1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 
  22 /*
  23  * Copyright (c) 1991, 2010, Oracle and/or its affiliates. All rights reserved.
  24  * Copyright (c) 1990 Mentat Inc.
  25  * Copyright (c) 2011 Joyent, Inc. All rights reserved.
  26  */
  27 
  28 #include <sys/types.h>
  29 #include <sys/stream.h>
  30 #include <sys/dlpi.h>
  31 #include <sys/stropts.h>
  32 #include <sys/sysmacros.h>
  33 #include <sys/strsubr.h>
  34 #include <sys/strlog.h>
  35 #include <sys/strsun.h>
  36 #include <sys/zone.h>
  37 #define _SUN_TPI_VERSION 2
  38 #include <sys/tihdr.h>
  39 #include <sys/xti_inet.h>
  40 #include <sys/ddi.h>
  41 #include <sys/suntpi.h>
  42 #include <sys/cmn_err.h>
  43 #include <sys/debug.h>
  44 #include <sys/kobj.h>
  45 #include <sys/modctl.h>
  46 #include <sys/atomic.h>
  47 #include <sys/policy.h>
  48 #include <sys/priv.h>
  49 #include <sys/taskq.h>
  50 
  51 #include <sys/systm.h>
  52 #include <sys/param.h>
  53 #include <sys/kmem.h>
  54 #include <sys/sdt.h>
  55 #include <sys/socket.h>
  56 #include <sys/vtrace.h>
  57 #include <sys/isa_defs.h>
  58 #include <sys/mac.h>
  59 #include <net/if.h>
  60 #include <net/if_arp.h>
  61 #include <net/route.h>
  62 #include <sys/sockio.h>
  63 #include <netinet/in.h>
  64 #include <net/if_dl.h>
  65 
  66 #include <inet/common.h>
  67 #include <inet/mi.h>
  68 #include <inet/mib2.h>
  69 #include <inet/nd.h>
  70 #include <inet/arp.h>
  71 #include <inet/snmpcom.h>
  72 #include <inet/optcom.h>
  73 #include <inet/kstatcom.h>
  74 
  75 #include <netinet/igmp_var.h>
  76 #include <netinet/ip6.h>
  77 #include <netinet/icmp6.h>
  78 #include <netinet/sctp.h>
  79 
  80 #include <inet/ip.h>
  81 #include <inet/ip_impl.h>
  82 #include <inet/ip6.h>
  83 #include <inet/ip6_asp.h>
  84 #include <inet/tcp.h>
  85 #include <inet/tcp_impl.h>
  86 #include <inet/ip_multi.h>
  87 #include <inet/ip_if.h>
  88 #include <inet/ip_ire.h>
  89 #include <inet/ip_ftable.h>
  90 #include <inet/ip_rts.h>
  91 #include <inet/ip_ndp.h>
  92 #include <inet/ip_listutils.h>
  93 #include <netinet/igmp.h>
  94 #include <netinet/ip_mroute.h>
  95 #include <inet/ipp_common.h>
  96 
  97 #include <net/pfkeyv2.h>
  98 #include <inet/sadb.h>
  99 #include <inet/ipsec_impl.h>
 100 #include <inet/iptun/iptun_impl.h>
 101 #include <inet/ipdrop.h>
 102 #include <inet/ip_netinfo.h>
 103 #include <inet/ilb_ip.h>
 104 
 105 #include <sys/ethernet.h>
 106 #include <net/if_types.h>
 107 #include <sys/cpuvar.h>
 108 
 109 #include <ipp/ipp.h>
 110 #include <ipp/ipp_impl.h>
 111 #include <ipp/ipgpc/ipgpc.h>
 112 
 113 #include <sys/pattr.h>
 114 #include <inet/dccp.h>
 115 #include <inet/dccp_impl.h>
 116 #include <inet/dccp_ip.h>
 117 #include <inet/ipclassifier.h>
 118 #include <inet/sctp_ip.h>
 119 #include <inet/sctp/sctp_impl.h>
 120 #include <inet/udp_impl.h>
 121 #include <inet/rawip_impl.h>
 122 #include <inet/rts_impl.h>
 123 
 124 #include <sys/tsol/label.h>
 125 #include <sys/tsol/tnet.h>
 126 
 127 #include <sys/squeue_impl.h>
 128 #include <inet/ip_arp.h>
 129 
 130 #include <sys/clock_impl.h>       /* For LBOLT_FASTPATH{,64} */
 131 
 132 /*
 133  * Values for squeue switch:
 134  * IP_SQUEUE_ENTER_NODRAIN: SQ_NODRAIN
 135  * IP_SQUEUE_ENTER: SQ_PROCESS
 136  * IP_SQUEUE_FILL: SQ_FILL
 137  */
 138 int ip_squeue_enter = IP_SQUEUE_ENTER;  /* Setable in /etc/system */
 139 
 140 int ip_squeue_flag;
 141 
 142 /*
 143  * Setable in /etc/system
 144  */
 145 int ip_poll_normal_ms = 100;
 146 int ip_poll_normal_ticks = 0;
 147 int ip_modclose_ackwait_ms = 3000;
 148 
 149 /*
 150  * It would be nice to have these present only in DEBUG systems, but the
 151  * current design of the global symbol checking logic requires them to be
 152  * unconditionally present.
 153  */
 154 uint_t ip_thread_data;                  /* TSD key for debug support */
 155 krwlock_t ip_thread_rwlock;
 156 list_t  ip_thread_list;
 157 
 158 /*
 159  * Structure to represent a linked list of msgblks. Used by ip_snmp_ functions.
 160  */
 161 
 162 struct listptr_s {
 163         mblk_t  *lp_head;       /* pointer to the head of the list */
 164         mblk_t  *lp_tail;       /* pointer to the tail of the list */
 165 };
 166 
 167 typedef struct listptr_s listptr_t;
 168 
 169 /*
 170  * This is used by ip_snmp_get_mib2_ip_route_media and
 171  * ip_snmp_get_mib2_ip6_route_media to carry the lists of return data.
 172  */
 173 typedef struct iproutedata_s {
 174         uint_t          ird_idx;
 175         uint_t          ird_flags;      /* see below */
 176         listptr_t       ird_route;      /* ipRouteEntryTable */
 177         listptr_t       ird_netmedia;   /* ipNetToMediaEntryTable */
 178         listptr_t       ird_attrs;      /* ipRouteAttributeTable */
 179 } iproutedata_t;
 180 
 181 /* Include ire_testhidden and IRE_IF_CLONE routes */
 182 #define IRD_REPORT_ALL  0x01
 183 
 184 /*
 185  * Cluster specific hooks. These should be NULL when booted as a non-cluster
 186  */
 187 
 188 /*
 189  * Hook functions to enable cluster networking
 190  * On non-clustered systems these vectors must always be NULL.
 191  *
 192  * Hook function to Check ip specified ip address is a shared ip address
 193  * in the cluster
 194  *
 195  */
 196 int (*cl_inet_isclusterwide)(netstackid_t stack_id, uint8_t protocol,
 197     sa_family_t addr_family, uint8_t *laddrp, void *args) = NULL;
 198 
 199 /*
 200  * Hook function to generate cluster wide ip fragment identifier
 201  */
 202 uint32_t (*cl_inet_ipident)(netstackid_t stack_id, uint8_t protocol,
 203     sa_family_t addr_family, uint8_t *laddrp, uint8_t *faddrp,
 204     void *args) = NULL;
 205 
 206 /*
 207  * Hook function to generate cluster wide SPI.
 208  */
 209 void (*cl_inet_getspi)(netstackid_t, uint8_t, uint8_t *, size_t,
 210     void *) = NULL;
 211 
 212 /*
 213  * Hook function to verify if the SPI is already utlized.
 214  */
 215 
 216 int (*cl_inet_checkspi)(netstackid_t, uint8_t, uint32_t, void *) = NULL;
 217 
 218 /*
 219  * Hook function to delete the SPI from the cluster wide repository.
 220  */
 221 
 222 void (*cl_inet_deletespi)(netstackid_t, uint8_t, uint32_t, void *) = NULL;
 223 
 224 /*
 225  * Hook function to inform the cluster when packet received on an IDLE SA
 226  */
 227 
 228 void (*cl_inet_idlesa)(netstackid_t, uint8_t, uint32_t, sa_family_t,
 229     in6_addr_t, in6_addr_t, void *) = NULL;
 230 
 231 /*
 232  * Synchronization notes:
 233  *
 234  * IP is a fully D_MP STREAMS module/driver. Thus it does not depend on any
 235  * MT level protection given by STREAMS. IP uses a combination of its own
 236  * internal serialization mechanism and standard Solaris locking techniques.
 237  * The internal serialization is per phyint.  This is used to serialize
 238  * plumbing operations, IPMP operations, most set ioctls, etc.
 239  *
 240  * Plumbing is a long sequence of operations involving message
 241  * exchanges between IP, ARP and device drivers. Many set ioctls are typically
 242  * involved in plumbing operations. A natural model is to serialize these
 243  * ioctls one per ill. For example plumbing of hme0 and qfe0 can go on in
 244  * parallel without any interference. But various set ioctls on hme0 are best
 245  * serialized, along with IPMP operations and processing of DLPI control
 246  * messages received from drivers on a per phyint basis. This serialization is
 247  * provided by the ipsq_t and primitives operating on this. Details can
 248  * be found in ip_if.c above the core primitives operating on ipsq_t.
 249  *
 250  * Lookups of an ipif or ill by a thread return a refheld ipif / ill.
 251  * Simiarly lookup of an ire by a thread also returns a refheld ire.
 252  * In addition ipif's and ill's referenced by the ire are also indirectly
 253  * refheld. Thus no ipif or ill can vanish as long as an ipif is refheld
 254  * directly or indirectly. For example an SIOCSLIFADDR ioctl that changes the
 255  * address of an ipif has to go through the ipsq_t. This ensures that only
 256  * one such exclusive operation proceeds at any time on the ipif. It then
 257  * waits for all refcnts
 258  * associated with this ipif to come down to zero. The address is changed
 259  * only after the ipif has been quiesced. Then the ipif is brought up again.
 260  * More details are described above the comment in ip_sioctl_flags.
 261  *
 262  * Packet processing is based mostly on IREs and are fully multi-threaded
 263  * using standard Solaris MT techniques.
 264  *
 265  * There are explicit locks in IP to handle:
 266  * - The ip_g_head list maintained by mi_open_link() and friends.
 267  *
 268  * - The reassembly data structures (one lock per hash bucket)
 269  *
 270  * - conn_lock is meant to protect conn_t fields. The fields actually
 271  *   protected by conn_lock are documented in the conn_t definition.
 272  *
 273  * - ire_lock to protect some of the fields of the ire, IRE tables
 274  *   (one lock per hash bucket). Refer to ip_ire.c for details.
 275  *
 276  * - ndp_g_lock and ncec_lock for protecting NCEs.
 277  *
 278  * - ill_lock protects fields of the ill and ipif. Details in ip.h
 279  *
 280  * - ill_g_lock: This is a global reader/writer lock. Protects the following
 281  *      * The AVL tree based global multi list of all ills.
 282  *      * The linked list of all ipifs of an ill
 283  *      * The <ipsq-xop> mapping
 284  *      * <ill-phyint> association
 285  *   Insertion/deletion of an ill in the system, insertion/deletion of an ipif
 286  *   into an ill, changing the <ipsq-xop> mapping of an ill, changing the
 287  *   <ill-phyint> assoc of an ill will all have to hold the ill_g_lock as
 288  *   writer for the actual duration of the insertion/deletion/change.
 289  *
 290  * - ill_lock:  This is a per ill mutex.
 291  *   It protects some members of the ill_t struct; see ip.h for details.
 292  *   It also protects the <ill-phyint> assoc.
 293  *   It also protects the list of ipifs hanging off the ill.
 294  *
 295  * - ipsq_lock: This is a per ipsq_t mutex lock.
 296  *   This protects some members of the ipsq_t struct; see ip.h for details.
 297  *   It also protects the <ipsq-ipxop> mapping
 298  *
 299  * - ipx_lock: This is a per ipxop_t mutex lock.
 300  *   This protects some members of the ipxop_t struct; see ip.h for details.
 301  *
 302  * - phyint_lock: This is a per phyint mutex lock. Protects just the
 303  *   phyint_flags
 304  *
 305  * - ip_addr_avail_lock: This is used to ensure the uniqueness of IP addresses.
 306  *   This lock is held in ipif_up_done and the ipif is marked IPIF_UP and the
 307  *   uniqueness check also done atomically.
 308  *
 309  * - ill_g_usesrc_lock: This readers/writer lock protects the usesrc
 310  *   group list linked by ill_usesrc_grp_next. It also protects the
 311  *   ill_usesrc_ifindex field. It is taken as a writer when a member of the
 312  *   group is being added or deleted.  This lock is taken as a reader when
 313  *   walking the list/group(eg: to get the number of members in a usesrc group).
 314  *   Note, it is only necessary to take this lock if the ill_usesrc_grp_next
 315  *   field is changing state i.e from NULL to non-NULL or vice-versa. For
 316  *   example, it is not necessary to take this lock in the initial portion
 317  *   of ip_sioctl_slifusesrc or at all in ip_sioctl_flags since these
 318  *   operations are executed exclusively and that ensures that the "usesrc
 319  *   group state" cannot change. The "usesrc group state" change can happen
 320  *   only in the latter part of ip_sioctl_slifusesrc and in ill_delete.
 321  *
 322  * Changing <ill-phyint>, <ipsq-xop> assocications:
 323  *
 324  * To change the <ill-phyint> association, the ill_g_lock must be held
 325  * as writer, and the ill_locks of both the v4 and v6 instance of the ill
 326  * must be held.
 327  *
 328  * To change the <ipsq-xop> association, the ill_g_lock must be held as
 329  * writer, the ipsq_lock must be held, and one must be writer on the ipsq.
 330  * This is only done when ills are added or removed from IPMP groups.
 331  *
 332  * To add or delete an ipif from the list of ipifs hanging off the ill,
 333  * ill_g_lock (writer) and ill_lock must be held and the thread must be
 334  * a writer on the associated ipsq.
 335  *
 336  * To add or delete an ill to the system, the ill_g_lock must be held as
 337  * writer and the thread must be a writer on the associated ipsq.
 338  *
 339  * To add or delete an ilm to an ill, the ill_lock must be held and the thread
 340  * must be a writer on the associated ipsq.
 341  *
 342  * Lock hierarchy
 343  *
 344  * Some lock hierarchy scenarios are listed below.
 345  *
 346  * ill_g_lock -> conn_lock -> ill_lock -> ipsq_lock -> ipx_lock
 347  * ill_g_lock -> ill_lock(s) -> phyint_lock
 348  * ill_g_lock -> ndp_g_lock -> ill_lock -> ncec_lock
 349  * ill_g_lock -> ip_addr_avail_lock
 350  * conn_lock -> irb_lock -> ill_lock -> ire_lock
 351  * ill_g_lock -> ip_g_nd_lock
 352  * ill_g_lock -> ips_ipmp_lock -> ill_lock -> nce_lock
 353  * ill_g_lock -> ndp_g_lock -> ill_lock -> ncec_lock -> nce_lock
 354  * arl_lock -> ill_lock
 355  * ips_ire_dep_lock -> irb_lock
 356  *
 357  * When more than 1 ill lock is needed to be held, all ill lock addresses
 358  * are sorted on address and locked starting from highest addressed lock
 359  * downward.
 360  *
 361  * Multicast scenarios
 362  * ips_ill_g_lock -> ill_mcast_lock
 363  * conn_ilg_lock -> ips_ill_g_lock -> ill_lock
 364  * ill_mcast_serializer -> ill_mcast_lock -> ips_ipmp_lock -> ill_lock
 365  * ill_mcast_serializer -> ill_mcast_lock -> connf_lock -> conn_lock
 366  * ill_mcast_serializer -> ill_mcast_lock -> conn_ilg_lock
 367  * ill_mcast_serializer -> ill_mcast_lock -> ips_igmp_timer_lock
 368  *
 369  * IPsec scenarios
 370  *
 371  * ipsa_lock -> ill_g_lock -> ill_lock
 372  * ill_g_usesrc_lock -> ill_g_lock -> ill_lock
 373  *
 374  * Trusted Solaris scenarios
 375  *
 376  * igsa_lock -> gcgrp_rwlock -> gcgrp_lock
 377  * igsa_lock -> gcdb_lock
 378  * gcgrp_rwlock -> ire_lock
 379  * gcgrp_rwlock -> gcdb_lock
 380  *
 381  * squeue(sq_lock), flow related (ft_lock, fe_lock) locking
 382  *
 383  * cpu_lock --> ill_lock --> sqset_lock --> sq_lock
 384  * sq_lock -> conn_lock -> QLOCK(q)
 385  * ill_lock -> ft_lock -> fe_lock
 386  *
 387  * Routing/forwarding table locking notes:
 388  *
 389  * Lock acquisition order: Radix tree lock, irb_lock.
 390  * Requirements:
 391  * i.  Walker must not hold any locks during the walker callback.
 392  * ii  Walker must not see a truncated tree during the walk because of any node
 393  *     deletion.
 394  * iii Existing code assumes ire_bucket is valid if it is non-null and is used
 395  *     in many places in the code to walk the irb list. Thus even if all the
 396  *     ires in a bucket have been deleted, we still can't free the radix node
 397  *     until the ires have actually been inactive'd (freed).
 398  *
 399  * Tree traversal - Need to hold the global tree lock in read mode.
 400  * Before dropping the global tree lock, need to either increment the ire_refcnt
 401  * to ensure that the radix node can't be deleted.
 402  *
 403  * Tree add - Need to hold the global tree lock in write mode to add a
 404  * radix node. To prevent the node from being deleted, increment the
 405  * irb_refcnt, after the node is added to the tree. The ire itself is
 406  * added later while holding the irb_lock, but not the tree lock.
 407  *
 408  * Tree delete - Need to hold the global tree lock and irb_lock in write mode.
 409  * All associated ires must be inactive (i.e. freed), and irb_refcnt
 410  * must be zero.
 411  *
 412  * Walker - Increment irb_refcnt before calling the walker callback. Hold the
 413  * global tree lock (read mode) for traversal.
 414  *
 415  * IRE dependencies - In some cases we hold ips_ire_dep_lock across ire_refrele
 416  * hence we will acquire irb_lock while holding ips_ire_dep_lock.
 417  *
 418  * IPsec notes :
 419  *
 420  * IP interacts with the IPsec code (AH/ESP) by storing IPsec attributes
 421  * in the ip_xmit_attr_t ip_recv_attr_t. For outbound datagrams, the
 422  * ip_xmit_attr_t has the
 423  * information used by the IPsec code for applying the right level of
 424  * protection. The information initialized by IP in the ip_xmit_attr_t
 425  * is determined by the per-socket policy or global policy in the system.
 426  * For inbound datagrams, the ip_recv_attr_t
 427  * starts out with nothing in it. It gets filled
 428  * with the right information if it goes through the AH/ESP code, which
 429  * happens if the incoming packet is secure. The information initialized
 430  * by AH/ESP, is later used by IP (during fanouts to ULP) to see whether
 431  * the policy requirements needed by per-socket policy or global policy
 432  * is met or not.
 433  *
 434  * For fully connected sockets i.e dst, src [addr, port] is known,
 435  * conn_policy_cached is set indicating that policy has been cached.
 436  * conn_in_enforce_policy may or may not be set depending on whether
 437  * there is a global policy match or per-socket policy match.
 438  * Policy inheriting happpens in ip_policy_set once the destination is known.
 439  * Once the right policy is set on the conn_t, policy cannot change for
 440  * this socket. This makes life simpler for TCP (UDP ?) where
 441  * re-transmissions go out with the same policy. For symmetry, policy
 442  * is cached for fully connected UDP sockets also. Thus if policy is cached,
 443  * it also implies that policy is latched i.e policy cannot change
 444  * on these sockets. As we have the right policy on the conn, we don't
 445  * have to lookup global policy for every outbound and inbound datagram
 446  * and thus serving as an optimization. Note that a global policy change
 447  * does not affect fully connected sockets if they have policy. If fully
 448  * connected sockets did not have any policy associated with it, global
 449  * policy change may affect them.
 450  *
 451  * IP Flow control notes:
 452  * ---------------------
 453  * Non-TCP streams are flow controlled by IP. The way this is accomplished
 454  * differs when ILL_CAPAB_DLD_DIRECT is enabled for that IP instance. When
 455  * ILL_DIRECT_CAPABLE(ill) is TRUE, IP can do direct function calls into
 456  * GLDv3. Otherwise packets are sent down to lower layers using STREAMS
 457  * functions.
 458  *
 459  * Per Tx ring udp flow control:
 460  * This is applicable only when ILL_CAPAB_DLD_DIRECT capability is set in
 461  * the ill (i.e. ILL_DIRECT_CAPABLE(ill) is true).
 462  *
 463  * The underlying link can expose multiple Tx rings to the GLDv3 mac layer.
 464  * To achieve best performance, outgoing traffic need to be fanned out among
 465  * these Tx ring. mac_tx() is called (via str_mdata_fastpath_put()) to send
 466  * traffic out of the NIC and it takes a fanout hint. UDP connections pass
 467  * the address of connp as fanout hint to mac_tx(). Under flow controlled
 468  * condition, mac_tx() returns a non-NULL cookie (ip_mac_tx_cookie_t). This
 469  * cookie points to a specific Tx ring that is blocked. The cookie is used to
 470  * hash into an idl_tx_list[] entry in idl_tx_list[] array. Each idl_tx_list_t
 471  * point to drain_lists (idl_t's). These drain list will store the blocked UDP
 472  * connp's. The drain list is not a single list but a configurable number of
 473  * lists.
 474  *
 475  * The diagram below shows idl_tx_list_t's and their drain_lists. ip_stack_t
 476  * has an array of idl_tx_list_t. The size of the array is TX_FANOUT_SIZE
 477  * which is equal to 128. This array in turn contains a pointer to idl_t[],
 478  * the ip drain list. The idl_t[] array size is MIN(max_ncpus, 8). The drain
 479  * list will point to the list of connp's that are flow controlled.
 480  *
 481  *                      ---------------   -------   -------   -------
 482  *                   |->|drain_list[0]|-->|connp|-->|connp|-->|connp|-->
 483  *                   |  ---------------   -------   -------   -------
 484  *                   |  ---------------   -------   -------   -------
 485  *                   |->|drain_list[1]|-->|connp|-->|connp|-->|connp|-->
 486  * ----------------  |  ---------------   -------   -------   -------
 487  * |idl_tx_list[0]|->|  ---------------   -------   -------   -------
 488  * ----------------  |->|drain_list[2]|-->|connp|-->|connp|-->|connp|-->
 489  *                   |  ---------------   -------   -------   -------
 490  *                   .        .              .         .         .
 491  *                   |  ---------------   -------   -------   -------
 492  *                   |->|drain_list[n]|-->|connp|-->|connp|-->|connp|-->
 493  *                      ---------------   -------   -------   -------
 494  *                      ---------------   -------   -------   -------
 495  *                   |->|drain_list[0]|-->|connp|-->|connp|-->|connp|-->
 496  *                   |  ---------------   -------   -------   -------
 497  *                   |  ---------------   -------   -------   -------
 498  * ----------------  |->|drain_list[1]|-->|connp|-->|connp|-->|connp|-->
 499  * |idl_tx_list[1]|->|  ---------------   -------   -------   -------
 500  * ----------------  |        .              .         .         .
 501  *                   |  ---------------   -------   -------   -------
 502  *                   |->|drain_list[n]|-->|connp|-->|connp|-->|connp|-->
 503  *                      ---------------   -------   -------   -------
 504  *     .....
 505  * ----------------
 506  * |idl_tx_list[n]|-> ...
 507  * ----------------
 508  *
 509  * When mac_tx() returns a cookie, the cookie is hashed into an index into
 510  * ips_idl_tx_list[], and conn_drain_insert() is called with the idl_tx_list
 511  * to insert the conn onto.  conn_drain_insert() asserts flow control for the
 512  * sockets via su_txq_full() (non-STREAMS) or QFULL on conn_wq (STREAMS).
 513  * Further, conn_blocked is set to indicate that the conn is blocked.
 514  *
 515  * GLDv3 calls ill_flow_enable() when flow control is relieved.  The cookie
 516  * passed in the call to ill_flow_enable() identifies the blocked Tx ring and
 517  * is again hashed to locate the appropriate idl_tx_list, which is then
 518  * drained via conn_walk_drain().  conn_walk_drain() goes through each conn in
 519  * the drain list and calls conn_drain_remove() to clear flow control (via
 520  * calling su_txq_full() or clearing QFULL), and remove the conn from the
 521  * drain list.
 522  *
 523  * Note that the drain list is not a single list but a (configurable) array of
 524  * lists (8 elements by default).  Synchronization between drain insertion and
 525  * flow control wakeup is handled by using idl_txl->txl_lock, and only
 526  * conn_drain_insert() and conn_drain_remove() manipulate the drain list.
 527  *
 528  * Flow control via STREAMS is used when ILL_DIRECT_CAPABLE() returns FALSE.
 529  * On the send side, if the packet cannot be sent down to the driver by IP
 530  * (canput() fails), ip_xmit() drops the packet and returns EWOULDBLOCK to the
 531  * caller, who may then invoke ixa_check_drain_insert() to insert the conn on
 532  * the 0'th drain list.  When ip_wsrv() runs on the ill_wq because flow
 533  * control has been relieved, the blocked conns in the 0'th drain list are
 534  * drained as in the non-STREAMS case.
 535  *
 536  * In both the STREAMS and non-STREAMS cases, the sockfs upcall to set QFULL
 537  * is done when the conn is inserted into the drain list (conn_drain_insert())
 538  * and cleared when the conn is removed from the it (conn_drain_remove()).
 539  *
 540  * IPQOS notes:
 541  *
 542  * IPQoS Policies are applied to packets using IPPF (IP Policy framework)
 543  * and IPQoS modules. IPPF includes hooks in IP at different control points
 544  * (callout positions) which direct packets to IPQoS modules for policy
 545  * processing. Policies, if present, are global.
 546  *
 547  * The callout positions are located in the following paths:
 548  *              o local_in (packets destined for this host)
 549  *              o local_out (packets orginating from this host )
 550  *              o fwd_in  (packets forwarded by this m/c - inbound)
 551  *              o fwd_out (packets forwarded by this m/c - outbound)
 552  * Hooks at these callout points can be enabled/disabled using the ndd variable
 553  * ip_policy_mask (a bit mask with the 4 LSB indicating the callout positions).
 554  * By default all the callout positions are enabled.
 555  *
 556  * Outbound (local_out)
 557  * Hooks are placed in ire_send_wire_v4 and ire_send_wire_v6.
 558  *
 559  * Inbound (local_in)
 560  * Hooks are placed in ip_fanout_v4 and ip_fanout_v6.
 561  *
 562  * Forwarding (in and out)
 563  * Hooks are placed in ire_recv_forward_v4/v6.
 564  *
 565  * IP Policy Framework processing (IPPF processing)
 566  * Policy processing for a packet is initiated by ip_process, which ascertains
 567  * that the classifier (ipgpc) is loaded and configured, failing which the
 568  * packet resumes normal processing in IP. If the clasifier is present, the
 569  * packet is acted upon by one or more IPQoS modules (action instances), per
 570  * filters configured in ipgpc and resumes normal IP processing thereafter.
 571  * An action instance can drop a packet in course of its processing.
 572  *
 573  * Zones notes:
 574  *
 575  * The partitioning rules for networking are as follows:
 576  * 1) Packets coming from a zone must have a source address belonging to that
 577  * zone.
 578  * 2) Packets coming from a zone can only be sent on a physical interface on
 579  * which the zone has an IP address.
 580  * 3) Between two zones on the same machine, packet delivery is only allowed if
 581  * there's a matching route for the destination and zone in the forwarding
 582  * table.
 583  * 4) The TCP and UDP port spaces are per-zone; that is, two processes in
 584  * different zones can bind to the same port with the wildcard address
 585  * (INADDR_ANY).
 586  *
 587  * The granularity of interface partitioning is at the logical interface level.
 588  * Therefore, every zone has its own IP addresses, and incoming packets can be
 589  * attributed to a zone unambiguously. A logical interface is placed into a zone
 590  * using the SIOCSLIFZONE ioctl; this sets the ipif_zoneid field in the ipif_t
 591  * structure. Rule (1) is implemented by modifying the source address selection
 592  * algorithm so that the list of eligible addresses is filtered based on the
 593  * sending process zone.
 594  *
 595  * The Internet Routing Entries (IREs) are either exclusive to a zone or shared
 596  * across all zones, depending on their type. Here is the break-up:
 597  *
 598  * IRE type                             Shared/exclusive
 599  * --------                             ----------------
 600  * IRE_BROADCAST                        Exclusive
 601  * IRE_DEFAULT (default routes)         Shared (*)
 602  * IRE_LOCAL                            Exclusive (x)
 603  * IRE_LOOPBACK                         Exclusive
 604  * IRE_PREFIX (net routes)              Shared (*)
 605  * IRE_IF_NORESOLVER (interface routes) Exclusive
 606  * IRE_IF_RESOLVER (interface routes)   Exclusive
 607  * IRE_IF_CLONE (interface routes)      Exclusive
 608  * IRE_HOST (host routes)               Shared (*)
 609  *
 610  * (*) A zone can only use a default or off-subnet route if the gateway is
 611  * directly reachable from the zone, that is, if the gateway's address matches
 612  * one of the zone's logical interfaces.
 613  *
 614  * (x) IRE_LOCAL are handled a bit differently.
 615  * When ip_restrict_interzone_loopback is set (the default),
 616  * ire_route_recursive restricts loopback using an IRE_LOCAL
 617  * between zone to the case when L2 would have conceptually looped the packet
 618  * back, i.e. the loopback which is required since neither Ethernet drivers
 619  * nor Ethernet hardware loops them back. This is the case when the normal
 620  * routes (ignoring IREs with different zoneids) would send out the packet on
 621  * the same ill as the ill with which is IRE_LOCAL is associated.
 622  *
 623  * Multiple zones can share a common broadcast address; typically all zones
 624  * share the 255.255.255.255 address. Incoming as well as locally originated
 625  * broadcast packets must be dispatched to all the zones on the broadcast
 626  * network. For directed broadcasts (e.g. 10.16.72.255) this is not trivial
 627  * since some zones may not be on the 10.16.72/24 network. To handle this, each
 628  * zone has its own set of IRE_BROADCAST entries; then, broadcast packets are
 629  * sent to every zone that has an IRE_BROADCAST entry for the destination
 630  * address on the input ill, see ip_input_broadcast().
 631  *
 632  * Applications in different zones can join the same multicast group address.
 633  * The same logic applies for multicast as for broadcast. ip_input_multicast
 634  * dispatches packets to all zones that have members on the physical interface.
 635  */
 636 
 637 /*
 638  * Squeue Fanout flags:
 639  *      0: No fanout.
 640  *      1: Fanout across all squeues
 641  */
 642 boolean_t       ip_squeue_fanout = 0;
 643 
 644 /*
 645  * Maximum dups allowed per packet.
 646  */
 647 uint_t ip_max_frag_dups = 10;
 648 
 649 static int      ip_open(queue_t *q, dev_t *devp, int flag, int sflag,
 650                     cred_t *credp, boolean_t isv6);
 651 static mblk_t   *ip_xmit_attach_llhdr(mblk_t *, nce_t *);
 652 
 653 static boolean_t icmp_inbound_verify_v4(mblk_t *, icmph_t *, ip_recv_attr_t *);
 654 static void     icmp_inbound_too_big_v4(icmph_t *, ip_recv_attr_t *);
 655 static void     icmp_inbound_error_fanout_v4(mblk_t *, icmph_t *,
 656     ip_recv_attr_t *);
 657 static void     icmp_options_update(ipha_t *);
 658 static void     icmp_param_problem(mblk_t *, uint8_t,  ip_recv_attr_t *);
 659 static void     icmp_pkt(mblk_t *, void *, size_t, ip_recv_attr_t *);
 660 static mblk_t   *icmp_pkt_err_ok(mblk_t *, ip_recv_attr_t *);
 661 static void     icmp_redirect_v4(mblk_t *mp, ipha_t *, icmph_t *,
 662     ip_recv_attr_t *);
 663 static void     icmp_send_redirect(mblk_t *, ipaddr_t, ip_recv_attr_t *);
 664 static void     icmp_send_reply_v4(mblk_t *, ipha_t *, icmph_t *,
 665     ip_recv_attr_t *);
 666 
 667 mblk_t          *ip_dlpi_alloc(size_t, t_uscalar_t);
 668 char            *ip_dot_addr(ipaddr_t, char *);
 669 mblk_t          *ip_carve_mp(mblk_t **, ssize_t);
 670 int             ip_close(queue_t *, int);
 671 static char     *ip_dot_saddr(uchar_t *, char *);
 672 static void     ip_lrput(queue_t *, mblk_t *);
 673 ipaddr_t        ip_net_mask(ipaddr_t);
 674 char            *ip_nv_lookup(nv_t *, int);
 675 void    ip_rput(queue_t *, mblk_t *);
 676 static void     ip_rput_dlpi_writer(ipsq_t *dummy_sq, queue_t *q, mblk_t *mp,
 677                     void *dummy_arg);
 678 int             ip_snmp_get(queue_t *, mblk_t *, int, boolean_t);
 679 static mblk_t   *ip_snmp_get_mib2_ip(queue_t *, mblk_t *,
 680                     mib2_ipIfStatsEntry_t *, ip_stack_t *, boolean_t);
 681 static mblk_t   *ip_snmp_get_mib2_ip_traffic_stats(queue_t *, mblk_t *,
 682                     ip_stack_t *, boolean_t);
 683 static mblk_t   *ip_snmp_get_mib2_ip6(queue_t *, mblk_t *, ip_stack_t *,
 684                     boolean_t);
 685 static mblk_t   *ip_snmp_get_mib2_icmp(queue_t *, mblk_t *, ip_stack_t *ipst);
 686 static mblk_t   *ip_snmp_get_mib2_icmp6(queue_t *, mblk_t *, ip_stack_t *ipst);
 687 static mblk_t   *ip_snmp_get_mib2_igmp(queue_t *, mblk_t *, ip_stack_t *ipst);
 688 static mblk_t   *ip_snmp_get_mib2_multi(queue_t *, mblk_t *, ip_stack_t *ipst);
 689 static mblk_t   *ip_snmp_get_mib2_ip_addr(queue_t *, mblk_t *,
 690                     ip_stack_t *ipst, boolean_t);
 691 static mblk_t   *ip_snmp_get_mib2_ip6_addr(queue_t *, mblk_t *,
 692                     ip_stack_t *ipst, boolean_t);
 693 static mblk_t   *ip_snmp_get_mib2_ip_group_src(queue_t *, mblk_t *,
 694                     ip_stack_t *ipst);
 695 static mblk_t   *ip_snmp_get_mib2_ip6_group_src(queue_t *, mblk_t *,
 696                     ip_stack_t *ipst);
 697 static mblk_t   *ip_snmp_get_mib2_ip_group_mem(queue_t *, mblk_t *,
 698                     ip_stack_t *ipst);
 699 static mblk_t   *ip_snmp_get_mib2_ip6_group_mem(queue_t *, mblk_t *,
 700                     ip_stack_t *ipst);
 701 static mblk_t   *ip_snmp_get_mib2_virt_multi(queue_t *, mblk_t *,
 702                     ip_stack_t *ipst);
 703 static mblk_t   *ip_snmp_get_mib2_multi_rtable(queue_t *, mblk_t *,
 704                     ip_stack_t *ipst);
 705 static mblk_t   *ip_snmp_get_mib2_ip_route_media(queue_t *, mblk_t *, int,
 706                     ip_stack_t *ipst);
 707 static mblk_t   *ip_snmp_get_mib2_ip6_route_media(queue_t *, mblk_t *, int,
 708                     ip_stack_t *ipst);
 709 static void     ip_snmp_get2_v4(ire_t *, iproutedata_t *);
 710 static void     ip_snmp_get2_v6_route(ire_t *, iproutedata_t *);
 711 static int      ip_snmp_get2_v4_media(ncec_t *, iproutedata_t *);
 712 static int      ip_snmp_get2_v6_media(ncec_t *, iproutedata_t *);
 713 int             ip_snmp_set(queue_t *, int, int, uchar_t *, int);
 714 
 715 static mblk_t   *ip_fragment_copyhdr(uchar_t *, int, int, ip_stack_t *,
 716                     mblk_t *);
 717 
 718 static void     conn_drain_init(ip_stack_t *);
 719 static void     conn_drain_fini(ip_stack_t *);
 720 static void     conn_drain(conn_t *connp, boolean_t closing);
 721 
 722 static void     conn_walk_drain(ip_stack_t *, idl_tx_list_t *);
 723 static void     conn_walk_sctp(pfv_t, void *, zoneid_t, netstack_t *);
 724 
 725 static void     *ip_stack_init(netstackid_t stackid, netstack_t *ns);
 726 static void     ip_stack_shutdown(netstackid_t stackid, void *arg);
 727 static void     ip_stack_fini(netstackid_t stackid, void *arg);
 728 
 729 static int      ip_multirt_apply_membership(int (*fn)(conn_t *, boolean_t,
 730     const in6_addr_t *, ipaddr_t, uint_t, mcast_record_t, const in6_addr_t *),
 731     ire_t *, conn_t *, boolean_t, const in6_addr_t *,  mcast_record_t,
 732     const in6_addr_t *);
 733 
 734 static int      ip_squeue_switch(int);
 735 
 736 static void     *ip_kstat_init(netstackid_t, ip_stack_t *);
 737 static void     ip_kstat_fini(netstackid_t, kstat_t *);
 738 static int      ip_kstat_update(kstat_t *kp, int rw);
 739 static void     *icmp_kstat_init(netstackid_t);
 740 static void     icmp_kstat_fini(netstackid_t, kstat_t *);
 741 static int      icmp_kstat_update(kstat_t *kp, int rw);
 742 static void     *ip_kstat2_init(netstackid_t, ip_stat_t *);
 743 static void     ip_kstat2_fini(netstackid_t, kstat_t *);
 744 
 745 static void     ipobs_init(ip_stack_t *);
 746 static void     ipobs_fini(ip_stack_t *);
 747 
 748 static int      ip_tp_cpu_update(cpu_setup_t, int, void *);
 749 
 750 ipaddr_t        ip_g_all_ones = IP_HOST_MASK;
 751 
 752 static long ip_rput_pullups;
 753 int     dohwcksum = 1;  /* use h/w cksum if supported by the hardware */
 754 
 755 vmem_t *ip_minor_arena_sa; /* for minor nos. from INET_MIN_DEV+2 thru 2^^18-1 */
 756 vmem_t *ip_minor_arena_la; /* for minor nos. from 2^^18 thru 2^^32-1 */
 757 
 758 int     ip_debug;
 759 
 760 /*
 761  * Multirouting/CGTP stuff
 762  */
 763 int     ip_cgtp_filter_rev = CGTP_FILTER_REV;   /* CGTP hooks version */
 764 
 765 /*
 766  * IP tunables related declarations. Definitions are in ip_tunables.c
 767  */
 768 extern mod_prop_info_t ip_propinfo_tbl[];
 769 extern int ip_propinfo_count;
 770 
 771 /*
 772  * Table of IP ioctls encoding the various properties of the ioctl and
 773  * indexed based on the last byte of the ioctl command. Occasionally there
 774  * is a clash, and there is more than 1 ioctl with the same last byte.
 775  * In such a case 1 ioctl is encoded in the ndx table and the remaining
 776  * ioctls are encoded in the misc table. An entry in the ndx table is
 777  * retrieved by indexing on the last byte of the ioctl command and comparing
 778  * the ioctl command with the value in the ndx table. In the event of a
 779  * mismatch the misc table is then searched sequentially for the desired
 780  * ioctl command.
 781  *
 782  * Entry: <command> <copyin_size> <flags> <cmd_type> <function> <restart_func>
 783  */
 784 ip_ioctl_cmd_t ip_ndx_ioctl_table[] = {
 785         /* 000 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 786         /* 001 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 787         /* 002 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 788         /* 003 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 789         /* 004 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 790         /* 005 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 791         /* 006 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 792         /* 007 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 793         /* 008 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 794         /* 009 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 795 
 796         /* 010 */ { SIOCADDRT,  sizeof (struct rtentry), IPI_PRIV,
 797                         MISC_CMD, ip_siocaddrt, NULL },
 798         /* 011 */ { SIOCDELRT,  sizeof (struct rtentry), IPI_PRIV,
 799                         MISC_CMD, ip_siocdelrt, NULL },
 800 
 801         /* 012 */ { SIOCSIFADDR, sizeof (struct ifreq), IPI_PRIV | IPI_WR,
 802                         IF_CMD, ip_sioctl_addr, ip_sioctl_addr_restart },
 803         /* 013 */ { SIOCGIFADDR, sizeof (struct ifreq), IPI_GET_CMD,
 804                         IF_CMD, ip_sioctl_get_addr, NULL },
 805 
 806         /* 014 */ { SIOCSIFDSTADDR, sizeof (struct ifreq), IPI_PRIV | IPI_WR,
 807                         IF_CMD, ip_sioctl_dstaddr, ip_sioctl_dstaddr_restart },
 808         /* 015 */ { SIOCGIFDSTADDR, sizeof (struct ifreq),
 809                         IPI_GET_CMD, IF_CMD, ip_sioctl_get_dstaddr, NULL },
 810 
 811         /* 016 */ { SIOCSIFFLAGS, sizeof (struct ifreq),
 812                         IPI_PRIV | IPI_WR,
 813                         IF_CMD, ip_sioctl_flags, ip_sioctl_flags_restart },
 814         /* 017 */ { SIOCGIFFLAGS, sizeof (struct ifreq),
 815                         IPI_MODOK | IPI_GET_CMD,
 816                         IF_CMD, ip_sioctl_get_flags, NULL },
 817 
 818         /* 018 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 819         /* 019 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 820 
 821         /* copyin size cannot be coded for SIOCGIFCONF */
 822         /* 020 */ { O_SIOCGIFCONF, 0, IPI_GET_CMD,
 823                         MISC_CMD, ip_sioctl_get_ifconf, NULL },
 824 
 825         /* 021 */ { SIOCSIFMTU, sizeof (struct ifreq), IPI_PRIV | IPI_WR,
 826                         IF_CMD, ip_sioctl_mtu, NULL },
 827         /* 022 */ { SIOCGIFMTU, sizeof (struct ifreq), IPI_GET_CMD,
 828                         IF_CMD, ip_sioctl_get_mtu, NULL },
 829         /* 023 */ { SIOCGIFBRDADDR, sizeof (struct ifreq),
 830                         IPI_GET_CMD, IF_CMD, ip_sioctl_get_brdaddr, NULL },
 831         /* 024 */ { SIOCSIFBRDADDR, sizeof (struct ifreq), IPI_PRIV | IPI_WR,
 832                         IF_CMD, ip_sioctl_brdaddr, NULL },
 833         /* 025 */ { SIOCGIFNETMASK, sizeof (struct ifreq),
 834                         IPI_GET_CMD, IF_CMD, ip_sioctl_get_netmask, NULL },
 835         /* 026 */ { SIOCSIFNETMASK, sizeof (struct ifreq), IPI_PRIV | IPI_WR,
 836                         IF_CMD, ip_sioctl_netmask, ip_sioctl_netmask_restart },
 837         /* 027 */ { SIOCGIFMETRIC, sizeof (struct ifreq),
 838                         IPI_GET_CMD, IF_CMD, ip_sioctl_get_metric, NULL },
 839         /* 028 */ { SIOCSIFMETRIC, sizeof (struct ifreq), IPI_PRIV,
 840                         IF_CMD, ip_sioctl_metric, NULL },
 841         /* 029 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 842 
 843         /* See 166-168 below for extended SIOC*XARP ioctls */
 844         /* 030 */ { SIOCSARP, sizeof (struct arpreq), IPI_PRIV | IPI_WR,
 845                         ARP_CMD, ip_sioctl_arp, NULL },
 846         /* 031 */ { SIOCGARP, sizeof (struct arpreq), IPI_GET_CMD,
 847                         ARP_CMD, ip_sioctl_arp, NULL },
 848         /* 032 */ { SIOCDARP, sizeof (struct arpreq), IPI_PRIV | IPI_WR,
 849                         ARP_CMD, ip_sioctl_arp, NULL },
 850 
 851         /* 033 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 852         /* 034 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 853         /* 035 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 854         /* 036 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 855         /* 037 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 856         /* 038 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 857         /* 039 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 858         /* 040 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 859         /* 041 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 860         /* 042 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 861         /* 043 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 862         /* 044 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 863         /* 045 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 864         /* 046 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 865         /* 047 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 866         /* 048 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 867         /* 049 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 868         /* 050 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 869         /* 051 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 870         /* 052 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 871         /* 053 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 872 
 873         /* 054 */ { IF_UNITSEL, sizeof (int), IPI_PRIV | IPI_WR | IPI_MODOK,
 874                         MISC_CMD, if_unitsel, if_unitsel_restart },
 875 
 876         /* 055 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 877         /* 056 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 878         /* 057 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 879         /* 058 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 880         /* 059 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 881         /* 060 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 882         /* 061 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 883         /* 062 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 884         /* 063 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 885         /* 064 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 886         /* 065 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 887         /* 066 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 888         /* 067 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 889         /* 068 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 890         /* 069 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 891         /* 070 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 892         /* 071 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 893         /* 072 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 894 
 895         /* 073 */ { SIOCSIFNAME, sizeof (struct ifreq),
 896                         IPI_PRIV | IPI_WR | IPI_MODOK,
 897                         IF_CMD, ip_sioctl_sifname, NULL },
 898 
 899         /* 074 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 900         /* 075 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 901         /* 076 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 902         /* 077 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 903         /* 078 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 904         /* 079 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 905         /* 080 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 906         /* 081 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 907         /* 082 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 908         /* 083 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 909         /* 084 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 910         /* 085 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 911         /* 086 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 912 
 913         /* 087 */ { SIOCGIFNUM, sizeof (int), IPI_GET_CMD,
 914                         MISC_CMD, ip_sioctl_get_ifnum, NULL },
 915         /* 088 */ { SIOCGIFMUXID, sizeof (struct ifreq), IPI_GET_CMD,
 916                         IF_CMD, ip_sioctl_get_muxid, NULL },
 917         /* 089 */ { SIOCSIFMUXID, sizeof (struct ifreq),
 918                         IPI_PRIV | IPI_WR, IF_CMD, ip_sioctl_muxid, NULL },
 919 
 920         /* Both if and lif variants share same func */
 921         /* 090 */ { SIOCGIFINDEX, sizeof (struct ifreq), IPI_GET_CMD,
 922                         IF_CMD, ip_sioctl_get_lifindex, NULL },
 923         /* Both if and lif variants share same func */
 924         /* 091 */ { SIOCSIFINDEX, sizeof (struct ifreq),
 925                         IPI_PRIV | IPI_WR, IF_CMD, ip_sioctl_slifindex, NULL },
 926 
 927         /* copyin size cannot be coded for SIOCGIFCONF */
 928         /* 092 */ { SIOCGIFCONF, 0, IPI_GET_CMD,
 929                         MISC_CMD, ip_sioctl_get_ifconf, NULL },
 930         /* 093 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 931         /* 094 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 932         /* 095 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 933         /* 096 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 934         /* 097 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 935         /* 098 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 936         /* 099 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 937         /* 100 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 938         /* 101 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 939         /* 102 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 940         /* 103 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 941         /* 104 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 942         /* 105 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 943         /* 106 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 944         /* 107 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 945         /* 108 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 946         /* 109 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 947 
 948         /* 110 */ { SIOCLIFREMOVEIF, sizeof (struct lifreq),
 949                         IPI_PRIV | IPI_WR, LIF_CMD, ip_sioctl_removeif,
 950                         ip_sioctl_removeif_restart },
 951         /* 111 */ { SIOCLIFADDIF, sizeof (struct lifreq),
 952                         IPI_GET_CMD | IPI_PRIV | IPI_WR,
 953                         LIF_CMD, ip_sioctl_addif, NULL },
 954 #define SIOCLIFADDR_NDX 112
 955         /* 112 */ { SIOCSLIFADDR, sizeof (struct lifreq), IPI_PRIV | IPI_WR,
 956                         LIF_CMD, ip_sioctl_addr, ip_sioctl_addr_restart },
 957         /* 113 */ { SIOCGLIFADDR, sizeof (struct lifreq),
 958                         IPI_GET_CMD, LIF_CMD, ip_sioctl_get_addr, NULL },
 959         /* 114 */ { SIOCSLIFDSTADDR, sizeof (struct lifreq), IPI_PRIV | IPI_WR,
 960                         LIF_CMD, ip_sioctl_dstaddr, ip_sioctl_dstaddr_restart },
 961         /* 115 */ { SIOCGLIFDSTADDR, sizeof (struct lifreq),
 962                         IPI_GET_CMD, LIF_CMD, ip_sioctl_get_dstaddr, NULL },
 963         /* 116 */ { SIOCSLIFFLAGS, sizeof (struct lifreq),
 964                         IPI_PRIV | IPI_WR,
 965                         LIF_CMD, ip_sioctl_flags, ip_sioctl_flags_restart },
 966         /* 117 */ { SIOCGLIFFLAGS, sizeof (struct lifreq),
 967                         IPI_GET_CMD | IPI_MODOK,
 968                         LIF_CMD, ip_sioctl_get_flags, NULL },
 969 
 970         /* 118 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 971         /* 119 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
 972 
 973         /* 120 */ { O_SIOCGLIFCONF, 0, IPI_GET_CMD, MISC_CMD,
 974                         ip_sioctl_get_lifconf, NULL },
 975         /* 121 */ { SIOCSLIFMTU, sizeof (struct lifreq), IPI_PRIV | IPI_WR,
 976                         LIF_CMD, ip_sioctl_mtu, NULL },
 977         /* 122 */ { SIOCGLIFMTU, sizeof (struct lifreq), IPI_GET_CMD,
 978                         LIF_CMD, ip_sioctl_get_mtu, NULL },
 979         /* 123 */ { SIOCGLIFBRDADDR, sizeof (struct lifreq),
 980                         IPI_GET_CMD, LIF_CMD, ip_sioctl_get_brdaddr, NULL },
 981         /* 124 */ { SIOCSLIFBRDADDR, sizeof (struct lifreq), IPI_PRIV | IPI_WR,
 982                         LIF_CMD, ip_sioctl_brdaddr, NULL },
 983         /* 125 */ { SIOCGLIFNETMASK, sizeof (struct lifreq),
 984                         IPI_GET_CMD, LIF_CMD, ip_sioctl_get_netmask, NULL },
 985         /* 126 */ { SIOCSLIFNETMASK, sizeof (struct lifreq), IPI_PRIV | IPI_WR,
 986                         LIF_CMD, ip_sioctl_netmask, ip_sioctl_netmask_restart },
 987         /* 127 */ { SIOCGLIFMETRIC, sizeof (struct lifreq),
 988                         IPI_GET_CMD, LIF_CMD, ip_sioctl_get_metric, NULL },
 989         /* 128 */ { SIOCSLIFMETRIC, sizeof (struct lifreq), IPI_PRIV | IPI_WR,
 990                         LIF_CMD, ip_sioctl_metric, NULL },
 991         /* 129 */ { SIOCSLIFNAME, sizeof (struct lifreq),
 992                         IPI_PRIV | IPI_WR | IPI_MODOK,
 993                         LIF_CMD, ip_sioctl_slifname,
 994                         ip_sioctl_slifname_restart },
 995 
 996         /* 130 */ { SIOCGLIFNUM, sizeof (struct lifnum), IPI_GET_CMD,
 997                         MISC_CMD, ip_sioctl_get_lifnum, NULL },
 998         /* 131 */ { SIOCGLIFMUXID, sizeof (struct lifreq),
 999                         IPI_GET_CMD, LIF_CMD, ip_sioctl_get_muxid, NULL },
1000         /* 132 */ { SIOCSLIFMUXID, sizeof (struct lifreq),
1001                         IPI_PRIV | IPI_WR, LIF_CMD, ip_sioctl_muxid, NULL },
1002         /* 133 */ { SIOCGLIFINDEX, sizeof (struct lifreq),
1003                         IPI_GET_CMD, LIF_CMD, ip_sioctl_get_lifindex, 0 },
1004         /* 134 */ { SIOCSLIFINDEX, sizeof (struct lifreq),
1005                         IPI_PRIV | IPI_WR, LIF_CMD, ip_sioctl_slifindex, 0 },
1006         /* 135 */ { SIOCSLIFTOKEN, sizeof (struct lifreq), IPI_PRIV | IPI_WR,
1007                         LIF_CMD, ip_sioctl_token, NULL },
1008         /* 136 */ { SIOCGLIFTOKEN, sizeof (struct lifreq),
1009                         IPI_GET_CMD, LIF_CMD, ip_sioctl_get_token, NULL },
1010         /* 137 */ { SIOCSLIFSUBNET, sizeof (struct lifreq), IPI_PRIV | IPI_WR,
1011                         LIF_CMD, ip_sioctl_subnet, ip_sioctl_subnet_restart },
1012         /* 138 */ { SIOCGLIFSUBNET, sizeof (struct lifreq),
1013                         IPI_GET_CMD, LIF_CMD, ip_sioctl_get_subnet, NULL },
1014         /* 139 */ { SIOCSLIFLNKINFO, sizeof (struct lifreq), IPI_PRIV | IPI_WR,
1015                         LIF_CMD, ip_sioctl_lnkinfo, NULL },
1016 
1017         /* 140 */ { SIOCGLIFLNKINFO, sizeof (struct lifreq),
1018                         IPI_GET_CMD, LIF_CMD, ip_sioctl_get_lnkinfo, NULL },
1019         /* 141 */ { SIOCLIFDELND, sizeof (struct lifreq), IPI_PRIV,
1020                         LIF_CMD, ip_siocdelndp_v6, NULL },
1021         /* 142 */ { SIOCLIFGETND, sizeof (struct lifreq), IPI_GET_CMD,
1022                         LIF_CMD, ip_siocqueryndp_v6, NULL },
1023         /* 143 */ { SIOCLIFSETND, sizeof (struct lifreq), IPI_PRIV,
1024                         LIF_CMD, ip_siocsetndp_v6, NULL },
1025         /* 144 */ { SIOCTMYADDR, sizeof (struct sioc_addrreq), IPI_GET_CMD,
1026                         MISC_CMD, ip_sioctl_tmyaddr, NULL },
1027         /* 145 */ { SIOCTONLINK, sizeof (struct sioc_addrreq), IPI_GET_CMD,
1028                         MISC_CMD, ip_sioctl_tonlink, NULL },
1029         /* 146 */ { SIOCTMYSITE, sizeof (struct sioc_addrreq), 0,
1030                         MISC_CMD, ip_sioctl_tmysite, NULL },
1031         /* 147 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
1032         /* 148 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
1033         /* IPSECioctls handled in ip_sioctl_copyin_setup itself */
1034         /* 149 */ { SIOCFIPSECONFIG, 0, IPI_PRIV, MISC_CMD, NULL, NULL },
1035         /* 150 */ { SIOCSIPSECONFIG, 0, IPI_PRIV, MISC_CMD, NULL, NULL },
1036         /* 151 */ { SIOCDIPSECONFIG, 0, IPI_PRIV, MISC_CMD, NULL, NULL },
1037         /* 152 */ { SIOCLIPSECONFIG, 0, IPI_PRIV, MISC_CMD, NULL, NULL },
1038 
1039         /* 153 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
1040 
1041         /* 154 */ { SIOCGLIFBINDING, sizeof (struct lifreq), IPI_GET_CMD,
1042                         LIF_CMD, ip_sioctl_get_binding, NULL },
1043         /* 155 */ { SIOCSLIFGROUPNAME, sizeof (struct lifreq),
1044                         IPI_PRIV | IPI_WR,
1045                         LIF_CMD, ip_sioctl_groupname, ip_sioctl_groupname },
1046         /* 156 */ { SIOCGLIFGROUPNAME, sizeof (struct lifreq),
1047                         IPI_GET_CMD, LIF_CMD, ip_sioctl_get_groupname, NULL },
1048         /* 157 */ { SIOCGLIFGROUPINFO, sizeof (lifgroupinfo_t),
1049                         IPI_GET_CMD, MISC_CMD, ip_sioctl_groupinfo, NULL },
1050 
1051         /* Leave 158-160 unused; used to be SIOC*IFARP ioctls */
1052         /* 158 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
1053         /* 159 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
1054         /* 160 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
1055 
1056         /* 161 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
1057 
1058         /* These are handled in ip_sioctl_copyin_setup itself */
1059         /* 162 */ { SIOCGIP6ADDRPOLICY, 0, IPI_NULL_BCONT,
1060                         MISC_CMD, NULL, NULL },
1061         /* 163 */ { SIOCSIP6ADDRPOLICY, 0, IPI_PRIV | IPI_NULL_BCONT,
1062                         MISC_CMD, NULL, NULL },
1063         /* 164 */ { SIOCGDSTINFO, 0, IPI_GET_CMD, MISC_CMD, NULL, NULL },
1064 
1065         /* 165 */ { SIOCGLIFCONF, 0, IPI_GET_CMD, MISC_CMD,
1066                         ip_sioctl_get_lifconf, NULL },
1067 
1068         /* 166 */ { SIOCSXARP, sizeof (struct xarpreq), IPI_PRIV | IPI_WR,
1069                         XARP_CMD, ip_sioctl_arp, NULL },
1070         /* 167 */ { SIOCGXARP, sizeof (struct xarpreq), IPI_GET_CMD,
1071                         XARP_CMD, ip_sioctl_arp, NULL },
1072         /* 168 */ { SIOCDXARP, sizeof (struct xarpreq), IPI_PRIV | IPI_WR,
1073                         XARP_CMD, ip_sioctl_arp, NULL },
1074 
1075         /* SIOCPOPSOCKFS is not handled by IP */
1076         /* 169 */ { IPI_DONTCARE /* SIOCPOPSOCKFS */, 0, 0, 0, NULL, NULL },
1077 
1078         /* 170 */ { SIOCGLIFZONE, sizeof (struct lifreq),
1079                         IPI_GET_CMD, LIF_CMD, ip_sioctl_get_lifzone, NULL },
1080         /* 171 */ { SIOCSLIFZONE, sizeof (struct lifreq),
1081                         IPI_PRIV | IPI_WR, LIF_CMD, ip_sioctl_slifzone,
1082                         ip_sioctl_slifzone_restart },
1083         /* 172-174 are SCTP ioctls and not handled by IP */
1084         /* 172 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
1085         /* 173 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
1086         /* 174 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
1087         /* 175 */ { SIOCGLIFUSESRC, sizeof (struct lifreq),
1088                         IPI_GET_CMD, LIF_CMD,
1089                         ip_sioctl_get_lifusesrc, 0 },
1090         /* 176 */ { SIOCSLIFUSESRC, sizeof (struct lifreq),
1091                         IPI_PRIV | IPI_WR,
1092                         LIF_CMD, ip_sioctl_slifusesrc,
1093                         NULL },
1094         /* 177 */ { SIOCGLIFSRCOF, 0, IPI_GET_CMD, MISC_CMD,
1095                         ip_sioctl_get_lifsrcof, NULL },
1096         /* 178 */ { SIOCGMSFILTER, sizeof (struct group_filter), IPI_GET_CMD,
1097                         MSFILT_CMD, ip_sioctl_msfilter, NULL },
1098         /* 179 */ { SIOCSMSFILTER, sizeof (struct group_filter), 0,
1099                         MSFILT_CMD, ip_sioctl_msfilter, NULL },
1100         /* 180 */ { SIOCGIPMSFILTER, sizeof (struct ip_msfilter), IPI_GET_CMD,
1101                         MSFILT_CMD, ip_sioctl_msfilter, NULL },
1102         /* 181 */ { SIOCSIPMSFILTER, sizeof (struct ip_msfilter), 0,
1103                         MSFILT_CMD, ip_sioctl_msfilter, NULL },
1104         /* 182 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
1105         /* SIOCSENABLESDP is handled by SDP */
1106         /* 183 */ { IPI_DONTCARE /* SIOCSENABLESDP */, 0, 0, 0, NULL, NULL },
1107         /* 184 */ { IPI_DONTCARE /* SIOCSQPTR */, 0, 0, 0, NULL, NULL },
1108         /* 185 */ { SIOCGIFHWADDR, sizeof (struct ifreq), IPI_GET_CMD,
1109                         IF_CMD, ip_sioctl_get_ifhwaddr, NULL },
1110         /* 186 */ { IPI_DONTCARE /* SIOCGSTAMP */, 0, 0, 0, NULL, NULL },
1111         /* 187 */ { SIOCILB, 0, IPI_PRIV | IPI_GET_CMD, MISC_CMD,
1112                         ip_sioctl_ilb_cmd, NULL },
1113         /* 188 */ { SIOCGETPROP, 0, IPI_GET_CMD, 0, NULL, NULL },
1114         /* 189 */ { SIOCSETPROP, 0, IPI_PRIV | IPI_WR, 0, NULL, NULL},
1115         /* 190 */ { SIOCGLIFDADSTATE, sizeof (struct lifreq),
1116                         IPI_GET_CMD, LIF_CMD, ip_sioctl_get_dadstate, NULL },
1117         /* 191 */ { SIOCSLIFPREFIX, sizeof (struct lifreq), IPI_PRIV | IPI_WR,
1118                         LIF_CMD, ip_sioctl_prefix, ip_sioctl_prefix_restart },
1119         /* 192 */ { SIOCGLIFHWADDR, sizeof (struct lifreq), IPI_GET_CMD,
1120                         LIF_CMD, ip_sioctl_get_lifhwaddr, NULL }
1121 };
1122 
1123 int ip_ndx_ioctl_count = sizeof (ip_ndx_ioctl_table) / sizeof (ip_ioctl_cmd_t);
1124 
1125 ip_ioctl_cmd_t ip_misc_ioctl_table[] = {
1126         { I_LINK,       0, IPI_PRIV | IPI_WR, 0, NULL, NULL },
1127         { I_UNLINK,     0, IPI_PRIV | IPI_WR, 0, NULL, NULL },
1128         { I_PLINK,      0, IPI_PRIV | IPI_WR, 0, NULL, NULL },
1129         { I_PUNLINK,    0, IPI_PRIV | IPI_WR, 0, NULL, NULL },
1130         { ND_GET,       0, 0, 0, NULL, NULL },
1131         { ND_SET,       0, IPI_PRIV | IPI_WR, 0, NULL, NULL },
1132         { IP_IOCTL,     0, 0, 0, NULL, NULL },
1133         { SIOCGETVIFCNT, sizeof (struct sioc_vif_req), IPI_GET_CMD,
1134                 MISC_CMD, mrt_ioctl},
1135         { SIOCGETSGCNT, sizeof (struct sioc_sg_req), IPI_GET_CMD,
1136                 MISC_CMD, mrt_ioctl},
1137         { SIOCGETLSGCNT, sizeof (struct sioc_lsg_req), IPI_GET_CMD,
1138                 MISC_CMD, mrt_ioctl}
1139 };
1140 
1141 int ip_misc_ioctl_count =
1142     sizeof (ip_misc_ioctl_table) / sizeof (ip_ioctl_cmd_t);
1143 
1144 int     conn_drain_nthreads;            /* Number of drainers reqd. */
1145                                         /* Settable in /etc/system */
1146 /* Defined in ip_ire.c */
1147 extern uint32_t ip_ire_max_bucket_cnt, ip6_ire_max_bucket_cnt;
1148 extern uint32_t ip_ire_min_bucket_cnt, ip6_ire_min_bucket_cnt;
1149 extern uint32_t ip_ire_mem_ratio, ip_ire_cpu_ratio;
1150 
1151 static nv_t     ire_nv_arr[] = {
1152         { IRE_BROADCAST, "BROADCAST" },
1153         { IRE_LOCAL, "LOCAL" },
1154         { IRE_LOOPBACK, "LOOPBACK" },
1155         { IRE_DEFAULT, "DEFAULT" },
1156         { IRE_PREFIX, "PREFIX" },
1157         { IRE_IF_NORESOLVER, "IF_NORESOL" },
1158         { IRE_IF_RESOLVER, "IF_RESOLV" },
1159         { IRE_IF_CLONE, "IF_CLONE" },
1160         { IRE_HOST, "HOST" },
1161         { IRE_MULTICAST, "MULTICAST" },
1162         { IRE_NOROUTE, "NOROUTE" },
1163         { 0 }
1164 };
1165 
1166 nv_t    *ire_nv_tbl = ire_nv_arr;
1167 
1168 /* Simple ICMP IP Header Template */
1169 static ipha_t icmp_ipha = {
1170         IP_SIMPLE_HDR_VERSION, 0, 0, 0, 0, 0, IPPROTO_ICMP
1171 };
1172 
1173 struct module_info ip_mod_info = {
1174         IP_MOD_ID, IP_MOD_NAME, IP_MOD_MINPSZ, IP_MOD_MAXPSZ, IP_MOD_HIWAT,
1175         IP_MOD_LOWAT
1176 };
1177 
1178 /*
1179  * Duplicate static symbols within a module confuses mdb; so we avoid the
1180  * problem by making the symbols here distinct from those in udp.c.
1181  */
1182 
1183 /*
1184  * Entry points for IP as a device and as a module.
1185  * We have separate open functions for the /dev/ip and /dev/ip6 devices.
1186  */
1187 static struct qinit iprinitv4 = {
1188         (pfi_t)ip_rput, NULL, ip_openv4, ip_close, NULL,
1189         &ip_mod_info
1190 };
1191 
1192 struct qinit iprinitv6 = {
1193         (pfi_t)ip_rput_v6, NULL, ip_openv6, ip_close, NULL,
1194         &ip_mod_info
1195 };
1196 
1197 static struct qinit ipwinit = {
1198         (pfi_t)ip_wput_nondata, (pfi_t)ip_wsrv, NULL, NULL, NULL,
1199         &ip_mod_info
1200 };
1201 
1202 static struct qinit iplrinit = {
1203         (pfi_t)ip_lrput, NULL, ip_openv4, ip_close, NULL,
1204         &ip_mod_info
1205 };
1206 
1207 static struct qinit iplwinit = {
1208         (pfi_t)ip_lwput, NULL, NULL, NULL, NULL,
1209         &ip_mod_info
1210 };
1211 
1212 /* For AF_INET aka /dev/ip */
1213 struct streamtab ipinfov4 = {
1214         &iprinitv4, &ipwinit, &iplrinit, &iplwinit
1215 };
1216 
1217 /* For AF_INET6 aka /dev/ip6 */
1218 struct streamtab ipinfov6 = {
1219         &iprinitv6, &ipwinit, &iplrinit, &iplwinit
1220 };
1221 
1222 #ifdef  DEBUG
1223 boolean_t skip_sctp_cksum = B_FALSE;
1224 #endif
1225 
1226 /*
1227  * Generate an ICMP fragmentation needed message.
1228  * When called from ip_output side a minimal ip_recv_attr_t needs to be
1229  * constructed by the caller.
1230  */
1231 void
1232 icmp_frag_needed(mblk_t *mp, int mtu, ip_recv_attr_t *ira)
1233 {
1234         icmph_t icmph;
1235         ip_stack_t      *ipst = ira->ira_ill->ill_ipst;
1236 
1237         mp = icmp_pkt_err_ok(mp, ira);
1238         if (mp == NULL)
1239                 return;
1240 
1241         bzero(&icmph, sizeof (icmph_t));
1242         icmph.icmph_type = ICMP_DEST_UNREACHABLE;
1243         icmph.icmph_code = ICMP_FRAGMENTATION_NEEDED;
1244         icmph.icmph_du_mtu = htons((uint16_t)mtu);
1245         BUMP_MIB(&ipst->ips_icmp_mib, icmpOutFragNeeded);
1246         BUMP_MIB(&ipst->ips_icmp_mib, icmpOutDestUnreachs);
1247 
1248         icmp_pkt(mp, &icmph, sizeof (icmph_t), ira);
1249 }
1250 
1251 /*
1252  * icmp_inbound_v4 deals with ICMP messages that are handled by IP.
1253  * If the ICMP message is consumed by IP, i.e., it should not be delivered
1254  * to any IPPROTO_ICMP raw sockets, then it returns NULL.
1255  * Likewise, if the ICMP error is misformed (too short, etc), then it
1256  * returns NULL. The caller uses this to determine whether or not to send
1257  * to raw sockets.
1258  *
1259  * All error messages are passed to the matching transport stream.
1260  *
1261  * The following cases are handled by icmp_inbound:
1262  * 1) It needs to send a reply back and possibly delivering it
1263  *    to the "interested" upper clients.
1264  * 2) Return the mblk so that the caller can pass it to the RAW socket clients.
1265  * 3) It needs to change some values in IP only.
1266  * 4) It needs to change some values in IP and upper layers e.g TCP
1267  *    by delivering an error to the upper layers.
1268  *
1269  * We handle the above three cases in the context of IPsec in the
1270  * following way :
1271  *
1272  * 1) Send the reply back in the same way as the request came in.
1273  *    If it came in encrypted, it goes out encrypted. If it came in
1274  *    clear, it goes out in clear. Thus, this will prevent chosen
1275  *    plain text attack.
1276  * 2) The client may or may not expect things to come in secure.
1277  *    If it comes in secure, the policy constraints are checked
1278  *    before delivering it to the upper layers. If it comes in
1279  *    clear, ipsec_inbound_accept_clear will decide whether to
1280  *    accept this in clear or not. In both the cases, if the returned
1281  *    message (IP header + 8 bytes) that caused the icmp message has
1282  *    AH/ESP headers, it is sent up to AH/ESP for validation before
1283  *    sending up. If there are only 8 bytes of returned message, then
1284  *    upper client will not be notified.
1285  * 3) Check with global policy to see whether it matches the constaints.
1286  *    But this will be done only if icmp_accept_messages_in_clear is
1287  *    zero.
1288  * 4) If we need to change both in IP and ULP, then the decision taken
1289  *    while affecting the values in IP and while delivering up to TCP
1290  *    should be the same.
1291  *
1292  *      There are two cases.
1293  *
1294  *      a) If we reject data at the IP layer (ipsec_check_global_policy()
1295  *         failed), we will not deliver it to the ULP, even though they
1296  *         are *willing* to accept in *clear*. This is fine as our global
1297  *         disposition to icmp messages asks us reject the datagram.
1298  *
1299  *      b) If we accept data at the IP layer (ipsec_check_global_policy()
1300  *         succeeded or icmp_accept_messages_in_clear is 1), and not able
1301  *         to deliver it to ULP (policy failed), it can lead to
1302  *         consistency problems. The cases known at this time are
1303  *         ICMP_DESTINATION_UNREACHABLE  messages with following code
1304  *         values :
1305  *
1306  *         - ICMP_FRAGMENTATION_NEEDED : IP adapts to the new value
1307  *           and Upper layer rejects. Then the communication will
1308  *           come to a stop. This is solved by making similar decisions
1309  *           at both levels. Currently, when we are unable to deliver
1310  *           to the Upper Layer (due to policy failures) while IP has
1311  *           adjusted dce_pmtu, the next outbound datagram would
1312  *           generate a local ICMP_FRAGMENTATION_NEEDED message - which
1313  *           will be with the right level of protection. Thus the right
1314  *           value will be communicated even if we are not able to
1315  *           communicate when we get from the wire initially. But this
1316  *           assumes there would be at least one outbound datagram after
1317  *           IP has adjusted its dce_pmtu value. To make things
1318  *           simpler, we accept in clear after the validation of
1319  *           AH/ESP headers.
1320  *
1321  *         - Other ICMP ERRORS : We may not be able to deliver it to the
1322  *           upper layer depending on the level of protection the upper
1323  *           layer expects and the disposition in ipsec_inbound_accept_clear().
1324  *           ipsec_inbound_accept_clear() decides whether a given ICMP error
1325  *           should be accepted in clear when the Upper layer expects secure.
1326  *           Thus the communication may get aborted by some bad ICMP
1327  *           packets.
1328  */
1329 mblk_t *
1330 icmp_inbound_v4(mblk_t *mp, ip_recv_attr_t *ira)
1331 {
1332         icmph_t         *icmph;
1333         ipha_t          *ipha;          /* Outer header */
1334         int             ip_hdr_length;  /* Outer header length */
1335         boolean_t       interested;
1336         ipif_t          *ipif;
1337         uint32_t        ts;
1338         uint32_t        *tsp;
1339         timestruc_t     now;
1340         ill_t           *ill = ira->ira_ill;
1341         ip_stack_t      *ipst = ill->ill_ipst;
1342         zoneid_t        zoneid = ira->ira_zoneid;
1343         int             len_needed;
1344         mblk_t          *mp_ret = NULL;
1345 
1346         ipha = (ipha_t *)mp->b_rptr;
1347 
1348         BUMP_MIB(&ipst->ips_icmp_mib, icmpInMsgs);
1349 
1350         ip_hdr_length = ira->ira_ip_hdr_length;
1351         if ((mp->b_wptr - mp->b_rptr) < (ip_hdr_length + ICMPH_SIZE)) {
1352                 if (ira->ira_pktlen < (ip_hdr_length + ICMPH_SIZE)) {
1353                         BUMP_MIB(ill->ill_ip_mib, ipIfStatsInTruncatedPkts);
1354                         ip_drop_input("ipIfStatsInTruncatedPkts", mp, ill);
1355                         freemsg(mp);
1356                         return (NULL);
1357                 }
1358                 /* Last chance to get real. */
1359                 ipha = ip_pullup(mp, ip_hdr_length + ICMPH_SIZE, ira);
1360                 if (ipha == NULL) {
1361                         BUMP_MIB(&ipst->ips_icmp_mib, icmpInErrors);
1362                         freemsg(mp);
1363                         return (NULL);
1364                 }
1365         }
1366 
1367         /* The IP header will always be a multiple of four bytes */
1368         icmph = (icmph_t *)&mp->b_rptr[ip_hdr_length];
1369         ip2dbg(("icmp_inbound_v4: type %d code %d\n", icmph->icmph_type,
1370             icmph->icmph_code));
1371 
1372         /*
1373          * We will set "interested" to "true" if we should pass a copy to
1374          * the transport or if we handle the packet locally.
1375          */
1376         interested = B_FALSE;
1377         switch (icmph->icmph_type) {
1378         case ICMP_ECHO_REPLY:
1379                 BUMP_MIB(&ipst->ips_icmp_mib, icmpInEchoReps);
1380                 break;
1381         case ICMP_DEST_UNREACHABLE:
1382                 if (icmph->icmph_code == ICMP_FRAGMENTATION_NEEDED)
1383                         BUMP_MIB(&ipst->ips_icmp_mib, icmpInFragNeeded);
1384                 interested = B_TRUE;    /* Pass up to transport */
1385                 BUMP_MIB(&ipst->ips_icmp_mib, icmpInDestUnreachs);
1386                 break;
1387         case ICMP_SOURCE_QUENCH:
1388                 interested = B_TRUE;    /* Pass up to transport */
1389                 BUMP_MIB(&ipst->ips_icmp_mib, icmpInSrcQuenchs);
1390                 break;
1391         case ICMP_REDIRECT:
1392                 if (!ipst->ips_ip_ignore_redirect)
1393                         interested = B_TRUE;
1394                 BUMP_MIB(&ipst->ips_icmp_mib, icmpInRedirects);
1395                 break;
1396         case ICMP_ECHO_REQUEST:
1397                 /*
1398                  * Whether to respond to echo requests that come in as IP
1399                  * broadcasts or as IP multicast is subject to debate
1400                  * (what isn't?).  We aim to please, you pick it.
1401                  * Default is do it.
1402                  */
1403                 if (ira->ira_flags & IRAF_MULTICAST) {
1404                         /* multicast: respond based on tunable */
1405                         interested = ipst->ips_ip_g_resp_to_echo_mcast;
1406                 } else if (ira->ira_flags & IRAF_BROADCAST) {
1407                         /* broadcast: respond based on tunable */
1408                         interested = ipst->ips_ip_g_resp_to_echo_bcast;
1409                 } else {
1410                         /* unicast: always respond */
1411                         interested = B_TRUE;
1412                 }
1413                 BUMP_MIB(&ipst->ips_icmp_mib, icmpInEchos);
1414                 if (!interested) {
1415                         /* We never pass these to RAW sockets */
1416                         freemsg(mp);
1417                         return (NULL);
1418                 }
1419 
1420                 /* Check db_ref to make sure we can modify the packet. */
1421                 if (mp->b_datap->db_ref > 1) {
1422                         mblk_t  *mp1;
1423 
1424                         mp1 = copymsg(mp);
1425                         freemsg(mp);
1426                         if (!mp1) {
1427                                 BUMP_MIB(&ipst->ips_icmp_mib, icmpOutDrops);
1428                                 return (NULL);
1429                         }
1430                         mp = mp1;
1431                         ipha = (ipha_t *)mp->b_rptr;
1432                         icmph = (icmph_t *)&mp->b_rptr[ip_hdr_length];
1433                 }
1434                 icmph->icmph_type = ICMP_ECHO_REPLY;
1435                 BUMP_MIB(&ipst->ips_icmp_mib, icmpOutEchoReps);
1436                 icmp_send_reply_v4(mp, ipha, icmph, ira);
1437                 return (NULL);
1438 
1439         case ICMP_ROUTER_ADVERTISEMENT:
1440         case ICMP_ROUTER_SOLICITATION:
1441                 break;
1442         case ICMP_TIME_EXCEEDED:
1443                 interested = B_TRUE;    /* Pass up to transport */
1444                 BUMP_MIB(&ipst->ips_icmp_mib, icmpInTimeExcds);
1445                 break;
1446         case ICMP_PARAM_PROBLEM:
1447                 interested = B_TRUE;    /* Pass up to transport */
1448                 BUMP_MIB(&ipst->ips_icmp_mib, icmpInParmProbs);
1449                 break;
1450         case ICMP_TIME_STAMP_REQUEST:
1451                 /* Response to Time Stamp Requests is local policy. */
1452                 if (ipst->ips_ip_g_resp_to_timestamp) {
1453                         if (ira->ira_flags & IRAF_MULTIBROADCAST)
1454                                 interested =
1455                                     ipst->ips_ip_g_resp_to_timestamp_bcast;
1456                         else
1457                                 interested = B_TRUE;
1458                 }
1459                 if (!interested) {
1460                         /* We never pass these to RAW sockets */
1461                         freemsg(mp);
1462                         return (NULL);
1463                 }
1464 
1465                 /* Make sure we have enough of the packet */
1466                 len_needed = ip_hdr_length + ICMPH_SIZE +
1467                     3 * sizeof (uint32_t);
1468 
1469                 if (mp->b_wptr - mp->b_rptr < len_needed) {
1470                         ipha = ip_pullup(mp, len_needed, ira);
1471                         if (ipha == NULL) {
1472                                 BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
1473                                 ip_drop_input("ipIfStatsInDiscards - ip_pullup",
1474                                     mp, ill);
1475                                 freemsg(mp);
1476                                 return (NULL);
1477                         }
1478                         /* Refresh following the pullup. */
1479                         icmph = (icmph_t *)&mp->b_rptr[ip_hdr_length];
1480                 }
1481                 BUMP_MIB(&ipst->ips_icmp_mib, icmpInTimestamps);
1482                 /* Check db_ref to make sure we can modify the packet. */
1483                 if (mp->b_datap->db_ref > 1) {
1484                         mblk_t  *mp1;
1485 
1486                         mp1 = copymsg(mp);
1487                         freemsg(mp);
1488                         if (!mp1) {
1489                                 BUMP_MIB(&ipst->ips_icmp_mib, icmpOutDrops);
1490                                 return (NULL);
1491                         }
1492                         mp = mp1;
1493                         ipha = (ipha_t *)mp->b_rptr;
1494                         icmph = (icmph_t *)&mp->b_rptr[ip_hdr_length];
1495                 }
1496                 icmph->icmph_type = ICMP_TIME_STAMP_REPLY;
1497                 tsp = (uint32_t *)&icmph[1];
1498                 tsp++;          /* Skip past 'originate time' */
1499                 /* Compute # of milliseconds since midnight */
1500                 gethrestime(&now);
1501                 ts = (now.tv_sec % (24 * 60 * 60)) * 1000 +
1502                     now.tv_nsec / (NANOSEC / MILLISEC);
1503                 *tsp++ = htonl(ts);     /* Lay in 'receive time' */
1504                 *tsp++ = htonl(ts);     /* Lay in 'send time' */
1505                 BUMP_MIB(&ipst->ips_icmp_mib, icmpOutTimestampReps);
1506                 icmp_send_reply_v4(mp, ipha, icmph, ira);
1507                 return (NULL);
1508 
1509         case ICMP_TIME_STAMP_REPLY:
1510                 BUMP_MIB(&ipst->ips_icmp_mib, icmpInTimestampReps);
1511                 break;
1512         case ICMP_INFO_REQUEST:
1513                 /* Per RFC 1122 3.2.2.7, ignore this. */
1514         case ICMP_INFO_REPLY:
1515                 break;
1516         case ICMP_ADDRESS_MASK_REQUEST:
1517                 if (ira->ira_flags & IRAF_MULTIBROADCAST) {
1518                         interested =
1519                             ipst->ips_ip_respond_to_address_mask_broadcast;
1520                 } else {
1521                         interested = B_TRUE;
1522                 }
1523                 if (!interested) {
1524                         /* We never pass these to RAW sockets */
1525                         freemsg(mp);
1526                         return (NULL);
1527                 }
1528                 len_needed = ip_hdr_length + ICMPH_SIZE + IP_ADDR_LEN;
1529                 if (mp->b_wptr - mp->b_rptr < len_needed) {
1530                         ipha = ip_pullup(mp, len_needed, ira);
1531                         if (ipha == NULL) {
1532                                 BUMP_MIB(ill->ill_ip_mib,
1533                                     ipIfStatsInTruncatedPkts);
1534                                 ip_drop_input("ipIfStatsInTruncatedPkts", mp,
1535                                     ill);
1536                                 freemsg(mp);
1537                                 return (NULL);
1538                         }
1539                         /* Refresh following the pullup. */
1540                         icmph = (icmph_t *)&mp->b_rptr[ip_hdr_length];
1541                 }
1542                 BUMP_MIB(&ipst->ips_icmp_mib, icmpInAddrMasks);
1543                 /* Check db_ref to make sure we can modify the packet. */
1544                 if (mp->b_datap->db_ref > 1) {
1545                         mblk_t  *mp1;
1546 
1547                         mp1 = copymsg(mp);
1548                         freemsg(mp);
1549                         if (!mp1) {
1550                                 BUMP_MIB(&ipst->ips_icmp_mib, icmpOutDrops);
1551                                 return (NULL);
1552                         }
1553                         mp = mp1;
1554                         ipha = (ipha_t *)mp->b_rptr;
1555                         icmph = (icmph_t *)&mp->b_rptr[ip_hdr_length];
1556                 }
1557                 /*
1558                  * Need the ipif with the mask be the same as the source
1559                  * address of the mask reply. For unicast we have a specific
1560                  * ipif. For multicast/broadcast we only handle onlink
1561                  * senders, and use the source address to pick an ipif.
1562                  */
1563                 ipif = ipif_lookup_addr(ipha->ipha_dst, ill, zoneid, ipst);
1564                 if (ipif == NULL) {
1565                         /* Broadcast or multicast */
1566                         ipif = ipif_lookup_remote(ill, ipha->ipha_src, zoneid);
1567                         if (ipif == NULL) {
1568                                 freemsg(mp);
1569                                 return (NULL);
1570                         }
1571                 }
1572                 icmph->icmph_type = ICMP_ADDRESS_MASK_REPLY;
1573                 bcopy(&ipif->ipif_net_mask, &icmph[1], IP_ADDR_LEN);
1574                 ipif_refrele(ipif);
1575                 BUMP_MIB(&ipst->ips_icmp_mib, icmpOutAddrMaskReps);
1576                 icmp_send_reply_v4(mp, ipha, icmph, ira);
1577                 return (NULL);
1578 
1579         case ICMP_ADDRESS_MASK_REPLY:
1580                 BUMP_MIB(&ipst->ips_icmp_mib, icmpInAddrMaskReps);
1581                 break;
1582         default:
1583                 interested = B_TRUE;    /* Pass up to transport */
1584                 BUMP_MIB(&ipst->ips_icmp_mib, icmpInUnknowns);
1585                 break;
1586         }
1587         /*
1588          * See if there is an ICMP client to avoid an extra copymsg/freemsg
1589          * if there isn't one.
