1/*
2 * Copyright (c) 2008-2021 Apple Computer, Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28/*!
29 * @header kpi_socketfilter.h
30 * This header defines an API for intercepting communications at the
31 * socket layer.
32 *
33 * For the most part, socket filters want to do three things: Filter
34 * data in and out, watch for state changes, and intercept a few calls
35 * for security. The number of function pointers supplied by a socket
36 * filter has been significantly reduced. The filter no longer has any
37 * knowledge of socket buffers. The filter no longer intercepts nearly
38 * every internal socket call. There are two data filters, an in
39 * filter, and an out filter. The in filter occurs before data is
40 * placed in the receive socket buffer. This is done to avoid waking
41 * the process unnecessarily. The out filter occurs before the data is
42 * appended to the send socket buffer. This should cover inbound and
43 * outbound data. For monitoring state changes, we've added a notify
44 * function that will be called when various events that the filter can
45 * not intercept occur. In addition, we've added a few functions that a
46 * filter may use to intercept common operations. These functions are:
47 * connect (inbound), connect (outbound), bind, set socket option,
48 * get socket option, and listen. Bind, listen, connect in, and connect
49 * out could be used together to build a fairly comprehensive firewall
50 * without having to do much with individual packets.
51 */
52#ifndef __KPI_SOCKETFILTER__
53#define __KPI_SOCKETFILTER__
54
55#include <sys/kernel_types.h>
56#include <sys/kpi_socket.h>
57
58#ifndef PRIVATE
59#include <Availability.h>
60#define __NKE_API_DEPRECATED __API_DEPRECATED("Network Kernel Extension KPI is deprecated", macos(10.4, 10.15))
61#else
62#define __NKE_API_DEPRECATED
63#endif /* PRIVATE */
64
65struct sockaddr;
66
67/*!
68 * @enum sflt_flags
69 * @abstract Constants defining mbuf flags. Only the flags listed below
70 * can be set or retrieved.
71 * @constant SFLT_GLOBAL Indicates this socket filter should be
72 * attached to all new sockets when they're created.
73 * @constant SFLT_PROG Indicates this socket filter should be attached
74 * only when request by the application using the SO_NKE socket
75 * option.
76 * @constant SFLT_EXTENDED Indicates that this socket filter utilizes
77 * the extended fields within the sflt_filter structure.
78 * @constant SFLT_EXTENDED_REGISTRY Indicates that this socket filter
79 * wants to attach to all the sockets already present on the
80 * system. It will also receive notifications for these sockets.
81 */
82enum {
83 SFLT_GLOBAL = 0x01,
84 SFLT_PROG = 0x02,
85 SFLT_EXTENDED = 0x04,
86 SFLT_EXTENDED_REGISTRY = 0x08
87};
88typedef u_int32_t sflt_flags;
89
90/*!
91 * @typedef sflt_handle
92 * @abstract A 4 byte identifier used with the SO_NKE socket option to
93 * identify the socket filter to be attached.
94 */
95typedef u_int32_t sflt_handle;
96
97/*!
98 * @enum sflt_event_t
99 * @abstract Events notify a filter of state changes and other various
100 * events related to the socket. These events cannot be prevented
101 * or intercepted, only observed.
102 * @constant sock_evt_connected Indicates this socket has moved to the
103 * connected state.
104 * @constant sock_evt_disconnected Indicates this socket has moved to
105 * the disconnected state.
106 * @constant sock_evt_flush_read The read socket buffer has been
107 * flushed.
108 * @constant sock_evt_shutdown The read and or write side(s) of the
109 * connection have been shutdown. The param will point to an
110 * integer that indicates the direction that has been shutdown. See
111 * 'man 2 shutdown' for more information.
112 * @constant sock_evt_cantrecvmore Indicates the socket cannot receive
113 * more data.
114 * @constant sock_evt_cantsendmore Indicates the socket cannot send
115 * more data.
116 * @constant sock_evt_closing Indicates the socket is closing.
117 * @constant sock_evt_bound Indicates this socket has moved to the
118 * bound state (only for PF_INET/PF_INET6 domain).
