1*aca3beaaSApple OSS Distributions /* 2*aca3beaaSApple OSS Distributions * Copyright (c) 2008-2021 Apple Inc. All rights reserved. 3*aca3beaaSApple OSS Distributions * 4*aca3beaaSApple OSS Distributions * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5*aca3beaaSApple OSS Distributions * 6*aca3beaaSApple OSS Distributions * This file contains Original Code and/or Modifications of Original Code 7*aca3beaaSApple OSS Distributions * as defined in and that are subject to the Apple Public Source License 8*aca3beaaSApple OSS Distributions * Version 2.0 (the 'License'). You may not use this file except in 9*aca3beaaSApple OSS Distributions * compliance with the License. The rights granted to you under the License 10*aca3beaaSApple OSS Distributions * may not be used to create, or enable the creation or redistribution of, 11*aca3beaaSApple OSS Distributions * unlawful or unlicensed copies of an Apple operating system, or to 12*aca3beaaSApple OSS Distributions * circumvent, violate, or enable the circumvention or violation of, any 13*aca3beaaSApple OSS Distributions * terms of an Apple operating system software license agreement. 14*aca3beaaSApple OSS Distributions * 15*aca3beaaSApple OSS Distributions * Please obtain a copy of the License at 16*aca3beaaSApple OSS Distributions * http://www.opensource.apple.com/apsl/ and read it before using this file. 17*aca3beaaSApple OSS Distributions * 18*aca3beaaSApple OSS Distributions * The Original Code and all software distributed under the License are 19*aca3beaaSApple OSS Distributions * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20*aca3beaaSApple OSS Distributions * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21*aca3beaaSApple OSS Distributions * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22*aca3beaaSApple OSS Distributions * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23*aca3beaaSApple OSS Distributions * Please see the License for the specific language governing rights and 24*aca3beaaSApple OSS Distributions * limitations under the License. 25*aca3beaaSApple OSS Distributions * 26*aca3beaaSApple OSS Distributions * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27*aca3beaaSApple OSS Distributions */ 28*aca3beaaSApple OSS Distributions /*! 29*aca3beaaSApple OSS Distributions * @header kpi_ipfilter.h 30*aca3beaaSApple OSS Distributions * This header defines an API to attach IP filters. IP filters may be 31*aca3beaaSApple OSS Distributions * attached to intercept either IPv4 or IPv6 packets. The filters can 32*aca3beaaSApple OSS Distributions * intercept all IP packets in to and out of the host regardless of 33*aca3beaaSApple OSS Distributions * interface. 34*aca3beaaSApple OSS Distributions */ 35*aca3beaaSApple OSS Distributions 36*aca3beaaSApple OSS Distributions #ifndef __KPI_IPFILTER__ 37*aca3beaaSApple OSS Distributions #define __KPI_IPFILTER__ 38*aca3beaaSApple OSS Distributions 39*aca3beaaSApple OSS Distributions #ifndef PRIVATE 40*aca3beaaSApple OSS Distributions #include <Availability.h> 41*aca3beaaSApple OSS Distributions #define __NKE_API_DEPRECATED __API_DEPRECATED("Network Kernel Extension KPI is deprecated", macos(10.4, 10.15)) 42*aca3beaaSApple OSS Distributions #else 43*aca3beaaSApple OSS Distributions #define __NKE_API_DEPRECATED 44*aca3beaaSApple OSS Distributions #endif /* PRIVATE */ 45*aca3beaaSApple OSS Distributions 46*aca3beaaSApple OSS Distributions /* 47*aca3beaaSApple OSS Distributions * ipf_pktopts 48*aca3beaaSApple OSS Distributions * 49*aca3beaaSApple OSS Distributions * Options for outgoing packets. The options need to be preserved when 50*aca3beaaSApple OSS Distributions * re-injecting a packet. 