content_filter.c source code [xnu/bsd/net/content_filter.c]

1	/*
2	* Copyright (c) 2013-2018 Apple Inc. All rights reserved.
3	*
4	* @APPLE_LICENSE_HEADER_START@
5	*
6	* This file contains Original Code and/or Modifications of Original Code
7	* as defined in and that are subject to the Apple Public Source License
8	* Version 2.0 (the 'License'). You may not use this file except in
9	* compliance with the License. Please obtain a copy of the License at
10	* http://www.opensource.apple.com/apsl/ and read it before using this
11	* file.
12	*
13	* The Original Code and all software distributed under the License are
14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18	* Please see the License for the specific language governing rights and
19	* limitations under the License.
20	*
21	* @APPLE_LICENSE_HEADER_END@
22	*/
23
24	/*
25	* THEORY OF OPERATION
26	*
27	* The socket content filter subsystem provides a way for user space agents to
28	* make filtering decisions based on the content of the data being sent and
29	* received by TCP/IP sockets.
30	*
31	* A content filter user space agents gets a copy of the data and the data is
32	* also kept in kernel buffer until the user space agents makes a pass or drop
33	* decision. This unidirectional flow of content avoids unnecessary data copies
34	* back to the kernel.
35	*
36	* A user space filter agent opens a kernel control socket with the name
37	* CONTENT_FILTER_CONTROL_NAME to attach to the socket content filter subsystem.
38	* When connected, a "struct content_filter" is created and set as the
39	* "unitinfo" of the corresponding kernel control socket instance.
40	*
41	* The socket content filter subsystem exchanges messages with the user space
42	* filter agent until an ultimate pass or drop decision is made by the
43	* user space filter agent.
44	*
45	* It should be noted that messages about many TCP/IP sockets can be multiplexed
46	* over a single kernel control socket.
47	*
48	* Notes:
49	* - The current implementation is limited to TCP sockets.
50	* - The current implementation supports up to two simultaneous content filters
51	* for the sake of simplicity of the implementation.
52	*
53	*
54	* NECP FILTER CONTROL UNIT
55	*
56	* A user space filter agent uses the Network Extension Control Policy (NECP)
57	* database to specify which TCP/IP sockets need to be filtered. The NECP
58	* criteria may be based on a variety of properties like user ID or proc UUID.
59	*
60	* The NECP "filter control unit" is used by the socket content filter subsystem
61	* to deliver the relevant TCP/IP content information to the appropriate
62	* user space filter agent via its kernel control socket instance.
63	* This works as follows:
64	*
65	* 1) The user space filter agent specifies an NECP filter control unit when
66	* in adds its filtering rules to the NECP database.
67	*
68	* 2) The user space filter agent also sets its NECP filter control unit on the
69	* content filter kernel control socket via the socket option
70	* CFIL_OPT_NECP_CONTROL_UNIT.
71	*
72	* 3) The NECP database is consulted to find out if a given TCP/IP socket
73	* needs to be subjected to content filtering and returns the corresponding
74	* NECP filter control unit -- the NECP filter control unit is actually
75	* stored in the TCP/IP socket structure so the NECP lookup is really simple.
76	*
77	* 4) The NECP filter control unit is then used to find the corresponding
78	* kernel control socket instance.
79	*
80	* Note: NECP currently supports a single filter control unit per TCP/IP socket
81	* but this restriction may be soon lifted.
82	*
83	*
84	* THE MESSAGING PROTOCOL
85	*
86	* The socket content filter subsystem and a user space filter agent
87	* communicate over the kernel control socket via an asynchronous
88	* messaging protocol (this is not a request-response protocol).
89	* The socket content filter subsystem sends event messages to the user
90	* space filter agent about the TCP/IP sockets it is interested to filter.
91	* The user space filter agent sends action messages to either allow
92	* data to pass or to disallow the data flow (and drop the connection).
93	*
94	* All messages over a content filter kernel control socket share the same
95	* common header of type "struct cfil_msg_hdr". The message type tells if
96	* it's a event message "CFM_TYPE_EVENT" or a action message "CFM_TYPE_ACTION".
97	* The message header field "cfm_sock_id" identifies a given TCP/IP socket.
98	* Note the message header length field may be padded for alignment and can
99	* be larger than the actual content of the message.
100	* The field "cfm_op" describe the kind of event or action.
101	*
102	* Here are the kinds of content filter events:
103	* - CFM_OP_SOCKET_ATTACHED: a new TCP/IP socket is being filtered
104	* - CFM_OP_SOCKET_CLOSED: A TCP/IP socket is closed
105	* - CFM_OP_DATA_OUT: A span of data is being sent on a TCP/IP socket
106	* - CFM_OP_DATA_IN: A span of data is being or received on a TCP/IP socket
107	*
108	*
109	* EVENT MESSAGES
110	*
111	* The CFM_OP_DATA_OUT and CFM_OP_DATA_IN event messages contains a span of
112	* data that is being sent or received. The position of this span of data
113	* in the data flow is described by a set of start and end offsets. These
114	* are absolute 64 bits offsets. The first byte sent (or received) starts
115	* at offset 0 and ends at offset 1. The length of the content data
116	* is given by the difference between the end offset and the start offset.
117	*
118	* After a CFM_OP_SOCKET_ATTACHED is delivered, CFM_OP_DATA_OUT and
119	* CFM_OP_DATA_OUT events are not delivered until a CFM_OP_DATA_UPDATE
120	* action message is sent by the user space filter agent.
121	*
122	* Note: absolute 64 bits offsets should be large enough for the foreseeable
123	* future. A 64-bits counter will wrap after 468 years at 10 Gbit/sec:
124	* 2E64 / ((10E9 / 8) * 60 * 60 * 24 * 365.25) = 467.63
125	*
126	* They are two kinds of primary content filter actions:
127	* - CFM_OP_DATA_UPDATE: to update pass or peek offsets for each direction.
128	* - CFM_OP_DROP: to shutdown socket and disallow further data flow
129	*
130	* There is also an action to mark a given client flow as already filtered
131	* at a higher level, CFM_OP_BLESS_CLIENT.
132	*
133	*
134	* ACTION MESSAGES
135	*
136	* The CFM_OP_DATA_UPDATE action messages let the user space filter
137	* agent allow data to flow up to the specified pass offset -- there
138	* is a pass offset for outgoing data and a pass offset for incoming data.
139	* When a new TCP/IP socket is attached to the content filter, each pass offset
140	* is initially set to 0 so not data is allowed to pass by default.
141	* When the pass offset is set to CFM_MAX_OFFSET via a CFM_OP_DATA_UPDATE
142	* then the data flow becomes unrestricted.
143	*
144	* Note that pass offsets can only be incremented. A CFM_OP_DATA_UPDATE message
145	* with a pass offset smaller than the pass offset of a previous
146	* CFM_OP_DATA_UPDATE message is silently ignored.
147	*
148	* A user space filter agent also uses CFM_OP_DATA_UPDATE action messages
149	* to tell the kernel how much data it wants to see by using the peek offsets.
150	* Just like pass offsets, there is a peek offset for each direction.
151	* When a new TCP/IP socket is attached to the content filter, each peek offset
152	* is initially set to 0 so no CFM_OP_DATA_OUT and CFM_OP_DATA_IN event
153	* messages are dispatched by default until a CFM_OP_DATA_UPDATE action message
154	* with a greater than 0 peek offset is sent by the user space filter agent.
155	* When the peek offset is set to CFM_MAX_OFFSET via a CFM_OP_DATA_UPDATE
156	* then the flow of update data events becomes unrestricted.
157	*
158	* Note that peek offsets cannot be smaller than the corresponding pass offset.
159	* Also a peek offsets cannot be smaller than the corresponding end offset
160	* of the last CFM_OP_DATA_OUT/CFM_OP_DATA_IN message dispatched. Trying
161	* to set a too small peek value is silently ignored.
162	*
163	*
164	* PER SOCKET "struct cfil_info"
165	*
166	* As soon as a TCP/IP socket gets attached to a content filter, a
167	* "struct cfil_info" is created to hold the content filtering state for this
168	* socket.
169	*
170	* The content filtering state is made of the following information
171	* for each direction:
172	* - The current pass offset;
173	* - The first and last offsets of the data pending, waiting for a filtering
174	* decision;
175	* - The inject queue for data that passed the filters and that needs
176	* to be re-injected;
177	* - A content filter specific state in a set of "struct cfil_entry"
178	*
179	*
180	* CONTENT FILTER STATE "struct cfil_entry"
181	*
182	* The "struct cfil_entry" maintains the information most relevant to the
183	* message handling over a kernel control socket with a user space filter agent.
184	*
185	* The "struct cfil_entry" holds the NECP filter control unit that corresponds
186	* to the kernel control socket unit it corresponds to and also has a pointer
187	* to the corresponding "struct content_filter".
188	*
189	* For each direction, "struct cfil_entry" maintains the following information:
190	* - The pass offset
191	* - The peek offset
192	* - The offset of the last data peeked at by the filter
193	* - A queue of data that's waiting to be delivered to the user space filter
194	* agent on the kernel control socket
195	* - A queue of data for which event messages have been sent on the kernel
196	* control socket and are pending for a filtering decision.
197	*
198	*
199	* CONTENT FILTER QUEUES
200	*
201	* Data that is being filtered is steered away from the TCP/IP socket buffer
202	* and instead will sit in one of three content filter queues until the data
203	* can be re-injected into the TCP/IP socket buffer.
204	*
205	* A content filter queue is represented by "struct cfil_queue" that contains
206	* a list of mbufs and the start and end offset of the data span of
207	* the list of mbufs.
208	*
209	* The data moves into the three content filter queues according to this
210	* sequence:
211	* a) The "cfe_ctl_q" of "struct cfil_entry"
212	* b) The "cfe_pending_q" of "struct cfil_entry"
213	* c) The "cfi_inject_q" of "struct cfil_info"
214	*
215	* Note: The sequence (a),(b) may be repeated several times if there is more
216	* than one content filter attached to the TCP/IP socket.
217	*
218	* The "cfe_ctl_q" queue holds data than cannot be delivered to the
219	* kernel conntrol socket for two reasons:
220	* - The peek offset is less that the end offset of the mbuf data
221	* - The kernel control socket is flow controlled
222	*
223	* The "cfe_pending_q" queue holds data for which CFM_OP_DATA_OUT or
224	* CFM_OP_DATA_IN have been successfully dispatched to the kernel control
225	* socket and are waiting for a pass action message fromn the user space
226	* filter agent. An mbuf length must be fully allowed to pass to be removed
227	* from the cfe_pending_q.
228	*
229	* The "cfi_inject_q" queue holds data that has been fully allowed to pass
230	* by the user space filter agent and that needs to be re-injected into the
231	* TCP/IP socket.
232	*
233	*
234	* IMPACT ON FLOW CONTROL
235	*
236	* An essential aspect of the content filer subsystem is to minimize the
237	* impact on flow control of the TCP/IP sockets being filtered.
238	*
239	* The processing overhead of the content filtering may have an effect on
240	* flow control by adding noticeable delays and cannot be eliminated --
241	* care must be taken by the user space filter agent to minimize the
242	* processing delays.
243	*
244	* The amount of data being filtered is kept in buffers while waiting for
245	* a decision by the user space filter agent. This amount of data pending
246	* needs to be subtracted from the amount of data available in the
247	* corresponding TCP/IP socket buffer. This is done by modifying
248	* sbspace() and tcp_sbspace() to account for amount of data pending
249	* in the content filter.
250	*
251	*
252	* LOCKING STRATEGY
253	*
254	* The global state of content filter subsystem is protected by a single
255	* read-write lock "cfil_lck_rw". The data flow can be done with the
256	* cfil read-write lock held as shared so it can be re-entered from multiple
257	* threads.
258	*
259	* The per TCP/IP socket content filterstate -- "struct cfil_info" -- is
260	* protected by the socket lock.
261	*
262	* A TCP/IP socket lock cannot be taken while the cfil read-write lock
263	* is held. That's why we have some sequences where we drop the cfil read-write
264	* lock before taking the TCP/IP lock.
265	*
266	* It is also important to lock the TCP/IP socket buffer while the content
267	* filter is modifying the amount of pending data. Otherwise the calculations
268	* in sbspace() and tcp_sbspace() could be wrong.
269	*
270	* The "cfil_lck_rw" protects "struct content_filter" and also the fields
271	* "cfe_link" and "cfe_filter" of "struct cfil_entry".
272	*
273	* Actually "cfe_link" and "cfe_filter" are protected by both by
274	* "cfil_lck_rw" and the socket lock: they may be modified only when
275	* "cfil_lck_rw" is exclusive and the socket is locked.
276	*
277	* To read the other fields of "struct content_filter" we have to take
278	* "cfil_lck_rw" in shared mode.
279	*
280	*
281	* LIMITATIONS
282	*
283	* - For TCP sockets only
284	*
285	* - Does not support TCP unordered messages
286	*/
287
288	/*
289	* TO DO LIST
290	*
291	* SOONER:
292	*
293	* Deal with OOB
294	*
295	* LATER:
296	*
297	* If support datagram, enqueue control and address mbufs as well
298	*/
299
300	#include <sys/types.h>
301	#include <sys/kern_control.h>
302	#include <sys/queue.h>
303	#include <sys/domain.h>
304	#include <sys/protosw.h>
305	#include <sys/syslog.h>
306	#include <sys/systm.h>
307	#include <sys/param.h>
308	#include <sys/mbuf.h>
309
310	#include <kern/locks.h>
311	#include <kern/zalloc.h>
312	#include <kern/debug.h>
313
314	#include <net/content_filter.h>
315
316	#include <netinet/in_pcb.h>
317	#include <netinet/tcp.h>
318	#include <netinet/tcp_var.h>
319	#include <netinet/udp.h>
320	#include <netinet/udp_var.h>
321
322	#include <string.h>
323	#include <libkern/libkern.h>
324	#include <kern/sched_prim.h>
325
326	#define MAX_CONTENT_FILTER 2
327
328	struct cfil_entry;
329
330	/*
331	* The structure content_filter represents a user space content filter
332	* It's created and associated with a kernel control socket instance
333	*/
334	struct content_filter {
335	kern_ctl_ref cf_kcref;
336	u_int32_t cf_kcunit;
337	u_int32_t cf_flags;
338
339	uint32_t cf_necp_control_unit;
340
341	uint32_t cf_sock_count;
342	TAILQ_HEAD(, cfil_entry) cf_sock_entries;
343	};
344
345	#define CFF_ACTIVE 0x01
346	#define CFF_DETACHING 0x02
347	#define CFF_FLOW_CONTROLLED 0x04
348
349	struct content_filter **content_filters = NULL;
350	uint32_t cfil_active_count = `0`; / Number of active content filters /
351	uint32_t cfil_sock_attached_count = `0`; / Number of sockets attachements /
352	uint32_t cfil_sock_udp_attached_count = `0`; / Number of UDP sockets attachements /
353	uint32_t cfil_close_wait_timeout = `1000`; / in milliseconds /
354
355	static kern_ctl_ref cfil_kctlref = NULL;
356
357	static lck_grp_attr_t *cfil_lck_grp_attr = NULL;
358	static lck_attr_t *cfil_lck_attr = NULL;
359	static lck_grp_t *cfil_lck_grp = NULL;
360	decl_lck_rw_data(static, cfil_lck_rw);
361
362	#define CFIL_RW_LCK_MAX 8
363
364	int cfil_rw_nxt_lck = `0`;
365	void* cfil_rw_lock_history[CFIL_RW_LCK_MAX];
366
367	int cfil_rw_nxt_unlck = `0`;
368	void* cfil_rw_unlock_history[CFIL_RW_LCK_MAX];
369
370	#define CONTENT_FILTER_ZONE_NAME "content_filter"
371	#define CONTENT_FILTER_ZONE_MAX 10
372	static struct zone content_filter_zone = NULL; /* zone for content_filter /
373
374
375	#define CFIL_INFO_ZONE_NAME "cfil_info"
376	#define CFIL_INFO_ZONE_MAX 1024
377	static struct zone cfil_info_zone = NULL; /* zone for cfil_info /
378
379	MBUFQ_HEAD(cfil_mqhead);
380
381	struct cfil_queue {
382	uint64_t q_start; / offset of first byte in queue /
383	uint64_t q_end; / offset of last byte in queue /
384	struct cfil_mqhead q_mq;
385	};
386
387	/*
388	* struct cfil_entry
389	*
390	* The is one entry per content filter
391	*/
392	struct cfil_entry {
393	TAILQ_ENTRY(cfil_entry) cfe_link;
394	struct content_filter *cfe_filter;
395
396	struct cfil_info *cfe_cfil_info;
397	uint32_t cfe_flags;
398	uint32_t cfe_necp_control_unit;
399	struct timeval cfe_last_event; / To user space /
400	struct timeval cfe_last_action; / From user space /
401
402	struct cfe_buf {
403	/*
404	* cfe_pending_q holds data that has been delivered to
405	* the filter and for which we are waiting for an action
406	*/
407	struct cfil_queue cfe_pending_q;
408	/*
409	* This queue is for data that has not be delivered to
410	* the content filter (new data, pass peek or flow control)
411	*/
412	struct cfil_queue cfe_ctl_q;
413
414	uint64_t cfe_pass_offset;
415	uint64_t cfe_peek_offset;
416	uint64_t cfe_peeked;
417	} cfe_snd, cfe_rcv;
418	};
419
420	#define CFEF_CFIL_ATTACHED 0x0001 /* was attached to filter */
421	#define CFEF_SENT_SOCK_ATTACHED 0x0002 /* sock attach event was sent */
422	#define CFEF_DATA_START 0x0004 /* can send data event */
423	#define CFEF_FLOW_CONTROLLED 0x0008 /* wait for flow control lift */
424	#define CFEF_SENT_DISCONNECT_IN 0x0010 /* event was sent */
425	#define CFEF_SENT_DISCONNECT_OUT 0x0020 /* event was sent */
426	#define CFEF_SENT_SOCK_CLOSED 0x0040 /* closed event was sent */
427	#define CFEF_CFIL_DETACHED 0x0080 /* filter was detached */
428
429
430	#define CFI_ADD_TIME_LOG(cfil, t1, t0, op) \
431	struct timeval _tdiff; \
432	if ((cfil)->cfi_op_list_ctr < CFI_MAX_TIME_LOG_ENTRY) { \
433	timersub(t1, t0, &_tdiff); \
434	(cfil)->cfi_op_time[(cfil)->cfi_op_list_ctr] = (uint32_t)(_tdiff.tv_sec * 1000 + _tdiff.tv_usec / 1000);\
435	(cfil)->cfi_op_list[(cfil)->cfi_op_list_ctr] = (unsigned char)op; \
436	(cfil)->cfi_op_list_ctr ++; \
437	}
438
439	struct cfil_hash_entry;
440
441	/*
442	* struct cfil_info
443	*
444	* There is a struct cfil_info per socket
445	*/
446	struct cfil_info {
447	TAILQ_ENTRY(cfil_info) cfi_link;
448	struct socket *cfi_so;
449	uint64_t cfi_flags;
450	uint64_t cfi_sock_id;
451	struct timeval64 cfi_first_event;
452	uint32_t cfi_op_list_ctr;
453	uint32_t cfi_op_time[CFI_MAX_TIME_LOG_ENTRY]; / time interval in microseconds since first event /
454	unsigned char cfi_op_list[CFI_MAX_TIME_LOG_ENTRY];
455
456	struct cfi_buf {
457	/*
458	* cfi_pending_first and cfi_pending_last describe the total
459	* amount of data outstanding for all the filters on
460	* this socket and data in the flow queue
461	* cfi_pending_mbcnt counts in sballoc() "chars of mbufs used"
462	*/
463	uint64_t cfi_pending_first;
464	uint64_t cfi_pending_last;
465	uint32_t cfi_pending_mbcnt;
466	uint32_t cfi_pending_mbnum;
467	uint32_t cfi_tail_drop_cnt;
468	/*
469	* cfi_pass_offset is the minimum of all the filters
470	*/
471	uint64_t cfi_pass_offset;
472	/*
473	* cfi_inject_q holds data that needs to be re-injected
474	* into the socket after filtering and that can
475	* be queued because of flow control
476	*/
477	struct cfil_queue cfi_inject_q;
478	} cfi_snd, cfi_rcv;
479
480	struct cfil_entry cfi_entries[MAX_CONTENT_FILTER];
481	struct cfil_hash_entry *cfi_hash_entry;
482	} __attribute__((aligned(`8`)));
483
484	#define CFIF_DROP 0x0001 /* drop action applied */
485	#define CFIF_CLOSE_WAIT 0x0002 /* waiting for filter to close */
486	#define CFIF_SOCK_CLOSED 0x0004 /* socket is closed */
487	#define CFIF_RETRY_INJECT_IN 0x0010 /* inject in failed */
488	#define CFIF_RETRY_INJECT_OUT 0x0020 /* inject out failed */
489	#define CFIF_SHUT_WR 0x0040 /* shutdown write */
490	#define CFIF_SHUT_RD 0x0080 /* shutdown read */
491
492	#define CFI_MASK_GENCNT 0xFFFFFFFF00000000 /* upper 32 bits */
493	#define CFI_SHIFT_GENCNT 32
494	#define CFI_MASK_FLOWHASH 0x00000000FFFFFFFF /* lower 32 bits */
495	#define CFI_SHIFT_FLOWHASH 0
496
497	TAILQ_HEAD(cfil_sock_head, cfil_info) cfil_sock_head;
498
499	#define CFIL_QUEUE_VERIFY(x) if (cfil_debug) cfil_queue_verify(x)
500	#define CFIL_INFO_VERIFY(x) if (cfil_debug) cfil_info_verify(x)
501
502	/*
503	* UDP Socket Support
504	*/
505	LIST_HEAD(cfilhashhead, cfil_hash_entry);
506	#define CFILHASHSIZE 16
507	#define CFIL_HASH(laddr, faddr, lport, fport) ((faddr) ^ ((laddr) >> 16) ^ (fport) ^ (lport))
508	#define IS_UDP(so) (so && so->so_proto->pr_type == SOCK_DGRAM && so->so_proto->pr_protocol == IPPROTO_UDP)
509	#define UNCONNECTED(inp) (inp && (((inp->inp_vflag & INP_IPV4) && (inp->inp_faddr.s_addr == INADDR_ANY)) \|\| \
510	((inp->inp_vflag & INP_IPV6) && IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_faddr))))
511	#define IS_ENTRY_ATTACHED(cfil_info, kcunit) (cfil_info != NULL && (kcunit <= MAX_CONTENT_FILTER) && \
512	cfil_info->cfi_entries[kcunit - 1].cfe_filter != NULL)
513	#define IS_DNS(local, remote) (check_port(local, 53) \|\| check_port(remote, 53) \|\| check_port(local, 5353) \|\| check_port(remote, 5353))
514
515	/*
516	* UDP Garbage Collection:
517	*/
518	static struct thread *cfil_udp_gc_thread;
519	#define UDP_FLOW_GC_IDLE_TO 30 // Flow Idle Timeout in seconds
520	#define UDP_FLOW_GC_ACTION_TO 10 // Flow Action Timeout (no action from user space) in seconds
521	#define UDP_FLOW_GC_MAX_COUNT 100 // Max UDP flows to be handled per run
522	#define UDP_FLOW_GC_RUN_INTERVAL_NSEC (10 * NSEC_PER_SEC) // GC wakes up every 10 seconds
523
524	/*
525	* UDP flow queue thresholds
526	*/
527	#define UDP_FLOW_GC_MBUF_CNT_MAX (2 << MBSHIFT) // Max mbuf byte count in flow queue (2MB)
528	#define UDP_FLOW_GC_MBUF_NUM_MAX (UDP_FLOW_GC_MBUF_CNT_MAX >> MCLSHIFT) // Max mbuf count in flow queue (1K)
529	#define UDP_FLOW_GC_MBUF_SHIFT 5 // Shift to get 1/32 of platform limits
530	/*
531	* UDP flow queue threshold globals:
532	*/
533	static unsigned int cfil_udp_gc_mbuf_num_max = UDP_FLOW_GC_MBUF_NUM_MAX;
534	static unsigned int cfil_udp_gc_mbuf_cnt_max = UDP_FLOW_GC_MBUF_CNT_MAX;
535
536	/*
537	* struct cfil_hash_entry
538	*
539	* Hash entry for cfil_info
540	*/
541	struct cfil_hash_entry {
542	LIST_ENTRY(cfil_hash_entry) cfentry_link;
543	struct cfil_info *cfentry_cfil;
544	u_short cfentry_fport;
545	u_short cfentry_lport;
546	sa_family_t cfentry_family;
547	u_int32_t cfentry_flowhash;
548	u_int32_t cfentry_lastused;
549	union {
550	/ foreign host table entry /
551	struct in_addr_4in6 addr46;
552	struct in6_addr addr6;
553	} cfentry_faddr;
554	union {
555	/ local host table entry /
556	struct in_addr_4in6 addr46;
557	struct in6_addr addr6;
558	} cfentry_laddr;
559	};
560
561	/*
562	* struct cfil_db
563	*
564	* For each UDP socket, this is a hash table maintaining all cfil_info structs
565	* keyed by the flow 4-tuples <lport,fport,laddr,faddr>.
566	*/
567	struct cfil_db {
568	struct socket *cfdb_so;
569	uint32_t cfdb_count; / Number of total content filters /
570	struct cfilhashhead *cfdb_hashbase;
571	u_long cfdb_hashmask;
572	struct cfil_hash_entry cfdb_only_entry; /* Optimization for connected UDP /
573	};
574
575	/*
576	* CFIL specific mbuf tag:
577	* Save state of socket at the point of data entry into cfil.
578	* Use saved state for reinjection at protocol layer.
579	*/
580	struct cfil_tag {
581	union sockaddr_in_4_6 cfil_faddr;
582	uint32_t cfil_so_state_change_cnt;
583	short cfil_so_options;
584	};
585
586	#define CFIL_HASH_ENTRY_ZONE_NAME "cfil_entry_hash"
587	#define CFIL_HASH_ENTRY_ZONE_MAX 1024
588	static struct zone *cfil_hash_entry_zone = NULL;
589
590	#define CFIL_DB_ZONE_NAME "cfil_db"
591	#define CFIL_DB_ZONE_MAX 1024
592	static struct zone *cfil_db_zone = NULL;
593
594	/*
595	* Statistics
596	*/
597
598	struct cfil_stats cfil_stats;
599
600	/*
601	* For troubleshooting
602	*/
603	int cfil_log_level = LOG_ERR;
604	int cfil_debug = `1`;
605
606	// Debug controls added for selective debugging.