119 */
120enum {
121 sock_evt_connecting = 1,
122 sock_evt_connected = 2,
123 sock_evt_disconnecting = 3,
124 sock_evt_disconnected = 4,
125 sock_evt_flush_read = 5,
126 sock_evt_shutdown = 6, /* param points to an integer specifying how (read, write, or both) see man 2 shutdown */
127 sock_evt_cantrecvmore = 7,
128 sock_evt_cantsendmore = 8,
129 sock_evt_closing = 9,
130 sock_evt_bound = 10
131};
132typedef u_int32_t sflt_event_t;
133
134/*!
135 * @enum sflt_data_flag_t
136 * @abstract Inbound and outbound data filters may handle many
137 * different types of incoming and outgoing data. These flags help
138 * distinguish between normal data, out-of-band data, and records.
139 * @constant sock_data_filt_flag_oob Indicates this data is out-of-band
140 * data.
141 * @constant sock_data_filt_flag_record Indicates this data is a
142 * record. This flag is only ever seen on inbound data.
143 */
144enum {
145 sock_data_filt_flag_oob = 1,
146 sock_data_filt_flag_record = 2
147};
148typedef u_int32_t sflt_data_flag_t;
149
150__BEGIN_DECLS
151
152/*!
153 * @typedef sf_unregistered_func
154 *
155 * @discussion sf_unregistered_func is called to notify the filter it
156 * has been unregistered. This is the last function the stack will
157 * call and this function will only be called once all other
158 * function calls in to your filter have completed. Once this
159 * function has been called, your kext may safely unload.
160 * @param handle The socket filter handle used to identify this filter.
161 */
162typedef void (*sf_unregistered_func)(sflt_handle handle);
163
164/*!
165 * @typedef sf_attach_func
166 *
167 * @discussion sf_attach_func is called to notify the filter it has
168 * been attached to a socket. The filter may allocate memory for
169 * this attachment and use the cookie to track it. This filter is
170 * called in one of two cases:
171 * 1) You've installed a global filter and a new socket was created.
172 * 2) Your non-global socket filter is being attached using the SO_NKE
173 * socket option.
174 * @param cookie Used to allow the socket filter to set the cookie for
175 * this attachment.
176 * @param so The socket the filter is being attached to.
177 * @result If you return a non-zero value, your filter will not be
178 * attached to this socket.
179 */
180typedef errno_t (*sf_attach_func)(void **cookie, socket_t so);
181
182/*!
183 * @typedef sf_detach_func
184 *
185 * @discussion sf_detach_func is called to notify the filter it has
186 * been detached from a socket. If the filter allocated any memory
187 * for this attachment, it should be freed. This function will
188 * be called when the socket is disposed of.
189 * @param cookie Cookie value specified when the filter attach was
190 * called.
191 * @param so The socket the filter is attached to.
192 * @discussion If you return a non-zero value, your filter will not be
193 * attached to this socket.
194 */
195typedef void (*sf_detach_func)(void *cookie, socket_t so);
196
197/*!
198 * @typedef sf_notify_func
199 *
200 * @discussion sf_notify_func is called to notify the filter of various
201 * state changes and other events occuring on the socket.
202 * @param cookie Cookie value specified when the filter attach was
203 * called.
204 * @param so The socket the filter is attached to.
205 * @param event The type of event that has occurred.
206 * @param param Additional information about the event.
207 */
208typedef void (*sf_notify_func)(void *cookie, socket_t so, sflt_event_t event,
209 void *param);
210
211/*!
212 * @typedef sf_getpeername_func
213 *
214 * @discussion sf_getpeername_func is called to allow a filter to
215 * to intercept the getpeername function. When called, sa will
216 * point to a pointer to a socket address that was malloced
217 * in zone M_SONAME. If you want to replace this address, either
218 * modify the currenty copy or allocate a new one and free the
219 * old one.
220 * @param cookie Cookie value specified when the filter attach was
221 * called.
222 * @param so The socket the filter is attached to.
223 * @param sa A pointer to a socket address pointer.
224 * @result If you return a non-zero value, processing will stop. If
225 * you return EJUSTRETURN, no further filters will be called
226 * but a result of zero will be returned to the caller of
227 * getpeername.