1590          */
1591         if (ipst->ips_ipcl_proto_fanout_v4[IPPROTO_ICMP].connf_head != NULL) {
1592                 /* If there is an ICMP client and we want one too, copy it. */
1593 
1594                 if (!interested) {
1595                         /* Caller will deliver to RAW sockets */
1596                         return (mp);
1597                 }
1598                 mp_ret = copymsg(mp);
1599                 if (mp_ret == NULL) {
1600                         BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
1601                         ip_drop_input("ipIfStatsInDiscards - copymsg", mp, ill);
1602                 }
1603         } else if (!interested) {
1604                 /* Neither we nor raw sockets are interested. Drop packet now */
1605                 freemsg(mp);
1606                 return (NULL);
1607         }
1608 
1609         /*
1610          * ICMP error or redirect packet. Make sure we have enough of
1611          * the header and that db_ref == 1 since we might end up modifying
1612          * the packet.
1613          */
1614         if (mp->b_cont != NULL) {
1615                 if (ip_pullup(mp, -1, ira) == NULL) {
1616                         BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
1617                         ip_drop_input("ipIfStatsInDiscards - ip_pullup",
1618                             mp, ill);
1619                         freemsg(mp);
1620                         return (mp_ret);
1621                 }
1622         }
1623 
1624         if (mp->b_datap->db_ref > 1) {
1625                 mblk_t  *mp1;
1626 
1627                 mp1 = copymsg(mp);
1628                 if (mp1 == NULL) {
1629                         BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
1630                         ip_drop_input("ipIfStatsInDiscards - copymsg", mp, ill);
1631                         freemsg(mp);
1632                         return (mp_ret);
1633                 }
1634                 freemsg(mp);
1635                 mp = mp1;
1636         }
1637 
1638         /*
1639          * In case mp has changed, verify the message before any further
1640          * processes.
1641          */
1642         ipha = (ipha_t *)mp->b_rptr;
1643         icmph = (icmph_t *)&mp->b_rptr[ip_hdr_length];
1644         if (!icmp_inbound_verify_v4(mp, icmph, ira)) {
1645                 freemsg(mp);
1646                 return (mp_ret);
1647         }
1648 
1649         switch (icmph->icmph_type) {
1650         case ICMP_REDIRECT:
1651                 icmp_redirect_v4(mp, ipha, icmph, ira);
1652                 break;
1653         case ICMP_DEST_UNREACHABLE:
1654                 if (icmph->icmph_code == ICMP_FRAGMENTATION_NEEDED) {
1655                         /* Update DCE and adjust MTU is icmp header if needed */
1656                         icmp_inbound_too_big_v4(icmph, ira);
1657                 }
1658                 /* FALLTHRU */
1659         default:
1660                 icmp_inbound_error_fanout_v4(mp, icmph, ira);
1661                 break;
1662         }
1663         return (mp_ret);
1664 }
1665 
1666 /*
1667  * Send an ICMP echo, timestamp or address mask reply.
1668  * The caller has already updated the payload part of the packet.
1669  * We handle the ICMP checksum, IP source address selection and feed
1670  * the packet into ip_output_simple.
1671  */
1672 static void
1673 icmp_send_reply_v4(mblk_t *mp, ipha_t *ipha, icmph_t *icmph,
1674     ip_recv_attr_t *ira)
1675 {
1676         uint_t          ip_hdr_length = ira->ira_ip_hdr_length;
1677         ill_t           *ill = ira->ira_ill;
1678         ip_stack_t      *ipst = ill->ill_ipst;
1679         ip_xmit_attr_t  ixas;
1680 
1681         /* Send out an ICMP packet */
1682         icmph->icmph_checksum = 0;
1683         icmph->icmph_checksum = IP_CSUM(mp, ip_hdr_length, 0);
1684         /* Reset time to live. */
1685         ipha->ipha_ttl = ipst->ips_ip_def_ttl;
1686         {
1687                 /* Swap source and destination addresses */
1688                 ipaddr_t tmp;
1689 
1690                 tmp = ipha->ipha_src;
1691                 ipha->ipha_src = ipha->ipha_dst;
1692                 ipha->ipha_dst = tmp;
1693         }
1694         ipha->ipha_ident = 0;
1695         if (!IS_SIMPLE_IPH(ipha))
1696                 icmp_options_update(ipha);
1697 
1698         bzero(&ixas, sizeof (ixas));
1699         ixas.ixa_flags = IXAF_BASIC_SIMPLE_V4;
1700         ixas.ixa_zoneid = ira->ira_zoneid;
1701         ixas.ixa_cred = kcred;
1702         ixas.ixa_cpid = NOPID;
1703         ixas.ixa_tsl = ira->ira_tsl; /* Behave as a multi-level responder */
1704         ixas.ixa_ifindex = 0;
1705         ixas.ixa_ipst = ipst;
1706         ixas.ixa_multicast_ttl = IP_DEFAULT_MULTICAST_TTL;
1707 
1708         if (!(ira->ira_flags & IRAF_IPSEC_SECURE)) {
1709                 /*
1710                  * This packet should go out the same way as it
1711                  * came in i.e in clear, independent of the IPsec policy
1712                  * for transmitting packets.
1713                  */
1714                 ixas.ixa_flags |= IXAF_NO_IPSEC;
1715         } else {
1716                 if (!ipsec_in_to_out(ira, &ixas, mp, ipha, NULL)) {
1717                         BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
1718                         /* Note: mp already consumed and ip_drop_packet done */
1719                         return;
1720                 }
1721         }
1722         if (ira->ira_flags & IRAF_MULTIBROADCAST) {
1723                 /*
1724                  * Not one or our addresses (IRE_LOCALs), thus we let
1725                  * ip_output_simple pick the source.
1726                  */
1727                 ipha->ipha_src = INADDR_ANY;
1728                 ixas.ixa_flags |= IXAF_SET_SOURCE;
1729         }
1730         /* Should we send with DF and use dce_pmtu? */
1731         if (ipst->ips_ipv4_icmp_return_pmtu) {
1732                 ixas.ixa_flags |= IXAF_PMTU_DISCOVERY;
1733                 ipha->ipha_fragment_offset_and_flags |= IPH_DF_HTONS;
1734         }
1735 
1736         BUMP_MIB(&ipst->ips_icmp_mib, icmpOutMsgs);
1737 
1738         (void) ip_output_simple(mp, &ixas);
1739         ixa_cleanup(&ixas);
1740 }
1741 
1742 /*
1743  * Verify the ICMP messages for either for ICMP error or redirect packet.
1744  * The caller should have fully pulled up the message. If it's a redirect
1745  * packet, only basic checks on IP header will be done; otherwise, verify
1746  * the packet by looking at the included ULP header.
1747  *
1748  * Called before icmp_inbound_error_fanout_v4 is called.
1749  */
1750 static boolean_t
1751 icmp_inbound_verify_v4(mblk_t *mp, icmph_t *icmph, ip_recv_attr_t *ira)
1752 {
1753         ill_t           *ill = ira->ira_ill;
1754         int             hdr_length;
1755         ip_stack_t      *ipst = ira->ira_ill->ill_ipst;
1756         conn_t          *connp;
1757         ipha_t          *ipha;  /* Inner IP header */
1758 
1759         ipha = (ipha_t *)&icmph[1];
1760         if ((uchar_t *)ipha + IP_SIMPLE_HDR_LENGTH > mp->b_wptr)
1761                 goto truncated;
1762 
1763         hdr_length = IPH_HDR_LENGTH(ipha);
1764 
1765         if ((IPH_HDR_VERSION(ipha) != IPV4_VERSION))
1766                 goto discard_pkt;
1767 
1768         if (hdr_length < sizeof (ipha_t))
1769                 goto truncated;
1770 
1771         if ((uchar_t *)ipha + hdr_length > mp->b_wptr)
1772                 goto truncated;
1773 
1774         /*
1775          * Stop here for ICMP_REDIRECT.
1776          */
1777         if (icmph->icmph_type == ICMP_REDIRECT)
1778                 return (B_TRUE);
1779 
1780         /*
1781          * ICMP errors only.
1782          */
1783         switch (ipha->ipha_protocol) {
1784         case IPPROTO_UDP:
1785                 /*
1786                  * Verify we have at least ICMP_MIN_TP_HDR_LEN bytes of
1787                  * transport header.
1788                  */
1789                 if ((uchar_t *)ipha + hdr_length + ICMP_MIN_TP_HDR_LEN >
1790                     mp->b_wptr)
1791                         goto truncated;
1792                 break;
1793         case IPPROTO_TCP: {
1794                 tcpha_t         *tcpha;
1795 
1796                 /*
1797                  * Verify we have at least ICMP_MIN_TP_HDR_LEN bytes of
1798                  * transport header.
1799                  */
1800                 if ((uchar_t *)ipha + hdr_length + ICMP_MIN_TP_HDR_LEN >
1801                     mp->b_wptr)
1802                         goto truncated;
1803 
1804                 tcpha = (tcpha_t *)((uchar_t *)ipha + hdr_length);
1805                 connp = ipcl_tcp_lookup_reversed_ipv4(ipha, tcpha, TCPS_LISTEN,
1806                     ipst);
1807                 if (connp == NULL)
1808                         goto discard_pkt;
1809 
1810                 if ((connp->conn_verifyicmp != NULL) &&
1811                     !connp->conn_verifyicmp(connp, tcpha, icmph, NULL, ira)) {
1812                         CONN_DEC_REF(connp);
1813                         goto discard_pkt;
1814                 }
1815                 CONN_DEC_REF(connp);
1816                 break;
1817         }
1818         case IPPROTO_SCTP:
1819                 /*
1820                  * Verify we have at least ICMP_MIN_TP_HDR_LEN bytes of
1821                  * transport header.
1822                  */
1823                 if ((uchar_t *)ipha + hdr_length + ICMP_MIN_TP_HDR_LEN >
1824                     mp->b_wptr)
1825                         goto truncated;
1826                 break;
1827         case IPPROTO_ESP:
1828         case IPPROTO_AH:
1829                 break;
1830         case IPPROTO_ENCAP:
1831                 if ((uchar_t *)ipha + hdr_length + sizeof (ipha_t) >
1832                     mp->b_wptr)
1833                         goto truncated;
1834                 break;
1835         default:
1836                 break;
1837         }
1838 
1839         return (B_TRUE);
1840 
1841 discard_pkt:
1842         /* Bogus ICMP error. */
1843         BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
1844         return (B_FALSE);
1845 
1846 truncated:
1847         /* We pulled up everthing already. Must be truncated */
1848         BUMP_MIB(ill->ill_ip_mib, ipIfStatsInTruncatedPkts);
1849         ip_drop_input("ipIfStatsInTruncatedPkts", mp, ill);
1850         return (B_FALSE);
1851 }
1852 
1853 /* Table from RFC 1191 */
1854 static int icmp_frag_size_table[] =
1855 { 32000, 17914, 8166, 4352, 2002, 1496, 1006, 508, 296, 68 };
1856 
1857 /*
1858  * Process received ICMP Packet too big.
1859  * Just handles the DCE create/update, including using the above table of
1860  * PMTU guesses. The caller is responsible for validating the packet before
1861  * passing it in and also to fanout the ICMP error to any matching transport
1862  * conns. Assumes the message has been fully pulled up and verified.
1863  *
1864  * Before getting here, the caller has called icmp_inbound_verify_v4()
1865  * that should have verified with ULP to prevent undoing the changes we're
1866  * going to make to DCE. For example, TCP might have verified that the packet
1867  * which generated error is in the send window.
1868  *
1869  * In some cases modified this MTU in the ICMP header packet; the caller
1870  * should pass to the matching ULP after this returns.
1871  */
1872 static void
1873 icmp_inbound_too_big_v4(icmph_t *icmph, ip_recv_attr_t *ira)
1874 {
1875         dce_t           *dce;
1876         int             old_mtu;
1877         int             mtu, orig_mtu;
1878         ipaddr_t        dst;
1879         boolean_t       disable_pmtud;
1880         ill_t           *ill = ira->ira_ill;
1881         ip_stack_t      *ipst = ill->ill_ipst;
1882         uint_t          hdr_length;
1883         ipha_t          *ipha;
1884 
1885         /* Caller already pulled up everything. */
1886         ipha = (ipha_t *)&icmph[1];
1887         ASSERT(icmph->icmph_type == ICMP_DEST_UNREACHABLE &&
1888             icmph->icmph_code == ICMP_FRAGMENTATION_NEEDED);
1889         ASSERT(ill != NULL);
1890 
1891         hdr_length = IPH_HDR_LENGTH(ipha);
1892 
1893         /*
1894          * We handle path MTU for source routed packets since the DCE
1895          * is looked up using the final destination.
1896          */
1897         dst = ip_get_dst(ipha);
1898 
1899         dce = dce_lookup_and_add_v4(dst, ipst);
1900         if (dce == NULL) {
1901                 /* Couldn't add a unique one - ENOMEM */
1902                 ip1dbg(("icmp_inbound_too_big_v4: no dce for 0x%x\n",
1903                     ntohl(dst)));
1904                 return;
1905         }
1906 
1907         /* Check for MTU discovery advice as described in RFC 1191 */
1908         mtu = ntohs(icmph->icmph_du_mtu);
1909         orig_mtu = mtu;
1910         disable_pmtud = B_FALSE;
1911 
1912         mutex_enter(&dce->dce_lock);
1913         if (dce->dce_flags & DCEF_PMTU)
1914                 old_mtu = dce->dce_pmtu;
1915         else
1916                 old_mtu = ill->ill_mtu;
1917 
1918         if (icmph->icmph_du_zero != 0 || mtu < ipst->ips_ip_pmtu_min) {
1919                 uint32_t length;
1920                 int     i;
1921 
1922                 /*
1923                  * Use the table from RFC 1191 to figure out
1924                  * the next "plateau" based on the length in
1925                  * the original IP packet.
1926                  */
1927                 length = ntohs(ipha->ipha_length);
1928                 DTRACE_PROBE2(ip4__pmtu__guess, dce_t *, dce,
1929                     uint32_t, length);
1930                 if (old_mtu <= length &&
1931                     old_mtu >= length - hdr_length) {
1932                         /*
1933                          * Handle broken BSD 4.2 systems that
1934                          * return the wrong ipha_length in ICMP
1935                          * errors.
1936                          */
1937                         ip1dbg(("Wrong mtu: sent %d, dce %d\n",
1938                             length, old_mtu));
1939                         length -= hdr_length;
1940                 }
1941                 for (i = 0; i < A_CNT(icmp_frag_size_table); i++) {
1942                         if (length > icmp_frag_size_table[i])
1943                                 break;
1944                 }
1945                 if (i == A_CNT(icmp_frag_size_table)) {
1946                         /* Smaller than IP_MIN_MTU! */
1947                         ip1dbg(("Too big for packet size %d\n",
1948                             length));
1949                         disable_pmtud = B_TRUE;
1950                         mtu = ipst->ips_ip_pmtu_min;
1951                 } else {
1952                         mtu = icmp_frag_size_table[i];
1953                         ip1dbg(("Calculated mtu %d, packet size %d, "
1954                             "before %d\n", mtu, length, old_mtu));
1955                         if (mtu < ipst->ips_ip_pmtu_min) {
1956                                 mtu = ipst->ips_ip_pmtu_min;
1957                                 disable_pmtud = B_TRUE;
1958                         }
1959                 }
1960         }
1961         if (disable_pmtud)
1962                 dce->dce_flags |= DCEF_TOO_SMALL_PMTU;
1963         else
1964                 dce->dce_flags &= ~DCEF_TOO_SMALL_PMTU;
1965 
1966         dce->dce_pmtu = MIN(old_mtu, mtu);
1967         /* Prepare to send the new max frag size for the ULP. */
1968         icmph->icmph_du_zero = 0;
1969         icmph->icmph_du_mtu =  htons((uint16_t)dce->dce_pmtu);
1970         DTRACE_PROBE4(ip4__pmtu__change, icmph_t *, icmph, dce_t *,
1971             dce, int, orig_mtu, int, mtu);
1972 
1973         /* We now have a PMTU for sure */
1974         dce->dce_flags |= DCEF_PMTU;
1975         dce->dce_last_change_time = TICK_TO_SEC(ddi_get_lbolt64());
1976         mutex_exit(&dce->dce_lock);
1977         /*
1978          * After dropping the lock the new value is visible to everyone.
1979          * Then we bump the generation number so any cached values reinspect
1980          * the dce_t.
1981          */
1982         dce_increment_generation(dce);
1983         dce_refrele(dce);
1984 }
1985 
1986 /*
1987  * If the packet in error is Self-Encapsulated, icmp_inbound_error_fanout_v4
1988  * calls this function.
1989  */
1990 static mblk_t *
1991 icmp_inbound_self_encap_error_v4(mblk_t *mp, ipha_t *ipha, ipha_t *in_ipha)
1992 {
1993         int length;
1994 
1995         ASSERT(mp->b_datap->db_type == M_DATA);
1996 
1997         /* icmp_inbound_v4 has already pulled up the whole error packet */
1998         ASSERT(mp->b_cont == NULL);
1999 
2000         /*
2001          * The length that we want to overlay is the inner header
2002          * and what follows it.
2003          */
2004         length = msgdsize(mp) - ((uchar_t *)in_ipha - mp->b_rptr);
2005 
2006         /*
2007          * Overlay the inner header and whatever follows it over the
2008          * outer header.
2009          */
2010         bcopy((uchar_t *)in_ipha, (uchar_t *)ipha, length);
2011 
2012         /* Adjust for what we removed */
2013         mp->b_wptr -= (uchar_t *)in_ipha - (uchar_t *)ipha;
2014         return (mp);
2015 }
2016 
2017 /*
2018  * Try to pass the ICMP message upstream in case the ULP cares.
2019  *
2020  * If the packet that caused the ICMP error is secure, we send
2021  * it to AH/ESP to make sure that the attached packet has a
2022  * valid association. ipha in the code below points to the
2023  * IP header of the packet that caused the error.
2024  *
2025  * For IPsec cases, we let the next-layer-up (which has access to
2026  * cached policy on the conn_t, or can query the SPD directly)
2027  * subtract out any IPsec overhead if they must.  We therefore make no
2028  * adjustments here for IPsec overhead.
2029  *
2030  * IFN could have been generated locally or by some router.
2031  *
2032  * LOCAL : ire_send_wire (before calling ipsec_out_process) can call
2033  * icmp_frag_needed/icmp_pkt2big_v6 to generated a local IFN.
2034  *          This happens because IP adjusted its value of MTU on an
2035  *          earlier IFN message and could not tell the upper layer,
2036  *          the new adjusted value of MTU e.g. Packet was encrypted
2037  *          or there was not enough information to fanout to upper
2038  *          layers. Thus on the next outbound datagram, ire_send_wire
2039  *          generates the IFN, where IPsec processing has *not* been
2040  *          done.
2041  *
2042  *          Note that we retain ixa_fragsize across IPsec thus once
2043  *          we have picking ixa_fragsize and entered ipsec_out_process we do
2044  *          no change the fragsize even if the path MTU changes before
2045  *          we reach ip_output_post_ipsec.
2046  *
2047  *          In the local case, IRAF_LOOPBACK will be set indicating
2048  *          that IFN was generated locally.
2049  *
2050  * ROUTER : IFN could be secure or non-secure.
2051  *
2052  *          * SECURE : We use the IPSEC_IN to fanout to AH/ESP if the
2053  *            packet in error has AH/ESP headers to validate the AH/ESP
2054  *            headers. AH/ESP will verify whether there is a valid SA or
2055  *            not and send it back. We will fanout again if we have more
2056  *            data in the packet.
2057  *
2058  *            If the packet in error does not have AH/ESP, we handle it
2059  *            like any other case.
2060  *
2061  *          * NON_SECURE : If the packet in error has AH/ESP headers, we send it
2062  *            up to AH/ESP for validation. AH/ESP will verify whether there is a
2063  *            valid SA or not and send it back. We will fanout again if
2064  *            we have more data in the packet.
2065  *
2066  *            If the packet in error does not have AH/ESP, we handle it
2067  *            like any other case.
2068  *
2069  * The caller must have called icmp_inbound_verify_v4.
2070  */
2071 static void
2072 icmp_inbound_error_fanout_v4(mblk_t *mp, icmph_t *icmph, ip_recv_attr_t *ira)
2073 {
2074         uint16_t        *up;    /* Pointer to ports in ULP header */
2075         uint32_t        ports;  /* reversed ports for fanout */
2076         ipha_t          ripha;  /* With reversed addresses */
2077         ipha_t          *ipha;  /* Inner IP header */
2078         uint_t          hdr_length; /* Inner IP header length */
2079         tcpha_t         *tcpha;
2080         conn_t          *connp;
2081         ill_t           *ill = ira->ira_ill;
2082         ip_stack_t      *ipst = ill->ill_ipst;
2083         ipsec_stack_t   *ipss = ipst->ips_netstack->netstack_ipsec;
2084         ill_t           *rill = ira->ira_rill;
2085 
2086         /* Caller already pulled up everything. */
2087         ipha = (ipha_t *)&icmph[1];
2088         ASSERT((uchar_t *)&ipha[1] <= mp->b_wptr);
2089         ASSERT(mp->b_cont == NULL);
2090 
2091         hdr_length = IPH_HDR_LENGTH(ipha);
2092         ira->ira_protocol = ipha->ipha_protocol;
2093 
2094         /*
2095          * We need a separate IP header with the source and destination
2096          * addresses reversed to do fanout/classification because the ipha in
2097          * the ICMP error is in the form we sent it out.
2098          */
2099         ripha.ipha_src = ipha->ipha_dst;
2100         ripha.ipha_dst = ipha->ipha_src;
2101         ripha.ipha_protocol = ipha->ipha_protocol;
2102         ripha.ipha_version_and_hdr_length = ipha->ipha_version_and_hdr_length;
2103 
2104         ip2dbg(("icmp_inbound_error_v4: proto %d %x to %x: %d/%d\n",
2105             ripha.ipha_protocol, ntohl(ipha->ipha_src),
2106             ntohl(ipha->ipha_dst),
2107             icmph->icmph_type, icmph->icmph_code));
2108 
2109         switch (ipha->ipha_protocol) {
2110         case IPPROTO_UDP:
2111                 up = (uint16_t *)((uchar_t *)ipha + hdr_length);
2112 
2113                 /* Attempt to find a client stream based on port. */
2114                 ip2dbg(("icmp_inbound_error_v4: UDP ports %d to %d\n",
2115                     ntohs(up[0]), ntohs(up[1])));
2116 
2117                 /* Note that we send error to all matches. */
2118                 ira->ira_flags |= IRAF_ICMP_ERROR;
2119                 ip_fanout_udp_multi_v4(mp, &ripha, up[0], up[1], ira);
2120                 ira->ira_flags &= ~IRAF_ICMP_ERROR;
2121                 return;
2122 
2123         case IPPROTO_TCP:
2124                 /*
2125                  * Find a TCP client stream for this packet.
2126                  * Note that we do a reverse lookup since the header is
2127                  * in the form we sent it out.
2128                  */
2129                 tcpha = (tcpha_t *)((uchar_t *)ipha + hdr_length);
2130                 connp = ipcl_tcp_lookup_reversed_ipv4(ipha, tcpha, TCPS_LISTEN,
2131                     ipst);
2132                 if (connp == NULL)
2133                         goto discard_pkt;
2134 
2135                 if (CONN_INBOUND_POLICY_PRESENT(connp, ipss) ||
2136                     (ira->ira_flags & IRAF_IPSEC_SECURE)) {
2137                         mp = ipsec_check_inbound_policy(mp, connp,
2138                             ipha, NULL, ira);
2139                         if (mp == NULL) {
2140                                 BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
2141                                 /* Note that mp is NULL */
2142                                 ip_drop_input("ipIfStatsInDiscards", mp, ill);
2143                                 CONN_DEC_REF(connp);
2144                                 return;
2145                         }
2146                 }
2147 
2148                 ira->ira_flags |= IRAF_ICMP_ERROR;
2149                 ira->ira_ill = ira->ira_rill = NULL;
2150                 if (IPCL_IS_TCP(connp)) {
2151                         SQUEUE_ENTER_ONE(connp->conn_sqp, mp,
2152                             connp->conn_recvicmp, connp, ira, SQ_FILL,
2153                             SQTAG_TCP_INPUT_ICMP_ERR);
2154                 } else {
2155                         /* Not TCP; must be SOCK_RAW, IPPROTO_TCP */
2156                         (connp->conn_recv)(connp, mp, NULL, ira);
2157                         CONN_DEC_REF(connp);
2158                 }
2159                 ira->ira_ill = ill;
2160                 ira->ira_rill = rill;
2161                 ira->ira_flags &= ~IRAF_ICMP_ERROR;
2162                 return;
2163 
2164         case IPPROTO_SCTP:
2165                 up = (uint16_t *)((uchar_t *)ipha + hdr_length);
2166                 /* Find a SCTP client stream for this packet. */
2167                 ((uint16_t *)&ports)[0] = up[1];
2168                 ((uint16_t *)&ports)[1] = up[0];
2169 
2170                 ira->ira_flags |= IRAF_ICMP_ERROR;
2171                 ip_fanout_sctp(mp, &ripha, NULL, ports, ira);
2172                 ira->ira_flags &= ~IRAF_ICMP_ERROR;
2173                 return;
2174 
2175         case IPPROTO_ESP:
2176         case IPPROTO_AH:
2177                 if (!ipsec_loaded(ipss)) {
2178                         ip_proto_not_sup(mp, ira);
2179                         return;
2180                 }
2181 
2182                 if (ipha->ipha_protocol == IPPROTO_ESP)
2183                         mp = ipsecesp_icmp_error(mp, ira);
2184                 else
2185                         mp = ipsecah_icmp_error(mp, ira);
2186                 if (mp == NULL)
2187                         return;
2188 
2189                 /* Just in case ipsec didn't preserve the NULL b_cont */
2190                 if (mp->b_cont != NULL) {
2191                         if (!pullupmsg(mp, -1))
2192                                 goto discard_pkt;
2193                 }
2194 
2195                 /*
2196                  * Note that ira_pktlen and ira_ip_hdr_length are no longer
2197                  * correct, but we don't use them any more here.
2198                  *
2199                  * If succesful, the mp has been modified to not include
2200                  * the ESP/AH header so we can fanout to the ULP's icmp
2201                  * error handler.
2202                  */
2203                 if (mp->b_wptr - mp->b_rptr < IP_SIMPLE_HDR_LENGTH)
2204                         goto truncated;
2205 
2206                 /* Verify the modified message before any further processes. */
2207                 ipha = (ipha_t *)mp->b_rptr;
2208                 hdr_length = IPH_HDR_LENGTH(ipha);
2209                 icmph = (icmph_t *)&mp->b_rptr[hdr_length];
2210                 if (!icmp_inbound_verify_v4(mp, icmph, ira)) {
2211                         freemsg(mp);
2212                         return;
2213                 }
2214 
2215                 icmp_inbound_error_fanout_v4(mp, icmph, ira);
2216                 return;
2217 
2218         case IPPROTO_ENCAP: {
2219                 /* Look for self-encapsulated packets that caused an error */
2220                 ipha_t *in_ipha;
2221 
2222                 /*
2223                  * Caller has verified that length has to be
2224                  * at least the size of IP header.
2225                  */
2226                 ASSERT(hdr_length >= sizeof (ipha_t));
2227                 /*
2228                  * Check the sanity of the inner IP header like
2229                  * we did for the outer header.
2230                  */
2231                 in_ipha = (ipha_t *)((uchar_t *)ipha + hdr_length);
2232                 if ((IPH_HDR_VERSION(in_ipha) != IPV4_VERSION)) {
2233                         goto discard_pkt;
2234                 }
2235                 if (IPH_HDR_LENGTH(in_ipha) < sizeof (ipha_t)) {
2236                         goto discard_pkt;
2237                 }
2238                 /* Check for Self-encapsulated tunnels */
2239                 if (in_ipha->ipha_src == ipha->ipha_src &&
2240                     in_ipha->ipha_dst == ipha->ipha_dst) {
2241 
2242                         mp = icmp_inbound_self_encap_error_v4(mp, ipha,
2243                             in_ipha);
2244                         if (mp == NULL)
2245                                 goto discard_pkt;
2246 
2247                         /*
2248                          * Just in case self_encap didn't preserve the NULL
2249                          * b_cont
2250                          */
2251                         if (mp->b_cont != NULL) {
2252                                 if (!pullupmsg(mp, -1))
2253                                         goto discard_pkt;
2254                         }
2255                         /*
2256                          * Note that ira_pktlen and ira_ip_hdr_length are no
2257                          * longer correct, but we don't use them any more here.
2258                          */
2259                         if (mp->b_wptr - mp->b_rptr < IP_SIMPLE_HDR_LENGTH)
2260                                 goto truncated;
2261 
2262                         /*
2263                          * Verify the modified message before any further
2264                          * processes.
2265                          */
2266                         ipha = (ipha_t *)mp->b_rptr;
2267                         hdr_length = IPH_HDR_LENGTH(ipha);
2268                         icmph = (icmph_t *)&mp->b_rptr[hdr_length];
2269                         if (!icmp_inbound_verify_v4(mp, icmph, ira)) {
2270                                 freemsg(mp);
2271                                 return;
2272                         }
2273 
2274                         /*
2275                          * The packet in error is self-encapsualted.
2276                          * And we are finding it further encapsulated
2277                          * which we could not have possibly generated.
2278                          */
2279                         if (ipha->ipha_protocol == IPPROTO_ENCAP) {
2280                                 goto discard_pkt;
2281                         }
2282                         icmp_inbound_error_fanout_v4(mp, icmph, ira);
2283                         return;
2284                 }
2285                 /* No self-encapsulated */
2286                 /* FALLTHRU */
2287         }
2288         case IPPROTO_IPV6:
2289                 if ((connp = ipcl_iptun_classify_v4(&ripha.ipha_src,
2290                     &ripha.ipha_dst, ipst)) != NULL) {
2291                         ira->ira_flags |= IRAF_ICMP_ERROR;
2292                         connp->conn_recvicmp(connp, mp, NULL, ira);
2293                         CONN_DEC_REF(connp);
2294                         ira->ira_flags &= ~IRAF_ICMP_ERROR;
2295                         return;
2296                 }
2297                 /*
2298                  * No IP tunnel is interested, fallthrough and see
2299                  * if a raw socket will want it.
2300                  */
2301                 /* FALLTHRU */
2302         default:
2303                 ira->ira_flags |= IRAF_ICMP_ERROR;
2304                 ip_fanout_proto_v4(mp, &ripha, ira);
2305                 ira->ira_flags &= ~IRAF_ICMP_ERROR;
2306                 return;
2307         }
2308         /* NOTREACHED */
2309 discard_pkt:
2310         BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
2311         ip1dbg(("icmp_inbound_error_fanout_v4: drop pkt\n"));
2312         ip_drop_input("ipIfStatsInDiscards", mp, ill);
2313         freemsg(mp);
2314         return;
2315 
2316 truncated:
2317         /* We pulled up everthing already. Must be truncated */
2318         BUMP_MIB(ill->ill_ip_mib, ipIfStatsInTruncatedPkts);
2319         ip_drop_input("ipIfStatsInTruncatedPkts", mp, ill);
2320         freemsg(mp);
2321 }
2322 
2323 /*
2324  * Common IP options parser.
2325  *
2326  * Setup routine: fill in *optp with options-parsing state, then
2327  * tail-call ipoptp_next to return the first option.
2328  */
2329 uint8_t
2330 ipoptp_first(ipoptp_t *optp, ipha_t *ipha)
2331 {
2332         uint32_t totallen; /* total length of all options */
2333 
2334         totallen = ipha->ipha_version_and_hdr_length -
2335             (uint8_t)((IP_VERSION << 4) + IP_SIMPLE_HDR_LENGTH_IN_WORDS);
2336         totallen <<= 2;
2337         optp->ipoptp_next = (uint8_t *)(&ipha[1]);
2338         optp->ipoptp_end = optp->ipoptp_next + totallen;
2339         optp->ipoptp_flags = 0;
2340         return (ipoptp_next(optp));
2341 }
2342 
2343 /* Like above but without an ipha_t */
2344 uint8_t
2345 ipoptp_first2(ipoptp_t *optp, uint32_t totallen, uint8_t *opt)
2346 {
2347         optp->ipoptp_next = opt;
2348         optp->ipoptp_end = optp->ipoptp_next + totallen;
2349         optp->ipoptp_flags = 0;
2350         return (ipoptp_next(optp));
2351 }
2352 
2353 /*
2354  * Common IP options parser: extract next option.
2355  */
2356 uint8_t
2357 ipoptp_next(ipoptp_t *optp)
2358 {
2359         uint8_t *end = optp->ipoptp_end;
2360         uint8_t *cur = optp->ipoptp_next;
2361         uint8_t opt, len, pointer;
2362 
2363         /*
2364          * If cur > end already, then the ipoptp_end or ipoptp_next pointer
2365          * has been corrupted.
2366          */
2367         ASSERT(cur <= end);
2368 
2369         if (cur == end)
2370                 return (IPOPT_EOL);
2371 
2372         opt = cur[IPOPT_OPTVAL];
2373 
2374         /*
2375          * Skip any NOP options.
2376          */
2377         while (opt == IPOPT_NOP) {
2378                 cur++;
2379                 if (cur == end)
2380                         return (IPOPT_EOL);
2381                 opt = cur[IPOPT_OPTVAL];
2382         }
2383 
2384         if (opt == IPOPT_EOL)
2385                 return (IPOPT_EOL);
2386 
2387         /*
2388          * Option requiring a length.
2389          */
2390         if ((cur + 1) >= end) {
2391                 optp->ipoptp_flags |= IPOPTP_ERROR;
2392                 return (IPOPT_EOL);
2393         }
2394         len = cur[IPOPT_OLEN];
2395         if (len < 2) {
2396                 optp->ipoptp_flags |= IPOPTP_ERROR;
2397                 return (IPOPT_EOL);
2398         }
2399         optp->ipoptp_cur = cur;
2400         optp->ipoptp_len = len;
2401         optp->ipoptp_next = cur + len;
2402         if (cur + len > end) {
2403                 optp->ipoptp_flags |= IPOPTP_ERROR;
2404                 return (IPOPT_EOL);
2405         }
2406 
2407         /*
2408          * For the options which require a pointer field, make sure
2409          * its there, and make sure it points to either something
2410          * inside this option, or the end of the option.
2411          */
2412         switch (opt) {
2413         case IPOPT_RR:
2414         case IPOPT_TS:
2415         case IPOPT_LSRR:
2416         case IPOPT_SSRR:
2417                 if (len <= IPOPT_OFFSET) {
2418                         optp->ipoptp_flags |= IPOPTP_ERROR;
2419                         return (opt);
2420                 }
2421                 pointer = cur[IPOPT_OFFSET];
2422                 if (pointer - 1 > len) {
2423                         optp->ipoptp_flags |= IPOPTP_ERROR;
2424                         return (opt);
2425                 }
2426                 break;
2427         }
2428 
2429         /*
2430          * Sanity check the pointer field based on the type of the
2431          * option.
2432          */
2433         switch (opt) {
2434         case IPOPT_RR:
2435         case IPOPT_SSRR:
2436         case IPOPT_LSRR:
2437                 if (pointer < IPOPT_MINOFF_SR)
2438                         optp->ipoptp_flags |= IPOPTP_ERROR;
2439                 break;
2440         case IPOPT_TS:
2441                 if (pointer < IPOPT_MINOFF_IT)
2442                         optp->ipoptp_flags |= IPOPTP_ERROR;
2443                 /*
2444                  * Note that the Internet Timestamp option also
2445                  * contains two four bit fields (the Overflow field,
2446                  * and the Flag field), which follow the pointer
2447                  * field.  We don't need to check that these fields
2448                  * fall within the length of the option because this
2449                  * was implicitely done above.  We've checked that the
2450                  * pointer value is at least IPOPT_MINOFF_IT, and that
2451                  * it falls within the option.  Since IPOPT_MINOFF_IT >
2452                  * IPOPT_POS_OV_FLG, we don't need the explicit check.
2453                  */
2454                 ASSERT(len > IPOPT_POS_OV_FLG);
2455                 break;
2456         }
2457 
2458         return (opt);
2459 }
2460 
2461 /*
2462  * Use the outgoing IP header to create an IP_OPTIONS option the way
2463  * it was passed down from the application.
2464  *
2465  * This is compatible with BSD in that it returns
2466  * the reverse source route with the final destination
2467  * as the last entry. The first 4 bytes of the option
2468  * will contain the final destination.
2469  */
2470 int
2471 ip_opt_get_user(conn_t *connp, uchar_t *buf)
2472 {
2473         ipoptp_t        opts;
2474         uchar_t         *opt;
2475         uint8_t         optval;
2476         uint8_t         optlen;
2477         uint32_t        len = 0;
2478         uchar_t         *buf1 = buf;
2479         uint32_t        totallen;
2480         ipaddr_t        dst;
2481         ip_pkt_t        *ipp = &connp->conn_xmit_ipp;
2482 
2483         if (!(ipp->ipp_fields & IPPF_IPV4_OPTIONS))
2484                 return (0);
2485 
2486         totallen = ipp->ipp_ipv4_options_len;
2487         if (totallen & 0x3)
2488                 return (0);
2489 
2490         buf += IP_ADDR_LEN;     /* Leave room for final destination */
2491         len += IP_ADDR_LEN;
2492         bzero(buf1, IP_ADDR_LEN);
2493 
2494         dst = connp->conn_faddr_v4;
2495 
2496         for (optval = ipoptp_first2(&opts, totallen, ipp->ipp_ipv4_options);
2497             optval != IPOPT_EOL;
2498             optval = ipoptp_next(&opts)) {
2499                 int     off;
2500 
2501                 opt = opts.ipoptp_cur;
2502                 if ((opts.ipoptp_flags & IPOPTP_ERROR) != 0) {
2503                         break;
2504                 }
2505                 optlen = opts.ipoptp_len;
2506 
2507                 switch (optval) {
2508                 case IPOPT_SSRR:
2509                 case IPOPT_LSRR:
2510 
2511                         /*
2512                          * Insert destination as the first entry in the source
2513                          * route and move down the entries on step.
2514                          * The last entry gets placed at buf1.
2515                          */
2516                         buf[IPOPT_OPTVAL] = optval;
2517                         buf[IPOPT_OLEN] = optlen;
2518                         buf[IPOPT_OFFSET] = optlen;
2519 
2520                         off = optlen - IP_ADDR_LEN;
2521                         if (off < 0) {
2522                                 /* No entries in source route */
2523                                 break;
2524                         }
2525                         /* Last entry in source route if not already set */
2526                         if (dst == INADDR_ANY)
2527                                 bcopy(opt + off, buf1, IP_ADDR_LEN);
2528                         off -= IP_ADDR_LEN;
2529 
2530                         while (off > 0) {
2531                                 bcopy(opt + off,
2532                                     buf + off + IP_ADDR_LEN,
2533                                     IP_ADDR_LEN);
2534                                 off -= IP_ADDR_LEN;
2535                         }
2536                         /* ipha_dst into first slot */
2537                         bcopy(&dst, buf + off + IP_ADDR_LEN,
2538                             IP_ADDR_LEN);
2539                         buf += optlen;
2540                         len += optlen;
2541                         break;
2542 
2543                 default:
2544                         bcopy(opt, buf, optlen);
2545                         buf += optlen;
2546                         len += optlen;
2547                         break;
2548                 }
2549         }
2550 done:
2551         /* Pad the resulting options */
2552         while (len & 0x3) {
2553                 *buf++ = IPOPT_EOL;
2554                 len++;
2555         }
2556         return (len);
2557 }
2558 
2559 /*
2560  * Update any record route or timestamp options to include this host.
2561  * Reverse any source route option.
2562  * This routine assumes that the options are well formed i.e. that they
2563  * have already been checked.
2564  */
2565 static void
2566 icmp_options_update(ipha_t *ipha)
2567 {
2568         ipoptp_t        opts;
2569         uchar_t         *opt;
2570         uint8_t         optval;
2571         ipaddr_t        src;            /* Our local address */
2572         ipaddr_t        dst;
2573 
2574         ip2dbg(("icmp_options_update\n"));
2575         src = ipha->ipha_src;
2576         dst = ipha->ipha_dst;
2577 
2578         for (optval = ipoptp_first(&opts, ipha);
2579             optval != IPOPT_EOL;
2580             optval = ipoptp_next(&opts)) {
2581                 ASSERT((opts.ipoptp_flags & IPOPTP_ERROR) == 0);
2582                 opt = opts.ipoptp_cur;
2583                 ip2dbg(("icmp_options_update: opt %d, len %d\n",
2584                     optval, opts.ipoptp_len));
2585                 switch (optval) {
2586                         int off1, off2;
2587                 case IPOPT_SSRR:
2588                 case IPOPT_LSRR:
2589                         /*
2590                          * Reverse the source route.  The first entry
2591                          * should be the next to last one in the current
2592                          * source route (the last entry is our address).
2593                          * The last entry should be the final destination.
2594                          */
2595                         off1 = IPOPT_MINOFF_SR - 1;
2596                         off2 = opt[IPOPT_OFFSET] - IP_ADDR_LEN - 1;
2597                         if (off2 < 0) {
2598                                 /* No entries in source route */
2599                                 ip1dbg((
2600                                     "icmp_options_update: bad src route\n"));
2601                                 break;
2602                         }
2603                         bcopy((char *)opt + off2, &dst, IP_ADDR_LEN);
2604                         bcopy(&ipha->ipha_dst, (char *)opt + off2, IP_ADDR_LEN);
2605                         bcopy(&dst, &ipha->ipha_dst, IP_ADDR_LEN);
2606                         off2 -= IP_ADDR_LEN;
2607 
2608                         while (off1 < off2) {
2609                                 bcopy((char *)opt + off1, &src, IP_ADDR_LEN);
2610                                 bcopy((char *)opt + off2, (char *)opt + off1,
2611                                     IP_ADDR_LEN);
2612                                 bcopy(&src, (char *)opt + off2, IP_ADDR_LEN);
2613                                 off1 += IP_ADDR_LEN;
2614                                 off2 -= IP_ADDR_LEN;
2615                         }
2616                         opt[IPOPT_OFFSET] = IPOPT_MINOFF_SR;
2617                         break;
2618                 }
2619         }
2620 }
2621 
2622 /*
2623  * Process received ICMP Redirect messages.
2624  * Assumes the caller has verified that the headers are in the pulled up mblk.
2625  * Consumes mp.
2626  */
2627 static void
2628 icmp_redirect_v4(mblk_t *mp, ipha_t *ipha, icmph_t *icmph, ip_recv_attr_t *ira)
2629 {
2630         ire_t           *ire, *nire;
2631         ire_t           *prev_ire;
2632         ipaddr_t        src, dst, gateway;
2633         ip_stack_t      *ipst = ira->ira_ill->ill_ipst;
2634         ipha_t          *inner_ipha;    /* Inner IP header */
2635 
2636         /* Caller already pulled up everything. */
2637         inner_ipha = (ipha_t *)&icmph[1];
2638         src = ipha->ipha_src;
2639         dst = inner_ipha->ipha_dst;
2640         gateway = icmph->icmph_rd_gateway;
2641         /* Make sure the new gateway is reachable somehow. */
2642         ire = ire_ftable_lookup_v4(gateway, 0, 0, IRE_ONLINK, NULL,
2643             ALL_ZONES, NULL, MATCH_IRE_TYPE, 0, ipst, NULL);
2644         /*
2645          * Make sure we had a route for the dest in question and that
2646          * that route was pointing to the old gateway (the source of the
2647          * redirect packet.)
2648          * We do longest match and then compare ire_gateway_addr below.
2649          */
2650         prev_ire = ire_ftable_lookup_v4(dst, 0, 0, 0, NULL, ALL_ZONES,
2651             NULL, MATCH_IRE_DSTONLY, 0, ipst, NULL);
2652         /*
2653          * Check that
2654          *      the redirect was not from ourselves
2655          *      the new gateway and the old gateway are directly reachable
2656          */
2657         if (prev_ire == NULL || ire == NULL ||
2658             (prev_ire->ire_type & (IRE_LOCAL|IRE_LOOPBACK)) ||
2659             (prev_ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) ||
2660             !(ire->ire_type & IRE_IF_ALL) ||
2661             prev_ire->ire_gateway_addr != src) {
2662                 BUMP_MIB(&ipst->ips_icmp_mib, icmpInBadRedirects);
2663                 ip_drop_input("icmpInBadRedirects - ire", mp, ira->ira_ill);
2664                 freemsg(mp);
2665                 if (ire != NULL)
2666                         ire_refrele(ire);
2667                 if (prev_ire != NULL)
2668                         ire_refrele(prev_ire);
2669                 return;
2670         }
2671 
2672         ire_refrele(prev_ire);
2673         ire_refrele(ire);
2674 
2675         /*
2676          * TODO: more precise handling for cases 0, 2, 3, the latter two
2677          * require TOS routing
2678          */
2679         switch (icmph->icmph_code) {
2680         case 0:
2681         case 1:
2682                 /* TODO: TOS specificity for cases 2 and 3 */
2683         case 2:
2684         case 3:
2685                 break;
2686         default:
2687                 BUMP_MIB(&ipst->ips_icmp_mib, icmpInBadRedirects);
2688                 ip_drop_input("icmpInBadRedirects - code", mp, ira->ira_ill);
2689                 freemsg(mp);
2690                 return;
2691         }
2692         /*
2693          * Create a Route Association.  This will allow us to remember that
2694          * someone we believe told us to use the particular gateway.
2695          */
2696         ire = ire_create(
2697             (uchar_t *)&dst,                        /* dest addr */
2698             (uchar_t *)&ip_g_all_ones,              /* mask */
2699             (uchar_t *)&gateway,            /* gateway addr */
2700             IRE_HOST,
2701             NULL,                               /* ill */
2702             ALL_ZONES,
2703             (RTF_DYNAMIC | RTF_GATEWAY | RTF_HOST),
2704             NULL,                               /* tsol_gc_t */
2705             ipst);
2706 
2707         if (ire == NULL) {
2708                 freemsg(mp);
2709                 return;
2710         }
2711         nire = ire_add(ire);
2712         /* Check if it was a duplicate entry */
2713         if (nire != NULL && nire != ire) {
2714                 ASSERT(nire->ire_identical_ref > 1);
2715                 ire_delete(nire);
2716                 ire_refrele(nire);
2717                 nire = NULL;
2718         }
2719         ire = nire;
2720         if (ire != NULL) {
2721                 ire_refrele(ire);               /* Held in ire_add */
2722 
2723                 /* tell routing sockets that we received a redirect */
2724                 ip_rts_change(RTM_REDIRECT, dst, gateway, IP_HOST_MASK, 0, src,
2725                     (RTF_DYNAMIC | RTF_GATEWAY | RTF_HOST), 0,
2726                     (RTA_DST | RTA_GATEWAY | RTA_NETMASK | RTA_AUTHOR), ipst);
2727         }
2728 
2729         /*
2730          * Delete any existing IRE_HOST type redirect ires for this destination.
2731          * This together with the added IRE has the effect of
2732          * modifying an existing redirect.
2733          */
2734         prev_ire = ire_ftable_lookup_v4(dst, 0, src, IRE_HOST, NULL,
2735             ALL_ZONES, NULL, (MATCH_IRE_GW | MATCH_IRE_TYPE), 0, ipst, NULL);
2736         if (prev_ire != NULL) {
2737                 if (prev_ire ->ire_flags & RTF_DYNAMIC)
2738                         ire_delete(prev_ire);
2739                 ire_refrele(prev_ire);
2740         }
2741 
2742         freemsg(mp);
2743 }
2744 
2745 /*
2746  * Generate an ICMP parameter problem message.
2747  * When called from ip_output side a minimal ip_recv_attr_t needs to be
2748  * constructed by the caller.
2749  */
2750 static void
2751 icmp_param_problem(mblk_t *mp, uint8_t ptr, ip_recv_attr_t *ira)
2752 {
2753         icmph_t icmph;
2754         ip_stack_t      *ipst = ira->ira_ill->ill_ipst;
2755 
2756         mp = icmp_pkt_err_ok(mp, ira);
2757         if (mp == NULL)
2758                 return;
2759 
2760         bzero(&icmph, sizeof (icmph_t));
2761         icmph.icmph_type = ICMP_PARAM_PROBLEM;
2762         icmph.icmph_pp_ptr = ptr;
2763         BUMP_MIB(&ipst->ips_icmp_mib, icmpOutParmProbs);
2764         icmp_pkt(mp, &icmph, sizeof (icmph_t), ira);
2765 }
2766 
2767 /*
2768  * Build and ship an IPv4 ICMP message using the packet data in mp, and
2769  * the ICMP header pointed to by "stuff".  (May be called as writer.)
2770  * Note: assumes that icmp_pkt_err_ok has been called to verify that
2771  * an icmp error packet can be sent.
2772  * Assigns an appropriate source address to the packet. If ipha_dst is
2773  * one of our addresses use it for source. Otherwise let ip_output_simple
2774  * pick the source address.
2775  */
2776 static void
2777 icmp_pkt(mblk_t *mp, void *stuff, size_t len, ip_recv_attr_t *ira)
2778 {
2779         ipaddr_t dst;
2780         icmph_t *icmph;
2781         ipha_t  *ipha;
2782         uint_t  len_needed;
2783         size_t  msg_len;
2784         mblk_t  *mp1;
2785         ipaddr_t src;
2786         ire_t   *ire;
2787         ip_xmit_attr_t ixas;
2788         ip_stack_t *ipst = ira->ira_ill->ill_ipst;
2789 
2790         ipha = (ipha_t *)mp->b_rptr;
2791 
2792         bzero(&ixas, sizeof (ixas));
2793         ixas.ixa_flags = IXAF_BASIC_SIMPLE_V4;
2794         ixas.ixa_zoneid = ira->ira_zoneid;
2795         ixas.ixa_ifindex = 0;
2796         ixas.ixa_ipst = ipst;
2797         ixas.ixa_cred = kcred;
2798         ixas.ixa_cpid = NOPID;
2799         ixas.ixa_tsl = ira->ira_tsl; /* Behave as a multi-level responder */
2800         ixas.ixa_multicast_ttl = IP_DEFAULT_MULTICAST_TTL;
2801 
2802         if (ira->ira_flags & IRAF_IPSEC_SECURE) {
2803                 /*
2804                  * Apply IPsec based on how IPsec was applied to
2805                  * the packet that had the error.
2806                  *
2807                  * If it was an outbound packet that caused the ICMP
2808                  * error, then the caller will have setup the IRA
2809                  * appropriately.
2810                  */
2811                 if (!ipsec_in_to_out(ira, &ixas, mp, ipha, NULL)) {
2812                         BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
2813                         /* Note: mp already consumed and ip_drop_packet done */
2814                         return;
2815                 }
2816         } else {
2817                 /*
2818                  * This is in clear. The icmp message we are building
2819                  * here should go out in clear, independent of our policy.
2820                  */
2821                 ixas.ixa_flags |= IXAF_NO_IPSEC;
2822         }
2823 
2824         /* Remember our eventual destination */
2825         dst = ipha->ipha_src;
2826 
2827         /*
2828          * If the packet was for one of our unicast addresses, make
2829          * sure we respond with that as the source. Otherwise
2830          * have ip_output_simple pick the source address.
2831          */
2832         ire = ire_ftable_lookup_v4(ipha->ipha_dst, 0, 0,
2833             (IRE_LOCAL|IRE_LOOPBACK), NULL, ira->ira_zoneid, NULL,
2834             MATCH_IRE_TYPE|MATCH_IRE_ZONEONLY, 0, ipst, NULL);
2835         if (ire != NULL) {
2836                 ire_refrele(ire);
2837                 src = ipha->ipha_dst;
2838         } else {
2839                 src = INADDR_ANY;
2840                 ixas.ixa_flags |= IXAF_SET_SOURCE;
2841         }
2842 
2843         /*
2844          * Check if we can send back more then 8 bytes in addition to
2845          * the IP header.  We try to send 64 bytes of data and the internal
2846          * header in the special cases of ipv4 encapsulated ipv4 or ipv6.
2847          */
2848         len_needed = IPH_HDR_LENGTH(ipha);
2849         if (ipha->ipha_protocol == IPPROTO_ENCAP ||
2850             ipha->ipha_protocol == IPPROTO_IPV6) {
2851                 if (!pullupmsg(mp, -1)) {
2852                         BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
2853                         ip_drop_output("ipIfStatsOutDiscards", mp, NULL);
2854                         freemsg(mp);
2855                         return;
2856                 }
2857                 ipha = (ipha_t *)mp->b_rptr;
2858 
2859                 if (ipha->ipha_protocol == IPPROTO_ENCAP) {
2860                         len_needed += IPH_HDR_LENGTH(((uchar_t *)ipha +
2861                             len_needed));
2862                 } else {
2863                         ip6_t *ip6h = (ip6_t *)((uchar_t *)ipha + len_needed);
2864 
2865                         ASSERT(ipha->ipha_protocol == IPPROTO_IPV6);
2866                         len_needed += ip_hdr_length_v6(mp, ip6h);
2867                 }
2868         }
2869         len_needed += ipst->ips_ip_icmp_return;
2870         msg_len = msgdsize(mp);
2871         if (msg_len > len_needed) {
2872                 (void) adjmsg(mp, len_needed - msg_len);
2873                 msg_len = len_needed;
2874         }
2875         mp1 = allocb(sizeof (icmp_ipha) + len, BPRI_MED);
2876         if (mp1 == NULL) {
2877                 BUMP_MIB(&ipst->ips_icmp_mib, icmpOutErrors);
2878                 freemsg(mp);
2879                 return;
2880         }
2881         mp1->b_cont = mp;
2882         mp = mp1;
2883 
2884         /*
2885          * Set IXAF_TRUSTED_ICMP so we can let the ICMP messages this
2886          * node generates be accepted in peace by all on-host destinations.
2887          * If we do NOT assume that all on-host destinations trust
2888          * self-generated ICMP messages, then rework here, ip6.c, and spd.c.
2889          * (Look for IXAF_TRUSTED_ICMP).
2890          */
2891         ixas.ixa_flags |= IXAF_TRUSTED_ICMP;
2892 
2893         ipha = (ipha_t *)mp->b_rptr;
2894         mp1->b_wptr = (uchar_t *)ipha + (sizeof (icmp_ipha) + len);
2895         *ipha = icmp_ipha;
2896         ipha->ipha_src = src;
2897         ipha->ipha_dst = dst;
2898         ipha->ipha_ttl = ipst->ips_ip_def_ttl;
2899         msg_len += sizeof (icmp_ipha) + len;
2900         if (msg_len > IP_MAXPACKET) {
2901                 (void) adjmsg(mp, IP_MAXPACKET - msg_len);
2902                 msg_len = IP_MAXPACKET;
2903         }
2904         ipha->ipha_length = htons((uint16_t)msg_len);
2905         icmph = (icmph_t *)&ipha[1];
2906         bcopy(stuff, icmph, len);
2907         icmph->icmph_checksum = 0;
2908         icmph->icmph_checksum = IP_CSUM(mp, (int32_t)sizeof (ipha_t), 0);
2909         BUMP_MIB(&ipst->ips_icmp_mib, icmpOutMsgs);
2910 
2911         (void) ip_output_simple(mp, &ixas);
2912         ixa_cleanup(&ixas);
2913 }
2914 
2915 /*
2916  * Determine if an ICMP error packet can be sent given the rate limit.
2917  * The limit consists of an average frequency (icmp_pkt_err_interval measured
2918  * in milliseconds) and a burst size. Burst size number of packets can
2919  * be sent arbitrarely closely spaced.
2920  * The state is tracked using two variables to implement an approximate
2921  * token bucket filter:
2922  *      icmp_pkt_err_last - lbolt value when the last burst started
2923  *      icmp_pkt_err_sent - number of packets sent in current burst
2924  */
2925 boolean_t
2926 icmp_err_rate_limit(ip_stack_t *ipst)
2927 {
2928         clock_t now = TICK_TO_MSEC(ddi_get_lbolt());
2929         uint_t refilled; /* Number of packets refilled in tbf since last */
2930         /* Guard against changes by loading into local variable */
2931         uint_t err_interval = ipst->ips_ip_icmp_err_interval;
2932 
2933         if (err_interval == 0)
2934                 return (B_FALSE);
2935 
2936         if (ipst->ips_icmp_pkt_err_last > now) {
2937                 /* 100HZ lbolt in ms for 32bit arch wraps every 49.7 days */
2938                 ipst->ips_icmp_pkt_err_last = 0;
2939                 ipst->ips_icmp_pkt_err_sent = 0;
2940         }
2941         /*
2942          * If we are in a burst update the token bucket filter.
2943          * Update the "last" time to be close to "now" but make sure
2944          * we don't loose precision.
2945          */
2946         if (ipst->ips_icmp_pkt_err_sent != 0) {
2947                 refilled = (now - ipst->ips_icmp_pkt_err_last)/err_interval;
2948                 if (refilled > ipst->ips_icmp_pkt_err_sent) {
2949                         ipst->ips_icmp_pkt_err_sent = 0;
2950                 } else {
2951                         ipst->ips_icmp_pkt_err_sent -= refilled;
2952                         ipst->ips_icmp_pkt_err_last += refilled * err_interval;
2953                 }
2954         }
2955         if (ipst->ips_icmp_pkt_err_sent == 0) {
2956                 /* Start of new burst */
2957                 ipst->ips_icmp_pkt_err_last = now;
2958         }
2959         if (ipst->ips_icmp_pkt_err_sent < ipst->ips_ip_icmp_err_burst) {
2960                 ipst->ips_icmp_pkt_err_sent++;
2961                 ip1dbg(("icmp_err_rate_limit: %d sent in burst\n",
2962                     ipst->ips_icmp_pkt_err_sent));
2963                 return (B_FALSE);
2964         }
2965         ip1dbg(("icmp_err_rate_limit: dropped\n"));
2966         return (B_TRUE);
2967 }
2968 
2969 /*
2970  * Check if it is ok to send an IPv4 ICMP error packet in
2971  * response to the IPv4 packet in mp.
2972  * Free the message and return null if no
2973  * ICMP error packet should be sent.
2974  */
2975 static mblk_t *
2976 icmp_pkt_err_ok(mblk_t *mp, ip_recv_attr_t *ira)
2977 {
2978         ip_stack_t      *ipst = ira->ira_ill->ill_ipst;
2979         icmph_t *icmph;
2980         ipha_t  *ipha;
2981         uint_t  len_needed;
2982 
2983         if (!mp)
2984                 return (NULL);
2985         ipha = (ipha_t *)mp->b_rptr;
2986         if (ip_csum_hdr(ipha)) {
2987                 BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInCksumErrs);
2988                 ip_drop_input("ipIfStatsInCksumErrs", mp, NULL);
2989                 freemsg(mp);
2990                 return (NULL);
2991         }
2992         if (ip_type_v4(ipha->ipha_dst, ipst) == IRE_BROADCAST ||
2993             ip_type_v4(ipha->ipha_src, ipst) == IRE_BROADCAST ||
2994             CLASSD(ipha->ipha_dst) ||
2995             CLASSD(ipha->ipha_src) ||
2996             (ntohs(ipha->ipha_fragment_offset_and_flags) & IPH_OFFSET)) {
2997                 /* Note: only errors to the fragment with offset 0 */
2998                 BUMP_MIB(&ipst->ips_icmp_mib, icmpOutDrops);
2999                 freemsg(mp);
3000                 return (NULL);
3001         }
3002         if (ipha->ipha_protocol == IPPROTO_ICMP) {
3003                 /*
3004                  * Check the ICMP type.  RFC 1122 sez:  don't send ICMP
3005                  * errors in response to any ICMP errors.
3006                  */
3007                 len_needed = IPH_HDR_LENGTH(ipha) + ICMPH_SIZE;
3008                 if (mp->b_wptr - mp->b_rptr < len_needed) {
3009                         if (!pullupmsg(mp, len_needed)) {
3010                                 BUMP_MIB(&ipst->ips_icmp_mib, icmpInErrors);
3011                                 freemsg(mp);
3012                                 return (NULL);
3013                         }
3014                         ipha = (ipha_t *)mp->b_rptr;
3015                 }
3016                 icmph = (icmph_t *)
3017                     (&((char *)ipha)[IPH_HDR_LENGTH(ipha)]);
3018                 switch (icmph->icmph_type) {
3019                 case ICMP_DEST_UNREACHABLE:
3020                 case ICMP_SOURCE_QUENCH:
3021                 case ICMP_TIME_EXCEEDED:
3022                 case ICMP_PARAM_PROBLEM:
3023                 case ICMP_REDIRECT:
3024                         BUMP_MIB(&ipst->ips_icmp_mib, icmpOutDrops);
3025                         freemsg(mp);
3026                         return (NULL);
3027                 default:
3028                         break;
3029                 }
3030         }
3031         /*
3032          * If this is a labeled system, then check to see if we're allowed to
3033          * send a response to this particular sender.  If not, then just drop.
3034          */
3035         if (is_system_labeled() && !tsol_can_reply_error(mp, ira)) {
3036                 ip2dbg(("icmp_pkt_err_ok: can't respond to packet\n"));
3037                 BUMP_MIB(&ipst->ips_icmp_mib, icmpOutDrops);
3038                 freemsg(mp);
3039                 return (NULL);
3040         }
3041         if (icmp_err_rate_limit(ipst)) {
3042                 /*
3043                  * Only send ICMP error packets every so often.
3044                  * This should be done on a per port/source basis,
3045                  * but for now this will suffice.
3046                  */
3047                 freemsg(mp);
3048                 return (NULL);
3049         }
3050         return (mp);
3051 }
3052 
3053 /*
3054  * Called when a packet was sent out the same link that it arrived on.
3055  * Check if it is ok to send a redirect and then send it.
3056  */
3057 void
3058 ip_send_potential_redirect_v4(mblk_t *mp, ipha_t *ipha, ire_t *ire,
3059     ip_recv_attr_t *ira)
3060 {
3061         ip_stack_t      *ipst = ira->ira_ill->ill_ipst;
3062         ipaddr_t        src, nhop;
3063         mblk_t          *mp1;
3064         ire_t           *nhop_ire;
3065 
3066         /*
3067          * Check the source address to see if it originated
3068          * on the same logical subnet it is going back out on.
3069          * If so, we should be able to send it a redirect.
3070          * Avoid sending a redirect if the destination
3071          * is directly connected (i.e., we matched an IRE_ONLINK),
3072          * or if the packet was source routed out this interface.
3073          *
3074          * We avoid sending a redirect if the
3075          * destination is directly connected
3076          * because it is possible that multiple
3077          * IP subnets may have been configured on
3078          * the link, and the source may not
3079          * be on the same subnet as ip destination,
3080          * even though they are on the same
3081          * physical link.
3082          */
3083         if ((ire->ire_type & IRE_ONLINK) ||
3084             ip_source_routed(ipha, ipst))
3085                 return;
3086 
3087         nhop_ire = ire_nexthop(ire);
3088         if (nhop_ire == NULL)
3089                 return;
3090 
3091         nhop = nhop_ire->ire_addr;
3092 
3093         if (nhop_ire->ire_type & IRE_IF_CLONE) {
3094                 ire_t   *ire2;
3095 
3096                 /* Follow ire_dep_parent to find non-clone IRE_INTERFACE */
3097                 mutex_enter(&nhop_ire->ire_lock);
3098                 ire2 = nhop_ire->ire_dep_parent;
3099                 if (ire2 != NULL)
3100                         ire_refhold(ire2);
3101                 mutex_exit(&nhop_ire->ire_lock);
3102                 ire_refrele(nhop_ire);
3103                 nhop_ire = ire2;
3104         }
3105         if (nhop_ire == NULL)
3106                 return;
3107 
3108         ASSERT(!(nhop_ire->ire_type & IRE_IF_CLONE));
3109 
3110         src = ipha->ipha_src;
3111 
3112         /*
3113          * We look at the interface ire for the nexthop,
3114          * to see if ipha_src is in the same subnet
3115          * as the nexthop.
3116          */
3117         if ((src & nhop_ire->ire_mask) == (nhop & nhop_ire->ire_mask)) {
3118                 /*
3119                  * The source is directly connected.
3120                  */
3121                 mp1 = copymsg(mp);
3122                 if (mp1 != NULL) {
3123                         icmp_send_redirect(mp1, nhop, ira);
3124                 }
3125         }
3126         ire_refrele(nhop_ire);
3127 }
3128 
3129 /*
3130  * Generate an ICMP redirect message.
3131  */
3132 static void
3133 icmp_send_redirect(mblk_t *mp, ipaddr_t gateway, ip_recv_attr_t *ira)
3134 {
3135         icmph_t icmph;
3136         ip_stack_t *ipst = ira->ira_ill->ill_ipst;
3137 
3138         mp = icmp_pkt_err_ok(mp, ira);
3139         if (mp == NULL)
3140                 return;
3141 
3142         bzero(&icmph, sizeof (icmph_t));
3143         icmph.icmph_type = ICMP_REDIRECT;
3144         icmph.icmph_code = 1;
3145         icmph.icmph_rd_gateway = gateway;
3146         BUMP_MIB(&ipst->ips_icmp_mib, icmpOutRedirects);
3147         icmp_pkt(mp, &icmph, sizeof (icmph_t), ira);
3148 }
3149 
3150 /*
3151  * Generate an ICMP time exceeded message.
3152  */
3153 void
3154 icmp_time_exceeded(mblk_t *mp, uint8_t code, ip_recv_attr_t *ira)
3155 {
3156         icmph_t icmph;
3157         ip_stack_t *ipst = ira->ira_ill->ill_ipst;
3158 
3159         mp = icmp_pkt_err_ok(mp, ira);
3160         if (mp == NULL)
3161                 return;
3162 
3163         bzero(&icmph, sizeof (icmph_t));
3164         icmph.icmph_type = ICMP_TIME_EXCEEDED;
3165         icmph.icmph_code = code;
3166         BUMP_MIB(&ipst->ips_icmp_mib, icmpOutTimeExcds);
3167         icmp_pkt(mp, &icmph, sizeof (icmph_t), ira);
3168 }
3169 
3170 /*
3171  * Generate an ICMP unreachable message.
3172  * When called from ip_output side a minimal ip_recv_attr_t needs to be
3173  * constructed by the caller.
3174  */
3175 void
3176 icmp_unreachable(mblk_t *mp, uint8_t code, ip_recv_attr_t *ira)
3177 {
3178         icmph_t icmph;
3179         ip_stack_t *ipst = ira->ira_ill->ill_ipst;
3180 
3181         mp = icmp_pkt_err_ok(mp, ira);
3182         if (mp == NULL)
3183                 return;
3184 
3185         bzero(&icmph, sizeof (icmph_t));
3186         icmph.icmph_type = ICMP_DEST_UNREACHABLE;
3187         icmph.icmph_code = code;
3188         BUMP_MIB(&ipst->ips_icmp_mib, icmpOutDestUnreachs);
3189         icmp_pkt(mp, &icmph, sizeof (icmph_t), ira);
3190 }
3191 
3192 /*
3193  * Latch in the IPsec state for a stream based the policy in the listener
3194  * and the actions in the ip_recv_attr_t.
3195  * Called directly from TCP and SCTP.
3196  */
3197 boolean_t
3198 ip_ipsec_policy_inherit(conn_t *connp, conn_t *lconnp, ip_recv_attr_t *ira)
3199 {
3200         ASSERT(lconnp->conn_policy != NULL);
3201         ASSERT(connp->conn_policy == NULL);
3202 
3203         IPPH_REFHOLD(lconnp->conn_policy);
3204         connp->conn_policy = lconnp->conn_policy;
3205 
3206         if (ira->ira_ipsec_action != NULL) {
3207                 if (connp->conn_latch == NULL) {
3208                         connp->conn_latch = iplatch_create();
3209                         if (connp->conn_latch == NULL)
3210                                 return (B_FALSE);
3211                 }
3212                 ipsec_latch_inbound(connp, ira);
3213         }
3214         return (B_TRUE);
3215 }
3216 
3217 /*
3218  * Verify whether or not the IP address is a valid local address.
3219  * Could be a unicast, including one for a down interface.
3220  * If allow_mcbc then a multicast or broadcast address is also
3221  * acceptable.
3222  *
3223  * In the case of a broadcast/multicast address, however, the
3224  * upper protocol is expected to reset the src address
3225  * to zero when we return IPVL_MCAST/IPVL_BCAST so that
3226  * no packets are emitted with broadcast/multicast address as
3227  * source address (that violates hosts requirements RFC 1122)
3228  * The addresses valid for bind are:
3229  *      (1) - INADDR_ANY (0)
3230  *      (2) - IP address of an UP interface
3231  *      (3) - IP address of a DOWN interface
3232  *      (4) - valid local IP broadcast addresses. In this case
3233  *      the conn will only receive packets destined to
3234  *      the specified broadcast address.
3235  *      (5) - a multicast address. In this case
3236  *      the conn will only receive packets destined to
3237  *      the specified multicast address. Note: the
3238  *      application still has to issue an
3239  *      IP_ADD_MEMBERSHIP socket option.
3240  *
3241  * In all the above cases, the bound address must be valid in the current zone.
3242  * When the address is loopback, multicast or broadcast, there might be many
3243  * matching IREs so bind has to look up based on the zone.
3244  */
3245 ip_laddr_t
3246 ip_laddr_verify_v4(ipaddr_t src_addr, zoneid_t zoneid,
3247     ip_stack_t *ipst, boolean_t allow_mcbc)
3248 {
3249         ire_t *src_ire;
3250 
3251         ASSERT(src_addr != INADDR_ANY);
3252 
3253         src_ire = ire_ftable_lookup_v4(src_addr, 0, 0, 0,
3254             NULL, zoneid, NULL, MATCH_IRE_ZONEONLY, 0, ipst, NULL);
3255 
3256         /*
3257          * If an address other than in6addr_any is requested,
3258          * we verify that it is a valid address for bind
3259          * Note: Following code is in if-else-if form for
3260          * readability compared to a condition check.
3261          */
3262         if (src_ire != NULL && (src_ire->ire_type & (IRE_LOCAL|IRE_LOOPBACK))) {
3263                 /*
3264                  * (2) Bind to address of local UP interface
3265                  */
3266                 ire_refrele(src_ire);
3267                 return (IPVL_UNICAST_UP);
3268         } else if (src_ire != NULL && src_ire->ire_type & IRE_BROADCAST) {
3269                 /*
3270                  * (4) Bind to broadcast address
3271                  */
3272                 ire_refrele(src_ire);
3273                 if (allow_mcbc)
3274                         return (IPVL_BCAST);
3275                 else
3276                         return (IPVL_BAD);
3277         } else if (CLASSD(src_addr)) {
3278                 /* (5) bind to multicast address. */
3279                 if (src_ire != NULL)
3280                         ire_refrele(src_ire);
3281 
3282                 if (allow_mcbc)
3283                         return (IPVL_MCAST);
3284                 else
3285                         return (IPVL_BAD);
3286         } else {
3287                 ipif_t *ipif;
3288 
3289                 /*
3290                  * (3) Bind to address of local DOWN interface?
3291                  * (ipif_lookup_addr() looks up all interfaces
3292                  * but we do not get here for UP interfaces
3293                  * - case (2) above)
3294                  */
3295                 if (src_ire != NULL)
3296                         ire_refrele(src_ire);
3297 
3298                 ipif = ipif_lookup_addr(src_addr, NULL, zoneid, ipst);
3299                 if (ipif == NULL)
3300                         return (IPVL_BAD);
3301 
3302                 /* Not a useful source? */
3303                 if (ipif->ipif_flags & (IPIF_NOLOCAL | IPIF_ANYCAST)) {
3304                         ipif_refrele(ipif);
3305                         return (IPVL_BAD);
3306                 }
3307                 ipif_refrele(ipif);
3308                 return (IPVL_UNICAST_DOWN);
3309         }
3310 }
3311 
3312 /*
3313  * Insert in the bind fanout for IPv4 and IPv6.
3314  * The caller should already have used ip_laddr_verify_v*() before calling
3315  * this.
3316  */
3317 int
3318 ip_laddr_fanout_insert(conn_t *connp)
3319 {
3320         int             error;
3321 
3322         /*
3323          * Allow setting new policies. For example, disconnects result
3324          * in us being called. As we would have set conn_policy_cached
3325          * to B_TRUE before, we should set it to B_FALSE, so that policy
3326          * can change after the disconnect.
3327          */
3328         connp->conn_policy_cached = B_FALSE;
3329 
3330         error = ipcl_bind_insert(connp);
3331         if (error != 0) {
3332                 if (connp->conn_anon_port) {
3333                         (void) tsol_mlp_anon(crgetzone(connp->conn_cred),
3334                             connp->conn_mlp_type, connp->conn_proto,
3335                             ntohs(connp->conn_lport), B_FALSE);
3336                 }
3337                 connp->conn_mlp_type = mlptSingle;
3338         }
3339         return (error);
3340 }
3341 
3342 /*
3343  * Verify that both the source and destination addresses are valid. If
3344  * IPDF_VERIFY_DST is not set, then the destination address may be unreachable,
3345  * i.e. have no route to it.  Protocols like TCP want to verify destination
3346  * reachability, while tunnels do not.
3347  *
3348  * Determine the route, the interface, and (optionally) the source address
3349  * to use to reach a given destination.
3350  * Note that we allow connect to broadcast and multicast addresses when
3351  * IPDF_ALLOW_MCBC is set.
3352  * first_hop and dst_addr are normally the same, but if source routing
3353  * they will differ; in that case the first_hop is what we'll use for the
3354  * routing lookup but the dce and label checks will be done on dst_addr,
3355  *
3356  * If uinfo is set, then we fill in the best available information
3357  * we have for the destination. This is based on (in priority order) any
3358  * metrics and path MTU stored in a dce_t, route metrics, and finally the
3359  * ill_mtu/ill_mc_mtu.
3360  *
3361  * Tsol note: If we have a source route then dst_addr != firsthop. But we
3362  * always do the label check on dst_addr.
3363  */
3364 int
3365 ip_set_destination_v4(ipaddr_t *src_addrp, ipaddr_t dst_addr, ipaddr_t firsthop,
3366     ip_xmit_attr_t *ixa, iulp_t *uinfo, uint32_t flags, uint_t mac_mode)
3367 {
3368         ire_t           *ire = NULL;
3369         int             error = 0;
3370         ipaddr_t        setsrc;                         /* RTF_SETSRC */
3371         zoneid_t        zoneid = ixa->ixa_zoneid;    /* Honors SO_ALLZONES */
3372         ip_stack_t      *ipst = ixa->ixa_ipst;
3373         dce_t           *dce;
3374         uint_t          pmtu;
3375         uint_t          generation;
3376         nce_t           *nce;
3377         ill_t           *ill = NULL;
3378         boolean_t       multirt = B_FALSE;
3379 
3380         ASSERT(ixa->ixa_flags & IXAF_IS_IPV4);
3381 
3382         /*
3383          * We never send to zero; the ULPs map it to the loopback address.
3384          * We can't allow it since we use zero to mean unitialized in some
3385          * places.
3386          */
3387         ASSERT(dst_addr != INADDR_ANY);
3388 
3389         if (is_system_labeled()) {
3390                 ts_label_t *tsl = NULL;
3391 
3392                 error = tsol_check_dest(ixa->ixa_tsl, &dst_addr, IPV4_VERSION,
3393                     mac_mode, (flags & IPDF_ZONE_IS_GLOBAL) != 0, &tsl);
3394                 if (error != 0)
3395                         return (error);
3396                 if (tsl != NULL) {
3397                         /* Update the label */
3398                         ip_xmit_attr_replace_tsl(ixa, tsl);
3399                 }
3400         }
3401 
3402         setsrc = INADDR_ANY;
3403         /*
3404          * Select a route; For IPMP interfaces, we would only select
3405          * a "hidden" route (i.e., going through a specific under_ill)
3406          * if ixa_ifindex has been specified.
3407          */
3408         ire = ip_select_route_v4(firsthop, *src_addrp, ixa,
3409             &generation, &setsrc, &error, &multirt);
3410         ASSERT(ire != NULL);    /* IRE_NOROUTE if none found */
3411         if (error != 0)
3412                 goto bad_addr;
3413 
3414         /*
3415          * ire can't be a broadcast or multicast unless IPDF_ALLOW_MCBC is set.
3416          * If IPDF_VERIFY_DST is set, the destination must be reachable;
3417          * Otherwise the destination needn't be reachable.
3418          *
3419          * If we match on a reject or black hole, then we've got a
3420          * local failure.  May as well fail out the connect() attempt,
3421          * since it's never going to succeed.
3422          */
3423         if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
3424                 /*
3425                  * If we're verifying destination reachability, we always want
3426                  * to complain here.
3427                  *
3428                  * If we're not verifying destination reachability but the
3429                  * destination has a route, we still want to fail on the
3430                  * temporary address and broadcast address tests.
3431                  *
3432                  * In both cases do we let the code continue so some reasonable
3433                  * information is returned to the caller. That enables the
3434                  * caller to use (and even cache) the IRE. conn_ip_ouput will
3435                  * use the generation mismatch path to check for the unreachable
3436                  * case thereby avoiding any specific check in the main path.
3437                  */
3438                 ASSERT(generation == IRE_GENERATION_VERIFY);
3439                 if (flags & IPDF_VERIFY_DST) {
3440                         /*
3441                          * Set errno but continue to set up ixa_ire to be
3442                          * the RTF_REJECT|RTF_BLACKHOLE IRE.
3443                          * That allows callers to use ip_output to get an
3444                          * ICMP error back.
3445                          */
3446                         if (!(ire->ire_type & IRE_HOST))
3447                                 error = ENETUNREACH;
3448                         else
3449                                 error = EHOSTUNREACH;
3450                 }
3451         }
3452 
3453         if ((ire->ire_type & (IRE_BROADCAST|IRE_MULTICAST)) &&
3454             !(flags & IPDF_ALLOW_MCBC)) {
3455                 ire_refrele(ire);
3456                 ire = ire_reject(ipst, B_FALSE);
3457                 generation = IRE_GENERATION_VERIFY;
3458                 error = ENETUNREACH;
3459         }
3460 
3461         /* Cache things */
3462         if (ixa->ixa_ire != NULL)
3463                 ire_refrele_notr(ixa->ixa_ire);
3464 #ifdef DEBUG
3465         ire_refhold_notr(ire);
3466         ire_refrele(ire);
3467 #endif
3468         ixa->ixa_ire = ire;
3469         ixa->ixa_ire_generation = generation;
3470 
3471         /*
3472          * Ensure that ixa_dce is always set any time that ixa_ire is set,
3473          * since some callers will send a packet to conn_ip_output() even if
3474          * there's an error.
3475          */
3476         if (flags & IPDF_UNIQUE_DCE) {
3477                 /* Fallback to the default dce if allocation fails */
3478                 dce = dce_lookup_and_add_v4(dst_addr, ipst);
3479                 if (dce != NULL)
3480                         generation = dce->dce_generation;
3481                 else
3482                         dce = dce_lookup_v4(dst_addr, ipst, &generation);
3483         } else {
3484                 dce = dce_lookup_v4(dst_addr, ipst, &generation);
3485         }
3486         ASSERT(dce != NULL);
3487         if (ixa->ixa_dce != NULL)
3488                 dce_refrele_notr(ixa->ixa_dce);
3489 #ifdef DEBUG
3490         dce_refhold_notr(dce);
3491         dce_refrele(dce);
3492 #endif
3493         ixa->ixa_dce = dce;
3494         ixa->ixa_dce_generation = generation;
3495 
3496         /*
3497          * For multicast with multirt we have a flag passed back from
3498          * ire_lookup_multi_ill_v4 since we don't have an IRE for each
3499          * possible multicast address.
3500          * We also need a flag for multicast since we can't check
3501          * whether RTF_MULTIRT is set in ixa_ire for multicast.
3502          */
3503         if (multirt) {
3504                 ixa->ixa_postfragfn = ip_postfrag_multirt_v4;
3505                 ixa->ixa_flags |= IXAF_MULTIRT_MULTICAST;
3506         } else {
3507                 ixa->ixa_postfragfn = ire->ire_postfragfn;
3508                 ixa->ixa_flags &= ~IXAF_MULTIRT_MULTICAST;
3509         }
3510         if (!(ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE))) {
3511                 /* Get an nce to cache. */
3512                 nce = ire_to_nce(ire, firsthop, NULL);
3513                 if (nce == NULL) {
3514                         /* Allocation failure? */
3515                         ixa->ixa_ire_generation = IRE_GENERATION_VERIFY;
3516                 } else {
3517                         if (ixa->ixa_nce != NULL)
3518                                 nce_refrele(ixa->ixa_nce);
3519                         ixa->ixa_nce = nce;
3520                 }
3521         }
3522 
3523         /*
3524          * If the source address is a loopback address, the
3525          * destination had best be local or multicast.
3526          * If we are sending to an IRE_LOCAL using a loopback source then
3527          * it had better be the same zoneid.
3528          */
3529         if (*src_addrp == htonl(INADDR_LOOPBACK)) {
3530                 if ((ire->ire_type & IRE_LOCAL) && ire->ire_zoneid != zoneid) {
3531                         ire = NULL;     /* Stored in ixa_ire */
3532                         error = EADDRNOTAVAIL;
3533                         goto bad_addr;
3534                 }
3535                 if (!(ire->ire_type & (IRE_LOOPBACK|IRE_LOCAL|IRE_MULTICAST))) {
3536                         ire = NULL;     /* Stored in ixa_ire */
3537                         error = EADDRNOTAVAIL;
3538                         goto bad_addr;
3539                 }
3540         }
3541         if (ire->ire_type & IRE_BROADCAST) {
3542                 /*
3543                  * If the ULP didn't have a specified source, then we
3544                  * make sure we reselect the source when sending
3545                  * broadcasts out different interfaces.
3546                  */
3547                 if (flags & IPDF_SELECT_SRC)
3548                         ixa->ixa_flags |= IXAF_SET_SOURCE;
3549                 else
3550                         ixa->ixa_flags &= ~IXAF_SET_SOURCE;
3551         }
3552 
3553         /*
3554          * Does the caller want us to pick a source address?
3555          */
3556         if (flags & IPDF_SELECT_SRC) {
3557                 ipaddr_t        src_addr;
3558 
3559                 /*
3560                  * We use use ire_nexthop_ill to avoid the under ipmp
3561                  * interface for source address selection. Note that for ipmp
3562                  * probe packets, ixa_ifindex would have been specified, and
3563                  * the ip_select_route() invocation would have picked an ire
3564                  * will ire_ill pointing at an under interface.
3565                  */
3566                 ill = ire_nexthop_ill(ire);
3567 
3568                 /* If unreachable we have no ill but need some source */
3569                 if (ill == NULL) {
3570                         src_addr = htonl(INADDR_LOOPBACK);
3571                         /* Make sure we look for a better source address */
3572                         generation = SRC_GENERATION_VERIFY;
3573                 } else {
3574                         error = ip_select_source_v4(ill, setsrc, dst_addr,
3575                             ixa->ixa_multicast_ifaddr, zoneid,
3576                             ipst, &src_addr, &generation, NULL);
3577                         if (error != 0) {
3578                                 ire = NULL;     /* Stored in ixa_ire */
3579                                 goto bad_addr;
3580                         }
3581                 }
3582 
3583                 /*
3584                  * We allow the source address to to down.
3585                  * However, we check that we don't use the loopback address
3586                  * as a source when sending out on the wire.