51*aca3beaaSApple OSS Distributions */ 52*aca3beaaSApple OSS Distributions struct ipf_pktopts { 53*aca3beaaSApple OSS Distributions u_int32_t ippo_flags; 54*aca3beaaSApple OSS Distributions ifnet_t ippo_mcast_ifnet; 55*aca3beaaSApple OSS Distributions int ippo_mcast_loop; 56*aca3beaaSApple OSS Distributions u_int8_t ippo_mcast_ttl; 57*aca3beaaSApple OSS Distributions }; 58*aca3beaaSApple OSS Distributions #define IPPOF_MCAST_OPTS 0x1 59*aca3beaaSApple OSS Distributions #ifdef PRIVATE 60*aca3beaaSApple OSS Distributions #define IPPOF_BOUND_IF 0x2 61*aca3beaaSApple OSS Distributions #define IPPOF_NO_IFT_CELLULAR 0x4 62*aca3beaaSApple OSS Distributions #define IPPOF_SELECT_SRCIF 0x8 63*aca3beaaSApple OSS Distributions #define IPPOF_BOUND_SRCADDR 0x10 64*aca3beaaSApple OSS Distributions #define IPPOF_SHIFT_IFSCOPE 16 65*aca3beaaSApple OSS Distributions #define IPPOF_NO_IFF_EXPENSIVE 0x20 66*aca3beaaSApple OSS Distributions #define IPPOF_NO_IFF_CONSTRAINED 0x40 67*aca3beaaSApple OSS Distributions #endif /* PRIVATE */ 68*aca3beaaSApple OSS Distributions 69*aca3beaaSApple OSS Distributions typedef struct ipf_pktopts *ipf_pktopts_t; 70*aca3beaaSApple OSS Distributions 71*aca3beaaSApple OSS Distributions __BEGIN_DECLS 72*aca3beaaSApple OSS Distributions 73*aca3beaaSApple OSS Distributions /*! 74*aca3beaaSApple OSS Distributions * @typedef ipf_input_func 75*aca3beaaSApple OSS Distributions * 76*aca3beaaSApple OSS Distributions * @discussion ipf_input_func is used to filter incoming ip packets. 77*aca3beaaSApple OSS Distributions * The IP filter is called for packets from all interfaces. The 78*aca3beaaSApple OSS Distributions * filter is called between when the general IP processing is 79*aca3beaaSApple OSS Distributions * handled and when the packet is passed up to the next layer 80*aca3beaaSApple OSS Distributions * protocol such as udp or tcp. In the case of encapsulation, such 81*aca3beaaSApple OSS Distributions * as UDP in ESP (IPsec), your filter will be called once for ESP 82*aca3beaaSApple OSS Distributions * and then again for UDP. This will give your filter an 83*aca3beaaSApple OSS Distributions * opportunity to process the ESP header as well as the decrypted 84*aca3beaaSApple OSS Distributions * packet. Offset and protocol are used to determine where in the 85*aca3beaaSApple OSS Distributions * packet processing is currently occuring. If you're only 86*aca3beaaSApple OSS Distributions * interested in TCP or UDP packets, just return 0 if protocol 87*aca3beaaSApple OSS Distributions * doesn't match TCP or UDP. 88*aca3beaaSApple OSS Distributions * @param cookie The cookie specified when your filter was attached. 89*aca3beaaSApple OSS Distributions * @param data The reassembled ip packet, data will start at the ip 90*aca3beaaSApple OSS Distributions * header. 91*aca3beaaSApple OSS Distributions * @param offset An offset to the next header 92*aca3beaaSApple OSS Distributions * (udp/tcp/icmp/esp/etc...). 93*aca3beaaSApple OSS Distributions * @param protocol The protocol type (udp/tcp/icmp/etc...) of the IP packet 94*aca3beaaSApple OSS Distributions * @result Return: 95*aca3beaaSApple OSS Distributions * 0 - The caller will continue with normal processing of the 96*aca3beaaSApple OSS Distributions * packet. 97*aca3beaaSApple OSS Distributions * EJUSTRETURN - The caller will stop processing the packet, 98*aca3beaaSApple OSS Distributions * the packet will not be freed. 