228 */
229typedef int (*sf_getpeername_func)(void *cookie, socket_t so,
230 struct sockaddr **sa);
231
232/*!
233 * @typedef sf_getsockname_func
234 *
235 * @discussion sf_getsockname_func is called to allow a filter to
236 * to intercept the getsockname function. When called, sa will
237 * point to a pointer to a socket address that was malloced
238 * in zone M_SONAME. If you want to replace this address, either
239 * modify the currenty copy or allocate a new one and free the
240 * old one.
241 * @param cookie Cookie value specified when the filter attach was
242 * called.
243 * @param so The socket the filter is attached to.
244 * @param sa A pointer to a socket address pointer.
245 * @result If you return a non-zero value, processing will stop. If
246 * you return EJUSTRETURN, no further filters will be called
247 * but a result of zero will be returned to the caller of
248 * getsockname.
249 */
250typedef int (*sf_getsockname_func)(void *cookie, socket_t so,
251 struct sockaddr **sa);
252
253/*!
254 * @typedef sf_data_in_func
255 *
256 * @discussion sf_data_in_func is called to filter incoming data. If your
257 * filter intercepts data for later reinjection, it must queue
258 * all incoming data to preserve the order of the data. Use
259 * sock_inject_data_in to later reinject this data if you return
260 * EJUSTRETURN. Warning: This filter is on the data path. Do not
261 * spend excesive time. Do not wait for data on another socket.
262 * @param cookie Cookie value specified when the filter attach was
263 * called.
264 * @param so The socket the filter is attached to.
265 * @param from The addres the data is from, may be NULL if the socket
266 * is connected.
267 * @param data The data being received. Control data may appear in the
268 * mbuf chain, be sure to check the mbuf types to find control
269 * data.
270 * @param control Control data being passed separately from the data.
271 * @param flags Flags to indicate if this is out of band data or a
272 * record.
273 * @result Return:
274 * 0 - The caller will continue with normal processing of the data.
275 * EJUSTRETURN - The caller will stop processing the data, the
276 * data will not be freed.
277 * Anything Else - The caller will free the data and stop
278 * processing.
279 */
280typedef errno_t (*sf_data_in_func)(void *cookie, socket_t so,
281 const struct sockaddr *from, mbuf_t *data, mbuf_t *control,
282 sflt_data_flag_t flags);
283
284/*!
285 * @typedef sf_data_out_func
286 *
287 * @discussion sf_data_out_func is called to filter outbound data. If
288 * your filter intercepts data for later reinjection, it must queue
289 * all outbound data to preserve the order of the data when
290 * reinjecting. Use sock_inject_data_out to later reinject this
291 * data.
292 * @param cookie Cookie value specified when the filter attach was
293 * called.
294 * @param so The socket the filter is attached to.
295 * @param to The address the data is to, may be NULL if the socket
296 * is connected.
297 * @param data The data being received. Control data may appear in the
298 * mbuf chain, be sure to check the mbuf types to find control
299 * data.
300 * @param control Control data being passed separately from the data.
301 * @param flags Flags to indicate if this is out of band data or a
302 * record.
303 * @result Return:
304 * 0 - The caller will continue with normal processing of the data.
305 * EJUSTRETURN - The caller will stop processing the data,
306 * the data will not be freed.
307 * Anything Else - The caller will free the data and stop
308 * processing.
309 */
310typedef errno_t (*sf_data_out_func)(void *cookie, socket_t so,
311 const struct sockaddr *to, mbuf_t *data, mbuf_t *control,
312 sflt_data_flag_t flags);
313
314/*!
315 * @typedef sf_connect_in_func
316 *
317 * @discussion sf_connect_in_func is called to filter inbound connections.
318 * A protocol will call this before accepting an incoming
319 * connection and placing it on the queue of completed connections.
320 * Warning: This filter is on the data path. Do not spend excesive
321 * time. Do not wait for data on another socket.
322 * @param cookie Cookie value specified when the filter attach was
323 * called.
324 * @param so The socket the filter is attached to.
325 * @param from The address the incoming connection is from.
326 * @result Return:
327 * 0 - The caller will continue with normal processing of the
328 * connection.