3587                  */
3588                 if ((src_addr == htonl(INADDR_LOOPBACK)) &&
3589                     !(ire->ire_type & (IRE_LOCAL|IRE_LOOPBACK|IRE_MULTICAST)) &&
3590                     !(ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE))) {
3591                         ire = NULL;     /* Stored in ixa_ire */
3592                         error = EADDRNOTAVAIL;
3593                         goto bad_addr;
3594                 }
3595 
3596                 *src_addrp = src_addr;
3597                 ixa->ixa_src_generation = generation;
3598         }
3599 
3600         /*
3601          * Make sure we don't leave an unreachable ixa_nce in place
3602          * since ip_select_route is used when we unplumb i.e., remove
3603          * references on ixa_ire, ixa_nce, and ixa_dce.
3604          */
3605         nce = ixa->ixa_nce;
3606         if (nce != NULL && nce->nce_is_condemned) {
3607                 nce_refrele(nce);
3608                 ixa->ixa_nce = NULL;
3609                 ixa->ixa_ire_generation = IRE_GENERATION_VERIFY;
3610         }
3611 
3612         /*
3613          * The caller has set IXAF_PMTU_DISCOVERY if path MTU is desired.
3614          * However, we can't do it for IPv4 multicast or broadcast.
3615          */
3616         if (ire->ire_type & (IRE_BROADCAST|IRE_MULTICAST))
3617                 ixa->ixa_flags &= ~IXAF_PMTU_DISCOVERY;
3618 
3619         /*
3620          * Set initial value for fragmentation limit. Either conn_ip_output
3621          * or ULP might updates it when there are routing changes.
3622          * Handles a NULL ixa_ire->ire_ill or a NULL ixa_nce for RTF_REJECT.
3623          */
3624         pmtu = ip_get_pmtu(ixa);
3625         ixa->ixa_fragsize = pmtu;
3626         /* Make sure ixa_fragsize and ixa_pmtu remain identical */
3627         if (ixa->ixa_flags & IXAF_VERIFY_PMTU)
3628                 ixa->ixa_pmtu = pmtu;
3629 
3630         /*
3631          * Extract information useful for some transports.
3632          * First we look for DCE metrics. Then we take what we have in
3633          * the metrics in the route, where the offlink is used if we have
3634          * one.
3635          */
3636         if (uinfo != NULL) {
3637                 bzero(uinfo, sizeof (*uinfo));
3638 
3639                 if (dce->dce_flags & DCEF_UINFO)
3640                         *uinfo = dce->dce_uinfo;
3641 
3642                 rts_merge_metrics(uinfo, &ire->ire_metrics);
3643 
3644                 /* Allow ire_metrics to decrease the path MTU from above */
3645                 if (uinfo->iulp_mtu == 0 || uinfo->iulp_mtu > pmtu)
3646                         uinfo->iulp_mtu = pmtu;
3647 
3648                 uinfo->iulp_localnet = (ire->ire_type & IRE_ONLINK) != 0;
3649                 uinfo->iulp_loopback = (ire->ire_type & IRE_LOOPBACK) != 0;
3650                 uinfo->iulp_local = (ire->ire_type & IRE_LOCAL) != 0;
3651         }
3652 
3653         if (ill != NULL)
3654                 ill_refrele(ill);
3655 
3656         return (error);
3657 
3658 bad_addr:
3659         if (ire != NULL)
3660                 ire_refrele(ire);
3661 
3662         if (ill != NULL)
3663                 ill_refrele(ill);
3664 
3665         /*
3666          * Make sure we don't leave an unreachable ixa_nce in place
3667          * since ip_select_route is used when we unplumb i.e., remove
3668          * references on ixa_ire, ixa_nce, and ixa_dce.
3669          */
3670         nce = ixa->ixa_nce;
3671         if (nce != NULL && nce->nce_is_condemned) {
3672                 nce_refrele(nce);
3673                 ixa->ixa_nce = NULL;
3674                 ixa->ixa_ire_generation = IRE_GENERATION_VERIFY;
3675         }
3676 
3677         return (error);
3678 }
3679 
3680 
3681 /*
3682  * Get the base MTU for the case when path MTU discovery is not used.
3683  * Takes the MTU of the IRE into account.
3684  */
3685 uint_t
3686 ip_get_base_mtu(ill_t *ill, ire_t *ire)
3687 {
3688         uint_t mtu;
3689         uint_t iremtu = ire->ire_metrics.iulp_mtu;
3690 
3691         if (ire->ire_type & (IRE_MULTICAST|IRE_BROADCAST))
3692                 mtu = ill->ill_mc_mtu;
3693         else
3694                 mtu = ill->ill_mtu;
3695 
3696         if (iremtu != 0 && iremtu < mtu)
3697                 mtu = iremtu;
3698 
3699         return (mtu);
3700 }
3701 
3702 /*
3703  * Get the PMTU for the attributes. Handles both IPv4 and IPv6.
3704  * Assumes that ixa_ire, dce, and nce have already been set up.
3705  *
3706  * The caller has set IXAF_PMTU_DISCOVERY if path MTU discovery is desired.
3707  * We avoid path MTU discovery if it is disabled with ndd.
3708  * Furtermore, if the path MTU is too small, then we don't set DF for IPv4.
3709  *
3710  * NOTE: We also used to turn it off for source routed packets. That
3711  * is no longer required since the dce is per final destination.
3712  */
3713 uint_t
3714 ip_get_pmtu(ip_xmit_attr_t *ixa)
3715 {
3716         ip_stack_t      *ipst = ixa->ixa_ipst;
3717         dce_t           *dce;
3718         nce_t           *nce;
3719         ire_t           *ire;
3720         uint_t          pmtu;
3721 
3722         ire = ixa->ixa_ire;
3723         dce = ixa->ixa_dce;
3724         nce = ixa->ixa_nce;
3725 
3726         /*
3727          * If path MTU discovery has been turned off by ndd, then we ignore
3728          * any dce_pmtu and for IPv4 we will not set DF.
3729          */
3730         if (!ipst->ips_ip_path_mtu_discovery)
3731                 ixa->ixa_flags &= ~IXAF_PMTU_DISCOVERY;
3732 
3733         pmtu = IP_MAXPACKET;
3734         /*
3735          * Decide whether whether IPv4 sets DF
3736          * For IPv6 "no DF" means to use the 1280 mtu
3737          */
3738         if (ixa->ixa_flags & IXAF_PMTU_DISCOVERY) {
3739                 ixa->ixa_flags |= IXAF_PMTU_IPV4_DF;
3740         } else {
3741                 ixa->ixa_flags &= ~IXAF_PMTU_IPV4_DF;
3742                 if (!(ixa->ixa_flags & IXAF_IS_IPV4))
3743                         pmtu = IPV6_MIN_MTU;
3744         }
3745 
3746         /* Check if the PMTU is to old before we use it */
3747         if ((dce->dce_flags & DCEF_PMTU) &&
3748             TICK_TO_SEC(ddi_get_lbolt64()) - dce->dce_last_change_time >
3749             ipst->ips_ip_pathmtu_interval) {
3750                 /*
3751                  * Older than 20 minutes. Drop the path MTU information.
3752                  */
3753                 mutex_enter(&dce->dce_lock);
3754                 dce->dce_flags &= ~(DCEF_PMTU|DCEF_TOO_SMALL_PMTU);
3755                 dce->dce_last_change_time = TICK_TO_SEC(ddi_get_lbolt64());
3756                 mutex_exit(&dce->dce_lock);
3757                 dce_increment_generation(dce);
3758         }
3759 
3760         /* The metrics on the route can lower the path MTU */
3761         if (ire->ire_metrics.iulp_mtu != 0 &&
3762             ire->ire_metrics.iulp_mtu < pmtu)
3763                 pmtu = ire->ire_metrics.iulp_mtu;
3764 
3765         /*
3766          * If the path MTU is smaller than some minimum, we still use dce_pmtu
3767          * above (would be 576 for IPv4 and 1280 for IPv6), but we clear
3768          * IXAF_PMTU_IPV4_DF so that we avoid setting DF for IPv4.
3769          */
3770         if (ixa->ixa_flags & IXAF_PMTU_DISCOVERY) {
3771                 if (dce->dce_flags & DCEF_PMTU) {
3772                         if (dce->dce_pmtu < pmtu)
3773                                 pmtu = dce->dce_pmtu;
3774 
3775                         if (dce->dce_flags & DCEF_TOO_SMALL_PMTU) {
3776                                 ixa->ixa_flags |= IXAF_PMTU_TOO_SMALL;
3777                                 ixa->ixa_flags &= ~IXAF_PMTU_IPV4_DF;
3778                         } else {
3779                                 ixa->ixa_flags &= ~IXAF_PMTU_TOO_SMALL;
3780                                 ixa->ixa_flags |= IXAF_PMTU_IPV4_DF;
3781                         }
3782                 } else {
3783                         ixa->ixa_flags &= ~IXAF_PMTU_TOO_SMALL;
3784                         ixa->ixa_flags |= IXAF_PMTU_IPV4_DF;
3785                 }
3786         }
3787 
3788         /*
3789          * If we have an IRE_LOCAL we use the loopback mtu instead of
3790          * the ill for going out the wire i.e., IRE_LOCAL gets the same
3791          * mtu as IRE_LOOPBACK.
3792          */
3793         if (ire->ire_type & (IRE_LOCAL|IRE_LOOPBACK)) {
3794                 uint_t loopback_mtu;
3795 
3796                 loopback_mtu = (ire->ire_ipversion == IPV6_VERSION) ?
3797                     ip_loopback_mtu_v6plus : ip_loopback_mtuplus;
3798 
3799                 if (loopback_mtu < pmtu)
3800                         pmtu = loopback_mtu;
3801         } else if (nce != NULL) {
3802                 /*
3803                  * Make sure we don't exceed the interface MTU.
3804                  * In the case of RTF_REJECT or RTF_BLACKHOLE we might not have
3805                  * an ill. We'd use the above IP_MAXPACKET in that case just
3806                  * to tell the transport something larger than zero.
3807                  */
3808                 if (ire->ire_type & (IRE_MULTICAST|IRE_BROADCAST)) {
3809                         if (nce->nce_common->ncec_ill->ill_mc_mtu < pmtu)
3810                                 pmtu = nce->nce_common->ncec_ill->ill_mc_mtu;
3811                         if (nce->nce_common->ncec_ill != nce->nce_ill &&
3812                             nce->nce_ill->ill_mc_mtu < pmtu) {
3813                                 /*
3814                                  * for interfaces in an IPMP group, the mtu of
3815                                  * the nce_ill (under_ill) could be different
3816                                  * from the mtu of the ncec_ill, so we take the
3817                                  * min of the two.
3818                                  */
3819                                 pmtu = nce->nce_ill->ill_mc_mtu;
3820                         }
3821                 } else {
3822                         if (nce->nce_common->ncec_ill->ill_mtu < pmtu)
3823                                 pmtu = nce->nce_common->ncec_ill->ill_mtu;
3824                         if (nce->nce_common->ncec_ill != nce->nce_ill &&
3825                             nce->nce_ill->ill_mtu < pmtu) {
3826                                 /*
3827                                  * for interfaces in an IPMP group, the mtu of
3828                                  * the nce_ill (under_ill) could be different
3829                                  * from the mtu of the ncec_ill, so we take the
3830                                  * min of the two.
3831                                  */
3832                                 pmtu = nce->nce_ill->ill_mtu;
3833                         }
3834                 }
3835         }
3836 
3837         /*
3838          * Handle the IPV6_USE_MIN_MTU socket option or ancillary data.
3839          * Only applies to IPv6.
3840          */
3841         if (!(ixa->ixa_flags & IXAF_IS_IPV4)) {
3842                 if (ixa->ixa_flags & IXAF_USE_MIN_MTU) {
3843                         switch (ixa->ixa_use_min_mtu) {
3844                         case IPV6_USE_MIN_MTU_MULTICAST:
3845                                 if (ire->ire_type & IRE_MULTICAST)
3846                                         pmtu = IPV6_MIN_MTU;
3847                                 break;
3848                         case IPV6_USE_MIN_MTU_ALWAYS:
3849                                 pmtu = IPV6_MIN_MTU;
3850                                 break;
3851                         case IPV6_USE_MIN_MTU_NEVER:
3852                                 break;
3853                         }
3854                 } else {
3855                         /* Default is IPV6_USE_MIN_MTU_MULTICAST */
3856                         if (ire->ire_type & IRE_MULTICAST)
3857                                 pmtu = IPV6_MIN_MTU;
3858                 }
3859         }
3860 
3861         /*
3862          * After receiving an ICMPv6 "packet too big" message with a
3863          * MTU < 1280, and for multirouted IPv6 packets, the IP layer
3864          * will insert a 8-byte fragment header in every packet. We compensate
3865          * for those cases by returning a smaller path MTU to the ULP.
3866          *
3867          * In the case of CGTP then ip_output will add a fragment header.
3868          * Make sure there is room for it by telling a smaller number
3869          * to the transport.
3870          *
3871          * When IXAF_IPV6_ADDR_FRAGHDR we subtract the frag hdr here
3872          * so the ULPs consistently see a iulp_pmtu and ip_get_pmtu()
3873          * which is the size of the packets it can send.
3874          */
3875         if (!(ixa->ixa_flags & IXAF_IS_IPV4)) {
3876                 if ((dce->dce_flags & DCEF_TOO_SMALL_PMTU) ||
3877                     (ire->ire_flags & RTF_MULTIRT) ||
3878                     (ixa->ixa_flags & IXAF_MULTIRT_MULTICAST)) {
3879                         pmtu -= sizeof (ip6_frag_t);
3880                         ixa->ixa_flags |= IXAF_IPV6_ADD_FRAGHDR;
3881                 }
3882         }
3883 
3884         return (pmtu);
3885 }
3886 
3887 /*
3888  * Carve "len" bytes out of an mblk chain, consuming any we empty, and duping
3889  * the final piece where we don't.  Return a pointer to the first mblk in the
3890  * result, and update the pointer to the next mblk to chew on.  If anything
3891  * goes wrong (i.e., dupb fails), we waste everything in sight and return a
3892  * NULL pointer.
3893  */
3894 mblk_t *
3895 ip_carve_mp(mblk_t **mpp, ssize_t len)
3896 {
3897         mblk_t  *mp0;
3898         mblk_t  *mp1;
3899         mblk_t  *mp2;
3900 
3901         if (!len || !mpp || !(mp0 = *mpp))
3902                 return (NULL);
3903         /* If we aren't going to consume the first mblk, we need a dup. */
3904         if (mp0->b_wptr - mp0->b_rptr > len) {
3905                 mp1 = dupb(mp0);
3906                 if (mp1) {
3907                         /* Partition the data between the two mblks. */
3908                         mp1->b_wptr = mp1->b_rptr + len;
3909                         mp0->b_rptr = mp1->b_wptr;
3910                         /*
3911                          * after adjustments if mblk not consumed is now
3912                          * unaligned, try to align it. If this fails free
3913                          * all messages and let upper layer recover.
3914                          */
3915                         if (!OK_32PTR(mp0->b_rptr)) {
3916                                 if (!pullupmsg(mp0, -1)) {
3917                                         freemsg(mp0);
3918                                         freemsg(mp1);
3919                                         *mpp = NULL;
3920                                         return (NULL);
3921                                 }
3922                         }
3923                 }
3924                 return (mp1);
3925         }
3926         /* Eat through as many mblks as we need to get len bytes. */
3927         len -= mp0->b_wptr - mp0->b_rptr;
3928         for (mp2 = mp1 = mp0; (mp2 = mp2->b_cont) != 0 && len; mp1 = mp2) {
3929                 if (mp2->b_wptr - mp2->b_rptr > len) {
3930                         /*
3931                          * We won't consume the entire last mblk.  Like
3932                          * above, dup and partition it.
3933                          */
3934                         mp1->b_cont = dupb(mp2);
3935                         mp1 = mp1->b_cont;
3936                         if (!mp1) {
3937                                 /*
3938                                  * Trouble.  Rather than go to a lot of
3939                                  * trouble to clean up, we free the messages.
3940                                  * This won't be any worse than losing it on
3941                                  * the wire.
3942                                  */
3943                                 freemsg(mp0);
3944                                 freemsg(mp2);
3945                                 *mpp = NULL;
3946                                 return (NULL);
3947                         }
3948                         mp1->b_wptr = mp1->b_rptr + len;
3949                         mp2->b_rptr = mp1->b_wptr;
3950                         /*
3951                          * after adjustments if mblk not consumed is now
3952                          * unaligned, try to align it. If this fails free
3953                          * all messages and let upper layer recover.
3954                          */
3955                         if (!OK_32PTR(mp2->b_rptr)) {
3956                                 if (!pullupmsg(mp2, -1)) {
3957                                         freemsg(mp0);
3958                                         freemsg(mp2);
3959                                         *mpp = NULL;
3960                                         return (NULL);
3961                                 }
3962                         }
3963                         *mpp = mp2;
3964                         return (mp0);
3965                 }
3966                 /* Decrement len by the amount we just got. */
3967                 len -= mp2->b_wptr - mp2->b_rptr;
3968         }
3969         /*
3970          * len should be reduced to zero now.  If not our caller has
3971          * screwed up.
3972          */
3973         if (len) {
3974                 /* Shouldn't happen! */
3975                 freemsg(mp0);
3976                 *mpp = NULL;
3977                 return (NULL);
3978         }
3979         /*
3980          * We consumed up to exactly the end of an mblk.  Detach the part
3981          * we are returning from the rest of the chain.
3982          */
3983         mp1->b_cont = NULL;
3984         *mpp = mp2;
3985         return (mp0);
3986 }
3987 
3988 /* The ill stream is being unplumbed. Called from ip_close */
3989 int
3990 ip_modclose(ill_t *ill)
3991 {
3992         boolean_t success;
3993         ipsq_t  *ipsq;
3994         ipif_t  *ipif;
3995         queue_t *q = ill->ill_rq;
3996         ip_stack_t      *ipst = ill->ill_ipst;
3997         int     i;
3998         arl_ill_common_t *ai = ill->ill_common;
3999 
4000         /*
4001          * The punlink prior to this may have initiated a capability
4002          * negotiation. But ipsq_enter will block until that finishes or
4003          * times out.
4004          */
4005         success = ipsq_enter(ill, B_FALSE, NEW_OP);
4006 
4007         /*
4008          * Open/close/push/pop is guaranteed to be single threaded
4009          * per stream by STREAMS. FS guarantees that all references
4010          * from top are gone before close is called. So there can't
4011          * be another close thread that has set CONDEMNED on this ill.
4012          * and cause ipsq_enter to return failure.
4013          */
4014         ASSERT(success);
4015         ipsq = ill->ill_phyint->phyint_ipsq;
4016 
4017         /*
4018          * Mark it condemned. No new reference will be made to this ill.
4019          * Lookup functions will return an error. Threads that try to
4020          * increment the refcnt must check for ILL_CAN_LOOKUP. This ensures
4021          * that the refcnt will drop down to zero.
4022          */
4023         mutex_enter(&ill->ill_lock);
4024         ill->ill_state_flags |= ILL_CONDEMNED;
4025         for (ipif = ill->ill_ipif; ipif != NULL;
4026             ipif = ipif->ipif_next) {
4027                 ipif->ipif_state_flags |= IPIF_CONDEMNED;
4028         }
4029         /*
4030          * Wake up anybody waiting to enter the ipsq. ipsq_enter
4031          * returns  error if ILL_CONDEMNED is set
4032          */
4033         cv_broadcast(&ill->ill_cv);
4034         mutex_exit(&ill->ill_lock);
4035 
4036         /*
4037          * Send all the deferred DLPI messages downstream which came in
4038          * during the small window right before ipsq_enter(). We do this
4039          * without waiting for the ACKs because all the ACKs for M_PROTO
4040          * messages are ignored in ip_rput() when ILL_CONDEMNED is set.
4041          */
4042         ill_dlpi_send_deferred(ill);
4043 
4044         /*
4045          * Shut down fragmentation reassembly.
4046          * ill_frag_timer won't start a timer again.
4047          * Now cancel any existing timer
4048          */
4049         (void) untimeout(ill->ill_frag_timer_id);
4050         (void) ill_frag_timeout(ill, 0);
4051 
4052         /*
4053          * Call ill_delete to bring down the ipifs, ilms and ill on
4054          * this ill. Then wait for the refcnts to drop to zero.
4055          * ill_is_freeable checks whether the ill is really quiescent.
4056          * Then make sure that threads that are waiting to enter the
4057          * ipsq have seen the error returned by ipsq_enter and have
4058          * gone away. Then we call ill_delete_tail which does the
4059          * DL_UNBIND_REQ with the driver and then qprocsoff.
4060          */
4061         ill_delete(ill);
4062         mutex_enter(&ill->ill_lock);
4063         while (!ill_is_freeable(ill))
4064                 cv_wait(&ill->ill_cv, &ill->ill_lock);
4065 
4066         while (ill->ill_waiters)
4067                 cv_wait(&ill->ill_cv, &ill->ill_lock);
4068 
4069         mutex_exit(&ill->ill_lock);
4070 
4071         /*
4072          * ill_delete_tail drops reference on ill_ipst, but we need to keep
4073          * it held until the end of the function since the cleanup
4074          * below needs to be able to use the ip_stack_t.
4075          */
4076         netstack_hold(ipst->ips_netstack);
4077 
4078         /* qprocsoff is done via ill_delete_tail */
4079         ill_delete_tail(ill);
4080         /*
4081          * synchronously wait for arp stream to unbind. After this, we
4082          * cannot get any data packets up from the driver.
4083          */
4084         arp_unbind_complete(ill);
4085         ASSERT(ill->ill_ipst == NULL);
4086 
4087         /*
4088          * Walk through all conns and qenable those that have queued data.
4089          * Close synchronization needs this to
4090          * be done to ensure that all upper layers blocked
4091          * due to flow control to the closing device
4092          * get unblocked.
4093          */
4094         ip1dbg(("ip_wsrv: walking\n"));
4095         for (i = 0; i < TX_FANOUT_SIZE; i++) {
4096                 conn_walk_drain(ipst, &ipst->ips_idl_tx_list[i]);
4097         }
4098 
4099         /*
4100          * ai can be null if this is an IPv6 ill, or if the IPv4
4101          * stream is being torn down before ARP was plumbed (e.g.,
4102          * /sbin/ifconfig plumbing a stream twice, and encountering
4103          * an error
4104          */
4105         if (ai != NULL) {
4106                 ASSERT(!ill->ill_isv6);
4107                 mutex_enter(&ai->ai_lock);
4108                 ai->ai_ill = NULL;
4109                 if (ai->ai_arl == NULL) {
4110                         mutex_destroy(&ai->ai_lock);
4111                         kmem_free(ai, sizeof (*ai));
4112                 } else {
4113                         cv_signal(&ai->ai_ill_unplumb_done);
4114                         mutex_exit(&ai->ai_lock);
4115                 }
4116         }
4117 
4118         mutex_enter(&ipst->ips_ip_mi_lock);
4119         mi_close_unlink(&ipst->ips_ip_g_head, (IDP)ill);
4120         mutex_exit(&ipst->ips_ip_mi_lock);
4121 
4122         /*
4123          * credp could be null if the open didn't succeed and ip_modopen
4124          * itself calls ip_close.
4125          */
4126         if (ill->ill_credp != NULL)
4127                 crfree(ill->ill_credp);
4128 
4129         mutex_destroy(&ill->ill_saved_ire_lock);
4130         mutex_destroy(&ill->ill_lock);
4131         rw_destroy(&ill->ill_mcast_lock);
4132         mutex_destroy(&ill->ill_mcast_serializer);
4133         list_destroy(&ill->ill_nce);
4134 
4135         /*
4136          * Now we are done with the module close pieces that
4137          * need the netstack_t.
4138          */
4139         netstack_rele(ipst->ips_netstack);
4140 
4141         mi_close_free((IDP)ill);
4142         q->q_ptr = WR(q)->q_ptr = NULL;
4143 
4144         ipsq_exit(ipsq);
4145 
4146         return (0);
4147 }
4148 
4149 /*
4150  * This is called as part of close() for IP, UDP, ICMP, and RTS
4151  * in order to quiesce the conn.
4152  */
4153 void
4154 ip_quiesce_conn(conn_t *connp)
4155 {
4156         boolean_t       drain_cleanup_reqd = B_FALSE;
4157         boolean_t       conn_ioctl_cleanup_reqd = B_FALSE;
4158         boolean_t       ilg_cleanup_reqd = B_FALSE;
4159         ip_stack_t      *ipst;
4160 
4161         ASSERT(!IPCL_IS_TCP(connp));
4162         ipst = connp->conn_netstack->netstack_ip;
4163 
4164         /*
4165          * Mark the conn as closing, and this conn must not be
4166          * inserted in future into any list. Eg. conn_drain_insert(),
4167          * won't insert this conn into the conn_drain_list.
4168          *
4169          * conn_idl, and conn_ilg cannot get set henceforth.
4170          */
4171         mutex_enter(&connp->conn_lock);
4172         ASSERT(!(connp->conn_state_flags & CONN_QUIESCED));
4173         connp->conn_state_flags |= CONN_CLOSING;
4174         if (connp->conn_idl != NULL)
4175                 drain_cleanup_reqd = B_TRUE;
4176         if (connp->conn_oper_pending_ill != NULL)
4177                 conn_ioctl_cleanup_reqd = B_TRUE;
4178         if (connp->conn_dhcpinit_ill != NULL) {
4179                 ASSERT(connp->conn_dhcpinit_ill->ill_dhcpinit != 0);
4180                 atomic_dec_32(&connp->conn_dhcpinit_ill->ill_dhcpinit);
4181                 ill_set_inputfn(connp->conn_dhcpinit_ill);
4182                 connp->conn_dhcpinit_ill = NULL;
4183         }
4184         if (connp->conn_ilg != NULL)
4185                 ilg_cleanup_reqd = B_TRUE;
4186         mutex_exit(&connp->conn_lock);
4187 
4188         if (conn_ioctl_cleanup_reqd)
4189                 conn_ioctl_cleanup(connp);
4190 
4191         if (is_system_labeled() && connp->conn_anon_port) {
4192                 (void) tsol_mlp_anon(crgetzone(connp->conn_cred),
4193                     connp->conn_mlp_type, connp->conn_proto,
4194                     ntohs(connp->conn_lport), B_FALSE);
4195                 connp->conn_anon_port = 0;
4196         }
4197         connp->conn_mlp_type = mlptSingle;
4198 
4199         /*
4200          * Remove this conn from any fanout list it is on.
4201          * and then wait for any threads currently operating
4202          * on this endpoint to finish
4203          */
4204         ipcl_hash_remove(connp);
4205 
4206         /*
4207          * Remove this conn from the drain list, and do any other cleanup that
4208          * may be required.  (TCP conns are never flow controlled, and
4209          * conn_idl will be NULL.)
4210          */
4211         if (drain_cleanup_reqd && connp->conn_idl != NULL) {
4212                 idl_t *idl = connp->conn_idl;
4213 
4214                 mutex_enter(&idl->idl_lock);
4215                 conn_drain(connp, B_TRUE);
4216                 mutex_exit(&idl->idl_lock);
4217         }
4218 
4219         if (connp == ipst->ips_ip_g_mrouter)
4220                 (void) ip_mrouter_done(ipst);
4221 
4222         if (ilg_cleanup_reqd)
4223                 ilg_delete_all(connp);
4224 
4225         /*
4226          * Now conn refcnt can increase only thru CONN_INC_REF_LOCKED.
4227          * callers from write side can't be there now because close
4228          * is in progress. The only other caller is ipcl_walk
4229          * which checks for the condemned flag.
4230          */
4231         mutex_enter(&connp->conn_lock);
4232         connp->conn_state_flags |= CONN_CONDEMNED;
4233         while (connp->conn_ref != 1)
4234                 cv_wait(&connp->conn_cv, &connp->conn_lock);
4235         connp->conn_state_flags |= CONN_QUIESCED;
4236         mutex_exit(&connp->conn_lock);
4237 }
4238 
4239 /* ARGSUSED */
4240 int
4241 ip_close(queue_t *q, int flags)
4242 {
4243         conn_t          *connp;
4244 
4245         /*
4246          * Call the appropriate delete routine depending on whether this is
4247          * a module or device.
4248          */
4249         if (WR(q)->q_next != NULL) {
4250                 /* This is a module close */
4251                 return (ip_modclose((ill_t *)q->q_ptr));
4252         }
4253 
4254         connp = q->q_ptr;
4255         ip_quiesce_conn(connp);
4256 
4257         qprocsoff(q);
4258 
4259         /*
4260          * Now we are truly single threaded on this stream, and can
4261          * delete the things hanging off the connp, and finally the connp.
4262          * We removed this connp from the fanout list, it cannot be
4263          * accessed thru the fanouts, and we already waited for the
4264          * conn_ref to drop to 0. We are already in close, so
4265          * there cannot be any other thread from the top. qprocsoff
4266          * has completed, and service has completed or won't run in
4267          * future.
4268          */
4269         ASSERT(connp->conn_ref == 1);
4270 
4271         inet_minor_free(connp->conn_minor_arena, connp->conn_dev);
4272 
4273         connp->conn_ref--;
4274         ipcl_conn_destroy(connp);
4275 
4276         q->q_ptr = WR(q)->q_ptr = NULL;
4277         return (0);
4278 }
4279 
4280 /*
4281  * Wapper around putnext() so that ip_rts_request can merely use
4282  * conn_recv.
4283  */
4284 /*ARGSUSED2*/
4285 static void
4286 ip_conn_input(void *arg1, mblk_t *mp, void *arg2, ip_recv_attr_t *ira)
4287 {
4288         conn_t *connp = (conn_t *)arg1;
4289 
4290         putnext(connp->conn_rq, mp);
4291 }
4292 
4293 /* Dummy in case ICMP error delivery is attempted to a /dev/ip instance */
4294 /* ARGSUSED */
4295 static void
4296 ip_conn_input_icmp(void *arg1, mblk_t *mp, void *arg2, ip_recv_attr_t *ira)
4297 {
4298         freemsg(mp);
4299 }
4300 
4301 /*
4302  * Called when the module is about to be unloaded
4303  */
4304 void
4305 ip_ddi_destroy(void)
4306 {
4307         /* This needs to be called before destroying any transports. */
4308         mutex_enter(&cpu_lock);
4309         unregister_cpu_setup_func(ip_tp_cpu_update, NULL);
4310         mutex_exit(&cpu_lock);
4311 
4312         tnet_fini();
4313 
4314         icmp_ddi_g_destroy();
4315         rts_ddi_g_destroy();
4316         udp_ddi_g_destroy();
4317         dccp_ddi_g_destroy();
4318         sctp_ddi_g_destroy();
4319         tcp_ddi_g_destroy();
4320         ilb_ddi_g_destroy();
4321         dce_g_destroy();
4322         ipsec_policy_g_destroy();
4323         ipcl_g_destroy();
4324         ip_net_g_destroy();
4325         ip_ire_g_fini();
4326         inet_minor_destroy(ip_minor_arena_sa);
4327 #if defined(_LP64)
4328         inet_minor_destroy(ip_minor_arena_la);
4329 #endif
4330 
4331 #ifdef DEBUG
4332         list_destroy(&ip_thread_list);
4333         rw_destroy(&ip_thread_rwlock);
4334         tsd_destroy(&ip_thread_data);
4335 #endif
4336 
4337         netstack_unregister(NS_IP);
4338 }
4339 
4340 /*
4341  * First step in cleanup.
4342  */
4343 /* ARGSUSED */
4344 static void
4345 ip_stack_shutdown(netstackid_t stackid, void *arg)
4346 {
4347         ip_stack_t *ipst = (ip_stack_t *)arg;
4348 
4349 #ifdef NS_DEBUG
4350         printf("ip_stack_shutdown(%p, stack %d)\n", (void *)ipst, stackid);
4351 #endif
4352 
4353         /*
4354          * Perform cleanup for special interfaces (loopback and IPMP).
4355          */
4356         ip_interface_cleanup(ipst);
4357 
4358         /*
4359          * The *_hook_shutdown()s start the process of notifying any
4360          * consumers that things are going away.... nothing is destroyed.
4361          */
4362         ipv4_hook_shutdown(ipst);
4363         ipv6_hook_shutdown(ipst);
4364         arp_hook_shutdown(ipst);
4365 
4366         mutex_enter(&ipst->ips_capab_taskq_lock);
4367         ipst->ips_capab_taskq_quit = B_TRUE;
4368         cv_signal(&ipst->ips_capab_taskq_cv);
4369         mutex_exit(&ipst->ips_capab_taskq_lock);
4370 }
4371 
4372 /*
4373  * Free the IP stack instance.
4374  */
4375 static void
4376 ip_stack_fini(netstackid_t stackid, void *arg)
4377 {
4378         ip_stack_t *ipst = (ip_stack_t *)arg;
4379         int ret;
4380 
4381 #ifdef NS_DEBUG
4382         printf("ip_stack_fini(%p, stack %d)\n", (void *)ipst, stackid);
4383 #endif
4384         /*
4385          * At this point, all of the notifications that the events and
4386          * protocols are going away have been run, meaning that we can
4387          * now set about starting to clean things up.
4388          */
4389         ipobs_fini(ipst);
4390         ipv4_hook_destroy(ipst);
4391         ipv6_hook_destroy(ipst);
4392         arp_hook_destroy(ipst);
4393         ip_net_destroy(ipst);
4394 
4395         ipmp_destroy(ipst);
4396 
4397         ip_kstat_fini(stackid, ipst->ips_ip_mibkp);
4398         ipst->ips_ip_mibkp = NULL;
4399         icmp_kstat_fini(stackid, ipst->ips_icmp_mibkp);
4400         ipst->ips_icmp_mibkp = NULL;
4401         ip_kstat2_fini(stackid, ipst->ips_ip_kstat);
4402         ipst->ips_ip_kstat = NULL;
4403         bzero(&ipst->ips_ip_statistics, sizeof (ipst->ips_ip_statistics));
4404         ip6_kstat_fini(stackid, ipst->ips_ip6_kstat);
4405         ipst->ips_ip6_kstat = NULL;
4406         bzero(&ipst->ips_ip6_statistics, sizeof (ipst->ips_ip6_statistics));
4407 
4408         kmem_free(ipst->ips_propinfo_tbl,
4409             ip_propinfo_count * sizeof (mod_prop_info_t));
4410         ipst->ips_propinfo_tbl = NULL;
4411 
4412         dce_stack_destroy(ipst);
4413         ip_mrouter_stack_destroy(ipst);
4414 
4415         ret = untimeout(ipst->ips_igmp_timeout_id);
4416         if (ret == -1) {
4417                 ASSERT(ipst->ips_igmp_timeout_id == 0);
4418         } else {
4419                 ASSERT(ipst->ips_igmp_timeout_id != 0);
4420                 ipst->ips_igmp_timeout_id = 0;
4421         }
4422         ret = untimeout(ipst->ips_igmp_slowtimeout_id);
4423         if (ret == -1) {
4424                 ASSERT(ipst->ips_igmp_slowtimeout_id == 0);
4425         } else {
4426                 ASSERT(ipst->ips_igmp_slowtimeout_id != 0);
4427                 ipst->ips_igmp_slowtimeout_id = 0;
4428         }
4429         ret = untimeout(ipst->ips_mld_timeout_id);
4430         if (ret == -1) {
4431                 ASSERT(ipst->ips_mld_timeout_id == 0);
4432         } else {
4433                 ASSERT(ipst->ips_mld_timeout_id != 0);
4434                 ipst->ips_mld_timeout_id = 0;
4435         }
4436         ret = untimeout(ipst->ips_mld_slowtimeout_id);
4437         if (ret == -1) {
4438                 ASSERT(ipst->ips_mld_slowtimeout_id == 0);
4439         } else {
4440                 ASSERT(ipst->ips_mld_slowtimeout_id != 0);
4441                 ipst->ips_mld_slowtimeout_id = 0;
4442         }
4443 
4444         ip_ire_fini(ipst);
4445         ip6_asp_free(ipst);
4446         conn_drain_fini(ipst);
4447         ipcl_destroy(ipst);
4448 
4449         mutex_destroy(&ipst->ips_ndp4->ndp_g_lock);
4450         mutex_destroy(&ipst->ips_ndp6->ndp_g_lock);
4451         kmem_free(ipst->ips_ndp4, sizeof (ndp_g_t));
4452         ipst->ips_ndp4 = NULL;
4453         kmem_free(ipst->ips_ndp6, sizeof (ndp_g_t));
4454         ipst->ips_ndp6 = NULL;
4455 
4456         if (ipst->ips_loopback_ksp != NULL) {
4457                 kstat_delete_netstack(ipst->ips_loopback_ksp, stackid);
4458                 ipst->ips_loopback_ksp = NULL;
4459         }
4460 
4461         mutex_destroy(&ipst->ips_capab_taskq_lock);
4462         cv_destroy(&ipst->ips_capab_taskq_cv);
4463 
4464         rw_destroy(&ipst->ips_srcid_lock);
4465 
4466         mutex_destroy(&ipst->ips_ip_mi_lock);
4467         rw_destroy(&ipst->ips_ill_g_usesrc_lock);
4468 
4469         mutex_destroy(&ipst->ips_igmp_timer_lock);
4470         mutex_destroy(&ipst->ips_mld_timer_lock);
4471         mutex_destroy(&ipst->ips_igmp_slowtimeout_lock);
4472         mutex_destroy(&ipst->ips_mld_slowtimeout_lock);
4473         mutex_destroy(&ipst->ips_ip_addr_avail_lock);
4474         rw_destroy(&ipst->ips_ill_g_lock);
4475 
4476         kmem_free(ipst->ips_phyint_g_list, sizeof (phyint_list_t));
4477         ipst->ips_phyint_g_list = NULL;
4478         kmem_free(ipst->ips_ill_g_heads, sizeof (ill_g_head_t) * MAX_G_HEADS);
4479         ipst->ips_ill_g_heads = NULL;
4480 
4481         ldi_ident_release(ipst->ips_ldi_ident);
4482         kmem_free(ipst, sizeof (*ipst));
4483 }
4484 
4485 /*
4486  * This function is called from the TSD destructor, and is used to debug
4487  * reference count issues in IP. See block comment in <inet/ip_if.h> for
4488  * details.
4489  */
4490 static void
4491 ip_thread_exit(void *phash)
4492 {
4493         th_hash_t *thh = phash;
4494 
4495         rw_enter(&ip_thread_rwlock, RW_WRITER);
4496         list_remove(&ip_thread_list, thh);
4497         rw_exit(&ip_thread_rwlock);
4498         mod_hash_destroy_hash(thh->thh_hash);
4499         kmem_free(thh, sizeof (*thh));
4500 }
4501 
4502 /*
4503  * Called when the IP kernel module is loaded into the kernel
4504  */
4505 void
4506 ip_ddi_init(void)
4507 {
4508         ip_squeue_flag = ip_squeue_switch(ip_squeue_enter);
4509 
4510         /*
4511          * For IP and TCP the minor numbers should start from 2 since we have 4
4512          * initial devices: ip, ip6, tcp, tcp6.
4513          */
4514         /*
4515          * If this is a 64-bit kernel, then create two separate arenas -
4516          * one for TLIs in the range of INET_MIN_DEV+2 through 2^^18-1, and the
4517          * other for socket apps in the range 2^^18 through 2^^32-1.
4518          */
4519         ip_minor_arena_la = NULL;
4520         ip_minor_arena_sa = NULL;
4521 #if defined(_LP64)
4522         if ((ip_minor_arena_sa = inet_minor_create("ip_minor_arena_sa",
4523             INET_MIN_DEV + 2, MAXMIN32, KM_SLEEP)) == NULL) {
4524                 cmn_err(CE_PANIC,
4525                     "ip_ddi_init: ip_minor_arena_sa creation failed\n");
4526         }
4527         if ((ip_minor_arena_la = inet_minor_create("ip_minor_arena_la",
4528             MAXMIN32 + 1, MAXMIN64, KM_SLEEP)) == NULL) {
4529                 cmn_err(CE_PANIC,
4530                     "ip_ddi_init: ip_minor_arena_la creation failed\n");
4531         }
4532 #else
4533         if ((ip_minor_arena_sa = inet_minor_create("ip_minor_arena_sa",
4534             INET_MIN_DEV + 2, MAXMIN, KM_SLEEP)) == NULL) {
4535                 cmn_err(CE_PANIC,
4536                     "ip_ddi_init: ip_minor_arena_sa creation failed\n");
4537         }
4538 #endif
4539         ip_poll_normal_ticks = MSEC_TO_TICK_ROUNDUP(ip_poll_normal_ms);
4540 
4541         ipcl_g_init();
4542         ip_ire_g_init();
4543         ip_net_g_init();
4544 
4545 #ifdef DEBUG
4546         tsd_create(&ip_thread_data, ip_thread_exit);
4547         rw_init(&ip_thread_rwlock, NULL, RW_DEFAULT, NULL);
4548         list_create(&ip_thread_list, sizeof (th_hash_t),
4549             offsetof(th_hash_t, thh_link));
4550 #endif
4551         ipsec_policy_g_init();
4552         tcp_ddi_g_init();
4553         sctp_ddi_g_init();
4554         dccp_ddi_g_init();
4555         dce_g_init();
4556 
4557         /*
4558          * We want to be informed each time a stack is created or
4559          * destroyed in the kernel, so we can maintain the
4560          * set of udp_stack_t's.
4561          */
4562         netstack_register(NS_IP, ip_stack_init, ip_stack_shutdown,
4563             ip_stack_fini);
4564 
4565         tnet_init();
4566 
4567         udp_ddi_g_init();
4568         rts_ddi_g_init();
4569         icmp_ddi_g_init();
4570         ilb_ddi_g_init();
4571 
4572         /* This needs to be called after all transports are initialized. */
4573         mutex_enter(&cpu_lock);
4574         register_cpu_setup_func(ip_tp_cpu_update, NULL);
4575         mutex_exit(&cpu_lock);
4576 }
4577 
4578 /*
4579  * Initialize the IP stack instance.
4580  */
4581 static void *
4582 ip_stack_init(netstackid_t stackid, netstack_t *ns)
4583 {
4584         ip_stack_t      *ipst;
4585         size_t          arrsz;
4586         major_t         major;
4587 
4588 #ifdef NS_DEBUG
4589         printf("ip_stack_init(stack %d)\n", stackid);
4590 #endif
4591 
4592         ipst = (ip_stack_t *)kmem_zalloc(sizeof (*ipst), KM_SLEEP);
4593         ipst->ips_netstack = ns;
4594 
4595         ipst->ips_ill_g_heads = kmem_zalloc(sizeof (ill_g_head_t) * MAX_G_HEADS,
4596             KM_SLEEP);
4597         ipst->ips_phyint_g_list = kmem_zalloc(sizeof (phyint_list_t),
4598             KM_SLEEP);
4599         ipst->ips_ndp4 = kmem_zalloc(sizeof (ndp_g_t), KM_SLEEP);
4600         ipst->ips_ndp6 = kmem_zalloc(sizeof (ndp_g_t), KM_SLEEP);
4601         mutex_init(&ipst->ips_ndp4->ndp_g_lock, NULL, MUTEX_DEFAULT, NULL);
4602         mutex_init(&ipst->ips_ndp6->ndp_g_lock, NULL, MUTEX_DEFAULT, NULL);
4603 
4604         mutex_init(&ipst->ips_igmp_timer_lock, NULL, MUTEX_DEFAULT, NULL);
4605         ipst->ips_igmp_deferred_next = INFINITY;
4606         mutex_init(&ipst->ips_mld_timer_lock, NULL, MUTEX_DEFAULT, NULL);
4607         ipst->ips_mld_deferred_next = INFINITY;
4608         mutex_init(&ipst->ips_igmp_slowtimeout_lock, NULL, MUTEX_DEFAULT, NULL);
4609         mutex_init(&ipst->ips_mld_slowtimeout_lock, NULL, MUTEX_DEFAULT, NULL);
4610         mutex_init(&ipst->ips_ip_mi_lock, NULL, MUTEX_DEFAULT, NULL);
4611         mutex_init(&ipst->ips_ip_addr_avail_lock, NULL, MUTEX_DEFAULT, NULL);
4612         rw_init(&ipst->ips_ill_g_lock, NULL, RW_DEFAULT, NULL);
4613         rw_init(&ipst->ips_ill_g_usesrc_lock, NULL, RW_DEFAULT, NULL);
4614 
4615         ipcl_init(ipst);
4616         ip_ire_init(ipst);
4617         ip6_asp_init(ipst);
4618         ipif_init(ipst);
4619         conn_drain_init(ipst);
4620         ip_mrouter_stack_init(ipst);
4621         dce_stack_init(ipst);
4622 
4623         ipst->ips_ip_multirt_log_interval = 1000;
4624 
4625         ipst->ips_ill_index = 1;
4626 
4627         ipst->ips_saved_ip_forwarding = -1;
4628         ipst->ips_reg_vif_num = ALL_VIFS;    /* Index to Register vif */
4629 
4630         arrsz = ip_propinfo_count * sizeof (mod_prop_info_t);
4631         ipst->ips_propinfo_tbl = (mod_prop_info_t *)kmem_alloc(arrsz, KM_SLEEP);
4632         bcopy(ip_propinfo_tbl, ipst->ips_propinfo_tbl, arrsz);
4633 
4634         ipst->ips_ip_mibkp = ip_kstat_init(stackid, ipst);
4635         ipst->ips_icmp_mibkp = icmp_kstat_init(stackid);
4636         ipst->ips_ip_kstat = ip_kstat2_init(stackid, &ipst->ips_ip_statistics);
4637         ipst->ips_ip6_kstat =
4638             ip6_kstat_init(stackid, &ipst->ips_ip6_statistics);
4639 
4640         ipst->ips_ip_src_id = 1;
4641         rw_init(&ipst->ips_srcid_lock, NULL, RW_DEFAULT, NULL);
4642 
4643         ipst->ips_src_generation = SRC_GENERATION_INITIAL;
4644 
4645         ip_net_init(ipst, ns);
4646         ipv4_hook_init(ipst);
4647         ipv6_hook_init(ipst);
4648         arp_hook_init(ipst);
4649         ipmp_init(ipst);
4650         ipobs_init(ipst);
4651 
4652         /*
4653          * Create the taskq dispatcher thread and initialize related stuff.
4654          */
4655         mutex_init(&ipst->ips_capab_taskq_lock, NULL, MUTEX_DEFAULT, NULL);
4656         cv_init(&ipst->ips_capab_taskq_cv, NULL, CV_DEFAULT, NULL);
4657         ipst->ips_capab_taskq_thread = thread_create(NULL, 0,
4658             ill_taskq_dispatch, ipst, 0, &p0, TS_RUN, minclsyspri);
4659 
4660         major = mod_name_to_major(INET_NAME);
4661         (void) ldi_ident_from_major(major, &ipst->ips_ldi_ident);
4662         return (ipst);
4663 }
4664 
4665 /*
4666  * Allocate and initialize a DLPI template of the specified length.  (May be
4667  * called as writer.)
4668  */
4669 mblk_t *
4670 ip_dlpi_alloc(size_t len, t_uscalar_t prim)
4671 {
4672         mblk_t  *mp;
4673 
4674         mp = allocb(len, BPRI_MED);
4675         if (!mp)
4676                 return (NULL);
4677 
4678         /*
4679          * DLPIv2 says that DL_INFO_REQ and DL_TOKEN_REQ (the latter
4680          * of which we don't seem to use) are sent with M_PCPROTO, and
4681          * that other DLPI are M_PROTO.
4682          */
4683         if (prim == DL_INFO_REQ) {
4684                 mp->b_datap->db_type = M_PCPROTO;
4685         } else {
4686                 mp->b_datap->db_type = M_PROTO;
4687         }
4688 
4689         mp->b_wptr = mp->b_rptr + len;
4690         bzero(mp->b_rptr, len);
4691         ((dl_unitdata_req_t *)mp->b_rptr)->dl_primitive = prim;
4692         return (mp);
4693 }
4694 
4695 /*
4696  * Allocate and initialize a DLPI notification.  (May be called as writer.)
4697  */
4698 mblk_t *
4699 ip_dlnotify_alloc(uint_t notification, uint_t data)
4700 {
4701         dl_notify_ind_t *notifyp;
4702         mblk_t          *mp;
4703 
4704         if ((mp = ip_dlpi_alloc(DL_NOTIFY_IND_SIZE, DL_NOTIFY_IND)) == NULL)
4705                 return (NULL);
4706 
4707         notifyp = (dl_notify_ind_t *)mp->b_rptr;
4708         notifyp->dl_notification = notification;
4709         notifyp->dl_data = data;
4710         return (mp);
4711 }
4712 
4713 mblk_t *
4714 ip_dlnotify_alloc2(uint_t notification, uint_t data1, uint_t data2)
4715 {
4716         dl_notify_ind_t *notifyp;
4717         mblk_t          *mp;
4718 
4719         if ((mp = ip_dlpi_alloc(DL_NOTIFY_IND_SIZE, DL_NOTIFY_IND)) == NULL)
4720                 return (NULL);
4721 
4722         notifyp = (dl_notify_ind_t *)mp->b_rptr;
4723         notifyp->dl_notification = notification;
4724         notifyp->dl_data1 = data1;
4725         notifyp->dl_data2 = data2;
4726         return (mp);
4727 }
4728 
4729 /*
4730  * Debug formatting routine.  Returns a character string representation of the
4731  * addr in buf, of the form xxx.xxx.xxx.xxx.  This routine takes the address
4732  * in the form of a ipaddr_t and calls ip_dot_saddr with a pointer.
4733  *
4734  * Once the ndd table-printing interfaces are removed, this can be changed to
4735  * standard dotted-decimal form.
4736  */
4737 char *
4738 ip_dot_addr(ipaddr_t addr, char *buf)
4739 {
4740         uint8_t *ap = (uint8_t *)&addr;
4741 
4742         (void) mi_sprintf(buf, "%03d.%03d.%03d.%03d",
4743             ap[0] & 0xFF, ap[1] & 0xFF, ap[2] & 0xFF, ap[3] & 0xFF);
4744         return (buf);
4745 }
4746 
4747 /*
4748  * Write the given MAC address as a printable string in the usual colon-
4749  * separated format.
4750  */
4751 const char *
4752 mac_colon_addr(const uint8_t *addr, size_t alen, char *buf, size_t buflen)
4753 {
4754         char *bp;
4755 
4756         if (alen == 0 || buflen < 4)
4757                 return ("?");
4758         bp = buf;
4759         for (;;) {
4760                 /*
4761                  * If there are more MAC address bytes available, but we won't
4762                  * have any room to print them, then add "..." to the string
4763                  * instead.  See below for the 'magic number' explanation.
4764                  */
4765                 if ((alen == 2 && buflen < 6) || (alen > 2 && buflen < 7)) {
4766                         (void) strcpy(bp, "...");
4767                         break;
4768                 }
4769                 (void) sprintf(bp, "%02x", *addr++);
4770                 bp += 2;
4771                 if (--alen == 0)
4772                         break;
4773                 *bp++ = ':';
4774                 buflen -= 3;
4775                 /*
4776                  * At this point, based on the first 'if' statement above,
4777                  * either alen == 1 and buflen >= 3, or alen > 1 and
4778                  * buflen >= 4.  The first case leaves room for the final "xx"
4779                  * number and trailing NUL byte.  The second leaves room for at
4780                  * least "...".  Thus the apparently 'magic' numbers chosen for
4781                  * that statement.
4782                  */
4783         }
4784         return (buf);
4785 }
4786 
4787 /*
4788  * Called when it is conceptually a ULP that would sent the packet
4789  * e.g., port unreachable and protocol unreachable. Check that the packet
4790  * would have passed the IPsec global policy before sending the error.
4791  *
4792  * Send an ICMP error after patching up the packet appropriately.
4793  * Uses ip_drop_input and bumps the appropriate MIB.
4794  */
4795 void
4796 ip_fanout_send_icmp_v4(mblk_t *mp, uint_t icmp_type, uint_t icmp_code,
4797     ip_recv_attr_t *ira)
4798 {
4799         ipha_t          *ipha;
4800         boolean_t       secure;
4801         ill_t           *ill = ira->ira_ill;
4802         ip_stack_t      *ipst = ill->ill_ipst;
4803         netstack_t      *ns = ipst->ips_netstack;
4804         ipsec_stack_t   *ipss = ns->netstack_ipsec;
4805 
4806         secure = ira->ira_flags & IRAF_IPSEC_SECURE;
4807 
4808         /*
4809          * We are generating an icmp error for some inbound packet.
4810          * Called from all ip_fanout_(udp, tcp, proto) functions.
4811          * Before we generate an error, check with global policy
4812          * to see whether this is allowed to enter the system. As
4813          * there is no "conn", we are checking with global policy.
4814          */
4815         ipha = (ipha_t *)mp->b_rptr;
4816         if (secure || ipss->ipsec_inbound_v4_policy_present) {
4817                 mp = ipsec_check_global_policy(mp, NULL, ipha, NULL, ira, ns);
4818                 if (mp == NULL)
4819                         return;
4820         }
4821 
4822         /* We never send errors for protocols that we do implement */
4823         if (ira->ira_protocol == IPPROTO_ICMP ||
4824             ira->ira_protocol == IPPROTO_IGMP) {
4825                 BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
4826                 ip_drop_input("ip_fanout_send_icmp_v4", mp, ill);
4827                 freemsg(mp);
4828                 return;
4829         }
4830         /*
4831          * Have to correct checksum since
4832          * the packet might have been
4833          * fragmented and the reassembly code in ip_rput
4834          * does not restore the IP checksum.
4835          */
4836         ipha->ipha_hdr_checksum = 0;
4837         ipha->ipha_hdr_checksum = ip_csum_hdr(ipha);
4838 
4839         switch (icmp_type) {
4840         case ICMP_DEST_UNREACHABLE:
4841                 switch (icmp_code) {
4842                 case ICMP_PROTOCOL_UNREACHABLE:
4843                         BUMP_MIB(ill->ill_ip_mib, ipIfStatsInUnknownProtos);
4844                         ip_drop_input("ipIfStatsInUnknownProtos", mp, ill);
4845                         break;
4846                 case ICMP_PORT_UNREACHABLE:
4847                         BUMP_MIB(ill->ill_ip_mib, udpIfStatsNoPorts);
4848                         ip_drop_input("ipIfStatsNoPorts", mp, ill);
4849                         break;
4850                 }
4851 
4852                 icmp_unreachable(mp, icmp_code, ira);
4853                 break;
4854         default:
4855 #ifdef DEBUG
4856                 panic("ip_fanout_send_icmp_v4: wrong type");
4857                 /*NOTREACHED*/
4858 #else
4859                 freemsg(mp);
4860                 break;
4861 #endif
4862         }
4863 }
4864 
4865 /*
4866  * Used to send an ICMP error message when a packet is received for
4867  * a protocol that is not supported. The mblk passed as argument
4868  * is consumed by this function.
4869  */
4870 void
4871 ip_proto_not_sup(mblk_t *mp, ip_recv_attr_t *ira)
4872 {
4873         ipha_t          *ipha;
4874 
4875         ipha = (ipha_t *)mp->b_rptr;
4876         if (ira->ira_flags & IRAF_IS_IPV4) {
4877                 ASSERT(IPH_HDR_VERSION(ipha) == IP_VERSION);
4878                 ip_fanout_send_icmp_v4(mp, ICMP_DEST_UNREACHABLE,
4879                     ICMP_PROTOCOL_UNREACHABLE, ira);
4880         } else {
4881                 ASSERT(IPH_HDR_VERSION(ipha) == IPV6_VERSION);
4882                 ip_fanout_send_icmp_v6(mp, ICMP6_PARAM_PROB,
4883                     ICMP6_PARAMPROB_NEXTHEADER, ira);
4884         }
4885 }
4886 
4887 /*
4888  * Deliver a rawip packet to the given conn, possibly applying ipsec policy.
4889  * Handles IPv4 and IPv6.
4890  * We are responsible for disposing of mp, such as by freemsg() or putnext()
4891  * Caller is responsible for dropping references to the conn.
4892  */
4893 void
4894 ip_fanout_proto_conn(conn_t *connp, mblk_t *mp, ipha_t *ipha, ip6_t *ip6h,
4895     ip_recv_attr_t *ira)
4896 {
4897         ill_t           *ill = ira->ira_ill;
4898         ip_stack_t      *ipst = ill->ill_ipst;
4899         ipsec_stack_t   *ipss = ipst->ips_netstack->netstack_ipsec;
4900         boolean_t       secure;
4901         uint_t          protocol = ira->ira_protocol;
4902         iaflags_t       iraflags = ira->ira_flags;
4903         queue_t         *rq;
4904 
4905         secure = iraflags & IRAF_IPSEC_SECURE;
4906 
4907         rq = connp->conn_rq;
4908         if (IPCL_IS_NONSTR(connp) ? connp->conn_flow_cntrld : !canputnext(rq)) {
4909                 switch (protocol) {
4910                 case IPPROTO_ICMPV6:
4911                         BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInOverflows);
4912                         break;
4913                 case IPPROTO_ICMP:
4914                         BUMP_MIB(&ipst->ips_icmp_mib, icmpInOverflows);
4915                         break;
4916                 default:
4917                         BUMP_MIB(ill->ill_ip_mib, rawipIfStatsInOverflows);
4918                         break;
4919                 }
4920                 freemsg(mp);
4921                 return;
4922         }
4923 
4924         ASSERT(!(IPCL_IS_IPTUN(connp)));
4925 
4926         if (((iraflags & IRAF_IS_IPV4) ?
4927             CONN_INBOUND_POLICY_PRESENT(connp, ipss) :
4928             CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss)) ||
4929             secure) {
4930                 mp = ipsec_check_inbound_policy(mp, connp, ipha,
4931                     ip6h, ira);
4932                 if (mp == NULL) {
4933                         BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
4934                         /* Note that mp is NULL */
4935                         ip_drop_input("ipIfStatsInDiscards", mp, ill);
4936                         return;
4937                 }
4938         }
4939 
4940         if (iraflags & IRAF_ICMP_ERROR) {
4941                 (connp->conn_recvicmp)(connp, mp, NULL, ira);
4942         } else {
4943                 ill_t *rill = ira->ira_rill;
4944 
4945                 BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
4946                 ira->ira_ill = ira->ira_rill = NULL;
4947                 /* Send it upstream */
4948                 (connp->conn_recv)(connp, mp, NULL, ira);
4949                 ira->ira_ill = ill;
4950                 ira->ira_rill = rill;
4951         }
4952 }
4953 
4954 /*
4955  * Handle protocols with which IP is less intimate.  There
4956  * can be more than one stream bound to a particular
4957  * protocol.  When this is the case, normally each one gets a copy
4958  * of any incoming packets.
4959  *
4960  * IPsec NOTE :
4961  *
4962  * Don't allow a secure packet going up a non-secure connection.
4963  * We don't allow this because
4964  *
4965  * 1) Reply might go out in clear which will be dropped at
4966  *    the sending side.
4967  * 2) If the reply goes out in clear it will give the
4968  *    adversary enough information for getting the key in
4969  *    most of the cases.
4970  *
4971  * Moreover getting a secure packet when we expect clear
4972  * implies that SA's were added without checking for
4973  * policy on both ends. This should not happen once ISAKMP
4974  * is used to negotiate SAs as SAs will be added only after
4975  * verifying the policy.
4976  *
4977  * Zones notes:
4978  * Earlier in ip_input on a system with multiple shared-IP zones we
4979  * duplicate the multicast and broadcast packets and send them up
4980  * with each explicit zoneid that exists on that ill.
4981  * This means that here we can match the zoneid with SO_ALLZONES being special.
4982  */
4983 void
4984 ip_fanout_proto_v4(mblk_t *mp, ipha_t *ipha, ip_recv_attr_t *ira)
4985 {
4986         mblk_t          *mp1;
4987         ipaddr_t        laddr;
4988         conn_t          *connp, *first_connp, *next_connp;
4989         connf_t         *connfp;
4990         ill_t           *ill = ira->ira_ill;
4991         ip_stack_t      *ipst = ill->ill_ipst;
4992 
4993         laddr = ipha->ipha_dst;
4994 
4995         connfp = &ipst->ips_ipcl_proto_fanout_v4[ira->ira_protocol];
4996         mutex_enter(&connfp->connf_lock);
4997         connp = connfp->connf_head;
4998         for (connp = connfp->connf_head; connp != NULL;
4999             connp = connp->conn_next) {
5000                 /* Note: IPCL_PROTO_MATCH includes conn_wantpacket */
5001                 if (IPCL_PROTO_MATCH(connp, ira, ipha) &&
5002                     (!(ira->ira_flags & IRAF_SYSTEM_LABELED) ||
5003                     tsol_receive_local(mp, &laddr, IPV4_VERSION, ira, connp))) {
5004                         break;
5005                 }
5006         }
5007 
5008         if (connp == NULL) {
5009                 /*
5010                  * No one bound to these addresses.  Is
5011                  * there a client that wants all
5012                  * unclaimed datagrams?
5013                  */
5014                 mutex_exit(&connfp->connf_lock);
5015                 ip_fanout_send_icmp_v4(mp, ICMP_DEST_UNREACHABLE,
5016                     ICMP_PROTOCOL_UNREACHABLE, ira);
5017                 return;
5018         }
5019 
5020         ASSERT(IPCL_IS_NONSTR(connp) || connp->conn_rq != NULL);
5021 
5022         CONN_INC_REF(connp);
5023         first_connp = connp;
5024         connp = connp->conn_next;
5025 
5026         for (;;) {
5027                 while (connp != NULL) {
5028                         /* Note: IPCL_PROTO_MATCH includes conn_wantpacket */
5029                         if (IPCL_PROTO_MATCH(connp, ira, ipha) &&
5030                             (!(ira->ira_flags & IRAF_SYSTEM_LABELED) ||
5031                             tsol_receive_local(mp, &laddr, IPV4_VERSION,
5032                             ira, connp)))
5033                                 break;
5034                         connp = connp->conn_next;
5035                 }
5036 
5037                 if (connp == NULL) {
5038                         /* No more interested clients */
5039                         connp = first_connp;
5040                         break;
5041                 }
5042                 if (((mp1 = dupmsg(mp)) == NULL) &&
5043                     ((mp1 = copymsg(mp)) == NULL)) {
5044                         /* Memory allocation failed */
5045                         BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
5046                         ip_drop_input("ipIfStatsInDiscards", mp, ill);
5047                         connp = first_connp;
5048                         break;
5049                 }
5050 
5051                 CONN_INC_REF(connp);
5052                 mutex_exit(&connfp->connf_lock);
5053 
5054                 ip_fanout_proto_conn(connp, mp1, (ipha_t *)mp1->b_rptr, NULL,
5055                     ira);
5056 
5057                 mutex_enter(&connfp->connf_lock);
5058                 /* Follow the next pointer before releasing the conn. */
5059                 next_connp = connp->conn_next;
5060                 CONN_DEC_REF(connp);
5061                 connp = next_connp;
5062         }
5063 
5064         /* Last one.  Send it upstream. */
5065         mutex_exit(&connfp->connf_lock);
5066 
5067         ip_fanout_proto_conn(connp, mp, ipha, NULL, ira);
5068 
5069         CONN_DEC_REF(connp);
5070 }
5071 
5072 /*
5073  * If we have a IPsec NAT-Traversal packet, strip the zero-SPI or
5074  * pass it along to ESP if the SPI is non-zero.  Returns the mblk if the mblk
5075  * is not consumed.
5076  *
5077  * One of three things can happen, all of which affect the passed-in mblk:
5078  *
5079  * 1.) The packet is stock UDP and gets its zero-SPI stripped.  Return mblk..
5080  *
5081  * 2.) The packet is ESP-in-UDP, gets transformed into an equivalent
5082  *     ESP packet, and is passed along to ESP for consumption.  Return NULL.
5083  *
5084  * 3.) The packet is an ESP-in-UDP Keepalive.  Drop it and return NULL.
5085  */
5086 mblk_t *
5087 zero_spi_check(mblk_t *mp, ip_recv_attr_t *ira)
5088 {
5089         int shift, plen, iph_len;
5090         ipha_t *ipha;
5091         udpha_t *udpha;
5092         uint32_t *spi;
5093         uint32_t esp_ports;
5094         uint8_t *orptr;
5095         ip_stack_t      *ipst = ira->ira_ill->ill_ipst;
5096         ipsec_stack_t   *ipss = ipst->ips_netstack->netstack_ipsec;
5097 
5098         ipha = (ipha_t *)mp->b_rptr;
5099         iph_len = ira->ira_ip_hdr_length;
5100         plen = ira->ira_pktlen;
5101 
5102         if (plen - iph_len - sizeof (udpha_t) < sizeof (uint32_t)) {
5103                 /*
5104                  * Most likely a keepalive for the benefit of an intervening
5105                  * NAT.  These aren't for us, per se, so drop it.
5106                  *
5107                  * RFC 3947/8 doesn't say for sure what to do for 2-3
5108                  * byte packets (keepalives are 1-byte), but we'll drop them
5109                  * also.
5110                  */
5111                 ip_drop_packet(mp, B_TRUE, ira->ira_ill,
5112                     DROPPER(ipss, ipds_esp_nat_t_ka), &ipss->ipsec_dropper);
5113                 return (NULL);
5114         }
5115 
5116         if (MBLKL(mp) < iph_len + sizeof (udpha_t) + sizeof (*spi)) {
5117                 /* might as well pull it all up - it might be ESP. */
5118                 if (!pullupmsg(mp, -1)) {
5119                         ip_drop_packet(mp, B_TRUE, ira->ira_ill,
5120                             DROPPER(ipss, ipds_esp_nomem),
5121                             &ipss->ipsec_dropper);
5122                         return (NULL);
5123                 }
5124 
5125                 ipha = (ipha_t *)mp->b_rptr;
5126         }
5127         spi = (uint32_t *)(mp->b_rptr + iph_len + sizeof (udpha_t));
5128         if (*spi == 0) {
5129                 /* UDP packet - remove 0-spi. */
5130                 shift = sizeof (uint32_t);
5131         } else {
5132                 /* ESP-in-UDP packet - reduce to ESP. */
5133                 ipha->ipha_protocol = IPPROTO_ESP;
5134                 shift = sizeof (udpha_t);
5135         }
5136 
5137         /* Fix IP header */
5138         ira->ira_pktlen = (plen - shift);
5139         ipha->ipha_length = htons(ira->ira_pktlen);
5140         ipha->ipha_hdr_checksum = 0;
5141 
5142         orptr = mp->b_rptr;
5143         mp->b_rptr += shift;
5144 
5145         udpha = (udpha_t *)(orptr + iph_len);
5146         if (*spi == 0) {
5147                 ASSERT((uint8_t *)ipha == orptr);
5148                 udpha->uha_length = htons(plen - shift - iph_len);
5149                 iph_len += sizeof (udpha_t);    /* For the call to ovbcopy(). */
5150                 esp_ports = 0;
5151         } else {
5152                 esp_ports = *((uint32_t *)udpha);
5153                 ASSERT(esp_ports != 0);
5154         }
5155         ovbcopy(orptr, orptr + shift, iph_len);
5156         if (esp_ports != 0) /* Punt up for ESP processing. */ {
5157                 ipha = (ipha_t *)(orptr + shift);
5158 
5159                 ira->ira_flags |= IRAF_ESP_UDP_PORTS;
5160                 ira->ira_esp_udp_ports = esp_ports;
5161                 ip_fanout_v4(mp, ipha, ira);
5162                 return (NULL);
5163         }
5164         return (mp);
5165 }
5166 
5167 /*
5168  * Deliver a udp packet to the given conn, possibly applying ipsec policy.
5169  * Handles IPv4 and IPv6.
5170  * We are responsible for disposing of mp, such as by freemsg() or putnext()
5171  * Caller is responsible for dropping references to the conn.
5172  */
5173 void
5174 ip_fanout_udp_conn(conn_t *connp, mblk_t *mp, ipha_t *ipha, ip6_t *ip6h,
5175     ip_recv_attr_t *ira)
5176 {
5177         ill_t           *ill = ira->ira_ill;
5178         ip_stack_t      *ipst = ill->ill_ipst;
5179         ipsec_stack_t   *ipss = ipst->ips_netstack->netstack_ipsec;
5180         boolean_t       secure;
5181         iaflags_t       iraflags = ira->ira_flags;
5182 
5183         secure = iraflags & IRAF_IPSEC_SECURE;
5184 
5185         if (IPCL_IS_NONSTR(connp) ? connp->conn_flow_cntrld :
5186             !canputnext(connp->conn_rq)) {
5187                 BUMP_MIB(ill->ill_ip_mib, udpIfStatsInOverflows);
5188                 freemsg(mp);
5189                 return;
5190         }
5191 
5192         if (((iraflags & IRAF_IS_IPV4) ?
5193             CONN_INBOUND_POLICY_PRESENT(connp, ipss) :
5194             CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss)) ||
5195             secure) {
5196                 mp = ipsec_check_inbound_policy(mp, connp, ipha,
5197                     ip6h, ira);
5198                 if (mp == NULL) {
5199                         BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
5200                         /* Note that mp is NULL */
5201                         ip_drop_input("ipIfStatsInDiscards", mp, ill);
5202                         return;
5203                 }
5204         }
5205 
5206         /*
5207          * Since this code is not used for UDP unicast we don't need a NAT_T
5208          * check. Only ip_fanout_v4 has that check.
5209          */
5210         if (ira->ira_flags & IRAF_ICMP_ERROR) {
5211                 (connp->conn_recvicmp)(connp, mp, NULL, ira);
5212         } else {
5213                 ill_t *rill = ira->ira_rill;
5214 
5215                 BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
5216                 ira->ira_ill = ira->ira_rill = NULL;
5217                 /* Send it upstream */
5218                 (connp->conn_recv)(connp, mp, NULL, ira);
5219                 ira->ira_ill = ill;
5220                 ira->ira_rill = rill;
5221         }
5222 }
5223 
5224 /*
5225  * Fanout for UDP packets that are multicast or broadcast, and ICMP errors.
5226  * (Unicast fanout is handled in ip_input_v4.)
5227  *
5228  * If SO_REUSEADDR is set all multicast and broadcast packets
5229  * will be delivered to all conns bound to the same port.
5230  *
5231  * If there is at least one matching AF_INET receiver, then we will
5232  * ignore any AF_INET6 receivers.
5233  * In the special case where an AF_INET socket binds to 0.0.0.0/<port> and an
5234  * AF_INET6 socket binds to ::/<port>, only the AF_INET socket receives the IPv4
5235  * packets.
5236  *
5237  * Zones notes:
5238  * Earlier in ip_input on a system with multiple shared-IP zones we
5239  * duplicate the multicast and broadcast packets and send them up
5240  * with each explicit zoneid that exists on that ill.
5241  * This means that here we can match the zoneid with SO_ALLZONES being special.
5242  */
5243 void
5244 ip_fanout_udp_multi_v4(mblk_t *mp, ipha_t *ipha, uint16_t lport, uint16_t fport,
5245     ip_recv_attr_t *ira)
5246 {
5247         ipaddr_t        laddr;
5248         in6_addr_t      v6faddr;
5249         conn_t          *connp;
5250         connf_t         *connfp;
5251         ipaddr_t        faddr;
5252         ill_t           *ill = ira->ira_ill;
5253         ip_stack_t      *ipst = ill->ill_ipst;
5254 
5255         ASSERT(ira->ira_flags & (IRAF_MULTIBROADCAST|IRAF_ICMP_ERROR));
5256 
5257         laddr = ipha->ipha_dst;
5258         faddr = ipha->ipha_src;
5259 
5260         connfp = &ipst->ips_ipcl_udp_fanout[IPCL_UDP_HASH(lport, ipst)];
5261         mutex_enter(&connfp->connf_lock);
5262         connp = connfp->connf_head;
5263 
5264         /*
5265          * If SO_REUSEADDR has been set on the first we send the
5266          * packet to all clients that have joined the group and
5267          * match the port.
5268          */
5269         while (connp != NULL) {
5270                 if ((IPCL_UDP_MATCH(connp, lport, laddr, fport, faddr)) &&
5271                     conn_wantpacket(connp, ira, ipha) &&
5272                     (!(ira->ira_flags & IRAF_SYSTEM_LABELED) ||
5273                     tsol_receive_local(mp, &laddr, IPV4_VERSION, ira, connp)))
5274                         break;
5275                 connp = connp->conn_next;
5276         }
5277 
5278         if (connp == NULL)
5279                 goto notfound;
5280 
5281         CONN_INC_REF(connp);
5282 
5283         if (connp->conn_reuseaddr) {
5284                 conn_t          *first_connp = connp;
5285                 conn_t          *next_connp;
5286                 mblk_t          *mp1;
5287 
5288                 connp = connp->conn_next;
5289                 for (;;) {
5290                         while (connp != NULL) {
5291                                 if (IPCL_UDP_MATCH(connp, lport, laddr,
5292                                     fport, faddr) &&
5293                                     conn_wantpacket(connp, ira, ipha) &&
5294                                     (!(ira->ira_flags & IRAF_SYSTEM_LABELED) ||
5295                                     tsol_receive_local(mp, &laddr, IPV4_VERSION,
5296                                     ira, connp)))
5297                                         break;
5298                                 connp = connp->conn_next;
5299                         }
5300                         if (connp == NULL) {
5301                                 /* No more interested clients */
5302                                 connp = first_connp;
5303                                 break;
5304                         }
5305                         if (((mp1 = dupmsg(mp)) == NULL) &&
5306                             ((mp1 = copymsg(mp)) == NULL)) {
5307                                 /* Memory allocation failed */
5308                                 BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
5309                                 ip_drop_input("ipIfStatsInDiscards", mp, ill);
5310                                 connp = first_connp;
5311                                 break;
5312                         }
5313                         CONN_INC_REF(connp);
5314                         mutex_exit(&connfp->connf_lock);
5315 
5316                         IP_STAT(ipst, ip_udp_fanmb);
5317                         ip_fanout_udp_conn(connp, mp1, (ipha_t *)mp1->b_rptr,
5318                             NULL, ira);
5319                         mutex_enter(&connfp->connf_lock);
5320                         /* Follow the next pointer before releasing the conn */
5321                         next_connp = connp->conn_next;
5322                         CONN_DEC_REF(connp);
5323                         connp = next_connp;
5324                 }
5325         }
5326 
5327         /* Last one.  Send it upstream. */
5328         mutex_exit(&connfp->connf_lock);
5329         IP_STAT(ipst, ip_udp_fanmb);
5330         ip_fanout_udp_conn(connp, mp, ipha, NULL, ira);
5331         CONN_DEC_REF(connp);
5332         return;
5333 
5334 notfound:
5335         mutex_exit(&connfp->connf_lock);
5336         /*
5337          * IPv6 endpoints bound to multicast IPv4-mapped addresses
5338          * have already been matched above, since they live in the IPv4
5339          * fanout tables. This implies we only need to
5340          * check for IPv6 in6addr_any endpoints here.
5341          * Thus we compare using ipv6_all_zeros instead of the destination
5342          * address, except for the multicast group membership lookup which
5343          * uses the IPv4 destination.
5344          */
5345         IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &v6faddr);
5346         connfp = &ipst->ips_ipcl_udp_fanout[IPCL_UDP_HASH(lport, ipst)];
5347         mutex_enter(&connfp->connf_lock);
5348         connp = connfp->connf_head;
5349         /*
5350          * IPv4 multicast packet being delivered to an AF_INET6
5351          * in6addr_any endpoint.
5352          * Need to check conn_wantpacket(). Note that we use conn_wantpacket()
5353          * and not conn_wantpacket_v6() since any multicast membership is
5354          * for an IPv4-mapped multicast address.
5355          */
5356         while (connp != NULL) {
5357                 if (IPCL_UDP_MATCH_V6(connp, lport, ipv6_all_zeros,
5358                     fport, v6faddr) &&
5359                     conn_wantpacket(connp, ira, ipha) &&
5360                     (!(ira->ira_flags & IRAF_SYSTEM_LABELED) ||
5361                     tsol_receive_local(mp, &laddr, IPV4_VERSION, ira, connp)))
5362                         break;
5363                 connp = connp->conn_next;
5364         }
5365 
5366         if (connp == NULL) {
5367                 /*
5368                  * No one bound to this port.  Is
5369                  * there a client that wants all
5370                  * unclaimed datagrams?
5371                  */
5372                 mutex_exit(&connfp->connf_lock);
5373 
5374                 if (ipst->ips_ipcl_proto_fanout_v4[IPPROTO_UDP].connf_head !=
5375                     NULL) {
5376                         ASSERT(ira->ira_protocol == IPPROTO_UDP);
5377                         ip_fanout_proto_v4(mp, ipha, ira);
5378                 } else {
5379                         /*
5380                          * We used to attempt to send an icmp error here, but
5381                          * since this is known to be a multicast packet
5382                          * and we don't send icmp errors in response to
5383                          * multicast, just drop the packet and give up sooner.
5384                          */
5385                         BUMP_MIB(ill->ill_ip_mib, udpIfStatsNoPorts);
5386                         freemsg(mp);
5387                 }
5388                 return;
5389         }
5390         ASSERT(IPCL_IS_NONSTR(connp) || connp->conn_rq != NULL);
5391 
5392         /*
5393          * If SO_REUSEADDR has been set on the first we send the
5394          * packet to all clients that have joined the group and
5395          * match the port.
5396          */
5397         if (connp->conn_reuseaddr) {
5398                 conn_t          *first_connp = connp;
5399                 conn_t          *next_connp;
5400                 mblk_t          *mp1;
5401 
5402                 CONN_INC_REF(connp);
5403                 connp = connp->conn_next;
5404                 for (;;) {
5405                         while (connp != NULL) {
5406                                 if (IPCL_UDP_MATCH_V6(connp, lport,
5407                                     ipv6_all_zeros, fport, v6faddr) &&
5408                                     conn_wantpacket(connp, ira, ipha) &&
5409                                     (!(ira->ira_flags & IRAF_SYSTEM_LABELED) ||
5410                                     tsol_receive_local(mp, &laddr, IPV4_VERSION,
5411                                     ira, connp)))
5412                                         break;
5413                                 connp = connp->conn_next;
5414                         }
5415                         if (connp == NULL) {
5416                                 /* No more interested clients */
5417                                 connp = first_connp;
5418                                 break;
5419                         }
5420                         if (((mp1 = dupmsg(mp)) == NULL) &&
5421                             ((mp1 = copymsg(mp)) == NULL)) {
5422                                 /* Memory allocation failed */
5423                                 BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
5424                                 ip_drop_input("ipIfStatsInDiscards", mp, ill);
5425                                 connp = first_connp;
5426                                 break;
5427                         }
5428                         CONN_INC_REF(connp);
5429                         mutex_exit(&connfp->connf_lock);
5430 
5431                         IP_STAT(ipst, ip_udp_fanmb);
5432                         ip_fanout_udp_conn(connp, mp1, (ipha_t *)mp1->b_rptr,
5433                             NULL, ira);
5434                         mutex_enter(&connfp->connf_lock);
5435                         /* Follow the next pointer before releasing the conn */
5436                         next_connp = connp->conn_next;
5437                         CONN_DEC_REF(connp);
5438                         connp = next_connp;
5439                 }
5440         }
5441 
5442         /* Last one.  Send it upstream. */
5443         mutex_exit(&connfp->connf_lock);
5444         IP_STAT(ipst, ip_udp_fanmb);
5445         ip_fanout_udp_conn(connp, mp, ipha, NULL, ira);
5446         CONN_DEC_REF(connp);
5447 }
5448 
5449 /*
5450  * Split an incoming packet's IPv4 options into the label and the other options.
5451  * If 'allocate' is set it does memory allocation for the ip_pkt_t, including
5452  * clearing out any leftover label or options.
5453  * Otherwise it just makes ipp point into the packet.
5454  *
5455  * Returns zero if ok; ENOMEM if the buffer couldn't be allocated.
5456  */
5457 int
5458 ip_find_hdr_v4(ipha_t *ipha, ip_pkt_t *ipp, boolean_t allocate)
5459 {
5460         uchar_t         *opt;
5461         uint32_t        totallen;
5462         uint32_t        optval;
5463         uint32_t        optlen;
5464 
5465         ipp->ipp_fields |= IPPF_HOPLIMIT | IPPF_TCLASS | IPPF_ADDR;
5466         ipp->ipp_hoplimit = ipha->ipha_ttl;
5467         ipp->ipp_type_of_service = ipha->ipha_type_of_service;
5468         IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &ipp->ipp_addr);
5469 
5470         /*
5471          * Get length (in 4 byte octets) of IP header options.
5472          */
5473         totallen = ipha->ipha_version_and_hdr_length -
5474             (uint8_t)((IP_VERSION << 4) + IP_SIMPLE_HDR_LENGTH_IN_WORDS);
5475 
5476         if (totallen == 0) {
5477                 if (!allocate)
5478                         return (0);
5479 
5480                 /* Clear out anything from a previous packet */
5481                 if (ipp->ipp_fields & IPPF_IPV4_OPTIONS) {
5482                         kmem_free(ipp->ipp_ipv4_options,
5483                             ipp->ipp_ipv4_options_len);
5484                         ipp->ipp_ipv4_options = NULL;
5485                         ipp->ipp_ipv4_options_len = 0;
5486                         ipp->ipp_fields &= ~IPPF_IPV4_OPTIONS;
5487                 }
5488                 if (ipp->ipp_fields & IPPF_LABEL_V4) {
5489                         kmem_free(ipp->ipp_label_v4, ipp->ipp_label_len_v4);
5490                         ipp->ipp_label_v4 = NULL;
5491                         ipp->ipp_label_len_v4 = 0;
5492                         ipp->ipp_fields &= ~IPPF_LABEL_V4;
5493                 }
5494                 return (0);
5495         }
5496 
5497         totallen <<= 2;
5498         opt = (uchar_t *)&ipha[1];
5499         if (!is_system_labeled()) {
5500 
5501         copyall:
5502                 if (!allocate) {
5503                         if (totallen != 0) {
5504                                 ipp->ipp_ipv4_options = opt;
5505                                 ipp->ipp_ipv4_options_len = totallen;
5506                                 ipp->ipp_fields |= IPPF_IPV4_OPTIONS;
5507                         }
5508                         return (0);
5509                 }
5510                 /* Just copy all of options */
5511                 if (ipp->ipp_fields & IPPF_IPV4_OPTIONS) {
5512                         if (totallen == ipp->ipp_ipv4_options_len) {
5513                                 bcopy(opt, ipp->ipp_ipv4_options, totallen);
5514                                 return (0);
5515                         }
5516                         kmem_free(ipp->ipp_ipv4_options,
5517                             ipp->ipp_ipv4_options_len);
5518                         ipp->ipp_ipv4_options = NULL;
5519                         ipp->ipp_ipv4_options_len = 0;
5520                         ipp->ipp_fields &= ~IPPF_IPV4_OPTIONS;
5521                 }
5522                 if (totallen == 0)
5523                         return (0);
5524 
5525                 ipp->ipp_ipv4_options = kmem_alloc(totallen, KM_NOSLEEP);
5526                 if (ipp->ipp_ipv4_options == NULL)
5527                         return (ENOMEM);
5528                 ipp->ipp_ipv4_options_len = totallen;
5529                 ipp->ipp_fields |= IPPF_IPV4_OPTIONS;
5530                 bcopy(opt, ipp->ipp_ipv4_options, totallen);
5531                 return (0);
5532         }
5533 
5534         if (allocate && (ipp->ipp_fields & IPPF_LABEL_V4)) {
5535                 kmem_free(ipp->ipp_label_v4, ipp->ipp_label_len_v4);
5536                 ipp->ipp_label_v4 = NULL;
5537                 ipp->ipp_label_len_v4 = 0;
5538                 ipp->ipp_fields &= ~IPPF_LABEL_V4;
5539         }
5540 
5541         /*
5542          * Search for CIPSO option.
5543          * We assume CIPSO is first in options if it is present.
5544          * If it isn't, then ipp_opt_ipv4_options will not include the options
5545          * prior to the CIPSO option.