99*aca3beaaSApple OSS Distributions * Anything Else - The caller will free the packet and stop 100*aca3beaaSApple OSS Distributions * processing. 101*aca3beaaSApple OSS Distributions */ 102*aca3beaaSApple OSS Distributions typedef errno_t (*ipf_input_func)(void *cookie, mbuf_t *data, int offset, 103*aca3beaaSApple OSS Distributions u_int8_t protocol); 104*aca3beaaSApple OSS Distributions 105*aca3beaaSApple OSS Distributions /*! 106*aca3beaaSApple OSS Distributions * @typedef ipf_output_func 107*aca3beaaSApple OSS Distributions * 108*aca3beaaSApple OSS Distributions * @discussion ipf_output_func is used to filter outbound ip packets. 109*aca3beaaSApple OSS Distributions * The IP filter is called for packets to all interfaces. The 110*aca3beaaSApple OSS Distributions * filter is called before fragmentation and IPsec processing. If 111*aca3beaaSApple OSS Distributions * you need to change the destination IP address, call 112*aca3beaaSApple OSS Distributions * ipf_inject_output and return EJUSTRETURN. 113*aca3beaaSApple OSS Distributions * @param cookie The cookie specified when your filter was attached. 114*aca3beaaSApple OSS Distributions * @param data The ip packet, will contain an IP header followed by the 115*aca3beaaSApple OSS Distributions * rest of the IP packet. 116*aca3beaaSApple OSS Distributions * @result Return: 117*aca3beaaSApple OSS Distributions * 0 - The caller will continue with normal processing of the 118*aca3beaaSApple OSS Distributions * packet. 119*aca3beaaSApple OSS Distributions * EJUSTRETURN - The caller will stop processing the packet, 120*aca3beaaSApple OSS Distributions * the packet will not be freed. 121*aca3beaaSApple OSS Distributions * Anything Else - The caller will free the packet and stop 122*aca3beaaSApple OSS Distributions * processing. 123*aca3beaaSApple OSS Distributions */ 124*aca3beaaSApple OSS Distributions typedef errno_t (*ipf_output_func)(void *cookie, mbuf_t *data, 125*aca3beaaSApple OSS Distributions ipf_pktopts_t options); 126*aca3beaaSApple OSS Distributions 127*aca3beaaSApple OSS Distributions /*! 128*aca3beaaSApple OSS Distributions * @typedef ipf_detach_func 129*aca3beaaSApple OSS Distributions * 130*aca3beaaSApple OSS Distributions * @discussion ipf_detach_func is called to notify your filter that it 131*aca3beaaSApple OSS Distributions * has been detached. 132*aca3beaaSApple OSS Distributions * @param cookie The cookie specified when your filter was attached. 133*aca3beaaSApple OSS Distributions */ 134*aca3beaaSApple OSS Distributions typedef void (*ipf_detach_func)(void *cookie); 135*aca3beaaSApple OSS Distributions 136*aca3beaaSApple OSS Distributions /*! 137*aca3beaaSApple OSS Distributions * @typedef ipf_filter 138*aca3beaaSApple OSS Distributions * @discussion This structure is used to define an IP filter for 139*aca3beaaSApple OSS Distributions * use with the ipf_addv4 or ipf_addv6 function. 140*aca3beaaSApple OSS Distributions * @field cookie A kext defined cookie that will be passed to all 141*aca3beaaSApple OSS Distributions * filter functions. 142*aca3beaaSApple OSS Distributions * @field name A filter name used for debugging purposes. 143*aca3beaaSApple OSS Distributions * @field ipf_input The filter function to handle inbound packets. 144*aca3beaaSApple OSS Distributions * @field ipf_output The filter function to handle outbound packets. 145*aca3beaaSApple OSS Distributions * @field ipf_detach The filter function to notify of a detach. 