329 * Anything Else - The caller will rejecting the incoming
330 * connection.
331 */
332typedef errno_t (*sf_connect_in_func)(void *cookie, socket_t so,
333 const struct sockaddr *from);
334
335/*!
336 * @typedef sf_connect_out_func
337 *
338 * @discussion sf_connect_out_func is called to filter outbound
339 * connections. A protocol will call this before initiating an
340 * outbound connection.
341 * @param cookie Cookie value specified when the filter attach was
342 * called.
343 * @param so The socket the filter is attached to.
344 * @param to The remote address of the outbound connection.
345 * @result Return:
346 * 0 - The caller will continue with normal processing of the
347 * connection.
348 * EJUSTRETURN - The caller will return with a value of 0 (no error)
349 * from that point without further processing the connect command. The
350 * protocol layer will not see the call.
351 * Anything Else - The caller will rejecting the outbound
352 * connection.
353 */
354typedef errno_t (*sf_connect_out_func)(void *cookie, socket_t so,
355 const struct sockaddr *to);
356
357/*!
358 * @typedef sf_bind_func
359 *
360 * @discussion sf_bind_func is called before performing a bind
361 * operation on a socket.
362 * @param cookie Cookie value specified when the filter attach was
363 * called.
364 * @param so The socket the filter is attached to.
365 * @param to The local address of the socket will be bound to.
366 * @result Return:
367 * 0 - The caller will continue with normal processing of the bind.
368 * EJUSTRETURN - The caller will return with a value of 0 (no error)
369 * from that point without further processing the bind command. The
370 * protocol layer will not see the call.
371 * Anything Else - The caller will rejecting the bind.
372 */
373typedef errno_t (*sf_bind_func)(void *cookie, socket_t so,
374 const struct sockaddr *to);
375
376/*!
377 * @typedef sf_setoption_func
378 *
379 * @discussion sf_setoption_func is called before performing setsockopt
380 * on a socket.
381 * @param cookie Cookie value specified when the filter attach was
382 * called.
383 * @param so The socket the filter is attached to.
384 * @param opt The socket option to set.
385 * @result Return:
386 * 0 - The caller will continue with normal processing of the
387 * setsockopt.
388 * EJUSTRETURN - The caller will return with a value of 0 (no error)
389 * from that point without further propagating the set option
390 * command. The socket and protocol layers will not see the call.
391 * Anything Else - The caller will stop processing and return
392 * this error.
393 */
394typedef errno_t (*sf_setoption_func)(void *cookie, socket_t so, sockopt_t opt);
395
396/*!
397 * @typedef sf_getoption_func
398 *
399 * @discussion sf_getoption_func is called before performing getsockopt
400 * on a socket.
401 * @param cookie Cookie value specified when the filter attach was
402 * called.
403 * @param so The socket the filter is attached to.
404 * @param opt The socket option to get.
405 * @result Return:
406 * 0 - The caller will continue with normal processing of the
407 * getsockopt.
408 * EJUSTRETURN - The caller will return with a value of 0 (no error)
409 * from that point without further propagating the get option
410 * command. The socket and protocol layers will not see the call.
411 * Anything Else - The caller will stop processing and return
412 * this error.
413 */
414typedef errno_t (*sf_getoption_func)(void *cookie, socket_t so, sockopt_t opt);
415
416/*!
417 * @typedef sf_listen_func
418 *
419 * @discussion sf_listen_func is called before performing listen
420 * on a socket.
421 * @param cookie Cookie value specified when the filter attach was
422 * called.
423 * @param so The socket the filter is attached to.
424 * @result Return:
425 * 0 - The caller will continue with normal processing of listen.
426 * EJUSTRETURN - The caller will return with a value of 0 (no error)
427 * from that point without further processing the listen command. The
428 * protocol will not see the call.
429 * Anything Else - The caller will stop processing and return
430 * this error.
431 */
432typedef errno_t (*sf_listen_func)(void *cookie, socket_t so);
433
434/*!
435 * @typedef sf_ioctl_func
436 *
437 * @discussion sf_ioctl_func is called before performing an ioctl
438 * on a socket.
