I am writing a Network Kernel Extension on macOS that consists of a Socket Filter and an IP filter. My IP filter works as a kind of firewall: I only want to allow packets through that have been previously tagged as ALLOWED by the socket filter.
In the socket filter sf_data_out_func function, I successfully tag all the mbufs. However, in my ipf_output_func I do not seem to be able to find these tagged packets with mbuf_tag_find().
I am tagging the packets in the socket filter as follows:
static errno_t socket_data_out(void *cookie, socket_t so, const struct sockaddr *to,
                               mbuf_t *data, mbuf_t *control, sflt_data_flag_t flags)
{
    // cookie is the per-socket state installed by the attach callback;
    // sockets without it are not ours, so their data passes through untouched.
    if (!cookie)
        return 0;
    struct my_entry *entry = cookie;
    errno_t ret;
    int *tag_ref = NULL;
    int value = 1;   // Marker stored in the tag; only its presence is checked later

    // Attach an ALLOWED_PACKET tag (under this KEXT's registered tag id) to the
    // outgoing mbuf chain so that a later filter can recognize it.
    if ((ret = mbuf_tag_allocate(*data, my_tag_id, ALLOWED_PACKET, sizeof(value),
                                 MBUF_WAITOK, (void **)&tag_ref)))
    {
        log("mbuf_tag_allocate failed");
    }
    else
    {
        *tag_ref = value;
    }
    return 0;   // 0 lets the data continue down the stack
}
and in the IP filter as follows:
static errno_t ipfilter_output(void *cookie, mbuf_t *data, ipf_pktopts_t options)
{
    errno_t status;
    int *tag_ref;
    size_t len;

    // Look for the tag the socket filter attached. mbuf_tag_find returns 0 only
    // if a tag with this id/type is attached to *this* mbuf chain.
    status = mbuf_tag_find(*data, my_tag_id, ALLOWED_PACKET, &len, (void **)&tag_ref);
    if (status == 0)
        log("Found an allowed packet!");
    return 0;   // 0 passes the packet on unchanged
}
But the IP filter NEVER prints out "Found an allowed packet!".
Can an IP filter find a packet previously tagged in a socket filter?
As far as I see it, there is no guarantee in the documentation that the mbuf as seen by a socket filter is the same mbuf that later on passes an IP filter. If the data is copied from one mbuf to another one, tags are not automatically copied as well.
Socket Filters and IP Filters are two different filter concepts that don't necessarily mix very well. Either you care from which socket data has been sent or you don't. In the first case you only require a Socket Filter, and in the latter one you only require an IP Filter.
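Taking the answer's advice to its conclusion, the allow/deny decision can be made entirely in the Socket Filter: sf_data_out_func already knows the socket and, for unconnected sockets, the destination, so it can refuse the data itself instead of tagging an mbuf that an IP filter may never see in the same form. The following is an added example, not code from the question or the answer. The allow-list of destination ports, the connection_allowed field in struct my_entry, and the host-build stand-in typedefs under #ifndef KERNEL (so the policy logic can be compiled and exercised outside the kernel) are assumptions made for this example; the includes under #ifdef KERNEL are the real KPI headers.

```c
/* Socket-filter-only firewall decision (added example, not the poster's code). */
#ifdef KERNEL
#include <sys/kpi_socketfilter.h>   /* errno_t, socket_t, mbuf_t, sflt_data_flag_t */
#include <sys/kpi_mbuf.h>
#include <sys/socket.h>
#include <sys/errno.h>
#include <netinet/in.h>
#else
/* Host-build stand-ins (assumption: used only to exercise the policy logic off-box). */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>
typedef int errno_t;
typedef struct socket *socket_t;
typedef struct mbuf *mbuf_t;
typedef uint32_t sflt_data_flag_t;
#endif

/* Per-socket state handed to the filter as the cookie. The field is an
 * assumption: the verdict for connected sockets is decided once (e.g. in the
 * connect-out callback) and cached here. */
struct my_entry {
    int connection_allowed;
};

/* Hypothetical allow-list: destination ports the firewall lets through. */
static const uint16_t allowed_ports[] = { 53, 80, 443 };

/* Returns 1 if the destination address passes policy, 0 otherwise.
 * Unknown address families fail closed. */
int policy_allows(const struct sockaddr *to)
{
    uint16_t port;
    if (to == NULL)
        return 0;
    if (to->sa_family == AF_INET)
        port = ntohs(((const struct sockaddr_in *)to)->sin_port);
    else if (to->sa_family == AF_INET6)
        port = ntohs(((const struct sockaddr_in6 *)to)->sin6_port);
    else
        return 0;
    for (size_t i = 0; i < sizeof allowed_ports / sizeof allowed_ports[0]; i++)
        if (allowed_ports[i] == port)
            return 1;
    return 0;
}

/* Convenience for exercising policy_allows with a constructed IPv4 destination. */
int v4_destination_allowed(uint16_t port)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    return policy_allows((const struct sockaddr *)&sin);
}

/* sf_data_out_func: decide here instead of tagging for a later IP filter.
 * Returning 0 lets the data through; returning any errno other than 0 or
 * EJUSTRETURN drops the data and reports that error to the sending socket. */
errno_t socket_data_out(void *cookie, socket_t so, const struct sockaddr *to,
                        mbuf_t *data, mbuf_t *control, sflt_data_flag_t flags)
{
    (void)so; (void)data; (void)control; (void)flags;
    struct my_entry *entry = cookie;
    if (entry == NULL)
        return 0;   /* not a socket we attached to: pass through */

    /* Connected sockets (TCP send()) pass to == NULL: use the cached verdict. */
    if (to == NULL)
        return entry->connection_allowed ? 0 : EPERM;

    /* Unconnected traffic (UDP sendto()) carries its destination: check per datagram. */
    return policy_allows(to) ? 0 : EPERM;
}
```

Because the verdict is produced where the socket is known, there is nothing to correlate across filter layers, which is exactly the coupling the answer warns against. A socket that sends to several destinations is still handled, since the unconnected path checks every datagram.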