146*aca3beaaSApple OSS Distributions */ 147*aca3beaaSApple OSS Distributions struct ipf_filter { 148*aca3beaaSApple OSS Distributions void *cookie; 149*aca3beaaSApple OSS Distributions const char *name; 150*aca3beaaSApple OSS Distributions ipf_input_func ipf_input; 151*aca3beaaSApple OSS Distributions ipf_output_func ipf_output; 152*aca3beaaSApple OSS Distributions ipf_detach_func ipf_detach; 153*aca3beaaSApple OSS Distributions }; 154*aca3beaaSApple OSS Distributions 155*aca3beaaSApple OSS Distributions struct opaque_ipfilter; 156*aca3beaaSApple OSS Distributions typedef struct opaque_ipfilter *ipfilter_t; 157*aca3beaaSApple OSS Distributions 158*aca3beaaSApple OSS Distributions /*! 159*aca3beaaSApple OSS Distributions * @function ipf_addv4 160*aca3beaaSApple OSS Distributions * @discussion Attaches an IPv4 ip filter. 161*aca3beaaSApple OSS Distributions * @param filter A structure defining the filter. 162*aca3beaaSApple OSS Distributions * @param filter_ref A reference to the filter used to detach it. 163*aca3beaaSApple OSS Distributions * @result 0 on success otherwise the errno error. 164*aca3beaaSApple OSS Distributions */ 165*aca3beaaSApple OSS Distributions #ifdef KERNEL_PRIVATE 166*aca3beaaSApple OSS Distributions extern errno_t ipf_addv4_internal(const struct ipf_filter *filter, 167*aca3beaaSApple OSS Distributions ipfilter_t *filter_ref); 168*aca3beaaSApple OSS Distributions 169*aca3beaaSApple OSS Distributions #define ipf_addv4(filter, filter_ref) \ 170*aca3beaaSApple OSS Distributions ipf_addv4_internal((filter), (filter_ref)) 171*aca3beaaSApple OSS Distributions #else 172*aca3beaaSApple OSS Distributions extern errno_t ipf_addv4(const struct ipf_filter *filter, 173*aca3beaaSApple OSS Distributions ipfilter_t *filter_ref) 174*aca3beaaSApple OSS Distributions __NKE_API_DEPRECATED; 175*aca3beaaSApple OSS Distributions #endif /* KERNEL_PRIVATE */ 176*aca3beaaSApple OSS Distributions 177*aca3beaaSApple OSS Distributions /*! 178*aca3beaaSApple OSS Distributions * @function ipf_addv6 179*aca3beaaSApple OSS Distributions * @discussion Attaches an IPv6 ip filter. 180*aca3beaaSApple OSS Distributions * @param filter A structure defining the filter. 181*aca3beaaSApple OSS Distributions * @param filter_ref A reference to the filter used to detach it. 182*aca3beaaSApple OSS Distributions * @result 0 on success otherwise the errno error. 183*aca3beaaSApple OSS Distributions */ 184*aca3beaaSApple OSS Distributions #ifdef KERNEL_PRIVATE 185*aca3beaaSApple OSS Distributions extern errno_t ipf_addv6_internal(const struct ipf_filter *filter, 186*aca3beaaSApple OSS Distributions ipfilter_t *filter_ref); 187*aca3beaaSApple OSS Distributions 188*aca3beaaSApple OSS Distributions #define ipf_addv6(filter, filter_ref) \ 189*aca3beaaSApple OSS Distributions ipf_addv6_internal((filter), (filter_ref)) 190*aca3beaaSApple OSS Distributions #else 191*aca3beaaSApple OSS Distributions extern errno_t ipf_addv6(const struct ipf_filter *filter, 192*aca3beaaSApple OSS Distributions ipfilter_t *filter_ref) 193*aca3beaaSApple OSS Distributions __NKE_API_DEPRECATED; 194*aca3beaaSApple OSS Distributions #endif /* KERNEL_PRIVATE */ 195*aca3beaaSApple OSS Distributions 196*aca3beaaSApple OSS Distributions /*! 197*aca3beaaSApple OSS Distributions * @function ipf_remove 198*aca3beaaSApple OSS Distributions * @discussion Detaches an IPv4 or IPv6 filter. 199*aca3beaaSApple OSS Distributions * @param filter_ref The reference to the filter returned from ipf_addv4 or 200*aca3beaaSApple OSS Distributions * ipf_addv6. 201*aca3beaaSApple OSS Distributions * @result 0 on success otherwise the errno error. 