5546          */
5547         while (totallen != 0) {
5548                 switch (optval = opt[IPOPT_OPTVAL]) {
5549                 case IPOPT_EOL:
5550                         return (0);
5551                 case IPOPT_NOP:
5552                         optlen = 1;
5553                         break;
5554                 default:
5555                         if (totallen <= IPOPT_OLEN)
5556                                 return (EINVAL);
5557                         optlen = opt[IPOPT_OLEN];
5558                         if (optlen < 2)
5559                                 return (EINVAL);
5560                 }
5561                 if (optlen > totallen)
5562                         return (EINVAL);
5563 
5564                 switch (optval) {
5565                 case IPOPT_COMSEC:
5566                         if (!allocate) {
5567                                 ipp->ipp_label_v4 = opt;
5568                                 ipp->ipp_label_len_v4 = optlen;
5569                                 ipp->ipp_fields |= IPPF_LABEL_V4;
5570                         } else {
5571                                 ipp->ipp_label_v4 = kmem_alloc(optlen,
5572                                     KM_NOSLEEP);
5573                                 if (ipp->ipp_label_v4 == NULL)
5574                                         return (ENOMEM);
5575                                 ipp->ipp_label_len_v4 = optlen;
5576                                 ipp->ipp_fields |= IPPF_LABEL_V4;
5577                                 bcopy(opt, ipp->ipp_label_v4, optlen);
5578                         }
5579                         totallen -= optlen;
5580                         opt += optlen;
5581 
5582                         /* Skip padding bytes until we get to a multiple of 4 */
5583                         while ((totallen & 3) != 0 && opt[0] == IPOPT_NOP) {
5584                                 totallen--;
5585                                 opt++;
5586                         }
5587                         /* Remaining as ipp_ipv4_options */
5588                         goto copyall;
5589                 }
5590                 totallen -= optlen;
5591                 opt += optlen;
5592         }
5593         /* No CIPSO found; return everything as ipp_ipv4_options */
5594         totallen = ipha->ipha_version_and_hdr_length -
5595             (uint8_t)((IP_VERSION << 4) + IP_SIMPLE_HDR_LENGTH_IN_WORDS);
5596         totallen <<= 2;
5597         opt = (uchar_t *)&ipha[1];
5598         goto copyall;
5599 }
5600 
5601 /*
5602  * Efficient versions of lookup for an IRE when we only
5603  * match the address.
5604  * For RTF_REJECT or BLACKHOLE we return IRE_NOROUTE.
5605  * Does not handle multicast addresses.
5606  */
5607 uint_t
5608 ip_type_v4(ipaddr_t addr, ip_stack_t *ipst)
5609 {
5610         ire_t *ire;
5611         uint_t result;
5612 
5613         ire = ire_ftable_lookup_simple_v4(addr, 0, ipst, NULL);
5614         ASSERT(ire != NULL);
5615         if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE))
5616                 result = IRE_NOROUTE;
5617         else
5618                 result = ire->ire_type;
5619         ire_refrele(ire);
5620         return (result);
5621 }
5622 
5623 /*
5624  * Efficient versions of lookup for an IRE when we only
5625  * match the address.
5626  * For RTF_REJECT or BLACKHOLE we return IRE_NOROUTE.
5627  * Does not handle multicast addresses.
5628  */
5629 uint_t
5630 ip_type_v6(const in6_addr_t *addr, ip_stack_t *ipst)
5631 {
5632         ire_t *ire;
5633         uint_t result;
5634 
5635         ire = ire_ftable_lookup_simple_v6(addr, 0, ipst, NULL);
5636         ASSERT(ire != NULL);
5637         if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE))
5638                 result = IRE_NOROUTE;
5639         else
5640                 result = ire->ire_type;
5641         ire_refrele(ire);
5642         return (result);
5643 }
5644 
5645 /*
5646  * Nobody should be sending
5647  * packets up this stream
5648  */
5649 static void
5650 ip_lrput(queue_t *q, mblk_t *mp)
5651 {
5652         switch (mp->b_datap->db_type) {
5653         case M_FLUSH:
5654                 /* Turn around */
5655                 if (*mp->b_rptr & FLUSHW) {
5656                         *mp->b_rptr &= ~FLUSHR;
5657                         qreply(q, mp);
5658                         return;
5659                 }
5660                 break;
5661         }
5662         freemsg(mp);
5663 }
5664 
5665 /* Nobody should be sending packets down this stream */
5666 /* ARGSUSED */
5667 void
5668 ip_lwput(queue_t *q, mblk_t *mp)
5669 {
5670         freemsg(mp);
5671 }
5672 
5673 /*
5674  * Move the first hop in any source route to ipha_dst and remove that part of
5675  * the source route.  Called by other protocols.  Errors in option formatting
5676  * are ignored - will be handled by ip_output_options. Return the final
5677  * destination (either ipha_dst or the last entry in a source route.)
5678  */
5679 ipaddr_t
5680 ip_massage_options(ipha_t *ipha, netstack_t *ns)
5681 {
5682         ipoptp_t        opts;
5683         uchar_t         *opt;
5684         uint8_t         optval;
5685         uint8_t         optlen;
5686         ipaddr_t        dst;
5687         int             i;
5688         ip_stack_t      *ipst = ns->netstack_ip;
5689 
5690         ip2dbg(("ip_massage_options\n"));
5691         dst = ipha->ipha_dst;
5692         for (optval = ipoptp_first(&opts, ipha);
5693             optval != IPOPT_EOL;
5694             optval = ipoptp_next(&opts)) {
5695                 opt = opts.ipoptp_cur;
5696                 switch (optval) {
5697                         uint8_t off;
5698                 case IPOPT_SSRR:
5699                 case IPOPT_LSRR:
5700                         if ((opts.ipoptp_flags & IPOPTP_ERROR) != 0) {
5701                                 ip1dbg(("ip_massage_options: bad src route\n"));
5702                                 break;
5703                         }
5704                         optlen = opts.ipoptp_len;
5705                         off = opt[IPOPT_OFFSET];
5706                         off--;
5707                 redo_srr:
5708                         if (optlen < IP_ADDR_LEN ||
5709                             off > optlen - IP_ADDR_LEN) {
5710                                 /* End of source route */
5711                                 ip1dbg(("ip_massage_options: end of SR\n"));
5712                                 break;
5713                         }
5714                         bcopy((char *)opt + off, &dst, IP_ADDR_LEN);
5715                         ip1dbg(("ip_massage_options: next hop 0x%x\n",
5716                             ntohl(dst)));
5717                         /*
5718                          * Check if our address is present more than
5719                          * once as consecutive hops in source route.
5720                          * XXX verify per-interface ip_forwarding
5721                          * for source route?
5722                          */
5723                         if (ip_type_v4(dst, ipst) == IRE_LOCAL) {
5724                                 off += IP_ADDR_LEN;
5725                                 goto redo_srr;
5726                         }
5727                         if (dst == htonl(INADDR_LOOPBACK)) {
5728                                 ip1dbg(("ip_massage_options: loopback addr in "
5729                                     "source route!\n"));
5730                                 break;
5731                         }
5732                         /*
5733                          * Update ipha_dst to be the first hop and remove the
5734                          * first hop from the source route (by overwriting
5735                          * part of the option with NOP options).
5736                          */
5737                         ipha->ipha_dst = dst;
5738                         /* Put the last entry in dst */
5739                         off = ((optlen - IP_ADDR_LEN - 3) & ~(IP_ADDR_LEN-1)) +
5740                             3;
5741                         bcopy(&opt[off], &dst, IP_ADDR_LEN);
5742 
5743                         ip1dbg(("ip_massage_options: last hop 0x%x\n",
5744                             ntohl(dst)));
5745                         /* Move down and overwrite */
5746                         opt[IP_ADDR_LEN] = opt[0];
5747                         opt[IP_ADDR_LEN+1] = opt[IPOPT_OLEN] - IP_ADDR_LEN;
5748                         opt[IP_ADDR_LEN+2] = opt[IPOPT_OFFSET];
5749                         for (i = 0; i < IP_ADDR_LEN; i++)
5750                                 opt[i] = IPOPT_NOP;
5751                         break;
5752                 }
5753         }
5754         return (dst);
5755 }
5756 
5757 /*
5758  * Return the network mask
5759  * associated with the specified address.
5760  */
5761 ipaddr_t
5762 ip_net_mask(ipaddr_t addr)
5763 {
5764         uchar_t *up = (uchar_t *)&addr;
5765         ipaddr_t mask = 0;
5766         uchar_t *maskp = (uchar_t *)&mask;
5767 
5768 #if defined(__i386) || defined(__amd64)
5769 #define TOTALLY_BRAIN_DAMAGED_C_COMPILER
5770 #endif
5771 #ifdef  TOTALLY_BRAIN_DAMAGED_C_COMPILER
5772         maskp[0] = maskp[1] = maskp[2] = maskp[3] = 0;
5773 #endif
5774         if (CLASSD(addr)) {
5775                 maskp[0] = 0xF0;
5776                 return (mask);
5777         }
5778 
5779         /* We assume Class E default netmask to be 32 */
5780         if (CLASSE(addr))
5781                 return (0xffffffffU);
5782 
5783         if (addr == 0)
5784                 return (0);
5785         maskp[0] = 0xFF;
5786         if ((up[0] & 0x80) == 0)
5787                 return (mask);
5788 
5789         maskp[1] = 0xFF;
5790         if ((up[0] & 0xC0) == 0x80)
5791                 return (mask);
5792 
5793         maskp[2] = 0xFF;
5794         if ((up[0] & 0xE0) == 0xC0)
5795                 return (mask);
5796 
5797         /* Otherwise return no mask */
5798         return ((ipaddr_t)0);
5799 }
5800 
5801 /* Name/Value Table Lookup Routine */
5802 char *
5803 ip_nv_lookup(nv_t *nv, int value)
5804 {
5805         if (!nv)
5806                 return (NULL);
5807         for (; nv->nv_name; nv++) {
5808                 if (nv->nv_value == value)
5809                         return (nv->nv_name);
5810         }
5811         return ("unknown");
5812 }
5813 
5814 static int
5815 ip_wait_for_info_ack(ill_t *ill)
5816 {
5817         int err;
5818 
5819         mutex_enter(&ill->ill_lock);
5820         while (ill->ill_state_flags & ILL_LL_SUBNET_PENDING) {
5821                 /*
5822                  * Return value of 0 indicates a pending signal.
5823                  */
5824                 err = cv_wait_sig(&ill->ill_cv, &ill->ill_lock);
5825                 if (err == 0) {
5826                         mutex_exit(&ill->ill_lock);
5827                         return (EINTR);
5828                 }
5829         }
5830         mutex_exit(&ill->ill_lock);
5831         /*
5832          * ip_rput_other could have set an error  in ill_error on
5833          * receipt of M_ERROR.
5834          */
5835         return (ill->ill_error);
5836 }
5837 
5838 /*
5839  * This is a module open, i.e. this is a control stream for access
5840  * to a DLPI device.  We allocate an ill_t as the instance data in
5841  * this case.
5842  */
5843 static int
5844 ip_modopen(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
5845 {
5846         ill_t   *ill;
5847         int     err;
5848         zoneid_t zoneid;
5849         netstack_t *ns;
5850         ip_stack_t *ipst;
5851 
5852         /*
5853          * Prevent unprivileged processes from pushing IP so that
5854          * they can't send raw IP.
5855          */
5856         if (secpolicy_net_rawaccess(credp) != 0)
5857                 return (EPERM);
5858 
5859         ns = netstack_find_by_cred(credp);
5860         ASSERT(ns != NULL);
5861         ipst = ns->netstack_ip;
5862         ASSERT(ipst != NULL);
5863 
5864         /*
5865          * For exclusive stacks we set the zoneid to zero
5866          * to make IP operate as if in the global zone.
5867          */
5868         if (ipst->ips_netstack->netstack_stackid != GLOBAL_NETSTACKID)
5869                 zoneid = GLOBAL_ZONEID;
5870         else
5871                 zoneid = crgetzoneid(credp);
5872 
5873         ill = (ill_t *)mi_open_alloc_sleep(sizeof (ill_t));
5874         q->q_ptr = WR(q)->q_ptr = ill;
5875         ill->ill_ipst = ipst;
5876         ill->ill_zoneid = zoneid;
5877 
5878         /*
5879          * ill_init initializes the ill fields and then sends down
5880          * down a DL_INFO_REQ after calling qprocson.
5881          */
5882         err = ill_init(q, ill);
5883 
5884         if (err != 0) {
5885                 mi_free(ill);
5886                 netstack_rele(ipst->ips_netstack);
5887                 q->q_ptr = NULL;
5888                 WR(q)->q_ptr = NULL;
5889                 return (err);
5890         }
5891 
5892         /*
5893          * Wait for the DL_INFO_ACK if a DL_INFO_REQ was sent.
5894          *
5895          * ill_init initializes the ipsq marking this thread as
5896          * writer
5897          */
5898         ipsq_exit(ill->ill_phyint->phyint_ipsq);
5899         err = ip_wait_for_info_ack(ill);
5900         if (err == 0)
5901                 ill->ill_credp = credp;
5902         else
5903                 goto fail;
5904 
5905         crhold(credp);
5906 
5907         mutex_enter(&ipst->ips_ip_mi_lock);
5908         err = mi_open_link(&ipst->ips_ip_g_head, (IDP)q->q_ptr, devp, flag,
5909             sflag, credp);
5910         mutex_exit(&ipst->ips_ip_mi_lock);
5911 fail:
5912         if (err) {
5913                 (void) ip_close(q, 0);
5914                 return (err);
5915         }
5916         return (0);
5917 }
5918 
5919 /* For /dev/ip aka AF_INET open */
5920 int
5921 ip_openv4(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
5922 {
5923         return (ip_open(q, devp, flag, sflag, credp, B_FALSE));
5924 }
5925 
5926 /* For /dev/ip6 aka AF_INET6 open */
5927 int
5928 ip_openv6(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
5929 {
5930         return (ip_open(q, devp, flag, sflag, credp, B_TRUE));
5931 }
5932 
5933 /* IP open routine. */
5934 int
5935 ip_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp,
5936     boolean_t isv6)
5937 {
5938         conn_t          *connp;
5939         major_t         maj;
5940         zoneid_t        zoneid;
5941         netstack_t      *ns;
5942         ip_stack_t      *ipst;
5943 
5944         /* Allow reopen. */
5945         if (q->q_ptr != NULL)
5946                 return (0);
5947 
5948         if (sflag & MODOPEN) {
5949                 /* This is a module open */
5950                 return (ip_modopen(q, devp, flag, sflag, credp));
5951         }
5952 
5953         if ((flag & ~(FKLYR)) == IP_HELPER_STR) {
5954                 /*
5955                  * Non streams based socket looking for a stream
5956                  * to access IP
5957                  */
5958                 return (ip_helper_stream_setup(q, devp, flag, sflag,
5959                     credp, isv6));
5960         }
5961 
5962         ns = netstack_find_by_cred(credp);
5963         ASSERT(ns != NULL);
5964         ipst = ns->netstack_ip;
5965         ASSERT(ipst != NULL);
5966 
5967         /*
5968          * For exclusive stacks we set the zoneid to zero
5969          * to make IP operate as if in the global zone.
5970          */
5971         if (ipst->ips_netstack->netstack_stackid != GLOBAL_NETSTACKID)
5972                 zoneid = GLOBAL_ZONEID;
5973         else
5974                 zoneid = crgetzoneid(credp);
5975 
5976         /*
5977          * We are opening as a device. This is an IP client stream, and we
5978          * allocate an conn_t as the instance data.
5979          */
5980         connp = ipcl_conn_create(IPCL_IPCCONN, KM_SLEEP, ipst->ips_netstack);
5981 
5982         /*
5983          * ipcl_conn_create did a netstack_hold. Undo the hold that was
5984          * done by netstack_find_by_cred()
5985          */
5986         netstack_rele(ipst->ips_netstack);
5987 
5988         connp->conn_ixa->ixa_flags |= IXAF_MULTICAST_LOOP | IXAF_SET_ULP_CKSUM;
5989         /* conn_allzones can not be set this early, hence no IPCL_ZONEID */
5990         connp->conn_ixa->ixa_zoneid = zoneid;
5991         connp->conn_zoneid = zoneid;
5992 
5993         connp->conn_rq = q;
5994         q->q_ptr = WR(q)->q_ptr = connp;
5995 
5996         /* Minor tells us which /dev entry was opened */
5997         if (isv6) {
5998                 connp->conn_family = AF_INET6;
5999                 connp->conn_ipversion = IPV6_VERSION;
6000                 connp->conn_ixa->ixa_flags &= ~IXAF_IS_IPV4;
6001                 connp->conn_ixa->ixa_src_preferences = IPV6_PREFER_SRC_DEFAULT;
6002         } else {
6003                 connp->conn_family = AF_INET;
6004                 connp->conn_ipversion = IPV4_VERSION;
6005                 connp->conn_ixa->ixa_flags |= IXAF_IS_IPV4;
6006         }
6007 
6008         if ((ip_minor_arena_la != NULL) && (flag & SO_SOCKSTR) &&
6009             ((connp->conn_dev = inet_minor_alloc(ip_minor_arena_la)) != 0)) {
6010                 connp->conn_minor_arena = ip_minor_arena_la;
6011         } else {
6012                 /*
6013                  * Either minor numbers in the large arena were exhausted
6014                  * or a non socket application is doing the open.
6015                  * Try to allocate from the small arena.
6016                  */
6017                 if ((connp->conn_dev =
6018                     inet_minor_alloc(ip_minor_arena_sa)) == 0) {
6019                         /* CONN_DEC_REF takes care of netstack_rele() */
6020                         q->q_ptr = WR(q)->q_ptr = NULL;
6021                         CONN_DEC_REF(connp);
6022                         return (EBUSY);
6023                 }
6024                 connp->conn_minor_arena = ip_minor_arena_sa;
6025         }
6026 
6027         maj = getemajor(*devp);
6028         *devp = makedevice(maj, (minor_t)connp->conn_dev);
6029 
6030         /*
6031          * connp->conn_cred is crfree()ed in ipcl_conn_destroy()
6032          */
6033         connp->conn_cred = credp;
6034         connp->conn_cpid = curproc->p_pid;
6035         /* Cache things in ixa without an extra refhold */
6036         ASSERT(!(connp->conn_ixa->ixa_free_flags & IXA_FREE_CRED));
6037         connp->conn_ixa->ixa_cred = connp->conn_cred;
6038         connp->conn_ixa->ixa_cpid = connp->conn_cpid;
6039         if (is_system_labeled())
6040                 connp->conn_ixa->ixa_tsl = crgetlabel(connp->conn_cred);
6041 
6042         /*
6043          * Handle IP_IOC_RTS_REQUEST and other ioctls which use conn_recv
6044          */
6045         connp->conn_recv = ip_conn_input;
6046         connp->conn_recvicmp = ip_conn_input_icmp;
6047 
6048         crhold(connp->conn_cred);
6049 
6050         /*
6051          * If the caller has the process-wide flag set, then default to MAC
6052          * exempt mode.  This allows read-down to unlabeled hosts.
6053          */
6054         if (getpflags(NET_MAC_AWARE, credp) != 0)
6055                 connp->conn_mac_mode = CONN_MAC_AWARE;
6056 
6057         connp->conn_zone_is_global = (crgetzoneid(credp) == GLOBAL_ZONEID);
6058 
6059         connp->conn_rq = q;
6060         connp->conn_wq = WR(q);
6061 
6062         /* Non-zero default values */
6063         connp->conn_ixa->ixa_flags |= IXAF_MULTICAST_LOOP;
6064 
6065         /*
6066          * Make the conn globally visible to walkers
6067          */
6068         ASSERT(connp->conn_ref == 1);
6069         mutex_enter(&connp->conn_lock);
6070         connp->conn_state_flags &= ~CONN_INCIPIENT;
6071         mutex_exit(&connp->conn_lock);
6072 
6073         qprocson(q);
6074 
6075         return (0);
6076 }
6077 
6078 /*
6079  * Set IPsec policy from an ipsec_req_t. If the req is not "zero" and valid,
6080  * all of them are copied to the conn_t. If the req is "zero", the policy is
6081  * zeroed out. A "zero" policy has zero ipsr_{ah,req,self_encap}_req
6082  * fields.
6083  * We keep only the latest setting of the policy and thus policy setting
6084  * is not incremental/cumulative.
6085  *
6086  * Requests to set policies with multiple alternative actions will
6087  * go through a different API.
6088  */
6089 int
6090 ipsec_set_req(cred_t *cr, conn_t *connp, ipsec_req_t *req)
6091 {
6092         uint_t ah_req = 0;
6093         uint_t esp_req = 0;
6094         uint_t se_req = 0;
6095         ipsec_act_t *actp = NULL;
6096         uint_t nact;
6097         ipsec_policy_head_t *ph;
6098         boolean_t is_pol_reset, is_pol_inserted = B_FALSE;
6099         int error = 0;
6100         netstack_t      *ns = connp->conn_netstack;
6101         ip_stack_t      *ipst = ns->netstack_ip;
6102         ipsec_stack_t   *ipss = ns->netstack_ipsec;
6103 
6104 #define REQ_MASK (IPSEC_PREF_REQUIRED|IPSEC_PREF_NEVER)
6105 
6106         /*
6107          * The IP_SEC_OPT option does not allow variable length parameters,
6108          * hence a request cannot be NULL.
6109          */
6110         if (req == NULL)
6111                 return (EINVAL);
6112 
6113         ah_req = req->ipsr_ah_req;
6114         esp_req = req->ipsr_esp_req;
6115         se_req = req->ipsr_self_encap_req;
6116 
6117         /* Don't allow setting self-encap without one or more of AH/ESP. */
6118         if (se_req != 0 && esp_req == 0 && ah_req == 0)
6119                 return (EINVAL);
6120 
6121         /*
6122          * Are we dealing with a request to reset the policy (i.e.
6123          * zero requests).
6124          */
6125         is_pol_reset = ((ah_req & REQ_MASK) == 0 &&
6126             (esp_req & REQ_MASK) == 0 &&
6127             (se_req & REQ_MASK) == 0);
6128 
6129         if (!is_pol_reset) {
6130                 /*
6131                  * If we couldn't load IPsec, fail with "protocol
6132                  * not supported".
6133                  * IPsec may not have been loaded for a request with zero
6134                  * policies, so we don't fail in this case.
6135                  */
6136                 mutex_enter(&ipss->ipsec_loader_lock);
6137                 if (ipss->ipsec_loader_state != IPSEC_LOADER_SUCCEEDED) {
6138                         mutex_exit(&ipss->ipsec_loader_lock);
6139                         return (EPROTONOSUPPORT);
6140                 }
6141                 mutex_exit(&ipss->ipsec_loader_lock);
6142 
6143                 /*
6144                  * Test for valid requests. Invalid algorithms
6145                  * need to be tested by IPsec code because new
6146                  * algorithms can be added dynamically.
6147                  */
6148                 if ((ah_req & ~(REQ_MASK|IPSEC_PREF_UNIQUE)) != 0 ||
6149                     (esp_req & ~(REQ_MASK|IPSEC_PREF_UNIQUE)) != 0 ||
6150                     (se_req & ~(REQ_MASK|IPSEC_PREF_UNIQUE)) != 0) {
6151                         return (EINVAL);
6152                 }
6153 
6154                 /*
6155                  * Only privileged users can issue these
6156                  * requests.
6157                  */
6158                 if (((ah_req & IPSEC_PREF_NEVER) ||
6159                     (esp_req & IPSEC_PREF_NEVER) ||
6160                     (se_req & IPSEC_PREF_NEVER)) &&
6161                     secpolicy_ip_config(cr, B_FALSE) != 0) {
6162                         return (EPERM);
6163                 }
6164 
6165                 /*
6166                  * The IPSEC_PREF_REQUIRED and IPSEC_PREF_NEVER
6167                  * are mutually exclusive.
6168                  */
6169                 if (((ah_req & REQ_MASK) == REQ_MASK) ||
6170                     ((esp_req & REQ_MASK) == REQ_MASK) ||
6171                     ((se_req & REQ_MASK) == REQ_MASK)) {
6172                         /* Both of them are set */
6173                         return (EINVAL);
6174                 }
6175         }
6176 
6177         ASSERT(MUTEX_HELD(&connp->conn_lock));
6178 
6179         /*
6180          * If we have already cached policies in conn_connect(), don't
6181          * let them change now. We cache policies for connections
6182          * whose src,dst [addr, port] is known.
6183          */
6184         if (connp->conn_policy_cached) {
6185                 return (EINVAL);
6186         }
6187 
6188         /*
6189          * We have a zero policies, reset the connection policy if already
6190          * set. This will cause the connection to inherit the
6191          * global policy, if any.
6192          */
6193         if (is_pol_reset) {
6194                 if (connp->conn_policy != NULL) {
6195                         IPPH_REFRELE(connp->conn_policy, ipst->ips_netstack);
6196                         connp->conn_policy = NULL;
6197                 }
6198                 connp->conn_in_enforce_policy = B_FALSE;
6199                 connp->conn_out_enforce_policy = B_FALSE;
6200                 return (0);
6201         }
6202 
6203         ph = connp->conn_policy = ipsec_polhead_split(connp->conn_policy,
6204             ipst->ips_netstack);
6205         if (ph == NULL)
6206                 goto enomem;
6207 
6208         ipsec_actvec_from_req(req, &actp, &nact, ipst->ips_netstack);
6209         if (actp == NULL)
6210                 goto enomem;
6211 
6212         /*
6213          * Always insert IPv4 policy entries, since they can also apply to
6214          * ipv6 sockets being used in ipv4-compat mode.
6215          */
6216         if (!ipsec_polhead_insert(ph, actp, nact, IPSEC_AF_V4,
6217             IPSEC_TYPE_INBOUND, ns))
6218                 goto enomem;
6219         is_pol_inserted = B_TRUE;
6220         if (!ipsec_polhead_insert(ph, actp, nact, IPSEC_AF_V4,
6221             IPSEC_TYPE_OUTBOUND, ns))
6222                 goto enomem;
6223 
6224         /*
6225          * We're looking at a v6 socket, also insert the v6-specific
6226          * entries.
6227          */
6228         if (connp->conn_family == AF_INET6) {
6229                 if (!ipsec_polhead_insert(ph, actp, nact, IPSEC_AF_V6,
6230                     IPSEC_TYPE_INBOUND, ns))
6231                         goto enomem;
6232                 if (!ipsec_polhead_insert(ph, actp, nact, IPSEC_AF_V6,
6233                     IPSEC_TYPE_OUTBOUND, ns))
6234                         goto enomem;
6235         }
6236 
6237         ipsec_actvec_free(actp, nact);
6238 
6239         /*
6240          * If the requests need security, set enforce_policy.
6241          * If the requests are IPSEC_PREF_NEVER, one should
6242          * still set conn_out_enforce_policy so that ip_set_destination
6243          * marks the ip_xmit_attr_t appropriatly. This is needed so that
6244          * for connections that we don't cache policy in at connect time,
6245          * if global policy matches in ip_output_attach_policy, we
6246          * don't wrongly inherit global policy. Similarly, we need
6247          * to set conn_in_enforce_policy also so that we don't verify
6248          * policy wrongly.
6249          */
6250         if ((ah_req & REQ_MASK) != 0 ||
6251             (esp_req & REQ_MASK) != 0 ||
6252             (se_req & REQ_MASK) != 0) {
6253                 connp->conn_in_enforce_policy = B_TRUE;
6254                 connp->conn_out_enforce_policy = B_TRUE;
6255         }
6256 
6257         return (error);
6258 #undef REQ_MASK
6259 
6260         /*
6261          * Common memory-allocation-failure exit path.
6262          */
6263 enomem:
6264         if (actp != NULL)
6265                 ipsec_actvec_free(actp, nact);
6266         if (is_pol_inserted)
6267                 ipsec_polhead_flush(ph, ns);
6268         return (ENOMEM);
6269 }
6270 
6271 /*
6272  * Set socket options for joining and leaving multicast groups.
6273  * Common to IPv4 and IPv6; inet6 indicates the type of socket.
6274  * The caller has already check that the option name is consistent with
6275  * the address family of the socket.
6276  */
6277 int
6278 ip_opt_set_multicast_group(conn_t *connp, t_scalar_t name,
6279     uchar_t *invalp, boolean_t inet6, boolean_t checkonly)
6280 {
6281         int             *i1 = (int *)invalp;
6282         int             error = 0;
6283         ip_stack_t      *ipst = connp->conn_netstack->netstack_ip;
6284         struct ip_mreq  *v4_mreqp;
6285         struct ipv6_mreq *v6_mreqp;
6286         struct group_req *greqp;
6287         ire_t *ire;
6288         boolean_t done = B_FALSE;
6289         ipaddr_t ifaddr;
6290         in6_addr_t v6group;
6291         uint_t ifindex;
6292         boolean_t mcast_opt = B_TRUE;
6293         mcast_record_t fmode;
6294         int (*optfn)(conn_t *, boolean_t, const in6_addr_t *,
6295             ipaddr_t, uint_t, mcast_record_t, const in6_addr_t *);
6296 
6297         switch (name) {
6298         case IP_ADD_MEMBERSHIP:
6299         case IPV6_JOIN_GROUP:
6300                 mcast_opt = B_FALSE;
6301                 /* FALLTHRU */
6302         case MCAST_JOIN_GROUP:
6303                 fmode = MODE_IS_EXCLUDE;
6304                 optfn = ip_opt_add_group;
6305                 break;
6306 
6307         case IP_DROP_MEMBERSHIP:
6308         case IPV6_LEAVE_GROUP:
6309                 mcast_opt = B_FALSE;
6310                 /* FALLTHRU */
6311         case MCAST_LEAVE_GROUP:
6312                 fmode = MODE_IS_INCLUDE;
6313                 optfn = ip_opt_delete_group;
6314                 break;
6315         default:
6316                 ASSERT(0);
6317         }
6318 
6319         if (mcast_opt) {
6320                 struct sockaddr_in *sin;
6321                 struct sockaddr_in6 *sin6;
6322 
6323                 greqp = (struct group_req *)i1;
6324                 if (greqp->gr_group.ss_family == AF_INET) {
6325                         sin = (struct sockaddr_in *)&(greqp->gr_group);
6326                         IN6_INADDR_TO_V4MAPPED(&sin->sin_addr, &v6group);
6327                 } else {
6328                         if (!inet6)
6329                                 return (EINVAL);        /* Not on INET socket */
6330 
6331                         sin6 = (struct sockaddr_in6 *)&(greqp->gr_group);
6332                         v6group = sin6->sin6_addr;
6333                 }
6334                 ifaddr = INADDR_ANY;
6335                 ifindex = greqp->gr_interface;
6336         } else if (inet6) {
6337                 v6_mreqp = (struct ipv6_mreq *)i1;
6338                 v6group = v6_mreqp->ipv6mr_multiaddr;
6339                 ifaddr = INADDR_ANY;
6340                 ifindex = v6_mreqp->ipv6mr_interface;
6341         } else {
6342                 v4_mreqp = (struct ip_mreq *)i1;
6343                 IN6_INADDR_TO_V4MAPPED(&v4_mreqp->imr_multiaddr, &v6group);
6344                 ifaddr = (ipaddr_t)v4_mreqp->imr_interface.s_addr;
6345                 ifindex = 0;
6346         }
6347 
6348         /*
6349          * In the multirouting case, we need to replicate
6350          * the request on all interfaces that will take part
6351          * in replication.  We do so because multirouting is
6352          * reflective, thus we will probably receive multi-
6353          * casts on those interfaces.
6354          * The ip_multirt_apply_membership() succeeds if
6355          * the operation succeeds on at least one interface.
6356          */
6357         if (IN6_IS_ADDR_V4MAPPED(&v6group)) {
6358                 ipaddr_t group;
6359 
6360                 IN6_V4MAPPED_TO_IPADDR(&v6group, group);
6361 
6362                 ire = ire_ftable_lookup_v4(group, IP_HOST_MASK, 0,
6363                     IRE_HOST | IRE_INTERFACE, NULL, ALL_ZONES, NULL,
6364                     MATCH_IRE_MASK | MATCH_IRE_TYPE, 0, ipst, NULL);
6365         } else {
6366                 ire = ire_ftable_lookup_v6(&v6group, &ipv6_all_ones, 0,
6367                     IRE_HOST | IRE_INTERFACE, NULL, ALL_ZONES, NULL,
6368                     MATCH_IRE_MASK | MATCH_IRE_TYPE, 0, ipst, NULL);
6369         }
6370         if (ire != NULL) {
6371                 if (ire->ire_flags & RTF_MULTIRT) {
6372                         error = ip_multirt_apply_membership(optfn, ire, connp,
6373                             checkonly, &v6group, fmode, &ipv6_all_zeros);
6374                         done = B_TRUE;
6375                 }
6376                 ire_refrele(ire);
6377         }
6378 
6379         if (!done) {
6380                 error = optfn(connp, checkonly, &v6group, ifaddr, ifindex,
6381                     fmode, &ipv6_all_zeros);
6382         }
6383         return (error);
6384 }
6385 
6386 /*
6387  * Set socket options for joining and leaving multicast groups
6388  * for specific sources.
6389  * Common to IPv4 and IPv6; inet6 indicates the type of socket.
6390  * The caller has already check that the option name is consistent with
6391  * the address family of the socket.
6392  */
6393 int
6394 ip_opt_set_multicast_sources(conn_t *connp, t_scalar_t name,
6395     uchar_t *invalp, boolean_t inet6, boolean_t checkonly)
6396 {
6397         int             *i1 = (int *)invalp;
6398         int             error = 0;
6399         ip_stack_t      *ipst = connp->conn_netstack->netstack_ip;
6400         struct ip_mreq_source *imreqp;
6401         struct group_source_req *gsreqp;
6402         in6_addr_t v6group, v6src;
6403         uint32_t ifindex;
6404         ipaddr_t ifaddr;
6405         boolean_t mcast_opt = B_TRUE;
6406         mcast_record_t fmode;
6407         ire_t *ire;
6408         boolean_t done = B_FALSE;
6409         int (*optfn)(conn_t *, boolean_t, const in6_addr_t *,
6410             ipaddr_t, uint_t, mcast_record_t, const in6_addr_t *);
6411 
6412         switch (name) {
6413         case IP_BLOCK_SOURCE:
6414                 mcast_opt = B_FALSE;
6415                 /* FALLTHRU */
6416         case MCAST_BLOCK_SOURCE:
6417                 fmode = MODE_IS_EXCLUDE;
6418                 optfn = ip_opt_add_group;
6419                 break;
6420 
6421         case IP_UNBLOCK_SOURCE:
6422                 mcast_opt = B_FALSE;
6423                 /* FALLTHRU */
6424         case MCAST_UNBLOCK_SOURCE:
6425                 fmode = MODE_IS_EXCLUDE;
6426                 optfn = ip_opt_delete_group;
6427                 break;
6428 
6429         case IP_ADD_SOURCE_MEMBERSHIP:
6430                 mcast_opt = B_FALSE;
6431                 /* FALLTHRU */
6432         case MCAST_JOIN_SOURCE_GROUP:
6433                 fmode = MODE_IS_INCLUDE;
6434                 optfn = ip_opt_add_group;
6435                 break;
6436 
6437         case IP_DROP_SOURCE_MEMBERSHIP:
6438                 mcast_opt = B_FALSE;
6439                 /* FALLTHRU */
6440         case MCAST_LEAVE_SOURCE_GROUP:
6441                 fmode = MODE_IS_INCLUDE;
6442                 optfn = ip_opt_delete_group;
6443                 break;
6444         default:
6445                 ASSERT(0);
6446         }
6447 
6448         if (mcast_opt) {
6449                 gsreqp = (struct group_source_req *)i1;
6450                 ifindex = gsreqp->gsr_interface;
6451                 if (gsreqp->gsr_group.ss_family == AF_INET) {
6452                         struct sockaddr_in *s;
6453                         s = (struct sockaddr_in *)&gsreqp->gsr_group;
6454                         IN6_INADDR_TO_V4MAPPED(&s->sin_addr, &v6group);
6455                         s = (struct sockaddr_in *)&gsreqp->gsr_source;
6456                         IN6_INADDR_TO_V4MAPPED(&s->sin_addr, &v6src);
6457                 } else {
6458                         struct sockaddr_in6 *s6;
6459 
6460                         if (!inet6)
6461                                 return (EINVAL);        /* Not on INET socket */
6462 
6463                         s6 = (struct sockaddr_in6 *)&gsreqp->gsr_group;
6464                         v6group = s6->sin6_addr;
6465                         s6 = (struct sockaddr_in6 *)&gsreqp->gsr_source;
6466                         v6src = s6->sin6_addr;
6467                 }
6468                 ifaddr = INADDR_ANY;
6469         } else {
6470                 imreqp = (struct ip_mreq_source *)i1;
6471                 IN6_INADDR_TO_V4MAPPED(&imreqp->imr_multiaddr, &v6group);
6472                 IN6_INADDR_TO_V4MAPPED(&imreqp->imr_sourceaddr, &v6src);
6473                 ifaddr = (ipaddr_t)imreqp->imr_interface.s_addr;
6474                 ifindex = 0;
6475         }
6476 
6477         /*
6478          * Handle src being mapped INADDR_ANY by changing it to unspecified.
6479          */
6480         if (IN6_IS_ADDR_V4MAPPED_ANY(&v6src))
6481                 v6src = ipv6_all_zeros;
6482 
6483         /*
6484          * In the multirouting case, we need to replicate
6485          * the request as noted in the mcast cases above.
6486          */
6487         if (IN6_IS_ADDR_V4MAPPED(&v6group)) {
6488                 ipaddr_t group;
6489 
6490                 IN6_V4MAPPED_TO_IPADDR(&v6group, group);
6491 
6492                 ire = ire_ftable_lookup_v4(group, IP_HOST_MASK, 0,
6493                     IRE_HOST | IRE_INTERFACE, NULL, ALL_ZONES, NULL,
6494                     MATCH_IRE_MASK | MATCH_IRE_TYPE, 0, ipst, NULL);
6495         } else {
6496                 ire = ire_ftable_lookup_v6(&v6group, &ipv6_all_ones, 0,
6497                     IRE_HOST | IRE_INTERFACE, NULL, ALL_ZONES, NULL,
6498                     MATCH_IRE_MASK | MATCH_IRE_TYPE, 0, ipst, NULL);
6499         }
6500         if (ire != NULL) {
6501                 if (ire->ire_flags & RTF_MULTIRT) {
6502                         error = ip_multirt_apply_membership(optfn, ire, connp,
6503                             checkonly, &v6group, fmode, &v6src);
6504                         done = B_TRUE;
6505                 }
6506                 ire_refrele(ire);
6507         }
6508         if (!done) {
6509                 error = optfn(connp, checkonly, &v6group, ifaddr, ifindex,
6510                     fmode, &v6src);
6511         }
6512         return (error);
6513 }
6514 
6515 /*
6516  * Given a destination address and a pointer to where to put the information
6517  * this routine fills in the mtuinfo.
6518  * The socket must be connected.
6519  * For sctp conn_faddr is the primary address.
6520  */
6521 int
6522 ip_fill_mtuinfo(conn_t *connp, ip_xmit_attr_t *ixa, struct ip6_mtuinfo *mtuinfo)
6523 {
6524         uint32_t        pmtu = IP_MAXPACKET;
6525         uint_t          scopeid;
6526 
6527         if (IN6_IS_ADDR_UNSPECIFIED(&connp->conn_faddr_v6))
6528                 return (-1);
6529 
6530         /* In case we never sent or called ip_set_destination_v4/v6 */
6531         if (ixa->ixa_ire != NULL)
6532                 pmtu = ip_get_pmtu(ixa);
6533 
6534         if (ixa->ixa_flags & IXAF_SCOPEID_SET)
6535                 scopeid = ixa->ixa_scopeid;
6536         else
6537                 scopeid = 0;
6538 
6539         bzero(mtuinfo, sizeof (*mtuinfo));
6540         mtuinfo->ip6m_addr.sin6_family = AF_INET6;
6541         mtuinfo->ip6m_addr.sin6_port = connp->conn_fport;
6542         mtuinfo->ip6m_addr.sin6_addr = connp->conn_faddr_v6;
6543         mtuinfo->ip6m_addr.sin6_scope_id = scopeid;
6544         mtuinfo->ip6m_mtu = pmtu;
6545 
6546         return (sizeof (struct ip6_mtuinfo));
6547 }
6548 
6549 /*
6550  * When the src multihoming is changed from weak to [strong, preferred]
6551  * ip_ire_rebind_walker is called to walk the list of all ire_t entries
6552  * and identify routes that were created by user-applications in the
6553  * unbound state (i.e., without RTA_IFP), and for which an ire_ill is not
6554  * currently defined. These routes are then 'rebound', i.e., their ire_ill
6555  * is selected by finding an interface route for the gateway.
6556  */
6557 /* ARGSUSED */
6558 void
6559 ip_ire_rebind_walker(ire_t *ire, void *notused)
6560 {
6561         if (!ire->ire_unbound || ire->ire_ill != NULL)
6562                 return;
6563         ire_rebind(ire);
6564         ire_delete(ire);
6565 }
6566 
6567 /*
6568  * When the src multihoming is changed from  [strong, preferred] to weak,
6569  * ip_ire_unbind_walker is called to walk the list of all ire_t entries, and
6570  * set any entries that were created by user-applications in the unbound state
6571  * (i.e., without RTA_IFP) back to having a NULL ire_ill.
6572  */
6573 /* ARGSUSED */
6574 void
6575 ip_ire_unbind_walker(ire_t *ire, void *notused)
6576 {
6577         ire_t *new_ire;
6578 
6579         if (!ire->ire_unbound || ire->ire_ill == NULL)
6580                 return;
6581         if (ire->ire_ipversion == IPV6_VERSION) {
6582                 new_ire = ire_create_v6(&ire->ire_addr_v6, &ire->ire_mask_v6,
6583                     &ire->ire_gateway_addr_v6, ire->ire_type, NULL,
6584                     ire->ire_zoneid, ire->ire_flags, NULL, ire->ire_ipst);
6585         } else {
6586                 new_ire = ire_create((uchar_t *)&ire->ire_addr,
6587                     (uchar_t *)&ire->ire_mask,
6588                     (uchar_t *)&ire->ire_gateway_addr, ire->ire_type, NULL,
6589                     ire->ire_zoneid, ire->ire_flags, NULL, ire->ire_ipst);
6590         }
6591         if (new_ire == NULL)
6592                 return;
6593         new_ire->ire_unbound = B_TRUE;
6594         /*
6595          * The bound ire must first be deleted so that we don't return
6596          * the existing one on the attempt to add the unbound new_ire.
6597          */
6598         ire_delete(ire);
6599         new_ire = ire_add(new_ire);
6600         if (new_ire != NULL)
6601                 ire_refrele(new_ire);
6602 }
6603 
6604 /*
6605  * When the settings of ip*_strict_src_multihoming tunables are changed,
6606  * all cached routes need to be recomputed. This recomputation needs to be
6607  * done when going from weaker to stronger modes so that the cached ire
6608  * for the connection does not violate the current ip*_strict_src_multihoming
6609  * setting. It also needs to be done when going from stronger to weaker modes,
6610  * so that we fall back to matching on the longest-matching-route (as opposed
6611  * to a shorter match that may have been selected in the strong mode
6612  * to satisfy src_multihoming settings).
6613  *
6614  * The cached ixa_ire entires for all conn_t entries are marked as
6615  * "verify" so that they will be recomputed for the next packet.
6616  */
6617 void
6618 conn_ire_revalidate(conn_t *connp, void *arg)
6619 {
6620         boolean_t isv6 = (boolean_t)arg;
6621 
6622         if ((isv6 && connp->conn_ipversion != IPV6_VERSION) ||
6623             (!isv6 && connp->conn_ipversion != IPV4_VERSION))
6624                 return;
6625         connp->conn_ixa->ixa_ire_generation = IRE_GENERATION_VERIFY;
6626 }
6627 
6628 /*
6629  * Handles both IPv4 and IPv6 reassembly - doing the out-of-order cases,
6630  * When an ipf is passed here for the first time, if
6631  * we already have in-order fragments on the queue, we convert from the fast-
6632  * path reassembly scheme to the hard-case scheme.  From then on, additional
6633  * fragments are reassembled here.  We keep track of the start and end offsets
6634  * of each piece, and the number of holes in the chain.  When the hole count
6635  * goes to zero, we are done!
6636  *
6637  * The ipf_count will be updated to account for any mblk(s) added (pointed to
6638  * by mp) or subtracted (freeb()ed dups), upon return the caller must update
6639  * ipfb_count and ill_frag_count by the difference of ipf_count before and
6640  * after the call to ip_reassemble().
6641  */
6642 int
6643 ip_reassemble(mblk_t *mp, ipf_t *ipf, uint_t start, boolean_t more, ill_t *ill,
6644     size_t msg_len)
6645 {
6646         uint_t  end;
6647         mblk_t  *next_mp;
6648         mblk_t  *mp1;
6649         uint_t  offset;
6650         boolean_t incr_dups = B_TRUE;
6651         boolean_t offset_zero_seen = B_FALSE;
6652         boolean_t pkt_boundary_checked = B_FALSE;
6653 
6654         /* If start == 0 then ipf_nf_hdr_len has to be set. */
6655         ASSERT(start != 0 || ipf->ipf_nf_hdr_len != 0);
6656 
6657         /* Add in byte count */
6658         ipf->ipf_count += msg_len;
6659         if (ipf->ipf_end) {
6660                 /*
6661                  * We were part way through in-order reassembly, but now there
6662                  * is a hole.  We walk through messages already queued, and
6663                  * mark them for hard case reassembly.  We know that up till
6664                  * now they were in order starting from offset zero.
6665                  */
6666                 offset = 0;
6667                 for (mp1 = ipf->ipf_mp->b_cont; mp1; mp1 = mp1->b_cont) {
6668                         IP_REASS_SET_START(mp1, offset);
6669                         if (offset == 0) {
6670                                 ASSERT(ipf->ipf_nf_hdr_len != 0);
6671                                 offset = -ipf->ipf_nf_hdr_len;
6672                         }
6673                         offset += mp1->b_wptr - mp1->b_rptr;
6674                         IP_REASS_SET_END(mp1, offset);
6675                 }
6676                 /* One hole at the end. */
6677                 ipf->ipf_hole_cnt = 1;
6678                 /* Brand it as a hard case, forever. */
6679                 ipf->ipf_end = 0;
6680         }
6681         /* Walk through all the new pieces. */
6682         do {
6683                 end = start + (mp->b_wptr - mp->b_rptr);
6684                 /*
6685                  * If start is 0, decrease 'end' only for the first mblk of
6686                  * the fragment. Otherwise 'end' can get wrong value in the
6687                  * second pass of the loop if first mblk is exactly the
6688                  * size of ipf_nf_hdr_len.
6689                  */
6690                 if (start == 0 && !offset_zero_seen) {
6691                         /* First segment */
6692                         ASSERT(ipf->ipf_nf_hdr_len != 0);
6693                         end -= ipf->ipf_nf_hdr_len;
6694                         offset_zero_seen = B_TRUE;
6695                 }
6696                 next_mp = mp->b_cont;
6697                 /*
6698                  * We are checking to see if there is any interesing data
6699                  * to process.  If there isn't and the mblk isn't the
6700                  * one which carries the unfragmentable header then we
6701                  * drop it.  It's possible to have just the unfragmentable
6702                  * header come through without any data.  That needs to be
6703                  * saved.
6704                  *
6705                  * If the assert at the top of this function holds then the
6706                  * term "ipf->ipf_nf_hdr_len != 0" isn't needed.  This code
6707                  * is infrequently traveled enough that the test is left in
6708                  * to protect against future code changes which break that
6709                  * invariant.
6710                  */
6711                 if (start == end && start != 0 && ipf->ipf_nf_hdr_len != 0) {
6712                         /* Empty.  Blast it. */
6713                         IP_REASS_SET_START(mp, 0);
6714                         IP_REASS_SET_END(mp, 0);
6715                         /*
6716                          * If the ipf points to the mblk we are about to free,
6717                          * update ipf to point to the next mblk (or NULL
6718                          * if none).
6719                          */
6720                         if (ipf->ipf_mp->b_cont == mp)
6721                                 ipf->ipf_mp->b_cont = next_mp;
6722                         freeb(mp);
6723                         continue;
6724                 }
6725                 mp->b_cont = NULL;
6726                 IP_REASS_SET_START(mp, start);
6727                 IP_REASS_SET_END(mp, end);
6728                 if (!ipf->ipf_tail_mp) {
6729                         ipf->ipf_tail_mp = mp;
6730                         ipf->ipf_mp->b_cont = mp;
6731                         if (start == 0 || !more) {
6732                                 ipf->ipf_hole_cnt = 1;
6733                                 /*
6734                                  * if the first fragment comes in more than one
6735                                  * mblk, this loop will be executed for each
6736                                  * mblk. Need to adjust hole count so exiting
6737                                  * this routine will leave hole count at 1.
6738                                  */
6739                                 if (next_mp)
6740                                         ipf->ipf_hole_cnt++;
6741                         } else
6742                                 ipf->ipf_hole_cnt = 2;
6743                         continue;
6744                 } else if (ipf->ipf_last_frag_seen && !more &&
6745                     !pkt_boundary_checked) {
6746                         /*
6747                          * We check datagram boundary only if this fragment
6748                          * claims to be the last fragment and we have seen a
6749                          * last fragment in the past too. We do this only
6750                          * once for a given fragment.
6751                          *
6752                          * start cannot be 0 here as fragments with start=0
6753                          * and MF=0 gets handled as a complete packet. These
6754                          * fragments should not reach here.
6755                          */
6756 
6757                         if (start + msgdsize(mp) !=
6758                             IP_REASS_END(ipf->ipf_tail_mp)) {
6759                                 /*
6760                                  * We have two fragments both of which claim
6761                                  * to be the last fragment but gives conflicting
6762                                  * information about the whole datagram size.
6763                                  * Something fishy is going on. Drop the
6764                                  * fragment and free up the reassembly list.
6765                                  */
6766                                 return (IP_REASS_FAILED);
6767                         }
6768 
6769                         /*
6770                          * We shouldn't come to this code block again for this
6771                          * particular fragment.
6772                          */
6773                         pkt_boundary_checked = B_TRUE;
6774                 }
6775 
6776                 /* New stuff at or beyond tail? */
6777                 offset = IP_REASS_END(ipf->ipf_tail_mp);
6778                 if (start >= offset) {
6779                         if (ipf->ipf_last_frag_seen) {
6780                                 /* current fragment is beyond last fragment */
6781                                 return (IP_REASS_FAILED);
6782                         }
6783                         /* Link it on end. */
6784                         ipf->ipf_tail_mp->b_cont = mp;
6785                         ipf->ipf_tail_mp = mp;
6786                         if (more) {
6787                                 if (start != offset)
6788                                         ipf->ipf_hole_cnt++;
6789                         } else if (start == offset && next_mp == NULL)
6790                                         ipf->ipf_hole_cnt--;
6791                         continue;
6792                 }
6793                 mp1 = ipf->ipf_mp->b_cont;
6794                 offset = IP_REASS_START(mp1);
6795                 /* New stuff at the front? */
6796                 if (start < offset) {
6797                         if (start == 0) {
6798                                 if (end >= offset) {
6799                                         /* Nailed the hole at the begining. */
6800                                         ipf->ipf_hole_cnt--;
6801                                 }
6802                         } else if (end < offset) {
6803                                 /*
6804                                  * A hole, stuff, and a hole where there used
6805                                  * to be just a hole.
6806                                  */
6807                                 ipf->ipf_hole_cnt++;
6808                         }
6809                         mp->b_cont = mp1;
6810                         /* Check for overlap. */
6811                         while (end > offset) {
6812                                 if (end < IP_REASS_END(mp1)) {
6813                                         mp->b_wptr -= end - offset;
6814                                         IP_REASS_SET_END(mp, offset);
6815                                         BUMP_MIB(ill->ill_ip_mib,
6816                                             ipIfStatsReasmPartDups);
6817                                         break;
6818                                 }
6819                                 /* Did we cover another hole? */
6820                                 if ((mp1->b_cont &&
6821                                     IP_REASS_END(mp1) !=
6822                                     IP_REASS_START(mp1->b_cont) &&
6823                                     end >= IP_REASS_START(mp1->b_cont)) ||
6824                                     (!ipf->ipf_last_frag_seen && !more)) {
6825                                         ipf->ipf_hole_cnt--;
6826                                 }
6827                                 /* Clip out mp1. */
6828                                 if ((mp->b_cont = mp1->b_cont) == NULL) {
6829                                         /*
6830                                          * After clipping out mp1, this guy
6831                                          * is now hanging off the end.
6832                                          */
6833                                         ipf->ipf_tail_mp = mp;
6834                                 }
6835                                 IP_REASS_SET_START(mp1, 0);
6836                                 IP_REASS_SET_END(mp1, 0);
6837                                 /* Subtract byte count */
6838                                 ipf->ipf_count -= mp1->b_datap->db_lim -
6839                                     mp1->b_datap->db_base;
6840                                 freeb(mp1);
6841                                 BUMP_MIB(ill->ill_ip_mib,
6842                                     ipIfStatsReasmPartDups);
6843                                 mp1 = mp->b_cont;
6844                                 if (!mp1)
6845                                         break;
6846                                 offset = IP_REASS_START(mp1);
6847                         }
6848                         ipf->ipf_mp->b_cont = mp;
6849                         continue;
6850                 }
6851                 /*
6852                  * The new piece starts somewhere between the start of the head
6853                  * and before the end of the tail.
6854                  */
6855                 for (; mp1; mp1 = mp1->b_cont) {
6856                         offset = IP_REASS_END(mp1);
6857                         if (start < offset) {
6858                                 if (end <= offset) {
6859                                         /* Nothing new. */
6860                                         IP_REASS_SET_START(mp, 0);
6861                                         IP_REASS_SET_END(mp, 0);
6862                                         /* Subtract byte count */
6863                                         ipf->ipf_count -= mp->b_datap->db_lim -
6864                                             mp->b_datap->db_base;
6865                                         if (incr_dups) {
6866                                                 ipf->ipf_num_dups++;
6867                                                 incr_dups = B_FALSE;
6868                                         }
6869                                         freeb(mp);
6870                                         BUMP_MIB(ill->ill_ip_mib,
6871                                             ipIfStatsReasmDuplicates);
6872                                         break;
6873                                 }
6874                                 /*
6875                                  * Trim redundant stuff off beginning of new
6876                                  * piece.
6877                                  */
6878                                 IP_REASS_SET_START(mp, offset);
6879                                 mp->b_rptr += offset - start;
6880                                 BUMP_MIB(ill->ill_ip_mib,
6881                                     ipIfStatsReasmPartDups);
6882                                 start = offset;
6883                                 if (!mp1->b_cont) {
6884                                         /*
6885                                          * After trimming, this guy is now
6886                                          * hanging off the end.
6887                                          */
6888                                         mp1->b_cont = mp;
6889                                         ipf->ipf_tail_mp = mp;
6890                                         if (!more) {
6891                                                 ipf->ipf_hole_cnt--;
6892                                         }
6893                                         break;
6894                                 }
6895                         }
6896                         if (start >= IP_REASS_START(mp1->b_cont))
6897                                 continue;
6898                         /* Fill a hole */
6899                         if (start > offset)
6900                                 ipf->ipf_hole_cnt++;
6901                         mp->b_cont = mp1->b_cont;
6902                         mp1->b_cont = mp;
6903                         mp1 = mp->b_cont;
6904                         offset = IP_REASS_START(mp1);
6905                         if (end >= offset) {
6906                                 ipf->ipf_hole_cnt--;
6907                                 /* Check for overlap. */
6908                                 while (end > offset) {
6909                                         if (end < IP_REASS_END(mp1)) {
6910                                                 mp->b_wptr -= end - offset;
6911                                                 IP_REASS_SET_END(mp, offset);
6912                                                 /*
6913                                                  * TODO we might bump
6914                                                  * this up twice if there is
6915                                                  * overlap at both ends.
6916                                                  */
6917                                                 BUMP_MIB(ill->ill_ip_mib,
6918                                                     ipIfStatsReasmPartDups);
6919                                                 break;
6920                                         }
6921                                         /* Did we cover another hole? */
6922                                         if ((mp1->b_cont &&
6923                                             IP_REASS_END(mp1)
6924                                             != IP_REASS_START(mp1->b_cont) &&
6925                                             end >=
6926                                             IP_REASS_START(mp1->b_cont)) ||
6927                                             (!ipf->ipf_last_frag_seen &&
6928                                             !more)) {
6929                                                 ipf->ipf_hole_cnt--;
6930                                         }
6931                                         /* Clip out mp1. */
6932                                         if ((mp->b_cont = mp1->b_cont) ==
6933                                             NULL) {
6934                                                 /*
6935                                                  * After clipping out mp1,
6936                                                  * this guy is now hanging
6937                                                  * off the end.
6938                                                  */
6939                                                 ipf->ipf_tail_mp = mp;
6940                                         }
6941                                         IP_REASS_SET_START(mp1, 0);
6942                                         IP_REASS_SET_END(mp1, 0);
6943                                         /* Subtract byte count */
6944                                         ipf->ipf_count -=
6945                                             mp1->b_datap->db_lim -
6946                                             mp1->b_datap->db_base;
6947                                         freeb(mp1);
6948                                         BUMP_MIB(ill->ill_ip_mib,
6949                                             ipIfStatsReasmPartDups);
6950                                         mp1 = mp->b_cont;
6951                                         if (!mp1)
6952                                                 break;
6953                                         offset = IP_REASS_START(mp1);
6954                                 }
6955                         }
6956                         break;
6957                 }
6958         } while (start = end, mp = next_mp);
6959 
6960         /* Fragment just processed could be the last one. Remember this fact */
6961         if (!more)
6962                 ipf->ipf_last_frag_seen = B_TRUE;
6963 
6964         /* Still got holes? */
6965         if (ipf->ipf_hole_cnt)
6966                 return (IP_REASS_PARTIAL);
6967         /* Clean up overloaded fields to avoid upstream disasters. */
6968         for (mp1 = ipf->ipf_mp->b_cont; mp1; mp1 = mp1->b_cont) {
6969                 IP_REASS_SET_START(mp1, 0);
6970                 IP_REASS_SET_END(mp1, 0);
6971         }
6972         return (IP_REASS_COMPLETE);
6973 }
6974 
6975 /*
6976  * Fragmentation reassembly.  Each ILL has a hash table for
6977  * queuing packets undergoing reassembly for all IPIFs
6978  * associated with the ILL.  The hash is based on the packet
6979  * IP ident field.  The ILL frag hash table was allocated
6980  * as a timer block at the time the ILL was created.  Whenever
6981  * there is anything on the reassembly queue, the timer will
6982  * be running.  Returns the reassembled packet if reassembly completes.
6983  */
6984 mblk_t *
6985 ip_input_fragment(mblk_t *mp, ipha_t *ipha, ip_recv_attr_t *ira)
6986 {
6987         uint32_t        frag_offset_flags;
6988         mblk_t          *t_mp;
6989         ipaddr_t        dst;
6990         uint8_t         proto = ipha->ipha_protocol;
6991         uint32_t        sum_val;
6992         uint16_t        sum_flags;
6993         ipf_t           *ipf;
6994         ipf_t           **ipfp;
6995         ipfb_t          *ipfb;
6996         uint16_t        ident;
6997         uint32_t        offset;
6998         ipaddr_t        src;
6999         uint_t          hdr_length;
7000         uint32_t        end;
7001         mblk_t          *mp1;
7002         mblk_t          *tail_mp;
7003         size_t          count;
7004         size_t          msg_len;
7005         uint8_t         ecn_info = 0;
7006         uint32_t        packet_size;
7007         boolean_t       pruned = B_FALSE;
7008         ill_t           *ill = ira->ira_ill;
7009         ip_stack_t      *ipst = ill->ill_ipst;
7010 
7011         /*
7012          * Drop the fragmented as early as possible, if
7013          * we don't have resource(s) to re-assemble.
7014          */
7015         if (ipst->ips_ip_reass_queue_bytes == 0) {
7016                 freemsg(mp);
7017                 return (NULL);
7018         }
7019 
7020         /* Check for fragmentation offset; return if there's none */
7021         if ((frag_offset_flags = ntohs(ipha->ipha_fragment_offset_and_flags) &
7022             (IPH_MF | IPH_OFFSET)) == 0)
7023                 return (mp);
7024 
7025         /*
7026          * We utilize hardware computed checksum info only for UDP since
7027          * IP fragmentation is a normal occurrence for the protocol.  In
7028          * addition, checksum offload support for IP fragments carrying
7029          * UDP payload is commonly implemented across network adapters.
7030          */
7031         ASSERT(ira->ira_rill != NULL);
7032         if (proto == IPPROTO_UDP && dohwcksum &&
7033             ILL_HCKSUM_CAPABLE(ira->ira_rill) &&
7034             (DB_CKSUMFLAGS(mp) & (HCK_FULLCKSUM | HCK_PARTIALCKSUM))) {
7035                 mblk_t *mp1 = mp->b_cont;
7036                 int32_t len;
7037 
7038                 /* Record checksum information from the packet */
7039                 sum_val = (uint32_t)DB_CKSUM16(mp);
7040                 sum_flags = DB_CKSUMFLAGS(mp);
7041 
7042                 /* IP payload offset from beginning of mblk */
7043                 offset = ((uchar_t *)ipha + IPH_HDR_LENGTH(ipha)) - mp->b_rptr;
7044 
7045                 if ((sum_flags & HCK_PARTIALCKSUM) &&
7046                     (mp1 == NULL || mp1->b_cont == NULL) &&
7047                     offset >= DB_CKSUMSTART(mp) &&
7048                     ((len = offset - DB_CKSUMSTART(mp)) & 1) == 0) {
7049                         uint32_t adj;
7050                         /*
7051                          * Partial checksum has been calculated by hardware
7052                          * and attached to the packet; in addition, any
7053                          * prepended extraneous data is even byte aligned.
7054                          * If any such data exists, we adjust the checksum;
7055                          * this would also handle any postpended data.
7056                          */
7057                         IP_ADJCKSUM_PARTIAL(mp->b_rptr + DB_CKSUMSTART(mp),
7058                             mp, mp1, len, adj);
7059 
7060                         /* One's complement subtract extraneous checksum */
7061                         if (adj >= sum_val)
7062                                 sum_val = ~(adj - sum_val) & 0xFFFF;
7063                         else
7064                                 sum_val -= adj;
7065                 }
7066         } else {
7067                 sum_val = 0;
7068                 sum_flags = 0;
7069         }
7070 
7071         /* Clear hardware checksumming flag */
7072         DB_CKSUMFLAGS(mp) = 0;
7073 
7074         ident = ipha->ipha_ident;
7075         offset = (frag_offset_flags << 3) & 0xFFFF;
7076         src = ipha->ipha_src;
7077         dst = ipha->ipha_dst;
7078         hdr_length = IPH_HDR_LENGTH(ipha);
7079         end = ntohs(ipha->ipha_length) - hdr_length;
7080 
7081         /* If end == 0 then we have a packet with no data, so just free it */
7082         if (end == 0) {
7083                 freemsg(mp);
7084                 return (NULL);
7085         }
7086 
7087         /* Record the ECN field info. */
7088         ecn_info = (ipha->ipha_type_of_service & 0x3);
7089         if (offset != 0) {
7090                 /*
7091                  * If this isn't the first piece, strip the header, and
7092                  * add the offset to the end value.
7093                  */
7094                 mp->b_rptr += hdr_length;
7095                 end += offset;
7096         }
7097 
7098         /* Handle vnic loopback of fragments */
7099         if (mp->b_datap->db_ref > 2)
7100                 msg_len = 0;
7101         else
7102                 msg_len = MBLKSIZE(mp);
7103 
7104         tail_mp = mp;
7105         while (tail_mp->b_cont != NULL) {
7106                 tail_mp = tail_mp->b_cont;
7107                 if (tail_mp->b_datap->db_ref <= 2)
7108                         msg_len += MBLKSIZE(tail_mp);
7109         }
7110 
7111         /* If the reassembly list for this ILL will get too big, prune it */
7112         if ((msg_len + sizeof (*ipf) + ill->ill_frag_count) >=
7113             ipst->ips_ip_reass_queue_bytes) {
7114                 DTRACE_PROBE3(ip_reass_queue_bytes, uint_t, msg_len,
7115                     uint_t, ill->ill_frag_count,
7116                     uint_t, ipst->ips_ip_reass_queue_bytes);
7117                 ill_frag_prune(ill,
7118                     (ipst->ips_ip_reass_queue_bytes < msg_len) ? 0 :
7119                     (ipst->ips_ip_reass_queue_bytes - msg_len));
7120                 pruned = B_TRUE;
7121         }
7122 
7123         ipfb = &ill->ill_frag_hash_tbl[ILL_FRAG_HASH(src, ident)];
7124         mutex_enter(&ipfb->ipfb_lock);
7125 
7126         ipfp = &ipfb->ipfb_ipf;
7127         /* Try to find an existing fragment queue for this packet. */
7128         for (;;) {
7129                 ipf = ipfp[0];
7130                 if (ipf != NULL) {
7131                         /*
7132                          * It has to match on ident and src/dst address.
7133                          */
7134                         if (ipf->ipf_ident == ident &&
7135                             ipf->ipf_src == src &&
7136                             ipf->ipf_dst == dst &&
7137                             ipf->ipf_protocol == proto) {
7138                                 /*
7139                                  * If we have received too many
7140                                  * duplicate fragments for this packet
7141                                  * free it.
7142                                  */
7143                                 if (ipf->ipf_num_dups > ip_max_frag_dups) {
7144                                         ill_frag_free_pkts(ill, ipfb, ipf, 1);
7145                                         freemsg(mp);
7146                                         mutex_exit(&ipfb->ipfb_lock);
7147                                         return (NULL);
7148                                 }
7149                                 /* Found it. */
7150                                 break;
7151                         }
7152                         ipfp = &ipf->ipf_hash_next;
7153                         continue;
7154                 }
7155 
7156                 /*
7157                  * If we pruned the list, do we want to store this new
7158                  * fragment?. We apply an optimization here based on the
7159                  * fact that most fragments will be received in order.
7160                  * So if the offset of this incoming fragment is zero,
7161                  * it is the first fragment of a new packet. We will
7162                  * keep it.  Otherwise drop the fragment, as we have
7163                  * probably pruned the packet already (since the
7164                  * packet cannot be found).
7165                  */
7166                 if (pruned && offset != 0) {
7167                         mutex_exit(&ipfb->ipfb_lock);
7168                         freemsg(mp);
7169                         return (NULL);
7170                 }
7171 
7172                 if (ipfb->ipfb_frag_pkts >= MAX_FRAG_PKTS(ipst))  {
7173                         /*
7174                          * Too many fragmented packets in this hash
7175                          * bucket. Free the oldest.
7176                          */
7177                         ill_frag_free_pkts(ill, ipfb, ipfb->ipfb_ipf, 1);
7178                 }
7179 
7180                 /* New guy.  Allocate a frag message. */
7181                 mp1 = allocb(sizeof (*ipf), BPRI_MED);
7182                 if (mp1 == NULL) {
7183                         BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
7184                         ip_drop_input("ipIfStatsInDiscards", mp, ill);
7185                         freemsg(mp);
7186 reass_done:
7187                         mutex_exit(&ipfb->ipfb_lock);
7188                         return (NULL);
7189                 }
7190 
7191                 BUMP_MIB(ill->ill_ip_mib, ipIfStatsReasmReqds);
7192                 mp1->b_cont = mp;
7193 
7194                 /* Initialize the fragment header. */
7195                 ipf = (ipf_t *)mp1->b_rptr;
7196                 ipf->ipf_mp = mp1;
7197                 ipf->ipf_ptphn = ipfp;
7198                 ipfp[0] = ipf;
7199                 ipf->ipf_hash_next = NULL;
7200                 ipf->ipf_ident = ident;
7201                 ipf->ipf_protocol = proto;
7202                 ipf->ipf_src = src;
7203                 ipf->ipf_dst = dst;
7204                 ipf->ipf_nf_hdr_len = 0;
7205                 /* Record reassembly start time. */
7206                 ipf->ipf_timestamp = gethrestime_sec();
7207                 /* Record ipf generation and account for frag header */
7208                 ipf->ipf_gen = ill->ill_ipf_gen++;
7209                 ipf->ipf_count = MBLKSIZE(mp1);
7210                 ipf->ipf_last_frag_seen = B_FALSE;
7211                 ipf->ipf_ecn = ecn_info;
7212                 ipf->ipf_num_dups = 0;
7213                 ipfb->ipfb_frag_pkts++;
7214                 ipf->ipf_checksum = 0;
7215                 ipf->ipf_checksum_flags = 0;
7216 
7217                 /* Store checksum value in fragment header */
7218                 if (sum_flags != 0) {
7219                         sum_val = (sum_val & 0xFFFF) + (sum_val >> 16);
7220                         sum_val = (sum_val & 0xFFFF) + (sum_val >> 16);
7221                         ipf->ipf_checksum = sum_val;
7222                         ipf->ipf_checksum_flags = sum_flags;
7223                 }
7224 
7225                 /*
7226                  * We handle reassembly two ways.  In the easy case,
7227                  * where all the fragments show up in order, we do
7228                  * minimal bookkeeping, and just clip new pieces on
7229                  * the end.  If we ever see a hole, then we go off
7230                  * to ip_reassemble which has to mark the pieces and
7231                  * keep track of the number of holes, etc.  Obviously,
7232                  * the point of having both mechanisms is so we can
7233                  * handle the easy case as efficiently as possible.
7234                  */
7235                 if (offset == 0) {
7236                         /* Easy case, in-order reassembly so far. */
7237                         ipf->ipf_count += msg_len;
7238                         ipf->ipf_tail_mp = tail_mp;
7239                         /*
7240                          * Keep track of next expected offset in
7241                          * ipf_end.
7242                          */
7243                         ipf->ipf_end = end;
7244                         ipf->ipf_nf_hdr_len = hdr_length;
7245                 } else {
7246                         /* Hard case, hole at the beginning. */
7247                         ipf->ipf_tail_mp = NULL;
7248                         /*
7249                          * ipf_end == 0 means that we have given up
7250                          * on easy reassembly.
7251                          */
7252                         ipf->ipf_end = 0;
7253 
7254                         /* Forget checksum offload from now on */
7255                         ipf->ipf_checksum_flags = 0;
7256 
7257                         /*
7258                          * ipf_hole_cnt is set by ip_reassemble.
7259                          * ipf_count is updated by ip_reassemble.
7260                          * No need to check for return value here
7261                          * as we don't expect reassembly to complete
7262                          * or fail for the first fragment itself.
7263                          */
7264                         (void) ip_reassemble(mp, ipf,
7265                             (frag_offset_flags & IPH_OFFSET) << 3,
7266                             (frag_offset_flags & IPH_MF), ill, msg_len);
7267                 }
7268                 /* Update per ipfb and ill byte counts */
7269                 ipfb->ipfb_count += ipf->ipf_count;
7270                 ASSERT(ipfb->ipfb_count > 0);     /* Wraparound */
7271                 atomic_add_32(&ill->ill_frag_count, ipf->ipf_count);
7272                 /* If the frag timer wasn't already going, start it. */
7273                 mutex_enter(&ill->ill_lock);
7274                 ill_frag_timer_start(ill);
7275                 mutex_exit(&ill->ill_lock);
7276                 goto reass_done;
7277         }
7278 
7279         /*
7280          * If the packet's flag has changed (it could be coming up
7281          * from an interface different than the previous, therefore
7282          * possibly different checksum capability), then forget about
7283          * any stored checksum states.  Otherwise add the value to
7284          * the existing one stored in the fragment header.
7285          */
7286         if (sum_flags != 0 && sum_flags == ipf->ipf_checksum_flags) {
7287                 sum_val += ipf->ipf_checksum;
7288                 sum_val = (sum_val & 0xFFFF) + (sum_val >> 16);
7289                 sum_val = (sum_val & 0xFFFF) + (sum_val >> 16);
7290                 ipf->ipf_checksum = sum_val;
7291         } else if (ipf->ipf_checksum_flags != 0) {
7292                 /* Forget checksum offload from now on */
7293                 ipf->ipf_checksum_flags = 0;
7294         }
7295 
7296         /*
7297          * We have a new piece of a datagram which is already being
7298          * reassembled.  Update the ECN info if all IP fragments
7299          * are ECN capable.  If there is one which is not, clear
7300          * all the info.  If there is at least one which has CE
7301          * code point, IP needs to report that up to transport.
7302          */
7303         if (ecn_info != IPH_ECN_NECT && ipf->ipf_ecn != IPH_ECN_NECT) {
7304                 if (ecn_info == IPH_ECN_CE)
7305                         ipf->ipf_ecn = IPH_ECN_CE;
7306         } else {
7307                 ipf->ipf_ecn = IPH_ECN_NECT;
7308         }
7309         if (offset && ipf->ipf_end == offset) {
7310                 /* The new fragment fits at the end */
7311                 ipf->ipf_tail_mp->b_cont = mp;
7312                 /* Update the byte count */
7313                 ipf->ipf_count += msg_len;
7314                 /* Update per ipfb and ill byte counts */
7315                 ipfb->ipfb_count += msg_len;
7316                 ASSERT(ipfb->ipfb_count > 0);     /* Wraparound */
7317                 atomic_add_32(&ill->ill_frag_count, msg_len);
7318                 if (frag_offset_flags & IPH_MF) {
7319                         /* More to come. */
7320                         ipf->ipf_end = end;
7321                         ipf->ipf_tail_mp = tail_mp;
7322                         goto reass_done;
7323                 }
7324         } else {
7325                 /* Go do the hard cases. */
7326                 int ret;
7327 
7328                 if (offset == 0)
7329                         ipf->ipf_nf_hdr_len = hdr_length;
7330 
7331                 /* Save current byte count */
7332                 count = ipf->ipf_count;
7333                 ret = ip_reassemble(mp, ipf,
7334                     (frag_offset_flags & IPH_OFFSET) << 3,
7335                     (frag_offset_flags & IPH_MF), ill, msg_len);
7336                 /* Count of bytes added and subtracted (freeb()ed) */
7337                 count = ipf->ipf_count - count;
7338                 if (count) {
7339                         /* Update per ipfb and ill byte counts */
7340                         ipfb->ipfb_count += count;
7341                         ASSERT(ipfb->ipfb_count > 0); /* Wraparound */
7342                         atomic_add_32(&ill->ill_frag_count, count);
7343                 }
7344                 if (ret == IP_REASS_PARTIAL) {
7345                         goto reass_done;
7346                 } else if (ret == IP_REASS_FAILED) {
7347                         /* Reassembly failed. Free up all resources */
7348                         ill_frag_free_pkts(ill, ipfb, ipf, 1);
7349                         for (t_mp = mp; t_mp != NULL; t_mp = t_mp->b_cont) {
7350                                 IP_REASS_SET_START(t_mp, 0);
7351                                 IP_REASS_SET_END(t_mp, 0);
7352                         }
7353                         freemsg(mp);
7354                         goto reass_done;
7355                 }
7356                 /* We will reach here iff 'ret' is IP_REASS_COMPLETE */
7357         }
7358         /*
7359          * We have completed reassembly.  Unhook the frag header from
7360          * the reassembly list.
7361          *
7362          * Before we free the frag header, record the ECN info
7363          * to report back to the transport.
7364          */
7365         ecn_info = ipf->ipf_ecn;
7366         BUMP_MIB(ill->ill_ip_mib, ipIfStatsReasmOKs);
7367         ipfp = ipf->ipf_ptphn;
7368 
7369         /* We need to supply these to caller */
7370         if ((sum_flags = ipf->ipf_checksum_flags) != 0)
7371                 sum_val = ipf->ipf_checksum;
7372         else
7373                 sum_val = 0;
7374 
7375         mp1 = ipf->ipf_mp;
7376         count = ipf->ipf_count;
7377         ipf = ipf->ipf_hash_next;
7378         if (ipf != NULL)
7379                 ipf->ipf_ptphn = ipfp;
7380         ipfp[0] = ipf;
7381         atomic_add_32(&ill->ill_frag_count, -count);
7382         ASSERT(ipfb->ipfb_count >= count);
7383         ipfb->ipfb_count -= count;
7384         ipfb->ipfb_frag_pkts--;
7385         mutex_exit(&ipfb->ipfb_lock);
7386         /* Ditch the frag header. */
7387         mp = mp1->b_cont;
7388 
7389         freeb(mp1);
7390 
7391         /* Restore original IP length in header. */
7392         packet_size = (uint32_t)msgdsize(mp);
7393         if (packet_size > IP_MAXPACKET) {
7394                 BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
7395                 ip_drop_input("Reassembled packet too large", mp, ill);
7396                 freemsg(mp);
7397                 return (NULL);
7398         }
7399 
7400         if (DB_REF(mp) > 1) {
7401                 mblk_t *mp2 = copymsg(mp);
7402 
7403                 if (mp2 == NULL) {
7404                         BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
7405                         ip_drop_input("ipIfStatsInDiscards", mp, ill);
7406                         freemsg(mp);
7407                         return (NULL);
7408                 }
7409                 freemsg(mp);
7410                 mp = mp2;
7411         }
7412         ipha = (ipha_t *)mp->b_rptr;
7413 
7414         ipha->ipha_length = htons((uint16_t)packet_size);
7415         /* We're now complete, zip the frag state */
7416         ipha->ipha_fragment_offset_and_flags = 0;
7417         /* Record the ECN info. */
7418         ipha->ipha_type_of_service &= 0xFC;
7419         ipha->ipha_type_of_service |= ecn_info;
7420 
7421         /* Update the receive attributes */
7422         ira->ira_pktlen = packet_size;
7423         ira->ira_ip_hdr_length = IPH_HDR_LENGTH(ipha);
7424 
7425         /* Reassembly is successful; set checksum information in packet */
7426         DB_CKSUM16(mp) = (uint16_t)sum_val;
7427         DB_CKSUMFLAGS(mp) = sum_flags;
7428         DB_CKSUMSTART(mp) = ira->ira_ip_hdr_length;
7429 
7430         return (mp);
7431 }
7432 
7433 /*
7434  * Pullup function that should be used for IP input in order to
7435  * ensure we do not loose the L2 source address; we need the l2 source
7436  * address for IP_RECVSLLA and for ndp_input.
7437  *
7438  * We return either NULL or b_rptr.
7439  */
7440 void *
7441 ip_pullup(mblk_t *mp, ssize_t len, ip_recv_attr_t *ira)
7442 {
7443         ill_t           *ill = ira->ira_ill;
7444 
7445         if (ip_rput_pullups++ == 0) {
7446                 (void) mi_strlog(ill->ill_rq, 1, SL_ERROR|SL_TRACE,
7447                     "ip_pullup: %s forced us to "
7448                     " pullup pkt, hdr len %ld, hdr addr %p",
7449                     ill->ill_name, len, (void *)mp->b_rptr);
7450         }
7451         if (!(ira->ira_flags & IRAF_L2SRC_SET))
7452                 ip_setl2src(mp, ira, ira->ira_rill);
7453         ASSERT(ira->ira_flags & IRAF_L2SRC_SET);
7454         if (!pullupmsg(mp, len))
7455                 return (NULL);
7456         else
7457                 return (mp->b_rptr);
7458 }
7459 
7460 /*
7461  * Make sure ira_l2src has an address. If we don't have one fill with zeros.
7462  * When called from the ULP ira_rill will be NULL hence the caller has to
7463  * pass in the ill.
7464  */
7465 /* ARGSUSED */
7466 void
7467 ip_setl2src(mblk_t *mp, ip_recv_attr_t *ira, ill_t *ill)
7468 {
7469         const uchar_t *addr;
7470         int alen;
7471 
7472         if (ira->ira_flags & IRAF_L2SRC_SET)
7473                 return;
7474 
7475         ASSERT(ill != NULL);
7476         alen = ill->ill_phys_addr_length;
7477         ASSERT(alen <= sizeof (ira->ira_l2src));
7478         if (ira->ira_mhip != NULL &&
7479             (addr = ira->ira_mhip->mhi_saddr) != NULL) {
7480                 bcopy(addr, ira->ira_l2src, alen);
7481         } else if ((ira->ira_flags & IRAF_L2SRC_LOOPBACK) &&
7482             (addr = ill->ill_phys_addr) != NULL) {
7483                 bcopy(addr, ira->ira_l2src, alen);
7484         } else {
7485                 bzero(ira->ira_l2src, alen);
7486         }
7487         ira->ira_flags |= IRAF_L2SRC_SET;
7488 }
7489 
7490 /*
7491  * check ip header length and align it.
7492  */
7493 mblk_t *
7494 ip_check_and_align_header(mblk_t *mp, uint_t min_size, ip_recv_attr_t *ira)
7495 {
7496         ill_t   *ill = ira->ira_ill;
7497         ssize_t len;
7498 
7499         len = MBLKL(mp);
7500 
7501         if (!OK_32PTR(mp->b_rptr))
7502                 IP_STAT(ill->ill_ipst, ip_notaligned);
7503         else
7504                 IP_STAT(ill->ill_ipst, ip_recv_pullup);
7505 
7506         /* Guard against bogus device drivers */
7507         if (len < 0) {
7508                 BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
7509                 ip_drop_input("ipIfStatsInHdrErrors", mp, ill);
7510                 freemsg(mp);
7511                 return (NULL);
7512         }
7513 
7514         if (len == 0) {
7515                 /* GLD sometimes sends up mblk with b_rptr == b_wptr! */
7516                 mblk_t *mp1 = mp->b_cont;
7517 
7518                 if (!(ira->ira_flags & IRAF_L2SRC_SET))
7519                         ip_setl2src(mp, ira, ira->ira_rill);
7520                 ASSERT(ira->ira_flags & IRAF_L2SRC_SET);
7521 
7522                 freeb(mp);
7523                 mp = mp1;
7524                 if (mp == NULL)
7525                         return (NULL);
7526 
7527                 if (OK_32PTR(mp->b_rptr) && MBLKL(mp) >= min_size)
7528                         return (mp);
7529         }
7530         if (ip_pullup(mp, min_size, ira) == NULL) {
7531                 if (msgdsize(mp) < min_size) {
7532                         BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
7533                         ip_drop_input("ipIfStatsInHdrErrors", mp, ill);
7534                 } else {
7535                         BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
7536                         ip_drop_input("ipIfStatsInDiscards", mp, ill);
7537                 }
7538                 freemsg(mp);
7539                 return (NULL);
7540         }
7541         return (mp);
7542 }
7543 
7544 /*
7545  * Common code for IPv4 and IPv6 to check and pullup multi-mblks
7546  */
7547 mblk_t *
7548 ip_check_length(mblk_t *mp, uchar_t *rptr, ssize_t len, uint_t pkt_len,
7549     uint_t min_size, ip_recv_attr_t *ira)
7550 {
7551         ill_t   *ill = ira->ira_ill;
7552 
7553         /*
7554          * Make sure we have data length consistent
7555          * with the IP header.
7556          */
7557         if (mp->b_cont == NULL) {
7558                 /* pkt_len is based on ipha_len, not the mblk length */
7559                 if (pkt_len < min_size) {
7560                         BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
7561                         ip_drop_input("ipIfStatsInHdrErrors", mp, ill);
7562                         freemsg(mp);
7563                         return (NULL);
7564                 }
7565                 if (len < 0) {
7566                         BUMP_MIB(ill->ill_ip_mib, ipIfStatsInTruncatedPkts);
7567                         ip_drop_input("ipIfStatsInTruncatedPkts", mp, ill);
7568                         freemsg(mp);
7569                         return (NULL);
7570                 }
7571                 /* Drop any pad */
7572                 mp->b_wptr = rptr + pkt_len;
7573         } else if ((len += msgdsize(mp->b_cont)) != 0) {
7574                 ASSERT(pkt_len >= min_size);
7575                 if (pkt_len < min_size) {
7576                         BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
7577                         ip_drop_input("ipIfStatsInHdrErrors", mp, ill);
7578                         freemsg(mp);
7579                         return (NULL);
7580                 }
7581                 if (len < 0) {
7582                         BUMP_MIB(ill->ill_ip_mib, ipIfStatsInTruncatedPkts);
7583                         ip_drop_input("ipIfStatsInTruncatedPkts", mp, ill);
7584                         freemsg(mp);
7585                         return (NULL);
7586                 }
7587                 /* Drop any pad */
7588                 (void) adjmsg(mp, -len);
7589                 /*
7590                  * adjmsg may have freed an mblk from the chain, hence
7591                  * invalidate any hw checksum here. This will force IP to
7592                  * calculate the checksum in sw, but only for this packet.