607	// Disabled for production. If enabled,
608	// these will have performance impact
609	#define LIFECYCLE_DEBUG 0
610	#define VERDICT_DEBUG 0
611	#define DATA_DEBUG 0
612	#define SHOW_DEBUG 0
613	#define GC_DEBUG 0
614
615	/*
616	* Sysctls for logs and statistics
617	*/
618	static int sysctl_cfil_filter_list(struct sysctl_oid , void* , int*,
619	struct sysctl_req *);
620	static int sysctl_cfil_sock_list(struct sysctl_oid , void* , int*,
621	struct sysctl_req *);
622
623	SYSCTL_NODE(_net, OID_AUTO, cfil, CTLFLAG_RW\|CTLFLAG_LOCKED, `0`, "cfil");
624
625	SYSCTL_INT(_net_cfil, OID_AUTO, log, CTLFLAG_RW\|CTLFLAG_LOCKED,
626	&cfil_log_level, `0`, "");
627
628	SYSCTL_INT(_net_cfil, OID_AUTO, debug, CTLFLAG_RW\|CTLFLAG_LOCKED,
629	&cfil_debug, `0`, "");
630
631	SYSCTL_UINT(_net_cfil, OID_AUTO, sock_attached_count, CTLFLAG_RD\|CTLFLAG_LOCKED,
632	&cfil_sock_attached_count, `0`, "");
633
634	SYSCTL_UINT(_net_cfil, OID_AUTO, active_count, CTLFLAG_RD\|CTLFLAG_LOCKED,
635	&cfil_active_count, `0`, "");
636
637	SYSCTL_UINT(_net_cfil, OID_AUTO, close_wait_timeout, CTLFLAG_RW\|CTLFLAG_LOCKED,
638	&cfil_close_wait_timeout, `0`, "");
639
640	static int cfil_sbtrim = `1`;
641	SYSCTL_UINT(_net_cfil, OID_AUTO, sbtrim, CTLFLAG_RW\|CTLFLAG_LOCKED,
642	&cfil_sbtrim, `0`, "");
643
644	SYSCTL_PROC(_net_cfil, OID_AUTO, filter_list, CTLFLAG_RD\|CTLFLAG_LOCKED,
645	`0`, `0`, sysctl_cfil_filter_list, "S,cfil_filter_stat", "");
646
647	SYSCTL_PROC(_net_cfil, OID_AUTO, sock_list, CTLFLAG_RD\|CTLFLAG_LOCKED,
648	`0`, `0`, sysctl_cfil_sock_list, "S,cfil_sock_stat", "");
649
650	SYSCTL_STRUCT(_net_cfil, OID_AUTO, stats, CTLFLAG_RD\|CTLFLAG_LOCKED,
651	&cfil_stats, cfil_stats, "");
652
653	/*
654	* Forward declaration to appease the compiler
655	*/
656	static int cfil_action_data_pass(struct socket , struct* cfil_info , uint32_t, int*,
657	uint64_t, uint64_t);
658	static int cfil_action_drop(struct socket , struct* cfil_info *, uint32_t);
659	static int cfil_action_bless_client(uint32_t, struct cfil_msg_hdr *);
660	static int cfil_dispatch_closed_event(struct socket , struct* cfil_info , int*);
661	static int cfil_data_common(struct socket , struct* cfil_info , int, struct* sockaddr *,
662	struct mbuf , struct* mbuf *, uint32_t);
663	static int cfil_data_filter(struct socket , struct* cfil_info , uint32_t, int*,
664	struct mbuf *, uint64_t);
665	static void fill_ip_sockaddr_4_6(union sockaddr_in_4_6 *,
666	struct in_addr, u_int16_t);
667	static void fill_ip6_sockaddr_4_6(union sockaddr_in_4_6 *,
668	struct in6_addr *, u_int16_t);
669	;
670	static int cfil_dispatch_attach_event(struct socket , struct* cfil_info *, uint32_t);
671	static void cfil_info_free(struct cfil_info *);
672	static struct cfil_info * cfil_info_alloc(struct socket , struct* cfil_hash_entry *);
673	static int cfil_info_attach_unit(struct socket , uint32_t, struct* cfil_info *);
674	static struct socket * cfil_socket_from_sock_id(cfil_sock_id_t, bool);
675	static struct socket * cfil_socket_from_client_uuid(uuid_t, bool *);
676	static int cfil_service_pending_queue(struct socket , struct* cfil_info , uint32_t, int*);
677	static int cfil_data_service_ctl_q(struct socket , struct* cfil_info , uint32_t, int*);
678	static void cfil_info_verify(struct cfil_info *);
679	static int cfil_update_data_offsets(struct socket , struct* cfil_info , uint32_t, int*,
680	uint64_t, uint64_t);
681	static int cfil_acquire_sockbuf(struct socket , struct* cfil_info , int*);
682	static void cfil_release_sockbuf(struct socket , int*);
683	static int cfil_filters_attached(struct socket *);
684
685	static void cfil_rw_lock_exclusive(lck_rw_t *);
686	static void cfil_rw_unlock_exclusive(lck_rw_t *);
687	static void cfil_rw_lock_shared(lck_rw_t *);
688	static void cfil_rw_unlock_shared(lck_rw_t *);
689	static boolean_t cfil_rw_lock_shared_to_exclusive(lck_rw_t *);
690	static void cfil_rw_lock_exclusive_to_shared(lck_rw_t *);
691
692	static unsigned int cfil_data_length(struct mbuf , int* , int* *);
693	static errno_t cfil_db_init(struct socket *);
694	static void cfil_db_free(struct socket *so);
695	struct cfil_hash_entry cfil_db_lookup_entry(struct* cfil_db , struct* sockaddr , struct* sockaddr *);
696	struct cfil_hash_entry cfil_db_lookup_entry_with_sockid(struct* cfil_db *, u_int64_t);
697	struct cfil_hash_entry cfil_db_add_entry(struct* cfil_db , struct* sockaddr , struct* sockaddr *);
698	void cfil_db_delete_entry(struct cfil_db , struct* cfil_hash_entry *);
699	struct cfil_hash_entry cfil_sock_udp_get_flow(struct* socket , uint32_t, bool, struct* sockaddr , struct* sockaddr *);
700	struct cfil_info cfil_db_get_cfil_info(struct* cfil_db *, cfil_sock_id_t);
701	static errno_t cfil_sock_udp_handle_data(bool, struct socket , struct* sockaddr , struct* sockaddr *,
702	struct mbuf , struct* mbuf *, uint32_t);
703	static int32_t cfil_sock_udp_data_pending(struct sockbuf *, bool);
704	static void cfil_sock_udp_is_closed(struct socket *);
705	static int cfil_sock_udp_notify_shutdown(struct socket , int* , int, int);
706	static int cfil_sock_udp_shutdown(struct socket , int* *);
707	static void cfil_sock_udp_close_wait(struct socket *);
708	static void cfil_sock_udp_buf_update(struct sockbuf *);
709	static int cfil_filters_udp_attached(struct socket *, bool);
710	static void cfil_get_flow_address_v6(struct cfil_hash_entry , struct* inpcb *,
711	struct in6_addr , struct in6_addr ,
712	u_int16_t , u_int16_t );
713	static void cfil_get_flow_address(struct cfil_hash_entry , struct* inpcb *,
714	struct in_addr , struct* in_addr *,
715	u_int16_t , u_int16_t );
716	static void cfil_info_log(int, struct cfil_info , const* char *);
717	void cfil_filter_show(u_int32_t);
718	void cfil_info_show(void);
719	bool cfil_info_idle_timed_out(struct cfil_info , int*, u_int32_t);
720	bool cfil_info_action_timed_out(struct cfil_info , int*);
721	bool cfil_info_buffer_threshold_exceeded(struct cfil_info *);
722	struct m_tag cfil_udp_save_socket_state(struct* cfil_info , struct* mbuf *);
723	static void cfil_udp_gc_thread_func(void *, wait_result_t);
724	static void cfil_info_udp_expire(void *, wait_result_t);
725
726	bool check_port(struct sockaddr *, u_short);
727
728	/*
729	* Content filter global read write lock
730	*/
731
732	static void
733	cfil_rw_lock_exclusive(lck_rw_t *lck)
734	{
735	void *lr_saved;
736
737	lr_saved = __builtin_return_address(`0`);
738
739	lck_rw_lock_exclusive(lck);
740
741	cfil_rw_lock_history[cfil_rw_nxt_lck] = lr_saved;
742	cfil_rw_nxt_lck = (cfil_rw_nxt_lck + `1`) % CFIL_RW_LCK_MAX;
743	}
744
745	static void
746	cfil_rw_unlock_exclusive(lck_rw_t *lck)
747	{
748	void *lr_saved;
749
750	lr_saved = __builtin_return_address(`0`);
751
752	lck_rw_unlock_exclusive(lck);
753
754	cfil_rw_unlock_history[cfil_rw_nxt_unlck] = lr_saved;
755	cfil_rw_nxt_unlck = (cfil_rw_nxt_unlck + `1`) % CFIL_RW_LCK_MAX;
756	}
757
758	static void
759	cfil_rw_lock_shared(lck_rw_t *lck)
760	{
761	void *lr_saved;
762
763	lr_saved = __builtin_return_address(`0`);
764
765	lck_rw_lock_shared(lck);
766
767	cfil_rw_lock_history[cfil_rw_nxt_lck] = lr_saved;
768	cfil_rw_nxt_lck = (cfil_rw_nxt_lck + `1`) % CFIL_RW_LCK_MAX;
769	}
770
771	static void
772	cfil_rw_unlock_shared(lck_rw_t *lck)
773	{
774	void *lr_saved;
775
776	lr_saved = __builtin_return_address(`0`);
777
778	lck_rw_unlock_shared(lck);
779
780	cfil_rw_unlock_history[cfil_rw_nxt_unlck] = lr_saved;
781	cfil_rw_nxt_unlck = (cfil_rw_nxt_unlck + `1`) % CFIL_RW_LCK_MAX;
782	}
783
784	static boolean_t
785	cfil_rw_lock_shared_to_exclusive(lck_rw_t *lck)
786	{
787	void *lr_saved;
788	boolean_t upgraded;
789
790	lr_saved = __builtin_return_address(`0`);
791
792	upgraded = lck_rw_lock_shared_to_exclusive(lck);
793	if (upgraded) {
794	cfil_rw_unlock_history[cfil_rw_nxt_unlck] = lr_saved;
795	cfil_rw_nxt_unlck = (cfil_rw_nxt_unlck + `1`) % CFIL_RW_LCK_MAX;
796	}
797	return (upgraded);
798	}
799
800	static void
801	cfil_rw_lock_exclusive_to_shared(lck_rw_t *lck)
802	{
803	void *lr_saved;
804
805	lr_saved = __builtin_return_address(`0`);
806
807	lck_rw_lock_exclusive_to_shared(lck);
808
809	cfil_rw_lock_history[cfil_rw_nxt_lck] = lr_saved;
810	cfil_rw_nxt_lck = (cfil_rw_nxt_lck + `1`) % CFIL_RW_LCK_MAX;
811	}
812
813	static void
814	cfil_rw_lock_assert_held(lck_rw_t lck, int* exclusive)
815	{
816	#if !MACH_ASSERT
817	#pragma unused(lck, exclusive)
818	#endif
819	LCK_RW_ASSERT(lck,
820	exclusive ? LCK_RW_ASSERT_EXCLUSIVE : LCK_RW_ASSERT_HELD);
821	}
822
823	/*
824	* Return the number of bytes in the mbuf chain using the same
825	* method as m_length() or sballoc()
826	*
827	* Returns data len - starting from PKT start
828	* - retmbcnt - optional param to get total mbuf bytes in chain
829	* - retmbnum - optional param to get number of mbufs in chain
830	*/
831	static unsigned int
832	cfil_data_length(struct mbuf m, int* retmbcnt, int* *retmbnum)
833	{
834	struct mbuf *m0;
835	unsigned int pktlen = `0`;
836	int mbcnt;
837	int mbnum;
838
839	// Locate the start of data
840	for (m0 = m; m0 != NULL; m0 = m0->m_next) {
841	if (m0->m_flags & M_PKTHDR)
842	break;
843	}
844	if (m0 == NULL) {
845	CFIL_LOG(LOG_ERR, "cfil_data_length: no M_PKTHDR");
846	return (`0`);
847	}
848	m = m0;
849
850	if (retmbcnt == NULL && retmbnum == NULL)
851	return (m_length(m));
852
853	pktlen = `0`;
854	mbcnt = `0`;
855	mbnum = `0`;
856	for (m0 = m; m0 != NULL; m0 = m0->m_next) {
857	pktlen += m0->m_len;
858	mbnum++;
859	mbcnt += MSIZE;
860	if (m0->m_flags & M_EXT)
861	mbcnt += m0->m_ext.ext_size;
862	}
863	if (retmbcnt) {
864	*retmbcnt = mbcnt;
865	}
866	if (retmbnum) {
867	*retmbnum = mbnum;
868	}
869	return (pktlen);
870	}
871
872	static struct mbuf *
873	cfil_data_start(struct mbuf *m)
874	{
875	struct mbuf *m0;
876
877	// Locate the start of data
878	for (m0 = m; m0 != NULL; m0 = m0->m_next) {
879	if (m0->m_flags & M_PKTHDR)
880	break;
881	}
882	return m0;
883	}
884
885	/*
886	* Common mbuf queue utilities
887	*/
888
889	static inline void
890	cfil_queue_init(struct cfil_queue *cfq)
891	{
892	cfq->q_start = `0`;
893	cfq->q_end = `0`;
894	MBUFQ_INIT(&cfq->q_mq);
895	}
896
897	static inline uint64_t
898	cfil_queue_drain(struct cfil_queue *cfq)
899	{
900	uint64_t drained = cfq->q_start - cfq->q_end;
901	cfq->q_start = `0`;
902	cfq->q_end = `0`;
903	MBUFQ_DRAIN(&cfq->q_mq);
904
905	return (drained);
906	}
907
908	/ Return 1 when empty, 0 otherwise /
909	static inline int
910	cfil_queue_empty(struct cfil_queue *cfq)
911	{
912	return (MBUFQ_EMPTY(&cfq->q_mq));
913	}
914
915	static inline uint64_t
916	cfil_queue_offset_first(struct cfil_queue *cfq)
917	{
918	return (cfq->q_start);
919	}
920
921	static inline uint64_t
922	cfil_queue_offset_last(struct cfil_queue *cfq)
923	{
924	return (cfq->q_end);
925	}
926
927	static inline uint64_t
928	cfil_queue_len(struct cfil_queue *cfq)
929	{
930	return (cfq->q_end - cfq->q_start);
931	}
932
933	/*
934	* Routines to verify some fundamental assumptions
935	*/
936
937	static void
938	cfil_queue_verify(struct cfil_queue *cfq)
939	{
940	mbuf_t chain;
941	mbuf_t m;
942	mbuf_t n;
943	uint64_t queuesize = `0`;
944
945	/ Verify offset are ordered /
946	VERIFY(cfq->q_start <= cfq->q_end);
947
948	/*
949	* When queue is empty, the offsets are equal otherwise the offsets
950	* are different
951	*/
952	VERIFY((MBUFQ_EMPTY(&cfq->q_mq) && cfq->q_start == cfq->q_end) \|\|
953	(!MBUFQ_EMPTY(&cfq->q_mq) &&
954	cfq->q_start != cfq->q_end));
955
956	MBUFQ_FOREACH(chain, &cfq->q_mq) {
957	size_t chainsize = `0`;
958	m = chain;
959	unsigned int mlen = cfil_data_length(m, NULL, NULL);
960	// skip the addr and control stuff if present
961	m = cfil_data_start(m);
962
963	if (m == NULL \|\|
964	m == (void *)M_TAG_FREE_PATTERN \|\|
965	m->m_next == (void *)M_TAG_FREE_PATTERN \|\|
966	m->m_nextpkt == (void *)M_TAG_FREE_PATTERN)
967	panic("%s - mq %p is free at %p", __func__,
968	&cfq->q_mq, m);
969	for (n = m; n != NULL; n = n->m_next) {
970	if (n->m_type != MT_DATA &&
971	n->m_type != MT_HEADER &&
972	n->m_type != MT_OOBDATA)
973	panic("%s - %p unsupported type %u", __func__,
974	n, n->m_type);
975	chainsize += n->m_len;
976	}
977	if (mlen != chainsize)
978	panic("%s - %p m_length() %u != chainsize %lu",
979	__func__, m, mlen, chainsize);
980	queuesize += chainsize;
981	}
982	if (queuesize != cfq->q_end - cfq->q_start)
983	panic("%s - %p queuesize %llu != offsetdiffs %llu", __func__,
984	m, queuesize, cfq->q_end - cfq->q_start);
985	}
986
987	static void
988	cfil_queue_enqueue(struct cfil_queue *cfq, mbuf_t m, size_t len)
989	{
990	CFIL_QUEUE_VERIFY(cfq);
991
992	MBUFQ_ENQUEUE(&cfq->q_mq, m);
993	cfq->q_end += len;
994
995	CFIL_QUEUE_VERIFY(cfq);
996	}
997
998	static void
999	cfil_queue_remove(struct cfil_queue *cfq, mbuf_t m, size_t len)
1000	{
1001	CFIL_QUEUE_VERIFY(cfq);
1002
1003	VERIFY(cfil_data_length(m, NULL, NULL) == len);
1004
1005	MBUFQ_REMOVE(&cfq->q_mq, m);
1006	MBUFQ_NEXT(m) = NULL;
1007	cfq->q_start += len;
1008
1009	CFIL_QUEUE_VERIFY(cfq);
1010	}
1011
1012	static mbuf_t
1013	cfil_queue_first(struct cfil_queue *cfq)
1014	{
1015	return (MBUFQ_FIRST(&cfq->q_mq));
1016	}
1017
1018	static mbuf_t
1019	cfil_queue_next(struct cfil_queue *cfq, mbuf_t m)
1020	{
1021	#pragma unused(cfq)
1022	return (MBUFQ_NEXT(m));
1023	}
1024
1025	static void
1026	cfil_entry_buf_verify(struct cfe_buf *cfe_buf)
1027	{
1028	CFIL_QUEUE_VERIFY(&cfe_buf->cfe_ctl_q);
1029	CFIL_QUEUE_VERIFY(&cfe_buf->cfe_pending_q);
1030
1031	/ Verify the queues are ordered so that pending is before ctl /
1032	VERIFY(cfe_buf->cfe_ctl_q.q_start >= cfe_buf->cfe_pending_q.q_end);
1033
1034	/ The peek offset cannot be less than the pass offset /
1035	VERIFY(cfe_buf->cfe_peek_offset >= cfe_buf->cfe_pass_offset);
1036
1037	/ Make sure we've updated the offset we peeked at /
1038	VERIFY(cfe_buf->cfe_ctl_q.q_start <= cfe_buf->cfe_peeked);
1039	}
1040
1041	static void
1042	cfil_entry_verify(struct cfil_entry *entry)
1043	{
1044	cfil_entry_buf_verify(&entry->cfe_snd);
1045	cfil_entry_buf_verify(&entry->cfe_rcv);
1046	}
1047
1048	static void
1049	cfil_info_buf_verify(struct cfi_buf *cfi_buf)
1050	{
1051	CFIL_QUEUE_VERIFY(&cfi_buf->cfi_inject_q);
1052
1053	VERIFY(cfi_buf->cfi_pending_first <= cfi_buf->cfi_pending_last);
1054	VERIFY(cfi_buf->cfi_pending_mbcnt >= `0`);
1055	}
1056
1057	static void
1058	cfil_info_verify(struct cfil_info *cfil_info)
1059	{
1060	int i;
1061
1062	if (cfil_info == NULL)
1063	return;
1064
1065	cfil_info_buf_verify(&cfil_info->cfi_snd);
1066	cfil_info_buf_verify(&cfil_info->cfi_rcv);
1067
1068	for (i = `0`; i < MAX_CONTENT_FILTER; i++)
1069	cfil_entry_verify(&cfil_info->cfi_entries[i]);
1070	}
1071
1072	static void
1073	verify_content_filter(struct content_filter *cfc)
1074	{
1075	struct cfil_entry *entry;
1076	uint32_t count = `0`;
1077
1078	VERIFY(cfc->cf_sock_count >= `0`);
1079
1080	TAILQ_FOREACH(entry, &cfc->cf_sock_entries, cfe_link) {
1081	count++;
1082	VERIFY(cfc == entry->cfe_filter);
1083	}
1084	VERIFY(count == cfc->cf_sock_count);
1085	}
1086
1087	/*
1088	* Kernel control socket callbacks
1089	*/
1090	static errno_t
1091	cfil_ctl_connect(kern_ctl_ref kctlref, struct sockaddr_ctl *sac,
1092	void **unitinfo)
1093	{
1094	errno_t error = `0`;
1095	struct content_filter *cfc = NULL;
1096
1097	CFIL_LOG(LOG_NOTICE, "");
1098
1099	cfc = zalloc(content_filter_zone);
1100	if (cfc == NULL) {
1101	CFIL_LOG(LOG_ERR, "zalloc failed");
1102	error = ENOMEM;
1103	goto done;
1104	}
1105	bzero(cfc, sizeof(struct content_filter));
1106
1107	cfil_rw_lock_exclusive(&cfil_lck_rw);
1108	if (content_filters == NULL) {
1109	struct content_filter **tmp;
1110
1111	cfil_rw_unlock_exclusive(&cfil_lck_rw);
1112
1113	MALLOC(tmp,
1114	struct content_filter **,
1115	MAX_CONTENT_FILTER * sizeof(struct content_filter *),
1116	M_TEMP,
1117	M_WAITOK \| M_ZERO);
1118
1119	cfil_rw_lock_exclusive(&cfil_lck_rw);
1120
1121	if (tmp == NULL && content_filters == NULL) {
1122	error = ENOMEM;
1123	cfil_rw_unlock_exclusive(&cfil_lck_rw);
1124	goto done;
1125	}
1126	/ Another thread may have won the race /
1127	if (content_filters != NULL)
1128	FREE(tmp, M_TEMP);
1129	else
1130	content_filters = tmp;
1131	}
1132
1133	if (sac->sc_unit == `0` \|\| sac->sc_unit > MAX_CONTENT_FILTER) {
1134	CFIL_LOG(LOG_ERR, "bad sc_unit %u", sac->sc_unit);
1135	error = EINVAL;
1136	} else if (content_filters[sac->sc_unit - `1`] != NULL) {
1137	CFIL_LOG(LOG_ERR, "sc_unit %u in use", sac->sc_unit);
1138	error = EADDRINUSE;
1139	} else {
1140	/*
1141	* kernel control socket kcunit numbers start at 1
1142	*/
1143	content_filters[sac->sc_unit - `1`] = cfc;
1144
1145	cfc->cf_kcref = kctlref;
1146	cfc->cf_kcunit = sac->sc_unit;
1147	TAILQ_INIT(&cfc->cf_sock_entries);
1148
1149	*unitinfo = cfc;
1150	cfil_active_count++;
1151	}
1152	cfil_rw_unlock_exclusive(&cfil_lck_rw);
1153	done:
1154	if (error != `0` && cfc != NULL)
1155	zfree(content_filter_zone, cfc);
1156
1157	if (error == `0`)
1158	OSIncrementAtomic(&cfil_stats.cfs_ctl_connect_ok);
1159	else
1160	OSIncrementAtomic(&cfil_stats.cfs_ctl_connect_fail);
1161
1162	CFIL_LOG(LOG_INFO, "return %d cfil_active_count %u kcunit %u",
1163	error, cfil_active_count, sac->sc_unit);
1164
1165	return (error);
1166	}
1167
1168	static errno_t
1169	cfil_ctl_disconnect(kern_ctl_ref kctlref, u_int32_t kcunit, void *unitinfo)
1170	{
1171	#pragma unused(kctlref)
1172	errno_t error = `0`;
1173	struct content_filter *cfc;
1174	struct cfil_entry *entry;
1175	uint64_t sock_flow_id = `0`;
1176
1177	CFIL_LOG(LOG_NOTICE, "");
1178
1179	if (content_filters == NULL) {
1180	CFIL_LOG(LOG_ERR, "no content filter");
1181	error = EINVAL;
1182	goto done;
1183	}
1184	if (kcunit > MAX_CONTENT_FILTER) {
1185	CFIL_LOG(LOG_ERR, "kcunit %u > MAX_CONTENT_FILTER (%d)",
1186	kcunit, MAX_CONTENT_FILTER);
1187	error = EINVAL;
1188	goto done;
1189	}
1190
1191	cfc = (struct content_filter *)unitinfo;
1192	if (cfc == NULL)
1193	goto done;
1194
1195	cfil_rw_lock_exclusive(&cfil_lck_rw);
1196	if (content_filters[kcunit - `1`] != cfc \|\| cfc->cf_kcunit != kcunit) {
1197	CFIL_LOG(LOG_ERR, "bad unit info %u)",
1198	kcunit);
1199	cfil_rw_unlock_exclusive(&cfil_lck_rw);
1200	goto done;
1201	}
1202	cfc->cf_flags \|= CFF_DETACHING;
1203	/*
1204	* Remove all sockets from the filter
1205	*/
1206	while ((entry = TAILQ_FIRST(&cfc->cf_sock_entries)) != NULL) {
1207	cfil_rw_lock_assert_held(&cfil_lck_rw, `1`);
1208
1209	verify_content_filter(cfc);
1210	/*
1211	* Accept all outstanding data by pushing to next filter
1212	* or back to socket
1213	*
1214	* TBD: Actually we should make sure all data has been pushed
1215	* back to socket
1216	*/
1217	if (entry->cfe_cfil_info && entry->cfe_cfil_info->cfi_so) {
1218	struct cfil_info *cfil_info = entry->cfe_cfil_info;
1219	struct socket *so = cfil_info->cfi_so;
1220	sock_flow_id = cfil_info->cfi_sock_id;
1221
1222	/ Need to let data flow immediately /
1223	entry->cfe_flags \|= CFEF_SENT_SOCK_ATTACHED \|
1224	CFEF_DATA_START;
1225
1226	/*
1227	* Respect locking hierarchy
1228	*/
1229	cfil_rw_unlock_exclusive(&cfil_lck_rw);
1230
1231	socket_lock(so, `1`);
1232
1233	/*
1234	* When cfe_filter is NULL the filter is detached
1235	* and the entry has been removed from cf_sock_entries
1236	*/
1237	if ((so->so_cfil == NULL && so->so_cfil_db == NULL) \|\| entry->cfe_filter == NULL) {
1238	cfil_rw_lock_exclusive(&cfil_lck_rw);
1239	goto release;
1240	}
1241
1242	(void) cfil_action_data_pass(so, cfil_info, kcunit, `1`,
1243	CFM_MAX_OFFSET,
1244	CFM_MAX_OFFSET);
1245
1246	(void) cfil_action_data_pass(so, cfil_info, kcunit, `0`,
1247	CFM_MAX_OFFSET,
1248	CFM_MAX_OFFSET);
1249
1250	cfil_rw_lock_exclusive(&cfil_lck_rw);
1251
1252	/*
1253	* Check again to make sure if the cfil_info is still valid
1254	* as the socket may have been unlocked when when calling
1255	* cfil_acquire_sockbuf()
1256	*/
1257	if (entry->cfe_filter == NULL \|\|
1258	(so->so_cfil == NULL && cfil_db_get_cfil_info(so->so_cfil_db, sock_flow_id) == NULL)) {
1259	goto release;
1260	}
1261
1262	/ The filter is now detached /
1263	entry->cfe_flags \|= CFEF_CFIL_DETACHED;
1264	#if LIFECYCLE_DEBUG
1265	cfil_info_log(LOG_DEBUG, cfil_info, "CFIL: LIFECYCLE: - FILTER DISCONNECTED");
1266	#endif
1267	CFIL_LOG(LOG_NOTICE, "so %llx detached %u",
1268	(uint64_t)VM_KERNEL_ADDRPERM(so), kcunit);
1269	if ((cfil_info->cfi_flags & CFIF_CLOSE_WAIT) &&
1270	cfil_filters_attached(so) == `0`) {
1271	CFIL_LOG(LOG_NOTICE, "so %llx waking",
1272	(uint64_t)VM_KERNEL_ADDRPERM(so));
1273	wakeup((caddr_t)cfil_info);
1274	}
1275
1276	/*
1277	* Remove the filter entry from the content filter
1278	* but leave the rest of the state intact as the queues
1279	* may not be empty yet
1280	*/
1281	entry->cfe_filter = NULL;
1282	entry->cfe_necp_control_unit = `0`;
1283
1284	TAILQ_REMOVE(&cfc->cf_sock_entries, entry, cfe_link);
1285	cfc->cf_sock_count--;
1286	release:
1287	socket_unlock(so, `1`);
1288	}
1289	}
1290	verify_content_filter(cfc);
1291
1292	VERIFY(cfc->cf_sock_count == `0`);
1293
1294	/*
1295	* Make filter inactive
1296	*/
1297	content_filters[kcunit - `1`] = NULL;
1298	cfil_active_count--;
1299	cfil_rw_unlock_exclusive(&cfil_lck_rw);
1300
1301	zfree(content_filter_zone, cfc);
1302	done:
1303	if (error == `0`)
1304	OSIncrementAtomic(&cfil_stats.cfs_ctl_disconnect_ok);
1305	else
1306	OSIncrementAtomic(&cfil_stats.cfs_ctl_disconnect_fail);
1307
1308	CFIL_LOG(LOG_INFO, "return %d cfil_active_count %u kcunit %u",
1309	error, cfil_active_count, kcunit);
1310
1311	return (error);
1312	}
1313
1314	/*
1315	* cfil_acquire_sockbuf()
1316	*
1317	* Prevent any other thread from acquiring the sockbuf
1318	* We use sb_cfil_thread as a semaphore to prevent other threads from
1319	* messing with the sockbuf -- see sblock()
1320	* Note: We do not set SB_LOCK here because the thread may check or modify
1321	* SB_LOCK several times until it calls cfil_release_sockbuf() -- currently
1322	* sblock(), sbunlock() or sodefunct()
1323	*/
1324	static int
1325	cfil_acquire_sockbuf(struct socket so, struct* cfil_info cfil_info, int* outgoing)
1326	{
1327	thread_t tp = current_thread();
1328	struct sockbuf *sb = outgoing ? &so->so_snd : &so->so_rcv;
1329	lck_mtx_t *mutex_held;
1330	int error = `0`;
1331
1332	/*
1333	* Wait until no thread is holding the sockbuf and other content
1334	* filter threads have released the sockbuf
1335	*/
1336	while ((sb->sb_flags & SB_LOCK) \|\|
1337	(sb->sb_cfil_thread != NULL && sb->sb_cfil_thread != tp)) {
1338	if (so->so_proto->pr_getlock != NULL)
1339	mutex_held = (*so->so_proto->pr_getlock)(so, PR_F_WILLUNLOCK);
1340	else
1341	mutex_held = so->so_proto->pr_domain->dom_mtx;
1342
1343	LCK_MTX_ASSERT(mutex_held, LCK_MTX_ASSERT_OWNED);
1344
1345	sb->sb_wantlock++;
1346	VERIFY(sb->sb_wantlock != `0`);
1347
1348	msleep(&sb->sb_flags, mutex_held, PSOCK, "cfil_acquire_sockbuf",
1349	NULL);
1350
1351	VERIFY(sb->sb_wantlock != `0`);
1352	sb->sb_wantlock--;
1353	}
1354	/*
1355	* Use reference count for repetitive calls on same thread
1356	*/
1357	if (sb->sb_cfil_refs == `0`) {
1358	VERIFY(sb->sb_cfil_thread == NULL);
1359	VERIFY((sb->sb_flags & SB_LOCK) == `0`);
1360
1361	sb->sb_cfil_thread = tp;
1362	sb->sb_flags \|= SB_LOCK;
1363	}
1364	sb->sb_cfil_refs++;
1365
1366	/ We acquire the socket buffer when we need to cleanup /
1367	if (cfil_info == NULL) {
1368	CFIL_LOG(LOG_ERR, "so %llx cfil detached",
1369	(uint64_t)VM_KERNEL_ADDRPERM(so));
1370	error = `0`;
1371	} else if (cfil_info->cfi_flags & CFIF_DROP) {
1372	CFIL_LOG(LOG_ERR, "so %llx drop set",
1373	(uint64_t)VM_KERNEL_ADDRPERM(so));
1374	error = EPIPE;
1375	}
1376
1377	return (error);
1378	}
1379
1380	static void
1381	cfil_release_sockbuf(struct socket so, int* outgoing)
1382	{
1383	struct sockbuf *sb = outgoing ? &so->so_snd : &so->so_rcv;
1384	thread_t tp = current_thread();
1385
1386	socket_lock_assert_owned(so);
1387
1388	if (sb->sb_cfil_thread != NULL && sb->sb_cfil_thread != tp)
1389	panic("%s sb_cfil_thread %p not current %p", __func__,
1390	sb->sb_cfil_thread, tp);
1391	/*
1392	* Don't panic if we are defunct because SB_LOCK has
1393	* been cleared by sodefunct()
1394	*/
1395	if (!(so->so_flags & SOF_DEFUNCT) && !(sb->sb_flags & SB_LOCK))
1396	panic("%s SB_LOCK not set on %p", __func__,
1397	sb);
1398	/*
1399	* We can unlock when the thread unwinds to the last reference
1400	*/
1401	sb->sb_cfil_refs--;
1402	if (sb->sb_cfil_refs == `0`) {
1403	sb->sb_cfil_thread = NULL;
1404	sb->sb_flags &= ~SB_LOCK;
1405
1406	if (sb->sb_wantlock > `0`)
1407	wakeup(&sb->sb_flags);
1408	}
1409	}
1410
1411	cfil_sock_id_t
1412	cfil_sock_id_from_socket(struct socket *so)
1413	{
1414	if ((so->so_flags & SOF_CONTENT_FILTER) && so->so_cfil)
1415	return (so->so_cfil->cfi_sock_id);
1416	else
1417	return (CFIL_SOCK_ID_NONE);
1418	}
1419
1420	static bool
1421	cfil_socket_safe_lock(struct inpcb *inp)
1422	{
1423	if (in_pcb_checkstate(inp, WNT_ACQUIRE, `0`) != WNT_STOPUSING) {
1424	socket_lock(inp->inp_socket, `1`);
1425	if (in_pcb_checkstate(inp, WNT_RELEASE, `1`) != WNT_STOPUSING) {
1426	return true;
1427	}
1428	socket_unlock(inp->inp_socket, `1`);
1429	}
1430	return false;
1431	}
1432
1433	static struct socket *
1434	cfil_socket_from_sock_id(cfil_sock_id_t cfil_sock_id, bool udp_only)
1435	{
1436	struct socket *so = NULL;
1437	u_int64_t gencnt = cfil_sock_id >> `32`;
1438	u_int32_t flowhash = (u_int32_t)(cfil_sock_id & `0x0ffffffff`);
1439	struct inpcb *inp = NULL;
1440	struct inpcbinfo *pcbinfo = NULL;
1441
1442	#if VERDICT_DEBUG
1443	CFIL_LOG(LOG_ERR, "CFIL: VERDICT: search for socket: id %llu gencnt %llx flowhash %x", cfil_sock_id, gencnt, flowhash);
1444	#endif
1445
1446	if (udp_only)
1447	goto find_udp;
1448
1449	pcbinfo = &tcbinfo;
1450	lck_rw_lock_shared(pcbinfo->ipi_lock);
1451	LIST_FOREACH(inp, pcbinfo->ipi_listhead, inp_list) {
1452	if (inp->inp_state != INPCB_STATE_DEAD &&
1453	inp->inp_socket != NULL &&
1454	inp->inp_flowhash == flowhash &&
1455	(inp->inp_socket->so_gencnt & `0x0ffffffff`) == gencnt &&
1456	inp->inp_socket->so_cfil != NULL) {
1457	if (cfil_socket_safe_lock(inp))
1458	so = inp->inp_socket;
1459	break;
1460	}
1461	}
1462	lck_rw_done(pcbinfo->ipi_lock);
1463	if (so != NULL) {
1464	goto done;
1465	}
1466
1467	find_udp:
1468
1469	pcbinfo = &udbinfo;
1470	lck_rw_lock_shared(pcbinfo->ipi_lock);
1471	LIST_FOREACH(inp, pcbinfo->ipi_listhead, inp_list) {
1472	if (inp->inp_state != INPCB_STATE_DEAD &&
1473	inp->inp_socket != NULL &&
1474	inp->inp_socket->so_cfil_db != NULL &&
1475	(inp->inp_socket->so_gencnt & `0x0ffffffff`) == gencnt) {
1476	if (cfil_socket_safe_lock(inp))
1477	so = inp->inp_socket;
1478	break;
1479	}
1480	}
1481	lck_rw_done(pcbinfo->ipi_lock);
1482
1483	done:
1484	if (so == NULL) {
1485	OSIncrementAtomic(&cfil_stats.cfs_sock_id_not_found);
1486	CFIL_LOG(LOG_DEBUG,
1487	"no socket for sock_id %llx gencnt %llx flowhash %x",
1488	cfil_sock_id, gencnt, flowhash);
1489	}
1490
1491	return (so);
1492	}
1493
1494	static struct socket *
1495	cfil_socket_from_client_uuid(uuid_t necp_client_uuid, bool *cfil_attached)
1496	{
1497	struct socket *so = NULL;
1498	struct inpcb *inp = NULL;
1499	struct inpcbinfo *pcbinfo = &tcbinfo;
1500
1501	lck_rw_lock_shared(pcbinfo->ipi_lock);
1502	LIST_FOREACH(inp, pcbinfo->ipi_listhead, inp_list) {
1503	if (inp->inp_state != INPCB_STATE_DEAD &&
1504	inp->inp_socket != NULL &&
1505	uuid_compare(inp->necp_client_uuid, necp_client_uuid) == `0`) {
1506	*cfil_attached = (inp->inp_socket->so_cfil != NULL);
1507	if (cfil_socket_safe_lock(inp))
1508	so = inp->inp_socket;
1509	break;
1510	}
1511	}
1512	lck_rw_done(pcbinfo->ipi_lock);
1513	if (so != NULL) {
1514	goto done;
1515	}
1516
1517	pcbinfo = &udbinfo;
1518	lck_rw_lock_shared(pcbinfo->ipi_lock);
1519	LIST_FOREACH(inp, pcbinfo->ipi_listhead, inp_list) {
1520	if (inp->inp_state != INPCB_STATE_DEAD &&
1521	inp->inp_socket != NULL &&
1522	uuid_compare(inp->necp_client_uuid, necp_client_uuid) == `0`) {
1523	*cfil_attached = (inp->inp_socket->so_cfil_db != NULL);
1524	if (cfil_socket_safe_lock(inp))
1525	so = inp->inp_socket;
1526	break;
1527	}
1528	}
1529	lck_rw_done(pcbinfo->ipi_lock);
1530
1531	done:
1532	return (so);
1533	}
1534
1535	static errno_t
1536	cfil_ctl_send(kern_ctl_ref kctlref, u_int32_t kcunit, void *unitinfo, mbuf_t m,
1537	int flags)
1538	{
1539	#pragma unused(kctlref, flags)
1540	errno_t error = `0`;
1541	struct cfil_msg_hdr *msghdr;
1542	struct content_filter cfc = (struct* content_filter *)unitinfo;
1543	struct socket *so;
1544	struct cfil_msg_action *action_msg;
1545	struct cfil_entry *entry;
1546	struct cfil_info *cfil_info = NULL;
1547
1548	CFIL_LOG(LOG_INFO, "");
1549
1550	if (content_filters == NULL) {
1551	CFIL_LOG(LOG_ERR, "no content filter");
1552	error = EINVAL;
1553	goto done;
1554	}
1555	if (kcunit > MAX_CONTENT_FILTER) {
1556	CFIL_LOG(LOG_ERR, "kcunit %u > MAX_CONTENT_FILTER (%d)",
1557	kcunit, MAX_CONTENT_FILTER);
1558	error = EINVAL;
1559	goto done;
1560	}
1561
1562	if (m_length(m) < sizeof(struct cfil_msg_hdr)) {
1563	CFIL_LOG(LOG_ERR, "too short %u", m_length(m));
1564	error = EINVAL;
1565	goto done;
1566	}
1567	msghdr = (struct cfil_msg_hdr *)mbuf_data(m);
1568	if (msghdr->cfm_version != CFM_VERSION_CURRENT) {
1569	CFIL_LOG(LOG_ERR, "bad version %u", msghdr->cfm_version);
1570	error = EINVAL;
1571	goto done;
1572	}
1573	if (msghdr->cfm_type != CFM_TYPE_ACTION) {
1574	CFIL_LOG(LOG_ERR, "bad type %u", msghdr->cfm_type);
1575	error = EINVAL;
1576	goto done;
1577	}
1578	/ Validate action operation /
1579	switch (msghdr->cfm_op) {
1580	case CFM_OP_DATA_UPDATE:
1581	OSIncrementAtomic(
1582	&cfil_stats.cfs_ctl_action_data_update);
1583	break;
1584	case CFM_OP_DROP:
1585	OSIncrementAtomic(&cfil_stats.cfs_ctl_action_drop);
1586	break;
1587	case CFM_OP_BLESS_CLIENT:
1588	if (msghdr->cfm_len != sizeof(struct cfil_msg_bless_client)) {
1589	OSIncrementAtomic(&cfil_stats.cfs_ctl_action_bad_len);
1590	error = EINVAL;
1591	CFIL_LOG(LOG_ERR, "bad len: %u for op %u",
1592	msghdr->cfm_len,
1593	msghdr->cfm_op);
1594	goto done;
1595	}
1596	error = cfil_action_bless_client(kcunit, msghdr);
1597	goto done;
1598	default:
1599	OSIncrementAtomic(&cfil_stats.cfs_ctl_action_bad_op);
1600	CFIL_LOG(LOG_ERR, "bad op %u", msghdr->cfm_op);
1601	error = EINVAL;
1602	goto done;
1603	}
1604	if (msghdr->cfm_len != sizeof(struct cfil_msg_action)) {
1605	OSIncrementAtomic(&cfil_stats.cfs_ctl_action_bad_len);
1606	error = EINVAL;
1607	CFIL_LOG(LOG_ERR, "bad len: %u for op %u",
1608	msghdr->cfm_len,
1609	msghdr->cfm_op);
1610	goto done;
1611	}
1612	cfil_rw_lock_shared(&cfil_lck_rw);
1613	if (cfc != (void *)content_filters[kcunit - `1`]) {
1614	CFIL_LOG(LOG_ERR, "unitinfo does not match for kcunit %u",
1615	kcunit);
1616	error = EINVAL;
1617	cfil_rw_unlock_shared(&cfil_lck_rw);
1618	goto done;
1619	}
1620	cfil_rw_unlock_shared(&cfil_lck_rw);
1621
1622	// Search for socket (TCP+UDP and lock so)
1623	so = cfil_socket_from_sock_id(msghdr->cfm_sock_id, false);
1624	if (so == NULL) {
1625	CFIL_LOG(LOG_NOTICE, "bad sock_id %llx",
1626	msghdr->cfm_sock_id);
1627	error = EINVAL;
1628	goto done;
1629	}
1630
1631	cfil_info = so->so_cfil_db != NULL ?