439 *
440 * All undefined ioctls are reserved for future use by Apple. If
441 * you need to communicate with your kext using an ioctl, please
442 * use SIOCSIFKPI and SIOCGIFKPI.
443 * @param cookie Cookie value specified when the filter attach was
444 * called.
445 * @param so The socket the filter is attached to.
446 * @param request The ioctl name.
447 * @param argp A pointer to the ioctl parameter.
448 * @result Return:
449 * 0 - The caller will continue with normal processing of
450 * this ioctl.
451 * EJUSTRETURN - The caller will return with a value of 0 (no error)
452 * from that point without further processing or propogating
453 * the ioctl.
454 * Anything Else - The caller will stop processing and return
455 * this error.
456 */
457typedef errno_t (*sf_ioctl_func)(void *cookie, socket_t so,
458 unsigned long request, const char* argp);
459
460/*!
461 * @typedef sf_accept_func
462 *
463 * @discussion sf_accept_func is called after a socket is dequeued
464 * off the completed (incoming) connection list and before
465 * the file descriptor is associated with it. A filter can
466 * utilize this callback to intercept the accepted socket
467 * in order to examine it, prior to returning the socket to
468 * the caller of accept. Such a filter may also choose to
469 * discard the accepted socket if it wishes to do so.
470 * @param cookie Cookie value specified when the filter attach was called.
471 * @param so_listen The listening socket.
472 * @param so The socket that is about to be accepted.
473 * @param local The local address of the about to be accepted socket.
474 * @param remote The remote address of the about to be accepted socket.
475 * @result Return:
476 * 0 - The caller will continue with normal processing of accept.
477 * EJUSTRETURN - The to be accepted socket will be disconnected
478 * prior to being returned to the caller of accept. No further
479 * control or data operations on the socket will be allowed.
480 * This is the recommended return value as it has the least
481 * amount of impact, especially to applications which don't
482 * check the error value returned by accept.
483 * Anything Else - The to be accepted socket will be closed and
484 * the error will be returned to the caller of accept.
485 * Note that socket filter developers are advised to exercise
486 * caution when returning non-zero values to the caller,
487 * since some applications don't check the error value
488 * returned by accept and therefore risk breakage.
489 */
490typedef errno_t (*sf_accept_func)(void *cookie, socket_t so_listen, socket_t so,
491 const struct sockaddr *local, const struct sockaddr *remote);
492
493/*!
494 * @struct sflt_filter
495 * @discussion This structure is used to define a socket filter.
496 * @field sf_handle A value used to find socket filters by
497 * applications. An application can use this value to specify that
498 * this filter should be attached when using the SO_NKE socket
499 * option.
500 * @field sf_flags Indicate whether this filter should be attached to
501 * all new sockets or just those that request the filter be
502 * attached using the SO_NKE socket option. If this filter
503 * utilizes the socket filter extension fields, it must also
504 * set SFLT_EXTENDED.
505 * @field sf_name A name used for debug purposes.
506 * @field sf_unregistered Your function for being notified when your
507 * filter has been unregistered.
508 * @field sf_attach Your function for handling attaches to sockets.
509 * @field sf_detach Your function for handling detaches from sockets.
510 * @field sf_notify Your function for handling events. May be null.
511 * @field sf_data_in Your function for handling incoming data. May be
512 * null.
513 * @field sf_data_out Your function for handling outgoing data. May be
514 * null.
515 * @field sf_connect_in Your function for handling inbound
516 * connections. May be null.
517 * @field sf_connect_out Your function for handling outbound
518 * connections. May be null.
519 * @field sf_bind Your function for handling binds. May be null.
520 * @field sf_setoption Your function for handling setsockopt. May be null.
521 * @field sf_getoption Your function for handling getsockopt. May be null.
522 * @field sf_listen Your function for handling listen. May be null.
523 * @field sf_ioctl Your function for handling ioctls. May be null.
524 * @field sf_len Length of socket filter extension structure; developers
525 * must initialize this to sizeof sflt_filter_ext structure.
526 * This field and all fields following it will only be valid
527 * if SFLT_EXTENDED flag is set in sf_flags field.