7593                  */
7594                 DB_CKSUMFLAGS(mp) = 0;
7595                 IP_STAT(ill->ill_ipst, ip_multimblk);
7596         }
7597         return (mp);
7598 }
7599 
7600 /*
7601  * Check that the IPv4 opt_len is consistent with the packet and pullup
7602  * the options.
7603  */
7604 mblk_t *
7605 ip_check_optlen(mblk_t *mp, ipha_t *ipha, uint_t opt_len, uint_t pkt_len,
7606     ip_recv_attr_t *ira)
7607 {
7608         ill_t   *ill = ira->ira_ill;
7609         ssize_t len;
7610 
7611         /* Assume no IPv6 packets arrive over the IPv4 queue */
7612         if (IPH_HDR_VERSION(ipha) != IPV4_VERSION) {
7613                 BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
7614                 BUMP_MIB(ill->ill_ip_mib, ipIfStatsInWrongIPVersion);
7615                 ip_drop_input("IPvN packet on IPv4 ill", mp, ill);
7616                 freemsg(mp);
7617                 return (NULL);
7618         }
7619 
7620         if (opt_len > (15 - IP_SIMPLE_HDR_LENGTH_IN_WORDS)) {
7621                 BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
7622                 ip_drop_input("ipIfStatsInHdrErrors", mp, ill);
7623                 freemsg(mp);
7624                 return (NULL);
7625         }
7626         /*
7627          * Recompute complete header length and make sure we
7628          * have access to all of it.
7629          */
7630         len = ((size_t)opt_len + IP_SIMPLE_HDR_LENGTH_IN_WORDS) << 2;
7631         if (len > (mp->b_wptr - mp->b_rptr)) {
7632                 if (len > pkt_len) {
7633                         BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
7634                         ip_drop_input("ipIfStatsInHdrErrors", mp, ill);
7635                         freemsg(mp);
7636                         return (NULL);
7637                 }
7638                 if (ip_pullup(mp, len, ira) == NULL) {
7639                         BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
7640                         ip_drop_input("ipIfStatsInDiscards", mp, ill);
7641                         freemsg(mp);
7642                         return (NULL);
7643                 }
7644         }
7645         return (mp);
7646 }
7647 
7648 /*
7649  * Returns a new ire, or the same ire, or NULL.
7650  * If a different IRE is returned, then it is held; the caller
7651  * needs to release it.
7652  * In no case is there any hold/release on the ire argument.
7653  */
7654 ire_t *
7655 ip_check_multihome(void *addr, ire_t *ire, ill_t *ill)
7656 {
7657         ire_t           *new_ire;
7658         ill_t           *ire_ill;
7659         uint_t          ifindex;
7660         ip_stack_t      *ipst = ill->ill_ipst;
7661         boolean_t       strict_check = B_FALSE;
7662 
7663         /*
7664          * IPMP common case: if IRE and ILL are in the same group, there's no
7665          * issue (e.g. packet received on an underlying interface matched an
7666          * IRE_LOCAL on its associated group interface).
7667          */
7668         ASSERT(ire->ire_ill != NULL);
7669         if (IS_IN_SAME_ILLGRP(ill, ire->ire_ill))
7670                 return (ire);
7671 
7672         /*
7673          * Do another ire lookup here, using the ingress ill, to see if the
7674          * interface is in a usesrc group.
7675          * As long as the ills belong to the same group, we don't consider
7676          * them to be arriving on the wrong interface. Thus, if the switch
7677          * is doing inbound load spreading, we won't drop packets when the
7678          * ip*_strict_dst_multihoming switch is on.
7679          * We also need to check for IPIF_UNNUMBERED point2point interfaces
7680          * where the local address may not be unique. In this case we were
7681          * at the mercy of the initial ire lookup and the IRE_LOCAL it
7682          * actually returned. The new lookup, which is more specific, should
7683          * only find the IRE_LOCAL associated with the ingress ill if one
7684          * exists.
7685          */
7686         if (ire->ire_ipversion == IPV4_VERSION) {
7687                 if (ipst->ips_ip_strict_dst_multihoming)
7688                         strict_check = B_TRUE;
7689                 new_ire = ire_ftable_lookup_v4(*((ipaddr_t *)addr), 0, 0,
7690                     IRE_LOCAL, ill, ALL_ZONES, NULL,
7691                     (MATCH_IRE_TYPE|MATCH_IRE_ILL), 0, ipst, NULL);
7692         } else {
7693                 ASSERT(!IN6_IS_ADDR_MULTICAST((in6_addr_t *)addr));
7694                 if (ipst->ips_ipv6_strict_dst_multihoming)
7695                         strict_check = B_TRUE;
7696                 new_ire = ire_ftable_lookup_v6((in6_addr_t *)addr, NULL, NULL,
7697                     IRE_LOCAL, ill, ALL_ZONES, NULL,
7698                     (MATCH_IRE_TYPE|MATCH_IRE_ILL), 0, ipst, NULL);
7699         }
7700         /*
7701          * If the same ire that was returned in ip_input() is found then this
7702          * is an indication that usesrc groups are in use. The packet
7703          * arrived on a different ill in the group than the one associated with
7704          * the destination address.  If a different ire was found then the same
7705          * IP address must be hosted on multiple ills. This is possible with
7706          * unnumbered point2point interfaces. We switch to use this new ire in
7707          * order to have accurate interface statistics.
7708          */
7709         if (new_ire != NULL) {
7710                 /* Note: held in one case but not the other? Caller handles */
7711                 if (new_ire != ire)
7712                         return (new_ire);
7713                 /* Unchanged */
7714                 ire_refrele(new_ire);
7715                 return (ire);
7716         }
7717 
7718         /*
7719          * Chase pointers once and store locally.
7720          */
7721         ASSERT(ire->ire_ill != NULL);
7722         ire_ill = ire->ire_ill;
7723         ifindex = ill->ill_usesrc_ifindex;
7724 
7725         /*
7726          * Check if it's a legal address on the 'usesrc' interface.
7727          * For IPMP data addresses the IRE_LOCAL is the upper, hence we
7728          * can just check phyint_ifindex.
7729          */
7730         if (ifindex != 0 && ifindex == ire_ill->ill_phyint->phyint_ifindex) {
7731                 return (ire);
7732         }
7733 
7734         /*
7735          * If the ip*_strict_dst_multihoming switch is on then we can
7736          * only accept this packet if the interface is marked as routing.
7737          */
7738         if (!(strict_check))
7739                 return (ire);
7740 
7741         if ((ill->ill_flags & ire->ire_ill->ill_flags & ILLF_ROUTER) != 0) {
7742                 return (ire);
7743         }
7744         return (NULL);
7745 }
7746 
7747 /*
7748  * This function is used to construct a mac_header_info_s from a
7749  * DL_UNITDATA_IND message.
7750  * The address fields in the mhi structure points into the message,
7751  * thus the caller can't use those fields after freeing the message.
7752  *
7753  * We determine whether the packet received is a non-unicast packet
7754  * and in doing so, determine whether or not it is broadcast vs multicast.
7755  * For it to be a broadcast packet, we must have the appropriate mblk_t
7756  * hanging off the ill_t.  If this is either not present or doesn't match
7757  * the destination mac address in the DL_UNITDATA_IND, the packet is deemed
7758  * to be multicast.  Thus NICs that have no broadcast address (or no
7759  * capability for one, such as point to point links) cannot return as
7760  * the packet being broadcast.
7761  */
7762 void
7763 ip_dlur_to_mhi(ill_t *ill, mblk_t *mb, struct mac_header_info_s *mhip)
7764 {
7765         dl_unitdata_ind_t *ind = (dl_unitdata_ind_t *)mb->b_rptr;
7766         mblk_t *bmp;
7767         uint_t extra_offset;
7768 
7769         bzero(mhip, sizeof (struct mac_header_info_s));
7770 
7771         mhip->mhi_dsttype = MAC_ADDRTYPE_UNICAST;
7772 
7773         if (ill->ill_sap_length < 0)
7774                 extra_offset = 0;
7775         else
7776                 extra_offset = ill->ill_sap_length;
7777 
7778         mhip->mhi_daddr = (uchar_t *)ind + ind->dl_dest_addr_offset +
7779             extra_offset;
7780         mhip->mhi_saddr = (uchar_t *)ind + ind->dl_src_addr_offset +
7781             extra_offset;
7782 
7783         if (!ind->dl_group_address)
7784                 return;
7785 
7786         /* Multicast or broadcast */
7787         mhip->mhi_dsttype = MAC_ADDRTYPE_MULTICAST;
7788 
7789         if (ind->dl_dest_addr_offset > sizeof (*ind) &&
7790             ind->dl_dest_addr_offset + ind->dl_dest_addr_length < MBLKL(mb) &&
7791             (bmp = ill->ill_bcast_mp) != NULL) {
7792                 dl_unitdata_req_t *dlur;
7793                 uint8_t *bphys_addr;
7794 
7795                 dlur = (dl_unitdata_req_t *)bmp->b_rptr;
7796                 bphys_addr = (uchar_t *)dlur + dlur->dl_dest_addr_offset +
7797                     extra_offset;
7798 
7799                 if (bcmp(mhip->mhi_daddr, bphys_addr,
7800                     ind->dl_dest_addr_length) == 0)
7801                         mhip->mhi_dsttype = MAC_ADDRTYPE_BROADCAST;
7802         }
7803 }
7804 
7805 /*
7806  * This function is used to construct a mac_header_info_s from a
7807  * M_DATA fastpath message from a DLPI driver.
7808  * The address fields in the mhi structure points into the message,
7809  * thus the caller can't use those fields after freeing the message.
7810  *
7811  * We determine whether the packet received is a non-unicast packet
7812  * and in doing so, determine whether or not it is broadcast vs multicast.
7813  * For it to be a broadcast packet, we must have the appropriate mblk_t
7814  * hanging off the ill_t.  If this is either not present or doesn't match
7815  * the destination mac address in the DL_UNITDATA_IND, the packet is deemed
7816  * to be multicast.  Thus NICs that have no broadcast address (or no
7817  * capability for one, such as point to point links) cannot return as
7818  * the packet being broadcast.
7819  */
7820 void
7821 ip_mdata_to_mhi(ill_t *ill, mblk_t *mp, struct mac_header_info_s *mhip)
7822 {
7823         mblk_t *bmp;
7824         struct ether_header *pether;
7825 
7826         bzero(mhip, sizeof (struct mac_header_info_s));
7827 
7828         mhip->mhi_dsttype = MAC_ADDRTYPE_UNICAST;
7829 
7830         pether = (struct ether_header *)((char *)mp->b_rptr
7831             - sizeof (struct ether_header));
7832 
7833         /*
7834          * Make sure the interface is an ethernet type, since we don't
7835          * know the header format for anything but Ethernet. Also make
7836          * sure we are pointing correctly above db_base.
7837          */
7838         if (ill->ill_type != IFT_ETHER)
7839                 return;
7840 
7841 retry:
7842         if ((uchar_t *)pether < mp->b_datap->db_base)
7843                 return;
7844 
7845         /* Is there a VLAN tag? */
7846         if (ill->ill_isv6) {
7847                 if (pether->ether_type != htons(ETHERTYPE_IPV6)) {
7848                         pether = (struct ether_header *)((char *)pether - 4);
7849                         goto retry;
7850                 }
7851         } else {
7852                 if (pether->ether_type != htons(ETHERTYPE_IP)) {
7853                         pether = (struct ether_header *)((char *)pether - 4);
7854                         goto retry;
7855                 }
7856         }
7857         mhip->mhi_daddr = (uchar_t *)&pether->ether_dhost;
7858         mhip->mhi_saddr = (uchar_t *)&pether->ether_shost;
7859 
7860         if (!(mhip->mhi_daddr[0] & 0x01))
7861                 return;
7862 
7863         /* Multicast or broadcast */
7864         mhip->mhi_dsttype = MAC_ADDRTYPE_MULTICAST;
7865 
7866         if ((bmp = ill->ill_bcast_mp) != NULL) {
7867                 dl_unitdata_req_t *dlur;
7868                 uint8_t *bphys_addr;
7869                 uint_t  addrlen;
7870 
7871                 dlur = (dl_unitdata_req_t *)bmp->b_rptr;
7872                 addrlen = dlur->dl_dest_addr_length;
7873                 if (ill->ill_sap_length < 0) {
7874                         bphys_addr = (uchar_t *)dlur +
7875                             dlur->dl_dest_addr_offset;
7876                         addrlen += ill->ill_sap_length;
7877                 } else {
7878                         bphys_addr = (uchar_t *)dlur +
7879                             dlur->dl_dest_addr_offset +
7880                             ill->ill_sap_length;
7881                         addrlen -= ill->ill_sap_length;
7882                 }
7883                 if (bcmp(mhip->mhi_daddr, bphys_addr, addrlen) == 0)
7884                         mhip->mhi_dsttype = MAC_ADDRTYPE_BROADCAST;
7885         }
7886 }
7887 
7888 /*
7889  * Handle anything but M_DATA messages
7890  * We see the DL_UNITDATA_IND which are part
7891  * of the data path, and also the other messages from the driver.
7892  */
7893 void
7894 ip_rput_notdata(ill_t *ill, mblk_t *mp)
7895 {
7896         mblk_t          *first_mp;
7897         struct iocblk   *iocp;
7898         struct mac_header_info_s mhi;
7899 
7900         switch (DB_TYPE(mp)) {
7901         case M_PROTO:
7902         case M_PCPROTO: {
7903                 if (((dl_unitdata_ind_t *)mp->b_rptr)->dl_primitive !=
7904                     DL_UNITDATA_IND) {
7905                         /* Go handle anything other than data elsewhere. */
7906                         ip_rput_dlpi(ill, mp);
7907                         return;
7908                 }
7909 
7910                 first_mp = mp;
7911                 mp = first_mp->b_cont;
7912                 first_mp->b_cont = NULL;
7913 
7914                 if (mp == NULL) {
7915                         freeb(first_mp);
7916                         return;
7917                 }
7918                 ip_dlur_to_mhi(ill, first_mp, &mhi);
7919                 if (ill->ill_isv6)
7920                         ip_input_v6(ill, NULL, mp, &mhi);
7921                 else
7922                         ip_input(ill, NULL, mp, &mhi);
7923 
7924                 /* Ditch the DLPI header. */
7925                 freeb(first_mp);
7926                 return;
7927         }
7928         case M_IOCACK:
7929                 iocp = (struct iocblk *)mp->b_rptr;
7930                 switch (iocp->ioc_cmd) {
7931                 case DL_IOC_HDR_INFO:
7932                         ill_fastpath_ack(ill, mp);
7933                         return;
7934                 default:
7935                         putnext(ill->ill_rq, mp);
7936                         return;
7937                 }
7938                 /* FALLTHRU */
7939         case M_ERROR:
7940         case M_HANGUP:
7941                 mutex_enter(&ill->ill_lock);
7942                 if (ill->ill_state_flags & ILL_CONDEMNED) {
7943                         mutex_exit(&ill->ill_lock);
7944                         freemsg(mp);
7945                         return;
7946                 }
7947                 ill_refhold_locked(ill);
7948                 mutex_exit(&ill->ill_lock);
7949                 qwriter_ip(ill, ill->ill_rq, mp, ip_rput_other, CUR_OP,
7950                     B_FALSE);
7951                 return;
7952         case M_CTL:
7953                 putnext(ill->ill_rq, mp);
7954                 return;
7955         case M_IOCNAK:
7956                 ip1dbg(("got iocnak "));
7957                 iocp = (struct iocblk *)mp->b_rptr;
7958                 switch (iocp->ioc_cmd) {
7959                 case DL_IOC_HDR_INFO:
7960                         ip_rput_other(NULL, ill->ill_rq, mp, NULL);
7961                         return;
7962                 default:
7963                         break;
7964                 }
7965                 /* FALLTHRU */
7966         default:
7967                 putnext(ill->ill_rq, mp);
7968                 return;
7969         }
7970 }
7971 
7972 /* Read side put procedure.  Packets coming from the wire arrive here. */
7973 void
7974 ip_rput(queue_t *q, mblk_t *mp)
7975 {
7976         ill_t   *ill;
7977         union DL_primitives *dl;
7978 
7979         ill = (ill_t *)q->q_ptr;
7980 
7981         if (ill->ill_state_flags & (ILL_CONDEMNED | ILL_LL_SUBNET_PENDING)) {
7982                 /*
7983                  * If things are opening or closing, only accept high-priority
7984                  * DLPI messages.  (On open ill->ill_ipif has not yet been
7985                  * created; on close, things hanging off the ill may have been
7986                  * freed already.)
7987                  */
7988                 dl = (union DL_primitives *)mp->b_rptr;
7989                 if (DB_TYPE(mp) != M_PCPROTO ||
7990                     dl->dl_primitive == DL_UNITDATA_IND) {
7991                         inet_freemsg(mp);
7992                         return;
7993                 }
7994         }
7995         if (DB_TYPE(mp) == M_DATA) {
7996                 struct mac_header_info_s mhi;
7997 
7998                 ip_mdata_to_mhi(ill, mp, &mhi);
7999                 ip_input(ill, NULL, mp, &mhi);
8000         } else {
8001                 ip_rput_notdata(ill, mp);
8002         }
8003 }
8004 
8005 /*
8006  * Move the information to a copy.
8007  */
8008 mblk_t *
8009 ip_fix_dbref(mblk_t *mp, ip_recv_attr_t *ira)
8010 {
8011         mblk_t          *mp1;
8012         ill_t           *ill = ira->ira_ill;
8013         ip_stack_t      *ipst = ill->ill_ipst;
8014 
8015         IP_STAT(ipst, ip_db_ref);
8016 
8017         /* Make sure we have ira_l2src before we loose the original mblk */
8018         if (!(ira->ira_flags & IRAF_L2SRC_SET))
8019                 ip_setl2src(mp, ira, ira->ira_rill);
8020 
8021         mp1 = copymsg(mp);
8022         if (mp1 == NULL) {
8023                 BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
8024                 ip_drop_input("ipIfStatsInDiscards", mp, ill);
8025                 freemsg(mp);
8026                 return (NULL);
8027         }
8028         /* preserve the hardware checksum flags and data, if present */
8029         if (DB_CKSUMFLAGS(mp) != 0) {
8030                 DB_CKSUMFLAGS(mp1) = DB_CKSUMFLAGS(mp);
8031                 DB_CKSUMSTART(mp1) = DB_CKSUMSTART(mp);
8032                 DB_CKSUMSTUFF(mp1) = DB_CKSUMSTUFF(mp);
8033                 DB_CKSUMEND(mp1) = DB_CKSUMEND(mp);
8034                 DB_CKSUM16(mp1) = DB_CKSUM16(mp);
8035         }
8036         freemsg(mp);
8037         return (mp1);
8038 }
8039 
8040 static void
8041 ip_dlpi_error(ill_t *ill, t_uscalar_t prim, t_uscalar_t dl_err,
8042     t_uscalar_t err)
8043 {
8044         if (dl_err == DL_SYSERR) {
8045                 (void) mi_strlog(ill->ill_rq, 1, SL_CONSOLE|SL_ERROR|SL_TRACE,
8046                     "%s: %s failed: DL_SYSERR (errno %u)\n",
8047                     ill->ill_name, dl_primstr(prim), err);
8048                 return;
8049         }
8050 
8051         (void) mi_strlog(ill->ill_rq, 1, SL_CONSOLE|SL_ERROR|SL_TRACE,
8052             "%s: %s failed: %s\n", ill->ill_name, dl_primstr(prim),
8053             dl_errstr(dl_err));
8054 }
8055 
8056 /*
8057  * ip_rput_dlpi is called by ip_rput to handle all DLPI messages other
8058  * than DL_UNITDATA_IND messages. If we need to process this message
8059  * exclusively, we call qwriter_ip, in which case we also need to call
8060  * ill_refhold before that, since qwriter_ip does an ill_refrele.
8061  */
8062 void
8063 ip_rput_dlpi(ill_t *ill, mblk_t *mp)
8064 {
8065         dl_ok_ack_t     *dloa = (dl_ok_ack_t *)mp->b_rptr;
8066         dl_error_ack_t  *dlea = (dl_error_ack_t *)dloa;
8067         queue_t         *q = ill->ill_rq;
8068         t_uscalar_t     prim = dloa->dl_primitive;
8069         t_uscalar_t     reqprim = DL_PRIM_INVAL;
8070 
8071         DTRACE_PROBE3(ill__dlpi, char *, "ip_rput_dlpi",
8072             char *, dl_primstr(prim), ill_t *, ill);
8073         ip1dbg(("ip_rput_dlpi"));
8074 
8075         /*
8076          * If we received an ACK but didn't send a request for it, then it
8077          * can't be part of any pending operation; discard up-front.
8078          */
8079         switch (prim) {
8080         case DL_ERROR_ACK:
8081                 reqprim = dlea->dl_error_primitive;
8082                 ip2dbg(("ip_rput_dlpi(%s): DL_ERROR_ACK for %s (0x%x): %s "
8083                     "(0x%x), unix %u\n", ill->ill_name, dl_primstr(reqprim),
8084                     reqprim, dl_errstr(dlea->dl_errno), dlea->dl_errno,
8085                     dlea->dl_unix_errno));
8086                 break;
8087         case DL_OK_ACK:
8088                 reqprim = dloa->dl_correct_primitive;
8089                 break;
8090         case DL_INFO_ACK:
8091                 reqprim = DL_INFO_REQ;
8092                 break;
8093         case DL_BIND_ACK:
8094                 reqprim = DL_BIND_REQ;
8095                 break;
8096         case DL_PHYS_ADDR_ACK:
8097                 reqprim = DL_PHYS_ADDR_REQ;
8098                 break;
8099         case DL_NOTIFY_ACK:
8100                 reqprim = DL_NOTIFY_REQ;
8101                 break;
8102         case DL_CAPABILITY_ACK:
8103                 reqprim = DL_CAPABILITY_REQ;
8104                 break;
8105         }
8106 
8107         if (prim != DL_NOTIFY_IND) {
8108                 if (reqprim == DL_PRIM_INVAL ||
8109                     !ill_dlpi_pending(ill, reqprim)) {
8110                         /* Not a DLPI message we support or expected */
8111                         freemsg(mp);
8112                         return;
8113                 }
8114                 ip1dbg(("ip_rput: received %s for %s\n", dl_primstr(prim),
8115                     dl_primstr(reqprim)));
8116         }
8117 
8118         switch (reqprim) {
8119         case DL_UNBIND_REQ:
8120                 /*
8121                  * NOTE: we mark the unbind as complete even if we got a
8122                  * DL_ERROR_ACK, since there's not much else we can do.
8123                  */
8124                 mutex_enter(&ill->ill_lock);
8125                 ill->ill_state_flags &= ~ILL_DL_UNBIND_IN_PROGRESS;
8126                 cv_signal(&ill->ill_cv);
8127                 mutex_exit(&ill->ill_lock);
8128                 break;
8129 
8130         case DL_ENABMULTI_REQ:
8131                 if (prim == DL_OK_ACK) {
8132                         if (ill->ill_dlpi_multicast_state == IDS_INPROGRESS)
8133                                 ill->ill_dlpi_multicast_state = IDS_OK;
8134                 }
8135                 break;
8136         }
8137 
8138         /*
8139          * The message is one we're waiting for (or DL_NOTIFY_IND), but we
8140          * need to become writer to continue to process it.  Because an
8141          * exclusive operation doesn't complete until replies to all queued
8142          * DLPI messages have been received, we know we're in the middle of an
8143          * exclusive operation and pass CUR_OP (except for DL_NOTIFY_IND).
8144          *
8145          * As required by qwriter_ip(), we refhold the ill; it will refrele.
8146          * Since this is on the ill stream we unconditionally bump up the
8147          * refcount without doing ILL_CAN_LOOKUP().
8148          */
8149         ill_refhold(ill);
8150         if (prim == DL_NOTIFY_IND)
8151                 qwriter_ip(ill, q, mp, ip_rput_dlpi_writer, NEW_OP, B_FALSE);
8152         else
8153                 qwriter_ip(ill, q, mp, ip_rput_dlpi_writer, CUR_OP, B_FALSE);
8154 }
8155 
8156 /*
8157  * Handling of DLPI messages that require exclusive access to the ipsq.
8158  *
8159  * Need to do ipsq_pending_mp_get on ioctl completion, which could
8160  * happen here. (along with mi_copy_done)
8161  */
8162 /* ARGSUSED */
8163 static void
8164 ip_rput_dlpi_writer(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
8165 {
8166         dl_ok_ack_t     *dloa = (dl_ok_ack_t *)mp->b_rptr;
8167         dl_error_ack_t  *dlea = (dl_error_ack_t *)dloa;
8168         int             err = 0;
8169         ill_t           *ill = (ill_t *)q->q_ptr;
8170         ipif_t          *ipif = NULL;
8171         mblk_t          *mp1 = NULL;
8172         conn_t          *connp = NULL;
8173         t_uscalar_t     paddrreq;
8174         mblk_t          *mp_hw;
8175         boolean_t       success;
8176         boolean_t       ioctl_aborted = B_FALSE;
8177         boolean_t       log = B_TRUE;
8178 
8179         DTRACE_PROBE3(ill__dlpi, char *, "ip_rput_dlpi_writer",
8180             char *, dl_primstr(dloa->dl_primitive), ill_t *, ill);
8181 
8182         ip1dbg(("ip_rput_dlpi_writer .."));
8183         ASSERT(ipsq->ipsq_xop == ill->ill_phyint->phyint_ipsq->ipsq_xop);
8184         ASSERT(IAM_WRITER_ILL(ill));
8185 
8186         ipif = ipsq->ipsq_xop->ipx_pending_ipif;
8187         /*
8188          * The current ioctl could have been aborted by the user and a new
8189          * ioctl to bring up another ill could have started. We could still
8190          * get a response from the driver later.
8191          */
8192         if (ipif != NULL && ipif->ipif_ill != ill)
8193                 ioctl_aborted = B_TRUE;
8194 
8195         switch (dloa->dl_primitive) {
8196         case DL_ERROR_ACK:
8197                 ip1dbg(("ip_rput_dlpi_writer: got DL_ERROR_ACK for %s\n",
8198                     dl_primstr(dlea->dl_error_primitive)));
8199 
8200                 DTRACE_PROBE3(ill__dlpi, char *, "ip_rput_dlpi_writer error",
8201                     char *, dl_primstr(dlea->dl_error_primitive),
8202                     ill_t *, ill);
8203 
8204                 switch (dlea->dl_error_primitive) {
8205                 case DL_DISABMULTI_REQ:
8206                         ill_dlpi_done(ill, dlea->dl_error_primitive);
8207                         break;
8208                 case DL_PROMISCON_REQ:
8209                 case DL_PROMISCOFF_REQ:
8210                 case DL_UNBIND_REQ:
8211                 case DL_ATTACH_REQ:
8212                 case DL_INFO_REQ:
8213                         ill_dlpi_done(ill, dlea->dl_error_primitive);
8214                         break;
8215                 case DL_NOTIFY_REQ:
8216                         ill_dlpi_done(ill, DL_NOTIFY_REQ);
8217                         log = B_FALSE;
8218                         break;
8219                 case DL_PHYS_ADDR_REQ:
8220                         /*
8221                          * For IPv6 only, there are two additional
8222                          * phys_addr_req's sent to the driver to get the
8223                          * IPv6 token and lla. This allows IP to acquire
8224                          * the hardware address format for a given interface
8225                          * without having built in knowledge of the hardware
8226                          * address. ill_phys_addr_pend keeps track of the last
8227                          * DL_PAR sent so we know which response we are
8228                          * dealing with. ill_dlpi_done will update
8229                          * ill_phys_addr_pend when it sends the next req.
8230                          * We don't complete the IOCTL until all three DL_PARs
8231                          * have been attempted, so set *_len to 0 and break.
8232                          */
8233                         paddrreq = ill->ill_phys_addr_pend;
8234                         ill_dlpi_done(ill, DL_PHYS_ADDR_REQ);
8235                         if (paddrreq == DL_IPV6_TOKEN) {
8236                                 ill->ill_token_length = 0;
8237                                 log = B_FALSE;
8238                                 break;
8239                         } else if (paddrreq == DL_IPV6_LINK_LAYER_ADDR) {
8240                                 ill->ill_nd_lla_len = 0;
8241                                 log = B_FALSE;
8242                                 break;
8243                         }
8244                         /*
8245                          * Something went wrong with the DL_PHYS_ADDR_REQ.
8246                          * We presumably have an IOCTL hanging out waiting
8247                          * for completion. Find it and complete the IOCTL
8248                          * with the error noted.
8249                          * However, ill_dl_phys was called on an ill queue
8250                          * (from SIOCSLIFNAME), thus conn_pending_ill is not
8251                          * set. But the ioctl is known to be pending on ill_wq.
8252                          */
8253                         if (!ill->ill_ifname_pending)
8254                                 break;
8255                         ill->ill_ifname_pending = 0;
8256                         if (!ioctl_aborted)
8257                                 mp1 = ipsq_pending_mp_get(ipsq, &connp);
8258                         if (mp1 != NULL) {
8259                                 /*
8260                                  * This operation (SIOCSLIFNAME) must have
8261                                  * happened on the ill. Assert there is no conn
8262                                  */
8263                                 ASSERT(connp == NULL);
8264                                 q = ill->ill_wq;
8265                         }
8266                         break;
8267                 case DL_BIND_REQ:
8268                         ill_dlpi_done(ill, DL_BIND_REQ);
8269                         if (ill->ill_ifname_pending)
8270                                 break;
8271                         mutex_enter(&ill->ill_lock);
8272                         ill->ill_state_flags &= ~ILL_DOWN_IN_PROGRESS;
8273                         mutex_exit(&ill->ill_lock);
8274                         /*
8275                          * Something went wrong with the bind.  We presumably
8276                          * have an IOCTL hanging out waiting for completion.
8277                          * Find it, take down the interface that was coming
8278                          * up, and complete the IOCTL with the error noted.
8279                          */
8280                         if (!ioctl_aborted)
8281                                 mp1 = ipsq_pending_mp_get(ipsq, &connp);
8282                         if (mp1 != NULL) {
8283                                 /*
8284                                  * This might be a result of a DL_NOTE_REPLUMB
8285                                  * notification. In that case, connp is NULL.
8286                                  */
8287                                 if (connp != NULL)
8288                                         q = CONNP_TO_WQ(connp);
8289 
8290                                 (void) ipif_down(ipif, NULL, NULL);
8291                                 /* error is set below the switch */
8292                         }
8293                         break;
8294                 case DL_ENABMULTI_REQ:
8295                         ill_dlpi_done(ill, DL_ENABMULTI_REQ);
8296 
8297                         if (ill->ill_dlpi_multicast_state == IDS_INPROGRESS)
8298                                 ill->ill_dlpi_multicast_state = IDS_FAILED;
8299                         if (ill->ill_dlpi_multicast_state == IDS_FAILED) {
8300 
8301                                 printf("ip: joining multicasts failed (%d)"
8302                                     " on %s - will use link layer "
8303                                     "broadcasts for multicast\n",
8304                                     dlea->dl_errno, ill->ill_name);
8305 
8306                                 /*
8307                                  * Set up for multi_bcast; We are the
8308                                  * writer, so ok to access ill->ill_ipif
8309                                  * without any lock.
8310                                  */
8311                                 mutex_enter(&ill->ill_phyint->phyint_lock);
8312                                 ill->ill_phyint->phyint_flags |=
8313                                     PHYI_MULTI_BCAST;
8314                                 mutex_exit(&ill->ill_phyint->phyint_lock);
8315 
8316                         }
8317                         freemsg(mp);    /* Don't want to pass this up */
8318                         return;
8319                 case DL_CAPABILITY_REQ:
8320                         ip1dbg(("ip_rput_dlpi_writer: got DL_ERROR_ACK for "
8321                             "DL_CAPABILITY REQ\n"));
8322                         if (ill->ill_dlpi_capab_state == IDCS_PROBE_SENT)
8323                                 ill->ill_dlpi_capab_state = IDCS_FAILED;
8324                         ill_capability_done(ill);
8325                         freemsg(mp);
8326                         return;
8327                 }
8328                 /*
8329                  * Note the error for IOCTL completion (mp1 is set when
8330                  * ready to complete ioctl). If ill_ifname_pending_err is
8331                  * set, an error occured during plumbing (ill_ifname_pending),
8332                  * so we want to report that error.
8333                  *
8334                  * NOTE: there are two addtional DL_PHYS_ADDR_REQ's
8335                  * (DL_IPV6_TOKEN and DL_IPV6_LINK_LAYER_ADDR) that are
8336                  * expected to get errack'd if the driver doesn't support
8337                  * these flags (e.g. ethernet). log will be set to B_FALSE
8338                  * if these error conditions are encountered.
8339                  */
8340                 if (mp1 != NULL) {
8341                         if (ill->ill_ifname_pending_err != 0)  {
8342                                 err = ill->ill_ifname_pending_err;
8343                                 ill->ill_ifname_pending_err = 0;
8344                         } else {
8345                                 err = dlea->dl_unix_errno ?
8346                                     dlea->dl_unix_errno : ENXIO;
8347                         }
8348                 /*
8349                  * If we're plumbing an interface and an error hasn't already
8350                  * been saved, set ill_ifname_pending_err to the error passed
8351                  * up. Ignore the error if log is B_FALSE (see comment above).
8352                  */
8353                 } else if (log && ill->ill_ifname_pending &&
8354                     ill->ill_ifname_pending_err == 0) {
8355                         ill->ill_ifname_pending_err = dlea->dl_unix_errno ?
8356                             dlea->dl_unix_errno : ENXIO;
8357                 }
8358 
8359                 if (log)
8360                         ip_dlpi_error(ill, dlea->dl_error_primitive,
8361                             dlea->dl_errno, dlea->dl_unix_errno);
8362                 break;
8363         case DL_CAPABILITY_ACK:
8364                 ill_capability_ack(ill, mp);
8365                 /*
8366                  * The message has been handed off to ill_capability_ack
8367                  * and must not be freed below
8368                  */
8369                 mp = NULL;
8370                 break;
8371 
8372         case DL_INFO_ACK:
8373                 /* Call a routine to handle this one. */
8374                 ill_dlpi_done(ill, DL_INFO_REQ);
8375                 ip_ll_subnet_defaults(ill, mp);
8376                 ASSERT(!MUTEX_HELD(&ill->ill_phyint->phyint_ipsq->ipsq_lock));
8377                 return;
8378         case DL_BIND_ACK:
8379                 /*
8380                  * We should have an IOCTL waiting on this unless
8381                  * sent by ill_dl_phys, in which case just return
8382                  */
8383                 ill_dlpi_done(ill, DL_BIND_REQ);
8384 
8385                 if (ill->ill_ifname_pending) {
8386                         DTRACE_PROBE2(ip__rput__dlpi__ifname__pending,
8387                             ill_t *, ill, mblk_t *, mp);
8388                         break;
8389                 }
8390                 mutex_enter(&ill->ill_lock);
8391                 ill->ill_dl_up = 1;
8392                 ill->ill_state_flags &= ~ILL_DOWN_IN_PROGRESS;
8393                 mutex_exit(&ill->ill_lock);
8394 
8395                 if (!ioctl_aborted)
8396                         mp1 = ipsq_pending_mp_get(ipsq, &connp);
8397                 if (mp1 == NULL) {
8398                         DTRACE_PROBE1(ip__rput__dlpi__no__mblk, ill_t *, ill);
8399                         break;
8400                 }
8401                 /*
8402                  * mp1 was added by ill_dl_up(). if that is a result of
8403                  * a DL_NOTE_REPLUMB notification, connp could be NULL.
8404                  */
8405                 if (connp != NULL)
8406                         q = CONNP_TO_WQ(connp);
8407                 /*
8408                  * We are exclusive. So nothing can change even after
8409                  * we get the pending mp.
8410                  */
8411                 ip1dbg(("ip_rput_dlpi: bind_ack %s\n", ill->ill_name));
8412                 DTRACE_PROBE1(ip__rput__dlpi__bind__ack, ill_t *, ill);
8413                 ill_nic_event_dispatch(ill, 0, NE_UP, NULL, 0);
8414 
8415                 /*
8416                  * Now bring up the resolver; when that is complete, we'll
8417                  * create IREs.  Note that we intentionally mirror what
8418                  * ipif_up() would have done, because we got here by way of
8419                  * ill_dl_up(), which stopped ipif_up()'s processing.
8420                  */
8421                 if (ill->ill_isv6) {
8422                         /*
8423                          * v6 interfaces.
8424                          * Unlike ARP which has to do another bind
8425                          * and attach, once we get here we are
8426                          * done with NDP
8427                          */
8428                         (void) ipif_resolver_up(ipif, Res_act_initial);
8429                         if ((err = ipif_ndp_up(ipif, B_TRUE)) == 0)
8430                                 err = ipif_up_done_v6(ipif);
8431                 } else if (ill->ill_net_type == IRE_IF_RESOLVER) {
8432                         /*
8433                          * ARP and other v4 external resolvers.
8434                          * Leave the pending mblk intact so that
8435                          * the ioctl completes in ip_rput().
8436                          */
8437                         if (connp != NULL)
8438                                 mutex_enter(&connp->conn_lock);
8439                         mutex_enter(&ill->ill_lock);
8440                         success = ipsq_pending_mp_add(connp, ipif, q, mp1, 0);
8441                         mutex_exit(&ill->ill_lock);
8442                         if (connp != NULL)
8443                                 mutex_exit(&connp->conn_lock);
8444                         if (success) {
8445                                 err = ipif_resolver_up(ipif, Res_act_initial);
8446                                 if (err == EINPROGRESS) {
8447                                         freemsg(mp);
8448                                         return;
8449                                 }
8450                                 mp1 = ipsq_pending_mp_get(ipsq, &connp);
8451                         } else {
8452                                 /* The conn has started closing */
8453                                 err = EINTR;
8454                         }
8455                 } else {
8456                         /*
8457                          * This one is complete. Reply to pending ioctl.
8458                          */
8459                         (void) ipif_resolver_up(ipif, Res_act_initial);
8460                         err = ipif_up_done(ipif);
8461                 }
8462 
8463                 if ((err == 0) && (ill->ill_up_ipifs)) {
8464                         err = ill_up_ipifs(ill, q, mp1);
8465                         if (err == EINPROGRESS) {
8466                                 freemsg(mp);
8467                                 return;
8468                         }
8469                 }
8470 
8471                 /*
8472                  * If we have a moved ipif to bring up, and everything has
8473                  * succeeded to this point, bring it up on the IPMP ill.
8474                  * Otherwise, leave it down -- the admin can try to bring it
8475                  * up by hand if need be.
8476                  */
8477                 if (ill->ill_move_ipif != NULL) {
8478                         if (err != 0) {
8479                                 ill->ill_move_ipif = NULL;
8480                         } else {
8481                                 ipif = ill->ill_move_ipif;
8482                                 ill->ill_move_ipif = NULL;
8483                                 err = ipif_up(ipif, q, mp1);
8484                                 if (err == EINPROGRESS) {
8485                                         freemsg(mp);
8486                                         return;
8487                                 }
8488                         }
8489                 }
8490                 break;
8491 
8492         case DL_NOTIFY_IND: {
8493                 dl_notify_ind_t *notify = (dl_notify_ind_t *)mp->b_rptr;
8494                 uint_t orig_mtu, orig_mc_mtu;
8495 
8496                 switch (notify->dl_notification) {
8497                 case DL_NOTE_PHYS_ADDR:
8498                         err = ill_set_phys_addr(ill, mp);
8499                         break;
8500 
8501                 case DL_NOTE_REPLUMB:
8502                         /*
8503                          * Directly return after calling ill_replumb().
8504                          * Note that we should not free mp as it is reused
8505                          * in the ill_replumb() function.
8506                          */
8507                         err = ill_replumb(ill, mp);
8508                         return;
8509 
8510                 case DL_NOTE_FASTPATH_FLUSH:
8511                         nce_flush(ill, B_FALSE);
8512                         break;
8513 
8514                 case DL_NOTE_SDU_SIZE:
8515                 case DL_NOTE_SDU_SIZE2:
8516                         /*
8517                          * The dce and fragmentation code can cope with
8518                          * this changing while packets are being sent.
8519                          * When packets are sent ip_output will discover
8520                          * a change.
8521                          *
8522                          * Change the MTU size of the interface.
8523                          */
8524                         mutex_enter(&ill->ill_lock);
8525                         orig_mtu = ill->ill_mtu;
8526                         orig_mc_mtu = ill->ill_mc_mtu;
8527                         switch (notify->dl_notification) {
8528                         case DL_NOTE_SDU_SIZE:
8529                                 ill->ill_current_frag =
8530                                     (uint_t)notify->dl_data;
8531                                 ill->ill_mc_mtu = (uint_t)notify->dl_data;
8532                                 break;
8533                         case DL_NOTE_SDU_SIZE2:
8534                                 ill->ill_current_frag =
8535                                     (uint_t)notify->dl_data1;
8536                                 ill->ill_mc_mtu = (uint_t)notify->dl_data2;
8537                                 break;
8538                         }
8539                         if (ill->ill_current_frag > ill->ill_max_frag)
8540                                 ill->ill_max_frag = ill->ill_current_frag;
8541 
8542                         if (!(ill->ill_flags & ILLF_FIXEDMTU)) {
8543                                 ill->ill_mtu = ill->ill_current_frag;
8544 
8545                                 /*
8546                                  * If ill_user_mtu was set (via
8547                                  * SIOCSLIFLNKINFO), clamp ill_mtu at it.
8548                                  */
8549                                 if (ill->ill_user_mtu != 0 &&
8550                                     ill->ill_user_mtu < ill->ill_mtu)
8551                                         ill->ill_mtu = ill->ill_user_mtu;
8552 
8553                                 if (ill->ill_user_mtu != 0 &&
8554                                     ill->ill_user_mtu < ill->ill_mc_mtu)
8555                                         ill->ill_mc_mtu = ill->ill_user_mtu;
8556 
8557                                 if (ill->ill_isv6) {
8558                                         if (ill->ill_mtu < IPV6_MIN_MTU)
8559                                                 ill->ill_mtu = IPV6_MIN_MTU;
8560                                         if (ill->ill_mc_mtu < IPV6_MIN_MTU)
8561                                                 ill->ill_mc_mtu = IPV6_MIN_MTU;
8562                                 } else {
8563                                         if (ill->ill_mtu < IP_MIN_MTU)
8564                                                 ill->ill_mtu = IP_MIN_MTU;
8565                                         if (ill->ill_mc_mtu < IP_MIN_MTU)
8566                                                 ill->ill_mc_mtu = IP_MIN_MTU;
8567                                 }
8568                         } else if (ill->ill_mc_mtu > ill->ill_mtu) {
8569                                 ill->ill_mc_mtu = ill->ill_mtu;
8570                         }
8571 
8572                         mutex_exit(&ill->ill_lock);
8573                         /*
8574                          * Make sure all dce_generation checks find out
8575                          * that ill_mtu/ill_mc_mtu has changed.
8576                          */
8577                         if (orig_mtu != ill->ill_mtu ||
8578                             orig_mc_mtu != ill->ill_mc_mtu) {
8579                                 dce_increment_all_generations(ill->ill_isv6,
8580                                     ill->ill_ipst);
8581                         }
8582 
8583                         /*
8584                          * Refresh IPMP meta-interface MTU if necessary.
8585                          */
8586                         if (IS_UNDER_IPMP(ill))
8587                                 ipmp_illgrp_refresh_mtu(ill->ill_grp);
8588                         break;
8589 
8590                 case DL_NOTE_LINK_UP:
8591                 case DL_NOTE_LINK_DOWN: {
8592                         /*
8593                          * We are writer. ill / phyint / ipsq assocs stable.
8594                          * The RUNNING flag reflects the state of the link.
8595                          */
8596                         phyint_t *phyint = ill->ill_phyint;
8597                         uint64_t new_phyint_flags;
8598                         boolean_t changed = B_FALSE;
8599                         boolean_t went_up;
8600 
8601                         went_up = notify->dl_notification == DL_NOTE_LINK_UP;
8602                         mutex_enter(&phyint->phyint_lock);
8603 
8604                         new_phyint_flags = went_up ?
8605                             phyint->phyint_flags | PHYI_RUNNING :
8606                             phyint->phyint_flags & ~PHYI_RUNNING;
8607 
8608                         if (IS_IPMP(ill)) {
8609                                 new_phyint_flags = went_up ?
8610                                     new_phyint_flags & ~PHYI_FAILED :
8611                                     new_phyint_flags | PHYI_FAILED;
8612                         }
8613 
8614                         if (new_phyint_flags != phyint->phyint_flags) {
8615                                 phyint->phyint_flags = new_phyint_flags;
8616                                 changed = B_TRUE;
8617                         }
8618                         mutex_exit(&phyint->phyint_lock);
8619                         /*
8620                          * ill_restart_dad handles the DAD restart and routing
8621                          * socket notification logic.
8622                          */
8623                         if (changed) {
8624                                 ill_restart_dad(phyint->phyint_illv4, went_up);
8625                                 ill_restart_dad(phyint->phyint_illv6, went_up);
8626                         }
8627                         break;
8628                 }
8629                 case DL_NOTE_PROMISC_ON_PHYS: {
8630                         phyint_t *phyint = ill->ill_phyint;
8631 
8632                         mutex_enter(&phyint->phyint_lock);
8633                         phyint->phyint_flags |= PHYI_PROMISC;
8634                         mutex_exit(&phyint->phyint_lock);
8635                         break;
8636                 }
8637                 case DL_NOTE_PROMISC_OFF_PHYS: {
8638                         phyint_t *phyint = ill->ill_phyint;
8639 
8640                         mutex_enter(&phyint->phyint_lock);
8641                         phyint->phyint_flags &= ~PHYI_PROMISC;
8642                         mutex_exit(&phyint->phyint_lock);
8643                         break;
8644                 }
8645                 case DL_NOTE_CAPAB_RENEG:
8646                         /*
8647                          * Something changed on the driver side.
8648                          * It wants us to renegotiate the capabilities
8649                          * on this ill. One possible cause is the aggregation
8650                          * interface under us where a port got added or
8651                          * went away.
8652                          *
8653                          * If the capability negotiation is already done
8654                          * or is in progress, reset the capabilities and
8655                          * mark the ill's ill_capab_reneg to be B_TRUE,
8656                          * so that when the ack comes back, we can start
8657                          * the renegotiation process.
8658                          *
8659                          * Note that if ill_capab_reneg is already B_TRUE
8660                          * (ill_dlpi_capab_state is IDS_UNKNOWN in this case),
8661                          * the capability resetting request has been sent
8662                          * and the renegotiation has not been started yet;
8663                          * nothing needs to be done in this case.
8664                          */
8665                         ipsq_current_start(ipsq, ill->ill_ipif, 0);
8666                         ill_capability_reset(ill, B_TRUE);
8667                         ipsq_current_finish(ipsq);
8668                         break;
8669 
8670                 case DL_NOTE_ALLOWED_IPS:
8671                         ill_set_allowed_ips(ill, mp);
8672                         break;
8673                 default:
8674                         ip0dbg(("ip_rput_dlpi_writer: unknown notification "
8675                             "type 0x%x for DL_NOTIFY_IND\n",
8676                             notify->dl_notification));
8677                         break;
8678                 }
8679 
8680                 /*
8681                  * As this is an asynchronous operation, we
8682                  * should not call ill_dlpi_done
8683                  */
8684                 break;
8685         }
8686         case DL_NOTIFY_ACK: {
8687                 dl_notify_ack_t *noteack = (dl_notify_ack_t *)mp->b_rptr;
8688 
8689                 if (noteack->dl_notifications & DL_NOTE_LINK_UP)
8690                         ill->ill_note_link = 1;
8691                 ill_dlpi_done(ill, DL_NOTIFY_REQ);
8692                 break;
8693         }
8694         case DL_PHYS_ADDR_ACK: {
8695                 /*
8696                  * As part of plumbing the interface via SIOCSLIFNAME,
8697                  * ill_dl_phys() will queue a series of DL_PHYS_ADDR_REQs,
8698                  * whose answers we receive here.  As each answer is received,
8699                  * we call ill_dlpi_done() to dispatch the next request as
8700                  * we're processing the current one.  Once all answers have
8701                  * been received, we use ipsq_pending_mp_get() to dequeue the
8702                  * outstanding IOCTL and reply to it.  (Because ill_dl_phys()
8703                  * is invoked from an ill queue, conn_oper_pending_ill is not
8704                  * available, but we know the ioctl is pending on ill_wq.)
8705                  */
8706                 uint_t  paddrlen, paddroff;
8707                 uint8_t *addr;
8708 
8709                 paddrreq = ill->ill_phys_addr_pend;
8710                 paddrlen = ((dl_phys_addr_ack_t *)mp->b_rptr)->dl_addr_length;
8711                 paddroff = ((dl_phys_addr_ack_t *)mp->b_rptr)->dl_addr_offset;
8712                 addr = mp->b_rptr + paddroff;
8713 
8714                 ill_dlpi_done(ill, DL_PHYS_ADDR_REQ);
8715                 if (paddrreq == DL_IPV6_TOKEN) {
8716                         /*
8717                          * bcopy to low-order bits of ill_token
8718                          *
8719                          * XXX Temporary hack - currently, all known tokens
8720                          * are 64 bits, so I'll cheat for the moment.
8721                          */
8722                         bcopy(addr, &ill->ill_token.s6_addr32[2], paddrlen);
8723                         ill->ill_token_length = paddrlen;
8724                         break;
8725                 } else if (paddrreq == DL_IPV6_LINK_LAYER_ADDR) {
8726                         ASSERT(ill->ill_nd_lla_mp == NULL);
8727                         ill_set_ndmp(ill, mp, paddroff, paddrlen);
8728                         mp = NULL;
8729                         break;
8730                 } else if (paddrreq == DL_CURR_DEST_ADDR) {
8731                         ASSERT(ill->ill_dest_addr_mp == NULL);
8732                         ill->ill_dest_addr_mp = mp;
8733                         ill->ill_dest_addr = addr;
8734                         mp = NULL;
8735                         if (ill->ill_isv6) {
8736                                 ill_setdesttoken(ill);
8737                                 ipif_setdestlinklocal(ill->ill_ipif);
8738                         }
8739                         break;
8740                 }
8741 
8742                 ASSERT(paddrreq == DL_CURR_PHYS_ADDR);
8743                 ASSERT(ill->ill_phys_addr_mp == NULL);
8744                 if (!ill->ill_ifname_pending)
8745                         break;
8746                 ill->ill_ifname_pending = 0;
8747                 if (!ioctl_aborted)
8748                         mp1 = ipsq_pending_mp_get(ipsq, &connp);
8749                 if (mp1 != NULL) {
8750                         ASSERT(connp == NULL);
8751                         q = ill->ill_wq;
8752                 }
8753                 /*
8754                  * If any error acks received during the plumbing sequence,
8755                  * ill_ifname_pending_err will be set. Break out and send up
8756                  * the error to the pending ioctl.
8757                  */
8758                 if (ill->ill_ifname_pending_err != 0) {
8759                         err = ill->ill_ifname_pending_err;
8760                         ill->ill_ifname_pending_err = 0;
8761                         break;
8762                 }
8763 
8764                 ill->ill_phys_addr_mp = mp;
8765                 ill->ill_phys_addr = (paddrlen == 0 ? NULL : addr);
8766                 mp = NULL;
8767 
8768                 /*
8769                  * If paddrlen or ill_phys_addr_length is zero, the DLPI
8770                  * provider doesn't support physical addresses.  We check both
8771                  * paddrlen and ill_phys_addr_length because sppp (PPP) does
8772                  * not have physical addresses, but historically adversises a
8773                  * physical address length of 0 in its DL_INFO_ACK, but 6 in
8774                  * its DL_PHYS_ADDR_ACK.
8775                  */
8776                 if (paddrlen == 0 || ill->ill_phys_addr_length == 0) {
8777                         ill->ill_phys_addr = NULL;
8778                 } else if (paddrlen != ill->ill_phys_addr_length) {
8779                         ip0dbg(("DL_PHYS_ADDR_ACK: got addrlen %d, expected %d",
8780                             paddrlen, ill->ill_phys_addr_length));
8781                         err = EINVAL;
8782                         break;
8783                 }
8784 
8785                 if (ill->ill_nd_lla_mp == NULL) {
8786                         if ((mp_hw = copyb(ill->ill_phys_addr_mp)) == NULL) {
8787                                 err = ENOMEM;
8788                                 break;
8789                         }
8790                         ill_set_ndmp(ill, mp_hw, paddroff, paddrlen);
8791                 }
8792 
8793                 if (ill->ill_isv6) {
8794                         ill_setdefaulttoken(ill);
8795                         ipif_setlinklocal(ill->ill_ipif);
8796                 }
8797                 break;
8798         }
8799         case DL_OK_ACK:
8800                 ip2dbg(("DL_OK_ACK %s (0x%x)\n",
8801                     dl_primstr((int)dloa->dl_correct_primitive),
8802                     dloa->dl_correct_primitive));
8803                 DTRACE_PROBE3(ill__dlpi, char *, "ip_rput_dlpi_writer ok",
8804                     char *, dl_primstr(dloa->dl_correct_primitive),
8805                     ill_t *, ill);
8806 
8807                 switch (dloa->dl_correct_primitive) {
8808                 case DL_ENABMULTI_REQ:
8809                 case DL_DISABMULTI_REQ:
8810                         ill_dlpi_done(ill, dloa->dl_correct_primitive);
8811                         break;
8812                 case DL_PROMISCON_REQ:
8813                 case DL_PROMISCOFF_REQ:
8814                 case DL_UNBIND_REQ:
8815                 case DL_ATTACH_REQ:
8816                         ill_dlpi_done(ill, dloa->dl_correct_primitive);
8817                         break;
8818                 }
8819                 break;
8820         default:
8821                 break;
8822         }
8823 
8824         freemsg(mp);
8825         if (mp1 == NULL)
8826                 return;
8827 
8828         /*
8829          * The operation must complete without EINPROGRESS since
8830          * ipsq_pending_mp_get() has removed the mblk (mp1).  Otherwise,
8831          * the operation will be stuck forever inside the IPSQ.
8832          */
8833         ASSERT(err != EINPROGRESS);
8834 
8835         DTRACE_PROBE4(ipif__ioctl, char *, "ip_rput_dlpi_writer finish",
8836             int, ipsq->ipsq_xop->ipx_current_ioctl, ill_t *, ill,
8837             ipif_t *, NULL);
8838 
8839         switch (ipsq->ipsq_xop->ipx_current_ioctl) {
8840         case 0:
8841                 ipsq_current_finish(ipsq);
8842                 break;
8843 
8844         case SIOCSLIFNAME:
8845         case IF_UNITSEL: {
8846                 ill_t *ill_other = ILL_OTHER(ill);
8847 
8848                 /*
8849                  * If SIOCSLIFNAME or IF_UNITSEL is about to succeed, and the
8850                  * ill has a peer which is in an IPMP group, then place ill
8851                  * into the same group.  One catch: although ifconfig plumbs
8852                  * the appropriate IPMP meta-interface prior to plumbing this
8853                  * ill, it is possible for multiple ifconfig applications to
8854                  * race (or for another application to adjust plumbing), in
8855                  * which case the IPMP meta-interface we need will be missing.
8856                  * If so, kick the phyint out of the group.
8857                  */
8858                 if (err == 0 && ill_other != NULL && IS_UNDER_IPMP(ill_other)) {
8859                         ipmp_grp_t      *grp = ill->ill_phyint->phyint_grp;
8860                         ipmp_illgrp_t   *illg;
8861 
8862                         illg = ill->ill_isv6 ? grp->gr_v6 : grp->gr_v4;
8863                         if (illg == NULL)
8864                                 ipmp_phyint_leave_grp(ill->ill_phyint);
8865                         else
8866                                 ipmp_ill_join_illgrp(ill, illg);
8867                 }
8868 
8869                 if (ipsq->ipsq_xop->ipx_current_ioctl == IF_UNITSEL)
8870                         ip_ioctl_finish(q, mp1, err, NO_COPYOUT, ipsq);
8871                 else
8872                         ip_ioctl_finish(q, mp1, err, COPYOUT, ipsq);
8873                 break;
8874         }
8875         case SIOCLIFADDIF:
8876                 ip_ioctl_finish(q, mp1, err, COPYOUT, ipsq);
8877                 break;
8878 
8879         default:
8880                 ip_ioctl_finish(q, mp1, err, NO_COPYOUT, ipsq);
8881                 break;
8882         }
8883 }
8884 
8885 /*
8886  * ip_rput_other is called by ip_rput to handle messages modifying the global
8887  * state in IP.  If 'ipsq' is non-NULL, caller is writer on it.
8888  */
8889 /* ARGSUSED */
8890 void
8891 ip_rput_other(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
8892 {
8893         ill_t           *ill = q->q_ptr;
8894         struct iocblk   *iocp;
8895 
8896         ip1dbg(("ip_rput_other "));
8897         if (ipsq != NULL) {
8898                 ASSERT(IAM_WRITER_IPSQ(ipsq));
8899                 ASSERT(ipsq->ipsq_xop ==
8900                     ill->ill_phyint->phyint_ipsq->ipsq_xop);
8901         }
8902 
8903         switch (mp->b_datap->db_type) {
8904         case M_ERROR:
8905         case M_HANGUP:
8906                 /*
8907                  * The device has a problem.  We force the ILL down.  It can
8908                  * be brought up again manually using SIOCSIFFLAGS (via
8909                  * ifconfig or equivalent).
8910                  */
8911                 ASSERT(ipsq != NULL);
8912                 if (mp->b_rptr < mp->b_wptr)
8913                         ill->ill_error = (int)(*mp->b_rptr & 0xFF);
8914                 if (ill->ill_error == 0)
8915                         ill->ill_error = ENXIO;
8916                 if (!ill_down_start(q, mp))
8917                         return;
8918                 ipif_all_down_tail(ipsq, q, mp, NULL);
8919                 break;
8920         case M_IOCNAK: {
8921                 iocp = (struct iocblk *)mp->b_rptr;
8922 
8923                 ASSERT(iocp->ioc_cmd == DL_IOC_HDR_INFO);
8924                 /*
8925                  * If this was the first attempt, turn off the fastpath
8926                  * probing.
8927                  */
8928                 mutex_enter(&ill->ill_lock);
8929                 if (ill->ill_dlpi_fastpath_state == IDS_INPROGRESS) {
8930                         ill->ill_dlpi_fastpath_state = IDS_FAILED;
8931                         mutex_exit(&ill->ill_lock);
8932                         /*
8933                          * don't flush the nce_t entries: we use them
8934                          * as an index to the ncec itself.
8935                          */
8936                         ip1dbg(("ip_rput: DLPI fastpath off on interface %s\n",
8937                             ill->ill_name));
8938                 } else {
8939                         mutex_exit(&ill->ill_lock);
8940                 }
8941                 freemsg(mp);
8942                 break;
8943         }
8944         default:
8945                 ASSERT(0);
8946                 break;
8947         }
8948 }
8949 
8950 /*
8951  * Update any source route, record route or timestamp options
8952  * When it fails it has consumed the message and BUMPed the MIB.
8953  */
8954 boolean_t
8955 ip_forward_options(mblk_t *mp, ipha_t *ipha, ill_t *dst_ill,
8956     ip_recv_attr_t *ira)
8957 {
8958         ipoptp_t        opts;
8959         uchar_t         *opt;
8960         uint8_t         optval;
8961         uint8_t         optlen;
8962         ipaddr_t        dst;
8963         ipaddr_t        ifaddr;
8964         uint32_t        ts;
8965         timestruc_t     now;
8966         ip_stack_t      *ipst = ira->ira_ill->ill_ipst;
8967 
8968         ip2dbg(("ip_forward_options\n"));
8969         dst = ipha->ipha_dst;
8970         for (optval = ipoptp_first(&opts, ipha);
8971             optval != IPOPT_EOL;
8972             optval = ipoptp_next(&opts)) {
8973                 ASSERT((opts.ipoptp_flags & IPOPTP_ERROR) == 0);
8974                 opt = opts.ipoptp_cur;
8975                 optlen = opts.ipoptp_len;
8976                 ip2dbg(("ip_forward_options: opt %d, len %d\n",
8977                     optval, opts.ipoptp_len));
8978                 switch (optval) {
8979                         uint32_t off;
8980                 case IPOPT_SSRR:
8981                 case IPOPT_LSRR:
8982                         /* Check if adminstratively disabled */
8983                         if (!ipst->ips_ip_forward_src_routed) {
8984                                 BUMP_MIB(dst_ill->ill_ip_mib,
8985                                     ipIfStatsForwProhibits);
8986                                 ip_drop_input("ICMP_SOURCE_ROUTE_FAILED",
8987                                     mp, dst_ill);
8988                                 icmp_unreachable(mp, ICMP_SOURCE_ROUTE_FAILED,
8989                                     ira);
8990                                 return (B_FALSE);
8991                         }
8992                         if (ip_type_v4(dst, ipst) != IRE_LOCAL) {
8993                                 /*
8994                                  * Must be partial since ip_input_options
8995                                  * checked for strict.
8996                                  */
8997                                 break;
8998                         }
8999                         off = opt[IPOPT_OFFSET];
9000                         off--;
9001                 redo_srr:
9002                         if (optlen < IP_ADDR_LEN ||
9003                             off > optlen - IP_ADDR_LEN) {
9004                                 /* End of source route */
9005                                 ip1dbg((
9006                                     "ip_forward_options: end of SR\n"));
9007                                 break;
9008                         }
9009                         /* Pick a reasonable address on the outbound if */
9010                         ASSERT(dst_ill != NULL);
9011                         if (ip_select_source_v4(dst_ill, INADDR_ANY, dst,
9012                             INADDR_ANY, ALL_ZONES, ipst, &ifaddr, NULL,
9013                             NULL) != 0) {
9014                                 /* No source! Shouldn't happen */
9015                                 ifaddr = INADDR_ANY;
9016                         }
9017                         bcopy((char *)opt + off, &dst, IP_ADDR_LEN);
9018                         bcopy(&ifaddr, (char *)opt + off, IP_ADDR_LEN);
9019                         ip1dbg(("ip_forward_options: next hop 0x%x\n",
9020                             ntohl(dst)));
9021 
9022                         /*
9023                          * Check if our address is present more than
9024                          * once as consecutive hops in source route.
9025                          */
9026                         if (ip_type_v4(dst, ipst) == IRE_LOCAL) {
9027                                 off += IP_ADDR_LEN;
9028                                 opt[IPOPT_OFFSET] += IP_ADDR_LEN;
9029                                 goto redo_srr;
9030                         }
9031                         ipha->ipha_dst = dst;
9032                         opt[IPOPT_OFFSET] += IP_ADDR_LEN;
9033                         break;
9034                 case IPOPT_RR:
9035                         off = opt[IPOPT_OFFSET];
9036                         off--;
9037                         if (optlen < IP_ADDR_LEN ||
9038                             off > optlen - IP_ADDR_LEN) {
9039                                 /* No more room - ignore */
9040                                 ip1dbg((
9041                                     "ip_forward_options: end of RR\n"));
9042                                 break;
9043                         }
9044                         /* Pick a reasonable address on the outbound if */
9045                         ASSERT(dst_ill != NULL);
9046                         if (ip_select_source_v4(dst_ill, INADDR_ANY, dst,
9047                             INADDR_ANY, ALL_ZONES, ipst, &ifaddr, NULL,
9048                             NULL) != 0) {
9049                                 /* No source! Shouldn't happen */
9050                                 ifaddr = INADDR_ANY;
9051                         }
9052                         bcopy(&ifaddr, (char *)opt + off, IP_ADDR_LEN);
9053                         opt[IPOPT_OFFSET] += IP_ADDR_LEN;
9054                         break;
9055                 case IPOPT_TS:
9056                         /* Insert timestamp if there is room */
9057                         switch (opt[IPOPT_POS_OV_FLG] & 0x0F) {
9058                         case IPOPT_TS_TSONLY:
9059                                 off = IPOPT_TS_TIMELEN;
9060                                 break;
9061                         case IPOPT_TS_PRESPEC:
9062                         case IPOPT_TS_PRESPEC_RFC791:
9063                                 /* Verify that the address matched */
9064                                 off = opt[IPOPT_OFFSET] - 1;
9065                                 bcopy((char *)opt + off, &dst, IP_ADDR_LEN);
9066                                 if (ip_type_v4(dst, ipst) != IRE_LOCAL) {
9067                                         /* Not for us */
9068                                         break;
9069                                 }
9070                                 /* FALLTHRU */
9071                         case IPOPT_TS_TSANDADDR:
9072                                 off = IP_ADDR_LEN + IPOPT_TS_TIMELEN;
9073                                 break;
9074                         default:
9075                                 /*
9076                                  * ip_*put_options should have already
9077                                  * dropped this packet.
9078                                  */
9079                                 cmn_err(CE_PANIC, "ip_forward_options: "
9080                                     "unknown IT - bug in ip_input_options?\n");
9081                                 return (B_TRUE);        /* Keep "lint" happy */
9082                         }
9083                         if (opt[IPOPT_OFFSET] - 1 + off > optlen) {
9084                                 /* Increase overflow counter */
9085                                 off = (opt[IPOPT_POS_OV_FLG] >> 4) + 1;
9086                                 opt[IPOPT_POS_OV_FLG] =
9087                                     (uint8_t)((opt[IPOPT_POS_OV_FLG] & 0x0F) |
9088                                     (off << 4));
9089                                 break;
9090                         }
9091                         off = opt[IPOPT_OFFSET] - 1;
9092                         switch (opt[IPOPT_POS_OV_FLG] & 0x0F) {
9093                         case IPOPT_TS_PRESPEC:
9094                         case IPOPT_TS_PRESPEC_RFC791:
9095                         case IPOPT_TS_TSANDADDR:
9096                                 /* Pick a reasonable addr on the outbound if */
9097                                 ASSERT(dst_ill != NULL);
9098                                 if (ip_select_source_v4(dst_ill, INADDR_ANY,
9099                                     dst, INADDR_ANY, ALL_ZONES, ipst, &ifaddr,
9100                                     NULL, NULL) != 0) {
9101                                         /* No source! Shouldn't happen */
9102                                         ifaddr = INADDR_ANY;
9103                                 }
9104                                 bcopy(&ifaddr, (char *)opt + off, IP_ADDR_LEN);
9105                                 opt[IPOPT_OFFSET] += IP_ADDR_LEN;
9106                                 /* FALLTHRU */
9107                         case IPOPT_TS_TSONLY:
9108                                 off = opt[IPOPT_OFFSET] - 1;
9109                                 /* Compute # of milliseconds since midnight */
9110                                 gethrestime(&now);
9111                                 ts = (now.tv_sec % (24 * 60 * 60)) * 1000 +
9112                                     now.tv_nsec / (NANOSEC / MILLISEC);
9113                                 bcopy(&ts, (char *)opt + off, IPOPT_TS_TIMELEN);
9114                                 opt[IPOPT_OFFSET] += IPOPT_TS_TIMELEN;
9115                                 break;
9116                         }
9117                         break;
9118                 }
9119         }
9120         return (B_TRUE);
9121 }
9122 
9123 /*
9124  * Call ill_frag_timeout to do garbage collection. ill_frag_timeout
9125  * returns 'true' if there are still fragments left on the queue, in
9126  * which case we restart the timer.
9127  */
9128 void
9129 ill_frag_timer(void *arg)
9130 {
9131         ill_t   *ill = (ill_t *)arg;
9132         boolean_t frag_pending;
9133         ip_stack_t *ipst = ill->ill_ipst;
9134         time_t  timeout;
9135 
9136         mutex_enter(&ill->ill_lock);
9137         ASSERT(!ill->ill_fragtimer_executing);
9138         if (ill->ill_state_flags & ILL_CONDEMNED) {
9139                 ill->ill_frag_timer_id = 0;
9140                 mutex_exit(&ill->ill_lock);
9141                 return;
9142         }
9143         ill->ill_fragtimer_executing = 1;
9144         mutex_exit(&ill->ill_lock);
9145 
9146         timeout = (ill->ill_isv6 ? ipst->ips_ipv6_reassembly_timeout :
9147             ipst->ips_ip_reassembly_timeout);
9148 
9149         frag_pending = ill_frag_timeout(ill, timeout);
9150 
9151         /*
9152          * Restart the timer, if we have fragments pending or if someone
9153          * wanted us to be scheduled again.
9154          */
9155         mutex_enter(&ill->ill_lock);
9156         ill->ill_fragtimer_executing = 0;
9157         ill->ill_frag_timer_id = 0;
9158         if (frag_pending || ill->ill_fragtimer_needrestart)
9159                 ill_frag_timer_start(ill);
9160         mutex_exit(&ill->ill_lock);
9161 }
9162 
9163 void
9164 ill_frag_timer_start(ill_t *ill)
9165 {
9166         ip_stack_t *ipst = ill->ill_ipst;
9167         clock_t timeo_ms;
9168 
9169         ASSERT(MUTEX_HELD(&ill->ill_lock));
9170 
9171         /* If the ill is closing or opening don't proceed */
9172         if (ill->ill_state_flags & ILL_CONDEMNED)
9173                 return;
9174 
9175         if (ill->ill_fragtimer_executing) {
9176                 /*
9177                  * ill_frag_timer is currently executing. Just record the
9178                  * the fact that we want the timer to be restarted.
9179                  * ill_frag_timer will post a timeout before it returns,
9180                  * ensuring it will be called again.
9181                  */
9182                 ill->ill_fragtimer_needrestart = 1;
9183                 return;
9184         }
9185 
9186         if (ill->ill_frag_timer_id == 0) {
9187                 timeo_ms = (ill->ill_isv6 ? ipst->ips_ipv6_reassembly_timeout :
9188                     ipst->ips_ip_reassembly_timeout) * SECONDS;
9189 
9190                 /*
9191                  * The timer is neither running nor is the timeout handler
9192                  * executing. Post a timeout so that ill_frag_timer will be
9193                  * called
9194                  */
9195                 ill->ill_frag_timer_id = timeout(ill_frag_timer, ill,
9196                     MSEC_TO_TICK(timeo_ms >> 1));
9197                 ill->ill_fragtimer_needrestart = 0;
9198         }
9199 }
9200 
9201 /*
9202  * Update any source route, record route or timestamp options.
9203  * Check that we are at end of strict source route.
9204  * The options have already been checked for sanity in ip_input_options().
9205  */
9206 boolean_t
9207 ip_input_local_options(mblk_t *mp, ipha_t *ipha, ip_recv_attr_t *ira)
9208 {
9209         ipoptp_t        opts;
9210         uchar_t         *opt;
9211         uint8_t         optval;
9212         uint8_t         optlen;
9213         ipaddr_t        dst;
9214         ipaddr_t        ifaddr;
9215         uint32_t        ts;
9216         timestruc_t     now;
9217         ill_t           *ill = ira->ira_ill;
9218         ip_stack_t      *ipst = ill->ill_ipst;
9219 
9220         ip2dbg(("ip_input_local_options\n"));
9221 
9222         for (optval = ipoptp_first(&opts, ipha);
9223             optval != IPOPT_EOL;
9224             optval = ipoptp_next(&opts)) {
9225                 ASSERT((opts.ipoptp_flags & IPOPTP_ERROR) == 0);
9226                 opt = opts.ipoptp_cur;
9227                 optlen = opts.ipoptp_len;
9228                 ip2dbg(("ip_input_local_options: opt %d, len %d\n",
9229                     optval, optlen));
9230                 switch (optval) {
9231                         uint32_t off;
9232                 case IPOPT_SSRR:
9233                 case IPOPT_LSRR:
9234                         off = opt[IPOPT_OFFSET];
9235                         off--;
9236                         if (optlen < IP_ADDR_LEN ||
9237                             off > optlen - IP_ADDR_LEN) {
9238                                 /* End of source route */
9239                                 ip1dbg(("ip_input_local_options: end of SR\n"));
9240                                 break;
9241                         }
9242                         /*
9243                          * This will only happen if two consecutive entries
9244                          * in the source route contains our address or if
9245                          * it is a packet with a loose source route which
9246                          * reaches us before consuming the whole source route
9247                          */
9248                         ip1dbg(("ip_input_local_options: not end of SR\n"));
9249                         if (optval == IPOPT_SSRR) {
9250                                 goto bad_src_route;
9251                         }
9252                         /*
9253                          * Hack: instead of dropping the packet truncate the
9254                          * source route to what has been used by filling the
9255                          * rest with IPOPT_NOP.
9256                          */
9257                         opt[IPOPT_OLEN] = (uint8_t)off;
9258                         while (off < optlen) {
9259                                 opt[off++] = IPOPT_NOP;
9260                         }
9261                         break;
9262                 case IPOPT_RR:
9263                         off = opt[IPOPT_OFFSET];
9264                         off--;
9265                         if (optlen < IP_ADDR_LEN ||
9266                             off > optlen - IP_ADDR_LEN) {
9267                                 /* No more room - ignore */
9268                                 ip1dbg((
9269                                     "ip_input_local_options: end of RR\n"));
9270                                 break;
9271                         }
9272                         /* Pick a reasonable address on the outbound if */
9273                         if (ip_select_source_v4(ill, INADDR_ANY, ipha->ipha_dst,
9274                             INADDR_ANY, ALL_ZONES, ipst, &ifaddr, NULL,
9275                             NULL) != 0) {
9276                                 /* No source! Shouldn't happen */
9277                                 ifaddr = INADDR_ANY;
9278                         }
9279                         bcopy(&ifaddr, (char *)opt + off, IP_ADDR_LEN);
9280                         opt[IPOPT_OFFSET] += IP_ADDR_LEN;
9281                         break;
9282                 case IPOPT_TS:
9283                         /* Insert timestamp if there is romm */
9284                         switch (opt[IPOPT_POS_OV_FLG] & 0x0F) {
9285                         case IPOPT_TS_TSONLY:
9286                                 off = IPOPT_TS_TIMELEN;
9287                                 break;
9288                         case IPOPT_TS_PRESPEC:
9289                         case IPOPT_TS_PRESPEC_RFC791:
9290                                 /* Verify that the address matched */
9291                                 off = opt[IPOPT_OFFSET] - 1;
9292                                 bcopy((char *)opt + off, &dst, IP_ADDR_LEN);
9293                                 if (ip_type_v4(dst, ipst) != IRE_LOCAL) {
9294                                         /* Not for us */
9295                                         break;
9296                                 }
9297                                 /* FALLTHRU */
9298                         case IPOPT_TS_TSANDADDR:
9299                                 off = IP_ADDR_LEN + IPOPT_TS_TIMELEN;
9300                                 break;
9301                         default:
9302                                 /*
9303                                  * ip_*put_options should have already
9304                                  * dropped this packet.
9305                                  */
9306                                 cmn_err(CE_PANIC, "ip_input_local_options: "
9307                                     "unknown IT - bug in ip_input_options?\n");
9308                                 return (B_TRUE);        /* Keep "lint" happy */
9309                         }
9310                         if (opt[IPOPT_OFFSET] - 1 + off > optlen) {
9311                                 /* Increase overflow counter */
9312                                 off = (opt[IPOPT_POS_OV_FLG] >> 4) + 1;
9313                                 opt[IPOPT_POS_OV_FLG] =
9314                                     (uint8_t)((opt[IPOPT_POS_OV_FLG] & 0x0F) |
9315                                     (off << 4));
9316                                 break;
9317                         }
9318                         off = opt[IPOPT_OFFSET] - 1;
9319                         switch (opt[IPOPT_POS_OV_FLG] & 0x0F) {
9320                         case IPOPT_TS_PRESPEC:
9321                         case IPOPT_TS_PRESPEC_RFC791:
9322                         case IPOPT_TS_TSANDADDR:
9323                                 /* Pick a reasonable addr on the outbound if */
9324                                 if (ip_select_source_v4(ill, INADDR_ANY,
9325                                     ipha->ipha_dst, INADDR_ANY, ALL_ZONES, ipst,
9326                                     &ifaddr, NULL, NULL) != 0) {
9327                                         /* No source! Shouldn't happen */
9328                                         ifaddr = INADDR_ANY;
9329                                 }
9330                                 bcopy(&ifaddr, (char *)opt + off, IP_ADDR_LEN);
9331                                 opt[IPOPT_OFFSET] += IP_ADDR_LEN;
9332                                 /* FALLTHRU */
9333                         case IPOPT_TS_TSONLY:
9334                                 off = opt[IPOPT_OFFSET] - 1;
9335                                 /* Compute # of milliseconds since midnight */
9336                                 gethrestime(&now);
9337                                 ts = (now.tv_sec % (24 * 60 * 60)) * 1000 +
9338                                     now.tv_nsec / (NANOSEC / MILLISEC);
9339                                 bcopy(&ts, (char *)opt + off, IPOPT_TS_TIMELEN);
9340                                 opt[IPOPT_OFFSET] += IPOPT_TS_TIMELEN;
9341                                 break;
9342                         }
9343                         break;
9344                 }
9345         }
9346         return (B_TRUE);
9347 
9348 bad_src_route:
9349         /* make sure we clear any indication of a hardware checksum */
9350         DB_CKSUMFLAGS(mp) = 0;
9351         ip_drop_input("ICMP_SOURCE_ROUTE_FAILED", mp, ill);
9352         icmp_unreachable(mp, ICMP_SOURCE_ROUTE_FAILED, ira);
9353         return (B_FALSE);
9354 
9355 }
9356 
9357 /*
9358  * Process IP options in an inbound packet.  Always returns the nexthop.
9359  * Normally this is the passed in nexthop, but if there is an option
9360  * that effects the nexthop (such as a source route) that will be returned.
9361  * Sets *errorp if there is an error, in which case an ICMP error has been sent
9362  * and mp freed.
9363  */
9364 ipaddr_t
9365 ip_input_options(ipha_t *ipha, ipaddr_t dst, mblk_t *mp,
9366     ip_recv_attr_t *ira, int *errorp)
9367 {
9368         ip_stack_t      *ipst = ira->ira_ill->ill_ipst;
9369         ipoptp_t        opts;
9370         uchar_t         *opt;
9371         uint8_t         optval;
9372         uint8_t         optlen;
9373         intptr_t        code = 0;
9374         ire_t           *ire;
9375 
9376         ip2dbg(("ip_input_options\n"));
9377         *errorp = 0;
9378         for (optval = ipoptp_first(&opts, ipha);
9379             optval != IPOPT_EOL;
9380             optval = ipoptp_next(&opts)) {
9381                 opt = opts.ipoptp_cur;
9382                 optlen = opts.ipoptp_len;
9383                 ip2dbg(("ip_input_options: opt %d, len %d\n",
9384                     optval, optlen));
9385                 /*
9386                  * Note: we need to verify the checksum before we
9387                  * modify anything thus this routine only extracts the next
9388                  * hop dst from any source route.
9389                  */
9390                 switch (optval) {
9391                         uint32_t off;
9392                 case IPOPT_SSRR:
9393                 case IPOPT_LSRR:
9394                         if (ip_type_v4(dst, ipst) != IRE_LOCAL) {
9395                                 if (optval == IPOPT_SSRR) {
9396                                         ip1dbg(("ip_input_options: not next"
9397                                             " strict source route 0x%x\n",
9398                                             ntohl(dst)));
9399                                         code = (char *)&ipha->ipha_dst -
9400                                             (char *)ipha;
9401                                         goto param_prob; /* RouterReq's */
9402                                 }
9403                                 ip2dbg(("ip_input_options: "
9404                                     "not next source route 0x%x\n",
9405                                     ntohl(dst)));
9406                                 break;
9407                         }
9408 
9409                         if ((opts.ipoptp_flags & IPOPTP_ERROR) != 0) {
9410                                 ip1dbg((
9411                                     "ip_input_options: bad option offset\n"));
9412                                 code = (char *)&opt[IPOPT_OLEN] -
9413                                     (char *)ipha;
9414                                 goto param_prob;
9415                         }
9416                         off = opt[IPOPT_OFFSET];
9417                         off--;
9418                 redo_srr:
9419                         if (optlen < IP_ADDR_LEN ||
9420                             off > optlen - IP_ADDR_LEN) {
9421                                 /* End of source route */
9422                                 ip1dbg(("ip_input_options: end of SR\n"));
9423                                 break;
9424                         }
9425                         bcopy((char *)opt + off, &dst, IP_ADDR_LEN);
9426                         ip1dbg(("ip_input_options: next hop 0x%x\n",
9427                             ntohl(dst)));
9428 
9429                         /*
9430                          * Check if our address is present more than
9431                          * once as consecutive hops in source route.
9432                          * XXX verify per-interface ip_forwarding
9433                          * for source route?
9434                          */
9435                         if (ip_type_v4(dst, ipst) == IRE_LOCAL) {
9436                                 off += IP_ADDR_LEN;
9437                                 goto redo_srr;
9438                         }
9439 
9440                         if (dst == htonl(INADDR_LOOPBACK)) {
9441                                 ip1dbg(("ip_input_options: loopback addr in "
9442                                     "source route!\n"));
9443                                 goto bad_src_route;
9444                         }
9445                         /*
9446                          * For strict: verify that dst is directly
9447                          * reachable.
9448                          */
9449                         if (optval == IPOPT_SSRR) {
9450                                 ire = ire_ftable_lookup_v4(dst, 0, 0,
9451                                     IRE_INTERFACE, NULL, ALL_ZONES,
9452                                     ira->ira_tsl,
9453                                     MATCH_IRE_TYPE | MATCH_IRE_SECATTR, 0, ipst,
9454                                     NULL);
9455                                 if (ire == NULL) {
9456                                         ip1dbg(("ip_input_options: SSRR not "
9457                                             "directly reachable: 0x%x\n",
9458                                             ntohl(dst)));
9459                                         goto bad_src_route;
9460                                 }
9461                                 ire_refrele(ire);
9462                         }
9463                         /*
9464                          * Defer update of the offset and the record route
9465                          * until the packet is forwarded.
9466                          */
9467                         break;
9468                 case IPOPT_RR:
9469                         if ((opts.ipoptp_flags & IPOPTP_ERROR) != 0) {
9470                                 ip1dbg((
9471                                     "ip_input_options: bad option offset\n"));
9472                                 code = (char *)&opt[IPOPT_OLEN] -
9473                                     (char *)ipha;
9474                                 goto param_prob;
9475                         }
9476                         break;
9477                 case IPOPT_TS:
9478                         /*
9479                          * Verify that length >= 5 and that there is either
9480                          * room for another timestamp or that the overflow
9481                          * counter is not maxed out.
9482                          */
9483                         code = (char *)&opt[IPOPT_OLEN] - (char *)ipha;
9484                         if (optlen < IPOPT_MINLEN_IT) {
9485                                 goto param_prob;
9486                         }
9487                         if ((opts.ipoptp_flags & IPOPTP_ERROR) != 0) {
9488                                 ip1dbg((
9489                                     "ip_input_options: bad option offset\n"));
9490                                 code = (char *)&opt[IPOPT_OFFSET] -
9491                                     (char *)ipha;
9492                                 goto param_prob;
9493                         }
9494                         switch (opt[IPOPT_POS_OV_FLG] & 0x0F) {
9495                         case IPOPT_TS_TSONLY:
9496                                 off = IPOPT_TS_TIMELEN;
9497                                 break;
9498                         case IPOPT_TS_TSANDADDR:
9499                         case IPOPT_TS_PRESPEC:
9500                         case IPOPT_TS_PRESPEC_RFC791:
9501                                 off = IP_ADDR_LEN + IPOPT_TS_TIMELEN;
9502                                 break;
9503                         default:
9504                                 code = (char *)&opt[IPOPT_POS_OV_FLG] -
9505                                     (char *)ipha;
9506                                 goto param_prob;
9507                         }
9508                         if (opt[IPOPT_OFFSET] - 1 + off > optlen &&
9509                             (opt[IPOPT_POS_OV_FLG] & 0xF0) == 0xF0) {
9510                                 /*
9511                                  * No room and the overflow counter is 15
9512                                  * already.