1632	cfil_db_get_cfil_info(so->so_cfil_db, msghdr->cfm_sock_id) : so->so_cfil;
1633
1634	if (cfil_info == NULL) {
1635	CFIL_LOG(LOG_NOTICE, "so %llx <id %llu> not attached",
1636	(uint64_t)VM_KERNEL_ADDRPERM(so), msghdr->cfm_sock_id);
1637	error = EINVAL;
1638	goto unlock;
1639	} else if (cfil_info->cfi_flags & CFIF_DROP) {
1640	CFIL_LOG(LOG_NOTICE, "so %llx drop set",
1641	(uint64_t)VM_KERNEL_ADDRPERM(so));
1642	error = EINVAL;
1643	goto unlock;
1644	}
1645	entry = &cfil_info->cfi_entries[kcunit - `1`];
1646	if (entry->cfe_filter == NULL) {
1647	CFIL_LOG(LOG_NOTICE, "so %llx no filter",
1648	(uint64_t)VM_KERNEL_ADDRPERM(so));
1649	error = EINVAL;
1650	goto unlock;
1651	}
1652
1653	if (entry->cfe_flags & CFEF_SENT_SOCK_ATTACHED)
1654	entry->cfe_flags \|= CFEF_DATA_START;
1655	else {
1656	CFIL_LOG(LOG_ERR,
1657	"so %llx attached not sent for %u",
1658	(uint64_t)VM_KERNEL_ADDRPERM(so), kcunit);
1659	error = EINVAL;
1660	goto unlock;
1661	}
1662
1663	microuptime(&entry->cfe_last_action);
1664	CFI_ADD_TIME_LOG(cfil_info, &entry->cfe_last_action, &cfil_info->cfi_first_event, msghdr->cfm_op);
1665
1666	action_msg = (struct cfil_msg_action *)msghdr;
1667
1668	switch (msghdr->cfm_op) {
1669	case CFM_OP_DATA_UPDATE:
1670	#if VERDICT_DEBUG
1671	CFIL_LOG(LOG_ERR, "CFIL: VERDICT RECEIVED: <so %llx sockID %llu> <IN peek:%llu pass:%llu, OUT peek:%llu pass:%llu>",
1672	(uint64_t)VM_KERNEL_ADDRPERM(so),
1673	cfil_info->cfi_sock_id,
1674	action_msg->cfa_in_peek_offset, action_msg->cfa_in_pass_offset,
1675	action_msg->cfa_out_peek_offset, action_msg->cfa_out_pass_offset);
1676	#endif
1677	if (action_msg->cfa_out_peek_offset != `0` \|\|
1678	action_msg->cfa_out_pass_offset != `0`)
1679	error = cfil_action_data_pass(so, cfil_info, kcunit, `1`,
1680	action_msg->cfa_out_pass_offset,
1681	action_msg->cfa_out_peek_offset);
1682	if (error == EJUSTRETURN)
1683	error = `0`;
1684	if (error != `0`)
1685	break;
1686	if (action_msg->cfa_in_peek_offset != `0` \|\|
1687	action_msg->cfa_in_pass_offset != `0`)
1688	error = cfil_action_data_pass(so, cfil_info, kcunit, `0`,
1689	action_msg->cfa_in_pass_offset,
1690	action_msg->cfa_in_peek_offset);
1691	if (error == EJUSTRETURN)
1692	error = `0`;
1693	break;
1694
1695	case CFM_OP_DROP:
1696	error = cfil_action_drop(so, cfil_info, kcunit);
1697	break;
1698
1699	default:
1700	error = EINVAL;
1701	break;
1702	}
1703	unlock:
1704	socket_unlock(so, `1`);
1705	done:
1706	mbuf_freem(m);
1707
1708	if (error == `0`)
1709	OSIncrementAtomic(&cfil_stats.cfs_ctl_send_ok);
1710	else
1711	OSIncrementAtomic(&cfil_stats.cfs_ctl_send_bad);
1712
1713	return (error);
1714	}
1715
1716	static errno_t
1717	cfil_ctl_getopt(kern_ctl_ref kctlref, u_int32_t kcunit, void *unitinfo,
1718	int opt, void data, size_t len)
1719	{
1720	#pragma unused(kctlref, opt)
1721	struct cfil_info *cfil_info = NULL;
1722	errno_t error = `0`;
1723	struct content_filter cfc = (struct* content_filter *)unitinfo;
1724
1725	CFIL_LOG(LOG_NOTICE, "");
1726
1727	cfil_rw_lock_shared(&cfil_lck_rw);
1728
1729	if (content_filters == NULL) {
1730	CFIL_LOG(LOG_ERR, "no content filter");
1731	error = EINVAL;
1732	goto done;
1733	}
1734	if (kcunit > MAX_CONTENT_FILTER) {
1735	CFIL_LOG(LOG_ERR, "kcunit %u > MAX_CONTENT_FILTER (%d)",
1736	kcunit, MAX_CONTENT_FILTER);
1737	error = EINVAL;
1738	goto done;
1739	}
1740	if (cfc != (void *)content_filters[kcunit - `1`]) {
1741	CFIL_LOG(LOG_ERR, "unitinfo does not match for kcunit %u",
1742	kcunit);
1743	error = EINVAL;
1744	goto done;
1745	}
1746	switch (opt) {
1747	case CFIL_OPT_NECP_CONTROL_UNIT:
1748	if (len < sizeof*(uint32_t)) {
1749	CFIL_LOG(LOG_ERR, "len too small %lu", *len);
1750	error = EINVAL;
1751	goto done;
1752	}
1753	if (data != NULL) {
1754	(uint32_t )data = cfc->cf_necp_control_unit;
1755	}
1756	break;
1757	case CFIL_OPT_GET_SOCKET_INFO:
1758	if (len != sizeof(struct* cfil_opt_sock_info)) {
1759	CFIL_LOG(LOG_ERR, "len does not match %lu", *len);
1760	error = EINVAL;
1761	goto done;
1762	}
1763	if (data == NULL) {
1764	CFIL_LOG(LOG_ERR, "data not passed");
1765	error = EINVAL;
1766	goto done;
1767	}
1768
1769	struct cfil_opt_sock_info *sock_info =
1770	(struct cfil_opt_sock_info *) data;
1771
1772	// Unlock here so that we never hold both cfil_lck_rw and the
1773	// socket_lock at the same time. Otherwise, this can deadlock
1774	// because soclose() takes the socket_lock and then exclusive
1775	// cfil_lck_rw and we require the opposite order.
1776
1777	// WARNING: Be sure to never use anything protected
1778	// by cfil_lck_rw beyond this point.
1779	// WARNING: Be sure to avoid fallthrough and
1780	// goto return_already_unlocked from this branch.
1781	cfil_rw_unlock_shared(&cfil_lck_rw);
1782
1783	// Search (TCP+UDP) and lock socket
1784	struct socket *sock =
1785	cfil_socket_from_sock_id(sock_info->cfs_sock_id, false);
1786	if (sock == NULL) {
1787	#if LIFECYCLE_DEBUG
1788	CFIL_LOG(LOG_ERR, "CFIL: GET_SOCKET_INFO failed: bad sock_id %llu",
1789	sock_info->cfs_sock_id);
1790	#endif
1791	error = ENOENT;
1792	goto return_already_unlocked;
1793	}
1794
1795	cfil_info = (sock->so_cfil_db != NULL) ?
1796	cfil_db_get_cfil_info(sock->so_cfil_db, sock_info->cfs_sock_id) : sock->so_cfil;
1797
1798	if (cfil_info == NULL) {
1799	#if LIFECYCLE_DEBUG
1800	CFIL_LOG(LOG_ERR, "CFIL: GET_SOCKET_INFO failed: so %llx not attached, cannot fetch info",
1801	(uint64_t)VM_KERNEL_ADDRPERM(sock));
1802	#endif
1803	error = EINVAL;
1804	socket_unlock(sock, `1`);
1805	goto return_already_unlocked;
1806	}
1807
1808	// Fill out family, type, and protocol
1809	sock_info->cfs_sock_family = sock->so_proto->pr_domain->dom_family;
1810	sock_info->cfs_sock_type = sock->so_proto->pr_type;
1811	sock_info->cfs_sock_protocol = sock->so_proto->pr_protocol;
1812
1813	// Source and destination addresses
1814	struct inpcb *inp = sotoinpcb(sock);
1815	if (inp->inp_vflag & INP_IPV6) {
1816	struct in6_addr laddr = NULL, faddr = NULL;
1817	u_int16_t lport = `0`, fport = `0`;
1818
1819	cfil_get_flow_address_v6(cfil_info->cfi_hash_entry, inp,
1820	&laddr, &faddr, &lport, &fport);
1821	fill_ip6_sockaddr_4_6(&sock_info->cfs_local, laddr, lport);
1822	fill_ip6_sockaddr_4_6(&sock_info->cfs_remote, faddr, fport);
1823	} else if (inp->inp_vflag & INP_IPV4) {
1824	struct in_addr laddr = {`0`}, faddr = {`0`};
1825	u_int16_t lport = `0`, fport = `0`;
1826
1827	cfil_get_flow_address(cfil_info->cfi_hash_entry, inp,
1828	&laddr, &faddr, &lport, &fport);
1829	fill_ip_sockaddr_4_6(&sock_info->cfs_local, laddr, lport);
1830	fill_ip_sockaddr_4_6(&sock_info->cfs_remote, faddr, fport);
1831	}
1832
1833	// Set the pid info
1834	sock_info->cfs_pid = sock->last_pid;
1835	memcpy(sock_info->cfs_uuid, sock->last_uuid, sizeof(uuid_t));
1836
1837	if (sock->so_flags & SOF_DELEGATED) {
1838	sock_info->cfs_e_pid = sock->e_pid;
1839	memcpy(sock_info->cfs_e_uuid, sock->e_uuid, sizeof(uuid_t));
1840	} else {
1841	sock_info->cfs_e_pid = sock->last_pid;
1842	memcpy(sock_info->cfs_e_uuid, sock->last_uuid, sizeof(uuid_t));
1843	}
1844
1845	socket_unlock(sock, `1`);
1846
1847	goto return_already_unlocked;
1848	default:
1849	error = ENOPROTOOPT;
1850	break;
1851	}
1852	done:
1853	cfil_rw_unlock_shared(&cfil_lck_rw);
1854
1855	return (error);
1856
1857	return_already_unlocked:
1858
1859	return (error);
1860	}
1861
1862	static errno_t
1863	cfil_ctl_setopt(kern_ctl_ref kctlref, u_int32_t kcunit, void *unitinfo,
1864	int opt, void *data, size_t len)
1865	{
1866	#pragma unused(kctlref, opt)
1867	errno_t error = `0`;
1868	struct content_filter cfc = (struct* content_filter *)unitinfo;
1869
1870	CFIL_LOG(LOG_NOTICE, "");
1871
1872	cfil_rw_lock_exclusive(&cfil_lck_rw);
1873
1874	if (content_filters == NULL) {
1875	CFIL_LOG(LOG_ERR, "no content filter");
1876	error = EINVAL;
1877	goto done;
1878	}
1879	if (kcunit > MAX_CONTENT_FILTER) {
1880	CFIL_LOG(LOG_ERR, "kcunit %u > MAX_CONTENT_FILTER (%d)",
1881	kcunit, MAX_CONTENT_FILTER);
1882	error = EINVAL;
1883	goto done;
1884	}
1885	if (cfc != (void *)content_filters[kcunit - `1`]) {
1886	CFIL_LOG(LOG_ERR, "unitinfo does not match for kcunit %u",
1887	kcunit);
1888	error = EINVAL;
1889	goto done;
1890	}
1891	switch (opt) {
1892	case CFIL_OPT_NECP_CONTROL_UNIT:
1893	if (len < sizeof(uint32_t)) {
1894	CFIL_LOG(LOG_ERR, "CFIL_OPT_NECP_CONTROL_UNIT "
1895	"len too small %lu", len);
1896	error = EINVAL;
1897	goto done;
1898	}
1899	if (cfc->cf_necp_control_unit != `0`) {
1900	CFIL_LOG(LOG_ERR, "CFIL_OPT_NECP_CONTROL_UNIT "
1901	"already set %u",
1902	cfc->cf_necp_control_unit);
1903	error = EINVAL;
1904	goto done;
1905	}
1906	cfc->cf_necp_control_unit = (uint32_t )data;
1907	break;
1908	default:
1909	error = ENOPROTOOPT;
1910	break;
1911	}
1912	done:
1913	cfil_rw_unlock_exclusive(&cfil_lck_rw);
1914
1915	return (error);
1916	}
1917
1918
1919	static void
1920	cfil_ctl_rcvd(kern_ctl_ref kctlref, u_int32_t kcunit, void unitinfo, int* flags)
1921	{
1922	#pragma unused(kctlref, flags)
1923	struct content_filter cfc = (struct* content_filter *)unitinfo;
1924	struct socket *so = NULL;
1925	int error;
1926	struct cfil_entry *entry;
1927	struct cfil_info *cfil_info = NULL;
1928
1929	CFIL_LOG(LOG_INFO, "");
1930
1931	if (content_filters == NULL) {
1932	CFIL_LOG(LOG_ERR, "no content filter");
1933	OSIncrementAtomic(&cfil_stats.cfs_ctl_rcvd_bad);
1934	return;
1935	}
1936	if (kcunit > MAX_CONTENT_FILTER) {
1937	CFIL_LOG(LOG_ERR, "kcunit %u > MAX_CONTENT_FILTER (%d)",
1938	kcunit, MAX_CONTENT_FILTER);
1939	OSIncrementAtomic(&cfil_stats.cfs_ctl_rcvd_bad);
1940	return;
1941	}
1942	cfil_rw_lock_shared(&cfil_lck_rw);
1943	if (cfc != (void *)content_filters[kcunit - `1`]) {
1944	CFIL_LOG(LOG_ERR, "unitinfo does not match for kcunit %u",
1945	kcunit);
1946	OSIncrementAtomic(&cfil_stats.cfs_ctl_rcvd_bad);
1947	goto done;
1948	}
1949	/ Let's assume the flow control is lifted /
1950	if (cfc->cf_flags & CFF_FLOW_CONTROLLED) {
1951	if (!cfil_rw_lock_shared_to_exclusive(&cfil_lck_rw))
1952	cfil_rw_lock_exclusive(&cfil_lck_rw);
1953
1954	cfc->cf_flags &= ~CFF_FLOW_CONTROLLED;
1955
1956	cfil_rw_lock_exclusive_to_shared(&cfil_lck_rw);
1957	LCK_RW_ASSERT(&cfil_lck_rw, LCK_RW_ASSERT_SHARED);
1958	}
1959	/*
1960	* Flow control will be raised again as soon as an entry cannot enqueue
1961	* to the kernel control socket
1962	*/
1963	while ((cfc->cf_flags & CFF_FLOW_CONTROLLED) == `0`) {
1964	verify_content_filter(cfc);
1965
1966	cfil_rw_lock_assert_held(&cfil_lck_rw, `0`);
1967
1968	/ Find an entry that is flow controlled /
1969	TAILQ_FOREACH(entry, &cfc->cf_sock_entries, cfe_link) {
1970	if (entry->cfe_cfil_info == NULL \|\|
1971	entry->cfe_cfil_info->cfi_so == NULL)
1972	continue;
1973	if ((entry->cfe_flags & CFEF_FLOW_CONTROLLED) == `0`)
1974	continue;
1975	}
1976	if (entry == NULL)
1977	break;
1978
1979	OSIncrementAtomic(&cfil_stats.cfs_ctl_rcvd_flow_lift);
1980
1981	cfil_info = entry->cfe_cfil_info;
1982	so = cfil_info->cfi_so;
1983
1984	cfil_rw_unlock_shared(&cfil_lck_rw);
1985	socket_lock(so, `1`);
1986
1987	do {
1988	error = cfil_acquire_sockbuf(so, cfil_info, `1`);
1989	if (error == `0`)
1990	error = cfil_data_service_ctl_q(so, cfil_info, kcunit, `1`);
1991	cfil_release_sockbuf(so, `1`);
1992	if (error != `0`)
1993	break;
1994
1995	error = cfil_acquire_sockbuf(so, cfil_info, `0`);
1996	if (error == `0`)
1997	error = cfil_data_service_ctl_q(so, cfil_info, kcunit, `0`);
1998	cfil_release_sockbuf(so, `0`);
1999	} while (`0`);
2000
2001	socket_lock_assert_owned(so);
2002	socket_unlock(so, `1`);
2003
2004	cfil_rw_lock_shared(&cfil_lck_rw);
2005	}
2006	done:
2007	cfil_rw_unlock_shared(&cfil_lck_rw);
2008	}
2009
2010	void
2011	cfil_init(void)
2012	{
2013	struct kern_ctl_reg kern_ctl;
2014	errno_t error = `0`;
2015	vm_size_t content_filter_size = `0`; / size of content_filter /
2016	vm_size_t cfil_info_size = `0`; / size of cfil_info /
2017	vm_size_t cfil_hash_entry_size = `0`; / size of cfil_hash_entry /
2018	vm_size_t cfil_db_size = `0`; / size of cfil_db /
2019	unsigned int mbuf_limit = `0`;
2020
2021	CFIL_LOG(LOG_NOTICE, "");
2022
2023	/*
2024	* Compile time verifications
2025	*/
2026	_CASSERT(CFIL_MAX_FILTER_COUNT == MAX_CONTENT_FILTER);
2027	_CASSERT(sizeof(struct cfil_filter_stat) % sizeof(uint32_t) == `0`);
2028	_CASSERT(sizeof(struct cfil_entry_stat) % sizeof(uint32_t) == `0`);
2029	_CASSERT(sizeof(struct cfil_sock_stat) % sizeof(uint32_t) == `0`);
2030
2031	/*
2032	* Runtime time verifications
2033	*/
2034	VERIFY(IS_P2ALIGNED(&cfil_stats.cfs_ctl_q_in_enqueued,
2035	sizeof(uint32_t)));
2036	VERIFY(IS_P2ALIGNED(&cfil_stats.cfs_ctl_q_out_enqueued,
2037	sizeof(uint32_t)));
2038	VERIFY(IS_P2ALIGNED(&cfil_stats.cfs_ctl_q_in_peeked,
2039	sizeof(uint32_t)));
2040	VERIFY(IS_P2ALIGNED(&cfil_stats.cfs_ctl_q_out_peeked,
2041	sizeof(uint32_t)));
2042
2043	VERIFY(IS_P2ALIGNED(&cfil_stats.cfs_pending_q_in_enqueued,
2044	sizeof(uint32_t)));
2045	VERIFY(IS_P2ALIGNED(&cfil_stats.cfs_pending_q_out_enqueued,
2046	sizeof(uint32_t)));
2047
2048	VERIFY(IS_P2ALIGNED(&cfil_stats.cfs_inject_q_in_enqueued,
2049	sizeof(uint32_t)));
2050	VERIFY(IS_P2ALIGNED(&cfil_stats.cfs_inject_q_out_enqueued,
2051	sizeof(uint32_t)));
2052	VERIFY(IS_P2ALIGNED(&cfil_stats.cfs_inject_q_in_passed,
2053	sizeof(uint32_t)));
2054	VERIFY(IS_P2ALIGNED(&cfil_stats.cfs_inject_q_out_passed,
2055	sizeof(uint32_t)));
2056
2057	/*
2058	* Zone for content filters kernel control sockets
2059	*/
2060	content_filter_size = sizeof(struct content_filter);
2061	content_filter_zone = zinit(content_filter_size,
2062	CONTENT_FILTER_ZONE_MAX * content_filter_size,
2063	`0`,
2064	CONTENT_FILTER_ZONE_NAME);
2065	if (content_filter_zone == NULL) {
2066	panic("%s: zinit(%s) failed", __func__,
2067	CONTENT_FILTER_ZONE_NAME);
2068	/ NOTREACHED /
2069	}
2070	zone_change(content_filter_zone, Z_CALLERACCT, FALSE);
2071	zone_change(content_filter_zone, Z_EXPAND, TRUE);
2072
2073	/*
2074	* Zone for per socket content filters
2075	*/
2076	cfil_info_size = sizeof(struct cfil_info);
2077	cfil_info_zone = zinit(cfil_info_size,
2078	CFIL_INFO_ZONE_MAX * cfil_info_size,
2079	`0`,
2080	CFIL_INFO_ZONE_NAME);
2081	if (cfil_info_zone == NULL) {
2082	panic("%s: zinit(%s) failed", __func__, CFIL_INFO_ZONE_NAME);
2083	/ NOTREACHED /
2084	}
2085	zone_change(cfil_info_zone, Z_CALLERACCT, FALSE);
2086	zone_change(cfil_info_zone, Z_EXPAND, TRUE);
2087
2088	/*
2089	* Zone for content filters cfil hash entries and db
2090	*/
2091	cfil_hash_entry_size = sizeof(struct cfil_hash_entry);
2092	cfil_hash_entry_zone = zinit(cfil_hash_entry_size,
2093	CFIL_HASH_ENTRY_ZONE_MAX * cfil_hash_entry_size,
2094	`0`,
2095	CFIL_HASH_ENTRY_ZONE_NAME);
2096	if (cfil_hash_entry_zone == NULL) {
2097	panic("%s: zinit(%s) failed", __func__, CFIL_HASH_ENTRY_ZONE_NAME);
2098	/ NOTREACHED /
2099	}
2100	zone_change(cfil_hash_entry_zone, Z_CALLERACCT, FALSE);
2101	zone_change(cfil_hash_entry_zone, Z_EXPAND, TRUE);
2102
2103	cfil_db_size = sizeof(struct cfil_db);
2104	cfil_db_zone = zinit(cfil_db_size,
2105	CFIL_DB_ZONE_MAX * cfil_db_size,
2106	`0`,
2107	CFIL_DB_ZONE_NAME);
2108	if (cfil_db_zone == NULL) {
2109	panic("%s: zinit(%s) failed", __func__, CFIL_DB_ZONE_NAME);
2110	/ NOTREACHED /
2111	}
2112	zone_change(cfil_db_zone, Z_CALLERACCT, FALSE);
2113	zone_change(cfil_db_zone, Z_EXPAND, TRUE);
2114
2115	/*
2116	* Allocate locks
2117	*/
2118	cfil_lck_grp_attr = lck_grp_attr_alloc_init();
2119	if (cfil_lck_grp_attr == NULL) {
2120	panic("%s: lck_grp_attr_alloc_init failed", __func__);
2121	/ NOTREACHED /
2122	}
2123	cfil_lck_grp = lck_grp_alloc_init("content filter",
2124	cfil_lck_grp_attr);
2125	if (cfil_lck_grp == NULL) {
2126	panic("%s: lck_grp_alloc_init failed", __func__);
2127	/ NOTREACHED /
2128	}
2129	cfil_lck_attr = lck_attr_alloc_init();
2130	if (cfil_lck_attr == NULL) {
2131	panic("%s: lck_attr_alloc_init failed", __func__);
2132	/ NOTREACHED /
2133	}
2134	lck_rw_init(&cfil_lck_rw, cfil_lck_grp, cfil_lck_attr);
2135
2136	TAILQ_INIT(&cfil_sock_head);
2137
2138	/*
2139	* Register kernel control
2140	*/
2141	bzero(&kern_ctl, sizeof(kern_ctl));
2142	strlcpy(kern_ctl.ctl_name, CONTENT_FILTER_CONTROL_NAME,
2143	sizeof(kern_ctl.ctl_name));
2144	kern_ctl.ctl_flags = CTL_FLAG_PRIVILEGED \| CTL_FLAG_REG_EXTENDED;
2145	kern_ctl.ctl_sendsize = `512` * `1024`; / enough? /
2146	kern_ctl.ctl_recvsize = `512` * `1024`; / enough? /
2147	kern_ctl.ctl_connect = cfil_ctl_connect;
2148	kern_ctl.ctl_disconnect = cfil_ctl_disconnect;
2149	kern_ctl.ctl_send = cfil_ctl_send;
2150	kern_ctl.ctl_getopt = cfil_ctl_getopt;
2151	kern_ctl.ctl_setopt = cfil_ctl_setopt;
2152	kern_ctl.ctl_rcvd = cfil_ctl_rcvd;
2153	error = ctl_register(&kern_ctl, &cfil_kctlref);
2154	if (error != `0`) {
2155	CFIL_LOG(LOG_ERR, "ctl_register failed: %d", error);
2156	return;
2157	}
2158
2159	// Spawn thread for gargage collection
2160	if (kernel_thread_start(cfil_udp_gc_thread_func, NULL,
2161	&cfil_udp_gc_thread) != KERN_SUCCESS) {
2162	panic_plain("%s: Can't create UDP GC thread", __func__);
2163	/ NOTREACHED /
2164	}
2165	/ this must not fail /
2166	VERIFY(cfil_udp_gc_thread != NULL);
2167
2168	// Set UDP per-flow mbuf thresholds to 1/32 of platform max
2169	mbuf_limit = MAX(UDP_FLOW_GC_MBUF_CNT_MAX, (nmbclusters << MCLSHIFT) >> UDP_FLOW_GC_MBUF_SHIFT);
2170	cfil_udp_gc_mbuf_num_max = (mbuf_limit >> MCLSHIFT);
2171	cfil_udp_gc_mbuf_cnt_max = mbuf_limit;
2172	}
2173
2174	struct cfil_info *
2175	cfil_info_alloc(struct socket so, struct* cfil_hash_entry *hash_entry)
2176	{
2177	int kcunit;
2178	struct cfil_info *cfil_info = NULL;
2179	struct inpcb *inp = sotoinpcb(so);
2180
2181	CFIL_LOG(LOG_INFO, "");
2182
2183	socket_lock_assert_owned(so);
2184
2185	cfil_info = zalloc(cfil_info_zone);
2186	if (cfil_info == NULL)
2187	goto done;
2188	bzero(cfil_info, sizeof(struct cfil_info));
2189
2190	cfil_queue_init(&cfil_info->cfi_snd.cfi_inject_q);
2191	cfil_queue_init(&cfil_info->cfi_rcv.cfi_inject_q);
2192
2193	for (kcunit = `1`; kcunit <= MAX_CONTENT_FILTER; kcunit++) {
2194	struct cfil_entry *entry;
2195
2196	entry = &cfil_info->cfi_entries[kcunit - `1`];
2197	entry->cfe_cfil_info = cfil_info;
2198
2199	/ Initialize the filter entry /
2200	entry->cfe_filter = NULL;
2201	entry->cfe_flags = `0`;
2202	entry->cfe_necp_control_unit = `0`;
2203	entry->cfe_snd.cfe_pass_offset = `0`;
2204	entry->cfe_snd.cfe_peek_offset = `0`;
2205	entry->cfe_snd.cfe_peeked = `0`;
2206	entry->cfe_rcv.cfe_pass_offset = `0`;
2207	entry->cfe_rcv.cfe_peek_offset = `0`;
2208	entry->cfe_rcv.cfe_peeked = `0`;
2209	/*
2210	* Timestamp the last action to avoid pre-maturely
2211	* triggering garbage collection
2212	*/
2213	microuptime(&entry->cfe_last_action);
2214
2215	cfil_queue_init(&entry->cfe_snd.cfe_pending_q);
2216	cfil_queue_init(&entry->cfe_rcv.cfe_pending_q);
2217	cfil_queue_init(&entry->cfe_snd.cfe_ctl_q);
2218	cfil_queue_init(&entry->cfe_rcv.cfe_ctl_q);
2219	}
2220
2221	cfil_rw_lock_exclusive(&cfil_lck_rw);
2222
2223	/*
2224	* Create a cfi_sock_id that's not the socket pointer!