528 * @field sf_ext_accept Your function for handling inbound connections
529 * at accept time. May be null.
530 * @field sf_ext_rsvd Reserved for future use; you must initialize
531 * the reserved fields with zeroes.
532 */
533struct sflt_filter {
534 sflt_handle sf_handle;
535 int sf_flags;
536 char *sf_name;
537
538 sf_unregistered_func sf_unregistered;
539 sf_attach_func sf_attach;
540 sf_detach_func sf_detach;
541
542 sf_notify_func sf_notify;
543 sf_getpeername_func sf_getpeername;
544 sf_getsockname_func sf_getsockname;
545 sf_data_in_func sf_data_in;
546 sf_data_out_func sf_data_out;
547 sf_connect_in_func sf_connect_in;
548 sf_connect_out_func sf_connect_out;
549 sf_bind_func sf_bind;
550 sf_setoption_func sf_setoption;
551 sf_getoption_func sf_getoption;
552 sf_listen_func sf_listen;
553 sf_ioctl_func sf_ioctl;
554 /*
555 * The following are valid only if SFLT_EXTENDED flag is set.
556 * Initialize sf_ext_len to sizeof sflt_filter_ext structure.
557 * Filters must also initialize reserved fields with zeroes.
558 */
559 struct sflt_filter_ext {
560 unsigned int sf_ext_len;
561 sf_accept_func sf_ext_accept;
562 void *sf_ext_rsvd[5]; /* Reserved */
563 } sf_ext;
564#define sf_len sf_ext.sf_ext_len
565#define sf_accept sf_ext.sf_ext_accept
566};
567
568/*!
569 * @function sflt_register
570 * @discussion Registers a socket filter. See 'man 2 socket' for a
571 * desciption of domain, type, and protocol.
572 * @param filter A structure describing the filter.
573 * @param domain The protocol domain these filters will be attached to.
574 * Only PF_INET & PF_INET6 domains are supported.
575 * @param type The socket type these filters will be attached to.
576 * @param protocol The protocol these filters will be attached to.
577 * @result 0 on success otherwise the errno error.
578 */
579#ifdef KERNEL_PRIVATE
580extern errno_t sflt_register_internal(const struct sflt_filter *filter,
581 int domain, int type, int protocol);
582
583#define sflt_register(filter, domain, type, protocol) \
584 sflt_register_internal((filter), (domain), (type), (protocol))
585#else
586extern errno_t sflt_register(const struct sflt_filter *filter, int domain,
587 int type, int protocol)
588__NKE_API_DEPRECATED;
589#endif /* KERNEL_PRIVATE */
590
591/*!
592 * @function sflt_unregister
593 * @discussion Unregisters a socket filter. This will not detach the
594 * socket filter from all sockets it may be attached to at the
595 * time, it will just prevent the socket filter from being attached
596 * to any new sockets.
597 * @param handle The sf_handle of the socket filter to unregister.
598 * @result 0 on success otherwise the errno error.
599 */
600extern errno_t sflt_unregister(sflt_handle handle)
601__NKE_API_DEPRECATED;
602
603/*!
604 * @function sflt_attach
605 * @discussion Attaches a socket filter to the specified socket. A
606 * filter must be registered before it can be attached.
607 * @param socket The socket the filter should be attached to.
608 * @param handle The handle of the registered filter to be attached.
609 * @result 0 on success otherwise the errno error.
610 */
611extern errno_t sflt_attach(socket_t socket, sflt_handle handle)
612__NKE_API_DEPRECATED;
613
614/*!
615 * @function sflt_detach
616 * @discussion Detaches a socket filter from a specified socket.
617 * @param socket The socket the filter should be detached from.
618 * @param handle The handle of the registered filter to be detached.
619 * @result 0 on success otherwise the errno error.
620 */
621extern errno_t sflt_detach(socket_t socket, sflt_handle handle)
622__NKE_API_DEPRECATED;
623
624/* Functions for manipulating sockets */
625/*
626 * Inject data in to the receive buffer of the socket as if it
627 * had come from the network.
628 *
629 * flags should match sflt_data_flag_t
630 */
631
632/*!