9513                                  */
9514                                 goto param_prob;
9515                         }
9516                         break;
9517                 }
9518         }
9519 
9520         if ((opts.ipoptp_flags & IPOPTP_ERROR) == 0) {
9521                 return (dst);
9522         }
9523 
9524         ip1dbg(("ip_input_options: error processing IP options."));
9525         code = (char *)&opt[IPOPT_OFFSET] - (char *)ipha;
9526 
9527 param_prob:
9528         /* make sure we clear any indication of a hardware checksum */
9529         DB_CKSUMFLAGS(mp) = 0;
9530         ip_drop_input("ICMP_PARAM_PROBLEM", mp, ira->ira_ill);
9531         icmp_param_problem(mp, (uint8_t)code, ira);
9532         *errorp = -1;
9533         return (dst);
9534 
9535 bad_src_route:
9536         /* make sure we clear any indication of a hardware checksum */
9537         DB_CKSUMFLAGS(mp) = 0;
9538         ip_drop_input("ICMP_SOURCE_ROUTE_FAILED", mp, ira->ira_ill);
9539         icmp_unreachable(mp, ICMP_SOURCE_ROUTE_FAILED, ira);
9540         *errorp = -1;
9541         return (dst);
9542 }
9543 
9544 /*
9545  * IP & ICMP info in >=14 msg's ...
9546  *  - ip fixed part (mib2_ip_t)
9547  *  - icmp fixed part (mib2_icmp_t)
9548  *  - ipAddrEntryTable (ip 20)          all IPv4 ipifs
9549  *  - ipRouteEntryTable (ip 21)         all IPv4 IREs
9550  *  - ipNetToMediaEntryTable (ip 22)    all IPv4 Neighbor Cache entries
9551  *  - ipRouteAttributeTable (ip 102)    labeled routes
9552  *  - ip multicast membership (ip_member_t)
9553  *  - ip multicast source filtering (ip_grpsrc_t)
9554  *  - igmp fixed part (struct igmpstat)
9555  *  - multicast routing stats (struct mrtstat)
9556  *  - multicast routing vifs (array of struct vifctl)
9557  *  - multicast routing routes (array of struct mfcctl)
9558  *  - ip6 fixed part (mib2_ipv6IfStatsEntry_t)
9559  *                                      One per ill plus one generic
9560  *  - icmp6 fixed part (mib2_ipv6IfIcmpEntry_t)
9561  *                                      One per ill plus one generic
9562  *  - ipv6RouteEntry                    all IPv6 IREs
9563  *  - ipv6RouteAttributeTable (ip6 102) labeled routes
9564  *  - ipv6NetToMediaEntry               all IPv6 Neighbor Cache entries
9565  *  - ipv6AddrEntry                     all IPv6 ipifs
9566  *  - ipv6 multicast membership (ipv6_member_t)
9567  *  - ipv6 multicast source filtering (ipv6_grpsrc_t)
9568  *
9569  * NOTE: original mpctl is copied for msg's 2..N, since its ctl part is
9570  * already filled in by the caller.
9571  * If legacy_req is true then MIB structures needs to be truncated to their
9572  * legacy sizes before being returned.
9573  * Return value of 0 indicates that no messages were sent and caller
9574  * should free mpctl.
9575  */
9576 int
9577 ip_snmp_get(queue_t *q, mblk_t *mpctl, int level, boolean_t legacy_req)
9578 {
9579         ip_stack_t *ipst;
9580         sctp_stack_t *sctps;
9581 
9582         if (q->q_next != NULL) {
9583                 ipst = ILLQ_TO_IPST(q);
9584         } else {
9585                 ipst = CONNQ_TO_IPST(q);
9586         }
9587         ASSERT(ipst != NULL);
9588         sctps = ipst->ips_netstack->netstack_sctp;
9589 
9590         if (mpctl == NULL || mpctl->b_cont == NULL) {
9591                 return (0);
9592         }
9593 
9594         /*
9595          * For the purposes of the (broken) packet shell use
9596          * of the level we make sure MIB2_TCP/MIB2_UDP can be used
9597          * to make TCP and UDP appear first in the list of mib items.
9598          * TBD: We could expand this and use it in netstat so that
9599          * the kernel doesn't have to produce large tables (connections,
9600          * routes, etc) when netstat only wants the statistics or a particular
9601          * table.
9602          */
9603         if (!(level == MIB2_TCP || level == MIB2_UDP)) {
9604                 if ((mpctl = icmp_snmp_get(q, mpctl)) == NULL) {
9605                         return (1);
9606                 }
9607         }
9608 
9609         if (level != MIB2_TCP) {
9610                 if ((mpctl = udp_snmp_get(q, mpctl, legacy_req)) == NULL) {
9611                         return (1);
9612                 }
9613         }
9614 
9615         if (level != MIB2_UDP) {
9616                 if ((mpctl = tcp_snmp_get(q, mpctl, legacy_req)) == NULL) {
9617                         return (1);
9618                 }
9619         }
9620 
9621         if ((mpctl = ip_snmp_get_mib2_ip_traffic_stats(q, mpctl,
9622             ipst, legacy_req)) == NULL) {
9623                 return (1);
9624         }
9625 
9626         if ((mpctl = ip_snmp_get_mib2_ip6(q, mpctl, ipst,
9627             legacy_req)) == NULL) {
9628                 return (1);
9629         }
9630 
9631         if ((mpctl = ip_snmp_get_mib2_icmp(q, mpctl, ipst)) == NULL) {
9632                 return (1);
9633         }
9634 
9635         if ((mpctl = ip_snmp_get_mib2_icmp6(q, mpctl, ipst)) == NULL) {
9636                 return (1);
9637         }
9638 
9639         if ((mpctl = ip_snmp_get_mib2_igmp(q, mpctl, ipst)) == NULL) {
9640                 return (1);
9641         }
9642 
9643         if ((mpctl = ip_snmp_get_mib2_multi(q, mpctl, ipst)) == NULL) {
9644                 return (1);
9645         }
9646 
9647         if ((mpctl = ip_snmp_get_mib2_ip_addr(q, mpctl, ipst,
9648             legacy_req)) == NULL) {
9649                 return (1);
9650         }
9651 
9652         if ((mpctl = ip_snmp_get_mib2_ip6_addr(q, mpctl, ipst,
9653             legacy_req)) == NULL) {
9654                 return (1);
9655         }
9656 
9657         if ((mpctl = ip_snmp_get_mib2_ip_group_mem(q, mpctl, ipst)) == NULL) {
9658                 return (1);
9659         }
9660 
9661         if ((mpctl = ip_snmp_get_mib2_ip6_group_mem(q, mpctl, ipst)) == NULL) {
9662                 return (1);
9663         }
9664 
9665         if ((mpctl = ip_snmp_get_mib2_ip_group_src(q, mpctl, ipst)) == NULL) {
9666                 return (1);
9667         }
9668 
9669         if ((mpctl = ip_snmp_get_mib2_ip6_group_src(q, mpctl, ipst)) == NULL) {
9670                 return (1);
9671         }
9672 
9673         if ((mpctl = ip_snmp_get_mib2_virt_multi(q, mpctl, ipst)) == NULL) {
9674                 return (1);
9675         }
9676 
9677         if ((mpctl = ip_snmp_get_mib2_multi_rtable(q, mpctl, ipst)) == NULL) {
9678                 return (1);
9679         }
9680 
9681         mpctl = ip_snmp_get_mib2_ip_route_media(q, mpctl, level, ipst);
9682         if (mpctl == NULL)
9683                 return (1);
9684 
9685         mpctl = ip_snmp_get_mib2_ip6_route_media(q, mpctl, level, ipst);
9686         if (mpctl == NULL)
9687                 return (1);
9688 
9689         if ((mpctl = sctp_snmp_get_mib2(q, mpctl, sctps)) == NULL) {
9690                 return (1);
9691         }
9692 
9693         if ((mpctl = ip_snmp_get_mib2_ip_dce(q, mpctl, ipst)) == NULL) {
9694                 return (1);
9695         }
9696 
9697         if ((mpctl = dccp_snmp_get(q, mpctl, legacy_req)) == NULL) {
9698                 return (1);
9699         }
9700 
9701         freemsg(mpctl);
9702         return (1);
9703 }
9704 
9705 /* Get global (legacy) IPv4 statistics */
9706 static mblk_t *
9707 ip_snmp_get_mib2_ip(queue_t *q, mblk_t *mpctl, mib2_ipIfStatsEntry_t *ipmib,
9708     ip_stack_t *ipst, boolean_t legacy_req)
9709 {
9710         mib2_ip_t               old_ip_mib;
9711         struct opthdr           *optp;
9712         mblk_t                  *mp2ctl;
9713         mib2_ipAddrEntry_t      mae;
9714 
9715         /*
9716          * make a copy of the original message
9717          */
9718         mp2ctl = copymsg(mpctl);
9719 
9720         /* fixed length IP structure... */
9721         optp = (struct opthdr *)&mpctl->b_rptr[sizeof (struct T_optmgmt_ack)];
9722         optp->level = MIB2_IP;
9723         optp->name = 0;
9724         SET_MIB(old_ip_mib.ipForwarding,
9725             (WE_ARE_FORWARDING(ipst) ? 1 : 2));
9726         SET_MIB(old_ip_mib.ipDefaultTTL,
9727             (uint32_t)ipst->ips_ip_def_ttl);
9728         SET_MIB(old_ip_mib.ipReasmTimeout,
9729             ipst->ips_ip_reassembly_timeout);
9730         SET_MIB(old_ip_mib.ipAddrEntrySize,
9731             (legacy_req) ? LEGACY_MIB_SIZE(&mae, mib2_ipAddrEntry_t) :
9732             sizeof (mib2_ipAddrEntry_t));
9733         SET_MIB(old_ip_mib.ipRouteEntrySize,
9734             sizeof (mib2_ipRouteEntry_t));
9735         SET_MIB(old_ip_mib.ipNetToMediaEntrySize,
9736             sizeof (mib2_ipNetToMediaEntry_t));
9737         SET_MIB(old_ip_mib.ipMemberEntrySize, sizeof (ip_member_t));
9738         SET_MIB(old_ip_mib.ipGroupSourceEntrySize, sizeof (ip_grpsrc_t));
9739         SET_MIB(old_ip_mib.ipRouteAttributeSize,
9740             sizeof (mib2_ipAttributeEntry_t));
9741         SET_MIB(old_ip_mib.transportMLPSize, sizeof (mib2_transportMLPEntry_t));
9742         SET_MIB(old_ip_mib.ipDestEntrySize, sizeof (dest_cache_entry_t));
9743 
9744         /*
9745          * Grab the statistics from the new IP MIB
9746          */
9747         SET_MIB(old_ip_mib.ipInReceives,
9748             (uint32_t)ipmib->ipIfStatsHCInReceives);
9749         SET_MIB(old_ip_mib.ipInHdrErrors, ipmib->ipIfStatsInHdrErrors);
9750         SET_MIB(old_ip_mib.ipInAddrErrors, ipmib->ipIfStatsInAddrErrors);
9751         SET_MIB(old_ip_mib.ipForwDatagrams,
9752             (uint32_t)ipmib->ipIfStatsHCOutForwDatagrams);
9753         SET_MIB(old_ip_mib.ipInUnknownProtos,
9754             ipmib->ipIfStatsInUnknownProtos);
9755         SET_MIB(old_ip_mib.ipInDiscards, ipmib->ipIfStatsInDiscards);
9756         SET_MIB(old_ip_mib.ipInDelivers,
9757             (uint32_t)ipmib->ipIfStatsHCInDelivers);
9758         SET_MIB(old_ip_mib.ipOutRequests,
9759             (uint32_t)ipmib->ipIfStatsHCOutRequests);
9760         SET_MIB(old_ip_mib.ipOutDiscards, ipmib->ipIfStatsOutDiscards);
9761         SET_MIB(old_ip_mib.ipOutNoRoutes, ipmib->ipIfStatsOutNoRoutes);
9762         SET_MIB(old_ip_mib.ipReasmReqds, ipmib->ipIfStatsReasmReqds);
9763         SET_MIB(old_ip_mib.ipReasmOKs, ipmib->ipIfStatsReasmOKs);
9764         SET_MIB(old_ip_mib.ipReasmFails, ipmib->ipIfStatsReasmFails);
9765         SET_MIB(old_ip_mib.ipFragOKs, ipmib->ipIfStatsOutFragOKs);
9766         SET_MIB(old_ip_mib.ipFragFails, ipmib->ipIfStatsOutFragFails);
9767         SET_MIB(old_ip_mib.ipFragCreates, ipmib->ipIfStatsOutFragCreates);
9768 
9769         /* ipRoutingDiscards is not being used */
9770         SET_MIB(old_ip_mib.ipRoutingDiscards, 0);
9771         SET_MIB(old_ip_mib.tcpInErrs, ipmib->tcpIfStatsInErrs);
9772         SET_MIB(old_ip_mib.udpNoPorts, ipmib->udpIfStatsNoPorts);
9773         SET_MIB(old_ip_mib.ipInCksumErrs, ipmib->ipIfStatsInCksumErrs);
9774         SET_MIB(old_ip_mib.ipReasmDuplicates,
9775             ipmib->ipIfStatsReasmDuplicates);
9776         SET_MIB(old_ip_mib.ipReasmPartDups, ipmib->ipIfStatsReasmPartDups);
9777         SET_MIB(old_ip_mib.ipForwProhibits, ipmib->ipIfStatsForwProhibits);
9778         SET_MIB(old_ip_mib.udpInCksumErrs, ipmib->udpIfStatsInCksumErrs);
9779         SET_MIB(old_ip_mib.udpInOverflows, ipmib->udpIfStatsInOverflows);
9780         SET_MIB(old_ip_mib.rawipInOverflows,
9781             ipmib->rawipIfStatsInOverflows);
9782 
9783         SET_MIB(old_ip_mib.ipsecInSucceeded, ipmib->ipsecIfStatsInSucceeded);
9784         SET_MIB(old_ip_mib.ipsecInFailed, ipmib->ipsecIfStatsInFailed);
9785         SET_MIB(old_ip_mib.ipInIPv6, ipmib->ipIfStatsInWrongIPVersion);
9786         SET_MIB(old_ip_mib.ipOutIPv6, ipmib->ipIfStatsOutWrongIPVersion);
9787         SET_MIB(old_ip_mib.ipOutSwitchIPv6,
9788             ipmib->ipIfStatsOutSwitchIPVersion);
9789 
9790         if (!snmp_append_data(mpctl->b_cont, (char *)&old_ip_mib,
9791             (int)sizeof (old_ip_mib))) {
9792                 ip1dbg(("ip_snmp_get_mib2_ip: failed to allocate %u bytes\n",
9793                     (uint_t)sizeof (old_ip_mib)));
9794         }
9795 
9796         optp->len = (t_uscalar_t)msgdsize(mpctl->b_cont);
9797         ip3dbg(("ip_snmp_get_mib2_ip: level %d, name %d, len %d\n",
9798             (int)optp->level, (int)optp->name, (int)optp->len));
9799         qreply(q, mpctl);
9800         return (mp2ctl);
9801 }
9802 
9803 /* Per interface IPv4 statistics */
9804 static mblk_t *
9805 ip_snmp_get_mib2_ip_traffic_stats(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst,
9806     boolean_t legacy_req)
9807 {
9808         struct opthdr           *optp;
9809         mblk_t                  *mp2ctl;
9810         ill_t                   *ill;
9811         ill_walk_context_t      ctx;
9812         mblk_t                  *mp_tail = NULL;
9813         mib2_ipIfStatsEntry_t   global_ip_mib;
9814         mib2_ipAddrEntry_t      mae;
9815 
9816         /*
9817          * Make a copy of the original message
9818          */
9819         mp2ctl = copymsg(mpctl);
9820 
9821         optp = (struct opthdr *)&mpctl->b_rptr[sizeof (struct T_optmgmt_ack)];
9822         optp->level = MIB2_IP;
9823         optp->name = MIB2_IP_TRAFFIC_STATS;
9824         /* Include "unknown interface" ip_mib */
9825         ipst->ips_ip_mib.ipIfStatsIPVersion = MIB2_INETADDRESSTYPE_ipv4;
9826         ipst->ips_ip_mib.ipIfStatsIfIndex =
9827             MIB2_UNKNOWN_INTERFACE; /* Flag to netstat */
9828         SET_MIB(ipst->ips_ip_mib.ipIfStatsForwarding,
9829             (ipst->ips_ip_forwarding ? 1 : 2));
9830         SET_MIB(ipst->ips_ip_mib.ipIfStatsDefaultTTL,
9831             (uint32_t)ipst->ips_ip_def_ttl);
9832         SET_MIB(ipst->ips_ip_mib.ipIfStatsEntrySize,
9833             sizeof (mib2_ipIfStatsEntry_t));
9834         SET_MIB(ipst->ips_ip_mib.ipIfStatsAddrEntrySize,
9835             sizeof (mib2_ipAddrEntry_t));
9836         SET_MIB(ipst->ips_ip_mib.ipIfStatsRouteEntrySize,
9837             sizeof (mib2_ipRouteEntry_t));
9838         SET_MIB(ipst->ips_ip_mib.ipIfStatsNetToMediaEntrySize,
9839             sizeof (mib2_ipNetToMediaEntry_t));
9840         SET_MIB(ipst->ips_ip_mib.ipIfStatsMemberEntrySize,
9841             sizeof (ip_member_t));
9842         SET_MIB(ipst->ips_ip_mib.ipIfStatsGroupSourceEntrySize,
9843             sizeof (ip_grpsrc_t));
9844 
9845         bcopy(&ipst->ips_ip_mib, &global_ip_mib, sizeof (global_ip_mib));
9846 
9847         if (legacy_req) {
9848                 SET_MIB(global_ip_mib.ipIfStatsAddrEntrySize,
9849                     LEGACY_MIB_SIZE(&mae, mib2_ipAddrEntry_t));
9850         }
9851 
9852         if (!snmp_append_data2(mpctl->b_cont, &mp_tail,
9853             (char *)&global_ip_mib, (int)sizeof (global_ip_mib))) {
9854                 ip1dbg(("ip_snmp_get_mib2_ip_traffic_stats: "
9855                     "failed to allocate %u bytes\n",
9856                     (uint_t)sizeof (global_ip_mib)));
9857         }
9858 
9859         rw_enter(&ipst->ips_ill_g_lock, RW_READER);
9860         ill = ILL_START_WALK_V4(&ctx, ipst);
9861         for (; ill != NULL; ill = ill_next(&ctx, ill)) {
9862                 ill->ill_ip_mib->ipIfStatsIfIndex =
9863                     ill->ill_phyint->phyint_ifindex;
9864                 SET_MIB(ill->ill_ip_mib->ipIfStatsForwarding,
9865                     (ipst->ips_ip_forwarding ? 1 : 2));
9866                 SET_MIB(ill->ill_ip_mib->ipIfStatsDefaultTTL,
9867                     (uint32_t)ipst->ips_ip_def_ttl);
9868 
9869                 ip_mib2_add_ip_stats(&global_ip_mib, ill->ill_ip_mib);
9870                 if (!snmp_append_data2(mpctl->b_cont, &mp_tail,
9871                     (char *)ill->ill_ip_mib,
9872                     (int)sizeof (*ill->ill_ip_mib))) {
9873                         ip1dbg(("ip_snmp_get_mib2_ip_traffic_stats: "
9874                             "failed to allocate %u bytes\n",
9875                             (uint_t)sizeof (*ill->ill_ip_mib)));
9876                 }
9877         }
9878         rw_exit(&ipst->ips_ill_g_lock);
9879 
9880         optp->len = (t_uscalar_t)msgdsize(mpctl->b_cont);
9881         ip3dbg(("ip_snmp_get_mib2_ip_traffic_stats: "
9882             "level %d, name %d, len %d\n",
9883             (int)optp->level, (int)optp->name, (int)optp->len));
9884         qreply(q, mpctl);
9885 
9886         if (mp2ctl == NULL)
9887                 return (NULL);
9888 
9889         return (ip_snmp_get_mib2_ip(q, mp2ctl, &global_ip_mib, ipst,
9890             legacy_req));
9891 }
9892 
9893 /* Global IPv4 ICMP statistics */
9894 static mblk_t *
9895 ip_snmp_get_mib2_icmp(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst)
9896 {
9897         struct opthdr           *optp;
9898         mblk_t                  *mp2ctl;
9899 
9900         /*
9901          * Make a copy of the original message
9902          */
9903         mp2ctl = copymsg(mpctl);
9904 
9905         optp = (struct opthdr *)&mpctl->b_rptr[sizeof (struct T_optmgmt_ack)];
9906         optp->level = MIB2_ICMP;
9907         optp->name = 0;
9908         if (!snmp_append_data(mpctl->b_cont, (char *)&ipst->ips_icmp_mib,
9909             (int)sizeof (ipst->ips_icmp_mib))) {
9910                 ip1dbg(("ip_snmp_get_mib2_icmp: failed to allocate %u bytes\n",
9911                     (uint_t)sizeof (ipst->ips_icmp_mib)));
9912         }
9913         optp->len = (t_uscalar_t)msgdsize(mpctl->b_cont);
9914         ip3dbg(("ip_snmp_get_mib2_icmp: level %d, name %d, len %d\n",
9915             (int)optp->level, (int)optp->name, (int)optp->len));
9916         qreply(q, mpctl);
9917         return (mp2ctl);
9918 }
9919 
9920 /* Global IPv4 IGMP statistics */
9921 static mblk_t *
9922 ip_snmp_get_mib2_igmp(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst)
9923 {
9924         struct opthdr           *optp;
9925         mblk_t                  *mp2ctl;
9926 
9927         /*
9928          * make a copy of the original message
9929          */
9930         mp2ctl = copymsg(mpctl);
9931 
9932         optp = (struct opthdr *)&mpctl->b_rptr[sizeof (struct T_optmgmt_ack)];
9933         optp->level = EXPER_IGMP;
9934         optp->name = 0;
9935         if (!snmp_append_data(mpctl->b_cont, (char *)&ipst->ips_igmpstat,
9936             (int)sizeof (ipst->ips_igmpstat))) {
9937                 ip1dbg(("ip_snmp_get_mib2_igmp: failed to allocate %u bytes\n",
9938                     (uint_t)sizeof (ipst->ips_igmpstat)));
9939         }
9940         optp->len = (t_uscalar_t)msgdsize(mpctl->b_cont);
9941         ip3dbg(("ip_snmp_get_mib2_igmp: level %d, name %d, len %d\n",
9942             (int)optp->level, (int)optp->name, (int)optp->len));
9943         qreply(q, mpctl);
9944         return (mp2ctl);
9945 }
9946 
9947 /* Global IPv4 Multicast Routing statistics */
9948 static mblk_t *
9949 ip_snmp_get_mib2_multi(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst)
9950 {
9951         struct opthdr           *optp;
9952         mblk_t                  *mp2ctl;
9953 
9954         /*
9955          * make a copy of the original message
9956          */
9957         mp2ctl = copymsg(mpctl);
9958 
9959         optp = (struct opthdr *)&mpctl->b_rptr[sizeof (struct T_optmgmt_ack)];
9960         optp->level = EXPER_DVMRP;
9961         optp->name = 0;
9962         if (!ip_mroute_stats(mpctl->b_cont, ipst)) {
9963                 ip0dbg(("ip_mroute_stats: failed\n"));
9964         }
9965         optp->len = (t_uscalar_t)msgdsize(mpctl->b_cont);
9966         ip3dbg(("ip_snmp_get_mib2_multi: level %d, name %d, len %d\n",
9967             (int)optp->level, (int)optp->name, (int)optp->len));
9968         qreply(q, mpctl);
9969         return (mp2ctl);
9970 }
9971 
9972 /* IPv4 address information */
9973 static mblk_t *
9974 ip_snmp_get_mib2_ip_addr(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst,
9975     boolean_t legacy_req)
9976 {
9977         struct opthdr           *optp;
9978         mblk_t                  *mp2ctl;
9979         mblk_t                  *mp_tail = NULL;
9980         ill_t                   *ill;
9981         ipif_t                  *ipif;
9982         uint_t                  bitval;
9983         mib2_ipAddrEntry_t      mae;
9984         size_t                  mae_size;
9985         zoneid_t                zoneid;
9986         ill_walk_context_t      ctx;
9987 
9988         /*
9989          * make a copy of the original message
9990          */
9991         mp2ctl = copymsg(mpctl);
9992 
9993         mae_size = (legacy_req) ? LEGACY_MIB_SIZE(&mae, mib2_ipAddrEntry_t) :
9994             sizeof (mib2_ipAddrEntry_t);
9995 
9996         /* ipAddrEntryTable */
9997 
9998         optp = (struct opthdr *)&mpctl->b_rptr[sizeof (struct T_optmgmt_ack)];
9999         optp->level = MIB2_IP;
10000         optp->name = MIB2_IP_ADDR;
10001         zoneid = Q_TO_CONN(q)->conn_zoneid;
10002 
10003         rw_enter(&ipst->ips_ill_g_lock, RW_READER);
10004         ill = ILL_START_WALK_V4(&ctx, ipst);
10005         for (; ill != NULL; ill = ill_next(&ctx, ill)) {
10006                 for (ipif = ill->ill_ipif; ipif != NULL;
10007                     ipif = ipif->ipif_next) {
10008                         if (ipif->ipif_zoneid != zoneid &&
10009                             ipif->ipif_zoneid != ALL_ZONES)
10010                                 continue;
10011                         /* Sum of count from dead IRE_LO* and our current */
10012                         mae.ipAdEntInfo.ae_ibcnt = ipif->ipif_ib_pkt_count;
10013                         if (ipif->ipif_ire_local != NULL) {
10014                                 mae.ipAdEntInfo.ae_ibcnt +=
10015                                     ipif->ipif_ire_local->ire_ib_pkt_count;
10016                         }
10017                         mae.ipAdEntInfo.ae_obcnt = 0;
10018                         mae.ipAdEntInfo.ae_focnt = 0;
10019 
10020                         ipif_get_name(ipif, mae.ipAdEntIfIndex.o_bytes,
10021                             OCTET_LENGTH);
10022                         mae.ipAdEntIfIndex.o_length =
10023                             mi_strlen(mae.ipAdEntIfIndex.o_bytes);
10024                         mae.ipAdEntAddr = ipif->ipif_lcl_addr;
10025                         mae.ipAdEntNetMask = ipif->ipif_net_mask;
10026                         mae.ipAdEntInfo.ae_subnet = ipif->ipif_subnet;
10027                         mae.ipAdEntInfo.ae_subnet_len =
10028                             ip_mask_to_plen(ipif->ipif_net_mask);
10029                         mae.ipAdEntInfo.ae_src_addr = ipif->ipif_lcl_addr;
10030                         for (bitval = 1;
10031                             bitval &&
10032                             !(bitval & ipif->ipif_brd_addr);
10033                             bitval <<= 1)
10034                                 noop;
10035                         mae.ipAdEntBcastAddr = bitval;
10036                         mae.ipAdEntReasmMaxSize = IP_MAXPACKET;
10037                         mae.ipAdEntInfo.ae_mtu = ipif->ipif_ill->ill_mtu;
10038                         mae.ipAdEntInfo.ae_metric  = ipif->ipif_ill->ill_metric;
10039                         mae.ipAdEntInfo.ae_broadcast_addr =
10040                             ipif->ipif_brd_addr;
10041                         mae.ipAdEntInfo.ae_pp_dst_addr =
10042                             ipif->ipif_pp_dst_addr;
10043                         mae.ipAdEntInfo.ae_flags = ipif->ipif_flags |
10044                             ill->ill_flags | ill->ill_phyint->phyint_flags;
10045                         mae.ipAdEntRetransmitTime =
10046                             ill->ill_reachable_retrans_time;
10047 
10048                         if (!snmp_append_data2(mpctl->b_cont, &mp_tail,
10049                             (char *)&mae, (int)mae_size)) {
10050                                 ip1dbg(("ip_snmp_get_mib2_ip_addr: failed to "
10051                                     "allocate %u bytes\n", (uint_t)mae_size));
10052                         }
10053                 }
10054         }
10055         rw_exit(&ipst->ips_ill_g_lock);
10056 
10057         optp->len = (t_uscalar_t)msgdsize(mpctl->b_cont);
10058         ip3dbg(("ip_snmp_get_mib2_ip_addr: level %d, name %d, len %d\n",
10059             (int)optp->level, (int)optp->name, (int)optp->len));
10060         qreply(q, mpctl);
10061         return (mp2ctl);
10062 }
10063 
10064 /* IPv6 address information */
10065 static mblk_t *
10066 ip_snmp_get_mib2_ip6_addr(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst,
10067     boolean_t legacy_req)
10068 {
10069         struct opthdr           *optp;
10070         mblk_t                  *mp2ctl;
10071         mblk_t                  *mp_tail = NULL;
10072         ill_t                   *ill;
10073         ipif_t                  *ipif;
10074         mib2_ipv6AddrEntry_t    mae6;
10075         size_t                  mae6_size;
10076         zoneid_t                zoneid;
10077         ill_walk_context_t      ctx;
10078 
10079         /*
10080          * make a copy of the original message
10081          */
10082         mp2ctl = copymsg(mpctl);
10083 
10084         mae6_size = (legacy_req) ?
10085             LEGACY_MIB_SIZE(&mae6, mib2_ipv6AddrEntry_t) :
10086             sizeof (mib2_ipv6AddrEntry_t);
10087 
10088         /* ipv6AddrEntryTable */
10089 
10090         optp = (struct opthdr *)&mpctl->b_rptr[sizeof (struct T_optmgmt_ack)];
10091         optp->level = MIB2_IP6;
10092         optp->name = MIB2_IP6_ADDR;
10093         zoneid = Q_TO_CONN(q)->conn_zoneid;
10094 
10095         rw_enter(&ipst->ips_ill_g_lock, RW_READER);
10096         ill = ILL_START_WALK_V6(&ctx, ipst);
10097         for (; ill != NULL; ill = ill_next(&ctx, ill)) {
10098                 for (ipif = ill->ill_ipif; ipif != NULL;
10099                     ipif = ipif->ipif_next) {
10100                         if (ipif->ipif_zoneid != zoneid &&
10101                             ipif->ipif_zoneid != ALL_ZONES)
10102                                 continue;
10103                         /* Sum of count from dead IRE_LO* and our current */
10104                         mae6.ipv6AddrInfo.ae_ibcnt = ipif->ipif_ib_pkt_count;
10105                         if (ipif->ipif_ire_local != NULL) {
10106                                 mae6.ipv6AddrInfo.ae_ibcnt +=
10107                                     ipif->ipif_ire_local->ire_ib_pkt_count;
10108                         }
10109                         mae6.ipv6AddrInfo.ae_obcnt = 0;
10110                         mae6.ipv6AddrInfo.ae_focnt = 0;
10111 
10112                         ipif_get_name(ipif, mae6.ipv6AddrIfIndex.o_bytes,
10113                             OCTET_LENGTH);
10114                         mae6.ipv6AddrIfIndex.o_length =
10115                             mi_strlen(mae6.ipv6AddrIfIndex.o_bytes);
10116                         mae6.ipv6AddrAddress = ipif->ipif_v6lcl_addr;
10117                         mae6.ipv6AddrPfxLength =
10118                             ip_mask_to_plen_v6(&ipif->ipif_v6net_mask);
10119                         mae6.ipv6AddrInfo.ae_subnet = ipif->ipif_v6subnet;
10120                         mae6.ipv6AddrInfo.ae_subnet_len =
10121                             mae6.ipv6AddrPfxLength;
10122                         mae6.ipv6AddrInfo.ae_src_addr = ipif->ipif_v6lcl_addr;
10123 
10124                         /* Type: stateless(1), stateful(2), unknown(3) */
10125                         if (ipif->ipif_flags & IPIF_ADDRCONF)
10126                                 mae6.ipv6AddrType = 1;
10127                         else
10128                                 mae6.ipv6AddrType = 2;
10129                         /* Anycast: true(1), false(2) */
10130                         if (ipif->ipif_flags & IPIF_ANYCAST)
10131                                 mae6.ipv6AddrAnycastFlag = 1;
10132                         else
10133                                 mae6.ipv6AddrAnycastFlag = 2;
10134 
10135                         /*
10136                          * Address status: preferred(1), deprecated(2),
10137                          * invalid(3), inaccessible(4), unknown(5)
10138                          */
10139                         if (ipif->ipif_flags & IPIF_NOLOCAL)
10140                                 mae6.ipv6AddrStatus = 3;
10141                         else if (ipif->ipif_flags & IPIF_DEPRECATED)
10142                                 mae6.ipv6AddrStatus = 2;
10143                         else
10144                                 mae6.ipv6AddrStatus = 1;
10145                         mae6.ipv6AddrInfo.ae_mtu = ipif->ipif_ill->ill_mtu;
10146                         mae6.ipv6AddrInfo.ae_metric  =
10147                             ipif->ipif_ill->ill_metric;
10148                         mae6.ipv6AddrInfo.ae_pp_dst_addr =
10149                             ipif->ipif_v6pp_dst_addr;
10150                         mae6.ipv6AddrInfo.ae_flags = ipif->ipif_flags |
10151                             ill->ill_flags | ill->ill_phyint->phyint_flags;
10152                         mae6.ipv6AddrReasmMaxSize = IP_MAXPACKET;
10153                         mae6.ipv6AddrIdentifier = ill->ill_token;
10154                         mae6.ipv6AddrIdentifierLen = ill->ill_token_length;
10155                         mae6.ipv6AddrReachableTime = ill->ill_reachable_time;
10156                         mae6.ipv6AddrRetransmitTime =
10157                             ill->ill_reachable_retrans_time;
10158                         if (!snmp_append_data2(mpctl->b_cont, &mp_tail,
10159                             (char *)&mae6, (int)mae6_size)) {
10160                                 ip1dbg(("ip_snmp_get_mib2_ip6_addr: failed to "
10161                                     "allocate %u bytes\n",
10162                                     (uint_t)mae6_size));
10163                         }
10164                 }
10165         }
10166         rw_exit(&ipst->ips_ill_g_lock);
10167 
10168         optp->len = (t_uscalar_t)msgdsize(mpctl->b_cont);
10169         ip3dbg(("ip_snmp_get_mib2_ip6_addr: level %d, name %d, len %d\n",
10170             (int)optp->level, (int)optp->name, (int)optp->len));
10171         qreply(q, mpctl);
10172         return (mp2ctl);
10173 }
10174 
10175 /* IPv4 multicast group membership. */
10176 static mblk_t *
10177 ip_snmp_get_mib2_ip_group_mem(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst)
10178 {
10179         struct opthdr           *optp;
10180         mblk_t                  *mp2ctl;
10181         ill_t                   *ill;
10182         ipif_t                  *ipif;
10183         ilm_t                   *ilm;
10184         ip_member_t             ipm;
10185         mblk_t                  *mp_tail = NULL;
10186         ill_walk_context_t      ctx;
10187         zoneid_t                zoneid;
10188 
10189         /*
10190          * make a copy of the original message
10191          */
10192         mp2ctl = copymsg(mpctl);
10193         zoneid = Q_TO_CONN(q)->conn_zoneid;
10194 
10195         /* ipGroupMember table */
10196         optp = (struct opthdr *)&mpctl->b_rptr[
10197             sizeof (struct T_optmgmt_ack)];
10198         optp->level = MIB2_IP;
10199         optp->name = EXPER_IP_GROUP_MEMBERSHIP;
10200 
10201         rw_enter(&ipst->ips_ill_g_lock, RW_READER);
10202         ill = ILL_START_WALK_V4(&ctx, ipst);
10203         for (; ill != NULL; ill = ill_next(&ctx, ill)) {
10204                 /* Make sure the ill isn't going away. */
10205                 if (!ill_check_and_refhold(ill))
10206                         continue;
10207                 rw_exit(&ipst->ips_ill_g_lock);
10208                 rw_enter(&ill->ill_mcast_lock, RW_READER);
10209                 for (ilm = ill->ill_ilm; ilm; ilm = ilm->ilm_next) {
10210                         if (ilm->ilm_zoneid != zoneid &&
10211                             ilm->ilm_zoneid != ALL_ZONES)
10212                                 continue;
10213 
10214                         /* Is there an ipif for ilm_ifaddr? */
10215                         for (ipif = ill->ill_ipif; ipif != NULL;
10216                             ipif = ipif->ipif_next) {
10217                                 if (!IPIF_IS_CONDEMNED(ipif) &&
10218                                     ipif->ipif_lcl_addr == ilm->ilm_ifaddr &&
10219                                     ilm->ilm_ifaddr != INADDR_ANY)
10220                                         break;
10221                         }
10222                         if (ipif != NULL) {
10223                                 ipif_get_name(ipif,
10224                                     ipm.ipGroupMemberIfIndex.o_bytes,
10225                                     OCTET_LENGTH);
10226                         } else {
10227                                 ill_get_name(ill,
10228                                     ipm.ipGroupMemberIfIndex.o_bytes,
10229                                     OCTET_LENGTH);
10230                         }
10231                         ipm.ipGroupMemberIfIndex.o_length =
10232                             mi_strlen(ipm.ipGroupMemberIfIndex.o_bytes);
10233 
10234                         ipm.ipGroupMemberAddress = ilm->ilm_addr;
10235                         ipm.ipGroupMemberRefCnt = ilm->ilm_refcnt;
10236                         ipm.ipGroupMemberFilterMode = ilm->ilm_fmode;
10237                         if (!snmp_append_data2(mpctl->b_cont, &mp_tail,
10238                             (char *)&ipm, (int)sizeof (ipm))) {
10239                                 ip1dbg(("ip_snmp_get_mib2_ip_group: "
10240                                     "failed to allocate %u bytes\n",
10241                                     (uint_t)sizeof (ipm)));
10242                         }
10243                 }
10244                 rw_exit(&ill->ill_mcast_lock);
10245                 ill_refrele(ill);
10246                 rw_enter(&ipst->ips_ill_g_lock, RW_READER);
10247         }
10248         rw_exit(&ipst->ips_ill_g_lock);
10249         optp->len = (t_uscalar_t)msgdsize(mpctl->b_cont);
10250         ip3dbg(("ip_snmp_get: level %d, name %d, len %d\n",
10251             (int)optp->level, (int)optp->name, (int)optp->len));
10252         qreply(q, mpctl);
10253         return (mp2ctl);
10254 }
10255 
10256 /* IPv6 multicast group membership. */
10257 static mblk_t *
10258 ip_snmp_get_mib2_ip6_group_mem(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst)
10259 {
10260         struct opthdr           *optp;
10261         mblk_t                  *mp2ctl;
10262         ill_t                   *ill;
10263         ilm_t                   *ilm;
10264         ipv6_member_t           ipm6;
10265         mblk_t                  *mp_tail = NULL;
10266         ill_walk_context_t      ctx;
10267         zoneid_t                zoneid;
10268 
10269         /*
10270          * make a copy of the original message
10271          */
10272         mp2ctl = copymsg(mpctl);
10273         zoneid = Q_TO_CONN(q)->conn_zoneid;
10274 
10275         /* ip6GroupMember table */
10276         optp = (struct opthdr *)&mpctl->b_rptr[sizeof (struct T_optmgmt_ack)];
10277         optp->level = MIB2_IP6;
10278         optp->name = EXPER_IP6_GROUP_MEMBERSHIP;
10279 
10280         rw_enter(&ipst->ips_ill_g_lock, RW_READER);
10281         ill = ILL_START_WALK_V6(&ctx, ipst);
10282         for (; ill != NULL; ill = ill_next(&ctx, ill)) {
10283                 /* Make sure the ill isn't going away. */
10284                 if (!ill_check_and_refhold(ill))
10285                         continue;
10286                 rw_exit(&ipst->ips_ill_g_lock);
10287                 /*
10288                  * Normally we don't have any members on under IPMP interfaces.
10289                  * We report them as a debugging aid.
10290                  */
10291                 rw_enter(&ill->ill_mcast_lock, RW_READER);
10292                 ipm6.ipv6GroupMemberIfIndex = ill->ill_phyint->phyint_ifindex;
10293                 for (ilm = ill->ill_ilm; ilm; ilm = ilm->ilm_next) {
10294                         if (ilm->ilm_zoneid != zoneid &&
10295                             ilm->ilm_zoneid != ALL_ZONES)
10296                                 continue;       /* not this zone */
10297                         ipm6.ipv6GroupMemberAddress = ilm->ilm_v6addr;
10298                         ipm6.ipv6GroupMemberRefCnt = ilm->ilm_refcnt;
10299                         ipm6.ipv6GroupMemberFilterMode = ilm->ilm_fmode;
10300                         if (!snmp_append_data2(mpctl->b_cont,
10301                             &mp_tail,
10302                             (char *)&ipm6, (int)sizeof (ipm6))) {
10303                                 ip1dbg(("ip_snmp_get_mib2_ip6_group: "
10304                                     "failed to allocate %u bytes\n",
10305                                     (uint_t)sizeof (ipm6)));
10306                         }
10307                 }
10308                 rw_exit(&ill->ill_mcast_lock);
10309                 ill_refrele(ill);
10310                 rw_enter(&ipst->ips_ill_g_lock, RW_READER);
10311         }
10312         rw_exit(&ipst->ips_ill_g_lock);
10313 
10314         optp->len = (t_uscalar_t)msgdsize(mpctl->b_cont);
10315         ip3dbg(("ip_snmp_get: level %d, name %d, len %d\n",
10316             (int)optp->level, (int)optp->name, (int)optp->len));
10317         qreply(q, mpctl);
10318         return (mp2ctl);
10319 }
10320 
10321 /* IP multicast filtered sources */
10322 static mblk_t *
10323 ip_snmp_get_mib2_ip_group_src(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst)
10324 {
10325         struct opthdr           *optp;
10326         mblk_t                  *mp2ctl;
10327         ill_t                   *ill;
10328         ipif_t                  *ipif;
10329         ilm_t                   *ilm;
10330         ip_grpsrc_t             ips;
10331         mblk_t                  *mp_tail = NULL;
10332         ill_walk_context_t      ctx;
10333         zoneid_t                zoneid;
10334         int                     i;
10335         slist_t                 *sl;
10336 
10337         /*
10338          * make a copy of the original message
10339          */
10340         mp2ctl = copymsg(mpctl);
10341         zoneid = Q_TO_CONN(q)->conn_zoneid;
10342 
10343         /* ipGroupSource table */
10344         optp = (struct opthdr *)&mpctl->b_rptr[
10345             sizeof (struct T_optmgmt_ack)];
10346         optp->level = MIB2_IP;
10347         optp->name = EXPER_IP_GROUP_SOURCES;
10348 
10349         rw_enter(&ipst->ips_ill_g_lock, RW_READER);
10350         ill = ILL_START_WALK_V4(&ctx, ipst);
10351         for (; ill != NULL; ill = ill_next(&ctx, ill)) {
10352                 /* Make sure the ill isn't going away. */
10353                 if (!ill_check_and_refhold(ill))
10354                         continue;
10355                 rw_exit(&ipst->ips_ill_g_lock);
10356                 rw_enter(&ill->ill_mcast_lock, RW_READER);
10357                 for (ilm = ill->ill_ilm; ilm; ilm = ilm->ilm_next) {
10358                         sl = ilm->ilm_filter;
10359                         if (ilm->ilm_zoneid != zoneid &&
10360                             ilm->ilm_zoneid != ALL_ZONES)
10361                                 continue;
10362                         if (SLIST_IS_EMPTY(sl))
10363                                 continue;
10364 
10365                         /* Is there an ipif for ilm_ifaddr? */
10366                         for (ipif = ill->ill_ipif; ipif != NULL;
10367                             ipif = ipif->ipif_next) {
10368                                 if (!IPIF_IS_CONDEMNED(ipif) &&
10369                                     ipif->ipif_lcl_addr == ilm->ilm_ifaddr &&
10370                                     ilm->ilm_ifaddr != INADDR_ANY)
10371                                         break;
10372                         }
10373                         if (ipif != NULL) {
10374                                 ipif_get_name(ipif,
10375                                     ips.ipGroupSourceIfIndex.o_bytes,
10376                                     OCTET_LENGTH);
10377                         } else {
10378                                 ill_get_name(ill,
10379                                     ips.ipGroupSourceIfIndex.o_bytes,
10380                                     OCTET_LENGTH);
10381                         }
10382                         ips.ipGroupSourceIfIndex.o_length =
10383                             mi_strlen(ips.ipGroupSourceIfIndex.o_bytes);
10384 
10385                         ips.ipGroupSourceGroup = ilm->ilm_addr;
10386                         for (i = 0; i < sl->sl_numsrc; i++) {
10387                                 if (!IN6_IS_ADDR_V4MAPPED(&sl->sl_addr[i]))
10388                                         continue;
10389                                 IN6_V4MAPPED_TO_IPADDR(&sl->sl_addr[i],
10390                                     ips.ipGroupSourceAddress);
10391                                 if (snmp_append_data2(mpctl->b_cont, &mp_tail,
10392                                     (char *)&ips, (int)sizeof (ips)) == 0) {
10393                                         ip1dbg(("ip_snmp_get_mib2_ip_group_src:"
10394                                             " failed to allocate %u bytes\n",
10395                                             (uint_t)sizeof (ips)));
10396                                 }
10397                         }
10398                 }
10399                 rw_exit(&ill->ill_mcast_lock);
10400                 ill_refrele(ill);
10401                 rw_enter(&ipst->ips_ill_g_lock, RW_READER);
10402         }
10403         rw_exit(&ipst->ips_ill_g_lock);
10404         optp->len = (t_uscalar_t)msgdsize(mpctl->b_cont);
10405         ip3dbg(("ip_snmp_get: level %d, name %d, len %d\n",
10406             (int)optp->level, (int)optp->name, (int)optp->len));
10407         qreply(q, mpctl);
10408         return (mp2ctl);
10409 }
10410 
10411 /* IPv6 multicast filtered sources. */
10412 static mblk_t *
10413 ip_snmp_get_mib2_ip6_group_src(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst)
10414 {
10415         struct opthdr           *optp;
10416         mblk_t                  *mp2ctl;
10417         ill_t                   *ill;
10418         ilm_t                   *ilm;
10419         ipv6_grpsrc_t           ips6;
10420         mblk_t                  *mp_tail = NULL;
10421         ill_walk_context_t      ctx;
10422         zoneid_t                zoneid;
10423         int                     i;
10424         slist_t                 *sl;
10425 
10426         /*
10427          * make a copy of the original message
10428          */
10429         mp2ctl = copymsg(mpctl);
10430         zoneid = Q_TO_CONN(q)->conn_zoneid;
10431 
10432         /* ip6GroupMember table */
10433         optp = (struct opthdr *)&mpctl->b_rptr[sizeof (struct T_optmgmt_ack)];
10434         optp->level = MIB2_IP6;
10435         optp->name = EXPER_IP6_GROUP_SOURCES;
10436 
10437         rw_enter(&ipst->ips_ill_g_lock, RW_READER);
10438         ill = ILL_START_WALK_V6(&ctx, ipst);
10439         for (; ill != NULL; ill = ill_next(&ctx, ill)) {
10440                 /* Make sure the ill isn't going away. */
10441                 if (!ill_check_and_refhold(ill))
10442                         continue;
10443                 rw_exit(&ipst->ips_ill_g_lock);
10444                 /*
10445                  * Normally we don't have any members on under IPMP interfaces.
10446                  * We report them as a debugging aid.
10447                  */
10448                 rw_enter(&ill->ill_mcast_lock, RW_READER);
10449                 ips6.ipv6GroupSourceIfIndex = ill->ill_phyint->phyint_ifindex;
10450                 for (ilm = ill->ill_ilm; ilm; ilm = ilm->ilm_next) {
10451                         sl = ilm->ilm_filter;
10452                         if (ilm->ilm_zoneid != zoneid &&
10453                             ilm->ilm_zoneid != ALL_ZONES)
10454                                 continue;
10455                         if (SLIST_IS_EMPTY(sl))
10456                                 continue;
10457                         ips6.ipv6GroupSourceGroup = ilm->ilm_v6addr;
10458                         for (i = 0; i < sl->sl_numsrc; i++) {
10459                                 ips6.ipv6GroupSourceAddress = sl->sl_addr[i];
10460                                 if (!snmp_append_data2(mpctl->b_cont, &mp_tail,
10461                                     (char *)&ips6, (int)sizeof (ips6))) {
10462                                         ip1dbg(("ip_snmp_get_mib2_ip6_"
10463                                             "group_src: failed to allocate "
10464                                             "%u bytes\n",
10465                                             (uint_t)sizeof (ips6)));
10466                                 }
10467                         }
10468                 }
10469                 rw_exit(&ill->ill_mcast_lock);
10470                 ill_refrele(ill);
10471                 rw_enter(&ipst->ips_ill_g_lock, RW_READER);
10472         }
10473         rw_exit(&ipst->ips_ill_g_lock);
10474 
10475         optp->len = (t_uscalar_t)msgdsize(mpctl->b_cont);
10476         ip3dbg(("ip_snmp_get: level %d, name %d, len %d\n",
10477             (int)optp->level, (int)optp->name, (int)optp->len));
10478         qreply(q, mpctl);
10479         return (mp2ctl);
10480 }
10481 
10482 /* Multicast routing virtual interface table. */
10483 static mblk_t *
10484 ip_snmp_get_mib2_virt_multi(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst)
10485 {
10486         struct opthdr           *optp;
10487         mblk_t                  *mp2ctl;
10488 
10489         /*
10490          * make a copy of the original message
10491          */
10492         mp2ctl = copymsg(mpctl);
10493 
10494         optp = (struct opthdr *)&mpctl->b_rptr[sizeof (struct T_optmgmt_ack)];
10495         optp->level = EXPER_DVMRP;
10496         optp->name = EXPER_DVMRP_VIF;
10497         if (!ip_mroute_vif(mpctl->b_cont, ipst)) {
10498                 ip0dbg(("ip_mroute_vif: failed\n"));
10499         }
10500         optp->len = (t_uscalar_t)msgdsize(mpctl->b_cont);
10501         ip3dbg(("ip_snmp_get_mib2_virt_multi: level %d, name %d, len %d\n",
10502             (int)optp->level, (int)optp->name, (int)optp->len));
10503         qreply(q, mpctl);
10504         return (mp2ctl);
10505 }
10506 
10507 /* Multicast routing table. */
10508 static mblk_t *
10509 ip_snmp_get_mib2_multi_rtable(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst)
10510 {
10511         struct opthdr           *optp;
10512         mblk_t                  *mp2ctl;
10513 
10514         /*
10515          * make a copy of the original message
10516          */
10517         mp2ctl = copymsg(mpctl);
10518 
10519         optp = (struct opthdr *)&mpctl->b_rptr[sizeof (struct T_optmgmt_ack)];
10520         optp->level = EXPER_DVMRP;
10521         optp->name = EXPER_DVMRP_MRT;
10522         if (!ip_mroute_mrt(mpctl->b_cont, ipst)) {
10523                 ip0dbg(("ip_mroute_mrt: failed\n"));
10524         }
10525         optp->len = (t_uscalar_t)msgdsize(mpctl->b_cont);
10526         ip3dbg(("ip_snmp_get_mib2_multi_rtable: level %d, name %d, len %d\n",
10527             (int)optp->level, (int)optp->name, (int)optp->len));
10528         qreply(q, mpctl);
10529         return (mp2ctl);
10530 }
10531 
10532 /*
10533  * Return ipRouteEntryTable, ipNetToMediaEntryTable, and ipRouteAttributeTable
10534  * in one IRE walk.
10535  */
10536 static mblk_t *
10537 ip_snmp_get_mib2_ip_route_media(queue_t *q, mblk_t *mpctl, int level,
10538     ip_stack_t *ipst)
10539 {
10540         struct opthdr   *optp;
10541         mblk_t          *mp2ctl;        /* Returned */
10542         mblk_t          *mp3ctl;        /* nettomedia */
10543         mblk_t          *mp4ctl;        /* routeattrs */
10544         iproutedata_t   ird;
10545         zoneid_t        zoneid;
10546 
10547         /*
10548          * make copies of the original message
10549          *      - mp2ctl is returned unchanged to the caller for his use
10550          *      - mpctl is sent upstream as ipRouteEntryTable
10551          *      - mp3ctl is sent upstream as ipNetToMediaEntryTable
10552          *      - mp4ctl is sent upstream as ipRouteAttributeTable
10553          */
10554         mp2ctl = copymsg(mpctl);
10555         mp3ctl = copymsg(mpctl);
10556         mp4ctl = copymsg(mpctl);
10557         if (mp3ctl == NULL || mp4ctl == NULL) {
10558                 freemsg(mp4ctl);
10559                 freemsg(mp3ctl);
10560                 freemsg(mp2ctl);
10561                 freemsg(mpctl);
10562                 return (NULL);
10563         }
10564 
10565         bzero(&ird, sizeof (ird));
10566 
10567         ird.ird_route.lp_head = mpctl->b_cont;
10568         ird.ird_netmedia.lp_head = mp3ctl->b_cont;
10569         ird.ird_attrs.lp_head = mp4ctl->b_cont;
10570         /*
10571          * If the level has been set the special EXPER_IP_AND_ALL_IRES value,
10572          * then also include ire_testhidden IREs and IRE_IF_CLONE.  This is
10573          * intended a temporary solution until a proper MIB API is provided
10574          * that provides complete filtering/caller-opt-in.
10575          */
10576         if (level == EXPER_IP_AND_ALL_IRES)
10577                 ird.ird_flags |= IRD_REPORT_ALL;
10578 
10579         zoneid = Q_TO_CONN(q)->conn_zoneid;
10580         ire_walk_v4(ip_snmp_get2_v4, &ird, zoneid, ipst);
10581 
10582         /* ipRouteEntryTable in mpctl */
10583         optp = (struct opthdr *)&mpctl->b_rptr[sizeof (struct T_optmgmt_ack)];
10584         optp->level = MIB2_IP;
10585         optp->name = MIB2_IP_ROUTE;
10586         optp->len = msgdsize(ird.ird_route.lp_head);
10587         ip3dbg(("ip_snmp_get_mib2_ip_route_media: level %d, name %d, len %d\n",
10588             (int)optp->level, (int)optp->name, (int)optp->len));
10589         qreply(q, mpctl);
10590 
10591         /* ipNetToMediaEntryTable in mp3ctl */
10592         ncec_walk(NULL, ip_snmp_get2_v4_media, &ird, ipst);
10593 
10594         optp = (struct opthdr *)&mp3ctl->b_rptr[sizeof (struct T_optmgmt_ack)];
10595         optp->level = MIB2_IP;
10596         optp->name = MIB2_IP_MEDIA;
10597         optp->len = msgdsize(ird.ird_netmedia.lp_head);
10598         ip3dbg(("ip_snmp_get_mib2_ip_route_media: level %d, name %d, len %d\n",
10599             (int)optp->level, (int)optp->name, (int)optp->len));
10600         qreply(q, mp3ctl);
10601 
10602         /* ipRouteAttributeTable in mp4ctl */
10603         optp = (struct opthdr *)&mp4ctl->b_rptr[sizeof (struct T_optmgmt_ack)];
10604         optp->level = MIB2_IP;
10605         optp->name = EXPER_IP_RTATTR;
10606         optp->len = msgdsize(ird.ird_attrs.lp_head);
10607         ip3dbg(("ip_snmp_get_mib2_ip_route_media: level %d, name %d, len %d\n",
10608             (int)optp->level, (int)optp->name, (int)optp->len));
10609         if (optp->len == 0)
10610                 freemsg(mp4ctl);
10611         else
10612                 qreply(q, mp4ctl);
10613 
10614         return (mp2ctl);
10615 }
10616 
10617 /*
10618  * Return ipv6RouteEntryTable and ipv6RouteAttributeTable in one IRE walk, and
10619  * ipv6NetToMediaEntryTable in an NDP walk.
10620  */
10621 static mblk_t *
10622 ip_snmp_get_mib2_ip6_route_media(queue_t *q, mblk_t *mpctl, int level,
10623     ip_stack_t *ipst)
10624 {
10625         struct opthdr   *optp;
10626         mblk_t          *mp2ctl;        /* Returned */
10627         mblk_t          *mp3ctl;        /* nettomedia */
10628         mblk_t          *mp4ctl;        /* routeattrs */
10629         iproutedata_t   ird;
10630         zoneid_t        zoneid;
10631 
10632         /*
10633          * make copies of the original message
10634          *      - mp2ctl is returned unchanged to the caller for his use
10635          *      - mpctl is sent upstream as ipv6RouteEntryTable
10636          *      - mp3ctl is sent upstream as ipv6NetToMediaEntryTable
10637          *      - mp4ctl is sent upstream as ipv6RouteAttributeTable
10638          */
10639         mp2ctl = copymsg(mpctl);
10640         mp3ctl = copymsg(mpctl);
10641         mp4ctl = copymsg(mpctl);
10642         if (mp3ctl == NULL || mp4ctl == NULL) {
10643                 freemsg(mp4ctl);
10644                 freemsg(mp3ctl);
10645                 freemsg(mp2ctl);
10646                 freemsg(mpctl);
10647                 return (NULL);
10648         }
10649 
10650         bzero(&ird, sizeof (ird));
10651 
10652         ird.ird_route.lp_head = mpctl->b_cont;
10653         ird.ird_netmedia.lp_head = mp3ctl->b_cont;
10654         ird.ird_attrs.lp_head = mp4ctl->b_cont;
10655         /*
10656          * If the level has been set the special EXPER_IP_AND_ALL_IRES value,
10657          * then also include ire_testhidden IREs and IRE_IF_CLONE.  This is
10658          * intended a temporary solution until a proper MIB API is provided
10659          * that provides complete filtering/caller-opt-in.
10660          */
10661         if (level == EXPER_IP_AND_ALL_IRES)
10662                 ird.ird_flags |= IRD_REPORT_ALL;
10663 
10664         zoneid = Q_TO_CONN(q)->conn_zoneid;
10665         ire_walk_v6(ip_snmp_get2_v6_route, &ird, zoneid, ipst);
10666 
10667         optp = (struct opthdr *)&mpctl->b_rptr[sizeof (struct T_optmgmt_ack)];
10668         optp->level = MIB2_IP6;
10669         optp->name = MIB2_IP6_ROUTE;
10670         optp->len = msgdsize(ird.ird_route.lp_head);
10671         ip3dbg(("ip_snmp_get_mib2_ip6_route_media: level %d, name %d, len %d\n",
10672             (int)optp->level, (int)optp->name, (int)optp->len));
10673         qreply(q, mpctl);
10674 
10675         /* ipv6NetToMediaEntryTable in mp3ctl */
10676         ncec_walk(NULL, ip_snmp_get2_v6_media, &ird, ipst);
10677 
10678         optp = (struct opthdr *)&mp3ctl->b_rptr[sizeof (struct T_optmgmt_ack)];
10679         optp->level = MIB2_IP6;
10680         optp->name = MIB2_IP6_MEDIA;
10681         optp->len = msgdsize(ird.ird_netmedia.lp_head);
10682         ip3dbg(("ip_snmp_get_mib2_ip6_route_media: level %d, name %d, len %d\n",
10683             (int)optp->level, (int)optp->name, (int)optp->len));
10684         qreply(q, mp3ctl);
10685 
10686         /* ipv6RouteAttributeTable in mp4ctl */
10687         optp = (struct opthdr *)&mp4ctl->b_rptr[sizeof (struct T_optmgmt_ack)];
10688         optp->level = MIB2_IP6;
10689         optp->name = EXPER_IP_RTATTR;
10690         optp->len = msgdsize(ird.ird_attrs.lp_head);
10691         ip3dbg(("ip_snmp_get_mib2_ip6_route_media: level %d, name %d, len %d\n",
10692             (int)optp->level, (int)optp->name, (int)optp->len));
10693         if (optp->len == 0)
10694                 freemsg(mp4ctl);
10695         else
10696                 qreply(q, mp4ctl);
10697 
10698         return (mp2ctl);
10699 }
10700 
10701 /*
10702  * IPv6 mib: One per ill
10703  */
10704 static mblk_t *
10705 ip_snmp_get_mib2_ip6(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst,
10706     boolean_t legacy_req)
10707 {
10708         struct opthdr           *optp;
10709         mblk_t                  *mp2ctl;
10710         ill_t                   *ill;
10711         ill_walk_context_t      ctx;
10712         mblk_t                  *mp_tail = NULL;
10713         mib2_ipv6AddrEntry_t    mae6;
10714         mib2_ipIfStatsEntry_t   *ise;
10715         size_t                  ise_size, iae_size;
10716 
10717         /*
10718          * Make a copy of the original message
10719          */
10720         mp2ctl = copymsg(mpctl);
10721 
10722         /* fixed length IPv6 structure ... */
10723 
10724         if (legacy_req) {
10725                 ise_size = LEGACY_MIB_SIZE(&ipst->ips_ip6_mib,
10726                     mib2_ipIfStatsEntry_t);
10727                 iae_size = LEGACY_MIB_SIZE(&mae6, mib2_ipv6AddrEntry_t);
10728         } else {
10729                 ise_size = sizeof (mib2_ipIfStatsEntry_t);
10730                 iae_size = sizeof (mib2_ipv6AddrEntry_t);
10731         }
10732 
10733         optp = (struct opthdr *)&mpctl->b_rptr[sizeof (struct T_optmgmt_ack)];
10734         optp->level = MIB2_IP6;
10735         optp->name = 0;
10736         /* Include "unknown interface" ip6_mib */
10737         ipst->ips_ip6_mib.ipIfStatsIPVersion = MIB2_INETADDRESSTYPE_ipv6;
10738         ipst->ips_ip6_mib.ipIfStatsIfIndex =
10739             MIB2_UNKNOWN_INTERFACE; /* Flag to netstat */
10740         SET_MIB(ipst->ips_ip6_mib.ipIfStatsForwarding,
10741             ipst->ips_ipv6_forwarding ? 1 : 2);
10742         SET_MIB(ipst->ips_ip6_mib.ipIfStatsDefaultHopLimit,
10743             ipst->ips_ipv6_def_hops);
10744         SET_MIB(ipst->ips_ip6_mib.ipIfStatsEntrySize,
10745             sizeof (mib2_ipIfStatsEntry_t));
10746         SET_MIB(ipst->ips_ip6_mib.ipIfStatsAddrEntrySize,
10747             sizeof (mib2_ipv6AddrEntry_t));
10748         SET_MIB(ipst->ips_ip6_mib.ipIfStatsRouteEntrySize,
10749             sizeof (mib2_ipv6RouteEntry_t));
10750         SET_MIB(ipst->ips_ip6_mib.ipIfStatsNetToMediaEntrySize,
10751             sizeof (mib2_ipv6NetToMediaEntry_t));
10752         SET_MIB(ipst->ips_ip6_mib.ipIfStatsMemberEntrySize,
10753             sizeof (ipv6_member_t));
10754         SET_MIB(ipst->ips_ip6_mib.ipIfStatsGroupSourceEntrySize,
10755             sizeof (ipv6_grpsrc_t));
10756 
10757         /*
10758          * Synchronize 64- and 32-bit counters
10759          */
10760         SYNC32_MIB(&ipst->ips_ip6_mib, ipIfStatsInReceives,
10761             ipIfStatsHCInReceives);
10762         SYNC32_MIB(&ipst->ips_ip6_mib, ipIfStatsInDelivers,
10763             ipIfStatsHCInDelivers);
10764         SYNC32_MIB(&ipst->ips_ip6_mib, ipIfStatsOutRequests,
10765             ipIfStatsHCOutRequests);
10766         SYNC32_MIB(&ipst->ips_ip6_mib, ipIfStatsOutForwDatagrams,
10767             ipIfStatsHCOutForwDatagrams);
10768         SYNC32_MIB(&ipst->ips_ip6_mib, ipIfStatsOutMcastPkts,
10769             ipIfStatsHCOutMcastPkts);
10770         SYNC32_MIB(&ipst->ips_ip6_mib, ipIfStatsInMcastPkts,
10771             ipIfStatsHCInMcastPkts);
10772 
10773         if (!snmp_append_data2(mpctl->b_cont, &mp_tail,
10774             (char *)&ipst->ips_ip6_mib, (int)ise_size)) {
10775                 ip1dbg(("ip_snmp_get_mib2_ip6: failed to allocate %u bytes\n",
10776                     (uint_t)ise_size));
10777         } else if (legacy_req) {
10778                 /* Adjust the EntrySize fields for legacy requests. */
10779                 ise =
10780                     (mib2_ipIfStatsEntry_t *)(mp_tail->b_wptr - (int)ise_size);
10781                 SET_MIB(ise->ipIfStatsEntrySize, ise_size);
10782                 SET_MIB(ise->ipIfStatsAddrEntrySize, iae_size);
10783         }
10784 
10785         rw_enter(&ipst->ips_ill_g_lock, RW_READER);
10786         ill = ILL_START_WALK_V6(&ctx, ipst);
10787         for (; ill != NULL; ill = ill_next(&ctx, ill)) {
10788                 ill->ill_ip_mib->ipIfStatsIfIndex =
10789                     ill->ill_phyint->phyint_ifindex;
10790                 SET_MIB(ill->ill_ip_mib->ipIfStatsForwarding,
10791                     ipst->ips_ipv6_forwarding ? 1 : 2);
10792                 SET_MIB(ill->ill_ip_mib->ipIfStatsDefaultHopLimit,
10793                     ill->ill_max_hops);
10794 
10795                 /*
10796                  * Synchronize 64- and 32-bit counters
10797                  */
10798                 SYNC32_MIB(ill->ill_ip_mib, ipIfStatsInReceives,
10799                     ipIfStatsHCInReceives);
10800                 SYNC32_MIB(ill->ill_ip_mib, ipIfStatsInDelivers,
10801                     ipIfStatsHCInDelivers);
10802                 SYNC32_MIB(ill->ill_ip_mib, ipIfStatsOutRequests,
10803                     ipIfStatsHCOutRequests);
10804                 SYNC32_MIB(ill->ill_ip_mib, ipIfStatsOutForwDatagrams,
10805                     ipIfStatsHCOutForwDatagrams);
10806                 SYNC32_MIB(ill->ill_ip_mib, ipIfStatsOutMcastPkts,
10807                     ipIfStatsHCOutMcastPkts);
10808                 SYNC32_MIB(ill->ill_ip_mib, ipIfStatsInMcastPkts,
10809                     ipIfStatsHCInMcastPkts);
10810 
10811                 if (!snmp_append_data2(mpctl->b_cont, &mp_tail,
10812                     (char *)ill->ill_ip_mib, (int)ise_size)) {
10813                         ip1dbg(("ip_snmp_get_mib2_ip6: failed to allocate "
10814                         "%u bytes\n", (uint_t)ise_size));
10815                 } else if (legacy_req) {
10816                         /* Adjust the EntrySize fields for legacy requests. */
10817                         ise = (mib2_ipIfStatsEntry_t *)(mp_tail->b_wptr -
10818                             (int)ise_size);
10819                         SET_MIB(ise->ipIfStatsEntrySize, ise_size);
10820                         SET_MIB(ise->ipIfStatsAddrEntrySize, iae_size);
10821                 }
10822         }
10823         rw_exit(&ipst->ips_ill_g_lock);
10824 
10825         optp->len = (t_uscalar_t)msgdsize(mpctl->b_cont);
10826         ip3dbg(("ip_snmp_get_mib2_ip6: level %d, name %d, len %d\n",
10827             (int)optp->level, (int)optp->name, (int)optp->len));
10828         qreply(q, mpctl);
10829         return (mp2ctl);
10830 }
10831 
10832 /*
10833  * ICMPv6 mib: One per ill
10834  */
10835 static mblk_t *
10836 ip_snmp_get_mib2_icmp6(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst)
10837 {
10838         struct opthdr           *optp;
10839         mblk_t                  *mp2ctl;
10840         ill_t                   *ill;
10841         ill_walk_context_t      ctx;
10842         mblk_t                  *mp_tail = NULL;
10843         /*
10844          * Make a copy of the original message
10845          */
10846         mp2ctl = copymsg(mpctl);
10847 
10848         /* fixed length ICMPv6 structure ... */
10849 
10850         optp = (struct opthdr *)&mpctl->b_rptr[sizeof (struct T_optmgmt_ack)];
10851         optp->level = MIB2_ICMP6;
10852         optp->name = 0;
10853         /* Include "unknown interface" icmp6_mib */
10854         ipst->ips_icmp6_mib.ipv6IfIcmpIfIndex =
10855             MIB2_UNKNOWN_INTERFACE; /* netstat flag */
10856         ipst->ips_icmp6_mib.ipv6IfIcmpEntrySize =
10857             sizeof (mib2_ipv6IfIcmpEntry_t);
10858         if (!snmp_append_data2(mpctl->b_cont, &mp_tail,
10859             (char *)&ipst->ips_icmp6_mib,
10860             (int)sizeof (ipst->ips_icmp6_mib))) {
10861                 ip1dbg(("ip_snmp_get_mib2_icmp6: failed to allocate %u bytes\n",
10862                     (uint_t)sizeof (ipst->ips_icmp6_mib)));
10863         }
10864 
10865         rw_enter(&ipst->ips_ill_g_lock, RW_READER);
10866         ill = ILL_START_WALK_V6(&ctx, ipst);
10867         for (; ill != NULL; ill = ill_next(&ctx, ill)) {
10868                 ill->ill_icmp6_mib->ipv6IfIcmpIfIndex =
10869                     ill->ill_phyint->phyint_ifindex;
10870                 if (!snmp_append_data2(mpctl->b_cont, &mp_tail,
10871                     (char *)ill->ill_icmp6_mib,
10872                     (int)sizeof (*ill->ill_icmp6_mib))) {
10873                         ip1dbg(("ip_snmp_get_mib2_icmp6: failed to allocate "
10874                             "%u bytes\n",
10875                             (uint_t)sizeof (*ill->ill_icmp6_mib)));
10876                 }
10877         }
10878         rw_exit(&ipst->ips_ill_g_lock);
10879 
10880         optp->len = (t_uscalar_t)msgdsize(mpctl->b_cont);
10881         ip3dbg(("ip_snmp_get_mib2_icmp6: level %d, name %d, len %d\n",
10882             (int)optp->level, (int)optp->name, (int)optp->len));
10883         qreply(q, mpctl);
10884         return (mp2ctl);
10885 }
10886 
10887 /*
10888  * ire_walk routine to create both ipRouteEntryTable and
10889  * ipRouteAttributeTable in one IRE walk
10890  */
10891 static void
10892 ip_snmp_get2_v4(ire_t *ire, iproutedata_t *ird)
10893 {
10894         ill_t                           *ill;
10895         mib2_ipRouteEntry_t             *re;
10896         mib2_ipAttributeEntry_t         iaes;
10897         tsol_ire_gw_secattr_t           *attrp;
10898         tsol_gc_t                       *gc = NULL;
10899         tsol_gcgrp_t                    *gcgrp = NULL;
10900         ip_stack_t                      *ipst = ire->ire_ipst;
10901 
10902         ASSERT(ire->ire_ipversion == IPV4_VERSION);
10903 
10904         if (!(ird->ird_flags & IRD_REPORT_ALL)) {
10905                 if (ire->ire_testhidden)
10906                         return;
10907                 if (ire->ire_type & IRE_IF_CLONE)
10908                         return;
10909         }
10910 
10911         if ((re = kmem_zalloc(sizeof (*re), KM_NOSLEEP)) == NULL)
10912                 return;
10913 
10914         if ((attrp = ire->ire_gw_secattr) != NULL) {
10915                 mutex_enter(&attrp->igsa_lock);
10916                 if ((gc = attrp->igsa_gc) != NULL) {
10917                         gcgrp = gc->gc_grp;
10918                         ASSERT(gcgrp != NULL);
10919                         rw_enter(&gcgrp->gcgrp_rwlock, RW_READER);
10920                 }
10921                 mutex_exit(&attrp->igsa_lock);
10922         }
10923         /*
10924          * Return all IRE types for route table... let caller pick and choose
10925          */
10926         re->ipRouteDest = ire->ire_addr;
10927         ill = ire->ire_ill;
10928         re->ipRouteIfIndex.o_length = 0;
10929         if (ill != NULL) {
10930                 ill_get_name(ill, re->ipRouteIfIndex.o_bytes, OCTET_LENGTH);
10931                 re->ipRouteIfIndex.o_length =
10932                     mi_strlen(re->ipRouteIfIndex.o_bytes);
10933         }
10934         re->ipRouteMetric1 = -1;
10935         re->ipRouteMetric2 = -1;
10936         re->ipRouteMetric3 = -1;
10937         re->ipRouteMetric4 = -1;
10938 
10939         re->ipRouteNextHop = ire->ire_gateway_addr;
10940         /* indirect(4), direct(3), or invalid(2) */
10941         if (ire->ire_flags & (RTF_REJECT | RTF_BLACKHOLE))
10942                 re->ipRouteType = 2;
10943         else if (ire->ire_type & IRE_ONLINK)
10944                 re->ipRouteType = 3;
10945         else
10946                 re->ipRouteType = 4;
10947 
10948         re->ipRouteProto = -1;
10949         re->ipRouteAge = gethrestime_sec() - ire->ire_create_time;
10950         re->ipRouteMask = ire->ire_mask;
10951         re->ipRouteMetric5 = -1;
10952         re->ipRouteInfo.re_max_frag = ire->ire_metrics.iulp_mtu;
10953         if (ire->ire_ill != NULL && re->ipRouteInfo.re_max_frag == 0)
10954                 re->ipRouteInfo.re_max_frag = ire->ire_ill->ill_mtu;
10955 
10956         re->ipRouteInfo.re_frag_flag = 0;
10957         re->ipRouteInfo.re_rtt               = 0;
10958         re->ipRouteInfo.re_src_addr  = 0;
10959         re->ipRouteInfo.re_ref               = ire->ire_refcnt;
10960         re->ipRouteInfo.re_obpkt     = ire->ire_ob_pkt_count;
10961         re->ipRouteInfo.re_ibpkt     = ire->ire_ib_pkt_count;
10962         re->ipRouteInfo.re_flags     = ire->ire_flags;
10963 
10964         /* Add the IRE_IF_CLONE's counters to their parent IRE_INTERFACE */
10965         if (ire->ire_type & IRE_INTERFACE) {
10966                 ire_t *child;
10967 
10968                 rw_enter(&ipst->ips_ire_dep_lock, RW_READER);
10969                 child = ire->ire_dep_children;
10970                 while (child != NULL) {
10971                         re->ipRouteInfo.re_obpkt += child->ire_ob_pkt_count;
10972                         re->ipRouteInfo.re_ibpkt += child->ire_ib_pkt_count;
10973                         child = child->ire_dep_sib_next;
10974                 }
10975                 rw_exit(&ipst->ips_ire_dep_lock);
10976         }
10977 
10978         if (ire->ire_flags & RTF_DYNAMIC) {
10979                 re->ipRouteInfo.re_ire_type  = IRE_HOST_REDIRECT;
10980         } else {
10981                 re->ipRouteInfo.re_ire_type  = ire->ire_type;
10982         }
10983 
10984         if (!snmp_append_data2(ird->ird_route.lp_head, &ird->ird_route.lp_tail,
10985             (char *)re, (int)sizeof (*re))) {
10986                 ip1dbg(("ip_snmp_get2_v4: failed to allocate %u bytes\n",
10987                     (uint_t)sizeof (*re)));
10988         }
10989 
10990         if (gc != NULL) {
10991                 iaes.iae_routeidx = ird->ird_idx;
10992                 iaes.iae_doi = gc->gc_db->gcdb_doi;
10993                 iaes.iae_slrange = gc->gc_db->gcdb_slrange;
10994 
10995                 if (!snmp_append_data2(ird->ird_attrs.lp_head,
10996                     &ird->ird_attrs.lp_tail, (char *)&iaes, sizeof (iaes))) {
10997                         ip1dbg(("ip_snmp_get2_v4: failed to allocate %u "
10998                             "bytes\n", (uint_t)sizeof (iaes)));
10999                 }
11000         }
11001 
11002         /* bump route index for next pass */
11003         ird->ird_idx++;
11004 
11005         kmem_free(re, sizeof (*re));
11006         if (gcgrp != NULL)
11007                 rw_exit(&gcgrp->gcgrp_rwlock);
11008 }
11009 
11010 /*
11011  * ire_walk routine to create ipv6RouteEntryTable and ipRouteEntryTable.
11012  */
11013 static void
11014 ip_snmp_get2_v6_route(ire_t *ire, iproutedata_t *ird)
11015 {
11016         ill_t                           *ill;
11017         mib2_ipv6RouteEntry_t           *re;
11018         mib2_ipAttributeEntry_t         iaes;
11019         tsol_ire_gw_secattr_t           *attrp;
11020         tsol_gc_t                       *gc = NULL;
11021         tsol_gcgrp_t                    *gcgrp = NULL;
11022         ip_stack_t                      *ipst = ire->ire_ipst;
11023 
11024         ASSERT(ire->ire_ipversion == IPV6_VERSION);
11025 
11026         if (!(ird->ird_flags & IRD_REPORT_ALL)) {
11027                 if (ire->ire_testhidden)
11028                         return;
11029                 if (ire->ire_type & IRE_IF_CLONE)
11030                         return;
11031         }
11032 
11033         if ((re = kmem_zalloc(sizeof (*re), KM_NOSLEEP)) == NULL)
11034                 return;
11035 
11036         if ((attrp = ire->ire_gw_secattr) != NULL) {
11037                 mutex_enter(&attrp->igsa_lock);
11038                 if ((gc = attrp->igsa_gc) != NULL) {
11039                         gcgrp = gc->gc_grp;
11040                         ASSERT(gcgrp != NULL);
11041                         rw_enter(&gcgrp->gcgrp_rwlock, RW_READER);
11042                 }
11043                 mutex_exit(&attrp->igsa_lock);
11044         }
11045         /*
11046          * Return all IRE types for route table... let caller pick and choose
11047          */
11048         re->ipv6RouteDest = ire->ire_addr_v6;
11049         re->ipv6RoutePfxLength = ip_mask_to_plen_v6(&ire->ire_mask_v6);
11050         re->ipv6RouteIndex = 0;      /* Unique when multiple with same dest/plen */
11051         re->ipv6RouteIfIndex.o_length = 0;
11052         ill = ire->ire_ill;
11053         if (ill != NULL) {
11054                 ill_get_name(ill, re->ipv6RouteIfIndex.o_bytes, OCTET_LENGTH);
11055                 re->ipv6RouteIfIndex.o_length =
11056                     mi_strlen(re->ipv6RouteIfIndex.o_bytes);
11057         }
11058 
11059         ASSERT(!(ire->ire_type & IRE_BROADCAST));
11060 
11061         mutex_enter(&ire->ire_lock);
11062         re->ipv6RouteNextHop = ire->ire_gateway_addr_v6;
11063         mutex_exit(&ire->ire_lock);
11064 
11065         /* remote(4), local(3), or discard(2) */
11066         if (ire->ire_flags & (RTF_REJECT | RTF_BLACKHOLE))
11067                 re->ipv6RouteType = 2;
11068         else if (ire->ire_type & IRE_ONLINK)
11069                 re->ipv6RouteType = 3;
11070         else
11071                 re->ipv6RouteType = 4;
11072 
11073         re->ipv6RouteProtocol        = -1;
11074         re->ipv6RoutePolicy  = 0;
11075         re->ipv6RouteAge     = gethrestime_sec() - ire->ire_create_time;
11076         re->ipv6RouteNextHopRDI      = 0;
11077         re->ipv6RouteWeight  = 0;
11078         re->ipv6RouteMetric  = 0;
11079         re->ipv6RouteInfo.re_max_frag = ire->ire_metrics.iulp_mtu;
11080         if (ire->ire_ill != NULL && re->ipv6RouteInfo.re_max_frag == 0)
11081                 re->ipv6RouteInfo.re_max_frag = ire->ire_ill->ill_mtu;
11082 
11083         re->ipv6RouteInfo.re_frag_flag       = 0;
11084         re->ipv6RouteInfo.re_rtt     = 0;
11085         re->ipv6RouteInfo.re_src_addr        = ipv6_all_zeros;
11086         re->ipv6RouteInfo.re_obpkt   = ire->ire_ob_pkt_count;
11087         re->ipv6RouteInfo.re_ibpkt   = ire->ire_ib_pkt_count;
11088         re->ipv6RouteInfo.re_ref     = ire->ire_refcnt;
11089         re->ipv6RouteInfo.re_flags   = ire->ire_flags;
11090 
11091         /* Add the IRE_IF_CLONE's counters to their parent IRE_INTERFACE */
11092         if (ire->ire_type & IRE_INTERFACE) {
11093                 ire_t *child;
11094 
11095                 rw_enter(&ipst->ips_ire_dep_lock, RW_READER);
11096                 child = ire->ire_dep_children;
11097                 while (child != NULL) {
11098                         re->ipv6RouteInfo.re_obpkt += child->ire_ob_pkt_count;
11099                         re->ipv6RouteInfo.re_ibpkt += child->ire_ib_pkt_count;
11100                         child = child->ire_dep_sib_next;
11101                 }
11102                 rw_exit(&ipst->ips_ire_dep_lock);
11103         }
11104         if (ire->ire_flags & RTF_DYNAMIC) {
11105                 re->ipv6RouteInfo.re_ire_type        = IRE_HOST_REDIRECT;
11106         } else {
11107                 re->ipv6RouteInfo.re_ire_type        = ire->ire_type;
11108         }
11109 
11110         if (!snmp_append_data2(ird->ird_route.lp_head, &ird->ird_route.lp_tail,
11111             (char *)re, (int)sizeof (*re))) {
11112                 ip1dbg(("ip_snmp_get2_v6: failed to allocate %u bytes\n",
11113                     (uint_t)sizeof (*re)));
11114         }
11115 
11116         if (gc != NULL) {
11117                 iaes.iae_routeidx = ird->ird_idx;
11118                 iaes.iae_doi = gc->gc_db->gcdb_doi;
11119                 iaes.iae_slrange = gc->gc_db->gcdb_slrange;
11120 
11121                 if (!snmp_append_data2(ird->ird_attrs.lp_head,
11122                     &ird->ird_attrs.lp_tail, (char *)&iaes, sizeof (iaes))) {
11123                         ip1dbg(("ip_snmp_get2_v6: failed to allocate %u "
11124                             "bytes\n", (uint_t)sizeof (iaes)));
11125                 }
11126         }
11127 
11128         /* bump route index for next pass */
11129         ird->ird_idx++;
11130 
11131         kmem_free(re, sizeof (*re));
11132         if (gcgrp != NULL)
11133                 rw_exit(&gcgrp->gcgrp_rwlock);
11134 }
11135 
11136 /*
11137  * ncec_walk routine to create ipv6NetToMediaEntryTable
11138  */
11139 static int
11140 ip_snmp_get2_v6_media(ncec_t *ncec, iproutedata_t *ird)
11141 {
11142         ill_t                           *ill;
11143         mib2_ipv6NetToMediaEntry_t      ntme;
11144 
11145         ill = ncec->ncec_ill;
11146         /* skip arpce entries, and loopback ncec entries */
11147         if (ill->ill_isv6 == B_FALSE || ill->ill_net_type == IRE_LOOPBACK)
11148                 return (0);
11149         /*
11150          * Neighbor cache entry attached to IRE with on-link
11151          * destination.
11152          * We report all IPMP groups on ncec_ill which is normally the upper.