2225	*/
2226
2227	if (hash_entry == NULL) {
2228	// This is the TCP case, cfil_info is tracked per socket
2229	if (inp->inp_flowhash == `0`)
2230	inp->inp_flowhash = inp_calc_flowhash(inp);
2231
2232	so->so_cfil = cfil_info;
2233	cfil_info->cfi_so = so;
2234	cfil_info->cfi_sock_id =
2235	((so->so_gencnt << `32`) \| inp->inp_flowhash);
2236	} else {
2237	// This is the UDP case, cfil_info is tracked in per-socket hash
2238	cfil_info->cfi_so = so;
2239	hash_entry->cfentry_cfil = cfil_info;
2240	cfil_info->cfi_hash_entry = hash_entry;
2241	cfil_info->cfi_sock_id = ((so->so_gencnt << `32`) \| (hash_entry->cfentry_flowhash & `0xffffffff`));
2242	CFIL_LOG(LOG_DEBUG, "CFIL: UDP inp_flowhash %x so_gencnt %llx entry flowhash %x sockID %llx",
2243	inp->inp_flowhash, so->so_gencnt, hash_entry->cfentry_flowhash, cfil_info->cfi_sock_id);
2244
2245	// Wake up gc thread if this is first flow added
2246	if (cfil_sock_udp_attached_count == `0`) {
2247	thread_wakeup((caddr_t)&cfil_sock_udp_attached_count);
2248	}
2249
2250	cfil_sock_udp_attached_count++;
2251	}
2252
2253	TAILQ_INSERT_TAIL(&cfil_sock_head, cfil_info, cfi_link);
2254
2255	cfil_sock_attached_count++;
2256
2257	cfil_rw_unlock_exclusive(&cfil_lck_rw);
2258
2259	done:
2260	if (cfil_info != NULL)
2261	OSIncrementAtomic(&cfil_stats.cfs_cfi_alloc_ok);
2262	else
2263	OSIncrementAtomic(&cfil_stats.cfs_cfi_alloc_fail);
2264
2265	return (cfil_info);
2266	}
2267
2268	int
2269	cfil_info_attach_unit(struct socket so, uint32_t filter_control_unit, struct* cfil_info *cfil_info)
2270	{
2271	int kcunit;
2272	int attached = `0`;
2273
2274	CFIL_LOG(LOG_INFO, "");
2275
2276	socket_lock_assert_owned(so);
2277
2278	cfil_rw_lock_exclusive(&cfil_lck_rw);
2279
2280	for (kcunit = `1`;
2281	content_filters != NULL && kcunit <= MAX_CONTENT_FILTER;
2282	kcunit++) {
2283	struct content_filter *cfc = content_filters[kcunit - `1`];
2284	struct cfil_entry *entry;
2285
2286	if (cfc == NULL)
2287	continue;
2288	if (cfc->cf_necp_control_unit != filter_control_unit)
2289	continue;
2290
2291	entry = &cfil_info->cfi_entries[kcunit - `1`];
2292
2293	entry->cfe_filter = cfc;
2294	entry->cfe_necp_control_unit = filter_control_unit;
2295	TAILQ_INSERT_TAIL(&cfc->cf_sock_entries, entry, cfe_link);
2296	cfc->cf_sock_count++;
2297	verify_content_filter(cfc);
2298	attached = `1`;
2299	entry->cfe_flags \|= CFEF_CFIL_ATTACHED;
2300	break;
2301	}
2302
2303	cfil_rw_unlock_exclusive(&cfil_lck_rw);
2304
2305	return (attached);
2306	}
2307
2308	static void
2309	cfil_info_free(struct cfil_info *cfil_info)
2310	{
2311	int kcunit;
2312	uint64_t in_drain = `0`;
2313	uint64_t out_drained = `0`;
2314
2315	if (cfil_info == NULL)
2316	return;
2317
2318	CFIL_LOG(LOG_INFO, "");
2319
2320	cfil_rw_lock_exclusive(&cfil_lck_rw);
2321
2322	for (kcunit = `1`;
2323	content_filters != NULL && kcunit <= MAX_CONTENT_FILTER;
2324	kcunit++) {
2325	struct cfil_entry *entry;
2326	struct content_filter *cfc;
2327
2328	entry = &cfil_info->cfi_entries[kcunit - `1`];
2329
2330	/ Don't be silly and try to detach twice /
2331	if (entry->cfe_filter == NULL)
2332	continue;
2333
2334	cfc = content_filters[kcunit - `1`];
2335
2336	VERIFY(cfc == entry->cfe_filter);
2337
2338	entry->cfe_filter = NULL;
2339	entry->cfe_necp_control_unit = `0`;
2340	TAILQ_REMOVE(&cfc->cf_sock_entries, entry, cfe_link);
2341	cfc->cf_sock_count--;
2342
2343	verify_content_filter(cfc);
2344	}
2345	if (cfil_info->cfi_hash_entry != NULL)
2346	cfil_sock_udp_attached_count--;
2347	cfil_sock_attached_count--;
2348	TAILQ_REMOVE(&cfil_sock_head, cfil_info, cfi_link);
2349
2350	out_drained += cfil_queue_drain(&cfil_info->cfi_snd.cfi_inject_q);
2351	in_drain += cfil_queue_drain(&cfil_info->cfi_rcv.cfi_inject_q);
2352
2353	for (kcunit = `1`; kcunit <= MAX_CONTENT_FILTER; kcunit++) {
2354	struct cfil_entry *entry;
2355
2356	entry = &cfil_info->cfi_entries[kcunit - `1`];
2357	out_drained += cfil_queue_drain(&entry->cfe_snd.cfe_pending_q);
2358	in_drain += cfil_queue_drain(&entry->cfe_rcv.cfe_pending_q);
2359	out_drained += cfil_queue_drain(&entry->cfe_snd.cfe_ctl_q);
2360	in_drain += cfil_queue_drain(&entry->cfe_rcv.cfe_ctl_q);
2361	}
2362	cfil_rw_unlock_exclusive(&cfil_lck_rw);
2363
2364	if (out_drained)
2365	OSIncrementAtomic(&cfil_stats.cfs_flush_out_free);
2366	if (in_drain)
2367	OSIncrementAtomic(&cfil_stats.cfs_flush_in_free);
2368
2369	zfree(cfil_info_zone, cfil_info);
2370	}
2371
2372	/*
2373	* Entry point from Sockets layer
2374	* The socket is locked.
2375	*/
2376	errno_t
2377	cfil_sock_attach(struct socket *so)
2378	{
2379	errno_t error = `0`;
2380	uint32_t filter_control_unit;
2381
2382	socket_lock_assert_owned(so);
2383
2384	/ Limit ourselves to TCP that are not MPTCP subflows /
2385	if ((so->so_proto->pr_domain->dom_family != PF_INET &&
2386	so->so_proto->pr_domain->dom_family != PF_INET6) \|\|
2387	so->so_proto->pr_type != SOCK_STREAM \|\|
2388	so->so_proto->pr_protocol != IPPROTO_TCP \|\|
2389	(so->so_flags & SOF_MP_SUBFLOW) != `0` \|\|
2390	(so->so_flags1 & SOF1_CONTENT_FILTER_SKIP) != `0`)
2391	goto done;
2392
2393	filter_control_unit = necp_socket_get_content_filter_control_unit(so);
2394	if (filter_control_unit == `0`)
2395	goto done;
2396
2397	if ((filter_control_unit & NECP_MASK_USERSPACE_ONLY) != `0`) {
2398	OSIncrementAtomic(&cfil_stats.cfs_sock_userspace_only);
2399	goto done;
2400	}
2401	if (cfil_active_count == `0`) {
2402	OSIncrementAtomic(&cfil_stats.cfs_sock_attach_in_vain);
2403	goto done;
2404	}
2405	if (so->so_cfil != NULL) {
2406	OSIncrementAtomic(&cfil_stats.cfs_sock_attach_already);
2407	CFIL_LOG(LOG_ERR, "already attached");
2408	} else {
2409	cfil_info_alloc(so, NULL);
2410	if (so->so_cfil == NULL) {
2411	error = ENOMEM;
2412	OSIncrementAtomic(&cfil_stats.cfs_sock_attach_no_mem);
2413	goto done;
2414	}
2415	}
2416	if (cfil_info_attach_unit(so, filter_control_unit, so->so_cfil) == `0`) {
2417	CFIL_LOG(LOG_ERR, "cfil_info_attach_unit(%u) failed",
2418	filter_control_unit);
2419	OSIncrementAtomic(&cfil_stats.cfs_sock_attach_failed);
2420	goto done;
2421	}
2422	CFIL_LOG(LOG_INFO, "so %llx filter_control_unit %u sockID %llx",
2423	(uint64_t)VM_KERNEL_ADDRPERM(so),
2424	filter_control_unit, so->so_cfil->cfi_sock_id);
2425
2426	so->so_flags \|= SOF_CONTENT_FILTER;
2427	OSIncrementAtomic(&cfil_stats.cfs_sock_attached);
2428
2429	/ Hold a reference on the socket /
2430	so->so_usecount++;
2431
2432	error = cfil_dispatch_attach_event(so, so->so_cfil, filter_control_unit);
2433	/ We can recover from flow control or out of memory errors /
2434	if (error == ENOBUFS \|\| error == ENOMEM)
2435	error = `0`;
2436	else if (error != `0`)
2437	goto done;
2438
2439	CFIL_INFO_VERIFY(so->so_cfil);
2440	done:
2441	return (error);
2442	}
2443
2444	/*
2445	* Entry point from Sockets layer
2446	* The socket is locked.
2447	*/
2448	errno_t
2449	cfil_sock_detach(struct socket *so)
2450	{
2451	if (IS_UDP(so)) {
2452	cfil_db_free(so);
2453	return (`0`);
2454	}
2455
2456	if (so->so_cfil) {
2457	if (so->so_flags & SOF_CONTENT_FILTER) {
2458	so->so_flags &= ~SOF_CONTENT_FILTER;
2459	VERIFY(so->so_usecount > `0`);
2460	so->so_usecount--;
2461	}
2462	cfil_info_free(so->so_cfil);
2463	so->so_cfil = NULL;
2464	OSIncrementAtomic(&cfil_stats.cfs_sock_detached);
2465	}
2466	return (`0`);
2467	}
2468
2469	static int
2470	cfil_dispatch_attach_event(struct socket so, struct* cfil_info *cfil_info, uint32_t filter_control_unit)
2471	{
2472	errno_t error = `0`;
2473	struct cfil_entry *entry = NULL;
2474	struct cfil_msg_sock_attached msg_attached;
2475	uint32_t kcunit;
2476	struct content_filter *cfc = NULL;
2477
2478	socket_lock_assert_owned(so);
2479
2480	cfil_rw_lock_shared(&cfil_lck_rw);
2481
2482	if (so->so_proto == NULL \|\| so->so_proto->pr_domain == NULL) {
2483	error = EINVAL;
2484	goto done;
2485	}
2486	/*
2487	* Find the matching filter unit
2488	*/
2489	for (kcunit = `1`; kcunit <= MAX_CONTENT_FILTER; kcunit++) {
2490	cfc = content_filters[kcunit - `1`];
2491
2492	if (cfc == NULL)
2493	continue;
2494	if (cfc->cf_necp_control_unit != filter_control_unit)
2495	continue;
2496	entry = &cfil_info->cfi_entries[kcunit - `1`];
2497	if (entry->cfe_filter == NULL)
2498	continue;
2499
2500	VERIFY(cfc == entry->cfe_filter);
2501
2502	break;
2503	}
2504
2505	if (entry == NULL \|\| entry->cfe_filter == NULL)
2506	goto done;
2507
2508	if ((entry->cfe_flags & CFEF_SENT_SOCK_ATTACHED))
2509	goto done;
2510
2511	CFIL_LOG(LOG_INFO, "so %llx filter_control_unit %u kcunit %u",
2512	(uint64_t)VM_KERNEL_ADDRPERM(so), filter_control_unit, kcunit);
2513
2514	/ Would be wasteful to try when flow controlled /
2515	if (cfc->cf_flags & CFF_FLOW_CONTROLLED) {
2516	error = ENOBUFS;
2517	goto done;
2518	}
2519
2520	bzero(&msg_attached, sizeof(struct cfil_msg_sock_attached));
2521	msg_attached.cfs_msghdr.cfm_len = sizeof(struct cfil_msg_sock_attached);
2522	msg_attached.cfs_msghdr.cfm_version = CFM_VERSION_CURRENT;
2523	msg_attached.cfs_msghdr.cfm_type = CFM_TYPE_EVENT;
2524	msg_attached.cfs_msghdr.cfm_op = CFM_OP_SOCKET_ATTACHED;
2525	msg_attached.cfs_msghdr.cfm_sock_id = entry->cfe_cfil_info->cfi_sock_id;
2526
2527	msg_attached.cfs_sock_family = so->so_proto->pr_domain->dom_family;
2528	msg_attached.cfs_sock_type = so->so_proto->pr_type;
2529	msg_attached.cfs_sock_protocol = so->so_proto->pr_protocol;
2530	msg_attached.cfs_pid = so->last_pid;
2531	memcpy(msg_attached.cfs_uuid, so->last_uuid, sizeof(uuid_t));
2532	if (so->so_flags & SOF_DELEGATED) {
2533	msg_attached.cfs_e_pid = so->e_pid;
2534	memcpy(msg_attached.cfs_e_uuid, so->e_uuid, sizeof(uuid_t));
2535	} else {
2536	msg_attached.cfs_e_pid = so->last_pid;
2537	memcpy(msg_attached.cfs_e_uuid, so->last_uuid, sizeof(uuid_t));
2538	}
2539
2540	#if LIFECYCLE_DEBUG
2541	CFIL_LOG(LOG_DEBUG, "CFIL: LIFECYCLE: SENDING ATTACH UP <sockID %llu> ",
2542	entry->cfe_cfil_info->cfi_sock_id);
2543	#endif
2544
2545	error = ctl_enqueuedata(entry->cfe_filter->cf_kcref,
2546	entry->cfe_filter->cf_kcunit,
2547	&msg_attached,
2548	sizeof(struct cfil_msg_sock_attached),
2549	CTL_DATA_EOR);
2550	if (error != `0`) {
2551	CFIL_LOG(LOG_ERR, "ctl_enqueuedata() failed: %d", error);
2552	goto done;
2553	}
2554	microuptime(&entry->cfe_last_event);
2555	cfil_info->cfi_first_event.tv_sec = entry->cfe_last_event.tv_sec;
2556	cfil_info->cfi_first_event.tv_usec = entry->cfe_last_event.tv_usec;
2557
2558	entry->cfe_flags \|= CFEF_SENT_SOCK_ATTACHED;
2559	OSIncrementAtomic(&cfil_stats.cfs_attach_event_ok);
2560	done:
2561
2562	/ We can recover from flow control /
2563	if (error == ENOBUFS) {
2564	entry->cfe_flags \|= CFEF_FLOW_CONTROLLED;
2565	OSIncrementAtomic(&cfil_stats.cfs_attach_event_flow_control);
2566
2567	if (!cfil_rw_lock_shared_to_exclusive(&cfil_lck_rw))
2568	cfil_rw_lock_exclusive(&cfil_lck_rw);
2569
2570	cfc->cf_flags \|= CFF_FLOW_CONTROLLED;
2571
2572	cfil_rw_unlock_exclusive(&cfil_lck_rw);
2573	} else {
2574	if (error != `0`)
2575	OSIncrementAtomic(&cfil_stats.cfs_attach_event_fail);
2576
2577	cfil_rw_unlock_shared(&cfil_lck_rw);
2578	}
2579	return (error);
2580	}
2581
2582	static int
2583	cfil_dispatch_disconnect_event(struct socket so, struct* cfil_info cfil_info, uint32_t kcunit, int* outgoing)
2584	{
2585	errno_t error = `0`;
2586	struct mbuf *msg = NULL;
2587	struct cfil_entry *entry;
2588	struct cfe_buf *entrybuf;
2589	struct cfil_msg_hdr msg_disconnected;
2590	struct content_filter *cfc;
2591
2592	socket_lock_assert_owned(so);
2593
2594	cfil_rw_lock_shared(&cfil_lck_rw);
2595
2596	entry = &cfil_info->cfi_entries[kcunit - `1`];
2597	if (outgoing)
2598	entrybuf = &entry->cfe_snd;
2599	else
2600	entrybuf = &entry->cfe_rcv;
2601
2602	cfc = entry->cfe_filter;
2603	if (cfc == NULL)
2604	goto done;
2605
2606	CFIL_LOG(LOG_INFO, "so %llx kcunit %u outgoing %d",
2607	(uint64_t)VM_KERNEL_ADDRPERM(so), kcunit, outgoing);
2608
2609	/*
2610	* Send the disconnection event once
2611	*/
2612	if ((outgoing && (entry->cfe_flags & CFEF_SENT_DISCONNECT_OUT)) \|\|
2613	(!outgoing && (entry->cfe_flags & CFEF_SENT_DISCONNECT_IN))) {
2614	CFIL_LOG(LOG_INFO, "so %llx disconnect already sent",
2615	(uint64_t)VM_KERNEL_ADDRPERM(so));
2616	goto done;
2617	}
2618
2619	/*
2620	* We're not disconnected as long as some data is waiting
2621	* to be delivered to the filter
2622	*/
2623	if (outgoing && cfil_queue_empty(&entrybuf->cfe_ctl_q) == `0`) {
2624	CFIL_LOG(LOG_INFO, "so %llx control queue not empty",
2625	(uint64_t)VM_KERNEL_ADDRPERM(so));
2626	error = EBUSY;
2627	goto done;
2628	}
2629	/ Would be wasteful to try when flow controlled /
2630	if (cfc->cf_flags & CFF_FLOW_CONTROLLED) {
2631	error = ENOBUFS;
2632	goto done;
2633	}
2634
2635	#if LIFECYCLE_DEBUG
2636	cfil_info_log(LOG_ERR, cfil_info, outgoing ?
2637	"CFIL: LIFECYCLE: OUT - SENDING DISCONNECT UP":
2638	"CFIL: LIFECYCLE: IN - SENDING DISCONNECT UP");
2639	#endif
2640
2641	bzero(&msg_disconnected, sizeof(struct cfil_msg_hdr));
2642	msg_disconnected.cfm_len = sizeof(struct cfil_msg_hdr);
2643	msg_disconnected.cfm_version = CFM_VERSION_CURRENT;
2644	msg_disconnected.cfm_type = CFM_TYPE_EVENT;
2645	msg_disconnected.cfm_op = outgoing ? CFM_OP_DISCONNECT_OUT :
2646	CFM_OP_DISCONNECT_IN;
2647	msg_disconnected.cfm_sock_id = entry->cfe_cfil_info->cfi_sock_id;
2648	error = ctl_enqueuedata(entry->cfe_filter->cf_kcref,
2649	entry->cfe_filter->cf_kcunit,
2650	&msg_disconnected,
2651	sizeof(struct cfil_msg_hdr),
2652	CTL_DATA_EOR);
2653	if (error != `0`) {
2654	CFIL_LOG(LOG_ERR, "ctl_enqueuembuf() failed: %d", error);
2655	mbuf_freem(msg);
2656	goto done;
2657	}
2658	microuptime(&entry->cfe_last_event);
2659	CFI_ADD_TIME_LOG(cfil_info, &entry->cfe_last_event, &cfil_info->cfi_first_event, msg_disconnected.cfm_op);
2660
2661	/ Remember we have sent the disconnection message /
2662	if (outgoing) {
2663	entry->cfe_flags \|= CFEF_SENT_DISCONNECT_OUT;
2664	OSIncrementAtomic(&cfil_stats.cfs_disconnect_out_event_ok);
2665	} else {
2666	entry->cfe_flags \|= CFEF_SENT_DISCONNECT_IN;
2667	OSIncrementAtomic(&cfil_stats.cfs_disconnect_in_event_ok);
2668	}
2669	done:
2670	if (error == ENOBUFS) {
2671	entry->cfe_flags \|= CFEF_FLOW_CONTROLLED;
2672	OSIncrementAtomic(
2673	&cfil_stats.cfs_disconnect_event_flow_control);
2674
2675	if (!cfil_rw_lock_shared_to_exclusive(&cfil_lck_rw))
2676	cfil_rw_lock_exclusive(&cfil_lck_rw);
2677
2678	cfc->cf_flags \|= CFF_FLOW_CONTROLLED;
2679
2680	cfil_rw_unlock_exclusive(&cfil_lck_rw);
2681	} else {
2682	if (error != `0`)
2683	OSIncrementAtomic(
2684	&cfil_stats.cfs_disconnect_event_fail);
2685
2686	cfil_rw_unlock_shared(&cfil_lck_rw);
2687	}
2688	return (error);
2689	}
2690
2691	int
2692	cfil_dispatch_closed_event(struct socket so, struct* cfil_info cfil_info, int* kcunit)
2693	{
2694	struct cfil_entry *entry;
2695	struct cfil_msg_sock_closed msg_closed;
2696	errno_t error = `0`;
2697	struct content_filter *cfc;
2698
2699	socket_lock_assert_owned(so);
2700
2701	cfil_rw_lock_shared(&cfil_lck_rw);
2702
2703	entry = &cfil_info->cfi_entries[kcunit - `1`];
2704	cfc = entry->cfe_filter;
2705	if (cfc == NULL)
2706	goto done;
2707
2708	CFIL_LOG(LOG_INFO, "so %llx kcunit %d",
2709	(uint64_t)VM_KERNEL_ADDRPERM(so), kcunit);
2710
2711	/ Would be wasteful to try when flow controlled /
2712	if (cfc->cf_flags & CFF_FLOW_CONTROLLED) {
2713	error = ENOBUFS;
2714	goto done;
2715	}
2716	/*
2717	* Send a single closed message per filter
2718	*/
2719	if ((entry->cfe_flags & CFEF_SENT_SOCK_CLOSED) != `0`)
2720	goto done;
2721	if ((entry->cfe_flags & CFEF_SENT_SOCK_ATTACHED) == `0`)
2722	goto done;
2723
2724	microuptime(&entry->cfe_last_event);
2725	CFI_ADD_TIME_LOG(cfil_info, &entry->cfe_last_event, &cfil_info->cfi_first_event, CFM_OP_SOCKET_CLOSED);
2726
2727	bzero(&msg_closed, sizeof(struct cfil_msg_sock_closed));
2728	msg_closed.cfc_msghdr.cfm_len = sizeof(struct cfil_msg_sock_closed);
2729	msg_closed.cfc_msghdr.cfm_version = CFM_VERSION_CURRENT;
2730	msg_closed.cfc_msghdr.cfm_type = CFM_TYPE_EVENT;
2731	msg_closed.cfc_msghdr.cfm_op = CFM_OP_SOCKET_CLOSED;
2732	msg_closed.cfc_msghdr.cfm_sock_id = entry->cfe_cfil_info->cfi_sock_id;
2733	msg_closed.cfc_first_event.tv_sec = cfil_info->cfi_first_event.tv_sec;
2734	msg_closed.cfc_first_event.tv_usec = cfil_info->cfi_first_event.tv_usec;
2735	memcpy(msg_closed.cfc_op_time, cfil_info->cfi_op_time, sizeof(uint32_t)*CFI_MAX_TIME_LOG_ENTRY);
2736	memcpy(msg_closed.cfc_op_list, cfil_info->cfi_op_list, sizeof(unsigned char)*CFI_MAX_TIME_LOG_ENTRY);
2737	msg_closed.cfc_op_list_ctr = cfil_info->cfi_op_list_ctr;
2738
2739	#if LIFECYCLE_DEBUG
2740	CFIL_LOG(LOG_ERR, "CFIL: LIFECYCLE: SENDING CLOSED UP: <sock id %llu> op ctr %d, start time %llu.%llu", msg_closed.cfc_msghdr.cfm_sock_id, cfil_info->cfi_op_list_ctr, cfil_info->cfi_first_event.tv_sec, cfil_info->cfi_first_event.tv_usec);
2741	#endif
2742	/ for debugging*
2743	if (msg_closed.cfc_op_list_ctr > CFI_MAX_TIME_LOG_ENTRY) {
2744	msg_closed.cfc_op_list_ctr = CFI_MAX_TIME_LOG_ENTRY; // just in case
2745	}
2746	for (unsigned int i = 0; i < msg_closed.cfc_op_list_ctr ; i++) {
2747	CFIL_LOG(LOG_ERR, "MD: socket %llu event %2u, time + %u msec", msg_closed.cfc_msghdr.cfm_sock_id, (unsigned short)msg_closed.cfc_op_list[i], msg_closed.cfc_op_time[i]);
2748	}
2749	*/
2750
2751	error = ctl_enqueuedata(entry->cfe_filter->cf_kcref,
2752	entry->cfe_filter->cf_kcunit,
2753	&msg_closed,
2754	sizeof(struct cfil_msg_sock_closed),
2755	CTL_DATA_EOR);
2756	if (error != `0`) {
2757	CFIL_LOG(LOG_ERR, "ctl_enqueuedata() failed: %d",
2758	error);
2759	goto done;
2760	}
2761
2762	entry->cfe_flags \|= CFEF_SENT_SOCK_CLOSED;
2763	OSIncrementAtomic(&cfil_stats.cfs_closed_event_ok);
2764	done:
2765	/ We can recover from flow control /
2766	if (error == ENOBUFS) {
2767	entry->cfe_flags \|= CFEF_FLOW_CONTROLLED;
2768	OSIncrementAtomic(&cfil_stats.cfs_closed_event_flow_control);
2769
2770	if (!cfil_rw_lock_shared_to_exclusive(&cfil_lck_rw))
2771	cfil_rw_lock_exclusive(&cfil_lck_rw);
2772
2773	cfc->cf_flags \|= CFF_FLOW_CONTROLLED;
2774
2775	cfil_rw_unlock_exclusive(&cfil_lck_rw);
2776	} else {
2777	if (error != `0`)
2778	OSIncrementAtomic(&cfil_stats.cfs_closed_event_fail);
2779
2780	cfil_rw_unlock_shared(&cfil_lck_rw);
2781	}
2782
2783	return (error);
2784	}
2785
2786	static void
2787	fill_ip6_sockaddr_4_6(union sockaddr_in_4_6 *sin46,
2788	struct in6_addr *ip6, u_int16_t port)
2789	{
2790	struct sockaddr_in6 *sin6 = &sin46->sin6;
2791
2792	sin6->sin6_family = AF_INET6;
2793	sin6->sin6_len = sizeof(*sin6);
2794	sin6->sin6_port = port;
2795	sin6->sin6_addr = *ip6;
2796	if (IN6_IS_SCOPE_EMBED(&sin6->sin6_addr)) {
2797	sin6->sin6_scope_id = ntohs(sin6->sin6_addr.s6_addr16[`1`]);
2798	sin6->sin6_addr.s6_addr16[`1`] = `0`;
2799	}
2800	}
2801
2802	static void
2803	fill_ip_sockaddr_4_6(union sockaddr_in_4_6 *sin46,
2804	struct in_addr ip, u_int16_t port)
2805	{
2806	struct sockaddr_in *sin = &sin46->sin;
2807
2808	sin->sin_family = AF_INET;
2809	sin->sin_len = sizeof(*sin);
2810	sin->sin_port = port;
2811	sin->sin_addr.s_addr = ip.s_addr;
2812	}
2813
2814	static void
2815	cfil_get_flow_address_v6(struct cfil_hash_entry entry, struct* inpcb *inp,
2816	struct in6_addr laddr, struct in6_addr faddr,
2817	u_int16_t lport, u_int16_t fport)
2818	{
2819	if (entry != NULL) {
2820	*laddr = &entry->cfentry_laddr.addr6;
2821	*faddr = &entry->cfentry_faddr.addr6;
2822	*lport = entry->cfentry_lport;
2823	*fport = entry->cfentry_fport;
2824	} else {
2825	*laddr = &inp->in6p_laddr;
2826	*faddr = &inp->in6p_faddr;
2827	*lport = inp->inp_lport;
2828	*fport = inp->inp_fport;
2829	}
2830	}
2831
2832	static void
2833	cfil_get_flow_address(struct cfil_hash_entry entry, struct* inpcb *inp,
2834	struct in_addr laddr, struct* in_addr *faddr,
2835	u_int16_t lport, u_int16_t fport)
2836	{
2837	if (entry != NULL) {
2838	*laddr = entry->cfentry_laddr.addr46.ia46_addr4;
2839	*faddr = entry->cfentry_faddr.addr46.ia46_addr4;
2840	*lport = entry->cfentry_lport;
2841	*fport = entry->cfentry_fport;
2842	} else {
2843	*laddr = inp->inp_laddr;
2844	*faddr = inp->inp_faddr;
2845	*lport = inp->inp_lport;
2846	*fport = inp->inp_fport;
2847	}
2848	}
2849
2850	static int
2851	cfil_dispatch_data_event(struct socket so, struct* cfil_info cfil_info, uint32_t kcunit, int* outgoing,
2852	struct mbuf data, unsigned* int copyoffset, unsigned int copylen)
2853	{
2854	errno_t error = `0`;
2855	struct mbuf *copy = NULL;
2856	struct mbuf *msg = NULL;
2857	unsigned int one = `1`;
2858	struct cfil_msg_data_event *data_req;
2859	size_t hdrsize;
2860	struct inpcb inp = (struct* inpcb *)so->so_pcb;
2861	struct cfil_entry *entry;
2862	struct cfe_buf *entrybuf;
2863	struct content_filter *cfc;
2864	struct timeval tv;
2865
2866	cfil_rw_lock_shared(&cfil_lck_rw);
2867
2868	entry = &cfil_info->cfi_entries[kcunit - `1`];
2869	if (outgoing)
2870	entrybuf = &entry->cfe_snd;
2871	else
2872	entrybuf = &entry->cfe_rcv;
2873
2874	cfc = entry->cfe_filter;
2875	if (cfc == NULL)
2876	goto done;
2877
2878	data = cfil_data_start(data);
2879	if (data == NULL \|\| (data->m_flags & M_PKTHDR) == `0`) {
2880	CFIL_LOG(LOG_ERR, "NOT PKTHDR");
2881	goto done;
2882	}
2883
2884	CFIL_LOG(LOG_INFO, "so %llx kcunit %u outgoing %d",
2885	(uint64_t)VM_KERNEL_ADDRPERM(so), kcunit, outgoing);
2886
2887	socket_lock_assert_owned(so);
2888
2889	/ Would be wasteful to try /
2890	if (cfc->cf_flags & CFF_FLOW_CONTROLLED) {
2891	error = ENOBUFS;
2892	goto done;
2893	}
2894
2895	/ Make a copy of the data to pass to kernel control socket /
2896	copy = m_copym_mode(data, copyoffset, copylen, M_DONTWAIT,
2897	M_COPYM_NOOP_HDR);
2898	if (copy == NULL) {
2899	CFIL_LOG(LOG_ERR, "m_copym_mode() failed");
2900	error = ENOMEM;
2901	goto done;
2902	}
2903
2904	/ We need an mbuf packet for the message header /
2905	hdrsize = sizeof(struct cfil_msg_data_event);
2906	error = mbuf_allocpacket(MBUF_DONTWAIT, hdrsize, &one, &msg);
2907	if (error != `0`) {
2908	CFIL_LOG(LOG_ERR, "mbuf_allocpacket() failed");
2909	m_freem(copy);
2910	/*
2911	* ENOBUFS is to indicate flow control
2912	*/
2913	error = ENOMEM;
2914	goto done;
2915	}
2916	mbuf_setlen(msg, hdrsize);
2917	mbuf_pkthdr_setlen(msg, hdrsize + copylen);
2918	msg->m_next = copy;
2919	data_req = (struct cfil_msg_data_event *)mbuf_data(msg);
2920	bzero(data_req, hdrsize);
2921	data_req->cfd_msghdr.cfm_len = hdrsize + copylen;
2922	data_req->cfd_msghdr.cfm_version = `1`;
2923	data_req->cfd_msghdr.cfm_type = CFM_TYPE_EVENT;
2924	data_req->cfd_msghdr.cfm_op =
2925	outgoing ? CFM_OP_DATA_OUT : CFM_OP_DATA_IN;
2926	data_req->cfd_msghdr.cfm_sock_id =
2927	entry->cfe_cfil_info->cfi_sock_id;
2928	data_req->cfd_start_offset = entrybuf->cfe_peeked;
2929	data_req->cfd_end_offset = entrybuf->cfe_peeked + copylen;
2930
2931	/*
2932	* TBD:
2933	* For non connected sockets need to copy addresses from passed
2934	* parameters
2935	*/
2936	if (inp->inp_vflag & INP_IPV6) {
2937	struct in6_addr laddr = NULL, faddr = NULL;
2938	u_int16_t lport = `0`, fport = `0`;
2939
2940	cfil_get_flow_address_v6(cfil_info->cfi_hash_entry, inp,
2941	&laddr, &faddr, &lport, &fport);
2942	if (outgoing) {
2943	fill_ip6_sockaddr_4_6(&data_req->cfc_src, laddr, lport);
2944	fill_ip6_sockaddr_4_6(&data_req->cfc_dst, faddr, fport);
2945	} else {
2946	fill_ip6_sockaddr_4_6(&data_req->cfc_src, faddr, fport);
2947	fill_ip6_sockaddr_4_6(&data_req->cfc_dst, laddr, lport);
2948	}
2949	} else if (inp->inp_vflag & INP_IPV4) {
2950	struct in_addr laddr = {`0`}, faddr = {`0`};
2951	u_int16_t lport = `0`, fport = `0`;
2952
2953	cfil_get_flow_address(cfil_info->cfi_hash_entry, inp,
2954	&laddr, &faddr, &lport, &fport);
2955
2956	if (outgoing) {
2957	fill_ip_sockaddr_4_6(&data_req->cfc_src, laddr, lport);
2958	fill_ip_sockaddr_4_6(&data_req->cfc_dst, faddr, fport);
2959	} else {
2960	fill_ip_sockaddr_4_6(&data_req->cfc_src, faddr, fport);
2961	fill_ip_sockaddr_4_6(&data_req->cfc_dst, laddr, lport);
2962	}
2963	}
2964
2965	microuptime(&tv);
2966	CFI_ADD_TIME_LOG(cfil_info, &tv, &cfil_info->cfi_first_event, data_req->cfd_msghdr.cfm_op);
2967
2968	/ Pass the message to the content filter /
2969	error = ctl_enqueuembuf(entry->cfe_filter->cf_kcref,
2970	entry->cfe_filter->cf_kcunit,
2971	msg, CTL_DATA_EOR);
2972	if (error != `0`) {
2973	CFIL_LOG(LOG_ERR, "ctl_enqueuembuf() failed: %d", error);
2974	mbuf_freem(msg);
2975	goto done;
2976	}
2977	entry->cfe_flags &= ~CFEF_FLOW_CONTROLLED;
2978	OSIncrementAtomic(&cfil_stats.cfs_data_event_ok);
2979
2980	#if VERDICT_DEBUG
2981	CFIL_LOG(LOG_ERR, "CFIL: VERDICT ACTION: so %llx sockID %llu outgoing %d: mbuf %llx copyoffset %u copylen %u",
2982	(uint64_t)VM_KERNEL_ADDRPERM(so), cfil_info->cfi_sock_id, outgoing, (uint64_t)VM_KERNEL_ADDRPERM(data), copyoffset, copylen);
2983	#endif
2984
2985	done:
2986	if (error == ENOBUFS) {
2987	entry->cfe_flags \|= CFEF_FLOW_CONTROLLED;
2988	OSIncrementAtomic(
2989	&cfil_stats.cfs_data_event_flow_control);
2990
2991	if (!cfil_rw_lock_shared_to_exclusive(&cfil_lck_rw))
2992	cfil_rw_lock_exclusive(&cfil_lck_rw);
2993
2994	cfc->cf_flags \|= CFF_FLOW_CONTROLLED;
2995
2996	cfil_rw_unlock_exclusive(&cfil_lck_rw);
2997	} else {
2998	if (error != `0`)
