From fa87b3aff7e1469fee28ed9efc5d172470edb756 Mon Sep 17 00:00:00 2001 From: Thomas BERNARD Date: Mon, 16 Dec 2013 13:03:54 +0100 Subject: [PATCH] miniupnpd: attempt to compile for OS X/pf --- miniupnpd/Changelog.txt | 3 +++ miniupnpd/INSTALL | 10 ++++++++++ miniupnpd/Makefile.macosx | 23 +++++++++++++++++++---- miniupnpd/genconfig.sh | 9 ++++++++- miniupnpd/pf/obsdrdr.c | 28 ++++++++++++++++++++++++++++ 5 files changed, 68 insertions(+), 5 deletions(-) diff --git a/miniupnpd/Changelog.txt b/miniupnpd/Changelog.txt index 4c7afc4..f2761ea 100644 --- a/miniupnpd/Changelog.txt +++ b/miniupnpd/Changelog.txt @@ -1,5 +1,8 @@ $Id: Changelog.txt,v 1.346 2013/12/13 13:41:52 nanard Exp $ +2013/12/16: + Attempt to compile with OS X/pf + 2013/12/13: Make all manufacturer info configurable thanks to Leo Moll Merge PCP support (see https://github.com/miniupnp/miniupnp) diff --git a/miniupnpd/INSTALL b/miniupnpd/INSTALL index e6a6fbc..92d2dd3 100644 --- a/miniupnpd/INSTALL +++ b/miniupnpd/INSTALL @@ -55,6 +55,16 @@ http://blogs.sun.com/avalon/category/IPFilter Or edit config.h after it has been generated by genconfig.sh - use 'bsdmake' or 'make -f Makefile.macosx' to build +============================== Mac OS X/pf ================================ + +Starting with Mac OS X 10.7 Lion, pf replaced ipfw as the OS X firewall. +also bsdmake is not available anymore. +Make sure you have installed the Xcode commande line tools (from the +Xcode Preferences menu or using 'xcode-select --install' command) + +You'll need to download xnu sources : https://github.com/opensource-apple/xnu +> INCLUDES="-I.../xnu/bsd -I.../xnu/libkern" make -f Makefile.macosx + ============================ Linux/netfilter ============================== To Build and install : diff --git a/miniupnpd/Makefile.macosx b/miniupnpd/Makefile.macosx index f8d2bf9..7520124 100644 --- a/miniupnpd/Makefile.macosx +++ b/miniupnpd/Makefile.macosx 
@@ -3,6 +3,10 @@ # Author: Thomas Bernard # This Makefile should work for MacOSX # +# To compile with pf with OS X 10.7+, you need to specify +# path to XNU bsd sources : +# INCLUDES="-I.../xnu/bsd I.../xnu/libkern" make -f Makefile.macosx +# # To install use : # $ PREFIX=/dummyinstalldir make -f Makefile.macosx install # or : @@ -10,16 +14,20 @@ # CFLAGS = -Wall -O -g3 -DDEBUG #CFLAGS = -Wall -Os -CC = gcc +#CC = gcc #better use clang ! RM = rm -f MV = mv INSTALL = install STRIP = strip +CFLAGS += -DMACOSX + # OSNAME and FWNAME are used for building OS or FW dependent code. OSNAME = $(shell uname) ARCH = $(shell uname -p) -FWNAME = ipfw +# Firewall is ipfw up to OS X 10.6 Snow Leopard +# and pf since OS X 10.7 Lion (Darwin 11.0) +FWNAME = $(shell [ `uname -r | cut -d. -f1` -ge 11 ] && echo "pf" || echo "ipfw" ) STD_OBJS = miniupnpd.o upnphttp.o upnpdescgen.o upnpsoap.o \ upnpredirect.o getifaddr.o daemonize.o upnpglobalvars.o \ @@ -27,9 +35,16 @@ STD_OBJS = miniupnpd.o upnphttp.o upnpdescgen.o upnpsoap.o \ upnpevents.o getconnstatus.o upnputils.o MAC_OBJS = mac/getifstats.o bsd/ifacewatcher.o IPFW_OBJS = ipfw/ipfwrdr.o ipfw/ipfwaux.o +PF_OBJS = pf/obsdrdr.o pf/pfpinhole.o MISC_OBJS = upnpreplyparse.o minixml.o -ALL_OBJS = $(STD_OBJS) $(MISC_OBJS) $(MAC_OBJS) $(IPFW_OBJS) +ALL_OBJS = $(STD_OBJS) $(MISC_OBJS) $(MAC_OBJS) +ifeq ($(FWNAME), ipfw) + ALL_OBJS += $(IPFW_OBJS) +else + ALL_OBJS += $(PF_OBJS) + CFLAGS += -DPF +endif TEST_UPNPDESCGEN_OBJS = testupnpdescgen.o upnpdescgen.o TEST_GETIFSTATS_OBJS = testgetifstats.o mac/getifstats.o @@ -106,5 +121,5 @@ config.h: genconfig.sh .SUFFIXES: .o .c .c.o: - $(CC) $(CFLAGS) -c -o $@ $< + $(CC) $(CFLAGS) $(INCLUDES) -c -o $@ $< # $(CC) $(CFLAGS) -c -o $(.TARGET) $(.IMPSRC) diff --git a/miniupnpd/genconfig.sh b/miniupnpd/genconfig.sh index d4cf5d8..3c2a39e 100755 --- a/miniupnpd/genconfig.sh +++ b/miniupnpd/genconfig.sh 
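Review bot: The example command in the added header comment drops the dash on the second include path, so `I.../xnu/libkern` would reach the compiler as an input file name instead of an include directory. It should read `# INCLUDES="-I.../xnu/bsd -I.../xnu/libkern" make -f Makefile.macosx`, which is how the INSTALL text added by this same commit spells it.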
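Review bot: The new `FWNAME = $(shell ...)` line picks pf or ipfw from the build host's `uname -r`, independently of the Darwin version test this commit adds to genconfig.sh. The object list and `-DPF` can therefore disagree with config.h when that file is stale or hand-edited, which INSTALL allows; what genconfig.sh finally writes for `FW` is outside the visible hunks. A comment above the assignment should say the two must agree and name the override, e.g. `# must match the FW chosen by genconfig.sh; override with 'make -f Makefile.macosx FWNAME=ipfw'`. With `CC = gcc` commented out the compiler becomes make's built-in default, so the same comment should state that explicitly.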
@@ -273,8 +273,15 @@ case $OS_NAME in FW=netfilter ;; Darwin) + MAJORVER=`echo $OS_VERSION | cut -d. -f1` echo "#define USE_IFACEWATCHER 1" >> ${CONFIGFILE} - FW=ipfw + # OS X switched to pf since 10.7 Lion (Darwin 11.0) + if [ $MAJORVER -ge 11 ] ; then + FW=pf + echo "#define PFRULE_INOUT_COUNTS" >> ${CONFIGFILE} + else + FW=ipfw + fi OS_URL=http://developer.apple.com/macosx ;; *) diff --git a/miniupnpd/pf/obsdrdr.c b/miniupnpd/pf/obsdrdr.c index d0287cb..04c2ddb 100644 --- a/miniupnpd/pf/obsdrdr.c +++ b/miniupnpd/pf/obsdrdr.c @@ -45,6 +45,9 @@ #ifdef __DragonFly__ #include #else +#ifdef MACOSX +#define PRIVATE 1 +#endif #include #endif #include @@ -219,9 +222,15 @@ add_redirect_rule2(const char * ifname, pcr.rule.rdr.addr.type = PF_ADDR_ADDRMASK; #endif +#ifdef MACOSX + pcr.rule.dst.xport.range.op = PF_OP_EQ; + pcr.rule.dst.xport.range.port[0] = htons(eport); + pcr.rule.dst.xport.range.port[1] = htons(eport); +#else pcr.rule.dst.port_op = PF_OP_EQ; pcr.rule.dst.port[0] = htons(eport); pcr.rule.dst.port[1] = htons(eport); +#endif #ifndef PF_NEWSTYLE pcr.rule.action = PF_RDR; #ifndef PF_ENABLE_FILTER_RULES @@ -490,8 +499,13 @@ get_redirect_rule(const char * ifname, unsigned short eport, int proto, syslog(LOG_ERR, "ioctl(dev, DIOCGETRULE): %m"); goto error; } +#ifdef MACOSX + if( (eport == ntohs(pr.rule.dst.xport.range.port[0])) + && (eport == ntohs(pr.rule.dst.xport.range.port[1])) +#else if( (eport == ntohs(pr.rule.dst.port[0])) && (eport == ntohs(pr.rule.dst.port[1])) +#endif && (pr.rule.proto == proto) ) { #ifndef PF_NEWSTYLE 
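Review bot: `$MAJORVER` is unquoted in the added `if [ $MAJORVER -ge 11 ]`, so an empty `OS_VERSION` makes `[` fail with a syntax error and the script falls through to `FW=ipfw` without saying why. Quoting it with a default keeps the test well-formed: `if [ "${MAJORVER:-0}" -ge 11 ] ; then`. `OS_VERSION` is assigned outside this hunk, so whether it can hold something other than `uname -r` output should be confirmed there. The enclosing `case` also starts and ends outside the hunk.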
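Review bot: `#define PRIVATE 1` in the include block of pf/obsdrdr.c stays defined for every header included after it, not only the pf header it is meant for (the header names are not visible in this view of the hunk). It switches on kernel-private declarations from separately downloaded XNU sources, so the layout of the rule structures (`pcr`, `pr`) passed to the `DIOCGETRULE`-style ioctls depends on those sources matching the running kernel. A mismatched tree could compile cleanly and then hand the kernel structures of the wrong shape. I would add a comment saying so next to the define, and limit its reach with `#undef PRIVATE` right after the include if no later header needs it.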
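Review bot: The same `#ifdef MACOSX` / `#else` pair around the destination-port field appears in add_redirect_rule2 and again in get_redirect_rule, delete_redirect_rule, get_redirect_rule_by_index and get_portmappings_in_range. In three of those it splits an `if(` condition in the middle of the expression, which is easy to break on a later edit. One pair of accessors near the includes would remove the conditionals from the function bodies: `#define RULE_DST_PORT(r) ((r).dst.xport.range.port)` under MACOSX and `#define RULE_DST_PORT(r) ((r).dst.port)` otherwise, with a matching macro for the port operator field. Call sites then read `ntohs(RULE_DST_PORT(pr.rule)[0])` on every platform. All of these function bodies start and end outside their hunks.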
@@ -591,8 +605,13 @@ delete_redirect_rule(const char * ifname, unsigned short eport, int proto) syslog(LOG_ERR, "ioctl(dev, DIOCGETRULE): %m"); goto error; } +#ifdef MACOSX + if( (eport == ntohs(pr.rule.dst.xport.range.port[0])) + && (eport == ntohs(pr.rule.dst.xport.range.port[1])) +#else if( (eport == ntohs(pr.rule.dst.port[0])) && (eport == ntohs(pr.rule.dst.port[1])) +#endif && (pr.rule.proto == proto) ) { pr.action = PF_CHANGE_GET_TICKET; @@ -710,7 +729,11 @@ get_redirect_rule_by_index(int index, goto error; } *proto = pr.rule.proto; +#ifdef MACOSX + *eport = ntohs(pr.rule.dst.xport.range.port[0]); +#else *eport = ntohs(pr.rule.dst.port[0]); +#endif #ifndef PF_NEWSTYLE *iport = pr.rule.rpool.proxy_port[0]; #else @@ -822,8 +845,13 @@ get_portmappings_in_range(unsigned short startport, unsigned short endport, syslog(LOG_ERR, "ioctl(dev, DIOCGETRULE): %m"); continue; } +#ifdef MACOSX + eport = ntohs(pr.rule.dst.xport.range.port[0]); + if( (eport == ntohs(pr.rule.dst.xport.range.port[1])) +#else eport = ntohs(pr.rule.dst.port[0]); if( (eport == ntohs(pr.rule.dst.port[1])) +#endif && (pr.rule.proto == proto) && (startport <= eport) && (eport <= endport) ) {