11153          */
11154         ntme.ipv6NetToMediaIfIndex = ill->ill_phyint->phyint_ifindex;
11155         ntme.ipv6NetToMediaNetAddress = ncec->ncec_addr;
11156         ntme.ipv6NetToMediaPhysAddress.o_length = ill->ill_phys_addr_length;
11157         if (ncec->ncec_lladdr != NULL) {
11158                 bcopy(ncec->ncec_lladdr, ntme.ipv6NetToMediaPhysAddress.o_bytes,
11159                     ntme.ipv6NetToMediaPhysAddress.o_length);
11160         }
11161         /*
11162          * Note: Returns ND_* states. Should be:
11163          * reachable(1), stale(2), delay(3), probe(4),
11164          * invalid(5), unknown(6)
11165          */
11166         ntme.ipv6NetToMediaState = ncec->ncec_state;
11167         ntme.ipv6NetToMediaLastUpdated = 0;
11168 
11169         /* other(1), dynamic(2), static(3), local(4) */
11170         if (NCE_MYADDR(ncec)) {
11171                 ntme.ipv6NetToMediaType = 4;
11172         } else if (ncec->ncec_flags & NCE_F_PUBLISH) {
11173                 ntme.ipv6NetToMediaType = 1; /* proxy */
11174         } else if (ncec->ncec_flags & NCE_F_STATIC) {
11175                 ntme.ipv6NetToMediaType = 3;
11176         } else if (ncec->ncec_flags & (NCE_F_MCAST|NCE_F_BCAST)) {
11177                 ntme.ipv6NetToMediaType = 1;
11178         } else {
11179                 ntme.ipv6NetToMediaType = 2;
11180         }
11181 
11182         if (!snmp_append_data2(ird->ird_netmedia.lp_head,
11183             &ird->ird_netmedia.lp_tail, (char *)&ntme, sizeof (ntme))) {
11184                 ip1dbg(("ip_snmp_get2_v6_media: failed to allocate %u bytes\n",
11185                     (uint_t)sizeof (ntme)));
11186         }
11187         return (0);
11188 }
11189 
11190 int
11191 nce2ace(ncec_t *ncec)
11192 {
11193         int flags = 0;
11194 
11195         if (NCE_ISREACHABLE(ncec))
11196                 flags |= ACE_F_RESOLVED;
11197         if (ncec->ncec_flags & NCE_F_AUTHORITY)
11198                 flags |= ACE_F_AUTHORITY;
11199         if (ncec->ncec_flags & NCE_F_PUBLISH)
11200                 flags |= ACE_F_PUBLISH;
11201         if ((ncec->ncec_flags & NCE_F_NONUD) != 0)
11202                 flags |= ACE_F_PERMANENT;
11203         if (NCE_MYADDR(ncec))
11204                 flags |= (ACE_F_MYADDR | ACE_F_AUTHORITY);
11205         if (ncec->ncec_flags & NCE_F_UNVERIFIED)
11206                 flags |= ACE_F_UNVERIFIED;
11207         if (ncec->ncec_flags & NCE_F_AUTHORITY)
11208                 flags |= ACE_F_AUTHORITY;
11209         if (ncec->ncec_flags & NCE_F_DELAYED)
11210                 flags |= ACE_F_DELAYED;
11211         return (flags);
11212 }
11213 
11214 /*
11215  * ncec_walk routine to create ipNetToMediaEntryTable
11216  */
11217 static int
11218 ip_snmp_get2_v4_media(ncec_t *ncec, iproutedata_t *ird)
11219 {
11220         ill_t                           *ill;
11221         mib2_ipNetToMediaEntry_t        ntme;
11222         const char                      *name = "unknown";
11223         ipaddr_t                        ncec_addr;
11224 
11225         ill = ncec->ncec_ill;
11226         if (ill->ill_isv6 || (ncec->ncec_flags & NCE_F_BCAST) ||
11227             ill->ill_net_type == IRE_LOOPBACK)
11228                 return (0);
11229 
11230         /* We report all IPMP groups on ncec_ill which is normally the upper. */
11231         name = ill->ill_name;
11232         /* Based on RFC 4293: other(1), inval(2), dyn(3), stat(4) */
11233         if (NCE_MYADDR(ncec)) {
11234                 ntme.ipNetToMediaType = 4;
11235         } else if (ncec->ncec_flags & (NCE_F_MCAST|NCE_F_BCAST|NCE_F_PUBLISH)) {
11236                 ntme.ipNetToMediaType = 1;
11237         } else {
11238                 ntme.ipNetToMediaType = 3;
11239         }
11240         ntme.ipNetToMediaIfIndex.o_length = MIN(OCTET_LENGTH, strlen(name));
11241         bcopy(name, ntme.ipNetToMediaIfIndex.o_bytes,
11242             ntme.ipNetToMediaIfIndex.o_length);
11243 
11244         IN6_V4MAPPED_TO_IPADDR(&ncec->ncec_addr, ncec_addr);
11245         bcopy(&ncec_addr, &ntme.ipNetToMediaNetAddress, sizeof (ncec_addr));
11246 
11247         ntme.ipNetToMediaInfo.ntm_mask.o_length = sizeof (ipaddr_t);
11248         ncec_addr = INADDR_BROADCAST;
11249         bcopy(&ncec_addr, ntme.ipNetToMediaInfo.ntm_mask.o_bytes,
11250             sizeof (ncec_addr));
11251         /*
11252          * map all the flags to the ACE counterpart.
11253          */
11254         ntme.ipNetToMediaInfo.ntm_flags = nce2ace(ncec);
11255 
11256         ntme.ipNetToMediaPhysAddress.o_length =
11257             MIN(OCTET_LENGTH, ill->ill_phys_addr_length);
11258 
11259         if (!NCE_ISREACHABLE(ncec))
11260                 ntme.ipNetToMediaPhysAddress.o_length = 0;
11261         else {
11262                 if (ncec->ncec_lladdr != NULL) {
11263                         bcopy(ncec->ncec_lladdr,
11264                             ntme.ipNetToMediaPhysAddress.o_bytes,
11265                             ntme.ipNetToMediaPhysAddress.o_length);
11266                 }
11267         }
11268 
11269         if (!snmp_append_data2(ird->ird_netmedia.lp_head,
11270             &ird->ird_netmedia.lp_tail, (char *)&ntme, sizeof (ntme))) {
11271                 ip1dbg(("ip_snmp_get2_v4_media: failed to allocate %u bytes\n",
11272                     (uint_t)sizeof (ntme)));
11273         }
11274         return (0);
11275 }
11276 
11277 /*
11278  * return (0) if invalid set request, 1 otherwise, including non-tcp requests
11279  */
11280 /* ARGSUSED */
11281 int
11282 ip_snmp_set(queue_t *q, int level, int name, uchar_t *ptr, int len)
11283 {
11284         switch (level) {
11285         case MIB2_IP:
11286         case MIB2_ICMP:
11287                 switch (name) {
11288                 default:
11289                         break;
11290                 }
11291                 return (1);
11292         default:
11293                 return (1);
11294         }
11295 }
11296 
11297 /*
11298  * When there exists both a 64- and 32-bit counter of a particular type
11299  * (i.e., InReceives), only the 64-bit counters are added.
11300  */
11301 void
11302 ip_mib2_add_ip_stats(mib2_ipIfStatsEntry_t *o1, mib2_ipIfStatsEntry_t *o2)
11303 {
11304         UPDATE_MIB(o1, ipIfStatsInHdrErrors, o2->ipIfStatsInHdrErrors);
11305         UPDATE_MIB(o1, ipIfStatsInTooBigErrors, o2->ipIfStatsInTooBigErrors);
11306         UPDATE_MIB(o1, ipIfStatsInNoRoutes, o2->ipIfStatsInNoRoutes);
11307         UPDATE_MIB(o1, ipIfStatsInAddrErrors, o2->ipIfStatsInAddrErrors);
11308         UPDATE_MIB(o1, ipIfStatsInUnknownProtos, o2->ipIfStatsInUnknownProtos);
11309         UPDATE_MIB(o1, ipIfStatsInTruncatedPkts, o2->ipIfStatsInTruncatedPkts);
11310         UPDATE_MIB(o1, ipIfStatsInDiscards, o2->ipIfStatsInDiscards);
11311         UPDATE_MIB(o1, ipIfStatsOutDiscards, o2->ipIfStatsOutDiscards);
11312         UPDATE_MIB(o1, ipIfStatsOutFragOKs, o2->ipIfStatsOutFragOKs);
11313         UPDATE_MIB(o1, ipIfStatsOutFragFails, o2->ipIfStatsOutFragFails);
11314         UPDATE_MIB(o1, ipIfStatsOutFragCreates, o2->ipIfStatsOutFragCreates);
11315         UPDATE_MIB(o1, ipIfStatsReasmReqds, o2->ipIfStatsReasmReqds);
11316         UPDATE_MIB(o1, ipIfStatsReasmOKs, o2->ipIfStatsReasmOKs);
11317         UPDATE_MIB(o1, ipIfStatsReasmFails, o2->ipIfStatsReasmFails);
11318         UPDATE_MIB(o1, ipIfStatsOutNoRoutes, o2->ipIfStatsOutNoRoutes);
11319         UPDATE_MIB(o1, ipIfStatsReasmDuplicates, o2->ipIfStatsReasmDuplicates);
11320         UPDATE_MIB(o1, ipIfStatsReasmPartDups, o2->ipIfStatsReasmPartDups);
11321         UPDATE_MIB(o1, ipIfStatsForwProhibits, o2->ipIfStatsForwProhibits);
11322         UPDATE_MIB(o1, udpInCksumErrs, o2->udpInCksumErrs);
11323         UPDATE_MIB(o1, udpInOverflows, o2->udpInOverflows);
11324         UPDATE_MIB(o1, rawipInOverflows, o2->rawipInOverflows);
11325         UPDATE_MIB(o1, ipIfStatsInWrongIPVersion,
11326             o2->ipIfStatsInWrongIPVersion);
11327         UPDATE_MIB(o1, ipIfStatsOutWrongIPVersion,
11328             o2->ipIfStatsInWrongIPVersion);
11329         UPDATE_MIB(o1, ipIfStatsOutSwitchIPVersion,
11330             o2->ipIfStatsOutSwitchIPVersion);
11331         UPDATE_MIB(o1, ipIfStatsHCInReceives, o2->ipIfStatsHCInReceives);
11332         UPDATE_MIB(o1, ipIfStatsHCInOctets, o2->ipIfStatsHCInOctets);
11333         UPDATE_MIB(o1, ipIfStatsHCInForwDatagrams,
11334             o2->ipIfStatsHCInForwDatagrams);
11335         UPDATE_MIB(o1, ipIfStatsHCInDelivers, o2->ipIfStatsHCInDelivers);
11336         UPDATE_MIB(o1, ipIfStatsHCOutRequests, o2->ipIfStatsHCOutRequests);
11337         UPDATE_MIB(o1, ipIfStatsHCOutForwDatagrams,
11338             o2->ipIfStatsHCOutForwDatagrams);
11339         UPDATE_MIB(o1, ipIfStatsOutFragReqds, o2->ipIfStatsOutFragReqds);
11340         UPDATE_MIB(o1, ipIfStatsHCOutTransmits, o2->ipIfStatsHCOutTransmits);
11341         UPDATE_MIB(o1, ipIfStatsHCOutOctets, o2->ipIfStatsHCOutOctets);
11342         UPDATE_MIB(o1, ipIfStatsHCInMcastPkts, o2->ipIfStatsHCInMcastPkts);
11343         UPDATE_MIB(o1, ipIfStatsHCInMcastOctets, o2->ipIfStatsHCInMcastOctets);
11344         UPDATE_MIB(o1, ipIfStatsHCOutMcastPkts, o2->ipIfStatsHCOutMcastPkts);
11345         UPDATE_MIB(o1, ipIfStatsHCOutMcastOctets,
11346             o2->ipIfStatsHCOutMcastOctets);
11347         UPDATE_MIB(o1, ipIfStatsHCInBcastPkts, o2->ipIfStatsHCInBcastPkts);
11348         UPDATE_MIB(o1, ipIfStatsHCOutBcastPkts, o2->ipIfStatsHCOutBcastPkts);
11349         UPDATE_MIB(o1, ipsecInSucceeded, o2->ipsecInSucceeded);
11350         UPDATE_MIB(o1, ipsecInFailed, o2->ipsecInFailed);
11351         UPDATE_MIB(o1, ipInCksumErrs, o2->ipInCksumErrs);
11352         UPDATE_MIB(o1, tcpInErrs, o2->tcpInErrs);
11353         UPDATE_MIB(o1, udpNoPorts, o2->udpNoPorts);
11354 }
11355 
11356 void
11357 ip_mib2_add_icmp6_stats(mib2_ipv6IfIcmpEntry_t *o1, mib2_ipv6IfIcmpEntry_t *o2)
11358 {
11359         UPDATE_MIB(o1, ipv6IfIcmpInMsgs, o2->ipv6IfIcmpInMsgs);
11360         UPDATE_MIB(o1, ipv6IfIcmpInErrors, o2->ipv6IfIcmpInErrors);
11361         UPDATE_MIB(o1, ipv6IfIcmpInDestUnreachs, o2->ipv6IfIcmpInDestUnreachs);
11362         UPDATE_MIB(o1, ipv6IfIcmpInAdminProhibs, o2->ipv6IfIcmpInAdminProhibs);
11363         UPDATE_MIB(o1, ipv6IfIcmpInTimeExcds, o2->ipv6IfIcmpInTimeExcds);
11364         UPDATE_MIB(o1, ipv6IfIcmpInParmProblems, o2->ipv6IfIcmpInParmProblems);
11365         UPDATE_MIB(o1, ipv6IfIcmpInPktTooBigs, o2->ipv6IfIcmpInPktTooBigs);
11366         UPDATE_MIB(o1, ipv6IfIcmpInEchos, o2->ipv6IfIcmpInEchos);
11367         UPDATE_MIB(o1, ipv6IfIcmpInEchoReplies, o2->ipv6IfIcmpInEchoReplies);
11368         UPDATE_MIB(o1, ipv6IfIcmpInRouterSolicits,
11369             o2->ipv6IfIcmpInRouterSolicits);
11370         UPDATE_MIB(o1, ipv6IfIcmpInRouterAdvertisements,
11371             o2->ipv6IfIcmpInRouterAdvertisements);
11372         UPDATE_MIB(o1, ipv6IfIcmpInNeighborSolicits,
11373             o2->ipv6IfIcmpInNeighborSolicits);
11374         UPDATE_MIB(o1, ipv6IfIcmpInNeighborAdvertisements,
11375             o2->ipv6IfIcmpInNeighborAdvertisements);
11376         UPDATE_MIB(o1, ipv6IfIcmpInRedirects, o2->ipv6IfIcmpInRedirects);
11377         UPDATE_MIB(o1, ipv6IfIcmpInGroupMembQueries,
11378             o2->ipv6IfIcmpInGroupMembQueries);
11379         UPDATE_MIB(o1, ipv6IfIcmpInGroupMembResponses,
11380             o2->ipv6IfIcmpInGroupMembResponses);
11381         UPDATE_MIB(o1, ipv6IfIcmpInGroupMembReductions,
11382             o2->ipv6IfIcmpInGroupMembReductions);
11383         UPDATE_MIB(o1, ipv6IfIcmpOutMsgs, o2->ipv6IfIcmpOutMsgs);
11384         UPDATE_MIB(o1, ipv6IfIcmpOutErrors, o2->ipv6IfIcmpOutErrors);
11385         UPDATE_MIB(o1, ipv6IfIcmpOutDestUnreachs,
11386             o2->ipv6IfIcmpOutDestUnreachs);
11387         UPDATE_MIB(o1, ipv6IfIcmpOutAdminProhibs,
11388             o2->ipv6IfIcmpOutAdminProhibs);
11389         UPDATE_MIB(o1, ipv6IfIcmpOutTimeExcds, o2->ipv6IfIcmpOutTimeExcds);
11390         UPDATE_MIB(o1, ipv6IfIcmpOutParmProblems,
11391             o2->ipv6IfIcmpOutParmProblems);
11392         UPDATE_MIB(o1, ipv6IfIcmpOutPktTooBigs, o2->ipv6IfIcmpOutPktTooBigs);
11393         UPDATE_MIB(o1, ipv6IfIcmpOutEchos, o2->ipv6IfIcmpOutEchos);
11394         UPDATE_MIB(o1, ipv6IfIcmpOutEchoReplies, o2->ipv6IfIcmpOutEchoReplies);
11395         UPDATE_MIB(o1, ipv6IfIcmpOutRouterSolicits,
11396             o2->ipv6IfIcmpOutRouterSolicits);
11397         UPDATE_MIB(o1, ipv6IfIcmpOutRouterAdvertisements,
11398             o2->ipv6IfIcmpOutRouterAdvertisements);
11399         UPDATE_MIB(o1, ipv6IfIcmpOutNeighborSolicits,
11400             o2->ipv6IfIcmpOutNeighborSolicits);
11401         UPDATE_MIB(o1, ipv6IfIcmpOutNeighborAdvertisements,
11402             o2->ipv6IfIcmpOutNeighborAdvertisements);
11403         UPDATE_MIB(o1, ipv6IfIcmpOutRedirects, o2->ipv6IfIcmpOutRedirects);
11404         UPDATE_MIB(o1, ipv6IfIcmpOutGroupMembQueries,
11405             o2->ipv6IfIcmpOutGroupMembQueries);
11406         UPDATE_MIB(o1, ipv6IfIcmpOutGroupMembResponses,
11407             o2->ipv6IfIcmpOutGroupMembResponses);
11408         UPDATE_MIB(o1, ipv6IfIcmpOutGroupMembReductions,
11409             o2->ipv6IfIcmpOutGroupMembReductions);
11410         UPDATE_MIB(o1, ipv6IfIcmpInOverflows, o2->ipv6IfIcmpInOverflows);
11411         UPDATE_MIB(o1, ipv6IfIcmpBadHoplimit, o2->ipv6IfIcmpBadHoplimit);
11412         UPDATE_MIB(o1, ipv6IfIcmpInBadNeighborAdvertisements,
11413             o2->ipv6IfIcmpInBadNeighborAdvertisements);
11414         UPDATE_MIB(o1, ipv6IfIcmpInBadNeighborSolicitations,
11415             o2->ipv6IfIcmpInBadNeighborSolicitations);
11416         UPDATE_MIB(o1, ipv6IfIcmpInBadRedirects, o2->ipv6IfIcmpInBadRedirects);
11417         UPDATE_MIB(o1, ipv6IfIcmpInGroupMembTotal,
11418             o2->ipv6IfIcmpInGroupMembTotal);
11419         UPDATE_MIB(o1, ipv6IfIcmpInGroupMembBadQueries,
11420             o2->ipv6IfIcmpInGroupMembBadQueries);
11421         UPDATE_MIB(o1, ipv6IfIcmpInGroupMembBadReports,
11422             o2->ipv6IfIcmpInGroupMembBadReports);
11423         UPDATE_MIB(o1, ipv6IfIcmpInGroupMembOurReports,
11424             o2->ipv6IfIcmpInGroupMembOurReports);
11425 }
11426 
11427 /*
11428  * Called before the options are updated to check if this packet will
11429  * be source routed from here.
11430  * This routine assumes that the options are well formed i.e. that they
11431  * have already been checked.
11432  */
11433 boolean_t
11434 ip_source_routed(ipha_t *ipha, ip_stack_t *ipst)
11435 {
11436         ipoptp_t        opts;
11437         uchar_t         *opt;
11438         uint8_t         optval;
11439         uint8_t         optlen;
11440         ipaddr_t        dst;
11441 
11442         if (IS_SIMPLE_IPH(ipha)) {
11443                 ip2dbg(("not source routed\n"));
11444                 return (B_FALSE);
11445         }
11446         dst = ipha->ipha_dst;
11447         for (optval = ipoptp_first(&opts, ipha);
11448             optval != IPOPT_EOL;
11449             optval = ipoptp_next(&opts)) {
11450                 ASSERT((opts.ipoptp_flags & IPOPTP_ERROR) == 0);
11451                 opt = opts.ipoptp_cur;
11452                 optlen = opts.ipoptp_len;
11453                 ip2dbg(("ip_source_routed: opt %d, len %d\n",
11454                     optval, optlen));
11455                 switch (optval) {
11456                         uint32_t off;
11457                 case IPOPT_SSRR:
11458                 case IPOPT_LSRR:
11459                         /*
11460                          * If dst is one of our addresses and there are some
11461                          * entries left in the source route return (true).
11462                          */
11463                         if (ip_type_v4(dst, ipst) != IRE_LOCAL) {
11464                                 ip2dbg(("ip_source_routed: not next"
11465                                     " source route 0x%x\n",
11466                                     ntohl(dst)));
11467                                 return (B_FALSE);
11468                         }
11469                         off = opt[IPOPT_OFFSET];
11470                         off--;
11471                         if (optlen < IP_ADDR_LEN ||
11472                             off > optlen - IP_ADDR_LEN) {
11473                                 /* End of source route */
11474                                 ip1dbg(("ip_source_routed: end of SR\n"));
11475                                 return (B_FALSE);
11476                         }
11477                         return (B_TRUE);
11478                 }
11479         }
11480         ip2dbg(("not source routed\n"));
11481         return (B_FALSE);
11482 }
11483 
11484 /*
11485  * ip_unbind is called by the transports to remove a conn from
11486  * the fanout table.
11487  */
11488 void
11489 ip_unbind(conn_t *connp)
11490 {
11491 
11492         ASSERT(!MUTEX_HELD(&connp->conn_lock));
11493 
11494         if (is_system_labeled() && connp->conn_anon_port) {
11495                 (void) tsol_mlp_anon(crgetzone(connp->conn_cred),
11496                     connp->conn_mlp_type, connp->conn_proto,
11497                     ntohs(connp->conn_lport), B_FALSE);
11498                 connp->conn_anon_port = 0;
11499         }
11500         connp->conn_mlp_type = mlptSingle;
11501 
11502         ipcl_hash_remove(connp);
11503 }
11504 
11505 /*
11506  * Used for deciding the MSS size for the upper layer. Thus
11507  * we need to check the outbound policy values in the conn.
11508  */
11509 int
11510 conn_ipsec_length(conn_t *connp)
11511 {
11512         ipsec_latch_t *ipl;
11513 
11514         ipl = connp->conn_latch;
11515         if (ipl == NULL)
11516                 return (0);
11517 
11518         if (connp->conn_ixa->ixa_ipsec_policy == NULL)
11519                 return (0);
11520 
11521         return (connp->conn_ixa->ixa_ipsec_policy->ipsp_act->ipa_ovhd);
11522 }
11523 
11524 /*
11525  * Returns an estimate of the IPsec headers size. This is used if
11526  * we don't want to call into IPsec to get the exact size.
11527  */
11528 int
11529 ipsec_out_extra_length(ip_xmit_attr_t *ixa)
11530 {
11531         ipsec_action_t *a;
11532 
11533         if (!(ixa->ixa_flags & IXAF_IPSEC_SECURE))
11534                 return (0);
11535 
11536         a = ixa->ixa_ipsec_action;
11537         if (a == NULL) {
11538                 ASSERT(ixa->ixa_ipsec_policy != NULL);
11539                 a = ixa->ixa_ipsec_policy->ipsp_act;
11540         }
11541         ASSERT(a != NULL);
11542 
11543         return (a->ipa_ovhd);
11544 }
11545 
11546 /*
11547  * If there are any source route options, return the true final
11548  * destination. Otherwise, return the destination.
11549  */
11550 ipaddr_t
11551 ip_get_dst(ipha_t *ipha)
11552 {
11553         ipoptp_t        opts;
11554         uchar_t         *opt;
11555         uint8_t         optval;
11556         uint8_t         optlen;
11557         ipaddr_t        dst;
11558         uint32_t off;
11559 
11560         dst = ipha->ipha_dst;
11561 
11562         if (IS_SIMPLE_IPH(ipha))
11563                 return (dst);
11564 
11565         for (optval = ipoptp_first(&opts, ipha);
11566             optval != IPOPT_EOL;
11567             optval = ipoptp_next(&opts)) {
11568                 opt = opts.ipoptp_cur;
11569                 optlen = opts.ipoptp_len;
11570                 ASSERT((opts.ipoptp_flags & IPOPTP_ERROR) == 0);
11571                 switch (optval) {
11572                 case IPOPT_SSRR:
11573                 case IPOPT_LSRR:
11574                         off = opt[IPOPT_OFFSET];
11575                         /*
11576                          * If one of the conditions is true, it means
11577                          * end of options and dst already has the right
11578                          * value.
11579                          */
11580                         if (!(optlen < IP_ADDR_LEN || off > optlen - 3)) {
11581                                 off = optlen - IP_ADDR_LEN;
11582                                 bcopy(&opt[off], &dst, IP_ADDR_LEN);
11583                         }
11584                         return (dst);
11585                 default:
11586                         break;
11587                 }
11588         }
11589 
11590         return (dst);
11591 }
11592 
11593 /*
11594  * Outbound IP fragmentation routine.
11595  * Assumes the caller has checked whether or not fragmentation should
11596  * be allowed. Here we copy the DF bit from the header to all the generated
11597  * fragments.
11598  */
11599 int
11600 ip_fragment_v4(mblk_t *mp_orig, nce_t *nce, iaflags_t ixaflags,
11601     uint_t pkt_len, uint32_t max_frag, uint32_t xmit_hint, zoneid_t szone,
11602     zoneid_t nolzid, pfirepostfrag_t postfragfn, uintptr_t *ixa_cookie)
11603 {
11604         int             i1;
11605         int             hdr_len;
11606         mblk_t          *hdr_mp;
11607         ipha_t          *ipha;
11608         int             ip_data_end;
11609         int             len;
11610         mblk_t          *mp = mp_orig;
11611         int             offset;
11612         ill_t           *ill = nce->nce_ill;
11613         ip_stack_t      *ipst = ill->ill_ipst;
11614         mblk_t          *carve_mp;
11615         uint32_t        frag_flag;
11616         uint_t          priority = mp->b_band;
11617         int             error = 0;
11618 
11619         BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragReqds);
11620 
11621         if (pkt_len != msgdsize(mp)) {
11622                 ip0dbg(("Packet length mismatch: %d, %ld\n",
11623                     pkt_len, msgdsize(mp)));
11624                 freemsg(mp);
11625                 return (EINVAL);
11626         }
11627 
11628         if (max_frag == 0) {
11629                 ip1dbg(("ip_fragment_v4: max_frag is zero. Dropping packet\n"));
11630                 BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragFails);
11631                 ip_drop_output("FragFails: zero max_frag", mp, ill);
11632                 freemsg(mp);
11633                 return (EINVAL);
11634         }
11635 
11636         ASSERT(MBLKL(mp) >= sizeof (ipha_t));
11637         ipha = (ipha_t *)mp->b_rptr;
11638         ASSERT(ntohs(ipha->ipha_length) == pkt_len);
11639         frag_flag = ntohs(ipha->ipha_fragment_offset_and_flags) & IPH_DF;
11640 
11641         /*
11642          * Establish the starting offset.  May not be zero if we are fragging
11643          * a fragment that is being forwarded.
11644          */
11645         offset = ntohs(ipha->ipha_fragment_offset_and_flags) & IPH_OFFSET;
11646 
11647         /* TODO why is this test needed? */
11648         if (((max_frag - ntohs(ipha->ipha_length)) & ~7) < 8) {
11649                 /* TODO: notify ulp somehow */
11650                 BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragFails);
11651                 ip_drop_output("FragFails: bad starting offset", mp, ill);
11652                 freemsg(mp);
11653                 return (EINVAL);
11654         }
11655 
11656         hdr_len = IPH_HDR_LENGTH(ipha);
11657         ipha->ipha_hdr_checksum = 0;
11658 
11659         /*
11660          * Establish the number of bytes maximum per frag, after putting
11661          * in the header.
11662          */
11663         len = (max_frag - hdr_len) & ~7;
11664 
11665         /* Get a copy of the header for the trailing frags */
11666         hdr_mp = ip_fragment_copyhdr((uchar_t *)ipha, hdr_len, offset, ipst,
11667             mp);
11668         if (hdr_mp == NULL) {
11669                 BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragFails);
11670                 ip_drop_output("FragFails: no hdr_mp", mp, ill);
11671                 freemsg(mp);
11672                 return (ENOBUFS);
11673         }
11674 
11675         /* Store the starting offset, with the MoreFrags flag. */
11676         i1 = offset | IPH_MF | frag_flag;
11677         ipha->ipha_fragment_offset_and_flags = htons((uint16_t)i1);
11678 
11679         /* Establish the ending byte offset, based on the starting offset. */
11680         offset <<= 3;
11681         ip_data_end = offset + ntohs(ipha->ipha_length) - hdr_len;
11682 
11683         /* Store the length of the first fragment in the IP header. */
11684         i1 = len + hdr_len;
11685         ASSERT(i1 <= IP_MAXPACKET);
11686         ipha->ipha_length = htons((uint16_t)i1);
11687 
11688         /*
11689          * Compute the IP header checksum for the first frag.  We have to
11690          * watch out that we stop at the end of the header.
11691          */
11692         ipha->ipha_hdr_checksum = ip_csum_hdr(ipha);
11693 
11694         /*
11695          * Now carve off the first frag.  Note that this will include the
11696          * original IP header.
11697          */
11698         if (!(mp = ip_carve_mp(&mp_orig, i1))) {
11699                 BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragFails);
11700                 ip_drop_output("FragFails: could not carve mp", mp_orig, ill);
11701                 freeb(hdr_mp);
11702                 freemsg(mp_orig);
11703                 return (ENOBUFS);
11704         }
11705 
11706         BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragCreates);
11707 
11708         error = postfragfn(mp, nce, ixaflags, i1, xmit_hint, szone, nolzid,
11709             ixa_cookie);
11710         if (error != 0 && error != EWOULDBLOCK) {
11711                 /* No point in sending the other fragments */
11712                 BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragFails);
11713                 ip_drop_output("FragFails: postfragfn failed", mp_orig, ill);
11714                 freeb(hdr_mp);
11715                 freemsg(mp_orig);
11716                 return (error);
11717         }
11718 
11719         /* No need to redo state machine in loop */
11720         ixaflags &= ~IXAF_REACH_CONF;
11721 
11722         /* Advance the offset to the second frag starting point. */
11723         offset += len;
11724         /*
11725          * Update hdr_len from the copied header - there might be less options
11726          * in the later fragments.
11727          */
11728         hdr_len = IPH_HDR_LENGTH(hdr_mp->b_rptr);
11729         /* Loop until done. */
11730         for (;;) {
11731                 uint16_t        offset_and_flags;
11732                 uint16_t        ip_len;
11733 
11734                 if (ip_data_end - offset > len) {
11735                         /*
11736                          * Carve off the appropriate amount from the original
11737                          * datagram.
11738                          */
11739                         if (!(carve_mp = ip_carve_mp(&mp_orig, len))) {
11740                                 mp = NULL;
11741                                 break;
11742                         }
11743                         /*
11744                          * More frags after this one.  Get another copy
11745                          * of the header.
11746                          */
11747                         if (carve_mp->b_datap->db_ref == 1 &&
11748                             hdr_mp->b_wptr - hdr_mp->b_rptr <
11749                             carve_mp->b_rptr - carve_mp->b_datap->db_base) {
11750                                 /* Inline IP header */
11751                                 carve_mp->b_rptr -= hdr_mp->b_wptr -
11752                                     hdr_mp->b_rptr;
11753                                 bcopy(hdr_mp->b_rptr, carve_mp->b_rptr,
11754                                     hdr_mp->b_wptr - hdr_mp->b_rptr);
11755                                 mp = carve_mp;
11756                         } else {
11757                                 if (!(mp = copyb(hdr_mp))) {
11758                                         freemsg(carve_mp);
11759                                         break;
11760                                 }
11761                                 /* Get priority marking, if any. */
11762                                 mp->b_band = priority;
11763                                 mp->b_cont = carve_mp;
11764                         }
11765                         ipha = (ipha_t *)mp->b_rptr;
11766                         offset_and_flags = IPH_MF;
11767                 } else {
11768                         /*
11769                          * Last frag.  Consume the header. Set len to
11770                          * the length of this last piece.
11771                          */
11772                         len = ip_data_end - offset;
11773 
11774                         /*
11775                          * Carve off the appropriate amount from the original
11776                          * datagram.
11777                          */
11778                         if (!(carve_mp = ip_carve_mp(&mp_orig, len))) {
11779                                 mp = NULL;
11780                                 break;
11781                         }
11782                         if (carve_mp->b_datap->db_ref == 1 &&
11783                             hdr_mp->b_wptr - hdr_mp->b_rptr <
11784                             carve_mp->b_rptr - carve_mp->b_datap->db_base) {
11785                                 /* Inline IP header */
11786                                 carve_mp->b_rptr -= hdr_mp->b_wptr -
11787                                     hdr_mp->b_rptr;
11788                                 bcopy(hdr_mp->b_rptr, carve_mp->b_rptr,
11789                                     hdr_mp->b_wptr - hdr_mp->b_rptr);
11790                                 mp = carve_mp;
11791                                 freeb(hdr_mp);
11792                                 hdr_mp = mp;
11793                         } else {
11794                                 mp = hdr_mp;
11795                                 /* Get priority marking, if any. */
11796                                 mp->b_band = priority;
11797                                 mp->b_cont = carve_mp;
11798                         }
11799                         ipha = (ipha_t *)mp->b_rptr;
11800                         /* A frag of a frag might have IPH_MF non-zero */
11801                         offset_and_flags =
11802                             ntohs(ipha->ipha_fragment_offset_and_flags) &
11803                             IPH_MF;
11804                 }
11805                 offset_and_flags |= (uint16_t)(offset >> 3);
11806                 offset_and_flags |= (uint16_t)frag_flag;
11807                 /* Store the offset and flags in the IP header. */
11808                 ipha->ipha_fragment_offset_and_flags = htons(offset_and_flags);
11809 
11810                 /* Store the length in the IP header. */
11811                 ip_len = (uint16_t)(len + hdr_len);
11812                 ipha->ipha_length = htons(ip_len);
11813 
11814                 /*
11815                  * Set the IP header checksum.  Note that mp is just
11816                  * the header, so this is easy to pass to ip_csum.
11817                  */
11818                 ipha->ipha_hdr_checksum = ip_csum_hdr(ipha);
11819 
11820                 BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragCreates);
11821 
11822                 error = postfragfn(mp, nce, ixaflags, ip_len, xmit_hint, szone,
11823                     nolzid, ixa_cookie);
11824                 /* All done if we just consumed the hdr_mp. */
11825                 if (mp == hdr_mp) {
11826                         BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragOKs);
11827                         return (error);
11828                 }
11829                 if (error != 0 && error != EWOULDBLOCK) {
11830                         DTRACE_PROBE2(ip__xmit__frag__fail, ill_t *, ill,
11831                             mblk_t *, hdr_mp);
11832                         /* No point in sending the other fragments */
11833                         break;
11834                 }
11835 
11836                 /* Otherwise, advance and loop. */
11837                 offset += len;
11838         }
11839         /* Clean up following allocation failure. */
11840         BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragFails);
11841         ip_drop_output("FragFails: loop ended", NULL, ill);
11842         if (mp != hdr_mp)
11843                 freeb(hdr_mp);
11844         if (mp != mp_orig)
11845                 freemsg(mp_orig);
11846         return (error);
11847 }
11848 
11849 /*
11850  * Copy the header plus those options which have the copy bit set
11851  */
11852 static mblk_t *
11853 ip_fragment_copyhdr(uchar_t *rptr, int hdr_len, int offset, ip_stack_t *ipst,
11854     mblk_t *src)
11855 {
11856         mblk_t  *mp;
11857         uchar_t *up;
11858 
11859         /*
11860          * Quick check if we need to look for options without the copy bit
11861          * set
11862          */
11863         mp = allocb_tmpl(ipst->ips_ip_wroff_extra + hdr_len, src);
11864         if (!mp)
11865                 return (mp);
11866         mp->b_rptr += ipst->ips_ip_wroff_extra;
11867         if (hdr_len == IP_SIMPLE_HDR_LENGTH || offset != 0) {
11868                 bcopy(rptr, mp->b_rptr, hdr_len);
11869                 mp->b_wptr += hdr_len + ipst->ips_ip_wroff_extra;
11870                 return (mp);
11871         }
11872         up  = mp->b_rptr;
11873         bcopy(rptr, up, IP_SIMPLE_HDR_LENGTH);
11874         up += IP_SIMPLE_HDR_LENGTH;
11875         rptr += IP_SIMPLE_HDR_LENGTH;
11876         hdr_len -= IP_SIMPLE_HDR_LENGTH;
11877         while (hdr_len > 0) {
11878                 uint32_t optval;
11879                 uint32_t optlen;
11880 
11881                 optval = *rptr;
11882                 if (optval == IPOPT_EOL)
11883                         break;
11884                 if (optval == IPOPT_NOP)
11885                         optlen = 1;
11886                 else
11887                         optlen = rptr[1];
11888                 if (optval & IPOPT_COPY) {
11889                         bcopy(rptr, up, optlen);
11890                         up += optlen;
11891                 }
11892                 rptr += optlen;
11893                 hdr_len -= optlen;
11894         }
11895         /*
11896          * Make sure that we drop an even number of words by filling
11897          * with EOL to the next word boundary.
11898          */
11899         for (hdr_len = up - (mp->b_rptr + IP_SIMPLE_HDR_LENGTH);
11900             hdr_len & 0x3; hdr_len++)
11901                 *up++ = IPOPT_EOL;
11902         mp->b_wptr = up;
11903         /* Update header length */
11904         mp->b_rptr[0] = (uint8_t)((IP_VERSION << 4) | ((up - mp->b_rptr) >> 2));
11905         return (mp);
11906 }
11907 
11908 /*
11909  * Update any source route, record route, or timestamp options when
11910  * sending a packet back to ourselves.
11911  * Check that we are at end of strict source route.
11912  * The options have been sanity checked by ip_output_options().
11913  */
11914 void
11915 ip_output_local_options(ipha_t *ipha, ip_stack_t *ipst)
11916 {
11917         ipoptp_t        opts;
11918         uchar_t         *opt;
11919         uint8_t         optval;
11920         uint8_t         optlen;
11921         ipaddr_t        dst;
11922         uint32_t        ts;
11923         timestruc_t     now;
11924 
11925         for (optval = ipoptp_first(&opts, ipha);
11926             optval != IPOPT_EOL;
11927             optval = ipoptp_next(&opts)) {
11928                 opt = opts.ipoptp_cur;
11929                 optlen = opts.ipoptp_len;
11930                 ASSERT((opts.ipoptp_flags & IPOPTP_ERROR) == 0);
11931                 switch (optval) {
11932                         uint32_t off;
11933                 case IPOPT_SSRR:
11934                 case IPOPT_LSRR:
11935                         off = opt[IPOPT_OFFSET];
11936                         off--;
11937                         if (optlen < IP_ADDR_LEN ||
11938                             off > optlen - IP_ADDR_LEN) {
11939                                 /* End of source route */
11940                                 break;
11941                         }
11942                         /*
11943                          * This will only happen if two consecutive entries
11944                          * in the source route contains our address or if
11945                          * it is a packet with a loose source route which
11946                          * reaches us before consuming the whole source route
11947                          */
11948 
11949                         if (optval == IPOPT_SSRR) {
11950                                 return;
11951                         }
11952                         /*
11953                          * Hack: instead of dropping the packet truncate the
11954                          * source route to what has been used by filling the
11955                          * rest with IPOPT_NOP.
11956                          */
11957                         opt[IPOPT_OLEN] = (uint8_t)off;
11958                         while (off < optlen) {
11959                                 opt[off++] = IPOPT_NOP;
11960                         }
11961                         break;
11962                 case IPOPT_RR:
11963                         off = opt[IPOPT_OFFSET];
11964                         off--;
11965                         if (optlen < IP_ADDR_LEN ||
11966                             off > optlen - IP_ADDR_LEN) {
11967                                 /* No more room - ignore */
11968                                 ip1dbg((
11969                                     "ip_output_local_options: end of RR\n"));
11970                                 break;
11971                         }
11972                         dst = htonl(INADDR_LOOPBACK);
11973                         bcopy(&dst, (char *)opt + off, IP_ADDR_LEN);
11974                         opt[IPOPT_OFFSET] += IP_ADDR_LEN;
11975                         break;
11976                 case IPOPT_TS:
11977                         /* Insert timestamp if there is romm */
11978                         switch (opt[IPOPT_POS_OV_FLG] & 0x0F) {
11979                         case IPOPT_TS_TSONLY:
11980                                 off = IPOPT_TS_TIMELEN;
11981                                 break;
11982                         case IPOPT_TS_PRESPEC:
11983                         case IPOPT_TS_PRESPEC_RFC791:
11984                                 /* Verify that the address matched */
11985                                 off = opt[IPOPT_OFFSET] - 1;
11986                                 bcopy((char *)opt + off, &dst, IP_ADDR_LEN);
11987                                 if (ip_type_v4(dst, ipst) != IRE_LOCAL) {
11988                                         /* Not for us */
11989                                         break;
11990                                 }
11991                                 /* FALLTHRU */
11992                         case IPOPT_TS_TSANDADDR:
11993                                 off = IP_ADDR_LEN + IPOPT_TS_TIMELEN;
11994                                 break;
11995                         default:
11996                                 /*
11997                                  * ip_*put_options should have already
11998                                  * dropped this packet.
11999                                  */
12000                                 cmn_err(CE_PANIC, "ip_output_local_options: "
12001                                     "unknown IT - bug in ip_output_options?\n");
12002                                 return; /* Keep "lint" happy */
12003                         }
12004                         if (opt[IPOPT_OFFSET] - 1 + off > optlen) {
12005                                 /* Increase overflow counter */
12006                                 off = (opt[IPOPT_POS_OV_FLG] >> 4) + 1;
12007                                 opt[IPOPT_POS_OV_FLG] = (uint8_t)
12008                                     (opt[IPOPT_POS_OV_FLG] & 0x0F) |
12009                                     (off << 4);
12010                                 break;
12011                         }
12012                         off = opt[IPOPT_OFFSET] - 1;
12013                         switch (opt[IPOPT_POS_OV_FLG] & 0x0F) {
12014                         case IPOPT_TS_PRESPEC:
12015                         case IPOPT_TS_PRESPEC_RFC791:
12016                         case IPOPT_TS_TSANDADDR:
12017                                 dst = htonl(INADDR_LOOPBACK);
12018                                 bcopy(&dst, (char *)opt + off, IP_ADDR_LEN);
12019                                 opt[IPOPT_OFFSET] += IP_ADDR_LEN;
12020                                 /* FALLTHRU */
12021                         case IPOPT_TS_TSONLY:
12022                                 off = opt[IPOPT_OFFSET] - 1;
12023                                 /* Compute # of milliseconds since midnight */
12024                                 gethrestime(&now);
12025                                 ts = (now.tv_sec % (24 * 60 * 60)) * 1000 +
12026                                     now.tv_nsec / (NANOSEC / MILLISEC);
12027                                 bcopy(&ts, (char *)opt + off, IPOPT_TS_TIMELEN);
12028                                 opt[IPOPT_OFFSET] += IPOPT_TS_TIMELEN;
12029                                 break;
12030                         }
12031                         break;
12032                 }
12033         }
12034 }
12035 
12036 /*
12037  * Prepend an M_DATA fastpath header, and if none present prepend a
12038  * DL_UNITDATA_REQ. Frees the mblk on failure.
12039  *
12040  * nce_dlur_mp and nce_fp_mp can not disappear once they have been set.
12041  * If there is a change to them, the nce will be deleted (condemned) and
12042  * a new nce_t will be created when packets are sent. Thus we need no locks
12043  * to access those fields.
12044  *
12045  * We preserve b_band to support IPQoS. If a DL_UNITDATA_REQ is prepended
12046  * we place b_band in dl_priority.dl_max.
12047  */
12048 static mblk_t *
12049 ip_xmit_attach_llhdr(mblk_t *mp, nce_t *nce)
12050 {
12051         uint_t  hlen;
12052         mblk_t *mp1;
12053         uint_t  priority;
12054         uchar_t *rptr;
12055 
12056         rptr = mp->b_rptr;
12057 
12058         ASSERT(DB_TYPE(mp) == M_DATA);
12059         priority = mp->b_band;
12060 
12061         ASSERT(nce != NULL);
12062         if ((mp1 = nce->nce_fp_mp) != NULL) {
12063                 hlen = MBLKL(mp1);
12064                 /*
12065                  * Check if we have enough room to prepend fastpath
12066                  * header
12067                  */
12068                 if (hlen != 0 && (rptr - mp->b_datap->db_base) >= hlen) {
12069                         rptr -= hlen;
12070                         bcopy(mp1->b_rptr, rptr, hlen);
12071                         /*
12072                          * Set the b_rptr to the start of the link layer
12073                          * header
12074                          */
12075                         mp->b_rptr = rptr;
12076                         return (mp);
12077                 }
12078                 mp1 = copyb(mp1);
12079                 if (mp1 == NULL) {
12080                         ill_t *ill = nce->nce_ill;
12081 
12082                         BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
12083                         ip_drop_output("ipIfStatsOutDiscards", mp, ill);
12084                         freemsg(mp);
12085                         return (NULL);
12086                 }
12087                 mp1->b_band = priority;
12088                 mp1->b_cont = mp;
12089                 DB_CKSUMSTART(mp1) = DB_CKSUMSTART(mp);
12090                 DB_CKSUMSTUFF(mp1) = DB_CKSUMSTUFF(mp);
12091                 DB_CKSUMEND(mp1) = DB_CKSUMEND(mp);
12092                 DB_CKSUMFLAGS(mp1) = DB_CKSUMFLAGS(mp);
12093                 DB_LSOMSS(mp1) = DB_LSOMSS(mp);
12094                 DTRACE_PROBE1(ip__xmit__copyb, (mblk_t *), mp1);
12095                 /*
12096                  * XXX disable ICK_VALID and compute checksum
12097                  * here; can happen if nce_fp_mp changes and
12098                  * it can't be copied now due to insufficient
12099                  * space. (unlikely, fp mp can change, but it
12100                  * does not increase in length)
12101                  */
12102                 return (mp1);
12103         }
12104         mp1 = copyb(nce->nce_dlur_mp);
12105 
12106         if (mp1 == NULL) {
12107                 ill_t *ill = nce->nce_ill;
12108 
12109                 BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
12110                 ip_drop_output("ipIfStatsOutDiscards", mp, ill);
12111                 freemsg(mp);
12112                 return (NULL);
12113         }
12114         mp1->b_cont = mp;
12115         if (priority != 0) {
12116                 mp1->b_band = priority;
12117                 ((dl_unitdata_req_t *)(mp1->b_rptr))->dl_priority.dl_max =
12118                     priority;
12119         }
12120         return (mp1);
12121 #undef rptr
12122 }
12123 
12124 /*
12125  * Finish the outbound IPsec processing. This function is called from
12126  * ipsec_out_process() if the IPsec packet was processed
12127  * synchronously, or from {ah,esp}_kcf_callback_outbound() if it was processed
12128  * asynchronously.
12129  *
12130  * This is common to IPv4 and IPv6.
12131  */
12132 int
12133 ip_output_post_ipsec(mblk_t *mp, ip_xmit_attr_t *ixa)
12134 {
12135         iaflags_t       ixaflags = ixa->ixa_flags;
12136         uint_t          pktlen;
12137 
12138 
12139         /* AH/ESP don't update ixa_pktlen when they modify the packet */
12140         if (ixaflags & IXAF_IS_IPV4) {
12141                 ipha_t          *ipha = (ipha_t *)mp->b_rptr;
12142 
12143                 ASSERT(IPH_HDR_VERSION(ipha) == IPV4_VERSION);
12144                 pktlen = ntohs(ipha->ipha_length);
12145         } else {
12146                 ip6_t           *ip6h = (ip6_t *)mp->b_rptr;
12147 
12148                 ASSERT(IPH_HDR_VERSION(mp->b_rptr) == IPV6_VERSION);
12149                 pktlen = ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN;
12150         }
12151 
12152         /*
12153          * We release any hard reference on the SAs here to make
12154          * sure the SAs can be garbage collected. ipsr_sa has a soft reference
12155          * on the SAs.
12156          * If in the future we want the hard latching of the SAs in the
12157          * ip_xmit_attr_t then we should remove this.
12158          */
12159         if (ixa->ixa_ipsec_esp_sa != NULL) {
12160                 IPSA_REFRELE(ixa->ixa_ipsec_esp_sa);
12161                 ixa->ixa_ipsec_esp_sa = NULL;
12162         }
12163         if (ixa->ixa_ipsec_ah_sa != NULL) {
12164                 IPSA_REFRELE(ixa->ixa_ipsec_ah_sa);
12165                 ixa->ixa_ipsec_ah_sa = NULL;
12166         }
12167 
12168         /* Do we need to fragment? */
12169         if ((ixa->ixa_flags & IXAF_IPV6_ADD_FRAGHDR) ||
12170             pktlen > ixa->ixa_fragsize) {
12171                 if (ixaflags & IXAF_IS_IPV4) {
12172                         ASSERT(!(ixa->ixa_flags & IXAF_IPV6_ADD_FRAGHDR));
12173                         /*
12174                          * We check for the DF case in ipsec_out_process
12175                          * hence this only handles the non-DF case.
12176                          */
12177                         return (ip_fragment_v4(mp, ixa->ixa_nce, ixa->ixa_flags,
12178                             pktlen, ixa->ixa_fragsize,
12179                             ixa->ixa_xmit_hint, ixa->ixa_zoneid,
12180                             ixa->ixa_no_loop_zoneid, ixa->ixa_postfragfn,
12181                             &ixa->ixa_cookie));
12182                 } else {
12183                         mp = ip_fraghdr_add_v6(mp, ixa->ixa_ident, ixa);
12184                         if (mp == NULL) {
12185                                 /* MIB and ip_drop_output already done */
12186                                 return (ENOMEM);
12187                         }
12188                         pktlen += sizeof (ip6_frag_t);
12189                         if (pktlen > ixa->ixa_fragsize) {
12190                                 return (ip_fragment_v6(mp, ixa->ixa_nce,
12191                                     ixa->ixa_flags, pktlen,
12192                                     ixa->ixa_fragsize, ixa->ixa_xmit_hint,
12193                                     ixa->ixa_zoneid, ixa->ixa_no_loop_zoneid,
12194                                     ixa->ixa_postfragfn, &ixa->ixa_cookie));
12195                         }
12196                 }
12197         }
12198         return ((ixa->ixa_postfragfn)(mp, ixa->ixa_nce, ixa->ixa_flags,
12199             pktlen, ixa->ixa_xmit_hint, ixa->ixa_zoneid,
12200             ixa->ixa_no_loop_zoneid, NULL));
12201 }
12202 
12203 /*
12204  * Finish the inbound IPsec processing. This function is called from
12205  * ipsec_out_process() if the IPsec packet was processed
12206  * synchronously, or from {ah,esp}_kcf_callback_outbound() if it was processed
12207  * asynchronously.
12208  *
12209  * This is common to IPv4 and IPv6.
12210  */
12211 void
12212 ip_input_post_ipsec(mblk_t *mp, ip_recv_attr_t *ira)
12213 {
12214         iaflags_t       iraflags = ira->ira_flags;
12215 
12216         /* Length might have changed */
12217         if (iraflags & IRAF_IS_IPV4) {
12218                 ipha_t          *ipha = (ipha_t *)mp->b_rptr;
12219 
12220                 ASSERT(IPH_HDR_VERSION(ipha) == IPV4_VERSION);
12221                 ira->ira_pktlen = ntohs(ipha->ipha_length);
12222                 ira->ira_ip_hdr_length = IPH_HDR_LENGTH(ipha);
12223                 ira->ira_protocol = ipha->ipha_protocol;
12224 
12225                 ip_fanout_v4(mp, ipha, ira);
12226         } else {
12227                 ip6_t           *ip6h = (ip6_t *)mp->b_rptr;
12228                 uint8_t         *nexthdrp;
12229 
12230                 ASSERT(IPH_HDR_VERSION(mp->b_rptr) == IPV6_VERSION);
12231                 ira->ira_pktlen = ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN;
12232                 if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &ira->ira_ip_hdr_length,
12233                     &nexthdrp)) {
12234                         /* Malformed packet */
12235                         BUMP_MIB(ira->ira_ill->ill_ip_mib, ipIfStatsInDiscards);
12236                         ip_drop_input("ipIfStatsInDiscards", mp, ira->ira_ill);
12237                         freemsg(mp);
12238                         return;
12239                 }
12240                 ira->ira_protocol = *nexthdrp;
12241                 ip_fanout_v6(mp, ip6h, ira);
12242         }
12243 }
12244 
12245 /*
12246  * Select which AH & ESP SA's to use (if any) for the outbound packet.
12247  *
12248  * If this function returns B_TRUE, the requested SA's have been filled
12249  * into the ixa_ipsec_*_sa pointers.
12250  *
12251  * If the function returns B_FALSE, the packet has been "consumed", most
12252  * likely by an ACQUIRE sent up via PF_KEY to a key management daemon.
12253  *
12254  * The SA references created by the protocol-specific "select"
12255  * function will be released in ip_output_post_ipsec.
12256  */
12257 static boolean_t
12258 ipsec_out_select_sa(mblk_t *mp, ip_xmit_attr_t *ixa)
12259 {
12260         boolean_t need_ah_acquire = B_FALSE, need_esp_acquire = B_FALSE;
12261         ipsec_policy_t *pp;
12262         ipsec_action_t *ap;
12263 
12264         ASSERT(ixa->ixa_flags & IXAF_IPSEC_SECURE);
12265         ASSERT((ixa->ixa_ipsec_policy != NULL) ||
12266             (ixa->ixa_ipsec_action != NULL));
12267 
12268         ap = ixa->ixa_ipsec_action;
12269         if (ap == NULL) {
12270                 pp = ixa->ixa_ipsec_policy;
12271                 ASSERT(pp != NULL);
12272                 ap = pp->ipsp_act;
12273                 ASSERT(ap != NULL);
12274         }
12275 
12276         /*
12277          * We have an action.  now, let's select SA's.
12278          * A side effect of setting ixa_ipsec_*_sa is that it will
12279          * be cached in the conn_t.
12280          */
12281         if (ap->ipa_want_esp) {
12282                 if (ixa->ixa_ipsec_esp_sa == NULL) {
12283                         need_esp_acquire = !ipsec_outbound_sa(mp, ixa,
12284                             IPPROTO_ESP);
12285                 }
12286                 ASSERT(need_esp_acquire || ixa->ixa_ipsec_esp_sa != NULL);
12287         }
12288 
12289         if (ap->ipa_want_ah) {
12290                 if (ixa->ixa_ipsec_ah_sa == NULL) {
12291                         need_ah_acquire = !ipsec_outbound_sa(mp, ixa,
12292                             IPPROTO_AH);
12293                 }
12294                 ASSERT(need_ah_acquire || ixa->ixa_ipsec_ah_sa != NULL);
12295                 /*
12296                  * The ESP and AH processing order needs to be preserved
12297                  * when both protocols are required (ESP should be applied
12298                  * before AH for an outbound packet). Force an ESP ACQUIRE
12299                  * when both ESP and AH are required, and an AH ACQUIRE
12300                  * is needed.
12301                  */
12302                 if (ap->ipa_want_esp && need_ah_acquire)
12303                         need_esp_acquire = B_TRUE;
12304         }
12305 
12306         /*
12307          * Send an ACQUIRE (extended, regular, or both) if we need one.
12308          * Release SAs that got referenced, but will not be used until we
12309          * acquire _all_ of the SAs we need.
12310          */
12311         if (need_ah_acquire || need_esp_acquire) {
12312                 if (ixa->ixa_ipsec_ah_sa != NULL) {
12313                         IPSA_REFRELE(ixa->ixa_ipsec_ah_sa);
12314                         ixa->ixa_ipsec_ah_sa = NULL;
12315                 }
12316                 if (ixa->ixa_ipsec_esp_sa != NULL) {
12317                         IPSA_REFRELE(ixa->ixa_ipsec_esp_sa);
12318                         ixa->ixa_ipsec_esp_sa = NULL;
12319                 }
12320 
12321                 sadb_acquire(mp, ixa, need_ah_acquire, need_esp_acquire);
12322                 return (B_FALSE);
12323         }
12324 
12325         return (B_TRUE);
12326 }
12327 
12328 /*
12329  * Handle IPsec output processing.
12330  * This function is only entered once for a given packet.
12331  * We try to do things synchronously, but if we need to have user-level
12332  * set up SAs, or ESP or AH uses asynchronous kEF, then the operation
12333  * will be completed
12334  *  - when the SAs are added in esp_add_sa_finish/ah_add_sa_finish
12335  *  - when asynchronous ESP is done it will do AH
12336  *
12337  * In all cases we come back in ip_output_post_ipsec() to fragment and
12338  * send out the packet.
12339  */
12340 int
12341 ipsec_out_process(mblk_t *mp, ip_xmit_attr_t *ixa)
12342 {
12343         ill_t           *ill = ixa->ixa_nce->nce_ill;
12344         ip_stack_t      *ipst = ixa->ixa_ipst;
12345         ipsec_stack_t   *ipss;
12346         ipsec_policy_t  *pp;
12347         ipsec_action_t  *ap;
12348 
12349         ASSERT(ixa->ixa_flags & IXAF_IPSEC_SECURE);
12350 
12351         ASSERT((ixa->ixa_ipsec_policy != NULL) ||
12352             (ixa->ixa_ipsec_action != NULL));
12353 
12354         ipss = ipst->ips_netstack->netstack_ipsec;
12355         if (!ipsec_loaded(ipss)) {
12356                 BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
12357                 ip_drop_packet(mp, B_TRUE, ill,
12358                     DROPPER(ipss, ipds_ip_ipsec_not_loaded),
12359                     &ipss->ipsec_dropper);
12360                 return (ENOTSUP);
12361         }
12362 
12363         ap = ixa->ixa_ipsec_action;
12364         if (ap == NULL) {
12365                 pp = ixa->ixa_ipsec_policy;
12366                 ASSERT(pp != NULL);
12367                 ap = pp->ipsp_act;
12368                 ASSERT(ap != NULL);
12369         }
12370 
12371         /* Handle explicit drop action and bypass. */
12372         switch (ap->ipa_act.ipa_type) {
12373         case IPSEC_ACT_DISCARD:
12374         case IPSEC_ACT_REJECT:
12375                 ip_drop_packet(mp, B_FALSE, ill,
12376                     DROPPER(ipss, ipds_spd_explicit), &ipss->ipsec_spd_dropper);
12377                 return (EHOSTUNREACH);  /* IPsec policy failure */
12378         case IPSEC_ACT_BYPASS:
12379                 return (ip_output_post_ipsec(mp, ixa));
12380         }
12381 
12382         /*
12383          * The order of processing is first insert a IP header if needed.
12384          * Then insert the ESP header and then the AH header.
12385          */
12386         if ((ixa->ixa_flags & IXAF_IS_IPV4) && ap->ipa_want_se) {
12387                 /*
12388                  * First get the outer IP header before sending
12389                  * it to ESP.
12390                  */
12391                 ipha_t *oipha, *iipha;
12392                 mblk_t *outer_mp, *inner_mp;
12393 
12394                 if ((outer_mp = allocb(sizeof (ipha_t), BPRI_HI)) == NULL) {
12395                         (void) mi_strlog(ill->ill_rq, 0,
12396                             SL_ERROR|SL_TRACE|SL_CONSOLE,
12397                             "ipsec_out_process: "
12398                             "Self-Encapsulation failed: Out of memory\n");
12399                         BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
12400                         ip_drop_output("ipIfStatsOutDiscards", mp, ill);
12401                         freemsg(mp);
12402                         return (ENOBUFS);
12403                 }
12404                 inner_mp = mp;
12405                 ASSERT(inner_mp->b_datap->db_type == M_DATA);
12406                 oipha = (ipha_t *)outer_mp->b_rptr;
12407                 iipha = (ipha_t *)inner_mp->b_rptr;
12408                 *oipha = *iipha;
12409                 outer_mp->b_wptr += sizeof (ipha_t);
12410                 oipha->ipha_length = htons(ntohs(iipha->ipha_length) +
12411                     sizeof (ipha_t));
12412                 oipha->ipha_protocol = IPPROTO_ENCAP;
12413                 oipha->ipha_version_and_hdr_length =
12414                     IP_SIMPLE_HDR_VERSION;
12415                 oipha->ipha_hdr_checksum = 0;
12416                 oipha->ipha_hdr_checksum = ip_csum_hdr(oipha);
12417                 outer_mp->b_cont = inner_mp;
12418                 mp = outer_mp;
12419 
12420                 ixa->ixa_flags |= IXAF_IPSEC_TUNNEL;
12421         }
12422 
12423         /* If we need to wait for a SA then we can't return any errno */
12424         if (((ap->ipa_want_ah && (ixa->ixa_ipsec_ah_sa == NULL)) ||
12425             (ap->ipa_want_esp && (ixa->ixa_ipsec_esp_sa == NULL))) &&
12426             !ipsec_out_select_sa(mp, ixa))
12427                 return (0);
12428 
12429         /*
12430          * By now, we know what SA's to use.  Toss over to ESP & AH
12431          * to do the heavy lifting.
12432          */
12433         if (ap->ipa_want_esp) {
12434                 ASSERT(ixa->ixa_ipsec_esp_sa != NULL);
12435 
12436                 mp = ixa->ixa_ipsec_esp_sa->ipsa_output_func(mp, ixa);
12437                 if (mp == NULL) {
12438                         /*
12439                          * Either it failed or is pending. In the former case
12440                          * ipIfStatsInDiscards was increased.
12441                          */
12442                         return (0);
12443                 }
12444         }
12445 
12446         if (ap->ipa_want_ah) {
12447                 ASSERT(ixa->ixa_ipsec_ah_sa != NULL);
12448 
12449                 mp = ixa->ixa_ipsec_ah_sa->ipsa_output_func(mp, ixa);
12450                 if (mp == NULL) {
12451                         /*
12452                          * Either it failed or is pending. In the former case
12453                          * ipIfStatsInDiscards was increased.
12454                          */
12455                         return (0);
12456                 }
12457         }
12458         /*
12459          * We are done with IPsec processing. Send it over
12460          * the wire.
12461          */
12462         return (ip_output_post_ipsec(mp, ixa));
12463 }
12464 
12465 /*
12466  * ioctls that go through a down/up sequence may need to wait for the down
12467  * to complete. This involves waiting for the ire and ipif refcnts to go down
12468  * to zero. Subsequently the ioctl is restarted from ipif_ill_refrele_tail.
12469  */
12470 /* ARGSUSED */
12471 void
12472 ip_reprocess_ioctl(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
12473 {
12474         struct iocblk *iocp;
12475         mblk_t *mp1;
12476         ip_ioctl_cmd_t *ipip;
12477         int err;
12478         sin_t   *sin;
12479         struct lifreq *lifr;
12480         struct ifreq *ifr;
12481 
12482         iocp = (struct iocblk *)mp->b_rptr;
12483         ASSERT(ipsq != NULL);
12484         /* Existence of mp1 verified in ip_wput_nondata */
12485         mp1 = mp->b_cont->b_cont;
12486         ipip = ip_sioctl_lookup(iocp->ioc_cmd);
12487         if (ipip->ipi_cmd == SIOCSLIFNAME || ipip->ipi_cmd == IF_UNITSEL) {
12488                 /*
12489                  * Special case where ipx_current_ipif is not set:
12490                  * ill_phyint_reinit merged the v4 and v6 into a single ipsq.
12491                  * We are here as were not able to complete the operation in
12492                  * ipif_set_values because we could not become exclusive on
12493                  * the new ipsq.
12494                  */
12495                 ill_t *ill = q->q_ptr;
12496                 ipsq_current_start(ipsq, ill->ill_ipif, ipip->ipi_cmd);
12497         }
12498         ASSERT(ipsq->ipsq_xop->ipx_current_ipif != NULL);
12499 
12500         if (ipip->ipi_cmd_type == IF_CMD) {
12501                 /* This a old style SIOC[GS]IF* command */
12502                 ifr = (struct ifreq *)mp1->b_rptr;
12503                 sin = (sin_t *)&ifr->ifr_addr;
12504         } else if (ipip->ipi_cmd_type == LIF_CMD) {
12505                 /* This a new style SIOC[GS]LIF* command */
12506                 lifr = (struct lifreq *)mp1->b_rptr;
12507                 sin = (sin_t *)&lifr->lifr_addr;
12508         } else {
12509                 sin = NULL;
12510         }
12511 
12512         err = (*ipip->ipi_func_restart)(ipsq->ipsq_xop->ipx_current_ipif, sin,
12513             q, mp, ipip, mp1->b_rptr);
12514 
12515         DTRACE_PROBE4(ipif__ioctl, char *, "ip_reprocess_ioctl finish",
12516             int, ipip->ipi_cmd,
12517             ill_t *, ipsq->ipsq_xop->ipx_current_ipif->ipif_ill,
12518             ipif_t *, ipsq->ipsq_xop->ipx_current_ipif);
12519 
12520         ip_ioctl_finish(q, mp, err, IPI2MODE(ipip), ipsq);
12521 }
12522 
12523 /*
12524  * ioctl processing
12525  *
12526  * ioctl processing starts with ip_sioctl_copyin_setup(), which looks up
12527  * the ioctl command in the ioctl tables, determines the copyin data size
12528  * from the ipi_copyin_size field, and does an mi_copyin() of that size.
12529  *
12530  * ioctl processing then continues when the M_IOCDATA makes its way down to
12531  * ip_wput_nondata().  The ioctl is looked up again in the ioctl table, its
12532  * associated 'conn' is refheld till the end of the ioctl and the general
12533  * ioctl processing function ip_process_ioctl() is called to extract the
12534  * arguments and process the ioctl.  To simplify extraction, ioctl commands
12535  * are "typed" based on the arguments they take (e.g., LIF_CMD which takes a
12536  * `struct lifreq'), and a common extract function (e.g., ip_extract_lifreq())
12537  * is used to extract the ioctl's arguments.
12538  *
12539  * ip_process_ioctl determines if the ioctl needs to be serialized, and if
12540  * so goes thru the serialization primitive ipsq_try_enter. Then the
12541  * appropriate function to handle the ioctl is called based on the entry in
12542  * the ioctl table. ioctl completion is encapsulated in ip_ioctl_finish
12543  * which also refreleases the 'conn' that was refheld at the start of the
12544  * ioctl. Finally ipsq_exit is called if needed to exit the ipsq.
12545  *
12546  * Many exclusive ioctls go thru an internal down up sequence as part of
12547  * the operation. For example an attempt to change the IP address of an
12548  * ipif entails ipif_down, set address, ipif_up. Bringing down the interface
12549  * does all the cleanup such as deleting all ires that use this address.
12550  * Then we need to wait till all references to the interface go away.
12551  */
12552 void
12553 ip_process_ioctl(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *arg)
12554 {
12555         struct iocblk *iocp = (struct iocblk *)mp->b_rptr;
12556         ip_ioctl_cmd_t *ipip = arg;
12557         ip_extract_func_t *extract_funcp;
12558         cmd_info_t ci;
12559         int err;
12560         boolean_t entered_ipsq = B_FALSE;
12561 
12562         ip3dbg(("ip_process_ioctl: ioctl %X\n", iocp->ioc_cmd));
12563 
12564         if (ipip == NULL)
12565                 ipip = ip_sioctl_lookup(iocp->ioc_cmd);
12566 
12567         /*
12568          * SIOCLIFADDIF needs to go thru a special path since the
12569          * ill may not exist yet. This happens in the case of lo0
12570          * which is created using this ioctl.
12571          */
12572         if (ipip->ipi_cmd == SIOCLIFADDIF) {
12573                 err = ip_sioctl_addif(NULL, NULL, q, mp, NULL, NULL);
12574                 DTRACE_PROBE4(ipif__ioctl, char *, "ip_process_ioctl finish",
12575                     int, ipip->ipi_cmd, ill_t *, NULL, ipif_t *, NULL);
12576                 ip_ioctl_finish(q, mp, err, IPI2MODE(ipip), NULL);
12577                 return;
12578         }
12579 
12580         ci.ci_ipif = NULL;
12581         switch (ipip->ipi_cmd_type) {
12582         case MISC_CMD:
12583         case MSFILT_CMD:
12584                 /*
12585                  * All MISC_CMD ioctls come in here -- e.g. SIOCGLIFCONF.
12586                  */
12587                 if (ipip->ipi_cmd == IF_UNITSEL) {
12588                         /* ioctl comes down the ill */
12589                         ci.ci_ipif = ((ill_t *)q->q_ptr)->ill_ipif;
12590                         ipif_refhold(ci.ci_ipif);
12591                 }
12592                 err = 0;
12593                 ci.ci_sin = NULL;
12594                 ci.ci_sin6 = NULL;
12595                 ci.ci_lifr = NULL;
12596                 extract_funcp = NULL;
12597                 break;
12598 
12599         case IF_CMD:
12600         case LIF_CMD:
12601                 extract_funcp = ip_extract_lifreq;
12602                 break;
12603 
12604         case ARP_CMD:
12605         case XARP_CMD:
12606                 extract_funcp = ip_extract_arpreq;
12607                 break;
12608 
12609         default:
12610                 ASSERT(0);
12611         }
12612 
12613         if (extract_funcp != NULL) {
12614                 err = (*extract_funcp)(q, mp, ipip, &ci);
12615                 if (err != 0) {
12616                         DTRACE_PROBE4(ipif__ioctl,
12617                             char *, "ip_process_ioctl finish err",
12618                             int, ipip->ipi_cmd, ill_t *, NULL, ipif_t *, NULL);
12619                         ip_ioctl_finish(q, mp, err, IPI2MODE(ipip), NULL);
12620                         return;
12621                 }
12622 
12623                 /*
12624                  * All of the extraction functions return a refheld ipif.
12625                  */
12626                 ASSERT(ci.ci_ipif != NULL);
12627         }
12628 
12629         if (!(ipip->ipi_flags & IPI_WR)) {
12630                 /*
12631                  * A return value of EINPROGRESS means the ioctl is
12632                  * either queued and waiting for some reason or has
12633                  * already completed.
12634                  */
12635                 err = (*ipip->ipi_func)(ci.ci_ipif, ci.ci_sin, q, mp, ipip,
12636                     ci.ci_lifr);
12637                 if (ci.ci_ipif != NULL) {
12638                         DTRACE_PROBE4(ipif__ioctl,
12639                             char *, "ip_process_ioctl finish RD",
12640                             int, ipip->ipi_cmd, ill_t *, ci.ci_ipif->ipif_ill,
12641                             ipif_t *, ci.ci_ipif);
12642                         ipif_refrele(ci.ci_ipif);
12643                 } else {
12644                         DTRACE_PROBE4(ipif__ioctl,
12645                             char *, "ip_process_ioctl finish RD",
12646                             int, ipip->ipi_cmd, ill_t *, NULL, ipif_t *, NULL);
12647                 }
12648                 ip_ioctl_finish(q, mp, err, IPI2MODE(ipip), NULL);
12649                 return;
12650         }
12651 
12652         ASSERT(ci.ci_ipif != NULL);
12653 
12654         /*
12655          * If ipsq is non-NULL, we are already being called exclusively
12656          */
12657         ASSERT(ipsq == NULL || IAM_WRITER_IPSQ(ipsq));
12658         if (ipsq == NULL) {
12659                 ipsq = ipsq_try_enter(ci.ci_ipif, NULL, q, mp, ip_process_ioctl,
12660                     NEW_OP, B_TRUE);
12661                 if (ipsq == NULL) {
12662                         ipif_refrele(ci.ci_ipif);
12663                         return;
12664                 }
12665                 entered_ipsq = B_TRUE;
12666         }
12667         /*
12668          * Release the ipif so that ipif_down and friends that wait for
12669          * references to go away are not misled about the current ipif_refcnt
12670          * values. We are writer so we can access the ipif even after releasing
12671          * the ipif.
12672          */
12673         ipif_refrele(ci.ci_ipif);
12674 
12675         ipsq_current_start(ipsq, ci.ci_ipif, ipip->ipi_cmd);
12676 
12677         /*
12678          * A return value of EINPROGRESS means the ioctl is
12679          * either queued and waiting for some reason or has
12680          * already completed.
12681          */
12682         err = (*ipip->ipi_func)(ci.ci_ipif, ci.ci_sin, q, mp, ipip, ci.ci_lifr);
12683 
12684         DTRACE_PROBE4(ipif__ioctl, char *, "ip_process_ioctl finish WR",
12685             int, ipip->ipi_cmd,
12686             ill_t *, ci.ci_ipif == NULL ? NULL : ci.ci_ipif->ipif_ill,
12687             ipif_t *, ci.ci_ipif);
12688         ip_ioctl_finish(q, mp, err, IPI2MODE(ipip), ipsq);
12689 
12690         if (entered_ipsq)
12691                 ipsq_exit(ipsq);
12692 }
12693 
12694 /*
12695  * Complete the ioctl. Typically ioctls use the mi package and need to
12696  * do mi_copyout/mi_copy_done.
12697  */
12698 void
12699 ip_ioctl_finish(queue_t *q, mblk_t *mp, int err, int mode, ipsq_t *ipsq)
12700 {
12701         conn_t  *connp = NULL;
12702 
12703         if (err == EINPROGRESS)
12704                 return;
12705 
12706         if (CONN_Q(q)) {
12707                 connp = Q_TO_CONN(q);
12708                 ASSERT(connp->conn_ref >= 2);
12709         }
12710 
12711         switch (mode) {
12712         case COPYOUT:
12713                 if (err == 0)
12714                         mi_copyout(q, mp);
12715                 else
12716                         mi_copy_done(q, mp, err);
12717                 break;
12718 
12719         case NO_COPYOUT:
12720                 mi_copy_done(q, mp, err);
12721                 break;
12722 
12723         default:
12724                 ASSERT(mode == CONN_CLOSE);     /* aborted through CONN_CLOSE */
12725                 break;
12726         }
12727 
12728         /*
12729          * The conn refhold and ioctlref placed on the conn at the start of the
12730          * ioctl are released here.
12731          */
12732         if (connp != NULL) {
12733                 CONN_DEC_IOCTLREF(connp);
12734                 CONN_OPER_PENDING_DONE(connp);
12735         }
12736 
12737         if (ipsq != NULL)
12738                 ipsq_current_finish(ipsq);
12739 }
12740 
12741 /* Handles all non data messages */
12742 void
12743 ip_wput_nondata(queue_t *q, mblk_t *mp)
12744 {
12745         mblk_t          *mp1;
12746         struct iocblk   *iocp;
12747         ip_ioctl_cmd_t  *ipip;
12748         conn_t          *connp;
12749         cred_t          *cr;
12750         char            *proto_str;
12751 
12752         if (CONN_Q(q))
12753                 connp = Q_TO_CONN(q);
12754         else
12755                 connp = NULL;
12756 
12757         switch (DB_TYPE(mp)) {
12758         case M_IOCTL:
12759                 /*
12760                  * IOCTL processing begins in ip_sioctl_copyin_setup which
12761                  * will arrange to copy in associated control structures.
12762                  */
12763                 ip_sioctl_copyin_setup(q, mp);
12764                 return;
12765         case M_IOCDATA:
12766                 /*
12767                  * Ensure that this is associated with one of our trans-
12768                  * parent ioctls.  If it's not ours, discard it if we're
12769                  * running as a driver, or pass it on if we're a module.
12770                  */
12771                 iocp = (struct iocblk *)mp->b_rptr;
12772                 ipip = ip_sioctl_lookup(iocp->ioc_cmd);
12773                 if (ipip == NULL) {
12774                         if (q->q_next == NULL) {
12775                                 goto nak;
12776                         } else {
12777                                 putnext(q, mp);
12778                         }
12779                         return;
12780                 }
12781                 if ((q->q_next != NULL) && !(ipip->ipi_flags & IPI_MODOK)) {
12782                         /*
12783                          * The ioctl is one we recognise, but is not consumed
12784                          * by IP as a module and we are a module, so we drop
12785                          */
12786                         goto nak;
12787                 }
12788 
12789                 /* IOCTL continuation following copyin or copyout. */
12790                 if (mi_copy_state(q, mp, NULL) == -1) {
12791                         /*
12792                          * The copy operation failed.  mi_copy_state already
12793                          * cleaned up, so we're out of here.
12794                          */
12795                         return;
12796                 }
12797                 /*
12798                  * If we just completed a copy in, we become writer and
12799                  * continue processing in ip_sioctl_copyin_done.  If it
12800                  * was a copy out, we call mi_copyout again.  If there is
12801                  * nothing more to copy out, it will complete the IOCTL.
12802                  */
12803                 if (MI_COPY_DIRECTION(mp) == MI_COPY_IN) {
12804                         if (!(mp1 = mp->b_cont) || !(mp1 = mp1->b_cont)) {
12805                                 mi_copy_done(q, mp, EPROTO);
12806                                 return;
12807                         }
12808                         /*
12809                          * Check for cases that need more copying.  A return
12810                          * value of 0 means a second copyin has been started,
12811                          * so we return; a return value of 1 means no more
12812                          * copying is needed, so we continue.
12813                          */
12814                         if (ipip->ipi_cmd_type == MSFILT_CMD &&
12815                             MI_COPY_COUNT(mp) == 1) {
12816                                 if (ip_copyin_msfilter(q, mp) == 0)
12817                                         return;
12818                         }
12819                         /*
12820                          * Refhold the conn, till the ioctl completes. This is
12821                          * needed in case the ioctl ends up in the pending mp
12822                          * list. Every mp in the ipx_pending_mp list must have
12823                          * a refhold on the conn to resume processing. The
12824                          * refhold is released when the ioctl completes
12825                          * (whether normally or abnormally). An ioctlref is also
12826                          * placed on the conn to prevent TCP from removing the
12827                          * queue needed to send the ioctl reply back.
12828                          * In all cases ip_ioctl_finish is called to finish
12829                          * the ioctl and release the refholds.
12830                          */
12831                         if (connp != NULL) {
12832                                 /* This is not a reentry */
12833                                 CONN_INC_REF(connp);
12834                                 CONN_INC_IOCTLREF(connp);
12835                         } else {
12836                                 if (!(ipip->ipi_flags & IPI_MODOK)) {
12837                                         mi_copy_done(q, mp, EINVAL);
12838                                         return;
12839                                 }
12840                         }
12841 
12842                         ip_process_ioctl(NULL, q, mp, ipip);
12843 
12844                 } else {
12845                         mi_copyout(q, mp);
12846                 }
12847                 return;
12848 
12849         case M_IOCNAK:
12850                 /*
12851                  * The only way we could get here is if a resolver didn't like
12852                  * an IOCTL we sent it.  This shouldn't happen.
12853                  */
12854                 (void) mi_strlog(q, 1, SL_ERROR|SL_TRACE,
12855                     "ip_wput_nondata: unexpected M_IOCNAK, ioc_cmd 0x%x",
12856                     ((struct iocblk *)mp->b_rptr)->ioc_cmd);
12857                 freemsg(mp);
12858                 return;
12859         case M_IOCACK:
12860                 /* /dev/ip shouldn't see this */
12861                 goto nak;
12862         case M_FLUSH:
12863                 if (*mp->b_rptr & FLUSHW)
12864                         flushq(q, FLUSHALL);
12865                 if (q->q_next) {
12866                         putnext(q, mp);
12867                         return;
12868                 }
12869                 if (*mp->b_rptr & FLUSHR) {
12870                         *mp->b_rptr &= ~FLUSHW;
12871                         qreply(q, mp);
12872                         return;
12873                 }
12874                 freemsg(mp);
12875                 return;
12876         case M_CTL:
12877                 break;
12878         case M_PROTO:
12879         case M_PCPROTO:
12880                 /*
12881                  * The only PROTO messages we expect are SNMP-related.
12882                  */
12883                 switch (((union T_primitives *)mp->b_rptr)->type) {
12884                 case T_SVR4_OPTMGMT_REQ:
12885                         ip2dbg(("ip_wput_nondata: T_SVR4_OPTMGMT_REQ "
12886                             "flags %x\n",
12887                             ((struct T_optmgmt_req *)mp->b_rptr)->MGMT_flags));
12888 
12889                         if (connp == NULL) {
12890                                 proto_str = "T_SVR4_OPTMGMT_REQ";
12891                                 goto protonak;
12892                         }
12893 
12894                         /*
12895                          * All Solaris components should pass a db_credp
12896                          * for this TPI message, hence we ASSERT.
12897                          * But in case there is some other M_PROTO that looks
12898                          * like a TPI message sent by some other kernel
12899                          * component, we check and return an error.
12900                          */
12901                         cr = msg_getcred(mp, NULL);
12902                         ASSERT(cr != NULL);
12903                         if (cr == NULL) {
12904                                 mp = mi_tpi_err_ack_alloc(mp, TSYSERR, EINVAL);
12905                                 if (mp != NULL)
12906                                         qreply(q, mp);
12907                                 return;
12908                         }
12909 
12910                         if (!snmpcom_req(q, mp, ip_snmp_set, ip_snmp_get, cr)) {
12911                                 proto_str = "Bad SNMPCOM request?";
12912                                 goto protonak;
12913                         }
12914                         return;
12915                 default:
12916                         ip1dbg(("ip_wput_nondata: dropping M_PROTO prim %u\n",
12917                             (int)*(uint_t *)mp->b_rptr));
12918                         freemsg(mp);
12919                         return;
12920                 }
12921         default:
12922                 break;
12923         }
12924         if (q->q_next) {
12925                 putnext(q, mp);
12926         } else
12927                 freemsg(mp);
12928         return;
12929 
12930 nak:
12931         iocp->ioc_error = EINVAL;
12932         mp->b_datap->db_type = M_IOCNAK;
12933         iocp->ioc_count = 0;
12934         qreply(q, mp);
12935         return;
12936 
12937 protonak:
12938         cmn_err(CE_NOTE, "IP doesn't process %s as a module", proto_str);
12939         if ((mp = mi_tpi_err_ack_alloc(mp, TPROTO, EINVAL)) != NULL)
12940                 qreply(q, mp);
12941 }
12942 
12943 /*
12944  * Process IP options in an outbound packet.  Verify that the nexthop in a
12945  * strict source route is onlink.
12946  * Returns non-zero if something fails in which case an ICMP error has been
12947  * sent and mp freed.
12948  *
12949  * Assumes the ULP has called ip_massage_options to move nexthop into ipha_dst.
12950  */
12951 int
12952 ip_output_options(mblk_t *mp, ipha_t *ipha, ip_xmit_attr_t *ixa, ill_t *ill)
12953 {
12954         ipoptp_t        opts;
12955         uchar_t         *opt;
12956         uint8_t         optval;
12957         uint8_t         optlen;
12958         ipaddr_t        dst;
12959         intptr_t        code = 0;
12960         ire_t           *ire;
12961         ip_stack_t      *ipst = ixa->ixa_ipst;
12962         ip_recv_attr_t  iras;
12963 
12964         ip2dbg(("ip_output_options\n"));
12965 
12966         dst = ipha->ipha_dst;
12967         for (optval = ipoptp_first(&opts, ipha);
12968             optval != IPOPT_EOL;
12969             optval = ipoptp_next(&opts)) {
12970                 opt = opts.ipoptp_cur;
12971                 optlen = opts.ipoptp_len;
12972                 ip2dbg(("ip_output_options: opt %d, len %d\n",
12973                     optval, optlen));
12974                 switch (optval) {
12975                         uint32_t off;
12976                 case IPOPT_SSRR:
12977                 case IPOPT_LSRR:
12978                         if ((opts.ipoptp_flags & IPOPTP_ERROR) != 0) {
12979                                 ip1dbg((
12980                                     "ip_output_options: bad option offset\n"));
12981                                 code = (char *)&opt[IPOPT_OLEN] -
12982                                     (char *)ipha;
12983                                 goto param_prob;
12984                         }
12985                         off = opt[IPOPT_OFFSET];
12986                         ip1dbg(("ip_output_options: next hop 0x%x\n",
12987                             ntohl(dst)));
12988                         /*
12989                          * For strict: verify that dst is directly
12990                          * reachable.