2999	OSIncrementAtomic(&cfil_stats.cfs_data_event_fail);
3000
3001	cfil_rw_unlock_shared(&cfil_lck_rw);
3002	}
3003	return (error);
3004	}
3005
3006	/*
3007	* Process the queue of data waiting to be delivered to content filter
3008	*/
3009	static int
3010	cfil_data_service_ctl_q(struct socket so, struct* cfil_info cfil_info, uint32_t kcunit, int* outgoing)
3011	{
3012	errno_t error = `0`;
3013	struct mbuf data, tmp = NULL;
3014	unsigned int datalen = `0`, copylen = `0`, copyoffset = `0`;
3015	struct cfil_entry *entry;
3016	struct cfe_buf *entrybuf;
3017	uint64_t currentoffset = `0`;
3018
3019	if (cfil_info == NULL)
3020	return (`0`);
3021
3022	CFIL_LOG(LOG_INFO, "so %llx kcunit %u outgoing %d",
3023	(uint64_t)VM_KERNEL_ADDRPERM(so), kcunit, outgoing);
3024
3025	socket_lock_assert_owned(so);
3026
3027	entry = &cfil_info->cfi_entries[kcunit - `1`];
3028	if (outgoing)
3029	entrybuf = &entry->cfe_snd;
3030	else
3031	entrybuf = &entry->cfe_rcv;
3032
3033	/ Send attached message if not yet done /
3034	if ((entry->cfe_flags & CFEF_SENT_SOCK_ATTACHED) == `0`) {
3035	error = cfil_dispatch_attach_event(so, cfil_info, kcunit);
3036	if (error != `0`) {
3037	/ We can recover from flow control /
3038	if (error == ENOBUFS \|\| error == ENOMEM)
3039	error = `0`;
3040	goto done;
3041	}
3042	} else if ((entry->cfe_flags & CFEF_DATA_START) == `0`) {
3043	OSIncrementAtomic(&cfil_stats.cfs_ctl_q_not_started);
3044	goto done;
3045	}
3046
3047	#if DATA_DEBUG
3048	CFIL_LOG(LOG_DEBUG, "CFIL: SERVICE CTL-Q: pass_offset %llu peeked %llu peek_offset %llu",
3049	entrybuf->cfe_pass_offset,
3050	entrybuf->cfe_peeked,
3051	entrybuf->cfe_peek_offset);
3052	#endif
3053
3054	/ Move all data that can pass /
3055	while ((data = cfil_queue_first(&entrybuf->cfe_ctl_q)) != NULL &&
3056	entrybuf->cfe_ctl_q.q_start < entrybuf->cfe_pass_offset) {
3057	datalen = cfil_data_length(data, NULL, NULL);
3058	tmp = data;
3059
3060	if (entrybuf->cfe_ctl_q.q_start + datalen <=
3061	entrybuf->cfe_pass_offset) {
3062	/*
3063	* The first mbuf can fully pass
3064	*/
3065	copylen = datalen;
3066	} else {
3067	/*
3068	* The first mbuf can partially pass
3069	*/
3070	copylen = entrybuf->cfe_pass_offset -
3071	entrybuf->cfe_ctl_q.q_start;
3072	}
3073	VERIFY(copylen <= datalen);
3074
3075	#if DATA_DEBUG
3076	CFIL_LOG(LOG_DEBUG,
3077	"CFIL: SERVICE CTL-Q PASSING: %llx first %llu peeked %llu pass %llu peek %llu"
3078	"datalen %u copylen %u",
3079	(uint64_t)VM_KERNEL_ADDRPERM(tmp),
3080	entrybuf->cfe_ctl_q.q_start,
3081	entrybuf->cfe_peeked,
3082	entrybuf->cfe_pass_offset,
3083	entrybuf->cfe_peek_offset,
3084	datalen, copylen);
3085	#endif
3086
3087	/*
3088	* Data that passes has been peeked at explicitly or
3089	* implicitly
3090	*/
3091	if (entrybuf->cfe_ctl_q.q_start + copylen >
3092	entrybuf->cfe_peeked)
3093	entrybuf->cfe_peeked =
3094	entrybuf->cfe_ctl_q.q_start + copylen;
3095	/*
3096	* Stop on partial pass
3097	*/
3098	if (copylen < datalen)
3099	break;
3100
3101	/ All good, move full data from ctl queue to pending queue /
3102	cfil_queue_remove(&entrybuf->cfe_ctl_q, data, datalen);
3103
3104	cfil_queue_enqueue(&entrybuf->cfe_pending_q, data, datalen);
3105	if (outgoing)
3106	OSAddAtomic64(datalen,
3107	&cfil_stats.cfs_pending_q_out_enqueued);
3108	else
3109	OSAddAtomic64(datalen,
3110	&cfil_stats.cfs_pending_q_in_enqueued);
3111	}
3112	CFIL_INFO_VERIFY(cfil_info);
3113	if (tmp != NULL)
3114	CFIL_LOG(LOG_DEBUG,
3115	"%llx first %llu peeked %llu pass %llu peek %llu"
3116	"datalen %u copylen %u",
3117	(uint64_t)VM_KERNEL_ADDRPERM(tmp),
3118	entrybuf->cfe_ctl_q.q_start,
3119	entrybuf->cfe_peeked,
3120	entrybuf->cfe_pass_offset,
3121	entrybuf->cfe_peek_offset,
3122	datalen, copylen);
3123	tmp = NULL;
3124
3125	/ Now deal with remaining data the filter wants to peek at /
3126	for (data = cfil_queue_first(&entrybuf->cfe_ctl_q),
3127	currentoffset = entrybuf->cfe_ctl_q.q_start;
3128	data != NULL && currentoffset < entrybuf->cfe_peek_offset;
3129	data = cfil_queue_next(&entrybuf->cfe_ctl_q, data),
3130	currentoffset += datalen) {
3131	datalen = cfil_data_length(data, NULL, NULL);
3132	tmp = data;
3133
3134	/ We've already peeked at this mbuf /
3135	if (currentoffset + datalen <= entrybuf->cfe_peeked)
3136	continue;
3137	/*
3138	* The data in the first mbuf may have been
3139	* partially peeked at
3140	*/
3141	copyoffset = entrybuf->cfe_peeked - currentoffset;
3142	VERIFY(copyoffset < datalen);
3143	copylen = datalen - copyoffset;
3144	VERIFY(copylen <= datalen);
3145	/*
3146	* Do not copy more than needed
3147	*/
3148	if (currentoffset + copyoffset + copylen >
3149	entrybuf->cfe_peek_offset) {
3150	copylen = entrybuf->cfe_peek_offset -
3151	(currentoffset + copyoffset);
3152	}
3153
3154	#if DATA_DEBUG
3155	CFIL_LOG(LOG_DEBUG,
3156	"CFIL: SERVICE CTL-Q PEEKING: %llx current %llu peeked %llu pass %llu peek %llu "
3157	"datalen %u copylen %u copyoffset %u",
3158	(uint64_t)VM_KERNEL_ADDRPERM(tmp),
3159	currentoffset,
3160	entrybuf->cfe_peeked,
3161	entrybuf->cfe_pass_offset,
3162	entrybuf->cfe_peek_offset,
3163	datalen, copylen, copyoffset);
3164	#endif
3165
3166	/*
3167	* Stop if there is nothing more to peek at
3168	*/
3169	if (copylen == `0`)
3170	break;
3171	/*
3172	* Let the filter get a peek at this span of data
3173	*/
3174	error = cfil_dispatch_data_event(so, cfil_info, kcunit,
3175	outgoing, data, copyoffset, copylen);
3176	if (error != `0`) {
3177	/ On error, leave data in ctl_q /
3178	break;
3179	}
3180	entrybuf->cfe_peeked += copylen;
3181	if (outgoing)
3182	OSAddAtomic64(copylen,
3183	&cfil_stats.cfs_ctl_q_out_peeked);
3184	else
3185	OSAddAtomic64(copylen,
3186	&cfil_stats.cfs_ctl_q_in_peeked);
3187
3188	/ Stop when data could not be fully peeked at /
3189	if (copylen + copyoffset < datalen)
3190	break;
3191	}
3192	CFIL_INFO_VERIFY(cfil_info);
3193	if (tmp != NULL)
3194	CFIL_LOG(LOG_DEBUG,
3195	"%llx first %llu peeked %llu pass %llu peek %llu"
3196	"datalen %u copylen %u copyoffset %u",
3197	(uint64_t)VM_KERNEL_ADDRPERM(tmp),
3198	currentoffset,
3199	entrybuf->cfe_peeked,
3200	entrybuf->cfe_pass_offset,
3201	entrybuf->cfe_peek_offset,
3202	datalen, copylen, copyoffset);
3203
3204	/*
3205	* Process data that has passed the filter
3206	*/
3207	error = cfil_service_pending_queue(so, cfil_info, kcunit, outgoing);
3208	if (error != `0`) {
3209	CFIL_LOG(LOG_ERR, "cfil_service_pending_queue() error %d",
3210	error);
3211	goto done;
3212	}
3213
3214	/*
3215	* Dispatch disconnect events that could not be sent
3216	*/
3217	if (cfil_info == NULL)
3218	goto done;
3219	else if (outgoing) {
3220	if ((cfil_info->cfi_flags & CFIF_SHUT_WR) &&
3221	!(entry->cfe_flags & CFEF_SENT_DISCONNECT_OUT))
3222	cfil_dispatch_disconnect_event(so, cfil_info, kcunit, `1`);
3223	} else {
3224	if ((cfil_info->cfi_flags & CFIF_SHUT_RD) &&
3225	!(entry->cfe_flags & CFEF_SENT_DISCONNECT_IN))
3226	cfil_dispatch_disconnect_event(so, cfil_info, kcunit, `0`);
3227	}
3228
3229	done:
3230	CFIL_LOG(LOG_DEBUG,
3231	"first %llu peeked %llu pass %llu peek %llu",
3232	entrybuf->cfe_ctl_q.q_start,
3233	entrybuf->cfe_peeked,
3234	entrybuf->cfe_pass_offset,
3235	entrybuf->cfe_peek_offset);
3236
3237	CFIL_INFO_VERIFY(cfil_info);
3238	return (error);
3239	}
3240
3241	/*
3242	* cfil_data_filter()
3243	*
3244	* Process data for a content filter installed on a socket
3245	*/
3246	int
3247	cfil_data_filter(struct socket so, struct* cfil_info cfil_info, uint32_t kcunit, int* outgoing,
3248	struct mbuf *data, uint64_t datalen)
3249	{
3250	errno_t error = `0`;
3251	struct cfil_entry *entry;
3252	struct cfe_buf *entrybuf;
3253
3254	CFIL_LOG(LOG_INFO, "so %llx kcunit %u outgoing %d",
3255	(uint64_t)VM_KERNEL_ADDRPERM(so), kcunit, outgoing);
3256
3257	socket_lock_assert_owned(so);
3258
3259	entry = &cfil_info->cfi_entries[kcunit - `1`];
3260	if (outgoing)
3261	entrybuf = &entry->cfe_snd;
3262	else
3263	entrybuf = &entry->cfe_rcv;
3264
3265	/ Are we attached to the filter? /
3266	if (entry->cfe_filter == NULL) {
3267	error = `0`;
3268	goto done;
3269	}
3270
3271	/ Dispatch to filters /
3272	cfil_queue_enqueue(&entrybuf->cfe_ctl_q, data, datalen);
3273	if (outgoing)
3274	OSAddAtomic64(datalen,
3275	&cfil_stats.cfs_ctl_q_out_enqueued);
3276	else
3277	OSAddAtomic64(datalen,
3278	&cfil_stats.cfs_ctl_q_in_enqueued);
3279
3280	error = cfil_data_service_ctl_q(so, cfil_info, kcunit, outgoing);
3281	if (error != `0`) {
3282	CFIL_LOG(LOG_ERR, "cfil_data_service_ctl_q() error %d",
3283	error);
3284	}
3285	/*
3286	* We have to return EJUSTRETURN in all cases to avoid double free
3287	* by socket layer
3288	*/
3289	error = EJUSTRETURN;
3290	done:
3291	CFIL_INFO_VERIFY(cfil_info);
3292
3293	CFIL_LOG(LOG_INFO, "return %d", error);
3294	return (error);
3295	}
3296
3297	/*
3298	* cfil_service_inject_queue() re-inject data that passed the
3299	* content filters
3300	*/
3301	static int
3302	cfil_service_inject_queue(struct socket so, struct* cfil_info cfil_info, int* outgoing)
3303	{
3304	mbuf_t data;
3305	unsigned int datalen;
3306	int mbcnt = `0`;
3307	int mbnum = `0`;
3308	errno_t error = `0`;
3309	struct cfi_buf *cfi_buf;
3310	struct cfil_queue *inject_q;
3311	int need_rwakeup = `0`;
3312	int count = `0`;
3313
3314	if (cfil_info == NULL)
3315	return (`0`);
3316
3317	socket_lock_assert_owned(so);
3318
3319	if (outgoing) {
3320	cfi_buf = &cfil_info->cfi_snd;
3321	cfil_info->cfi_flags &= ~CFIF_RETRY_INJECT_OUT;
3322	} else {
3323	cfi_buf = &cfil_info->cfi_rcv;
3324	cfil_info->cfi_flags &= ~CFIF_RETRY_INJECT_IN;
3325	}
3326	inject_q = &cfi_buf->cfi_inject_q;
3327
3328	if (cfil_queue_empty(inject_q))
3329	return (`0`);
3330
3331	#if DATA_DEBUG \| VERDICT_DEBUG
3332	CFIL_LOG(LOG_ERR, "CFIL: SERVICE INJECT-Q: <so %llx> outgoing %d queue len %llu",
3333	(uint64_t)VM_KERNEL_ADDRPERM(so), outgoing, cfil_queue_len(inject_q));
3334	#endif
3335
3336	while ((data = cfil_queue_first(inject_q)) != NULL) {
3337	datalen = cfil_data_length(data, &mbcnt, &mbnum);
3338
3339	#if DATA_DEBUG
3340	CFIL_LOG(LOG_DEBUG, "CFIL: SERVICE INJECT-Q: <%s>: <so %llx> data %llx datalen %u (mbcnt %u)",
3341	remote_addr_ptr ? "UNCONNECTED" : "CONNECTED",
3342	(uint64_t)VM_KERNEL_ADDRPERM(so), (uint64_t)VM_KERNEL_ADDRPERM(data), datalen, mbcnt);
3343	#endif
3344
3345	/ Remove data from queue and adjust stats /
3346	cfil_queue_remove(inject_q, data, datalen);
3347	cfi_buf->cfi_pending_first += datalen;
3348	cfi_buf->cfi_pending_mbcnt -= mbcnt;
3349	cfi_buf->cfi_pending_mbnum -= mbnum;
3350	cfil_info_buf_verify(cfi_buf);
3351
3352	if (outgoing) {
3353	error = sosend_reinject(so, NULL, data, NULL, `0`);
3354	if (error != `0`) {
3355	#if DATA_DEBUG
3356	cfil_info_log(LOG_ERR, cfil_info, "CFIL: Error: sosend_reinject() failed");
3357	CFIL_LOG(LOG_ERR, "### sosend() failed %d", error);
3358	#endif
3359	break;
3360	}
3361	// At least one injection succeeded, need to wake up pending threads.
3362	need_rwakeup = `1`;
3363	} else {
3364	data->m_flags \|= M_SKIPCFIL;
3365
3366	/*
3367	* NOTE: We currently only support TCP and UDP.
3368	* For RAWIP, MPTCP and message TCP we'll
3369	* need to call the appropriate sbappendxxx()
3370	* of fix sock_inject_data_in()
3371	*/
3372	if (IS_UDP(so) == TRUE) {
3373	if (sbappendchain(&so->so_rcv, data, `0`))
3374	need_rwakeup = `1`;
3375	} else {
3376	if (sbappendstream(&so->so_rcv, data))
3377	need_rwakeup = `1`;
3378	}
3379	}
3380
3381	if (outgoing)
3382	OSAddAtomic64(datalen,
3383	&cfil_stats.cfs_inject_q_out_passed);
3384	else
3385	OSAddAtomic64(datalen,
3386	&cfil_stats.cfs_inject_q_in_passed);
3387
3388	count++;
3389	}
3390
3391	#if DATA_DEBUG \| VERDICT_DEBUG
3392	CFIL_LOG(LOG_ERR, "CFIL: SERVICE INJECT-Q: <so %llx> injected %d",
3393	(uint64_t)VM_KERNEL_ADDRPERM(so), count);
3394	#endif
3395
3396	/ A single wakeup is for several packets is more efficient /
3397	if (need_rwakeup) {
3398	if (outgoing == TRUE)
3399	sowwakeup(so);
3400	else
3401	sorwakeup(so);
3402	}
3403
3404	if (error != `0` && cfil_info) {
3405	if (error == ENOBUFS)
3406	OSIncrementAtomic(&cfil_stats.cfs_inject_q_nobufs);
3407	if (error == ENOMEM)
3408	OSIncrementAtomic(&cfil_stats.cfs_inject_q_nomem);
3409
3410	if (outgoing) {
3411	cfil_info->cfi_flags \|= CFIF_RETRY_INJECT_OUT;
3412	OSIncrementAtomic(&cfil_stats.cfs_inject_q_out_fail);
3413	} else {
3414	cfil_info->cfi_flags \|= CFIF_RETRY_INJECT_IN;
3415	OSIncrementAtomic(&cfil_stats.cfs_inject_q_in_fail);
3416	}
3417	}
3418
3419	/*
3420	* Notify
3421	*/
3422	if (cfil_info && (cfil_info->cfi_flags & CFIF_SHUT_WR)) {
3423	cfil_sock_notify_shutdown(so, SHUT_WR);
3424	if (cfil_sock_data_pending(&so->so_snd) == `0`)
3425	soshutdownlock_final(so, SHUT_WR);
3426	}
3427	if (cfil_info && (cfil_info->cfi_flags & CFIF_CLOSE_WAIT)) {
3428	if (cfil_filters_attached(so) == `0`) {
3429	CFIL_LOG(LOG_INFO, "so %llx waking",
3430	(uint64_t)VM_KERNEL_ADDRPERM(so));
3431	wakeup((caddr_t)cfil_info);
3432	}
3433	}
3434
3435	CFIL_INFO_VERIFY(cfil_info);
3436
3437	return (error);
3438	}
3439
3440	static int
3441	cfil_service_pending_queue(struct socket so, struct* cfil_info cfil_info, uint32_t kcunit, int* outgoing)
3442	{
3443	uint64_t passlen, curlen;
3444	mbuf_t data;
3445	unsigned int datalen;
3446	errno_t error = `0`;
3447	struct cfil_entry *entry;
3448	struct cfe_buf *entrybuf;
3449	struct cfil_queue *pending_q;
3450
3451	CFIL_LOG(LOG_INFO, "so %llx kcunit %u outgoing %d",
3452	(uint64_t)VM_KERNEL_ADDRPERM(so), kcunit, outgoing);
3453
3454	socket_lock_assert_owned(so);
3455
3456	entry = &cfil_info->cfi_entries[kcunit - `1`];
3457	if (outgoing)
3458	entrybuf = &entry->cfe_snd;
3459	else
3460	entrybuf = &entry->cfe_rcv;
3461
3462	pending_q = &entrybuf->cfe_pending_q;
3463
3464	passlen = entrybuf->cfe_pass_offset - pending_q->q_start;
3465
3466	/*
3467	* Locate the chunks of data that we can pass to the next filter
3468	* A data chunk must be on mbuf boundaries
3469	*/
3470	curlen = `0`;
3471	while ((data = cfil_queue_first(pending_q)) != NULL) {
3472	datalen = cfil_data_length(data, NULL, NULL);
3473
3474	#if DATA_DEBUG
3475	CFIL_LOG(LOG_DEBUG,
3476	"CFIL: SERVICE PENDING-Q: data %llx datalen %u passlen %llu curlen %llu",
3477	(uint64_t)VM_KERNEL_ADDRPERM(data), datalen,
3478	passlen, curlen);
3479	#endif
3480
3481	if (curlen + datalen > passlen)
3482	break;
3483
3484	cfil_queue_remove(pending_q, data, datalen);
3485
3486	curlen += datalen;
3487
3488	for (kcunit += `1`;
3489	kcunit <= MAX_CONTENT_FILTER;
3490	kcunit++) {
3491	error = cfil_data_filter(so, cfil_info, kcunit, outgoing,
3492	data, datalen);
3493	/ 0 means passed so we can continue /
3494	if (error != `0`)
3495	break;
3496	}
3497	/ When data has passed all filters, re-inject /
3498	if (error == `0`) {
3499	if (outgoing) {
3500	cfil_queue_enqueue(
3501	&cfil_info->cfi_snd.cfi_inject_q,
3502	data, datalen);
3503	OSAddAtomic64(datalen,
3504	&cfil_stats.cfs_inject_q_out_enqueued);
3505	} else {
3506	cfil_queue_enqueue(
3507	&cfil_info->cfi_rcv.cfi_inject_q,
3508	data, datalen);
3509	OSAddAtomic64(datalen,
3510	&cfil_stats.cfs_inject_q_in_enqueued);
3511	}
3512	}
3513	}
3514
3515	CFIL_INFO_VERIFY(cfil_info);
3516
3517	return (error);
3518	}
3519
3520	int
3521	cfil_update_data_offsets(struct socket so, struct* cfil_info cfil_info, uint32_t kcunit, int* outgoing,
3522	uint64_t pass_offset, uint64_t peek_offset)
3523	{
3524	errno_t error = `0`;
3525	struct cfil_entry *entry = NULL;
3526	struct cfe_buf *entrybuf;
3527	int updated = `0`;
3528
3529	CFIL_LOG(LOG_INFO, "pass %llu peek %llu", pass_offset, peek_offset);
3530
3531	socket_lock_assert_owned(so);
3532
3533	if (cfil_info == NULL) {
3534	CFIL_LOG(LOG_ERR, "so %llx cfil detached",
3535	(uint64_t)VM_KERNEL_ADDRPERM(so));
3536	error = `0`;
3537	goto done;
3538	} else if (cfil_info->cfi_flags & CFIF_DROP) {
3539	CFIL_LOG(LOG_ERR, "so %llx drop set",
3540	(uint64_t)VM_KERNEL_ADDRPERM(so));
3541	error = EPIPE;
3542	goto done;
3543	}
3544
3545	entry = &cfil_info->cfi_entries[kcunit - `1`];
3546	if (outgoing)
3547	entrybuf = &entry->cfe_snd;
3548	else
3549	entrybuf = &entry->cfe_rcv;
3550
3551	/ Record updated offsets for this content filter /
3552	if (pass_offset > entrybuf->cfe_pass_offset) {
3553	entrybuf->cfe_pass_offset = pass_offset;
3554
3555	if (entrybuf->cfe_peek_offset < entrybuf->cfe_pass_offset)
3556	entrybuf->cfe_peek_offset = entrybuf->cfe_pass_offset;
3557	updated = `1`;
3558	} else {
3559	CFIL_LOG(LOG_INFO, "pass_offset %llu <= cfe_pass_offset %llu",
3560	pass_offset, entrybuf->cfe_pass_offset);
3561	}
3562	/ Filter does not want or need to see data that's allowed to pass /
3563	if (peek_offset > entrybuf->cfe_pass_offset &&
3564	peek_offset > entrybuf->cfe_peek_offset) {
3565	entrybuf->cfe_peek_offset = peek_offset;
3566	updated = `1`;
3567	}
3568	/ Nothing to do /
3569	if (updated == `0`)
3570	goto done;
3571
3572	/ Move data held in control queue to pending queue if needed /
3573	error = cfil_data_service_ctl_q(so, cfil_info, kcunit, outgoing);
3574	if (error != `0`) {
3575	CFIL_LOG(LOG_ERR, "cfil_data_service_ctl_q() error %d",
3576	error);
3577	goto done;
3578	}
3579	error = EJUSTRETURN;
3580
3581	done:
3582	/*
3583	* The filter is effectively detached when pass all from both sides
3584	* or when the socket is closed and no more data is waiting
3585	* to be delivered to the filter
3586	*/
3587	if (entry != NULL &&
3588	((entry->cfe_snd.cfe_pass_offset == CFM_MAX_OFFSET &&
3589	entry->cfe_rcv.cfe_pass_offset == CFM_MAX_OFFSET) \|\|
3590	((cfil_info->cfi_flags & CFIF_CLOSE_WAIT) &&
3591	cfil_queue_empty(&entry->cfe_snd.cfe_ctl_q) &&
3592	cfil_queue_empty(&entry->cfe_rcv.cfe_ctl_q)))) {
3593	entry->cfe_flags \|= CFEF_CFIL_DETACHED;
3594	#if LIFECYCLE_DEBUG
3595	cfil_info_log(LOG_ERR, cfil_info, outgoing ?
3596	"CFIL: LIFECYCLE: OUT - PASSED ALL - DETACH":
3597	"CFIL: LIFECYCLE: IN - PASSED ALL - DETACH");
3598	#endif
3599	CFIL_LOG(LOG_INFO, "so %llx detached %u",
3600	(uint64_t)VM_KERNEL_ADDRPERM(so), kcunit);
3601	if ((cfil_info->cfi_flags & CFIF_CLOSE_WAIT) &&
3602	cfil_filters_attached(so) == `0`) {
3603	#if LIFECYCLE_DEBUG
3604	cfil_info_log(LOG_ERR, cfil_info, "CFIL: LIFECYCLE: WAKING");
3605	#endif
3606	CFIL_LOG(LOG_INFO, "so %llx waking",
3607	(uint64_t)VM_KERNEL_ADDRPERM(so));
3608	wakeup((caddr_t)cfil_info);
3609	}
3610	}
3611	CFIL_INFO_VERIFY(cfil_info);
3612	CFIL_LOG(LOG_INFO, "return %d", error);
3613	return (error);
3614	}
3615
3616	/*
3617	* Update pass offset for socket when no data is pending
3618	*/
3619	static int
3620	cfil_set_socket_pass_offset(struct socket so, struct* cfil_info cfil_info, int* outgoing)
3621	{
3622	struct cfi_buf *cfi_buf;
3623	struct cfil_entry *entry;
3624	struct cfe_buf *entrybuf;
3625	uint32_t kcunit;
3626	uint64_t pass_offset = `0`;
3627
3628	if (cfil_info == NULL)
3629	return (`0`);
3630
3631	CFIL_LOG(LOG_INFO, "so %llx outgoing %d",
3632	(uint64_t)VM_KERNEL_ADDRPERM(so), outgoing);
3633
3634	socket_lock_assert_owned(so);
3635
3636	if (outgoing)
3637	cfi_buf = &cfil_info->cfi_snd;
3638	else
3639	cfi_buf = &cfil_info->cfi_rcv;
3640
3641	CFIL_LOG(LOG_DEBUG, "CFIL: <so %llx, sockID %llu> outgoing %d cfi_pending_first %llu cfi_pending_last %llu",
3642	(uint64_t)VM_KERNEL_ADDRPERM(so), cfil_info->cfi_sock_id, outgoing,
3643	cfi_buf->cfi_pending_first, cfi_buf->cfi_pending_last);
3644
3645	if (cfi_buf->cfi_pending_last - cfi_buf->cfi_pending_first == `0`) {
3646	for (kcunit = `1`; kcunit <= MAX_CONTENT_FILTER; kcunit++) {
3647	entry = &cfil_info->cfi_entries[kcunit - `1`];
3648
3649	/ Are we attached to a filter? /
3650	if (entry->cfe_filter == NULL)
3651	continue;
3652
3653	if (outgoing)
3654	entrybuf = &entry->cfe_snd;
3655	else
3656	entrybuf = &entry->cfe_rcv;
3657
3658	if (pass_offset == `0` \|\|
3659	entrybuf->cfe_pass_offset < pass_offset)
3660	pass_offset = entrybuf->cfe_pass_offset;
3661	}
3662	cfi_buf->cfi_pass_offset = pass_offset;
3663	}
3664
3665	CFIL_LOG(LOG_DEBUG, "CFIL: <so %llx, sockID %llu>, cfi_pass_offset %llu",
3666	(uint64_t)VM_KERNEL_ADDRPERM(so), cfil_info->cfi_sock_id, cfi_buf->cfi_pass_offset);
3667
3668	return (`0`);
3669	}
3670
3671	int
3672	cfil_action_data_pass(struct socket so, struct* cfil_info cfil_info, uint32_t kcunit, int* outgoing,
3673	uint64_t pass_offset, uint64_t peek_offset)
3674	{
3675	errno_t error = `0`;
3676
3677	CFIL_LOG(LOG_INFO, "");
3678
3679	socket_lock_assert_owned(so);
3680
3681	error = cfil_acquire_sockbuf(so, cfil_info, outgoing);
3682	if (error != `0`) {
3683	CFIL_LOG(LOG_INFO, "so %llx %s dropped",
3684	(uint64_t)VM_KERNEL_ADDRPERM(so),
3685	outgoing ? "out" : "in");
3686	goto release;
3687	}
3688
3689	error = cfil_update_data_offsets(so, cfil_info, kcunit, outgoing,
3690	pass_offset, peek_offset);
3691
3692	cfil_service_inject_queue(so, cfil_info, outgoing);
3693
3694	cfil_set_socket_pass_offset(so, cfil_info, outgoing);
3695	release:
3696	CFIL_INFO_VERIFY(cfil_info);
3697	cfil_release_sockbuf(so, outgoing);
3698
3699	return (error);
3700	}
3701
3702
3703	static void
3704	cfil_flush_queues(struct socket so, struct* cfil_info *cfil_info)
3705	{
3706	struct cfil_entry *entry;
3707	int kcunit;
3708	uint64_t drained;
3709
3710	if ((so->so_flags & SOF_CONTENT_FILTER) == `0` \|\| cfil_info == NULL)
3711	goto done;
3712
3713	socket_lock_assert_owned(so);
3714
3715	/*
3716	* Flush the output queues and ignore errors as long as
3717	* we are attached
3718	*/
3719	(void) cfil_acquire_sockbuf(so, cfil_info, `1`);
3720	if (cfil_info != NULL) {
3721	drained = `0`;
3722	for (kcunit = `1`; kcunit <= MAX_CONTENT_FILTER; kcunit++) {
3723	entry = &cfil_info->cfi_entries[kcunit - `1`];
3724
3725	drained += cfil_queue_drain(&entry->cfe_snd.cfe_ctl_q);
3726	drained += cfil_queue_drain(&entry->cfe_snd.cfe_pending_q);
3727	}
3728	drained += cfil_queue_drain(&cfil_info->cfi_snd.cfi_inject_q);
3729
3730	if (drained) {
3731	if (cfil_info->cfi_flags & CFIF_DROP)
3732	OSIncrementAtomic(
3733	&cfil_stats.cfs_flush_out_drop);
3734	else
3735	OSIncrementAtomic(
3736	&cfil_stats.cfs_flush_out_close);
3737	}
3738	}
3739	cfil_release_sockbuf(so, `1`);
3740
3741	/*
3742	* Flush the input queues
3743	*/
3744	(void) cfil_acquire_sockbuf(so, cfil_info, `0`);
3745	if (cfil_info != NULL) {
3746	drained = `0`;
3747	for (kcunit = `1`; kcunit <= MAX_CONTENT_FILTER; kcunit++) {
3748	entry = &cfil_info->cfi_entries[kcunit - `1`];
3749
3750	drained += cfil_queue_drain(
3751	&entry->cfe_rcv.cfe_ctl_q);
3752	drained += cfil_queue_drain(
3753	&entry->cfe_rcv.cfe_pending_q);
3754	}
3755	drained += cfil_queue_drain(&cfil_info->cfi_rcv.cfi_inject_q);
3756
3757	if (drained) {
3758	if (cfil_info->cfi_flags & CFIF_DROP)
3759	OSIncrementAtomic(
3760	&cfil_stats.cfs_flush_in_drop);
3761	else
3762	OSIncrementAtomic(
3763	&cfil_stats.cfs_flush_in_close);
3764	}
3765	}
3766	cfil_release_sockbuf(so, `0`);
3767	done:
3768	CFIL_INFO_VERIFY(cfil_info);
3769	}
3770
3771	int
3772	cfil_action_drop(struct socket so, struct* cfil_info *cfil_info, uint32_t kcunit)
3773	{
3774	errno_t error = `0`;
3775	struct cfil_entry *entry;
3776	struct proc *p;
3777
3778	if ((so->so_flags & SOF_CONTENT_FILTER) == `0` \|\| cfil_info == NULL)
3779	goto done;
3780
3781	socket_lock_assert_owned(so);
3782
3783	entry = &cfil_info->cfi_entries[kcunit - `1`];
3784
3785	/ Are we attached to the filter? /
3786	if (entry->cfe_filter == NULL)
3787	goto done;
3788
3789	cfil_info->cfi_flags \|= CFIF_DROP;
3790
3791	p = current_proc();
3792
3793	/*
3794	* Force the socket to be marked defunct
3795	* (forcing fixed along with rdar://19391339)
3796	*/
3797	if (so->so_cfil_db == NULL) {
3798	error = sosetdefunct(p, so,
3799	SHUTDOWN_SOCKET_LEVEL_CONTENT_FILTER \| SHUTDOWN_SOCKET_LEVEL_DISCONNECT_ALL,
3800	FALSE);
3801
3802	/ Flush the socket buffer and disconnect /
3803	if (error == `0`)
3804	error = sodefunct(p, so,
3805	SHUTDOWN_SOCKET_LEVEL_CONTENT_FILTER \| SHUTDOWN_SOCKET_LEVEL_DISCONNECT_ALL);
3806	}
3807
3808	/ The filter is done, mark as detached /
3809	entry->cfe_flags \|= CFEF_CFIL_DETACHED;
3810	#if LIFECYCLE_DEBUG
3811	cfil_info_log(LOG_ERR, cfil_info, "CFIL: LIFECYCLE: DROP - DETACH");
3812	#endif
3813	CFIL_LOG(LOG_INFO, "so %llx detached %u",
3814	(uint64_t)VM_KERNEL_ADDRPERM(so), kcunit);
3815
3816	/ Pending data needs to go /
3817	cfil_flush_queues(so, cfil_info);
3818
3819	if (cfil_info && (cfil_info->cfi_flags & CFIF_CLOSE_WAIT)) {
3820	if (cfil_filters_attached(so) == `0`) {
3821	CFIL_LOG(LOG_INFO, "so %llx waking",
3822	(uint64_t)VM_KERNEL_ADDRPERM(so));
3823	wakeup((caddr_t)cfil_info);
3824	}
3825	}
3826	done:
3827	return (error);
3828	}
3829
3830	int
3831	cfil_action_bless_client(uint32_t kcunit, struct cfil_msg_hdr *msghdr)
3832	{
3833	errno_t error = `0`;
3834	struct cfil_info *cfil_info = NULL;
3835
3836	bool cfil_attached = false;
3837	struct cfil_msg_bless_client blessmsg = (struct* cfil_msg_bless_client *)msghdr;
3838
3839	// Search and lock socket
3840	struct socket *so = cfil_socket_from_client_uuid(blessmsg->cfb_client_uuid, &cfil_attached);
3841	if (so == NULL) {
3842	error = ENOENT;
3843	} else {
3844	// The client gets a pass automatically
3845	cfil_info = (so->so_cfil_db != NULL) ?