633 * @function sock_inject_data_in
634 * @discussion Inject data in to the receive buffer of the socket as if
635 * it had come from the network.
636 * @param so The socket to inject the data on.
637 * @param from The address the data is from, only necessary on
638 * un-connected sockets. A copy of the address will be made, caller
639 * is responsible for freeing the address after calling this
640 * function.
641 * @param data The data and possibly control mbufs.
642 * @param control The separate control mbufs.
643 * @param flags Flags indicating the type of data.
644 * @result 0 on success otherwise the errno error. If the function
645 * returns an error, the caller is responsible for freeing the
646 * mbuf.
647 */
648extern errno_t sock_inject_data_in(socket_t so, const struct sockaddr *from,
649 mbuf_t data, mbuf_t control, sflt_data_flag_t flags)
650__NKE_API_DEPRECATED;
651
652/*!
653 * @function sock_inject_data_out
654 * @discussion Inject data in to the send buffer of the socket as if it
655 * had come from the client.
656 * @param so The socket to inject the data on.
657 * @param to The address the data should be sent to, only necessary on
658 * un-connected sockets. The caller is responsible for freeing the
659 * to address after sock_inject_data_out returns.
660 * @param data The data and possibly control mbufs.
661 * @param control The separate control mbufs.
662 * @param flags Flags indicating the type of data.
663 * @result 0 on success otherwise the errno error. The data and control
664 * values are always freed regardless of return value.
665 */
666extern errno_t sock_inject_data_out(socket_t so, const struct sockaddr *to,
667 mbuf_t data, mbuf_t control, sflt_data_flag_t flags)
668__NKE_API_DEPRECATED;
669
670
671/*
672 * sockopt_t accessors
673 */
674
675enum {
676 sockopt_get = 1,
677 sockopt_set = 2
678};
679typedef u_int8_t sockopt_dir;
680
681/*!
682 * @function sockopt_direction
683 * @discussion Retrieves the direction of the socket option (Get or
684 * Set).
685 * @param sopt The socket option.
686 * @result sock_opt_get or sock_opt_set.
687 */
688extern sockopt_dir sockopt_direction(sockopt_t sopt)
689__NKE_API_DEPRECATED;
690
691/*!
692 * @function sockopt_level
693 * @discussion Retrieves the socket option level. (SOL_SOCKET, etc).
694 * @param sopt The socket option.
695 * @result The socket option level. See man 2 setsockopt
696 */
697extern int sockopt_level(sockopt_t sopt)
698__NKE_API_DEPRECATED;
699
700/*!
701 * @function sockopt_name
702 * @discussion Retrieves the socket option name. (SO_SNDBUF, etc).
703 * @param sopt The socket option.
704 * @result The socket option name. See man 2 setsockopt
705 */
706extern int sockopt_name(sockopt_t sopt)
707__NKE_API_DEPRECATED;
708
709/*!
710 * @function sockopt_valsize
711 * @discussion Retrieves the size of the socket option data.
712 * @param sopt The socket option.
713 * @result The length, in bytes, of the data.
714 */
715extern size_t sockopt_valsize(sockopt_t sopt)
716__NKE_API_DEPRECATED;
717
718/*!
719 * @function sockopt_copyin
720 * @discussion Copies the data from the socket option to a buffer.
721 * @param sopt The socket option.
722 * @param data A pointer to the buffer to copy the data in to.
723 * @param length The number of bytes to copy.
724 * @result An errno error or zero upon success.
725 */
726extern errno_t sockopt_copyin(sockopt_t sopt, void *data, size_t length)
727__NKE_API_DEPRECATED;
728
729/*!
730 * @function sockopt_copyout
731 * @discussion Copies the data from a buffer to a socket option.
732 * @param sopt The socket option.
733 * @param data A pointer to the buffer to copy the data out of.
734 * @param length The number of bytes to copy.
735 * @result An errno error or zero upon success.
736 */
737extern errno_t sockopt_copyout(sockopt_t sopt, void *data, size_t length)
738__NKE_API_DEPRECATED;
739
740#undef __NKE_API_DEPRECATED
741__END_DECLS
742#endif /* __KPI_SOCKETFILTER__ */
743