}
	lck_mtx_unlock(&kipf_lock);
}
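/*
 * Drop one reference on the IP filter lists and, when the last reference
 * goes away, finish the removals that ipf_remove() had to defer.
 *
 * For each filter parked on tbr_filters this undoes what ipf_add() did:
 * the net_api_stats counters are decremented, the filter is unlinked from
 * its protocol list and from tbr_filters, the ipfilter structure is freed,
 * kipf_count is decremented and the owner's ipf_detach callback (if any) is
 * invoked with its cookie.
 *
 * The callback runs with kipf_lock released. If a new reference was taken
 * in that window the drain stops, and the remaining entries are handled by
 * a later ipf_unref().
 */
__private_extern__ void
ipf_unref(void)
{
	bool reaped = false;

	lck_mtx_lock(&kipf_lock);

	if (os_dec_overflow(&kipf_ref)) {
		panic("kipf_ref underflow");
	}

	if (kipf_ref == 0 && kipf_delayed_remove != 0) {
		struct ipfilter *filter;

		while ((filter = TAILQ_FIRST(&tbr_filters))) {
			VERIFY(OSDecrementAtomic64(&net_api_stats.nas_ipf_add_count) > 0);
			if (filter->ipf_flags & IPFF_INTERNAL) {
				VERIFY(OSDecrementAtomic64(&net_api_stats.nas_ipf_add_os_count) > 0);
			}

			/* Copy what the callback needs before the structure is freed. */
			ipf_detach_func ipf_detach = filter->ipf_filter.ipf_detach;
			void *cookie = filter->ipf_filter.cookie;

			TAILQ_REMOVE(filter->ipf_head, filter, ipf_link);
			TAILQ_REMOVE(&tbr_filters, filter, ipf_tbr);
			kipf_delayed_remove--;

			/*
			 * The filter is off both lists and kipf_ref is zero under
			 * kipf_lock, so nothing can still reach it through them.
			 * Free it and drop kipf_count as the immediate path of
			 * ipf_remove() does; without this a deferred removal leaked
			 * the structure and left kipf_count elevated.
			 */
			kfree_type(struct ipfilter, filter);
			OSAddAtomic(-1, &kipf_count);
			reaped = true;

			if (ipf_detach) {
				lck_mtx_unlock(&kipf_lock);
				ipf_detach(cookie);
				lck_mtx_lock(&kipf_lock);
				/* In case some filter got to run while we released the lock */
				if (kipf_ref != 0) {
					break;
				}
			}
		}
	}
#if SKYWALK && defined(XNU_TARGET_OS_OSX)
	net_filter_event_mark(NET_FILTER_EVENT_IP,
	    net_check_compatible_ipf());
#endif /* SKYWALK && XNU_TARGET_OS_OSX */
	lck_mtx_unlock(&kipf_lock);

	if (reaped) {
		/* This will force TCP to re-evaluate its use of TSO */
		routegenid_update();
	}
}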
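/*
 * Allocate a kernel copy of the caller's filter description and link it at
 * the head of `head`.
 *
 * filter       Filter description. It must carry a name and at least one of
 *              ipf_input / ipf_output.
 * filter_ref   Out: opaque handle for the new filter (the address of the
 *              kernel copy). It is written after the filter is already on
 *              the list, so the callbacks may run before the caller sees it.
 * head         List to attach to; the wrappers in this file pass
 *              &ipv4_filters or &ipv6_filters.
 * is_internal  True to tag the filter IPFF_INTERNAL and count it in the
 *              nas_ipf_add_os_* statistics.
 *
 * Returns 0 on success, or EINVAL when an argument is NULL or the
 * description is incomplete.
 */
static errno_t
ipf_add(
	const struct ipf_filter *filter,
	ipfilter_t *filter_ref,
	struct ipfilter_list *head,
	bool is_internal)
{
	struct ipfilter *new_filter;

	/* Both pointers are dereferenced below; fail cleanly instead of faulting. */
	if (filter == NULL || filter_ref == NULL) {
		return EINVAL;
	}
	if (filter->name == NULL || (filter->ipf_input == NULL && filter->ipf_output == NULL)) {
		return EINVAL;
	}

	new_filter = kalloc_type(struct ipfilter, Z_WAITOK | Z_NOFAIL);

	lck_mtx_lock(&kipf_lock);
	new_filter->ipf_filter = *filter;
	new_filter->ipf_head = head;
	/*
	 * The allocation flags above do not ask for zeroed memory, and the
	 * removal paths test ipf_flags for IPFF_INTERNAL to decide which
	 * counters to decrement. Give the field a defined value for
	 * non-internal filters too.
	 */
	new_filter->ipf_flags = 0;

	TAILQ_INSERT_HEAD(head, new_filter, ipf_link);

	OSIncrementAtomic64(&net_api_stats.nas_ipf_add_count);
	INC_ATOMIC_INT64_LIM(net_api_stats.nas_ipf_add_total);
	if (is_internal) {
		new_filter->ipf_flags = IPFF_INTERNAL;
		OSIncrementAtomic64(&net_api_stats.nas_ipf_add_os_count);
		INC_ATOMIC_INT64_LIM(net_api_stats.nas_ipf_add_os_total);
	}
#if SKYWALK && defined(XNU_TARGET_OS_OSX)
	net_filter_event_mark(NET_FILTER_EVENT_IP,
	    net_check_compatible_ipf());
#endif /* SKYWALK && XNU_TARGET_OS_OSX */

	lck_mtx_unlock(&kipf_lock);

	*filter_ref = (ipfilter_t)new_filter;

	/* This will force TCP to re-evaluate its use of TSO */
	OSAddAtomic(1, &kipf_count);
	routegenid_update();

	return 0;
}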
/*
 * Attach an IPv4 filter with is_internal set, which ipf_add() records as
 * IPFF_INTERNAL. Arguments and return value are those of ipf_add().
 */
errno_t
ipf_addv4_internal(
	const struct ipf_filter *filter,
	ipfilter_t *filter_ref)
{
	errno_t result = ipf_add(filter, filter_ref, &ipv4_filters, true);

	return result;
}
/*
 * Attach an IPv4 filter that is not tagged internal. Arguments and return
 * value are those of ipf_add().
 */
errno_t
ipf_addv4(
	const struct ipf_filter *filter,
	ipfilter_t *filter_ref)
{
	errno_t result = ipf_add(filter, filter_ref, &ipv4_filters, false);

	return result;
}
/*
 * Attach an IPv6 filter with is_internal set, which ipf_add() records as
 * IPFF_INTERNAL. Arguments and return value are those of ipf_add().
 */
errno_t
ipf_addv6_internal(
	const struct ipf_filter *filter,
	ipfilter_t *filter_ref)
{
	errno_t result = ipf_add(filter, filter_ref, &ipv6_filters, true);

	return result;
}
/*
 * Attach an IPv6 filter that is not tagged internal. Arguments and return
 * value are those of ipf_add().
 */
errno_t
ipf_addv6(
	const struct ipf_filter *filter,
	ipfilter_t *filter_ref)
{
	errno_t result = ipf_add(filter, filter_ref, &ipv6_filters, false);

	return result;
}
/*
 * Input callback that ipf_remove() installs on a filter whose removal has
 * been deferred. It ignores every argument and returns 0, so the owner's
 * real input callback is no longer entered while the filter waits on
 * tbr_filters.
 */
static errno_t
ipf_input_detached(void *cookie, mbuf_t *data, int offset, u_int8_t protocol)
{
#pragma unused(cookie, data, offset, protocol)
	errno_t verdict = 0;

#if DEBUG
	printf("ipf_input_detached\n");
#endif /* DEBUG */

	return verdict;
}
/*
 * Output callback that ipf_remove() installs on a filter whose removal has
 * been deferred. It ignores every argument and returns 0, so the owner's
 * real output callback is no longer entered while the filter waits on
 * tbr_filters.
 */
static errno_t
ipf_output_detached(void *cookie, mbuf_t *data, ipf_pktopts_t options)
{
#pragma unused(cookie, data, options)
	errno_t verdict = 0;

#if DEBUG
	printf("ipf_output_detached\n");
#endif /* DEBUG */

	return verdict;
}
/*
 * Detach the filter identified by filter_ref.
 *
 * Returns EINVAL for a null handle or one whose ipf_head is neither
 * &ipv4_filters nor &ipv6_filters, ENOENT when the handle is not found on
 * its list, and 0 otherwise.
 *
 * When no reference is held (kipf_ref == 0) the filter is unlinked, its
 * ipf_detach callback is invoked outside kipf_lock and the structure is
 * freed. When references are held, the filter is queued on tbr_filters and
 * its input/output callbacks are replaced by the detached stubs; the actual
 * removal is left to ipf_unref().
 *
 * filter_ref is dereferenced (ipf_head) before kipf_lock is taken and before
 * list membership has been confirmed, so the handle must be one returned by
 * ipf_add() that has not already been removed.
 *
 * NOTE(review): net_filter_event_mark() is reached only on the ENOENT path
 * here, not after a successful immediate removal - confirm that is intended.
 */
errno_t
ipf_remove(
	ipfilter_t filter_ref)
{
	struct ipfilter *wanted = (struct ipfilter *)filter_ref;
	struct ipfilter *match;
	struct ipfilter_list *head;
	ipf_detach_func ipf_detach;
	void *cookie;

	if (wanted == 0) {
		return EINVAL;
	}
	head = wanted->ipf_head;
	if (head != &ipv4_filters && head != &ipv6_filters) {
		return EINVAL;
	}

	lck_mtx_lock(&kipf_lock);

	/* Confirm the handle is really linked on the list it claims to be on. */
	TAILQ_FOREACH(match, head, ipf_link) {
		if (match == wanted) {
			break;
		}
	}

	if (match == NULL) {
#if SKYWALK && defined(XNU_TARGET_OS_OSX)
		net_filter_event_mark(NET_FILTER_EVENT_IP,
		    net_check_compatible_ipf());
#endif /* SKYWALK && XNU_TARGET_OS_OSX */

		lck_mtx_unlock(&kipf_lock);

		return ENOENT;
	}

	/*
	 * Cannot detach while filters are running
	 */
	if (kipf_ref) {
		kipf_delayed_remove++;
		TAILQ_INSERT_TAIL(&tbr_filters, match, ipf_tbr);
		match->ipf_filter.ipf_input = ipf_input_detached;
		match->ipf_filter.ipf_output = ipf_output_detached;
		lck_mtx_unlock(&kipf_lock);
		return 0;
	}

	/* Copy the callback and cookie while the lock still protects the filter. */
	ipf_detach = match->ipf_filter.ipf_detach;
	cookie = match->ipf_filter.cookie;

	VERIFY(OSDecrementAtomic64(&net_api_stats.nas_ipf_add_count) > 0);
	if (match->ipf_flags & IPFF_INTERNAL) {
		VERIFY(OSDecrementAtomic64(&net_api_stats.nas_ipf_add_os_count) > 0);
	}

	TAILQ_REMOVE(head, match, ipf_link);
	lck_mtx_unlock(&kipf_lock);

	if (ipf_detach) {
		ipf_detach(cookie);
	}
	kfree_type(struct ipfilter, match);

	/* This will force TCP to re-evaluate its use of TSO */
	OSAddAtomic(-1, &kipf_count);
	routegenid_update();

	return 0;
}
/* NOTE(review): not referenced in the visible part of this file; confirm it is still used. */
int log_for_en1 = 0;
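/*
 * Hand a complete IPv4 or IPv6 packet to the protocol input path through
 * proto_inject().
 *
 * data        Packet; the IP version is taken from the first header byte.
 * filter_ref  Handle of the injecting filter, or 0. A non-zero handle is
 *             recorded in a KERNEL_TAG_TYPE_IPFILT mbuf tag on the packet.
 *
 * When filter_ref is 0 and the packet has no receive interface, the
 * interface owning the destination address is looked up (falling back to
 * lo_ifp), the checksum metadata is cleared and, for IPv4, the header
 * checksum is recomputed.
 *
 * Returns EINVAL for a NULL packet or one whose first mbuf does not hold the
 * header bytes this function reads, ENOTSUP for an IP version other than 4
 * or 6, ENOMEM when the tag cannot be allocated, otherwise the result of
 * proto_inject(). On the error paths taken inside this function the mbuf is
 * not freed here.
 * NOTE(review): what proto_inject() does with the mbuf on failure is not
 * visible in this file - confirm before freeing in a caller.
 */
errno_t
ipf_inject_input(
	mbuf_t data,
	ipfilter_t filter_ref)
{
	struct mbuf *m = (struct mbuf *)data;
	struct m_tag *mtag = 0;
	struct ip *ip;
	struct ip6_hdr *ip6;
	u_int8_t vers;
	int hlen = 0;
	errno_t error = 0;
	protocol_family_t proto;
	struct in_ifaddr *ia = NULL;
	struct in_addr *pkt_dst = NULL;
	struct in6_ifaddr *ia6 = NULL;
	struct sockaddr_in6 pkt_dst6;

	/* The version nibble lives in the first byte of the first mbuf. */
	if (m == NULL || (size_t)m->m_len < sizeof(u_int8_t)) {
		error = EINVAL;
		goto done;
	}
	ip = mtod(m, struct ip *);

	vers = IP_VHL_V(ip->ip_vhl);

	switch (vers) {
	case 4:
		proto = PF_INET;
		break;
	case 6:
		proto = PF_INET6;
		break;
	default:
		error = ENOTSUP;
		goto done;
	}

	if (filter_ref == 0 && m->m_pkthdr.rcvif == 0) {
		/*
		 * Search for interface with the local address
		 *
		 * This branch reads the destination address and, for IPv4,
		 * rewrites the header checksum directly in the first mbuf.
		 * Nothing here pulls the header up, so check that it is
		 * contiguous and self-consistent before touching the packet.
		 */
		switch (proto) {
		case PF_INET:
			if ((size_t)m->m_len < sizeof(struct ip)) {
				error = EINVAL;
				goto done;
			}
			hlen = IP_VHL_HL(ip->ip_vhl) << 2;
			if (hlen < (int)sizeof(struct ip) || hlen > m->m_pkthdr.len) {
				error = EINVAL;
				goto done;
			}
			pkt_dst = &ip->ip_dst;
			lck_rw_lock_shared(&in_ifaddr_rwlock);
			TAILQ_FOREACH(ia, INADDR_HASH(pkt_dst->s_addr), ia_hash) {
				if (IA_SIN(ia)->sin_addr.s_addr == pkt_dst->s_addr) {
					m->m_pkthdr.rcvif = ia->ia_ifp;
					break;
				}
			}
			lck_rw_done(&in_ifaddr_rwlock);
			break;

		case PF_INET6:
			if ((size_t)m->m_len < sizeof(struct ip6_hdr)) {
				error = EINVAL;
				goto done;
			}
			ip6 = mtod(m, struct ip6_hdr *);
			pkt_dst6.sin6_addr = ip6->ip6_dst;
			lck_rw_lock_shared(&in6_ifaddr_rwlock);
			TAILQ_FOREACH(ia6, IN6ADDR_HASH(&pkt_dst6.sin6_addr), ia6_hash) {
				if (IN6_ARE_ADDR_EQUAL(&ia6->ia_addr.sin6_addr, &pkt_dst6.sin6_addr)) {
					m->m_pkthdr.rcvif = ia6->ia_ifp;
					break;
				}
			}
			lck_rw_done(&in6_ifaddr_rwlock);
			break;

		default:
			break;
		}

		/*
		 * If none found, fallback to loopback
		 */
		if (m->m_pkthdr.rcvif == NULL) {
			m->m_pkthdr.rcvif = lo_ifp;
		}

		m->m_pkthdr.csum_data = 0;
		m->m_pkthdr.csum_flags = 0;
		if (vers == 4) {
			/* hlen was computed and range-checked in the PF_INET case above. */
			ip->ip_sum = 0;
			ip->ip_sum = in_cksum(m, hlen);
		}
	}
	if (filter_ref != 0) {
		mtag = m_tag_create(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT,
		    sizeof(ipfilter_t), M_NOWAIT, m);
		if (mtag == NULL) {
			error = ENOMEM;
			goto done;
		}
		/* The tag payload, stored right after the m_tag header, is the handle. */
		*(ipfilter_t *)(mtag + 1) = filter_ref;
		m_tag_prepend(m, mtag);
	}

	error = proto_inject(proto, data);

done:
	return error;
}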
/*
 * Send an IPv4 packet through ip_output() on behalf of a filter.
 *
 * data        Packet to send. Only the fixed IPv4 header (sizeof(struct ip))
 *             is made contiguous here.
 * filter_ref  Handle of the injecting filter, or 0. A non-zero handle is
 *             recorded in a KERNEL_TAG_TYPE_IPFILT mbuf tag on the packet.
 * options     Optional packet options; may be NULL. Its flags are mapped to
 *             the IPOAF_* output arguments, and IPPOF_MCAST_OPTS supplies
 *             multicast interface, TTL and loop settings.
 *
 * Returns ENOMEM when the header pull-up or the tag allocation fails,
 * otherwise the result of ip_output(). The chain is freed here when the tag
 * allocation fails.
 * NOTE(review): the pull-up failure path returns without freeing; this
 * relies on m_pullup() having released the chain - confirm.
 *
 * A failed multicast-options allocation is not an error: the packet is sent
 * without them.
 */
static errno_t
ipf_injectv4_out(mbuf_t data, ipfilter_t filter_ref, ipf_pktopts_t options)
{
	struct mbuf *m = (struct mbuf *)data;
	struct ip_moptions *imo = NULL;
	struct ip_out_args ipoa;
	struct route ro;
	struct ip *ip;
	errno_t error = 0;

	bzero(&ipoa, sizeof(ipoa));
	ipoa.ipoa_boundif = IFSCOPE_NONE;
	ipoa.ipoa_sotc = SO_TC_UNSPEC;
	ipoa.ipoa_netsvctype = _NET_SERVICE_TYPE_UNSPEC;

	/* Make the IP header contiguous in the mbuf */
	if ((size_t)m->m_len < sizeof(struct ip)) {
		m = m_pullup(m, sizeof(struct ip));
		if (m == NULL) {
			return ENOMEM;
		}
	}
	ip = (struct ip *)m_mtod(m);

	if (filter_ref != 0) {
		struct m_tag *tag = m_tag_create(KERNEL_MODULE_TAG_ID,
		    KERNEL_TAG_TYPE_IPFILT, sizeof(ipfilter_t), M_NOWAIT, m);

		if (tag == NULL) {
			m_freem(m);
			return ENOMEM;
		}
		/* The tag payload, stored right after the m_tag header, is the handle. */
		*(ipfilter_t *)(tag + 1) = filter_ref;
		m_tag_prepend(m, tag);
	}

	if (options != NULL) {
		/* Multicast settings are best effort: skipped if the allocation fails. */
		if (options->ippo_flags & IPPOF_MCAST_OPTS) {
			imo = ip_allocmoptions(Z_NOWAIT);
			if (imo != NULL) {
				imo->imo_multicast_ifp = options->ippo_mcast_ifnet;
				imo->imo_multicast_ttl = options->ippo_mcast_ttl;
				imo->imo_multicast_loop = (u_char)options->ippo_mcast_loop;
			}
		}

		/* Translate the caller's packet-option flags into output arguments. */
		if (options->ippo_flags & IPPOF_SELECT_SRCIF) {
			ipoa.ipoa_flags |= IPOAF_SELECT_SRCIF;
		}
		if (options->ippo_flags & IPPOF_BOUND_IF) {
			ipoa.ipoa_flags |= IPOAF_BOUND_IF;
			/* The interface scope is carried in the upper bits of ippo_flags. */
			ipoa.ipoa_boundif = options->ippo_flags >>
			    IPPOF_SHIFT_IFSCOPE;
		}
		if (options->ippo_flags & IPPOF_NO_IFT_CELLULAR) {
			ipoa.ipoa_flags |= IPOAF_NO_CELLULAR;
		}
		if (options->ippo_flags & IPPOF_BOUND_SRCADDR) {
			ipoa.ipoa_flags |= IPOAF_BOUND_SRCADDR;
		}
		if (options->ippo_flags & IPPOF_NO_IFF_EXPENSIVE) {
			ipoa.ipoa_flags |= IPOAF_NO_EXPENSIVE;
		}
		if (options->ippo_flags & IPPOF_NO_IFF_CONSTRAINED) {
			ipoa.ipoa_flags |= IPOAF_NO_CONSTRAINED;
		}
	}

	bzero(&ro, sizeof(struct route));

	/* Put ip_len and ip_off in host byte order, ip_output expects that */

#if BYTE_ORDER != BIG_ENDIAN
	NTOHS(ip->ip_len);
	NTOHS(ip->ip_off);
#endif

	/* Send; enforce source interface selection via IP_OUTARGS flag */
	error = ip_output(m, NULL, &ro,
	    IP_ALLOWBROADCAST | IP_RAWOUTPUT | IP_OUTARGS, imo, &ipoa);

	/* Release the route */
	ROUTE_RELEASE(&ro);

	if (imo != NULL) {
		IMO_REMREF(imo);
	}

	return error;
}
494*aca3beaaSApple OSS Distributions
/*
 * Inject an IPv6 packet on the output path on behalf of an IP filter.
 *
 * data        mbuf chain starting with the IPv6 header.
 * filter_ref  injecting filter, or 0; when non-zero it is recorded in a
 *             KERNEL_TAG_TYPE_IPFILT tag on the packet (the tag that
 *             ipf_get_inject_filter() reads back).
 * options     optional packet options (multicast and interface scoping);
 *             may be NULL.
 *
 * Returns ENOMEM when the header pull-up or the tag allocation fails,
 * otherwise whatever ip6_output() returns.  The chain is not handed back
 * to the caller on any path visible here.
 */
static errno_t
ipf_injectv6_out(mbuf_t data, ipfilter_t filter_ref, ipf_pktopts_t options)
{
	struct mbuf *pkt = (struct mbuf *)data;
	struct ip6_hdr *ip6;
	struct m_tag *tag = NULL;
	struct ip6_moptions *mopts = NULL;
	struct ip6_out_args oargs;
	struct route_in6 route;
	errno_t error = 0;

	/* Start from "no scope, no traffic class, no service type" */
	bzero(&oargs, sizeof(oargs));
	oargs.ip6oa_boundif = IFSCOPE_NONE;
	oargs.ip6oa_sotc = SO_TC_UNSPEC;
	oargs.ip6oa_netsvctype = _NET_SERVICE_TYPE_UNSPEC;

	/* The fixed IPv6 header must sit in the first mbuf */
	if ((size_t)pkt->m_len < sizeof(struct ip6_hdr)) {
		pkt = m_pullup(pkt, sizeof(struct ip6_hdr));
		if (pkt == NULL) {
			return ENOMEM;
		}
	}
	/* NOTE(review): ip6 is not read again in this function */
	ip6 = (struct ip6_hdr *)m_mtod(pkt);

	/* Record which filter injected the packet */
	if (filter_ref != 0) {
		tag = m_tag_create(KERNEL_MODULE_TAG_ID,
		    KERNEL_TAG_TYPE_IPFILT, sizeof(ipfilter_t), M_NOWAIT, pkt);
		if (tag == NULL) {
			m_freem(pkt);
			return ENOMEM;
		}
		/* The tag payload starts right behind the m_tag header */
		*(ipfilter_t *)(tag + 1) = filter_ref;
		m_tag_prepend(pkt, tag);
	}

	if (options != NULL) {
		/*
		 * Multicast options are best effort: when the non-blocking
		 * allocation fails the packet is still sent, only without
		 * the caller's interface / hop limit / loopback choices.
		 */
		if (options->ippo_flags & IPPOF_MCAST_OPTS) {
			mopts = ip6_allocmoptions(Z_NOWAIT);
			if (mopts != NULL) {
				mopts->im6o_multicast_ifp = options->ippo_mcast_ifnet;
				mopts->im6o_multicast_hlim = options->ippo_mcast_ttl;
				mopts->im6o_multicast_loop =
				    (u_char)options->ippo_mcast_loop;
			}
		}

		/* Translate the KPI option flags into ip6_output() arguments */
		if (options->ippo_flags & IPPOF_SELECT_SRCIF) {
			oargs.ip6oa_flags |= IP6OAF_SELECT_SRCIF;
		}
		if (options->ippo_flags & IPPOF_BOUND_IF) {
			oargs.ip6oa_flags |= IP6OAF_BOUND_IF;
			/* The interface scope is carried in the upper flag bits */
			oargs.ip6oa_boundif = options->ippo_flags >>
			    IPPOF_SHIFT_IFSCOPE;
		}
		if (options->ippo_flags & IPPOF_NO_IFT_CELLULAR) {
			oargs.ip6oa_flags |= IP6OAF_NO_CELLULAR;
		}
		if (options->ippo_flags & IPPOF_BOUND_SRCADDR) {
			oargs.ip6oa_flags |= IP6OAF_BOUND_SRCADDR;
		}
		if (options->ippo_flags & IPPOF_NO_IFF_EXPENSIVE) {
			oargs.ip6oa_flags |= IP6OAF_NO_EXPENSIVE;
		}
		if (options->ippo_flags & IPPOF_NO_IFF_CONSTRAINED) {
			oargs.ip6oa_flags |= IP6OAF_NO_CONSTRAINED;
		}
	}

	bzero(&route, sizeof(route));

	/*
	 * Hand over the mbuf together with the ifscope information.  The
	 * ifscope is not validated here; that happens during the route
	 * lookup in ip6_output.
	 */
	ip6_output_setsrcifscope(pkt, IFSCOPE_UNKNOWN, NULL);
	ip6_output_setdstifscope(pkt, IFSCOPE_UNKNOWN, NULL);
	error = ip6_output(pkt, NULL, &route, IPV6_OUTARGS, mopts, NULL, &oargs);

	/* Drop the route reference taken during output */
	ROUTE_RELEASE(&route);

	if (mopts != NULL) {
		IM6O_REMREF(mopts);
	}

	return error;
}
581*aca3beaaSApple OSS Distributions
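/*
 * Inject a packet on the output path, dispatching on the IP version found
 * in the first header byte.
 *
 * data        mbuf chain starting with an IPv4 or IPv6 header.
 * filter_ref  injecting filter, or 0; passed through to the per-family
 *             helper.
 * options     optional packet options; may be NULL.
 *
 * Returns ENOMEM when the first header byte cannot be made contiguous,
 * ENOTSUP (after freeing the chain) when the version is neither 4 nor 6,
 * otherwise the result of the per-family helper.
 */
errno_t
ipf_inject_output(
	mbuf_t data,
	ipfilter_t filter_ref,
	ipf_pktopts_t options)
{
	struct mbuf *m = (struct mbuf *)data;
	u_int8_t vers;
	errno_t error = 0;

#if SKYWALK
	sk_protect_t protect = sk_async_transmit_protect();
#endif /* SKYWALK */

	/* Make one byte of the header contiguous in the mbuf */
	if (m->m_len < 1) {
		m = m_pullup(m, 1);
		if (m == NULL) {
			/*
			 * Nothing was sent, so do not report success.  ENOMEM
			 * matches what the per-family helpers return when
			 * their own pull-up fails.
			 */
			error = ENOMEM;
			goto done;
		}
	}

	/* The version is the high nibble of the first header byte */
	vers = (*(u_int8_t *)m_mtod(m)) >> 4;

	/*
	 * Hand the helpers `m`, not `data`: m_pullup() may have returned a
	 * different head mbuf, after which `data` must not be used any more.
	 * When no pull-up was needed the two pointers are identical.
	 */
	switch (vers) {
	case 4:
		error = ipf_injectv4_out((mbuf_t)m, filter_ref, options);
		break;
	case 6:
		error = ipf_injectv6_out((mbuf_t)m, filter_ref, options);
		break;
	default:
		/* Unknown IP version: drop the packet */
		m_freem(m);
		error = ENOTSUP;
		break;
	}

done:
#if SKYWALK
	sk_async_transmit_unprotect(protect);
#endif /* SKYWALK */

	return error;
}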
625*aca3beaaSApple OSS Distributions
/*
 * Return the filter reference stored in the packet's
 * KERNEL_TAG_TYPE_IPFILT tag and remove that tag from the packet.
 * Returns 0 when the packet carries no such tag.
 */
__private_extern__ ipfilter_t
ipf_get_inject_filter(struct mbuf *m)
{
	struct m_tag *tag;
	ipfilter_t owner;

	tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFILT, NULL);
	if (tag == NULL) {
		return 0;
	}

	/* The payload sits right behind the m_tag header */
	owner = *(ipfilter_t *)(tag + 1);

	/* The tag is consumed: a second call on the same packet returns 0 */
	m_tag_delete(m, tag);

	return owner;
}
640*aca3beaaSApple OSS Distributions
#if SKYWALK && defined(XNU_TARGET_OS_OSX)
/*
 * Report whether the IP filter counters are in the "compatible" state:
 * true while nas_ipf_add_count does not exceed nas_ipf_add_os_count.
 * NOTE(review): presumably total versus OS-originated filter
 * registrations; confirm where net_api_stats is updated.
 */
bool
net_check_compatible_ipf(void)
{
	return net_api_stats.nas_ipf_add_count <=
	       net_api_stats.nas_ipf_add_os_count;
}
#endif /* SKYWALK && XNU_TARGET_OS_OSX */