3846	cfil_db_get_cfil_info(so->so_cfil_db, msghdr->cfm_sock_id) : so->so_cfil;
3847
3848	if (cfil_attached) {
3849	#if VERDICT_DEBUG
3850	if (cfil_info != NULL) {
3851	CFIL_LOG(LOG_ERR, "CFIL: VERDICT RECEIVED: BLESS %s <so %llx sockID %llu>",
3852	cfil_info->cfi_hash_entry ? "UDP" : "TCP",
3853	(uint64_t)VM_KERNEL_ADDRPERM(so),
3854	cfil_info->cfi_sock_id);
3855	}
3856	#endif
3857	(void)cfil_action_data_pass(so, cfil_info, kcunit, `1`, CFM_MAX_OFFSET, CFM_MAX_OFFSET);
3858	(void)cfil_action_data_pass(so, cfil_info, kcunit, `0`, CFM_MAX_OFFSET, CFM_MAX_OFFSET);
3859	} else {
3860	so->so_flags1 \|= SOF1_CONTENT_FILTER_SKIP;
3861	}
3862	socket_unlock(so, `1`);
3863	}
3864
3865	return (error);
3866	}
3867
3868	static int
3869	cfil_update_entry_offsets(struct socket so, struct* cfil_info cfil_info, int* outgoing, unsigned int datalen)
3870	{
3871	struct cfil_entry *entry;
3872	struct cfe_buf *entrybuf;
3873	uint32_t kcunit;
3874
3875	CFIL_LOG(LOG_INFO, "so %llx outgoing %d datalen %u",
3876	(uint64_t)VM_KERNEL_ADDRPERM(so), outgoing, datalen);
3877
3878	for (kcunit = `1`; kcunit <= MAX_CONTENT_FILTER; kcunit++) {
3879	entry = &cfil_info->cfi_entries[kcunit - `1`];
3880
3881	/ Are we attached to the filter? /
3882	if (entry->cfe_filter == NULL)
3883	continue;
3884
3885	if (outgoing)
3886	entrybuf = &entry->cfe_snd;
3887	else
3888	entrybuf = &entry->cfe_rcv;
3889
3890	entrybuf->cfe_ctl_q.q_start += datalen;
3891	entrybuf->cfe_pass_offset = entrybuf->cfe_ctl_q.q_start;
3892	entrybuf->cfe_peeked = entrybuf->cfe_ctl_q.q_start;
3893	if (entrybuf->cfe_peek_offset < entrybuf->cfe_pass_offset)
3894	entrybuf->cfe_peek_offset = entrybuf->cfe_pass_offset;
3895
3896	entrybuf->cfe_ctl_q.q_end += datalen;
3897
3898	entrybuf->cfe_pending_q.q_start += datalen;
3899	entrybuf->cfe_pending_q.q_end += datalen;
3900	}
3901	CFIL_INFO_VERIFY(cfil_info);
3902	return (`0`);
3903	}
3904
3905	int
3906	cfil_data_common(struct socket so, struct* cfil_info cfil_info, int* outgoing, struct sockaddr *to,
3907	struct mbuf data, struct* mbuf *control, uint32_t flags)
3908	{
3909	#pragma unused(to, control, flags)
3910	errno_t error = `0`;
3911	unsigned int datalen;
3912	int mbcnt = `0`;
3913	int mbnum = `0`;
3914	int kcunit;
3915	struct cfi_buf *cfi_buf;
3916	struct mbuf *chain = NULL;
3917
3918	if (cfil_info == NULL) {
3919	CFIL_LOG(LOG_ERR, "so %llx cfil detached",
3920	(uint64_t)VM_KERNEL_ADDRPERM(so));
3921	error = `0`;
3922	goto done;
3923	} else if (cfil_info->cfi_flags & CFIF_DROP) {
3924	CFIL_LOG(LOG_ERR, "so %llx drop set",
3925	(uint64_t)VM_KERNEL_ADDRPERM(so));
3926	error = EPIPE;
3927	goto done;
3928	}
3929
3930	datalen = cfil_data_length(data, &mbcnt, &mbnum);
3931
3932	if (outgoing)
3933	cfi_buf = &cfil_info->cfi_snd;
3934	else
3935	cfi_buf = &cfil_info->cfi_rcv;
3936
3937	cfi_buf->cfi_pending_last += datalen;
3938	cfi_buf->cfi_pending_mbcnt += mbcnt;
3939	cfi_buf->cfi_pending_mbnum += mbnum;
3940
3941	if (IS_UDP(so)) {
3942	if (cfi_buf->cfi_pending_mbnum > cfil_udp_gc_mbuf_num_max \|\|
3943	cfi_buf->cfi_pending_mbcnt > cfil_udp_gc_mbuf_cnt_max) {
3944	cfi_buf->cfi_tail_drop_cnt++;
3945	cfi_buf->cfi_pending_mbcnt -= mbcnt;
3946	cfi_buf->cfi_pending_mbnum -= mbnum;
3947	return (EPIPE);
3948	}
3949	}
3950
3951	cfil_info_buf_verify(cfi_buf);
3952
3953	#if DATA_DEBUG
3954	CFIL_LOG(LOG_DEBUG, "CFIL: QUEUEING DATA: <so %llx> %s: data %llx len %u flags 0x%x nextpkt %llx - cfi_pending_last %llu cfi_pending_mbcnt %u cfi_pass_offset %llu",
3955	(uint64_t)VM_KERNEL_ADDRPERM(so),
3956	outgoing ? "OUT" : "IN",
3957	(uint64_t)VM_KERNEL_ADDRPERM(data), datalen, data->m_flags,
3958	(uint64_t)VM_KERNEL_ADDRPERM(data->m_nextpkt),
3959	cfi_buf->cfi_pending_last,
3960	cfi_buf->cfi_pending_mbcnt,
3961	cfi_buf->cfi_pass_offset);
3962	#endif
3963
3964	/ Fast path when below pass offset /
3965	if (cfi_buf->cfi_pending_last <= cfi_buf->cfi_pass_offset) {
3966	cfil_update_entry_offsets(so, cfil_info, outgoing, datalen);
3967	#if DATA_DEBUG
3968	CFIL_LOG(LOG_DEBUG, "CFIL: QUEUEING DATA: FAST PATH");
3969	#endif
3970	} else {
3971	for (kcunit = `1`; kcunit <= MAX_CONTENT_FILTER; kcunit++) {
3972	// Is cfil attached to this filter?
3973	if (IS_ENTRY_ATTACHED(cfil_info, kcunit)) {
3974	if (IS_UDP(so)) {
3975	/ UDP only:*
3976	* Chain addr (incoming only TDB), control (optional) and data into one chain.
3977	* This full chain will be reinjected into socket after recieving verdict.
3978	*/
3979	(void) cfil_udp_save_socket_state(cfil_info, data);
3980	chain = sbconcat_mbufs(NULL, outgoing ? NULL : to, data, control);
3981	if (chain == NULL) {
3982	return (ENOBUFS);
3983	}
3984	data = chain;
3985	}
3986	error = cfil_data_filter(so, cfil_info, kcunit, outgoing, data,
3987	datalen);
3988	}
3989	/ 0 means passed so continue with next filter /
3990	if (error != `0`)
3991	break;
3992	}
3993	}
3994
3995	/ Move cursor if no filter claimed the data /
3996	if (error == `0`) {
3997	cfi_buf->cfi_pending_first += datalen;
3998	cfi_buf->cfi_pending_mbcnt -= mbcnt;
3999	cfi_buf->cfi_pending_mbnum -= mbnum;
4000	cfil_info_buf_verify(cfi_buf);
4001	}
4002	done:
4003	CFIL_INFO_VERIFY(cfil_info);
4004
4005	return (error);
4006	}
4007
4008	/*
4009	* Callback from socket layer sosendxxx()
4010	*/
4011	int
4012	cfil_sock_data_out(struct socket so, struct* sockaddr *to,
4013	struct mbuf data, struct* mbuf *control, uint32_t flags)
4014	{
4015	int error = `0`;
4016
4017	if (IS_UDP(so)) {
4018	return (cfil_sock_udp_handle_data(TRUE, so, NULL, to, data, control, flags));
4019	}
4020
4021	if ((so->so_flags & SOF_CONTENT_FILTER) == `0` \|\| so->so_cfil == NULL)
4022	return (`0`);
4023
4024	socket_lock_assert_owned(so);
4025
4026	if (so->so_cfil->cfi_flags & CFIF_DROP) {
4027	CFIL_LOG(LOG_ERR, "so %llx drop set",
4028	(uint64_t)VM_KERNEL_ADDRPERM(so));
4029	return (EPIPE);
4030	}
4031	if (control != NULL) {
4032	CFIL_LOG(LOG_ERR, "so %llx control",
4033	(uint64_t)VM_KERNEL_ADDRPERM(so));
4034	OSIncrementAtomic(&cfil_stats.cfs_data_out_control);
4035	}
4036	if ((flags & MSG_OOB)) {
4037	CFIL_LOG(LOG_ERR, "so %llx MSG_OOB",
4038	(uint64_t)VM_KERNEL_ADDRPERM(so));
4039	OSIncrementAtomic(&cfil_stats.cfs_data_out_oob);
4040	}
4041	if ((so->so_snd.sb_flags & SB_LOCK) == `0`)
4042	panic("so %p SB_LOCK not set", so);
4043
4044	if (so->so_snd.sb_cfil_thread != NULL)
4045	panic("%s sb_cfil_thread %p not NULL", __func__,
4046	so->so_snd.sb_cfil_thread);
4047
4048	error = cfil_data_common(so, so->so_cfil, `1`, to, data, control, flags);
4049
4050	return (error);
4051	}
4052
4053	/*
4054	* Callback from socket layer sbappendxxx()
4055	*/
4056	int
4057	cfil_sock_data_in(struct socket so, struct* sockaddr *from,
4058	struct mbuf data, struct* mbuf *control, uint32_t flags)
4059	{
4060	int error = `0`;
4061
4062	if (IS_UDP(so)) {
4063	return (cfil_sock_udp_handle_data(FALSE, so, NULL, from, data, control, flags));
4064	}
4065
4066	if ((so->so_flags & SOF_CONTENT_FILTER) == `0` \|\| so->so_cfil == NULL)
4067	return (`0`);
4068
4069	socket_lock_assert_owned(so);
4070
4071	if (so->so_cfil->cfi_flags & CFIF_DROP) {
4072	CFIL_LOG(LOG_ERR, "so %llx drop set",
4073	(uint64_t)VM_KERNEL_ADDRPERM(so));
4074	return (EPIPE);
4075	}
4076	if (control != NULL) {
4077	CFIL_LOG(LOG_ERR, "so %llx control",
4078	(uint64_t)VM_KERNEL_ADDRPERM(so));
4079	OSIncrementAtomic(&cfil_stats.cfs_data_in_control);
4080	}
4081	if (data->m_type == MT_OOBDATA) {
4082	CFIL_LOG(LOG_ERR, "so %llx MSG_OOB",
4083	(uint64_t)VM_KERNEL_ADDRPERM(so));
4084	OSIncrementAtomic(&cfil_stats.cfs_data_in_oob);
4085	}
4086	error = cfil_data_common(so, so->so_cfil, `0`, from, data, control, flags);
4087
4088	return (error);
4089	}
4090
4091	/*
4092	* Callback from socket layer soshutdownxxx()
4093	*
4094	* We may delay the shutdown write if there's outgoing data in process.
4095	*
4096	* There is no point in delaying the shutdown read because the process
4097	* indicated that it does not want to read anymore data.
4098	*/
4099	int
4100	cfil_sock_shutdown(struct socket so, int* *how)
4101	{
4102	int error = `0`;
4103
4104	if (IS_UDP(so)) {
4105	return (cfil_sock_udp_shutdown(so, how));
4106	}
4107
4108	if ((so->so_flags & SOF_CONTENT_FILTER) == `0` \|\| so->so_cfil == NULL)
4109	goto done;
4110
4111	socket_lock_assert_owned(so);
4112
4113	CFIL_LOG(LOG_INFO, "so %llx how %d",
4114	(uint64_t)VM_KERNEL_ADDRPERM(so), *how);
4115
4116	/*
4117	* Check the state of the socket before the content filter
4118	*/
4119	if (*how != SHUT_WR && (so->so_state & SS_CANTRCVMORE) != `0`) {
4120	/ read already shut down /
4121	error = ENOTCONN;
4122	goto done;
4123	}
4124	if (*how != SHUT_RD && (so->so_state & SS_CANTSENDMORE) != `0`) {
4125	/ write already shut down /
4126	error = ENOTCONN;
4127	goto done;
4128	}
4129
4130	if ((so->so_cfil->cfi_flags & CFIF_DROP) != `0`) {
4131	CFIL_LOG(LOG_ERR, "so %llx drop set",
4132	(uint64_t)VM_KERNEL_ADDRPERM(so));
4133	goto done;
4134	}
4135
4136	/*
4137	* shutdown read: SHUT_RD or SHUT_RDWR
4138	*/
4139	if (*how != SHUT_WR) {
4140	if (so->so_cfil->cfi_flags & CFIF_SHUT_RD) {
4141	error = ENOTCONN;
4142	goto done;
4143	}
4144	so->so_cfil->cfi_flags \|= CFIF_SHUT_RD;
4145	cfil_sock_notify_shutdown(so, SHUT_RD);
4146	}
4147	/*
4148	* shutdown write: SHUT_WR or SHUT_RDWR
4149	*/
4150	if (*how != SHUT_RD) {
4151	if (so->so_cfil->cfi_flags & CFIF_SHUT_WR) {
4152	error = ENOTCONN;
4153	goto done;
4154	}
4155	so->so_cfil->cfi_flags \|= CFIF_SHUT_WR;
4156	cfil_sock_notify_shutdown(so, SHUT_WR);
4157	/*
4158	* When outgoing data is pending, we delay the shutdown at the
4159	* protocol level until the content filters give the final
4160	* verdict on the pending data.
4161	*/
4162	if (cfil_sock_data_pending(&so->so_snd) != `0`) {
4163	/*
4164	* When shutting down the read and write sides at once
4165	* we can proceed to the final shutdown of the read
4166	* side. Otherwise, we just return.
4167	*/
4168	if (*how == SHUT_WR) {
4169	error = EJUSTRETURN;
4170	} else if (*how == SHUT_RDWR) {
4171	*how = SHUT_RD;
4172	}
4173	}
4174	}
4175	done:
4176	return (error);
4177	}
4178
4179	/*
4180	* This is called when the socket is closed and there is no more
4181	* opportunity for filtering
4182	*/
4183	void
4184	cfil_sock_is_closed(struct socket *so)
4185	{
4186	errno_t error = `0`;
4187	int kcunit;
4188
4189	if (IS_UDP(so)) {
4190	cfil_sock_udp_is_closed(so);
4191	return;
4192	}
4193
4194	if ((so->so_flags & SOF_CONTENT_FILTER) == `0` \|\| so->so_cfil == NULL)
4195	return;
4196
4197	CFIL_LOG(LOG_INFO, "so %llx", (uint64_t)VM_KERNEL_ADDRPERM(so));
4198
4199	socket_lock_assert_owned(so);
4200
4201	for (kcunit = `1`; kcunit <= MAX_CONTENT_FILTER; kcunit++) {
4202	/ Let the filters know of the closing /
4203	error = cfil_dispatch_closed_event(so, so->so_cfil, kcunit);
4204	}
4205
4206	/ Last chance to push passed data out /
4207	error = cfil_acquire_sockbuf(so, so->so_cfil, `1`);
4208	if (error == `0`)
4209	cfil_service_inject_queue(so, so->so_cfil, `1`);
4210	cfil_release_sockbuf(so, `1`);
4211
4212	so->so_cfil->cfi_flags \|= CFIF_SOCK_CLOSED;
4213
4214	/ Pending data needs to go /
4215	cfil_flush_queues(so, so->so_cfil);
4216
4217	CFIL_INFO_VERIFY(so->so_cfil);
4218	}
4219
4220	/*
4221	* This is called when the socket is disconnected so let the filters
4222	* know about the disconnection and that no more data will come
4223	*
4224	* The how parameter has the same values as soshutown()
4225	*/
4226	void
4227	cfil_sock_notify_shutdown(struct socket so, int* how)
4228	{
4229	errno_t error = `0`;
4230	int kcunit;
4231
4232	if (IS_UDP(so)) {
4233	cfil_sock_udp_notify_shutdown(so, how, `0`, `0`);
4234	return;
4235	}
4236
4237	if ((so->so_flags & SOF_CONTENT_FILTER) == `0` \|\| so->so_cfil == NULL)
4238	return;
4239
4240	CFIL_LOG(LOG_INFO, "so %llx how %d",
4241	(uint64_t)VM_KERNEL_ADDRPERM(so), how);
4242
4243	socket_lock_assert_owned(so);
4244
4245	for (kcunit = `1`; kcunit <= MAX_CONTENT_FILTER; kcunit++) {
4246	/ Disconnect incoming side /
4247	if (how != SHUT_WR)
4248	error = cfil_dispatch_disconnect_event(so, so->so_cfil, kcunit, `0`);
4249	/ Disconnect outgoing side /
4250	if (how != SHUT_RD)
4251	error = cfil_dispatch_disconnect_event(so, so->so_cfil, kcunit, `1`);
4252	}
4253	}
4254
4255	static int
4256	cfil_filters_attached(struct socket *so)
4257	{
4258	struct cfil_entry *entry;
4259	uint32_t kcunit;
4260	int attached = `0`;
4261
4262	if (IS_UDP(so)) {
4263	return cfil_filters_udp_attached(so, FALSE);
4264	}
4265
4266	if ((so->so_flags & SOF_CONTENT_FILTER) == `0` \|\| so->so_cfil == NULL)
4267	return (`0`);
4268
4269	socket_lock_assert_owned(so);
4270
4271	for (kcunit = `1`; kcunit <= MAX_CONTENT_FILTER; kcunit++) {
4272	entry = &so->so_cfil->cfi_entries[kcunit - `1`];
4273
4274	/ Are we attached to the filter? /
4275	if (entry->cfe_filter == NULL)
4276	continue;
4277	if ((entry->cfe_flags & CFEF_SENT_SOCK_ATTACHED) == `0`)
4278	continue;
4279	if ((entry->cfe_flags & CFEF_CFIL_DETACHED) != `0`)
4280	continue;
4281	attached = `1`;
4282	break;
4283	}
4284
4285	return (attached);
4286	}
4287
4288	/*
4289	* This is called when the socket is closed and we are waiting for
4290	* the filters to gives the final pass or drop
4291	*/
4292	void
4293	cfil_sock_close_wait(struct socket *so)
4294	{
4295	lck_mtx_t *mutex_held;
4296	struct timespec ts;
4297	int error;
4298
4299	if (IS_UDP(so)) {
4300	cfil_sock_udp_close_wait(so);
4301	return;
4302	}
4303
4304	if ((so->so_flags & SOF_CONTENT_FILTER) == `0` \|\| so->so_cfil == NULL)
4305	return;
4306
4307	CFIL_LOG(LOG_INFO, "so %llx", (uint64_t)VM_KERNEL_ADDRPERM(so));
4308
4309	if (so->so_proto->pr_getlock != NULL)
4310	mutex_held = (*so->so_proto->pr_getlock)(so, PR_F_WILLUNLOCK);
4311	else
4312	mutex_held = so->so_proto->pr_domain->dom_mtx;
4313	LCK_MTX_ASSERT(mutex_held, LCK_MTX_ASSERT_OWNED);
4314
4315	while (cfil_filters_attached(so)) {
4316	/*
4317	* Notify the filters we are going away so they can detach
4318	*/
4319	cfil_sock_notify_shutdown(so, SHUT_RDWR);
4320
4321	/*
4322	* Make sure we need to wait after the filter are notified
4323	* of the disconnection
4324	*/
4325	if (cfil_filters_attached(so) == `0`)
4326	break;
4327
4328	CFIL_LOG(LOG_INFO, "so %llx waiting",
4329	(uint64_t)VM_KERNEL_ADDRPERM(so));
4330
4331	ts.tv_sec = cfil_close_wait_timeout / `1000`;
4332	ts.tv_nsec = (cfil_close_wait_timeout % `1000`) *
4333	NSEC_PER_USEC * `1000`;
4334
4335	OSIncrementAtomic(&cfil_stats.cfs_close_wait);
4336	so->so_cfil->cfi_flags \|= CFIF_CLOSE_WAIT;
4337	error = msleep((caddr_t)so->so_cfil, mutex_held,
4338	PSOCK \| PCATCH, "cfil_sock_close_wait", &ts);
4339	so->so_cfil->cfi_flags &= ~CFIF_CLOSE_WAIT;
4340
4341	CFIL_LOG(LOG_NOTICE, "so %llx timed out %d",
4342	(uint64_t)VM_KERNEL_ADDRPERM(so), (error != `0`));
4343
4344	/*
4345	* Force close in case of timeout
4346	*/
4347	if (error != `0`) {
4348	OSIncrementAtomic(&cfil_stats.cfs_close_wait_timeout);
4349	break;
4350	}
4351	}
4352
4353	}
4354
4355	/*
4356	* Returns the size of the data held by the content filter by using
4357	*/
4358	int32_t
4359	cfil_sock_data_pending(struct sockbuf *sb)
4360	{
4361	struct socket *so = sb->sb_so;
4362	uint64_t pending = `0`;
4363
4364	if (IS_UDP(so)) {
4365	return (cfil_sock_udp_data_pending(sb, FALSE));
4366	}
4367
4368	if ((so->so_flags & SOF_CONTENT_FILTER) != `0` && so->so_cfil != NULL) {
4369	struct cfi_buf *cfi_buf;
4370
4371	socket_lock_assert_owned(so);
4372
4373	if ((sb->sb_flags & SB_RECV) == `0`)
4374	cfi_buf = &so->so_cfil->cfi_snd;
4375	else
4376	cfi_buf = &so->so_cfil->cfi_rcv;
4377
4378	pending = cfi_buf->cfi_pending_last -
4379	cfi_buf->cfi_pending_first;
4380
4381	/*
4382	* If we are limited by the "chars of mbufs used" roughly
4383	* adjust so we won't overcommit
4384	*/
4385	if (pending > (uint64_t)cfi_buf->cfi_pending_mbcnt)
4386	pending = cfi_buf->cfi_pending_mbcnt;
4387	}
4388
4389	VERIFY(pending < INT32_MAX);
4390
4391	return (int32_t)(pending);
4392	}
4393
4394	/*
4395	* Return the socket buffer space used by data being held by content filters
4396	* so processes won't clog the socket buffer
4397	*/
4398	int32_t
4399	cfil_sock_data_space(struct sockbuf *sb)
4400	{
4401	struct socket *so = sb->sb_so;
4402	uint64_t pending = `0`;
4403
4404	if (IS_UDP(so)) {
4405	return (cfil_sock_udp_data_pending(sb, TRUE));
4406	}
4407
4408	if ((so->so_flags & SOF_CONTENT_FILTER) != `0` && so->so_cfil != NULL &&
4409	so->so_snd.sb_cfil_thread != current_thread()) {
4410	struct cfi_buf *cfi_buf;
4411
4412	socket_lock_assert_owned(so);
4413
4414	if ((sb->sb_flags & SB_RECV) == `0`)
4415	cfi_buf = &so->so_cfil->cfi_snd;
4416	else
4417	cfi_buf = &so->so_cfil->cfi_rcv;
4418
4419	pending = cfi_buf->cfi_pending_last -
4420	cfi_buf->cfi_pending_first;
4421
4422	/*
4423	* If we are limited by the "chars of mbufs used" roughly
4424	* adjust so we won't overcommit
4425	*/
4426	if ((uint64_t)cfi_buf->cfi_pending_mbcnt > pending)
4427	pending = cfi_buf->cfi_pending_mbcnt;
4428	}
4429
4430	VERIFY(pending < INT32_MAX);
4431
4432	return (int32_t)(pending);
4433	}
4434
4435	/*
4436	* A callback from the socket and protocol layer when data becomes
4437	* available in the socket buffer to give a chance for the content filter
4438	* to re-inject data that was held back
4439	*/
4440	void
4441	cfil_sock_buf_update(struct sockbuf *sb)
4442	{
4443	int outgoing;
4444	int error;
4445	struct socket *so = sb->sb_so;
4446
4447	if (IS_UDP(so)) {
4448	cfil_sock_udp_buf_update(sb);
4449	return;
4450	}
4451
4452	if ((so->so_flags & SOF_CONTENT_FILTER) == `0` \|\| so->so_cfil == NULL)
4453	return;
4454
4455	if (!cfil_sbtrim)
4456	return;
4457
4458	socket_lock_assert_owned(so);
4459
4460	if ((sb->sb_flags & SB_RECV) == `0`) {
4461	if ((so->so_cfil->cfi_flags & CFIF_RETRY_INJECT_OUT) == `0`)
4462	return;
4463	outgoing = `1`;
4464	OSIncrementAtomic(&cfil_stats.cfs_inject_q_out_retry);
4465	} else {
4466	if ((so->so_cfil->cfi_flags & CFIF_RETRY_INJECT_IN) == `0`)
4467	return;
4468	outgoing = `0`;
4469	OSIncrementAtomic(&cfil_stats.cfs_inject_q_in_retry);
4470	}
4471
4472	CFIL_LOG(LOG_NOTICE, "so %llx outgoing %d",
4473	(uint64_t)VM_KERNEL_ADDRPERM(so), outgoing);
4474
4475	error = cfil_acquire_sockbuf(so, so->so_cfil, outgoing);
4476	if (error == `0`)
4477	cfil_service_inject_queue(so, so->so_cfil, outgoing);
4478	cfil_release_sockbuf(so, outgoing);
4479	}
4480
4481	int
4482	sysctl_cfil_filter_list(struct sysctl_oid oidp, void* arg1, int* arg2,
4483	struct sysctl_req *req)
4484	{
4485	#pragma unused(oidp, arg1, arg2)
4486	int error = `0`;
4487	size_t len = `0`;
4488	u_int32_t i;
4489
4490	/ Read only /
4491	if (req->newptr != USER_ADDR_NULL)
4492	return (EPERM);
4493
4494	cfil_rw_lock_shared(&cfil_lck_rw);
4495
4496	for (i = `0`; content_filters != NULL && i < MAX_CONTENT_FILTER; i++) {
4497	struct cfil_filter_stat filter_stat;
4498	struct content_filter *cfc = content_filters[i];
4499
4500	if (cfc == NULL)
4501	continue;
4502
4503	/ If just asking for the size /
4504	if (req->oldptr == USER_ADDR_NULL) {
4505	len += sizeof(struct cfil_filter_stat);
4506	continue;
4507	}
4508
4509	bzero(&filter_stat, sizeof(struct cfil_filter_stat));
4510	filter_stat.cfs_len = sizeof(struct cfil_filter_stat);
4511	filter_stat.cfs_filter_id = cfc->cf_kcunit;
4512	filter_stat.cfs_flags = cfc->cf_flags;
4513	filter_stat.cfs_sock_count = cfc->cf_sock_count;
4514	filter_stat.cfs_necp_control_unit = cfc->cf_necp_control_unit;
4515
4516	error = SYSCTL_OUT(req, &filter_stat,
4517	sizeof (struct cfil_filter_stat));
4518	if (error != `0`)
4519	break;
4520	}
4521	/ If just asking for the size /
4522	if (req->oldptr == USER_ADDR_NULL)
4523	req->oldidx = len;
4524
4525	cfil_rw_unlock_shared(&cfil_lck_rw);
4526
4527	#if SHOW_DEBUG
4528	if (req->oldptr != USER_ADDR_NULL) {
4529	for (i = `1`; content_filters != NULL && i <= MAX_CONTENT_FILTER; i++) {
4530	cfil_filter_show(i);
4531	}
4532	}
4533	#endif
4534
4535	return (error);
4536	}
4537
4538	static int sysctl_cfil_sock_list(struct sysctl_oid oidp, void* arg1, int* arg2,
4539	struct sysctl_req *req)
4540	{
4541	#pragma unused(oidp, arg1, arg2)
4542	int error = `0`;
4543	u_int32_t i;
4544	struct cfil_info *cfi;
4545
4546	/ Read only /
4547	if (req->newptr != USER_ADDR_NULL)
4548	return (EPERM);
4549
4550	cfil_rw_lock_shared(&cfil_lck_rw);
4551
4552	/*
4553	* If just asking for the size,
4554	*/
4555	if (req->oldptr == USER_ADDR_NULL) {
4556	req->oldidx = cfil_sock_attached_count *
4557	sizeof(struct cfil_sock_stat);
4558	/ Bump the length in case new sockets gets attached /
4559	req->oldidx += req->oldidx >> `3`;
4560	goto done;
4561	}
4562
4563	TAILQ_FOREACH(cfi, &cfil_sock_head, cfi_link) {
4564	struct cfil_entry *entry;
4565	struct cfil_sock_stat stat;
4566	struct socket *so = cfi->cfi_so;
4567
4568	bzero(&stat, sizeof(struct cfil_sock_stat));
4569	stat.cfs_len = sizeof(struct cfil_sock_stat);
4570	stat.cfs_sock_id = cfi->cfi_sock_id;
4571	stat.cfs_flags = cfi->cfi_flags;
4572
4573	if (so != NULL) {
4574	stat.cfs_pid = so->last_pid;
4575	memcpy(stat.cfs_uuid, so->last_uuid,
4576	sizeof(uuid_t));
4577	if (so->so_flags & SOF_DELEGATED) {
4578	stat.cfs_e_pid = so->e_pid;
4579	memcpy(stat.cfs_e_uuid, so->e_uuid,
4580	sizeof(uuid_t));
4581	} else {
4582	stat.cfs_e_pid = so->last_pid;
4583	memcpy(stat.cfs_e_uuid, so->last_uuid,
4584	sizeof(uuid_t));
4585	}
4586
4587	stat.cfs_sock_family = so->so_proto->pr_domain->dom_family;
4588	stat.cfs_sock_type = so->so_proto->pr_type;
4589	stat.cfs_sock_protocol = so->so_proto->pr_protocol;
4590	}
4591
4592	stat.cfs_snd.cbs_pending_first =
4593	cfi->cfi_snd.cfi_pending_first;
4594	stat.cfs_snd.cbs_pending_last =
4595	cfi->cfi_snd.cfi_pending_last;
4596	stat.cfs_snd.cbs_inject_q_len =
4597	cfil_queue_len(&cfi->cfi_snd.cfi_inject_q);
4598	stat.cfs_snd.cbs_pass_offset =
4599	cfi->cfi_snd.cfi_pass_offset;
4600
4601	stat.cfs_rcv.cbs_pending_first =
4602	cfi->cfi_rcv.cfi_pending_first;
4603	stat.cfs_rcv.cbs_pending_last =
4604	cfi->cfi_rcv.cfi_pending_last;
4605	stat.cfs_rcv.cbs_inject_q_len =
4606	cfil_queue_len(&cfi->cfi_rcv.cfi_inject_q);
4607	stat.cfs_rcv.cbs_pass_offset =
4608	cfi->cfi_rcv.cfi_pass_offset;
4609
4610	for (i = `0`; i < MAX_CONTENT_FILTER; i++) {
4611	struct cfil_entry_stat *estat;
4612	struct cfe_buf *ebuf;
4613	struct cfe_buf_stat *sbuf;
4614
4615	entry = &cfi->cfi_entries[i];
4616
4617	estat = &stat.ces_entries[i];
4618
4619	estat->ces_len = sizeof(struct cfil_entry_stat);
4620	estat->ces_filter_id = entry->cfe_filter ?