202*aca3beaaSApple OSS Distributions */ 203*aca3beaaSApple OSS Distributions extern errno_t ipf_remove(ipfilter_t filter_ref) 204*aca3beaaSApple OSS Distributions __NKE_API_DEPRECATED; 205*aca3beaaSApple OSS Distributions 206*aca3beaaSApple OSS Distributions /*! 207*aca3beaaSApple OSS Distributions * @function ipf_inject_input 208*aca3beaaSApple OSS Distributions * @discussion Inject an IP packet as though it had just been 209*aca3beaaSApple OSS Distributions * reassembled in ip_input. When re-injecting a packet intercepted 210*aca3beaaSApple OSS Distributions * by the filter's ipf_input function, an IP filter can pass its 211*aca3beaaSApple OSS Distributions * reference to avoid processing the packet twice. This also 212*aca3beaaSApple OSS Distributions * prevents ip filters installed before this filter from 213*aca3beaaSApple OSS Distributions * getting a chance to process the packet. If the filter modified 214*aca3beaaSApple OSS Distributions * the packet, it should not specify the filter ref to give other 215*aca3beaaSApple OSS Distributions * filters a chance to process the new packet. 216*aca3beaaSApple OSS Distributions * 217*aca3beaaSApple OSS Distributions * Caller is responsible for freeing mbuf chain in the event that 218*aca3beaaSApple OSS Distributions * ipf_inject_input returns an error. 219*aca3beaaSApple OSS Distributions * @param data The complete IPv4 or IPv6 packet, receive interface must 220*aca3beaaSApple OSS Distributions * be set. 221*aca3beaaSApple OSS Distributions * @param filter_ref The reference to the filter injecting the data 222*aca3beaaSApple OSS Distributions * @result 0 on success otherwise the errno error. 223*aca3beaaSApple OSS Distributions */ 224*aca3beaaSApple OSS Distributions extern errno_t ipf_inject_input(mbuf_t data, ipfilter_t filter_ref) 225*aca3beaaSApple OSS Distributions __NKE_API_DEPRECATED; 226*aca3beaaSApple OSS Distributions 227*aca3beaaSApple OSS Distributions /*! 228*aca3beaaSApple OSS Distributions * @function ipf_inject_output 229*aca3beaaSApple OSS Distributions * @discussion Inject an IP packet as though it had just been sent to 230*aca3beaaSApple OSS Distributions * ip_output. When re-injecting a packet intercepted by the 231*aca3beaaSApple OSS Distributions * filter's ipf_output function, an IP filter can pass its 232*aca3beaaSApple OSS Distributions * reference to avoid processing the packet twice. This also 233*aca3beaaSApple OSS Distributions * prevents ip filters installed before this filter from getting a 234*aca3beaaSApple OSS Distributions * chance to process the packet. If the filter modified the packet, 235*aca3beaaSApple OSS Distributions * it should not specify the filter ref to give other filters a 236*aca3beaaSApple OSS Distributions * chance to process the new packet. 237*aca3beaaSApple OSS Distributions * @param data The complete IPv4 or IPv6 packet. 238*aca3beaaSApple OSS Distributions * @param filter_ref The reference to the filter injecting the data 239*aca3beaaSApple OSS Distributions * @param options Output options for the packet 240*aca3beaaSApple OSS Distributions * @result 0 on success otherwise the errno error. ipf_inject_output 241*aca3beaaSApple OSS Distributions * will always free the mbuf. 242*aca3beaaSApple OSS Distributions */ 243*aca3beaaSApple OSS Distributions extern errno_t ipf_inject_output(mbuf_t data, ipfilter_t filter_ref, 244*aca3beaaSApple OSS Distributions ipf_pktopts_t options) 245*aca3beaaSApple OSS Distributions __NKE_API_DEPRECATED; 246*aca3beaaSApple OSS Distributions __END_DECLS 247*aca3beaaSApple OSS Distributions #undef __NKE_API_DEPRECATED 248*aca3beaaSApple OSS Distributions #endif /* __KPI_IPFILTER__ */ 249