4621	entry->cfe_filter->cf_kcunit : `0`;
4622	estat->ces_flags = entry->cfe_flags;
4623	estat->ces_necp_control_unit =
4624	entry->cfe_necp_control_unit;
4625
4626	estat->ces_last_event.tv_sec =
4627	(int64_t)entry->cfe_last_event.tv_sec;
4628	estat->ces_last_event.tv_usec =
4629	(int64_t)entry->cfe_last_event.tv_usec;
4630
4631	estat->ces_last_action.tv_sec =
4632	(int64_t)entry->cfe_last_action.tv_sec;
4633	estat->ces_last_action.tv_usec =
4634	(int64_t)entry->cfe_last_action.tv_usec;
4635
4636	ebuf = &entry->cfe_snd;
4637	sbuf = &estat->ces_snd;
4638	sbuf->cbs_pending_first =
4639	cfil_queue_offset_first(&ebuf->cfe_pending_q);
4640	sbuf->cbs_pending_last =
4641	cfil_queue_offset_last(&ebuf->cfe_pending_q);
4642	sbuf->cbs_ctl_first =
4643	cfil_queue_offset_first(&ebuf->cfe_ctl_q);
4644	sbuf->cbs_ctl_last =
4645	cfil_queue_offset_last(&ebuf->cfe_ctl_q);
4646	sbuf->cbs_pass_offset = ebuf->cfe_pass_offset;
4647	sbuf->cbs_peek_offset = ebuf->cfe_peek_offset;
4648	sbuf->cbs_peeked = ebuf->cfe_peeked;
4649
4650	ebuf = &entry->cfe_rcv;
4651	sbuf = &estat->ces_rcv;
4652	sbuf->cbs_pending_first =
4653	cfil_queue_offset_first(&ebuf->cfe_pending_q);
4654	sbuf->cbs_pending_last =
4655	cfil_queue_offset_last(&ebuf->cfe_pending_q);
4656	sbuf->cbs_ctl_first =
4657	cfil_queue_offset_first(&ebuf->cfe_ctl_q);
4658	sbuf->cbs_ctl_last =
4659	cfil_queue_offset_last(&ebuf->cfe_ctl_q);
4660	sbuf->cbs_pass_offset = ebuf->cfe_pass_offset;
4661	sbuf->cbs_peek_offset = ebuf->cfe_peek_offset;
4662	sbuf->cbs_peeked = ebuf->cfe_peeked;
4663	}
4664	error = SYSCTL_OUT(req, &stat,
4665	sizeof (struct cfil_sock_stat));
4666	if (error != `0`)
4667	break;
4668	}
4669	done:
4670	cfil_rw_unlock_shared(&cfil_lck_rw);
4671
4672	#if SHOW_DEBUG
4673	if (req->oldptr != USER_ADDR_NULL) {
4674	cfil_info_show();
4675	}
4676	#endif
4677
4678	return (error);
4679	}
4680
4681	/*
4682	* UDP Socket Support
4683	*/
4684	static void
4685	cfil_hash_entry_log(int level, struct socket so, struct* cfil_hash_entry entry, uint64_t sockId, const* char* msg)
4686	{
4687	char local[MAX_IPv6_STR_LEN+`6`];
4688	char remote[MAX_IPv6_STR_LEN+`6`];
4689	const void *addr;
4690
4691	// No sock or not UDP, no-op
4692	if (so == NULL \|\| entry == NULL) {
4693	return;
4694	}
4695
4696	local[`0`] = remote[`0`] = `0x0`;
4697
4698	switch (entry->cfentry_family) {
4699	case AF_INET6:
4700	addr = &entry->cfentry_laddr.addr6;
4701	inet_ntop(AF_INET6, addr, local, sizeof(local));
4702	addr = &entry->cfentry_faddr.addr6;
4703	inet_ntop(AF_INET6, addr, remote, sizeof(local));
4704	break;
4705	case AF_INET:
4706	addr = &entry->cfentry_laddr.addr46.ia46_addr4.s_addr;
4707	inet_ntop(AF_INET, addr, local, sizeof(local));
4708	addr = &entry->cfentry_faddr.addr46.ia46_addr4.s_addr;
4709	inet_ntop(AF_INET, addr, remote, sizeof(local));
4710	break;
4711	default:
4712	return;
4713	}
4714
4715	CFIL_LOG(level, "<%s>: <UDP so %llx, entry %p, sockID %llu> lport %d fport %d laddr %s faddr %s",
4716	msg,
4717	(uint64_t)VM_KERNEL_ADDRPERM(so), entry, sockId,
4718	ntohs(entry->cfentry_lport), ntohs(entry->cfentry_fport), local, remote);
4719	}
4720
4721	static void
4722	cfil_inp_log(int level, struct socket so, const* char* msg)
4723	{
4724	struct inpcb *inp = NULL;
4725	char local[MAX_IPv6_STR_LEN+`6`];
4726	char remote[MAX_IPv6_STR_LEN+`6`];
4727	const void *addr;
4728
4729	if (so == NULL) {
4730	return;
4731	}
4732
4733	inp = sotoinpcb(so);
4734	if (inp == NULL) {
4735	return;
4736	}
4737
4738	local[`0`] = remote[`0`] = `0x0`;
4739
4740	#if INET6
4741	if (inp->inp_vflag & INP_IPV6) {
4742	addr = &inp->in6p_laddr.s6_addr32;
4743	inet_ntop(AF_INET6, addr, local, sizeof(local));
4744	addr = &inp->in6p_faddr.s6_addr32;
4745	inet_ntop(AF_INET6, addr, remote, sizeof(local));
4746	} else
4747	#endif /* INET6 */
4748	{
4749	addr = &inp->inp_laddr.s_addr;
4750	inet_ntop(AF_INET, addr, local, sizeof(local));
4751	addr = &inp->inp_faddr.s_addr;
4752	inet_ntop(AF_INET, addr, remote, sizeof(local));
4753	}
4754
4755	if (so->so_cfil != NULL)
4756	CFIL_LOG(level, "<%s>: <%s so %llx - flags 0x%x 0x%x, sockID %llu> lport %d fport %d laddr %s faddr %s",
4757	msg, IS_UDP(so) ? "UDP" : "TCP",
4758	(uint64_t)VM_KERNEL_ADDRPERM(so), inp->inp_flags, inp->inp_socket->so_flags, so->so_cfil->cfi_sock_id,
4759	ntohs(inp->inp_lport), ntohs(inp->inp_fport), local, remote);
4760	else
4761	CFIL_LOG(level, "<%s>: <%s so %llx - flags 0x%x 0x%x> lport %d fport %d laddr %s faddr %s",
4762	msg, IS_UDP(so) ? "UDP" : "TCP",
4763	(uint64_t)VM_KERNEL_ADDRPERM(so), inp->inp_flags, inp->inp_socket->so_flags,
4764	ntohs(inp->inp_lport), ntohs(inp->inp_fport), local, remote);
4765	}
4766
4767	static void
4768	cfil_info_log(int level, struct cfil_info cfil_info, const* char* msg)
4769	{
4770	if (cfil_info == NULL)
4771	return;
4772
4773	if (cfil_info->cfi_hash_entry != NULL)
4774	cfil_hash_entry_log(level, cfil_info->cfi_so, cfil_info->cfi_hash_entry, cfil_info->cfi_sock_id, msg);
4775	else
4776	cfil_inp_log(level, cfil_info->cfi_so, msg);
4777	}
4778
4779	errno_t
4780	cfil_db_init(struct socket *so)
4781	{
4782	errno_t error = `0`;
4783	struct cfil_db *db = NULL;
4784
4785	CFIL_LOG(LOG_INFO, "");
4786
4787	db = zalloc(cfil_db_zone);
4788	if (db == NULL) {
4789	error = ENOMEM;
4790	goto done;
4791	}
4792	bzero(db, sizeof(struct cfil_db));
4793	db->cfdb_so = so;
4794	db->cfdb_hashbase = hashinit(CFILHASHSIZE, M_CFIL, &db->cfdb_hashmask);
4795	if (db->cfdb_hashbase == NULL) {
4796	zfree(cfil_db_zone, db);
4797	db = NULL;
4798	error = ENOMEM;
4799	goto done;
4800	}
4801
4802	so->so_cfil_db = db;
4803
4804	done:
4805	return (error);
4806	}
4807
4808	void
4809	cfil_db_free(struct socket *so)
4810	{
4811	struct cfil_hash_entry *entry = NULL;
4812	struct cfil_hash_entry *temp_entry = NULL;
4813	struct cfilhashhead *cfilhash = NULL;
4814	struct cfil_db *db = NULL;
4815
4816	CFIL_LOG(LOG_INFO, "");
4817
4818	if (so == NULL \|\| so->so_cfil_db == NULL) {
4819	return;
4820	}
4821	db = so->so_cfil_db;
4822
4823	#if LIFECYCLE_DEBUG
4824	CFIL_LOG(LOG_ERR, "CFIL: LIFECYCLE: <so %llx, db %p> freeing db (count == %d)",
4825	(uint64_t)VM_KERNEL_ADDRPERM(so), db, db->cfdb_count);
4826	#endif
4827
4828	for (int i = `0`; i < CFILHASHSIZE; i++) {
4829	cfilhash = &db->cfdb_hashbase[i];
4830	LIST_FOREACH_SAFE(entry, cfilhash, cfentry_link, temp_entry) {
4831	if (entry->cfentry_cfil != NULL) {
4832	#if LIFECYCLE_DEBUG
4833	cfil_info_log(LOG_ERR, entry->cfentry_cfil, "CFIL: LIFECYCLE: DB FREE CLEAN UP");
4834	#endif
4835	cfil_info_free(entry->cfentry_cfil);
4836	OSIncrementAtomic(&cfil_stats.cfs_sock_detached);
4837	entry->cfentry_cfil = NULL;
4838	}
4839
4840	cfil_db_delete_entry(db, entry);
4841	if (so->so_flags & SOF_CONTENT_FILTER) {
4842	if (db->cfdb_count == `0`)
4843	so->so_flags &= ~SOF_CONTENT_FILTER;
4844	VERIFY(so->so_usecount > `0`);
4845	so->so_usecount--;
4846	}
4847	}
4848	}
4849
4850	// Make sure all entries are cleaned up!
4851	VERIFY(db->cfdb_count == `0`);
4852	#if LIFECYCLE_DEBUG
4853	CFIL_LOG(LOG_ERR, "CFIL: LIFECYCLE: so usecount %d", so->so_usecount);
4854	#endif
4855
4856	FREE(db->cfdb_hashbase, M_CFIL);
4857	zfree(cfil_db_zone, db);
4858	so->so_cfil_db = NULL;
4859	}
4860
4861	static bool
4862	fill_cfil_hash_entry_from_address(struct cfil_hash_entry entry, bool isLocal, struct* sockaddr *addr)
4863	{
4864	struct sockaddr_in *sin = NULL;
4865	struct sockaddr_in6 *sin6 = NULL;
4866
4867	if (entry == NULL \|\| addr == NULL) {
4868	return FALSE;
4869	}
4870
4871	switch (addr->sa_family) {
4872	case AF_INET:
4873	sin = satosin(addr);
4874	if (sin->sin_len != sizeof(*sin)) {
4875	return FALSE;
4876	}
4877	if (isLocal == TRUE) {
4878	entry->cfentry_lport = sin->sin_port;
4879	entry->cfentry_laddr.addr46.ia46_addr4.s_addr = sin->sin_addr.s_addr;
4880	} else {
4881	entry->cfentry_fport = sin->sin_port;
4882	entry->cfentry_faddr.addr46.ia46_addr4.s_addr = sin->sin_addr.s_addr;
4883	}
4884	entry->cfentry_family = AF_INET;
4885	return TRUE;
4886	case AF_INET6:
4887	sin6 = satosin6(addr);
4888	if (sin6->sin6_len != sizeof(*sin6)) {
4889	return FALSE;
4890	}
4891	if (isLocal == TRUE) {
4892	entry->cfentry_lport = sin6->sin6_port;
4893	entry->cfentry_laddr.addr6 = sin6->sin6_addr;
4894	} else {
4895	entry->cfentry_fport = sin6->sin6_port;
4896	entry->cfentry_faddr.addr6 = sin6->sin6_addr;
4897	}
4898	entry->cfentry_family = AF_INET6;
4899	return TRUE;
4900	default:
4901	return FALSE;
4902	}
4903	}
4904
4905	static bool
4906	fill_cfil_hash_entry_from_inp(struct cfil_hash_entry entry, bool isLocal, struct* inpcb *inp)
4907	{
4908	if (entry == NULL \|\| inp == NULL) {
4909	return FALSE;
4910	}
4911
4912	if (inp->inp_vflag & INP_IPV4) {
4913	if (isLocal == TRUE) {
4914	entry->cfentry_lport = inp->inp_lport;
4915	entry->cfentry_laddr.addr46.ia46_addr4.s_addr = inp->inp_laddr.s_addr;
4916	} else {
4917	entry->cfentry_fport = inp->inp_fport;
4918	entry->cfentry_faddr.addr46.ia46_addr4.s_addr = inp->inp_faddr.s_addr;
4919	}
4920	entry->cfentry_family = AF_INET;
4921	return TRUE;
4922	} else if (inp->inp_vflag & INP_IPV6) {
4923	if (isLocal == TRUE) {
4924	entry->cfentry_lport = inp->inp_lport;
4925	entry->cfentry_laddr.addr6 = inp->in6p_laddr;
4926	} else {
4927	entry->cfentry_fport = inp->inp_fport;
4928	entry->cfentry_faddr.addr6 = inp->in6p_faddr;
4929	}
4930	entry->cfentry_family = AF_INET6;
4931	return TRUE;
4932	}
4933	return FALSE;
4934	}
4935
4936	bool
4937	check_port(struct sockaddr *addr, u_short port)
4938	{
4939	struct sockaddr_in *sin = NULL;
4940	struct sockaddr_in6 *sin6 = NULL;
4941
4942	if (addr == NULL \|\| port == `0`) {
4943	return FALSE;
4944	}
4945
4946	switch (addr->sa_family) {
4947	case AF_INET:
4948	sin = satosin(addr);
4949	if (sin->sin_len != sizeof(*sin)) {
4950	return FALSE;
4951	}
4952	if (port == ntohs(sin->sin_port)) {
4953	return TRUE;
4954	}
4955	break;
4956	case AF_INET6:
4957	sin6 = satosin6(addr);
4958	if (sin6->sin6_len != sizeof(*sin6)) {
4959	return FALSE;
4960	}
4961	if (port == ntohs(sin6->sin6_port)) {
4962	return TRUE;
4963	}
4964	break;
4965	default:
4966	break;
4967	}
4968	return FALSE;
4969	}
4970
4971	struct cfil_hash_entry *
4972	cfil_db_lookup_entry_with_sockid(struct cfil_db *db, u_int64_t sock_id)
4973	{
4974	struct cfilhashhead *cfilhash = NULL;
4975	u_int32_t flowhash = (u_int32_t)(sock_id & `0x0ffffffff`);
4976	struct cfil_hash_entry *nextentry;
4977
4978	if (db == NULL \|\| db->cfdb_hashbase == NULL \|\| sock_id == `0`) {
4979	return NULL;
4980	}
4981
4982	flowhash &= db->cfdb_hashmask;
4983	cfilhash = &db->cfdb_hashbase[flowhash];
4984
4985	LIST_FOREACH(nextentry, cfilhash, cfentry_link) {
4986	if (nextentry->cfentry_cfil != NULL &&
4987	nextentry->cfentry_cfil->cfi_sock_id == sock_id) {
4988	CFIL_LOG(LOG_DEBUG, "CFIL: UDP <so %llx> matched <id %llu, hash %u>",
4989	(uint64_t)VM_KERNEL_ADDRPERM(db->cfdb_so), nextentry->cfentry_cfil->cfi_sock_id, flowhash);
4990	cfil_hash_entry_log(LOG_DEBUG, db->cfdb_so, nextentry, `0`, "CFIL: UDP found entry");
4991	return nextentry;
4992	}
4993	}
4994
4995	CFIL_LOG(LOG_DEBUG, "CFIL: UDP <so %llx> NOT matched <id %llu, hash %u>",
4996	(uint64_t)VM_KERNEL_ADDRPERM(db->cfdb_so), sock_id, flowhash);
4997	return NULL;
4998	}
4999
5000	struct cfil_hash_entry *
5001	cfil_db_lookup_entry(struct cfil_db db, struct* sockaddr local, struct* sockaddr *remote)
5002	{
5003	struct cfil_hash_entry matchentry;
5004	struct cfil_hash_entry *nextentry = NULL;
5005	struct inpcb *inp = sotoinpcb(db->cfdb_so);
5006	u_int32_t hashkey_faddr = `0`, hashkey_laddr = `0`;
5007	int inp_hash_element = `0`;
5008	struct cfilhashhead *cfilhash = NULL;
5009
5010	CFIL_LOG(LOG_INFO, "");
5011
5012	if (inp == NULL) {
5013	goto done;
5014	}
5015
5016	if (local != NULL) {
5017	fill_cfil_hash_entry_from_address(&matchentry, TRUE, local);
5018	} else {
5019	fill_cfil_hash_entry_from_inp(&matchentry, TRUE, inp);
5020	}
5021	if (remote != NULL) {
5022	fill_cfil_hash_entry_from_address(&matchentry, FALSE, remote);
5023	} else {
5024	fill_cfil_hash_entry_from_inp(&matchentry, FALSE, inp);
5025	}
5026
5027	#if INET6
5028	if (inp->inp_vflag & INP_IPV6) {
5029	hashkey_faddr = matchentry.cfentry_faddr.addr6.s6_addr32[`3`];
5030	hashkey_laddr = matchentry.cfentry_laddr.addr6.s6_addr32[`3`];
5031	} else
5032	#endif /* INET6 */
5033	{
5034	hashkey_faddr = matchentry.cfentry_faddr.addr46.ia46_addr4.s_addr;
5035	hashkey_laddr = matchentry.cfentry_laddr.addr46.ia46_addr4.s_addr;
5036	}
5037
5038	inp_hash_element = CFIL_HASH(hashkey_laddr, hashkey_faddr,
5039	matchentry.cfentry_lport, matchentry.cfentry_fport);
5040	inp_hash_element &= db->cfdb_hashmask;
5041
5042	cfilhash = &db->cfdb_hashbase[inp_hash_element];
5043
5044	LIST_FOREACH(nextentry, cfilhash, cfentry_link) {
5045
5046	#if INET6
5047	if ((inp->inp_vflag & INP_IPV6) &&
5048	nextentry->cfentry_lport == matchentry.cfentry_lport &&
5049	nextentry->cfentry_fport == matchentry.cfentry_fport &&
5050	IN6_ARE_ADDR_EQUAL(&nextentry->cfentry_laddr.addr6, &matchentry.cfentry_laddr.addr6) &&
5051	IN6_ARE_ADDR_EQUAL(&nextentry->cfentry_faddr.addr6, &matchentry.cfentry_faddr.addr6)) {
5052	#if DATA_DEBUG
5053	cfil_hash_entry_log(LOG_DEBUG, db->cfdb_so, &matchentry, `0`, "CFIL LOOKUP ENTRY: UDP V6 found entry");
5054	#endif
5055	return nextentry;
5056	} else
5057	#endif /* INET6 */
5058	if (nextentry->cfentry_lport == matchentry.cfentry_lport &&
5059	nextentry->cfentry_fport == matchentry.cfentry_fport &&
5060	nextentry->cfentry_laddr.addr46.ia46_addr4.s_addr == matchentry.cfentry_laddr.addr46.ia46_addr4.s_addr &&
5061	nextentry->cfentry_faddr.addr46.ia46_addr4.s_addr == matchentry.cfentry_faddr.addr46.ia46_addr4.s_addr) {
5062	#if DATA_DEBUG
5063	cfil_hash_entry_log(LOG_DEBUG, db->cfdb_so, &matchentry, `0`, "CFIL LOOKUP ENTRY: UDP V4 found entry");
5064	#endif
5065	return nextentry;
5066	}
5067	}
5068
5069	done:
5070	#if DATA_DEBUG
5071	cfil_hash_entry_log(LOG_DEBUG, db->cfdb_so, &matchentry, `0`, "CFIL LOOKUP ENTRY: UDP no entry found");
5072	#endif
5073	return NULL;
5074	}
5075
5076	void
5077	cfil_db_delete_entry(struct cfil_db db, struct* cfil_hash_entry *hash_entry)
5078	{
5079	if (hash_entry == NULL)
5080	return;
5081
5082	LIST_REMOVE(hash_entry, cfentry_link);
5083	zfree(cfil_hash_entry_zone, hash_entry);
5084	db->cfdb_count--;
5085	if (db->cfdb_only_entry == hash_entry)
5086	db->cfdb_only_entry = NULL;
5087	}
5088
5089	struct cfil_hash_entry *
5090	cfil_db_add_entry(struct cfil_db db, struct* sockaddr local, struct* sockaddr *remote)
5091	{
5092	struct cfil_hash_entry *entry = NULL;
5093	struct inpcb *inp = sotoinpcb(db->cfdb_so);
5094	u_int32_t hashkey_faddr = `0`, hashkey_laddr = `0`;
5095	int inp_hash_element = `0`;
5096	struct cfilhashhead *cfilhash = NULL;
5097
5098	CFIL_LOG(LOG_INFO, "");
5099
5100	if (inp == NULL) {
5101	goto done;
5102	}
5103
5104	entry = zalloc(cfil_hash_entry_zone);
5105	if (entry == NULL) {
5106	goto done;
5107	}
5108	bzero(entry, sizeof(struct cfil_hash_entry));
5109
5110	if (local != NULL) {
5111	fill_cfil_hash_entry_from_address(entry, TRUE, local);
5112	} else {
5113	fill_cfil_hash_entry_from_inp(entry, TRUE, inp);
5114	}
5115	if (remote != NULL) {
5116	fill_cfil_hash_entry_from_address(entry, FALSE, remote);
5117	} else {
5118	fill_cfil_hash_entry_from_inp(entry, FALSE, inp);
5119	}
5120	entry->cfentry_lastused = net_uptime();
5121
5122	#if INET6
5123	if (inp->inp_vflag & INP_IPV6) {
5124	hashkey_faddr = entry->cfentry_faddr.addr6.s6_addr32[`3`];
5125	hashkey_laddr = entry->cfentry_laddr.addr6.s6_addr32[`3`];
5126	} else
5127	#endif /* INET6 */
5128	{
5129	hashkey_faddr = entry->cfentry_faddr.addr46.ia46_addr4.s_addr;
5130	hashkey_laddr = entry->cfentry_laddr.addr46.ia46_addr4.s_addr;
5131	}
5132	entry->cfentry_flowhash = CFIL_HASH(hashkey_laddr, hashkey_faddr,
5133	entry->cfentry_lport, entry->cfentry_fport);
5134	inp_hash_element = entry->cfentry_flowhash & db->cfdb_hashmask;
5135
5136	cfilhash = &db->cfdb_hashbase[inp_hash_element];
5137
5138	LIST_INSERT_HEAD(cfilhash, entry, cfentry_link);
5139	db->cfdb_count++;
5140	db->cfdb_only_entry = entry;
5141	cfil_hash_entry_log(LOG_DEBUG, db->cfdb_so, entry, `0`, "CFIL: cfil_db_add_entry: ADDED");
5142
5143	done:
5144	CFIL_LOG(LOG_DEBUG, "CFIL: UDP <so %llx> total count %d", (uint64_t)VM_KERNEL_ADDRPERM(db->cfdb_so), db->cfdb_count);
5145	return entry;
5146	}
5147
5148	struct cfil_info *
5149	cfil_db_get_cfil_info(struct cfil_db *db, cfil_sock_id_t id)
5150	{
5151	struct cfil_hash_entry *hash_entry = NULL;
5152
5153	CFIL_LOG(LOG_INFO, "");
5154
5155	if (db == NULL \|\| id == `0`) {
5156	CFIL_LOG(LOG_DEBUG, "CFIL: UDP <so %llx> NULL DB <id %llu>",
5157	(uint64_t)VM_KERNEL_ADDRPERM(db->cfdb_so), id);
5158	return NULL;
5159	}
5160
5161	// This is an optimization for connected UDP socket which only has one flow.
5162	// No need to do the hash lookup.
5163	if (db->cfdb_count == `1`) {
5164	if (db->cfdb_only_entry && db->cfdb_only_entry->cfentry_cfil &&
5165	db->cfdb_only_entry->cfentry_cfil->cfi_sock_id == id) {
5166	return (db->cfdb_only_entry->cfentry_cfil);
5167	}
5168	}
5169
5170	hash_entry = cfil_db_lookup_entry_with_sockid(db, id);
5171	return (hash_entry != NULL ? hash_entry->cfentry_cfil : NULL);
5172	}
5173
5174	struct cfil_hash_entry *
5175	cfil_sock_udp_get_flow(struct socket so, uint32_t filter_control_unit, bool outgoing, struct* sockaddr local, struct* sockaddr *remote)
5176	{
5177	#pragma unused(so, filter_control_unit, outgoing, local, remote)
5178	struct cfil_hash_entry *hash_entry = NULL;
5179
5180	errno_t error = `0`;
5181	socket_lock_assert_owned(so);
5182
5183	// If new socket, allocate cfil db
5184	if (so->so_cfil_db == NULL) {
5185	if (cfil_db_init(so) != `0`) {
5186	return (NULL);
5187	}
5188	}
5189
5190	// See if flow already exists.
5191	hash_entry = cfil_db_lookup_entry(so->so_cfil_db, local, remote);
5192	if (hash_entry != NULL) {
5193	return (hash_entry);
5194	}
5195
5196	hash_entry = cfil_db_add_entry(so->so_cfil_db, local, remote);
5197	if (hash_entry == NULL) {
5198	OSIncrementAtomic(&cfil_stats.cfs_sock_attach_no_mem);
5199	CFIL_LOG(LOG_ERR, "CFIL: UDP failed to add entry");
5200	return (NULL);
5201	}
5202
5203	if (cfil_info_alloc(so, hash_entry) == NULL \|\|
5204	hash_entry->cfentry_cfil == NULL) {
5205	cfil_db_delete_entry(so->so_cfil_db, hash_entry);
5206	CFIL_LOG(LOG_ERR, "CFIL: UDP failed to alloc cfil_info");
5207	OSIncrementAtomic(&cfil_stats.cfs_sock_attach_no_mem);
5208	return (NULL);
5209	}
5210
5211	#if LIFECYCLE_DEBUG
5212	cfil_info_log(LOG_ERR, hash_entry->cfentry_cfil, "CFIL: LIFECYCLE: ADDED");
5213	#endif
5214
5215	if (cfil_info_attach_unit(so, filter_control_unit, hash_entry->cfentry_cfil) == `0`) {
5216	CFIL_LOG(LOG_ERR, "CFIL: UDP cfil_info_attach_unit(%u) failed",
5217	filter_control_unit);
5218	OSIncrementAtomic(&cfil_stats.cfs_sock_attach_failed);
5219	return (NULL);
5220	}
5221	CFIL_LOG(LOG_DEBUG, "CFIL: UDP <so %llx> filter_control_unit %u sockID %llu attached",
5222	(uint64_t)VM_KERNEL_ADDRPERM(so),
5223	filter_control_unit, hash_entry->cfentry_cfil->cfi_sock_id);
5224
5225	so->so_flags \|= SOF_CONTENT_FILTER;
5226	OSIncrementAtomic(&cfil_stats.cfs_sock_attached);
5227
5228	/ Hold a reference on the socket for each flow /
5229	so->so_usecount++;
5230
5231	error = cfil_dispatch_attach_event(so, hash_entry->cfentry_cfil, filter_control_unit);
5232	/ We can recover from flow control or out of memory errors /
5233	if (error != `0` && error != ENOBUFS && error != ENOMEM)
5234	return (NULL);
5235
5236	CFIL_INFO_VERIFY(hash_entry->cfentry_cfil);
5237	return (hash_entry);
5238	}
5239
5240	errno_t
5241	cfil_sock_udp_handle_data(bool outgoing, struct socket *so,
5242	struct sockaddr local, struct* sockaddr *remote,
5243	struct mbuf data, struct* mbuf *control, uint32_t flags)
5244	{
5245	#pragma unused(outgoing, so, local, remote, data, control, flags)
5246	errno_t error = `0`;
5247	uint32_t filter_control_unit;
5248	struct cfil_hash_entry *hash_entry = NULL;
5249	struct cfil_info *cfil_info = NULL;
5250
5251	socket_lock_assert_owned(so);
5252
5253	if (cfil_active_count == `0`) {
5254	CFIL_LOG(LOG_DEBUG, "CFIL: UDP no active filter");
5255	OSIncrementAtomic(&cfil_stats.cfs_sock_attach_in_vain);
5256	return (error);
5257	}
5258
5259	filter_control_unit = necp_socket_get_content_filter_control_unit(so);
5260	if (filter_control_unit == `0`) {
5261	CFIL_LOG(LOG_DEBUG, "CFIL: UDP failed to get control unit");
5262	return (error);
5263	}
5264
5265	if ((filter_control_unit & NECP_MASK_USERSPACE_ONLY) != `0`) {
5266	CFIL_LOG(LOG_DEBUG, "CFIL: UDP user space only");
5267	OSIncrementAtomic(&cfil_stats.cfs_sock_userspace_only);
5268	return (error);
5269	}
5270
5271	hash_entry = cfil_sock_udp_get_flow(so, filter_control_unit, outgoing, local, remote);
5272	if (hash_entry == NULL \|\| hash_entry->cfentry_cfil == NULL) {
5273	CFIL_LOG(LOG_ERR, "CFIL: Falied to create UDP flow");
5274	return (EPIPE);
5275	}
5276	// Update last used timestamp, this is for flow Idle TO
5277	hash_entry->cfentry_lastused = net_uptime();
5278	cfil_info = hash_entry->cfentry_cfil;
5279
5280	if (cfil_info->cfi_flags & CFIF_DROP) {
5281	#if DATA_DEBUG
5282	cfil_hash_entry_log(LOG_DEBUG, so, hash_entry, `0`, "CFIL: UDP DROP");
5283	#endif
5284	return (EPIPE);
5285	}
5286	if (control != NULL) {
5287	OSIncrementAtomic(&cfil_stats.cfs_data_in_control);
5288	}
5289	if (data->m_type == MT_OOBDATA) {
5290	CFIL_LOG(LOG_ERR, "so %llx MSG_OOB",
5291	(uint64_t)VM_KERNEL_ADDRPERM(so));
5292	OSIncrementAtomic(&cfil_stats.cfs_data_in_oob);
5293	}
5294
5295	error = cfil_data_common(so, cfil_info, outgoing, remote, data, control, flags);
5296
5297	return (error);
5298	}
5299
5300	/*
5301	* Go through all UDP flows for specified socket and returns TRUE if
5302	* any flow is still attached. If need_wait is TRUE, wait on first
5303	* attached flow.
5304	*/
5305	static int
5306	cfil_filters_udp_attached(struct socket *so, bool need_wait)
5307	{
5308	struct timespec ts;
5309	lck_mtx_t *mutex_held;
5310	struct cfilhashhead *cfilhash = NULL;
5311	struct cfil_db *db = NULL;
5312	struct cfil_hash_entry *hash_entry = NULL;
5313	struct cfil_hash_entry *temp_hash_entry = NULL;
5314	struct cfil_info *cfil_info = NULL;
5315	struct cfil_entry *entry = NULL;
5316	errno_t error = `0`;
5317	int kcunit;
5318	int attached = `0`;
5319
5320	socket_lock_assert_owned(so);
5321
5322	if ((so->so_flags & SOF_CONTENT_FILTER) != `0` && so->so_cfil_db != NULL) {
5323
5324	if (so->so_proto->pr_getlock != NULL)
5325	mutex_held = (*so->so_proto->pr_getlock)(so, PR_F_WILLUNLOCK);
5326	else
5327	mutex_held = so->so_proto->pr_domain->dom_mtx;
5328	LCK_MTX_ASSERT(mutex_held, LCK_MTX_ASSERT_OWNED);
5329
5330	db = so->so_cfil_db;
5331
5332	for (int i = `0`; i < CFILHASHSIZE; i++) {
5333	cfilhash = &db->cfdb_hashbase[i];
5334
5335	LIST_FOREACH_SAFE(hash_entry, cfilhash, cfentry_link, temp_hash_entry) {
5336
5337	if (hash_entry->cfentry_cfil != NULL) {
5338
5339	cfil_info = hash_entry->cfentry_cfil;
5340	for (kcunit = `1`; kcunit <= MAX_CONTENT_FILTER; kcunit++) {
5341	entry = &cfil_info->cfi_entries[kcunit - `1`];
5342
5343	/ Are we attached to the filter? /
5344	if (entry->cfe_filter == NULL) {
5345	continue;
5346	}
5347
5348	if ((entry->cfe_flags & CFEF_SENT_SOCK_ATTACHED) == `0`)
5349	continue;
5350	if ((entry->cfe_flags & CFEF_CFIL_DETACHED) != `0`)
5351	continue;
5352
5353	attached = `1`;
5354
5355	if (need_wait == TRUE) {
5356	#if LIFECYCLE_DEBUG
5357	cfil_info_log(LOG_ERR, cfil_info, "CFIL: LIFECYCLE: WAIT FOR FLOW TO FINISH");
5358	#endif
5359
5360	ts.tv_sec = cfil_close_wait_timeout / `1000`;
5361	ts.tv_nsec = (cfil_close_wait_timeout % `1000`) *
5362	NSEC_PER_USEC * `1000`;
5363
5364	OSIncrementAtomic(&cfil_stats.cfs_close_wait);
5365	cfil_info->cfi_flags \|= CFIF_CLOSE_WAIT;
5366	error = msleep((caddr_t)cfil_info, mutex_held,
5367	PSOCK \| PCATCH, "cfil_filters_udp_attached", &ts);
5368	cfil_info->cfi_flags &= ~CFIF_CLOSE_WAIT;
5369
5370	#if LIFECYCLE_DEBUG
5371	cfil_info_log(LOG_ERR, cfil_info, "CFIL: LIFECYCLE: WAIT FOR FLOW DONE");
5372	#endif
5373
5374	/*
5375	* Force close in case of timeout
5376	*/
5377	if (error != `0`) {
5378	OSIncrementAtomic(&cfil_stats.cfs_close_wait_timeout);
5379	#if LIFECYCLE_DEBUG
5380	cfil_info_log(LOG_ERR, cfil_info, "CFIL: LIFECYCLE: WAIT FOR FLOW TIMED OUT, FORCE DETACH");
5381	#endif
5382	entry->cfe_flags \|= CFEF_CFIL_DETACHED;
5383	break;
5384	}
5385	}
5386	goto done;
5387	}
5388	}
5389	}
5390	}
5391	}
5392
5393	done:
5394	return (attached);
5395	}
5396
5397	int32_t
5398	cfil_sock_udp_data_pending(struct sockbuf *sb, bool check_thread)
5399	{
5400	struct socket *so = sb->sb_so;
5401	struct cfi_buf *cfi_buf;
5402	uint64_t pending = `0`;
5403	uint64_t total_pending = `0`;
5404	struct cfilhashhead *cfilhash = NULL;
5405	struct cfil_db *db = NULL;
5406	struct cfil_hash_entry *hash_entry = NULL;
5407	struct cfil_hash_entry *temp_hash_entry = NULL;
5408
5409	socket_lock_assert_owned(so);
5410
5411	if ((so->so_flags & SOF_CONTENT_FILTER) != `0` && so->so_cfil_db != NULL &&
5412	(check_thread == FALSE \|\| so->so_snd.sb_cfil_thread != current_thread())) {
5413
5414	db = so->so_cfil_db;
5415
5416	for (int i = `0`; i < CFILHASHSIZE; i++) {
5417	cfilhash = &db->cfdb_hashbase[i];
5418
5419	LIST_FOREACH_SAFE(hash_entry, cfilhash, cfentry_link, temp_hash_entry) {
5420
5421	if (hash_entry->cfentry_cfil != NULL) {
5422	if ((sb->sb_flags & SB_RECV) == `0`)
5423	cfi_buf = &hash_entry->cfentry_cfil->cfi_snd;
5424	else
5425	cfi_buf = &hash_entry->cfentry_cfil->cfi_rcv;
5426
5427	pending = cfi_buf->cfi_pending_last - cfi_buf->cfi_pending_first;
5428	/*
5429	* If we are limited by the "chars of mbufs used" roughly
5430	* adjust so we won't overcommit
5431	*/
5432	if ((uint64_t)cfi_buf->cfi_pending_mbcnt > pending)
5433	pending = cfi_buf->cfi_pending_mbcnt;
5434
5435	total_pending += pending;
5436	}
5437	}
5438	}
5439
5440	VERIFY(total_pending < INT32_MAX);
5441	#if DATA_DEBUG
5442	CFIL_LOG(LOG_DEBUG, "CFIL: <so %llx> total pending %llu <check_thread %d>",
5443	(uint64_t)VM_KERNEL_ADDRPERM(so),
5444	total_pending, check_thread);
5445	#endif
5446	}
5447
5448	return (int32_t)(total_pending);
5449	}
5450
5451	int
5452	cfil_sock_udp_notify_shutdown(struct socket so, int* how, int drop_flag, int shut_flag)
5453	{
5454	struct cfil_info *cfil_info = NULL;
5455	struct cfilhashhead *cfilhash = NULL;
5456	struct cfil_db *db = NULL;
5457	struct cfil_hash_entry *hash_entry = NULL;
5458	struct cfil_hash_entry *temp_hash_entry = NULL;
5459	errno_t error = `0`;
5460	int done_count = `0`;
5461	int kcunit;
5462
5463	socket_lock_assert_owned(so);
5464
5465	if ((so->so_flags & SOF_CONTENT_FILTER) != `0` && so->so_cfil_db != NULL) {
5466
5467	db = so->so_cfil_db;
5468
5469	for (int i = `0`; i < CFILHASHSIZE; i++) {
5470	cfilhash = &db->cfdb_hashbase[i];
5471
5472	LIST_FOREACH_SAFE(hash_entry, cfilhash, cfentry_link, temp_hash_entry) {
5473
5474	if (hash_entry->cfentry_cfil != NULL) {
5475	cfil_info = hash_entry->cfentry_cfil;
5476
5477	// This flow is marked as DROP
5478	if (cfil_info->cfi_flags & drop_flag) {
5479	done_count++;
5480	continue;
5481	}
5482
5483	// This flow has been shut already, skip
5484	if (cfil_info->cfi_flags & shut_flag) {
5485	continue;
5486	}
5487	// Mark flow as shut
5488	cfil_info->cfi_flags \|= shut_flag;
5489	done_count++;
5490
5491	for (kcunit = `1`; kcunit <= MAX_CONTENT_FILTER; kcunit++) {
5492	/ Disconnect incoming side /
5493	if (how != SHUT_WR) {
5494	error = cfil_dispatch_disconnect_event(so, cfil_info, kcunit, `0`);
5495	}
5496	/ Disconnect outgoing side /
5497	if (how != SHUT_RD) {
5498	error = cfil_dispatch_disconnect_event(so, cfil_info, kcunit, `1`);
5499	}
5500	}
5501	}
5502	}
5503	}
5504	}
5505
5506	if (done_count == `0`) {
5507	error = ENOTCONN;
5508	}
5509	return (error);
5510	}
5511
5512	int
5513	cfil_sock_udp_shutdown(struct socket so, int* *how)
5514	{
5515	int error = `0`;
5516
5517	if ((so->so_flags & SOF_CONTENT_FILTER) == `0` \|\| (so->so_cfil_db == NULL))
5518	goto done;
5519
5520	socket_lock_assert_owned(so);
5521
5522	CFIL_LOG(LOG_INFO, "so %llx how %d",
5523	(uint64_t)VM_KERNEL_ADDRPERM(so), *how);
5524
5525	/*
5526	* Check the state of the socket before the content filter
5527	*/
5528	if (*how != SHUT_WR && (so->so_state & SS_CANTRCVMORE) != `0`) {
5529	/ read already shut down /
5530	error = ENOTCONN;
5531	goto done;
5532	}
5533	if (*how != SHUT_RD && (so->so_state & SS_CANTSENDMORE) != `0`) {
5534	/ write already shut down /
5535	error = ENOTCONN;
5536	goto done;
5537	}
5538
5539	/*
5540	* shutdown read: SHUT_RD or SHUT_RDWR
5541	*/
5542	if (*how != SHUT_WR) {
5543	error = cfil_sock_udp_notify_shutdown(so, SHUT_RD, CFIF_DROP, CFIF_SHUT_RD);
5544	if (error != `0`)
5545	goto done;
5546	}
5547	/*
5548	* shutdown write: SHUT_WR or SHUT_RDWR
5549	*/
5550	if (*how != SHUT_RD) {
5551	error = cfil_sock_udp_notify_shutdown(so, SHUT_WR, CFIF_DROP, CFIF_SHUT_WR);
5552	if (error != `0`)
5553	goto done;
5554
5555	/*
5556	* When outgoing data is pending, we delay the shutdown at the
5557	* protocol level until the content filters give the final
5558	* verdict on the pending data.
5559	*/
5560	if (cfil_sock_data_pending(&so->so_snd) != `0`) {
5561	/*
5562	* When shutting down the read and write sides at once
5563	* we can proceed to the final shutdown of the read
5564	* side. Otherwise, we just return.
5565	*/
5566	if (*how == SHUT_WR) {
5567	error = EJUSTRETURN;
5568	} else if (*how == SHUT_RDWR) {
5569	*how = SHUT_RD;
5570	}
5571	}
5572	}
5573	done:
5574	return (error);
5575	}
5576
5577	void
5578	cfil_sock_udp_close_wait(struct socket *so)
5579	{
5580	socket_lock_assert_owned(so);
5581
5582	while (cfil_filters_udp_attached(so, FALSE)) {
5583	/*
5584	* Notify the filters we are going away so they can detach
5585	*/
5586	cfil_sock_udp_notify_shutdown(so, SHUT_RDWR, `0`, `0`);
5587
5588	/*
5589	* Make sure we need to wait after the filter are notified
5590	* of the disconnection
5591	*/
5592	if (cfil_filters_udp_attached(so, TRUE) == `0`)
5593	break;
5594	}
5595	}
5596
5597	void
5598	cfil_sock_udp_is_closed(struct socket *so)
5599	{
5600	struct cfil_info *cfil_info = NULL;
5601	struct cfilhashhead *cfilhash = NULL;
5602	struct cfil_db *db = NULL;
5603	struct cfil_hash_entry *hash_entry = NULL;
5604	struct cfil_hash_entry *temp_hash_entry = NULL;
5605	errno_t error = `0`;
5606	int kcunit;
5607
5608	socket_lock_assert_owned(so);
5609
5610	if ((so->so_flags & SOF_CONTENT_FILTER) != `0` && so->so_cfil_db != NULL) {
5611
5612	db = so->so_cfil_db;
5613
5614	for (int i = `0`; i < CFILHASHSIZE; i++) {
5615	cfilhash = &db->cfdb_hashbase[i];
5616
5617	LIST_FOREACH_SAFE(hash_entry, cfilhash, cfentry_link, temp_hash_entry) {
5618	if (hash_entry->cfentry_cfil != NULL) {
5619
5620	cfil_info = hash_entry->cfentry_cfil;
5621
5622	for (kcunit = `1`; kcunit <= MAX_CONTENT_FILTER; kcunit++) {
5623	/ Let the filters know of the closing /
5624	error = cfil_dispatch_closed_event(so, cfil_info, kcunit);
5625	}
5626
5627	/ Last chance to push passed data out /
5628	error = cfil_acquire_sockbuf(so, cfil_info, `1`);
5629	if (error == `0`)
5630	cfil_service_inject_queue(so, cfil_info, `1`);
5631	cfil_release_sockbuf(so, `1`);
5632
5633	cfil_info->cfi_flags \|= CFIF_SOCK_CLOSED;
5634
5635	/ Pending data needs to go /
5636	cfil_flush_queues(so, cfil_info);
5637
5638	CFIL_INFO_VERIFY(cfil_info);
5639	}
5640	}
5641	}
5642	}
5643	}
5644
5645	void
5646	cfil_sock_udp_buf_update(struct sockbuf *sb)
5647	{
5648	struct cfil_info *cfil_info = NULL;
5649	struct cfilhashhead *cfilhash = NULL;
5650	struct cfil_db *db = NULL;
5651	struct cfil_hash_entry *hash_entry = NULL;
5652	struct cfil_hash_entry *temp_hash_entry = NULL;
5653	errno_t error = `0`;
5654	int outgoing;
5655	struct socket *so = sb->sb_so;
5656
5657	socket_lock_assert_owned(so);
5658
5659	if ((so->so_flags & SOF_CONTENT_FILTER) != `0` && so->so_cfil_db != NULL) {
5660
5661	if (!cfil_sbtrim)
5662	return;
5663
5664	db = so->so_cfil_db;
5665
5666	for (int i = `0`; i < CFILHASHSIZE; i++) {
5667	cfilhash = &db->cfdb_hashbase[i];
5668
5669	LIST_FOREACH_SAFE(hash_entry, cfilhash, cfentry_link, temp_hash_entry) {
5670	if (hash_entry->cfentry_cfil != NULL) {
5671
5672	cfil_info = hash_entry->cfentry_cfil;
5673
5674	if ((sb->sb_flags & SB_RECV) == `0`) {
5675	if ((cfil_info->cfi_flags & CFIF_RETRY_INJECT_OUT) == `0`)
5676	return;
5677	outgoing = `1`;
5678	OSIncrementAtomic(&cfil_stats.cfs_inject_q_out_retry);
5679	} else {
5680	if ((cfil_info->cfi_flags & CFIF_RETRY_INJECT_IN) == `0`)
5681	return;
5682	outgoing = `0`;
5683	OSIncrementAtomic(&cfil_stats.cfs_inject_q_in_retry);
5684	}
5685
5686	CFIL_LOG(LOG_NOTICE, "so %llx outgoing %d",
5687	(uint64_t)VM_KERNEL_ADDRPERM(so), outgoing);
5688
5689	error = cfil_acquire_sockbuf(so, cfil_info, outgoing);
5690	if (error == `0`)
5691	cfil_service_inject_queue(so, cfil_info, outgoing);
5692	cfil_release_sockbuf(so, outgoing);
5693	}
5694	}
5695	}
5696	}
5697	}
5698
5699	void
5700	cfil_filter_show(u_int32_t kcunit)
5701	{
5702	struct content_filter *cfc = NULL;
5703	struct cfil_entry *entry;
5704	int count = `0`;
5705
5706	if (content_filters == NULL) {
5707	return;
5708	}
5709	if (kcunit > MAX_CONTENT_FILTER) {
5710	return;
5711	}
5712
5713	cfil_rw_lock_shared(&cfil_lck_rw);
5714
5715	if (content_filters[kcunit - `1`] == NULL) {
5716	cfil_rw_unlock_shared(&cfil_lck_rw);
5717	return;
5718	}
5719	cfc = content_filters[kcunit - `1`];
5720
5721	CFIL_LOG(LOG_ERR, "CFIL: FILTER SHOW: Filter <unit %d, entry count %d> flags <%lx>:",
5722	kcunit, cfc->cf_sock_count, (unsigned long)cfc->cf_flags);
5723	if (cfc->cf_flags & CFF_DETACHING)
5724	CFIL_LOG(LOG_ERR, "CFIL: FILTER SHOW: - DETACHING");
5725	if (cfc->cf_flags & CFF_ACTIVE)
5726	CFIL_LOG(LOG_ERR, "CFIL: FILTER SHOW: - ACTIVE");
5727	if (cfc->cf_flags & CFF_FLOW_CONTROLLED)
5728	CFIL_LOG(LOG_ERR, "CFIL: FILTER SHOW: - FLOW CONTROLLED");
5729
5730	TAILQ_FOREACH(entry, &cfc->cf_sock_entries, cfe_link) {
5731
5732	if (entry->cfe_cfil_info && entry->cfe_cfil_info->cfi_so) {
5733	struct cfil_info *cfil_info = entry->cfe_cfil_info;
5734
5735	count++;
5736
5737	if (entry->cfe_flags & CFEF_CFIL_DETACHED)
5738	cfil_info_log(LOG_ERR, cfil_info, "CFIL: FILTER SHOW: - DETACHED");
5739	else
5740	cfil_info_log(LOG_ERR, cfil_info, "CFIL: FILTER SHOW: - ATTACHED");
5741	}
5742	}
5743
5744	CFIL_LOG(LOG_ERR, "CFIL: FILTER SHOW: Filter - total entries shown: %d", count);
5745
5746	cfil_rw_unlock_shared(&cfil_lck_rw);
5747
5748	}
5749
5750	void
5751	cfil_info_show(void)
5752	{
5753	struct cfil_info *cfil_info;
5754	int count = `0`;
5755
5756	cfil_rw_lock_shared(&cfil_lck_rw);
5757
5758	CFIL_LOG(LOG_ERR, "CFIL: INFO SHOW: count %d", cfil_sock_attached_count);
5759
5760	TAILQ_FOREACH(cfil_info, &cfil_sock_head, cfi_link) {
5761
5762	count++;
5763
5764	cfil_info_log(LOG_ERR, cfil_info, "CFIL: INFO SHOW");
5765
5766	if (cfil_info->cfi_flags & CFIF_DROP)
5767	CFIL_LOG(LOG_ERR, "CFIL: INFO FLAG - DROP");
5768	if (cfil_info->cfi_flags & CFIF_CLOSE_WAIT)
5769	CFIL_LOG(LOG_ERR, "CFIL: INFO FLAG - CLOSE_WAIT");
5770	if (cfil_info->cfi_flags & CFIF_SOCK_CLOSED)
5771	CFIL_LOG(LOG_ERR, "CFIL: INFO FLAG - SOCK_CLOSED");
5772	if (cfil_info->cfi_flags & CFIF_RETRY_INJECT_IN)
5773	CFIL_LOG(LOG_ERR, "CFIL: INFO FLAG - RETRY_INJECT_IN");
5774	if (cfil_info->cfi_flags & CFIF_RETRY_INJECT_OUT)
5775	CFIL_LOG(LOG_ERR, "CFIL: INFO FLAG - RETRY_INJECT_OUT");
5776	if (cfil_info->cfi_flags & CFIF_SHUT_WR)
5777	CFIL_LOG(LOG_ERR, "CFIL: INFO FLAG - SHUT_WR");
5778	if (cfil_info->cfi_flags & CFIF_SHUT_RD)
5779	CFIL_LOG(LOG_ERR, "CFIL: INFO FLAG - SHUT_RD");
5780	}
5781
5782	CFIL_LOG(LOG_ERR, "CFIL: INFO SHOW: total cfil_info shown: %d", count);
5783
5784	cfil_rw_unlock_shared(&cfil_lck_rw);
5785	}
5786
5787	bool
5788	cfil_info_idle_timed_out(struct cfil_info cfil_info, int* timeout, u_int32_t current_time)
5789	{
5790	if (cfil_info && cfil_info->cfi_hash_entry &&
5791	(current_time - cfil_info->cfi_hash_entry->cfentry_lastused >= (u_int32_t)timeout)) {
5792	#if GC_DEBUG
5793	cfil_info_log(LOG_ERR, cfil_info, "CFIL: flow IDLE timeout expired");
5794	#endif
5795	return true;
5796	}
5797	return false;
5798	}
5799
5800	bool
5801	cfil_info_action_timed_out(struct cfil_info cfil_info, int* timeout)
5802	{
5803	struct cfil_entry *entry;
5804	struct timeval current_tv;
5805	struct timeval diff_time;
5806
5807	if (cfil_info == NULL)
5808	return false;
5809
5810	/*
5811	* If we have queued up more data than passed offset and we haven't received
5812	* an action from user space for a while (the user space filter might have crashed),
5813	* return action timed out.
5814	*/
5815	if (cfil_info->cfi_snd.cfi_pending_last > cfil_info->cfi_snd.cfi_pass_offset \|\|
5816	cfil_info->cfi_rcv.cfi_pending_last > cfil_info->cfi_rcv.cfi_pass_offset) {
5817
5818	microuptime(&current_tv);
5819
5820	for (int kcunit = `1`; kcunit <= MAX_CONTENT_FILTER; kcunit++) {
5821	entry = &cfil_info->cfi_entries[kcunit - `1`];
5822
5823	if (entry->cfe_filter == NULL)
5824	continue;
5825
5826	if (cfil_info->cfi_snd.cfi_pending_last > entry->cfe_snd.cfe_pass_offset \|\|
5827	cfil_info->cfi_rcv.cfi_pending_last > entry->cfe_rcv.cfe_pass_offset) {
5828	// haven't gotten an action from this filter, check timeout
5829	timersub(&current_tv, &entry->cfe_last_action, &diff_time);
5830	if (diff_time.tv_sec >= timeout) {
5831	#if GC_DEBUG
5832	cfil_info_log(LOG_ERR, cfil_info, "CFIL: flow ACTION timeout expired");
5833	#endif
5834	return true;
5835	}
5836	}
5837	}
5838	}
5839	return false;
5840	}
5841
5842	bool
5843	cfil_info_buffer_threshold_exceeded(struct cfil_info *cfil_info)
5844	{
5845	if (cfil_info == NULL)
5846	return false;
5847
5848	/*
5849	* Clean up flow if it exceeded queue thresholds
5850	*/
5851	if (cfil_info->cfi_snd.cfi_tail_drop_cnt \|\|
5852	cfil_info->cfi_rcv.cfi_tail_drop_cnt) {
5853	#if GC_DEBUG
5854	CFIL_LOG(LOG_ERR, "CFIL: queue threshold exceeded: mbuf max <count: %d bytes: %d> tail drop count <OUT: %d IN: %d>",
5855	cfil_udp_gc_mbuf_num_max,
5856	cfil_udp_gc_mbuf_cnt_max,
5857	cfil_info->cfi_snd.cfi_tail_drop_cnt,
5858	cfil_info->cfi_rcv.cfi_tail_drop_cnt);
5859	cfil_info_log(LOG_ERR, cfil_info, "CFIL: queue threshold exceeded");
5860	#endif
5861	return true;
5862	}
5863
5864	return false;
5865	}
5866
5867	static void
5868	cfil_udp_gc_thread_sleep(bool forever)
5869	{
5870	if (forever) {
5871	(void) assert_wait((event_t) &cfil_sock_udp_attached_count,
5872	THREAD_INTERRUPTIBLE);
5873	} else {
5874	uint64_t deadline = `0`;
5875	nanoseconds_to_absolutetime(UDP_FLOW_GC_RUN_INTERVAL_NSEC, &deadline);
5876	clock_absolutetime_interval_to_deadline(deadline, &deadline);
5877
5878	(void) assert_wait_deadline(&cfil_sock_udp_attached_count,
5879	THREAD_INTERRUPTIBLE, deadline);
5880	}
5881	}
5882
5883	static void
5884	cfil_udp_gc_thread_func(void *v, wait_result_t w)
5885	{
5886	#pragma unused(v, w)
5887
5888	ASSERT(cfil_udp_gc_thread == current_thread());
5889	thread_set_thread_name(current_thread(), "CFIL_UPD_GC");
5890
5891	// Kick off gc shortly
5892	cfil_udp_gc_thread_sleep(false);
5893	thread_block_parameter((thread_continue_t) cfil_info_udp_expire, NULL);
5894	/ NOTREACHED /
5895	}
5896
5897	static void
5898	cfil_info_udp_expire(void *v, wait_result_t w)
5899	{
5900	#pragma unused(v, w)
5901
5902	static uint64_t expired_array[UDP_FLOW_GC_MAX_COUNT];
5903	static uint32_t expired_count = `0`;
5904
5905	struct cfil_info *cfil_info;
5906	struct cfil_hash_entry *hash_entry;
5907	struct cfil_db *db;
5908	struct socket *so;
5909	u_int32_t current_time = `0`;
5910
5911	current_time = net_uptime();
5912
5913	// Get all expired UDP flow ids
5914	cfil_rw_lock_shared(&cfil_lck_rw);
5915
5916	if (cfil_sock_udp_attached_count == `0`) {
5917	cfil_rw_unlock_shared(&cfil_lck_rw);
5918	goto go_sleep;
5919	}
5920
5921	TAILQ_FOREACH(cfil_info, &cfil_sock_head, cfi_link) {
5922	if (expired_count >= UDP_FLOW_GC_MAX_COUNT)
5923	break;
5924
5925	if (IS_UDP(cfil_info->cfi_so)) {
5926	if (cfil_info_idle_timed_out(cfil_info, UDP_FLOW_GC_IDLE_TO, current_time) \|\|
5927	cfil_info_action_timed_out(cfil_info, UDP_FLOW_GC_ACTION_TO) \|\|
5928	cfil_info_buffer_threshold_exceeded(cfil_info)) {
5929	expired_array[expired_count] = cfil_info->cfi_sock_id;
5930	expired_count++;
5931	}
5932	}
5933	}
5934	cfil_rw_unlock_shared(&cfil_lck_rw);
5935
5936	if (expired_count == `0`)
5937	goto go_sleep;
5938
5939	for (uint32_t i = `0`; i < expired_count; i++) {
5940
5941	// Search for socket (UDP only and lock so)
5942	so = cfil_socket_from_sock_id(expired_array[i], true);
5943	if (so == NULL) {
5944	continue;
5945	}
5946
5947	cfil_info = cfil_db_get_cfil_info(so->so_cfil_db, expired_array[i]);
5948	if (cfil_info == NULL) {
5949	goto unlock;
5950	}
5951
5952	db = so->so_cfil_db;
5953	hash_entry = cfil_info->cfi_hash_entry;
5954
5955	if (db == NULL \|\| hash_entry == NULL) {
5956	goto unlock;
5957	}
5958
5959	#if GC_DEBUG \|\| LIFECYCLE_DEBUG
5960	cfil_info_log(LOG_ERR, cfil_info, "CFIL: LIFECYCLE: GC CLEAN UP");
5961	#endif
5962
5963	cfil_db_delete_entry(db, hash_entry);
5964	cfil_info_free(cfil_info);
5965	OSIncrementAtomic(&cfil_stats.cfs_sock_detached);
5966
5967	if (so->so_flags & SOF_CONTENT_FILTER) {
5968	if (db->cfdb_count == `0`)
5969	so->so_flags &= ~SOF_CONTENT_FILTER;
5970	VERIFY(so->so_usecount > `0`);
5971	so->so_usecount--;
5972	}
5973	unlock:
5974	socket_unlock(so, `1`);
5975	}
5976
5977	#if GC_DEBUG
5978	CFIL_LOG(LOG_ERR, "CFIL: UDP flow idle timeout check: expired %d idle flows", expired_count);
5979	#endif
5980	expired_count = `0`;
5981
5982	go_sleep:
5983
5984	// Sleep forever (until waken up) if no more UDP flow to clean
5985	cfil_rw_lock_shared(&cfil_lck_rw);
5986	cfil_udp_gc_thread_sleep(cfil_sock_udp_attached_count == `0` ? true : false);
5987	cfil_rw_unlock_shared(&cfil_lck_rw);
5988	thread_block_parameter((thread_continue_t)cfil_info_udp_expire, NULL);
5989	/ NOTREACHED /
5990	}
5991
5992	struct m_tag *
5993	cfil_udp_save_socket_state(struct cfil_info cfil_info, struct* mbuf *m)
5994	{
5995	struct m_tag *tag = NULL;
5996	struct cfil_tag *ctag = NULL;
5997	struct cfil_hash_entry *hash_entry = NULL;
5998
5999	if (cfil_info == NULL \|\| cfil_info->cfi_so == NULL \|\|
6000	cfil_info->cfi_hash_entry == NULL \|\| m == NULL \|\| !(m->m_flags & M_PKTHDR)) {
6001	return NULL;
6002	}
6003
6004	/ Allocate a tag /
6005	tag = m_tag_create(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_CFIL_UDP,
6006	sizeof(struct cfil_tag), M_DONTWAIT, m);
6007
6008	if (tag) {
6009	ctag = (struct cfil_tag*)(tag + `1`);
6010	ctag->cfil_so_state_change_cnt = cfil_info->cfi_so->so_state_change_cnt;
6011	ctag->cfil_so_options = cfil_info->cfi_so->so_options;
6012
6013	hash_entry = cfil_info->cfi_hash_entry;
6014	if (hash_entry->cfentry_family == AF_INET6) {
6015	fill_ip6_sockaddr_4_6(&ctag->cfil_faddr,
6016	&hash_entry->cfentry_faddr.addr6,
6017	hash_entry->cfentry_fport);
6018	} else if (hash_entry->cfentry_family == AF_INET) {
6019	fill_ip_sockaddr_4_6(&ctag->cfil_faddr,
6020	hash_entry->cfentry_faddr.addr46.ia46_addr4,
6021	hash_entry->cfentry_fport);
6022	}
6023	m_tag_prepend(m, tag);
6024	return (tag);
6025	}
6026	return NULL;
6027	}
6028
6029	struct m_tag *
6030	cfil_udp_get_socket_state(struct mbuf m, uint32_t state_change_cnt, short *options,
6031	struct sockaddr **faddr)
6032	{
6033	struct m_tag *tag = NULL;
6034	struct cfil_tag *ctag = NULL;
6035
6036	tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_CFIL_UDP, NULL);
6037	if (tag) {
6038	ctag = (struct cfil_tag *)(tag + `1`);
6039	if (state_change_cnt)
6040	*state_change_cnt = ctag->cfil_so_state_change_cnt;
6041	if (options)
6042	*options = ctag->cfil_so_options;
6043	if (faddr)
6044	faddr = (struct* sockaddr *) &ctag->cfil_faddr;
6045
6046	/*
6047	* Unlink tag and hand it over to caller.
6048	* Note that caller will be responsible to free it.
6049	*/
6050	m_tag_unlink(m, tag);
6051	return tag;
6052	}
6053	return NULL;
6054	}
6055
6056
6057

Browse the source code of xnu/bsd/net/content_filter.c