12991                          */
12992                         if (optval == IPOPT_SSRR) {
12993                                 ire = ire_ftable_lookup_v4(dst, 0, 0,
12994                                     IRE_INTERFACE, NULL, ALL_ZONES,
12995                                     ixa->ixa_tsl,
12996                                     MATCH_IRE_TYPE | MATCH_IRE_SECATTR, 0, ipst,
12997                                     NULL);
12998                                 if (ire == NULL) {
12999                                         ip1dbg(("ip_output_options: SSRR not"
13000                                             " directly reachable: 0x%x\n",
13001                                             ntohl(dst)));
13002                                         goto bad_src_route;
13003                                 }
13004                                 ire_refrele(ire);
13005                         }
13006                         break;
13007                 case IPOPT_RR:
13008                         if ((opts.ipoptp_flags & IPOPTP_ERROR) != 0) {
13009                                 ip1dbg((
13010                                     "ip_output_options: bad option offset\n"));
13011                                 code = (char *)&opt[IPOPT_OLEN] -
13012                                     (char *)ipha;
13013                                 goto param_prob;
13014                         }
13015                         break;
13016                 case IPOPT_TS:
13017                         /*
13018                          * Verify that length >=5 and that there is either
13019                          * room for another timestamp or that the overflow
13020                          * counter is not maxed out.
13021                          */
13022                         code = (char *)&opt[IPOPT_OLEN] - (char *)ipha;
13023                         if (optlen < IPOPT_MINLEN_IT) {
13024                                 goto param_prob;
13025                         }
13026                         if ((opts.ipoptp_flags & IPOPTP_ERROR) != 0) {
13027                                 ip1dbg((
13028                                     "ip_output_options: bad option offset\n"));
13029                                 code = (char *)&opt[IPOPT_OFFSET] -
13030                                     (char *)ipha;
13031                                 goto param_prob;
13032                         }
13033                         switch (opt[IPOPT_POS_OV_FLG] & 0x0F) {
13034                         case IPOPT_TS_TSONLY:
13035                                 off = IPOPT_TS_TIMELEN;
13036                                 break;
13037                         case IPOPT_TS_TSANDADDR:
13038                         case IPOPT_TS_PRESPEC:
13039                         case IPOPT_TS_PRESPEC_RFC791:
13040                                 off = IP_ADDR_LEN + IPOPT_TS_TIMELEN;
13041                                 break;
13042                         default:
13043                                 code = (char *)&opt[IPOPT_POS_OV_FLG] -
13044                                     (char *)ipha;
13045                                 goto param_prob;
13046                         }
13047                         if (opt[IPOPT_OFFSET] - 1 + off > optlen &&
13048                             (opt[IPOPT_POS_OV_FLG] & 0xF0) == 0xF0) {
13049                                 /*
13050                                  * No room and the overflow counter is 15
13051                                  * already.
13052                                  */
13053                                 goto param_prob;
13054                         }
13055                         break;
13056                 }
13057         }
13058 
13059         if ((opts.ipoptp_flags & IPOPTP_ERROR) == 0)
13060                 return (0);
13061 
13062         ip1dbg(("ip_output_options: error processing IP options."));
13063         code = (char *)&opt[IPOPT_OFFSET] - (char *)ipha;
13064 
13065 param_prob:
13066         bzero(&iras, sizeof (iras));
13067         iras.ira_ill = iras.ira_rill = ill;
13068         iras.ira_ruifindex = ill->ill_phyint->phyint_ifindex;
13069         iras.ira_rifindex = iras.ira_ruifindex;
13070         iras.ira_flags = IRAF_IS_IPV4;
13071 
13072         ip_drop_output("ip_output_options", mp, ill);
13073         icmp_param_problem(mp, (uint8_t)code, &iras);
13074         ASSERT(!(iras.ira_flags & IRAF_IPSEC_SECURE));
13075         return (-1);
13076 
13077 bad_src_route:
13078         bzero(&iras, sizeof (iras));
13079         iras.ira_ill = iras.ira_rill = ill;
13080         iras.ira_ruifindex = ill->ill_phyint->phyint_ifindex;
13081         iras.ira_rifindex = iras.ira_ruifindex;
13082         iras.ira_flags = IRAF_IS_IPV4;
13083 
13084         ip_drop_input("ICMP_SOURCE_ROUTE_FAILED", mp, ill);
13085         icmp_unreachable(mp, ICMP_SOURCE_ROUTE_FAILED, &iras);
13086         ASSERT(!(iras.ira_flags & IRAF_IPSEC_SECURE));
13087         return (-1);
13088 }
13089 
13090 /*
13091  * The maximum value of conn_drain_list_cnt is CONN_MAXDRAINCNT.
13092  * conn_drain_list_cnt can be changed by setting conn_drain_nthreads
13093  * thru /etc/system.
13094  */
13095 #define CONN_MAXDRAINCNT        64
13096 
13097 static void
13098 conn_drain_init(ip_stack_t *ipst)
13099 {
13100         int i, j;
13101         idl_tx_list_t *itl_tx;
13102 
13103         ipst->ips_conn_drain_list_cnt = conn_drain_nthreads;
13104 
13105         if ((ipst->ips_conn_drain_list_cnt == 0) ||
13106             (ipst->ips_conn_drain_list_cnt > CONN_MAXDRAINCNT)) {
13107                 /*
13108                  * Default value of the number of drainers is the
13109                  * number of cpus, subject to maximum of 8 drainers.
13110                  */
13111                 if (boot_max_ncpus != -1)
13112                         ipst->ips_conn_drain_list_cnt = MIN(boot_max_ncpus, 8);
13113                 else
13114                         ipst->ips_conn_drain_list_cnt = MIN(max_ncpus, 8);
13115         }
13116 
13117         ipst->ips_idl_tx_list =
13118             kmem_zalloc(TX_FANOUT_SIZE * sizeof (idl_tx_list_t), KM_SLEEP);
13119         for (i = 0; i < TX_FANOUT_SIZE; i++) {
13120                 itl_tx =  &ipst->ips_idl_tx_list[i];
13121                 itl_tx->txl_drain_list =
13122                     kmem_zalloc(ipst->ips_conn_drain_list_cnt *
13123                     sizeof (idl_t), KM_SLEEP);
13124                 mutex_init(&itl_tx->txl_lock, NULL, MUTEX_DEFAULT, NULL);
13125                 for (j = 0; j < ipst->ips_conn_drain_list_cnt; j++) {
13126                         mutex_init(&itl_tx->txl_drain_list[j].idl_lock, NULL,
13127                             MUTEX_DEFAULT, NULL);
13128                         itl_tx->txl_drain_list[j].idl_itl = itl_tx;
13129                 }
13130         }
13131 }
13132 
13133 static void
13134 conn_drain_fini(ip_stack_t *ipst)
13135 {
13136         int i;
13137         idl_tx_list_t *itl_tx;
13138 
13139         for (i = 0; i < TX_FANOUT_SIZE; i++) {
13140                 itl_tx =  &ipst->ips_idl_tx_list[i];
13141                 kmem_free(itl_tx->txl_drain_list,
13142                     ipst->ips_conn_drain_list_cnt * sizeof (idl_t));
13143         }
13144         kmem_free(ipst->ips_idl_tx_list,
13145             TX_FANOUT_SIZE * sizeof (idl_tx_list_t));
13146         ipst->ips_idl_tx_list = NULL;
13147 }
13148 
13149 /*
13150  * Flow control has blocked us from proceeding.  Insert the given conn in one
13151  * of the conn drain lists.  When flow control is unblocked, either ip_wsrv()
13152  * (STREAMS) or ill_flow_enable() (direct) will be called back, which in turn
13153  * will call conn_walk_drain().  See the flow control notes at the top of this
13154  * file for more details.
13155  */
13156 void
13157 conn_drain_insert(conn_t *connp, idl_tx_list_t *tx_list)
13158 {
13159         idl_t   *idl = tx_list->txl_drain_list;
13160         uint_t  index;
13161         ip_stack_t      *ipst = connp->conn_netstack->netstack_ip;
13162 
13163         mutex_enter(&connp->conn_lock);
13164         if (connp->conn_state_flags & CONN_CLOSING) {
13165                 /*
13166                  * The conn is closing as a result of which CONN_CLOSING
13167                  * is set. Return.
13168                  */
13169                 mutex_exit(&connp->conn_lock);
13170                 return;
13171         } else if (connp->conn_idl == NULL) {
13172                 /*
13173                  * Assign the next drain list round robin. We dont' use
13174                  * a lock, and thus it may not be strictly round robin.
13175                  * Atomicity of load/stores is enough to make sure that
13176                  * conn_drain_list_index is always within bounds.
13177                  */
13178                 index = tx_list->txl_drain_index;
13179                 ASSERT(index < ipst->ips_conn_drain_list_cnt);
13180                 connp->conn_idl = &tx_list->txl_drain_list[index];
13181                 index++;
13182                 if (index == ipst->ips_conn_drain_list_cnt)
13183                         index = 0;
13184                 tx_list->txl_drain_index = index;
13185         } else {
13186                 ASSERT(connp->conn_idl->idl_itl == tx_list);
13187         }
13188         mutex_exit(&connp->conn_lock);
13189 
13190         idl = connp->conn_idl;
13191         mutex_enter(&idl->idl_lock);
13192         if ((connp->conn_drain_prev != NULL) ||
13193             (connp->conn_state_flags & CONN_CLOSING)) {
13194                 /*
13195                  * The conn is either already in the drain list or closing.
13196                  * (We needed to check for CONN_CLOSING again since close can
13197                  * sneak in between dropping conn_lock and acquiring idl_lock.)
13198                  */
13199                 mutex_exit(&idl->idl_lock);
13200                 return;
13201         }
13202 
13203         /*
13204          * The conn is not in the drain list. Insert it at the
13205          * tail of the drain list. The drain list is circular
13206          * and doubly linked. idl_conn points to the 1st element
13207          * in the list.
13208          */
13209         if (idl->idl_conn == NULL) {
13210                 idl->idl_conn = connp;
13211                 connp->conn_drain_next = connp;
13212                 connp->conn_drain_prev = connp;
13213         } else {
13214                 conn_t *head = idl->idl_conn;
13215 
13216                 connp->conn_drain_next = head;
13217                 connp->conn_drain_prev = head->conn_drain_prev;
13218                 head->conn_drain_prev->conn_drain_next = connp;
13219                 head->conn_drain_prev = connp;
13220         }
13221         /*
13222          * For non streams based sockets assert flow control.
13223          */
13224         conn_setqfull(connp, NULL);
13225         mutex_exit(&idl->idl_lock);
13226 }
13227 
13228 static void
13229 conn_drain_remove(conn_t *connp)
13230 {
13231         idl_t *idl = connp->conn_idl;
13232 
13233         if (idl != NULL) {
13234                 /*
13235                  * Remove ourself from the drain list.
13236                  */
13237                 if (connp->conn_drain_next == connp) {
13238                         /* Singleton in the list */
13239                         ASSERT(connp->conn_drain_prev == connp);
13240                         idl->idl_conn = NULL;
13241                 } else {
13242                         connp->conn_drain_prev->conn_drain_next =
13243                             connp->conn_drain_next;
13244                         connp->conn_drain_next->conn_drain_prev =
13245                             connp->conn_drain_prev;
13246                         if (idl->idl_conn == connp)
13247                                 idl->idl_conn = connp->conn_drain_next;
13248                 }
13249 
13250                 /*
13251                  * NOTE: because conn_idl is associated with a specific drain
13252                  * list which in turn is tied to the index the TX ring
13253                  * (txl_cookie) hashes to, and because the TX ring can change
13254                  * over the lifetime of the conn_t, we must clear conn_idl so
13255                  * a subsequent conn_drain_insert() will set conn_idl again
13256                  * based on the latest txl_cookie.
13257                  */
13258                 connp->conn_idl = NULL;
13259         }
13260         connp->conn_drain_next = NULL;
13261         connp->conn_drain_prev = NULL;
13262 
13263         conn_clrqfull(connp, NULL);
13264         /*
13265          * For streams based sockets open up flow control.
13266          */
13267         if (!IPCL_IS_NONSTR(connp))
13268                 enableok(connp->conn_wq);
13269 }
13270 
13271 /*
13272  * This conn is closing, and we are called from ip_close. OR
13273  * this conn is draining because flow-control on the ill has been relieved.
13274  *
13275  * We must also need to remove conn's on this idl from the list, and also
13276  * inform the sockfs upcalls about the change in flow-control.
13277  */
13278 static void
13279 conn_drain(conn_t *connp, boolean_t closing)
13280 {
13281         idl_t *idl;
13282         conn_t *next_connp;
13283 
13284         /*
13285          * connp->conn_idl is stable at this point, and no lock is needed
13286          * to check it. If we are called from ip_close, close has already
13287          * set CONN_CLOSING, thus freezing the value of conn_idl, and
13288          * called us only because conn_idl is non-null. If we are called thru
13289          * service, conn_idl could be null, but it cannot change because
13290          * service is single-threaded per queue, and there cannot be another
13291          * instance of service trying to call conn_drain_insert on this conn
13292          * now.
13293          */
13294         ASSERT(!closing || connp == NULL || connp->conn_idl != NULL);
13295 
13296         /*
13297          * If the conn doesn't exist or is not on a drain list, bail.
13298          */
13299         if (connp == NULL || connp->conn_idl == NULL ||
13300             connp->conn_drain_prev == NULL) {
13301                 return;
13302         }
13303 
13304         idl = connp->conn_idl;
13305         ASSERT(MUTEX_HELD(&idl->idl_lock));
13306 
13307         if (!closing) {
13308                 next_connp = connp->conn_drain_next;
13309                 while (next_connp != connp) {
13310                         conn_t *delconnp = next_connp;
13311 
13312                         next_connp = next_connp->conn_drain_next;
13313                         conn_drain_remove(delconnp);
13314                 }
13315                 ASSERT(connp->conn_drain_next == idl->idl_conn);
13316         }
13317         conn_drain_remove(connp);
13318 }
13319 
13320 /*
13321  * Write service routine. Shared perimeter entry point.
13322  * The device queue's messages has fallen below the low water mark and STREAMS
13323  * has backenabled the ill_wq. Send sockfs notification about flow-control on
13324  * each waiting conn.
13325  */
13326 void
13327 ip_wsrv(queue_t *q)
13328 {
13329         ill_t   *ill;
13330 
13331         ill = (ill_t *)q->q_ptr;
13332         if (ill->ill_state_flags == 0) {
13333                 ip_stack_t *ipst = ill->ill_ipst;
13334 
13335                 /*
13336                  * The device flow control has opened up.
13337                  * Walk through conn drain lists and qenable the
13338                  * first conn in each list. This makes sense only
13339                  * if the stream is fully plumbed and setup.
13340                  * Hence the ill_state_flags check above.
13341                  */
13342                 ip1dbg(("ip_wsrv: walking\n"));
13343                 conn_walk_drain(ipst, &ipst->ips_idl_tx_list[0]);
13344                 enableok(ill->ill_wq);
13345         }
13346 }
13347 
13348 /*
13349  * Callback to disable flow control in IP.
13350  *
13351  * This is a mac client callback added when the DLD_CAPAB_DIRECT capability
13352  * is enabled.
13353  *
13354  * When MAC_TX() is not able to send any more packets, dld sets its queue
13355  * to QFULL and enable the STREAMS flow control. Later, when the underlying
13356  * driver is able to continue to send packets, it calls mac_tx_(ring_)update()
13357  * function and wakes up corresponding mac worker threads, which in turn
13358  * calls this callback function, and disables flow control.
13359  */
13360 void
13361 ill_flow_enable(void *arg, ip_mac_tx_cookie_t cookie)
13362 {
13363         ill_t *ill = (ill_t *)arg;
13364         ip_stack_t *ipst = ill->ill_ipst;
13365         idl_tx_list_t *idl_txl;
13366 
13367         idl_txl = &ipst->ips_idl_tx_list[IDLHASHINDEX(cookie)];
13368         mutex_enter(&idl_txl->txl_lock);
13369         /* add code to to set a flag to indicate idl_txl is enabled */
13370         conn_walk_drain(ipst, idl_txl);
13371         mutex_exit(&idl_txl->txl_lock);
13372 }
13373 
13374 /*
13375  * Flow control has been relieved and STREAMS has backenabled us; drain
13376  * all the conn lists on `tx_list'.
13377  */
13378 static void
13379 conn_walk_drain(ip_stack_t *ipst, idl_tx_list_t *tx_list)
13380 {
13381         int i;
13382         idl_t *idl;
13383 
13384         IP_STAT(ipst, ip_conn_walk_drain);
13385 
13386         for (i = 0; i < ipst->ips_conn_drain_list_cnt; i++) {
13387                 idl = &tx_list->txl_drain_list[i];
13388                 mutex_enter(&idl->idl_lock);
13389                 conn_drain(idl->idl_conn, B_FALSE);
13390                 mutex_exit(&idl->idl_lock);
13391         }
13392 }
13393 
13394 /*
13395  * Determine if the ill and multicast aspects of that packets
13396  * "matches" the conn.
13397  */
13398 boolean_t
13399 conn_wantpacket(conn_t *connp, ip_recv_attr_t *ira, ipha_t *ipha)
13400 {
13401         ill_t           *ill = ira->ira_rill;
13402         zoneid_t        zoneid = ira->ira_zoneid;
13403         uint_t          in_ifindex;
13404         ipaddr_t        dst, src;
13405 
13406         dst = ipha->ipha_dst;
13407         src = ipha->ipha_src;
13408 
13409         /*
13410          * conn_incoming_ifindex is set by IP_BOUND_IF which limits
13411          * unicast, broadcast and multicast reception to
13412          * conn_incoming_ifindex.
13413          * conn_wantpacket is called for unicast, broadcast and
13414          * multicast packets.
13415          */
13416         in_ifindex = connp->conn_incoming_ifindex;
13417 
13418         /* mpathd can bind to the under IPMP interface, which we allow */
13419         if (in_ifindex != 0 && in_ifindex != ill->ill_phyint->phyint_ifindex) {
13420                 if (!IS_UNDER_IPMP(ill))
13421                         return (B_FALSE);
13422 
13423                 if (in_ifindex != ipmp_ill_get_ipmp_ifindex(ill))
13424                         return (B_FALSE);
13425         }
13426 
13427         if (!IPCL_ZONE_MATCH(connp, zoneid))
13428                 return (B_FALSE);
13429 
13430         if (!(ira->ira_flags & IRAF_MULTICAST))
13431                 return (B_TRUE);
13432 
13433         if (connp->conn_multi_router) {
13434                 /* multicast packet and multicast router socket: send up */
13435                 return (B_TRUE);
13436         }
13437 
13438         if (ipha->ipha_protocol == IPPROTO_PIM ||
13439             ipha->ipha_protocol == IPPROTO_RSVP)
13440                 return (B_TRUE);
13441 
13442         return (conn_hasmembers_ill_withsrc_v4(connp, dst, src, ira->ira_ill));
13443 }
13444 
13445 void
13446 conn_setqfull(conn_t *connp, boolean_t *flow_stopped)
13447 {
13448         if (IPCL_IS_NONSTR(connp)) {
13449                 (*connp->conn_upcalls->su_txq_full)
13450                     (connp->conn_upper_handle, B_TRUE);
13451                 if (flow_stopped != NULL)
13452                         *flow_stopped = B_TRUE;
13453         } else {
13454                 queue_t *q = connp->conn_wq;
13455 
13456                 ASSERT(q != NULL);
13457                 if (!(q->q_flag & QFULL)) {
13458                         mutex_enter(QLOCK(q));
13459                         if (!(q->q_flag & QFULL)) {
13460                                 /* still need to set QFULL */
13461                                 q->q_flag |= QFULL;
13462                                 /* set flow_stopped to true under QLOCK */
13463                                 if (flow_stopped != NULL)
13464                                         *flow_stopped = B_TRUE;
13465                                 mutex_exit(QLOCK(q));
13466                         } else {
13467                                 /* flow_stopped is left unchanged */
13468                                 mutex_exit(QLOCK(q));
13469                         }
13470                 }
13471         }
13472 }
13473 
13474 void
13475 conn_clrqfull(conn_t *connp, boolean_t *flow_stopped)
13476 {
13477         if (IPCL_IS_NONSTR(connp)) {
13478                 (*connp->conn_upcalls->su_txq_full)
13479                     (connp->conn_upper_handle, B_FALSE);
13480                 if (flow_stopped != NULL)
13481                         *flow_stopped = B_FALSE;
13482         } else {
13483                 queue_t *q = connp->conn_wq;
13484 
13485                 ASSERT(q != NULL);
13486                 if (q->q_flag & QFULL) {
13487                         mutex_enter(QLOCK(q));
13488                         if (q->q_flag & QFULL) {
13489                                 q->q_flag &= ~QFULL;
13490                                 /* set flow_stopped to false under QLOCK */
13491                                 if (flow_stopped != NULL)
13492                                         *flow_stopped = B_FALSE;
13493                                 mutex_exit(QLOCK(q));
13494                                 if (q->q_flag & QWANTW)
13495                                         qbackenable(q, 0);
13496                         } else {
13497                                 /* flow_stopped is left unchanged */
13498                                 mutex_exit(QLOCK(q));
13499                         }
13500                 }
13501         }
13502 
13503         mutex_enter(&connp->conn_lock);
13504         connp->conn_blocked = B_FALSE;
13505         mutex_exit(&connp->conn_lock);
13506 }
13507 
13508 /*
13509  * Return the length in bytes of the IPv4 headers (base header, label, and
13510  * other IP options) that will be needed based on the
13511  * ip_pkt_t structure passed by the caller.
13512  *
13513  * The returned length does not include the length of the upper level
13514  * protocol (ULP) header.
13515  * The caller needs to check that the length doesn't exceed the max for IPv4.
13516  */
13517 int
13518 ip_total_hdrs_len_v4(const ip_pkt_t *ipp)
13519 {
13520         int len;
13521 
13522         len = IP_SIMPLE_HDR_LENGTH;
13523         if (ipp->ipp_fields & IPPF_LABEL_V4) {
13524                 ASSERT(ipp->ipp_label_len_v4 != 0);
13525                 /* We need to round up here */
13526                 len += (ipp->ipp_label_len_v4 + 3) & ~3;
13527         }
13528 
13529         if (ipp->ipp_fields & IPPF_IPV4_OPTIONS) {
13530                 ASSERT(ipp->ipp_ipv4_options_len != 0);
13531                 ASSERT((ipp->ipp_ipv4_options_len & 3) == 0);
13532                 len += ipp->ipp_ipv4_options_len;
13533         }
13534         return (len);
13535 }
13536 
13537 /*
13538  * All-purpose routine to build an IPv4 header with options based
13539  * on the abstract ip_pkt_t.
13540  *
13541  * The caller has to set the source and destination address as well as
13542  * ipha_length. The caller has to massage any source route and compensate
13543  * for the ULP pseudo-header checksum due to the source route.
13544  */
13545 void
13546 ip_build_hdrs_v4(uchar_t *buf, uint_t buf_len, const ip_pkt_t *ipp,
13547     uint8_t protocol)
13548 {
13549         ipha_t  *ipha = (ipha_t *)buf;
13550         uint8_t *cp;
13551 
13552         /* Initialize IPv4 header */
13553         ipha->ipha_type_of_service = ipp->ipp_type_of_service;
13554         ipha->ipha_length = 0;       /* Caller will set later */
13555         ipha->ipha_ident = 0;
13556         ipha->ipha_fragment_offset_and_flags = 0;
13557         ipha->ipha_ttl = ipp->ipp_unicast_hops;
13558         ipha->ipha_protocol = protocol;
13559         ipha->ipha_hdr_checksum = 0;
13560 
13561         if ((ipp->ipp_fields & IPPF_ADDR) &&
13562             IN6_IS_ADDR_V4MAPPED(&ipp->ipp_addr))
13563                 ipha->ipha_src = ipp->ipp_addr_v4;
13564 
13565         cp = (uint8_t *)&ipha[1];
13566         if (ipp->ipp_fields & IPPF_LABEL_V4) {
13567                 ASSERT(ipp->ipp_label_len_v4 != 0);
13568                 bcopy(ipp->ipp_label_v4, cp, ipp->ipp_label_len_v4);
13569                 cp += ipp->ipp_label_len_v4;
13570                 /* We need to round up here */
13571                 while ((uintptr_t)cp & 0x3) {
13572                         *cp++ = IPOPT_NOP;
13573                 }
13574         }
13575 
13576         if (ipp->ipp_fields & IPPF_IPV4_OPTIONS) {
13577                 ASSERT(ipp->ipp_ipv4_options_len != 0);
13578                 ASSERT((ipp->ipp_ipv4_options_len & 3) == 0);
13579                 bcopy(ipp->ipp_ipv4_options, cp, ipp->ipp_ipv4_options_len);
13580                 cp += ipp->ipp_ipv4_options_len;
13581         }
13582         ipha->ipha_version_and_hdr_length =
13583             (uint8_t)((IP_VERSION << 4) + buf_len / 4);
13584 
13585         ASSERT((int)(cp - buf) == buf_len);
13586 }
13587 
13588 /* Allocate the private structure */
13589 static int
13590 ip_priv_alloc(void **bufp)
13591 {
13592         void    *buf;
13593 
13594         if ((buf = kmem_alloc(sizeof (ip_priv_t), KM_NOSLEEP)) == NULL)
13595                 return (ENOMEM);
13596 
13597         *bufp = buf;
13598         return (0);
13599 }
13600 
13601 /* Function to delete the private structure */
13602 void
13603 ip_priv_free(void *buf)
13604 {
13605         ASSERT(buf != NULL);
13606         kmem_free(buf, sizeof (ip_priv_t));
13607 }
13608 
13609 /*
13610  * The entry point for IPPF processing.
13611  * If the classifier (IPGPC_CLASSIFY) is not loaded and configured, the
13612  * routine just returns.
13613  *
13614  * When called, ip_process generates an ipp_packet_t structure
13615  * which holds the state information for this packet and invokes the
13616  * the classifier (via ipp_packet_process). The classification, depending on
13617  * configured filters, results in a list of actions for this packet. Invoking
13618  * an action may cause the packet to be dropped, in which case we return NULL.
13619  * proc indicates the callout position for
13620  * this packet and ill is the interface this packet arrived on or will leave
13621  * on (inbound and outbound resp.).
13622  *
13623  * We do the processing on the rill (mapped to the upper if ipmp), but MIB
13624  * on the ill corrsponding to the destination IP address.
13625  */
13626 mblk_t *
13627 ip_process(ip_proc_t proc, mblk_t *mp, ill_t *rill, ill_t *ill)
13628 {
13629         ip_priv_t       *priv;
13630         ipp_action_id_t aid;
13631         int             rc = 0;
13632         ipp_packet_t    *pp;
13633 
13634         /* If the classifier is not loaded, return  */
13635         if ((aid = ipp_action_lookup(IPGPC_CLASSIFY)) == IPP_ACTION_INVAL) {
13636                 return (mp);
13637         }
13638 
13639         ASSERT(mp != NULL);
13640 
13641         /* Allocate the packet structure */
13642         rc = ipp_packet_alloc(&pp, "ip", aid);
13643         if (rc != 0)
13644                 goto drop;
13645 
13646         /* Allocate the private structure */
13647         rc = ip_priv_alloc((void **)&priv);
13648         if (rc != 0) {
13649                 ipp_packet_free(pp);
13650                 goto drop;
13651         }
13652         priv->proc = proc;
13653         priv->ill_index = ill_get_upper_ifindex(rill);
13654 
13655         ipp_packet_set_private(pp, priv, ip_priv_free);
13656         ipp_packet_set_data(pp, mp);
13657 
13658         /* Invoke the classifier */
13659         rc = ipp_packet_process(&pp);
13660         if (pp != NULL) {
13661                 mp = ipp_packet_get_data(pp);
13662                 ipp_packet_free(pp);
13663                 if (rc != 0)
13664                         goto drop;
13665                 return (mp);
13666         } else {
13667                 /* No mp to trace in ip_drop_input/ip_drop_output  */
13668                 mp = NULL;
13669         }
13670 drop:
13671         if (proc == IPP_LOCAL_IN || proc == IPP_FWD_IN) {
13672                 BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
13673                 ip_drop_input("ip_process", mp, ill);
13674         } else {
13675                 BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
13676                 ip_drop_output("ip_process", mp, ill);
13677         }
13678         freemsg(mp);
13679         return (NULL);
13680 }
13681 
13682 /*
13683  * Propagate a multicast group membership operation (add/drop) on
13684  * all the interfaces crossed by the related multirt routes.
13685  * The call is considered successful if the operation succeeds
13686  * on at least one interface.
13687  *
13688  * This assumes that a set of IRE_HOST/RTF_MULTIRT has been created for the
13689  * multicast addresses with the ire argument being the first one.
13690  * We walk the bucket to find all the of those.
13691  *
13692  * Common to IPv4 and IPv6.
13693  */
13694 static int
13695 ip_multirt_apply_membership(int (*fn)(conn_t *, boolean_t,
13696     const in6_addr_t *, ipaddr_t, uint_t, mcast_record_t, const in6_addr_t *),
13697     ire_t *ire, conn_t *connp, boolean_t checkonly, const in6_addr_t *v6group,
13698     mcast_record_t fmode, const in6_addr_t *v6src)
13699 {
13700         ire_t           *ire_gw;
13701         irb_t           *irb;
13702         int             ifindex;
13703         int             error = 0;
13704         int             result;
13705         ip_stack_t      *ipst = ire->ire_ipst;
13706         ipaddr_t        group;
13707         boolean_t       isv6;
13708         int             match_flags;
13709 
13710         if (IN6_IS_ADDR_V4MAPPED(v6group)) {
13711                 IN6_V4MAPPED_TO_IPADDR(v6group, group);
13712                 isv6 = B_FALSE;
13713         } else {
13714                 isv6 = B_TRUE;
13715         }
13716 
13717         irb = ire->ire_bucket;
13718         ASSERT(irb != NULL);
13719 
13720         result = 0;
13721         irb_refhold(irb);
13722         for (; ire != NULL; ire = ire->ire_next) {
13723                 if ((ire->ire_flags & RTF_MULTIRT) == 0)
13724                         continue;
13725 
13726                 /* We handle -ifp routes by matching on the ill if set */
13727                 match_flags = MATCH_IRE_TYPE;
13728                 if (ire->ire_ill != NULL)
13729                         match_flags |= MATCH_IRE_ILL;
13730 
13731                 if (isv6) {
13732                         if (!IN6_ARE_ADDR_EQUAL(&ire->ire_addr_v6, v6group))
13733                                 continue;
13734 
13735                         ire_gw = ire_ftable_lookup_v6(&ire->ire_gateway_addr_v6,
13736                             0, 0, IRE_INTERFACE, ire->ire_ill, ALL_ZONES, NULL,
13737                             match_flags, 0, ipst, NULL);
13738                 } else {
13739                         if (ire->ire_addr != group)
13740                                 continue;
13741 
13742                         ire_gw = ire_ftable_lookup_v4(ire->ire_gateway_addr,
13743                             0, 0, IRE_INTERFACE, ire->ire_ill, ALL_ZONES, NULL,
13744                             match_flags, 0, ipst, NULL);
13745                 }
13746                 /* No interface route exists for the gateway; skip this ire. */
13747                 if (ire_gw == NULL)
13748                         continue;
13749                 if (ire_gw->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
13750                         ire_refrele(ire_gw);
13751                         continue;
13752                 }
13753                 ASSERT(ire_gw->ire_ill != NULL);     /* IRE_INTERFACE */
13754                 ifindex = ire_gw->ire_ill->ill_phyint->phyint_ifindex;
13755 
13756                 /*
13757                  * The operation is considered a success if
13758                  * it succeeds at least once on any one interface.
13759                  */
13760                 error = fn(connp, checkonly, v6group, INADDR_ANY, ifindex,
13761                     fmode, v6src);
13762                 if (error == 0)
13763                         result = CGTP_MCAST_SUCCESS;
13764 
13765                 ire_refrele(ire_gw);
13766         }
13767         irb_refrele(irb);
13768         /*
13769          * Consider the call as successful if we succeeded on at least
13770          * one interface. Otherwise, return the last encountered error.
13771          */
13772         return (result == CGTP_MCAST_SUCCESS ? 0 : error);
13773 }
13774 
13775 /*
13776  * Return the expected CGTP hooks version number.
13777  */
13778 int
13779 ip_cgtp_filter_supported(void)
13780 {
13781         return (ip_cgtp_filter_rev);
13782 }
13783 
13784 /*
13785  * CGTP hooks can be registered by invoking this function.
13786  * Checks that the version number matches.
13787  */
13788 int
13789 ip_cgtp_filter_register(netstackid_t stackid, cgtp_filter_ops_t *ops)
13790 {
13791         netstack_t *ns;
13792         ip_stack_t *ipst;
13793 
13794         if (ops->cfo_filter_rev != CGTP_FILTER_REV)
13795                 return (ENOTSUP);
13796 
13797         ns = netstack_find_by_stackid(stackid);
13798         if (ns == NULL)
13799                 return (EINVAL);
13800         ipst = ns->netstack_ip;
13801         ASSERT(ipst != NULL);
13802 
13803         if (ipst->ips_ip_cgtp_filter_ops != NULL) {
13804                 netstack_rele(ns);
13805                 return (EALREADY);
13806         }
13807 
13808         ipst->ips_ip_cgtp_filter_ops = ops;
13809 
13810         ill_set_inputfn_all(ipst);
13811 
13812         netstack_rele(ns);
13813         return (0);
13814 }
13815 
13816 /*
13817  * CGTP hooks can be unregistered by invoking this function.
13818  * Returns ENXIO if there was no registration.
13819  * Returns EBUSY if the ndd variable has not been turned off.
13820  */
13821 int
13822 ip_cgtp_filter_unregister(netstackid_t stackid)
13823 {
13824         netstack_t *ns;
13825         ip_stack_t *ipst;
13826 
13827         ns = netstack_find_by_stackid(stackid);
13828         if (ns == NULL)
13829                 return (EINVAL);
13830         ipst = ns->netstack_ip;
13831         ASSERT(ipst != NULL);
13832 
13833         if (ipst->ips_ip_cgtp_filter) {
13834                 netstack_rele(ns);
13835                 return (EBUSY);
13836         }
13837 
13838         if (ipst->ips_ip_cgtp_filter_ops == NULL) {
13839                 netstack_rele(ns);
13840                 return (ENXIO);
13841         }
13842         ipst->ips_ip_cgtp_filter_ops = NULL;
13843 
13844         ill_set_inputfn_all(ipst);
13845 
13846         netstack_rele(ns);
13847         return (0);
13848 }
13849 
13850 /*
13851  * Check whether there is a CGTP filter registration.
13852  * Returns non-zero if there is a registration, otherwise returns zero.
13853  * Note: returns zero if bad stackid.
13854  */
13855 int
13856 ip_cgtp_filter_is_registered(netstackid_t stackid)
13857 {
13858         netstack_t *ns;
13859         ip_stack_t *ipst;
13860         int ret;
13861 
13862         ns = netstack_find_by_stackid(stackid);
13863         if (ns == NULL)
13864                 return (0);
13865         ipst = ns->netstack_ip;
13866         ASSERT(ipst != NULL);
13867 
13868         if (ipst->ips_ip_cgtp_filter_ops != NULL)
13869                 ret = 1;
13870         else
13871                 ret = 0;
13872 
13873         netstack_rele(ns);
13874         return (ret);
13875 }
13876 
13877 static int
13878 ip_squeue_switch(int val)
13879 {
13880         int rval;
13881 
13882         switch (val) {
13883         case IP_SQUEUE_ENTER_NODRAIN:
13884                 rval = SQ_NODRAIN;
13885                 break;
13886         case IP_SQUEUE_ENTER:
13887                 rval = SQ_PROCESS;
13888                 break;
13889         case IP_SQUEUE_FILL:
13890         default:
13891                 rval = SQ_FILL;
13892                 break;
13893         }
13894         return (rval);
13895 }
13896 
13897 static void *
13898 ip_kstat2_init(netstackid_t stackid, ip_stat_t *ip_statisticsp)
13899 {
13900         kstat_t *ksp;
13901 
13902         ip_stat_t template = {
13903                 { "ip_udp_fannorm",             KSTAT_DATA_UINT64 },
13904                 { "ip_udp_fanmb",               KSTAT_DATA_UINT64 },
13905                 { "ip_recv_pullup",             KSTAT_DATA_UINT64 },
13906                 { "ip_db_ref",                  KSTAT_DATA_UINT64 },
13907                 { "ip_notaligned",              KSTAT_DATA_UINT64 },
13908                 { "ip_multimblk",               KSTAT_DATA_UINT64 },
13909                 { "ip_opt",                     KSTAT_DATA_UINT64 },
13910                 { "ipsec_proto_ahesp",          KSTAT_DATA_UINT64 },
13911                 { "ip_conn_flputbq",            KSTAT_DATA_UINT64 },
13912                 { "ip_conn_walk_drain",         KSTAT_DATA_UINT64 },
13913                 { "ip_out_sw_cksum",            KSTAT_DATA_UINT64 },
13914                 { "ip_out_sw_cksum_bytes",      KSTAT_DATA_UINT64 },
13915                 { "ip_in_sw_cksum",             KSTAT_DATA_UINT64 },
13916                 { "ip_ire_reclaim_calls",       KSTAT_DATA_UINT64 },
13917                 { "ip_ire_reclaim_deleted",     KSTAT_DATA_UINT64 },
13918                 { "ip_nce_reclaim_calls",       KSTAT_DATA_UINT64 },
13919                 { "ip_nce_reclaim_deleted",     KSTAT_DATA_UINT64 },
13920                 { "ip_dce_reclaim_calls",       KSTAT_DATA_UINT64 },
13921                 { "ip_dce_reclaim_deleted",     KSTAT_DATA_UINT64 },
13922                 { "ip_tcp_in_full_hw_cksum_err",        KSTAT_DATA_UINT64 },
13923                 { "ip_tcp_in_part_hw_cksum_err",        KSTAT_DATA_UINT64 },
13924                 { "ip_tcp_in_sw_cksum_err",             KSTAT_DATA_UINT64 },
13925                 { "ip_udp_in_full_hw_cksum_err",        KSTAT_DATA_UINT64 },
13926                 { "ip_udp_in_part_hw_cksum_err",        KSTAT_DATA_UINT64 },
13927                 { "ip_udp_in_sw_cksum_err",     KSTAT_DATA_UINT64 },
13928                 { "conn_in_recvdstaddr",        KSTAT_DATA_UINT64 },
13929                 { "conn_in_recvopts",           KSTAT_DATA_UINT64 },
13930                 { "conn_in_recvif",             KSTAT_DATA_UINT64 },
13931                 { "conn_in_recvslla",           KSTAT_DATA_UINT64 },
13932                 { "conn_in_recvucred",          KSTAT_DATA_UINT64 },
13933                 { "conn_in_recvttl",            KSTAT_DATA_UINT64 },
13934                 { "conn_in_recvhopopts",        KSTAT_DATA_UINT64 },
13935                 { "conn_in_recvhoplimit",       KSTAT_DATA_UINT64 },
13936                 { "conn_in_recvdstopts",        KSTAT_DATA_UINT64 },
13937                 { "conn_in_recvrthdrdstopts",   KSTAT_DATA_UINT64 },
13938                 { "conn_in_recvrthdr",          KSTAT_DATA_UINT64 },
13939                 { "conn_in_recvpktinfo",        KSTAT_DATA_UINT64 },
13940                 { "conn_in_recvtclass",         KSTAT_DATA_UINT64 },
13941                 { "conn_in_timestamp",          KSTAT_DATA_UINT64 },
13942         };
13943 
13944         ksp = kstat_create_netstack("ip", 0, "ipstat", "net",
13945             KSTAT_TYPE_NAMED, sizeof (template) / sizeof (kstat_named_t),
13946             KSTAT_FLAG_VIRTUAL, stackid);
13947 
13948         if (ksp == NULL)
13949                 return (NULL);
13950 
13951         bcopy(&template, ip_statisticsp, sizeof (template));
13952         ksp->ks_data = (void *)ip_statisticsp;
13953         ksp->ks_private = (void *)(uintptr_t)stackid;
13954 
13955         kstat_install(ksp);
13956         return (ksp);
13957 }
13958 
13959 static void
13960 ip_kstat2_fini(netstackid_t stackid, kstat_t *ksp)
13961 {
13962         if (ksp != NULL) {
13963                 ASSERT(stackid == (netstackid_t)(uintptr_t)ksp->ks_private);
13964                 kstat_delete_netstack(ksp, stackid);
13965         }
13966 }
13967 
13968 static void *
13969 ip_kstat_init(netstackid_t stackid, ip_stack_t *ipst)
13970 {
13971         kstat_t *ksp;
13972 
13973         ip_named_kstat_t template = {
13974                 { "forwarding",         KSTAT_DATA_UINT32, 0 },
13975                 { "defaultTTL",         KSTAT_DATA_UINT32, 0 },
13976                 { "inReceives",         KSTAT_DATA_UINT64, 0 },
13977                 { "inHdrErrors",        KSTAT_DATA_UINT32, 0 },
13978                 { "inAddrErrors",       KSTAT_DATA_UINT32, 0 },
13979                 { "forwDatagrams",      KSTAT_DATA_UINT64, 0 },
13980                 { "inUnknownProtos",    KSTAT_DATA_UINT32, 0 },
13981                 { "inDiscards",         KSTAT_DATA_UINT32, 0 },
13982                 { "inDelivers",         KSTAT_DATA_UINT64, 0 },
13983                 { "outRequests",        KSTAT_DATA_UINT64, 0 },
13984                 { "outDiscards",        KSTAT_DATA_UINT32, 0 },
13985                 { "outNoRoutes",        KSTAT_DATA_UINT32, 0 },
13986                 { "reasmTimeout",       KSTAT_DATA_UINT32, 0 },
13987                 { "reasmReqds",         KSTAT_DATA_UINT32, 0 },
13988                 { "reasmOKs",           KSTAT_DATA_UINT32, 0 },
13989                 { "reasmFails",         KSTAT_DATA_UINT32, 0 },
13990                 { "fragOKs",            KSTAT_DATA_UINT32, 0 },
13991                 { "fragFails",          KSTAT_DATA_UINT32, 0 },
13992                 { "fragCreates",        KSTAT_DATA_UINT32, 0 },
13993                 { "addrEntrySize",      KSTAT_DATA_INT32, 0 },
13994                 { "routeEntrySize",     KSTAT_DATA_INT32, 0 },
13995                 { "netToMediaEntrySize",        KSTAT_DATA_INT32, 0 },
13996                 { "routingDiscards",    KSTAT_DATA_UINT32, 0 },
13997                 { "inErrs",             KSTAT_DATA_UINT32, 0 },
13998                 { "noPorts",            KSTAT_DATA_UINT32, 0 },
13999                 { "inCksumErrs",        KSTAT_DATA_UINT32, 0 },
14000                 { "reasmDuplicates",    KSTAT_DATA_UINT32, 0 },
14001                 { "reasmPartDups",      KSTAT_DATA_UINT32, 0 },
14002                 { "forwProhibits",      KSTAT_DATA_UINT32, 0 },
14003                 { "udpInCksumErrs",     KSTAT_DATA_UINT32, 0 },
14004                 { "udpInOverflows",     KSTAT_DATA_UINT32, 0 },
14005                 { "rawipInOverflows",   KSTAT_DATA_UINT32, 0 },
14006                 { "ipsecInSucceeded",   KSTAT_DATA_UINT32, 0 },
14007                 { "ipsecInFailed",      KSTAT_DATA_INT32, 0 },
14008                 { "memberEntrySize",    KSTAT_DATA_INT32, 0 },
14009                 { "inIPv6",             KSTAT_DATA_UINT32, 0 },
14010                 { "outIPv6",            KSTAT_DATA_UINT32, 0 },
14011                 { "outSwitchIPv6",      KSTAT_DATA_UINT32, 0 },
14012         };
14013 
14014         ksp = kstat_create_netstack("ip", 0, "ip", "mib2", KSTAT_TYPE_NAMED,
14015             NUM_OF_FIELDS(ip_named_kstat_t), 0, stackid);
14016         if (ksp == NULL || ksp->ks_data == NULL)
14017                 return (NULL);
14018 
14019         template.forwarding.value.ui32 = WE_ARE_FORWARDING(ipst) ? 1:2;
14020         template.defaultTTL.value.ui32 = (uint32_t)ipst->ips_ip_def_ttl;
14021         template.reasmTimeout.value.ui32 = ipst->ips_ip_reassembly_timeout;
14022         template.addrEntrySize.value.i32 = sizeof (mib2_ipAddrEntry_t);
14023         template.routeEntrySize.value.i32 = sizeof (mib2_ipRouteEntry_t);
14024 
14025         template.netToMediaEntrySize.value.i32 =
14026             sizeof (mib2_ipNetToMediaEntry_t);
14027 
14028         template.memberEntrySize.value.i32 = sizeof (ipv6_member_t);
14029 
14030         bcopy(&template, ksp->ks_data, sizeof (template));
14031         ksp->ks_update = ip_kstat_update;
14032         ksp->ks_private = (void *)(uintptr_t)stackid;
14033 
14034         kstat_install(ksp);
14035         return (ksp);
14036 }
14037 
14038 static void
14039 ip_kstat_fini(netstackid_t stackid, kstat_t *ksp)
14040 {
14041         if (ksp != NULL) {
14042                 ASSERT(stackid == (netstackid_t)(uintptr_t)ksp->ks_private);
14043                 kstat_delete_netstack(ksp, stackid);
14044         }
14045 }
14046 
14047 static int
14048 ip_kstat_update(kstat_t *kp, int rw)
14049 {
14050         ip_named_kstat_t *ipkp;
14051         mib2_ipIfStatsEntry_t ipmib;
14052         ill_walk_context_t ctx;
14053         ill_t *ill;
14054         netstackid_t    stackid = (zoneid_t)(uintptr_t)kp->ks_private;
14055         netstack_t      *ns;
14056         ip_stack_t      *ipst;
14057 
14058         if (kp == NULL || kp->ks_data == NULL)
14059                 return (EIO);
14060 
14061         if (rw == KSTAT_WRITE)
14062                 return (EACCES);
14063 
14064         ns = netstack_find_by_stackid(stackid);
14065         if (ns == NULL)
14066                 return (-1);
14067         ipst = ns->netstack_ip;
14068         if (ipst == NULL) {
14069                 netstack_rele(ns);
14070                 return (-1);
14071         }
14072         ipkp = (ip_named_kstat_t *)kp->ks_data;
14073 
14074         bcopy(&ipst->ips_ip_mib, &ipmib, sizeof (ipmib));
14075         rw_enter(&ipst->ips_ill_g_lock, RW_READER);
14076         ill = ILL_START_WALK_V4(&ctx, ipst);
14077         for (; ill != NULL; ill = ill_next(&ctx, ill))
14078                 ip_mib2_add_ip_stats(&ipmib, ill->ill_ip_mib);
14079         rw_exit(&ipst->ips_ill_g_lock);
14080 
14081         ipkp->forwarding.value.ui32 =                ipmib.ipIfStatsForwarding;
14082         ipkp->defaultTTL.value.ui32 =                ipmib.ipIfStatsDefaultTTL;
14083         ipkp->inReceives.value.ui64 =                ipmib.ipIfStatsHCInReceives;
14084         ipkp->inHdrErrors.value.ui32 =               ipmib.ipIfStatsInHdrErrors;
14085         ipkp->inAddrErrors.value.ui32 =              ipmib.ipIfStatsInAddrErrors;
14086         ipkp->forwDatagrams.value.ui64 = ipmib.ipIfStatsHCOutForwDatagrams;
14087         ipkp->inUnknownProtos.value.ui32 =   ipmib.ipIfStatsInUnknownProtos;
14088         ipkp->inDiscards.value.ui32 =                ipmib.ipIfStatsInDiscards;
14089         ipkp->inDelivers.value.ui64 =                ipmib.ipIfStatsHCInDelivers;
14090         ipkp->outRequests.value.ui64 =               ipmib.ipIfStatsHCOutRequests;
14091         ipkp->outDiscards.value.ui32 =               ipmib.ipIfStatsOutDiscards;
14092         ipkp->outNoRoutes.value.ui32 =               ipmib.ipIfStatsOutNoRoutes;
14093         ipkp->reasmTimeout.value.ui32 =              ipst->ips_ip_reassembly_timeout;
14094         ipkp->reasmReqds.value.ui32 =                ipmib.ipIfStatsReasmReqds;
14095         ipkp->reasmOKs.value.ui32 =          ipmib.ipIfStatsReasmOKs;
14096         ipkp->reasmFails.value.ui32 =                ipmib.ipIfStatsReasmFails;
14097         ipkp->fragOKs.value.ui32 =           ipmib.ipIfStatsOutFragOKs;
14098         ipkp->fragFails.value.ui32 =         ipmib.ipIfStatsOutFragFails;
14099         ipkp->fragCreates.value.ui32 =               ipmib.ipIfStatsOutFragCreates;
14100 
14101         ipkp->routingDiscards.value.ui32 =   0;
14102         ipkp->inErrs.value.ui32 =            ipmib.tcpIfStatsInErrs;
14103         ipkp->noPorts.value.ui32 =           ipmib.udpIfStatsNoPorts;
14104         ipkp->inCksumErrs.value.ui32 =               ipmib.ipIfStatsInCksumErrs;
14105         ipkp->reasmDuplicates.value.ui32 =   ipmib.ipIfStatsReasmDuplicates;
14106         ipkp->reasmPartDups.value.ui32 =     ipmib.ipIfStatsReasmPartDups;
14107         ipkp->forwProhibits.value.ui32 =     ipmib.ipIfStatsForwProhibits;
14108         ipkp->udpInCksumErrs.value.ui32 =    ipmib.udpIfStatsInCksumErrs;
14109         ipkp->udpInOverflows.value.ui32 =    ipmib.udpIfStatsInOverflows;
14110         ipkp->rawipInOverflows.value.ui32 =  ipmib.rawipIfStatsInOverflows;
14111         ipkp->ipsecInSucceeded.value.ui32 =  ipmib.ipsecIfStatsInSucceeded;
14112         ipkp->ipsecInFailed.value.i32 =              ipmib.ipsecIfStatsInFailed;
14113 
14114         ipkp->inIPv6.value.ui32 =    ipmib.ipIfStatsInWrongIPVersion;
14115         ipkp->outIPv6.value.ui32 =   ipmib.ipIfStatsOutWrongIPVersion;
14116         ipkp->outSwitchIPv6.value.ui32 = ipmib.ipIfStatsOutSwitchIPVersion;
14117 
14118         netstack_rele(ns);
14119 
14120         return (0);
14121 }
14122 
14123 static void *
14124 icmp_kstat_init(netstackid_t stackid)
14125 {
14126         kstat_t *ksp;
14127 
14128         icmp_named_kstat_t template = {
14129                 { "inMsgs",             KSTAT_DATA_UINT32 },
14130                 { "inErrors",           KSTAT_DATA_UINT32 },
14131                 { "inDestUnreachs",     KSTAT_DATA_UINT32 },
14132                 { "inTimeExcds",        KSTAT_DATA_UINT32 },
14133                 { "inParmProbs",        KSTAT_DATA_UINT32 },
14134                 { "inSrcQuenchs",       KSTAT_DATA_UINT32 },
14135                 { "inRedirects",        KSTAT_DATA_UINT32 },
14136                 { "inEchos",            KSTAT_DATA_UINT32 },
14137                 { "inEchoReps",         KSTAT_DATA_UINT32 },
14138                 { "inTimestamps",       KSTAT_DATA_UINT32 },
14139                 { "inTimestampReps",    KSTAT_DATA_UINT32 },
14140                 { "inAddrMasks",        KSTAT_DATA_UINT32 },
14141                 { "inAddrMaskReps",     KSTAT_DATA_UINT32 },
14142                 { "outMsgs",            KSTAT_DATA_UINT32 },
14143                 { "outErrors",          KSTAT_DATA_UINT32 },
14144                 { "outDestUnreachs",    KSTAT_DATA_UINT32 },
14145                 { "outTimeExcds",       KSTAT_DATA_UINT32 },
14146                 { "outParmProbs",       KSTAT_DATA_UINT32 },
14147                 { "outSrcQuenchs",      KSTAT_DATA_UINT32 },
14148                 { "outRedirects",       KSTAT_DATA_UINT32 },
14149                 { "outEchos",           KSTAT_DATA_UINT32 },
14150                 { "outEchoReps",        KSTAT_DATA_UINT32 },
14151                 { "outTimestamps",      KSTAT_DATA_UINT32 },
14152                 { "outTimestampReps",   KSTAT_DATA_UINT32 },
14153                 { "outAddrMasks",       KSTAT_DATA_UINT32 },
14154                 { "outAddrMaskReps",    KSTAT_DATA_UINT32 },
14155                 { "inChksumErrs",       KSTAT_DATA_UINT32 },
14156                 { "inUnknowns",         KSTAT_DATA_UINT32 },
14157                 { "inFragNeeded",       KSTAT_DATA_UINT32 },
14158                 { "outFragNeeded",      KSTAT_DATA_UINT32 },
14159                 { "outDrops",           KSTAT_DATA_UINT32 },
14160                 { "inOverFlows",        KSTAT_DATA_UINT32 },
14161                 { "inBadRedirects",     KSTAT_DATA_UINT32 },
14162         };
14163 
14164         ksp = kstat_create_netstack("ip", 0, "icmp", "mib2", KSTAT_TYPE_NAMED,
14165             NUM_OF_FIELDS(icmp_named_kstat_t), 0, stackid);
14166         if (ksp == NULL || ksp->ks_data == NULL)
14167                 return (NULL);
14168 
14169         bcopy(&template, ksp->ks_data, sizeof (template));
14170 
14171         ksp->ks_update = icmp_kstat_update;
14172         ksp->ks_private = (void *)(uintptr_t)stackid;
14173 
14174         kstat_install(ksp);
14175         return (ksp);
14176 }
14177 
14178 static void
14179 icmp_kstat_fini(netstackid_t stackid, kstat_t *ksp)
14180 {
14181         if (ksp != NULL) {
14182                 ASSERT(stackid == (netstackid_t)(uintptr_t)ksp->ks_private);
14183                 kstat_delete_netstack(ksp, stackid);
14184         }
14185 }
14186 
14187 static int
14188 icmp_kstat_update(kstat_t *kp, int rw)
14189 {
14190         icmp_named_kstat_t *icmpkp;
14191         netstackid_t    stackid = (zoneid_t)(uintptr_t)kp->ks_private;
14192         netstack_t      *ns;
14193         ip_stack_t      *ipst;
14194 
14195         if ((kp == NULL) || (kp->ks_data == NULL))
14196                 return (EIO);
14197 
14198         if (rw == KSTAT_WRITE)
14199                 return (EACCES);
14200 
14201         ns = netstack_find_by_stackid(stackid);
14202         if (ns == NULL)
14203                 return (-1);
14204         ipst = ns->netstack_ip;
14205         if (ipst == NULL) {
14206                 netstack_rele(ns);
14207                 return (-1);
14208         }
14209         icmpkp = (icmp_named_kstat_t *)kp->ks_data;
14210 
14211         icmpkp->inMsgs.value.ui32 =      ipst->ips_icmp_mib.icmpInMsgs;
14212         icmpkp->inErrors.value.ui32 =            ipst->ips_icmp_mib.icmpInErrors;
14213         icmpkp->inDestUnreachs.value.ui32 =
14214             ipst->ips_icmp_mib.icmpInDestUnreachs;
14215         icmpkp->inTimeExcds.value.ui32 =    ipst->ips_icmp_mib.icmpInTimeExcds;
14216         icmpkp->inParmProbs.value.ui32 =    ipst->ips_icmp_mib.icmpInParmProbs;
14217         icmpkp->inSrcQuenchs.value.ui32 =   ipst->ips_icmp_mib.icmpInSrcQuenchs;
14218         icmpkp->inRedirects.value.ui32 =    ipst->ips_icmp_mib.icmpInRedirects;
14219         icmpkp->inEchos.value.ui32 =     ipst->ips_icmp_mib.icmpInEchos;
14220         icmpkp->inEchoReps.value.ui32 =          ipst->ips_icmp_mib.icmpInEchoReps;
14221         icmpkp->inTimestamps.value.ui32 =   ipst->ips_icmp_mib.icmpInTimestamps;
14222         icmpkp->inTimestampReps.value.ui32 =
14223             ipst->ips_icmp_mib.icmpInTimestampReps;
14224         icmpkp->inAddrMasks.value.ui32 =    ipst->ips_icmp_mib.icmpInAddrMasks;
14225         icmpkp->inAddrMaskReps.value.ui32 =
14226             ipst->ips_icmp_mib.icmpInAddrMaskReps;
14227         icmpkp->outMsgs.value.ui32 =     ipst->ips_icmp_mib.icmpOutMsgs;
14228         icmpkp->outErrors.value.ui32 =           ipst->ips_icmp_mib.icmpOutErrors;
14229         icmpkp->outDestUnreachs.value.ui32 =
14230             ipst->ips_icmp_mib.icmpOutDestUnreachs;
14231         icmpkp->outTimeExcds.value.ui32 =   ipst->ips_icmp_mib.icmpOutTimeExcds;
14232         icmpkp->outParmProbs.value.ui32 =   ipst->ips_icmp_mib.icmpOutParmProbs;
14233         icmpkp->outSrcQuenchs.value.ui32 =
14234             ipst->ips_icmp_mib.icmpOutSrcQuenchs;
14235         icmpkp->outRedirects.value.ui32 =   ipst->ips_icmp_mib.icmpOutRedirects;
14236         icmpkp->outEchos.value.ui32 =            ipst->ips_icmp_mib.icmpOutEchos;
14237         icmpkp->outEchoReps.value.ui32 =    ipst->ips_icmp_mib.icmpOutEchoReps;
14238         icmpkp->outTimestamps.value.ui32 =
14239             ipst->ips_icmp_mib.icmpOutTimestamps;
14240         icmpkp->outTimestampReps.value.ui32 =
14241             ipst->ips_icmp_mib.icmpOutTimestampReps;
14242         icmpkp->outAddrMasks.value.ui32 =
14243             ipst->ips_icmp_mib.icmpOutAddrMasks;
14244         icmpkp->outAddrMaskReps.value.ui32 =
14245             ipst->ips_icmp_mib.icmpOutAddrMaskReps;
14246         icmpkp->inCksumErrs.value.ui32 =    ipst->ips_icmp_mib.icmpInCksumErrs;
14247         icmpkp->inUnknowns.value.ui32 =          ipst->ips_icmp_mib.icmpInUnknowns;
14248         icmpkp->inFragNeeded.value.ui32 =   ipst->ips_icmp_mib.icmpInFragNeeded;
14249         icmpkp->outFragNeeded.value.ui32 =
14250             ipst->ips_icmp_mib.icmpOutFragNeeded;
14251         icmpkp->outDrops.value.ui32 =            ipst->ips_icmp_mib.icmpOutDrops;
14252         icmpkp->inOverflows.value.ui32 =    ipst->ips_icmp_mib.icmpInOverflows;
14253         icmpkp->inBadRedirects.value.ui32 =
14254             ipst->ips_icmp_mib.icmpInBadRedirects;
14255 
14256         netstack_rele(ns);
14257         return (0);
14258 }
14259 
14260 /*
14261  * This is the fanout function for raw socket opened for SCTP.  Note
14262  * that it is called after SCTP checks that there is no socket which
14263  * wants a packet.  Then before SCTP handles this out of the blue packet,
14264  * this function is called to see if there is any raw socket for SCTP.
14265  * If there is and it is bound to the correct address, the packet will
14266  * be sent to that socket.  Note that only one raw socket can be bound to
14267  * a port.  This is assured in ipcl_sctp_hash_insert();
14268  */
14269 void
14270 ip_fanout_sctp_raw(mblk_t *mp, ipha_t *ipha, ip6_t *ip6h, uint32_t ports,
14271     ip_recv_attr_t *ira)
14272 {
14273         conn_t          *connp;
14274         queue_t         *rq;
14275         boolean_t       secure;
14276         ill_t           *ill = ira->ira_ill;
14277         ip_stack_t      *ipst = ill->ill_ipst;
14278         ipsec_stack_t   *ipss = ipst->ips_netstack->netstack_ipsec;
14279         sctp_stack_t    *sctps = ipst->ips_netstack->netstack_sctp;
14280         iaflags_t       iraflags = ira->ira_flags;
14281         ill_t           *rill = ira->ira_rill;
14282 
14283         secure = iraflags & IRAF_IPSEC_SECURE;
14284 
14285         connp = ipcl_classify_raw(mp, IPPROTO_SCTP, ports, ipha, ip6h,
14286             ira, ipst);
14287         if (connp == NULL) {
14288                 /*
14289                  * Although raw sctp is not summed, OOB chunks must be.
14290                  * Drop the packet here if the sctp checksum failed.
14291                  */
14292                 if (iraflags & IRAF_SCTP_CSUM_ERR) {
14293                         SCTPS_BUMP_MIB(sctps, sctpChecksumError);
14294                         freemsg(mp);
14295                         return;
14296                 }
14297                 ira->ira_ill = ira->ira_rill = NULL;
14298                 sctp_ootb_input(mp, ira, ipst);
14299                 ira->ira_ill = ill;
14300                 ira->ira_rill = rill;
14301                 return;
14302         }
14303         rq = connp->conn_rq;
14304         if (IPCL_IS_NONSTR(connp) ? connp->conn_flow_cntrld : !canputnext(rq)) {
14305                 CONN_DEC_REF(connp);
14306                 BUMP_MIB(ill->ill_ip_mib, rawipIfStatsInOverflows);
14307                 freemsg(mp);
14308                 return;
14309         }
14310         if (((iraflags & IRAF_IS_IPV4) ?
14311             CONN_INBOUND_POLICY_PRESENT(connp, ipss) :
14312             CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss)) ||
14313             secure) {
14314                 mp = ipsec_check_inbound_policy(mp, connp, ipha,
14315                     ip6h, ira);
14316                 if (mp == NULL) {
14317                         BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
14318                         /* Note that mp is NULL */
14319                         ip_drop_input("ipIfStatsInDiscards", mp, ill);
14320                         CONN_DEC_REF(connp);
14321                         return;
14322                 }
14323         }
14324 
14325         if (iraflags & IRAF_ICMP_ERROR) {
14326                 (connp->conn_recvicmp)(connp, mp, NULL, ira);
14327         } else {
14328                 ill_t *rill = ira->ira_rill;
14329 
14330                 BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
14331                 /* This is the SOCK_RAW, IPPROTO_SCTP case. */
14332                 ira->ira_ill = ira->ira_rill = NULL;
14333                 (connp->conn_recv)(connp, mp, NULL, ira);
14334                 ira->ira_ill = ill;
14335                 ira->ira_rill = rill;
14336         }
14337         CONN_DEC_REF(connp);
14338 }
14339 
14340 /*
14341  * Free a packet that has the link-layer dl_unitdata_req_t or fast-path
14342  * header before the ip payload.
14343  */
14344 static void
14345 ip_xmit_flowctl_drop(ill_t *ill, mblk_t *mp, boolean_t is_fp_mp, int fp_mp_len)
14346 {
14347         int len = (mp->b_wptr - mp->b_rptr);
14348         mblk_t *ip_mp;
14349 
14350         BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
14351         if (is_fp_mp || len != fp_mp_len) {
14352                 if (len > fp_mp_len) {
14353                         /*
14354                          * fastpath header and ip header in the first mblk
14355                          */
14356                         mp->b_rptr += fp_mp_len;
14357                 } else {
14358                         /*
14359                          * ip_xmit_attach_llhdr had to prepend an mblk to
14360                          * attach the fastpath header before ip header.
14361                          */
14362                         ip_mp = mp->b_cont;
14363                         freeb(mp);
14364                         mp = ip_mp;
14365                         mp->b_rptr += (fp_mp_len - len);
14366                 }
14367         } else {
14368                 ip_mp = mp->b_cont;
14369                 freeb(mp);
14370                 mp = ip_mp;
14371         }
14372         ip_drop_output("ipIfStatsOutDiscards - flow ctl", mp, ill);
14373         freemsg(mp);
14374 }
14375 
14376 /*
14377  * Normal post fragmentation function.
14378  *
14379  * Send a packet using the passed in nce. This handles both IPv4 and IPv6
14380  * using the same state machine.
14381  *
14382  * We return an error on failure. In particular we return EWOULDBLOCK
14383  * when the driver flow controls. In that case this ensures that ip_wsrv runs
14384  * (currently by canputnext failure resulting in backenabling from GLD.)
14385  * This allows the callers of conn_ip_output() to use EWOULDBLOCK as an
14386  * indication that they can flow control until ip_wsrv() tells then to restart.
14387  *
14388  * If the nce passed by caller is incomplete, this function
14389  * queues the packet and if necessary, sends ARP request and bails.
14390  * If the Neighbor Cache passed is fully resolved, we simply prepend
14391  * the link-layer header to the packet, do ipsec hw acceleration
14392  * work if necessary, and send the packet out on the wire.
14393  */
14394 /* ARGSUSED6 */
14395 int
14396 ip_xmit(mblk_t *mp, nce_t *nce, iaflags_t ixaflags, uint_t pkt_len,
14397     uint32_t xmit_hint, zoneid_t szone, zoneid_t nolzid, uintptr_t *ixacookie)
14398 {
14399         queue_t         *wq;
14400         ill_t           *ill = nce->nce_ill;
14401         ip_stack_t      *ipst = ill->ill_ipst;
14402         uint64_t        delta;
14403         boolean_t       isv6 = ill->ill_isv6;
14404         boolean_t       fp_mp;
14405         ncec_t          *ncec = nce->nce_common;
14406         int64_t         now = LBOLT_FASTPATH64;
14407         boolean_t       is_probe;
14408 
14409         DTRACE_PROBE1(ip__xmit, nce_t *, nce);
14410 
14411         ASSERT(mp != NULL);
14412         ASSERT(mp->b_datap->db_type == M_DATA);
14413         ASSERT(pkt_len == msgdsize(mp));
14414 
14415         /*
14416          * If we have already been here and are coming back after ARP/ND.
14417          * the IXAF_NO_TRACE flag is set. We skip FW_HOOKS, DTRACE and ipobs
14418          * in that case since they have seen the packet when it came here
14419          * the first time.
14420          */
14421         if (ixaflags & IXAF_NO_TRACE)
14422                 goto sendit;
14423 
14424         if (ixaflags & IXAF_IS_IPV4) {
14425                 ipha_t *ipha = (ipha_t *)mp->b_rptr;
14426 
14427                 ASSERT(!isv6);
14428                 ASSERT(pkt_len == ntohs(((ipha_t *)mp->b_rptr)->ipha_length));
14429                 if (HOOKS4_INTERESTED_PHYSICAL_OUT(ipst) &&
14430                     !(ixaflags & IXAF_NO_PFHOOK)) {
14431                         int     error;
14432 
14433                         FW_HOOKS(ipst->ips_ip4_physical_out_event,
14434                             ipst->ips_ipv4firewall_physical_out,
14435                             NULL, ill, ipha, mp, mp, 0, ipst, error);
14436                         DTRACE_PROBE1(ip4__physical__out__end,
14437                             mblk_t *, mp);
14438                         if (mp == NULL)
14439                                 return (error);
14440 
14441                         /* The length could have changed */
14442                         pkt_len = msgdsize(mp);
14443                 }
14444                 if (ipst->ips_ip4_observe.he_interested) {
14445                         /*
14446                          * Note that for TX the zoneid is the sending
14447                          * zone, whether or not MLP is in play.
14448                          * Since the szone argument is the IP zoneid (i.e.,
14449                          * zero for exclusive-IP zones) and ipobs wants
14450                          * the system zoneid, we map it here.
14451                          */
14452                         szone = IP_REAL_ZONEID(szone, ipst);
14453 
14454                         /*
14455                          * On the outbound path the destination zone will be
14456                          * unknown as we're sending this packet out on the
14457                          * wire.
14458                          */
14459                         ipobs_hook(mp, IPOBS_HOOK_OUTBOUND, szone, ALL_ZONES,
14460                             ill, ipst);
14461                 }
14462                 DTRACE_IP7(send, mblk_t *, mp,  conn_t *, NULL,
14463                     void_ip_t *, ipha,  __dtrace_ipsr_ill_t *, ill,
14464                     ipha_t *, ipha, ip6_t *, NULL, int, 0);
14465         } else {
14466                 ip6_t *ip6h = (ip6_t *)mp->b_rptr;
14467 
14468                 ASSERT(isv6);
14469                 ASSERT(pkt_len ==
14470                     ntohs(((ip6_t *)mp->b_rptr)->ip6_plen) + IPV6_HDR_LEN);
14471                 if (HOOKS6_INTERESTED_PHYSICAL_OUT(ipst) &&
14472                     !(ixaflags & IXAF_NO_PFHOOK)) {
14473                         int     error;
14474 
14475                         FW_HOOKS6(ipst->ips_ip6_physical_out_event,
14476                             ipst->ips_ipv6firewall_physical_out,
14477                             NULL, ill, ip6h, mp, mp, 0, ipst, error);
14478                         DTRACE_PROBE1(ip6__physical__out__end,
14479                             mblk_t *, mp);
14480                         if (mp == NULL)
14481                                 return (error);
14482 
14483                         /* The length could have changed */
14484                         pkt_len = msgdsize(mp);
14485                 }
14486                 if (ipst->ips_ip6_observe.he_interested) {
14487                         /* See above */
14488                         szone = IP_REAL_ZONEID(szone, ipst);
14489 
14490                         ipobs_hook(mp, IPOBS_HOOK_OUTBOUND, szone, ALL_ZONES,
14491                             ill, ipst);
14492                 }
14493                 DTRACE_IP7(send, mblk_t *, mp,  conn_t *, NULL,
14494                     void_ip_t *, ip6h,  __dtrace_ipsr_ill_t *, ill,
14495                     ipha_t *, NULL, ip6_t *, ip6h, int, 0);
14496         }
14497 
14498 sendit:
14499         /*
14500          * We check the state without a lock because the state can never
14501          * move "backwards" to initial or incomplete.
14502          */
14503         switch (ncec->ncec_state) {
14504         case ND_REACHABLE:
14505         case ND_STALE:
14506         case ND_DELAY:
14507         case ND_PROBE:
14508                 mp = ip_xmit_attach_llhdr(mp, nce);
14509                 if (mp == NULL) {
14510                         /*
14511                          * ip_xmit_attach_llhdr has increased
14512                          * ipIfStatsOutDiscards and called ip_drop_output()
14513                          */
14514                         return (ENOBUFS);
14515                 }
14516                 /*
14517                  * check if nce_fastpath completed and we tagged on a
14518                  * copy of nce_fp_mp in ip_xmit_attach_llhdr().
14519                  */
14520                 fp_mp = (mp->b_datap->db_type == M_DATA);
14521 
14522                 if (fp_mp &&
14523                     (ill->ill_capabilities & ILL_CAPAB_DLD_DIRECT)) {
14524                         ill_dld_direct_t *idd;
14525 
14526                         idd = &ill->ill_dld_capab->idc_direct;
14527                         /*
14528                          * Send the packet directly to DLD, where it
14529                          * may be queued depending on the availability
14530                          * of transmit resources at the media layer.
14531                          * Return value should be taken into
14532                          * account and flow control the TCP.
14533                          */
14534                         BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCOutTransmits);
14535                         UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCOutOctets,
14536                             pkt_len);
14537 
14538                         if (ixaflags & IXAF_NO_DEV_FLOW_CTL) {
14539                                 (void) idd->idd_tx_df(idd->idd_tx_dh, mp,
14540                                     (uintptr_t)xmit_hint, IP_DROP_ON_NO_DESC);
14541                         } else {
14542                                 uintptr_t cookie;
14543 
14544                                 if ((cookie = idd->idd_tx_df(idd->idd_tx_dh,
14545                                     mp, (uintptr_t)xmit_hint, 0)) != 0) {
14546                                         if (ixacookie != NULL)
14547                                                 *ixacookie = cookie;
14548                                         return (EWOULDBLOCK);
14549                                 }
14550                         }
14551                 } else {
14552                         wq = ill->ill_wq;
14553 
14554                         if (!(ixaflags & IXAF_NO_DEV_FLOW_CTL) &&
14555                             !canputnext(wq)) {
14556                                 if (ixacookie != NULL)
14557                                         *ixacookie = 0;
14558                                 ip_xmit_flowctl_drop(ill, mp, fp_mp,
14559                                     nce->nce_fp_mp != NULL ?
14560                                     MBLKL(nce->nce_fp_mp) : 0);
14561                                 return (EWOULDBLOCK);
14562                         }
14563                         BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCOutTransmits);
14564                         UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCOutOctets,
14565                             pkt_len);
14566                         putnext(wq, mp);
14567                 }
14568 
14569                 /*
14570                  * The rest of this function implements Neighbor Unreachability
14571                  * detection. Determine if the ncec is eligible for NUD.
14572                  */
14573                 if (ncec->ncec_flags & NCE_F_NONUD)
14574                         return (0);
14575 
14576                 ASSERT(ncec->ncec_state != ND_INCOMPLETE);
14577 
14578                 /*
14579                  * Check for upper layer advice
14580                  */
14581                 if (ixaflags & IXAF_REACH_CONF) {
14582                         timeout_id_t tid;
14583 
14584                         /*
14585                          * It should be o.k. to check the state without
14586                          * a lock here, at most we lose an advice.
14587                          */
14588                         ncec->ncec_last = TICK_TO_MSEC(now);
14589                         if (ncec->ncec_state != ND_REACHABLE) {
14590                                 mutex_enter(&ncec->ncec_lock);
14591                                 ncec->ncec_state = ND_REACHABLE;
14592                                 tid = ncec->ncec_timeout_id;
14593                                 ncec->ncec_timeout_id = 0;
14594                                 mutex_exit(&ncec->ncec_lock);
14595                                 (void) untimeout(tid);
14596                                 if (ip_debug > 2) {
14597                                         /* ip1dbg */
14598                                         pr_addr_dbg("ip_xmit: state"
14599                                             " for %s changed to"
14600                                             " REACHABLE\n", AF_INET6,
14601                                             &ncec->ncec_addr);
14602                                 }
14603                         }
14604                         return (0);
14605                 }
14606 
14607                 delta =  TICK_TO_MSEC(now) - ncec->ncec_last;
14608                 ip1dbg(("ip_xmit: delta = %" PRId64
14609                     " ill_reachable_time = %d \n", delta,
14610                     ill->ill_reachable_time));
14611                 if (delta > (uint64_t)ill->ill_reachable_time) {
14612                         mutex_enter(&ncec->ncec_lock);
14613                         switch (ncec->ncec_state) {
14614                         case ND_REACHABLE:
14615                                 ASSERT((ncec->ncec_flags & NCE_F_NONUD) == 0);
14616                                 /* FALLTHROUGH */
14617                         case ND_STALE:
14618                                 /*
14619                                  * ND_REACHABLE is identical to
14620                                  * ND_STALE in this specific case. If
14621                                  * reachable time has expired for this
14622                                  * neighbor (delta is greater than
14623                                  * reachable time), conceptually, the
14624                                  * neighbor cache is no longer in
14625                                  * REACHABLE state, but already in
14626                                  * STALE state.  So the correct
14627                                  * transition here is to ND_DELAY.
14628                                  */
14629                                 ncec->ncec_state = ND_DELAY;
14630                                 mutex_exit(&ncec->ncec_lock);
14631                                 nce_restart_timer(ncec,
14632                                     ipst->ips_delay_first_probe_time);
14633                                 if (ip_debug > 3) {
14634                                         /* ip2dbg */
14635                                         pr_addr_dbg("ip_xmit: state"
14636                                             " for %s changed to"
14637                                             " DELAY\n", AF_INET6,
14638                                             &ncec->ncec_addr);
14639                                 }
14640                                 break;
14641                         case ND_DELAY:
14642                         case ND_PROBE:
14643                                 mutex_exit(&ncec->ncec_lock);
14644                                 /* Timers have already started */
14645                                 break;
14646                         case ND_UNREACHABLE:
14647                                 /*
14648                                  * nce_timer has detected that this ncec
14649                                  * is unreachable and initiated deleting
14650                                  * this ncec.
14651                                  * This is a harmless race where we found the
14652                                  * ncec before it was deleted and have
14653                                  * just sent out a packet using this
14654                                  * unreachable ncec.
14655                                  */
14656                                 mutex_exit(&ncec->ncec_lock);
14657                                 break;
14658                         default:
14659                                 ASSERT(0);
14660                                 mutex_exit(&ncec->ncec_lock);
14661                         }
14662                 }
14663                 return (0);
14664 
14665         case ND_INCOMPLETE:
14666                 /*
14667                  * the state could have changed since we didn't hold the lock.
14668                  * Re-verify state under lock.
14669                  */
14670                 is_probe = ipmp_packet_is_probe(mp, nce->nce_ill);
14671                 mutex_enter(&ncec->ncec_lock);
14672                 if (NCE_ISREACHABLE(ncec)) {
14673                         mutex_exit(&ncec->ncec_lock);
14674                         goto sendit;
14675                 }
14676                 /* queue the packet */
14677                 nce_queue_mp(ncec, mp, is_probe);
14678                 mutex_exit(&ncec->ncec_lock);
14679                 DTRACE_PROBE2(ip__xmit__incomplete,
14680                     (ncec_t *), ncec, (mblk_t *), mp);
14681                 return (0);
14682 
14683         case ND_INITIAL:
14684                 /*
14685                  * State could have changed since we didn't hold the lock, so
14686                  * re-verify state.
14687                  */
14688                 is_probe = ipmp_packet_is_probe(mp, nce->nce_ill);
14689                 mutex_enter(&ncec->ncec_lock);
14690                 if (NCE_ISREACHABLE(ncec))  {
14691                         mutex_exit(&ncec->ncec_lock);
14692                         goto sendit;
14693                 }
14694                 nce_queue_mp(ncec, mp, is_probe);
14695                 if (ncec->ncec_state == ND_INITIAL) {
14696                         ncec->ncec_state = ND_INCOMPLETE;
14697                         mutex_exit(&ncec->ncec_lock);
14698                         /*
14699                          * figure out the source we want to use
14700                          * and resolve it.
14701                          */
14702                         ip_ndp_resolve(ncec);
14703                 } else  {
14704                         mutex_exit(&ncec->ncec_lock);
14705                 }
14706                 return (0);
14707 
14708         case ND_UNREACHABLE:
14709                 BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
14710                 ip_drop_output("ipIfStatsOutDiscards - ND_UNREACHABLE",
14711                     mp, ill);
14712                 freemsg(mp);
14713                 return (0);
14714 
14715         default:
14716                 ASSERT(0);
14717                 BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
14718                 ip_drop_output("ipIfStatsOutDiscards - ND_other",
14719                     mp, ill);
14720                 freemsg(mp);
14721                 return (ENETUNREACH);
14722         }
14723 }
14724 
14725 /*
14726  * Return B_TRUE if the buffers differ in length or content.
14727  * This is used for comparing extension header buffers.
14728  * Note that an extension header would be declared different
14729  * even if all that changed was the next header value in that header i.e.
14730  * what really changed is the next extension header.
14731  */
14732 boolean_t
14733 ip_cmpbuf(const void *abuf, uint_t alen, boolean_t b_valid, const void *bbuf,
14734     uint_t blen)
14735 {
14736         if (!b_valid)
14737                 blen = 0;
14738 
14739         if (alen != blen)
14740                 return (B_TRUE);
14741         if (alen == 0)
14742                 return (B_FALSE);       /* Both zero length */
14743         return (bcmp(abuf, bbuf, alen));
14744 }
14745 
14746 /*
14747  * Preallocate memory for ip_savebuf(). Returns B_TRUE if ok.
14748  * Return B_FALSE if memory allocation fails - don't change any state!
14749  */
14750 boolean_t
14751 ip_allocbuf(void **dstp, uint_t *dstlenp, boolean_t src_valid,
14752     const void *src, uint_t srclen)
14753 {
14754         void *dst;
14755 
14756         if (!src_valid)
14757                 srclen = 0;
14758 
14759         ASSERT(*dstlenp == 0);
14760         if (src != NULL && srclen != 0) {
14761                 dst = mi_alloc(srclen, BPRI_MED);
14762                 if (dst == NULL)
14763                         return (B_FALSE);
14764         } else {
14765                 dst = NULL;
14766         }
14767         if (*dstp != NULL)
14768                 mi_free(*dstp);
14769         *dstp = dst;
14770         *dstlenp = dst == NULL ? 0 : srclen;
14771         return (B_TRUE);
14772 }
14773 
14774 /*
14775  * Replace what is in *dst, *dstlen with the source.
14776  * Assumes ip_allocbuf has already been called.
14777  */
14778 void
14779 ip_savebuf(void **dstp, uint_t *dstlenp, boolean_t src_valid,
14780     const void *src, uint_t srclen)
14781 {
14782         if (!src_valid)
14783                 srclen = 0;
14784 
14785         ASSERT(*dstlenp == srclen);
14786         if (src != NULL && srclen != 0)
14787                 bcopy(src, *dstp, srclen);
14788 }
14789 
14790 /*
14791  * Free the storage pointed to by the members of an ip_pkt_t.
14792  */
14793 void
14794 ip_pkt_free(ip_pkt_t *ipp)
14795 {
14796         uint_t  fields = ipp->ipp_fields;
14797 
14798         if (fields & IPPF_HOPOPTS) {
14799                 kmem_free(ipp->ipp_hopopts, ipp->ipp_hopoptslen);
14800                 ipp->ipp_hopopts = NULL;
14801                 ipp->ipp_hopoptslen = 0;
14802         }
14803         if (fields & IPPF_RTHDRDSTOPTS) {
14804                 kmem_free(ipp->ipp_rthdrdstopts, ipp->ipp_rthdrdstoptslen);
14805                 ipp->ipp_rthdrdstopts = NULL;
14806                 ipp->ipp_rthdrdstoptslen = 0;
14807         }
14808         if (fields & IPPF_DSTOPTS) {
14809                 kmem_free(ipp->ipp_dstopts, ipp->ipp_dstoptslen);
14810                 ipp->ipp_dstopts = NULL;
14811                 ipp->ipp_dstoptslen = 0;
14812         }
14813         if (fields & IPPF_RTHDR) {
14814                 kmem_free(ipp->ipp_rthdr, ipp->ipp_rthdrlen);
14815                 ipp->ipp_rthdr = NULL;
14816                 ipp->ipp_rthdrlen = 0;
14817         }
14818         if (fields & IPPF_IPV4_OPTIONS) {
14819                 kmem_free(ipp->ipp_ipv4_options, ipp->ipp_ipv4_options_len);
14820                 ipp->ipp_ipv4_options = NULL;
14821                 ipp->ipp_ipv4_options_len = 0;
14822         }
14823         if (fields & IPPF_LABEL_V4) {
14824                 kmem_free(ipp->ipp_label_v4, ipp->ipp_label_len_v4);
14825                 ipp->ipp_label_v4 = NULL;
14826                 ipp->ipp_label_len_v4 = 0;
14827         }
14828         if (fields & IPPF_LABEL_V6) {
14829                 kmem_free(ipp->ipp_label_v6, ipp->ipp_label_len_v6);
14830                 ipp->ipp_label_v6 = NULL;
14831                 ipp->ipp_label_len_v6 = 0;
14832         }
14833         ipp->ipp_fields &= ~(IPPF_HOPOPTS | IPPF_RTHDRDSTOPTS | IPPF_DSTOPTS |
14834             IPPF_RTHDR | IPPF_IPV4_OPTIONS | IPPF_LABEL_V4 | IPPF_LABEL_V6);
14835 }
14836 
14837 /*
14838  * Copy from src to dst and allocate as needed.
14839  * Returns zero or ENOMEM.
14840  *
14841  * The caller must initialize dst to zero.
14842  */
14843 int
14844 ip_pkt_copy(ip_pkt_t *src, ip_pkt_t *dst, int kmflag)
14845 {
14846         uint_t  fields = src->ipp_fields;
14847 
14848         /* Start with fields that don't require memory allocation */
14849         dst->ipp_fields = fields &
14850             ~(IPPF_HOPOPTS | IPPF_RTHDRDSTOPTS | IPPF_DSTOPTS |
14851             IPPF_RTHDR | IPPF_IPV4_OPTIONS | IPPF_LABEL_V4 | IPPF_LABEL_V6);
14852 
14853         dst->ipp_addr = src->ipp_addr;
14854         dst->ipp_unicast_hops = src->ipp_unicast_hops;
14855         dst->ipp_hoplimit = src->ipp_hoplimit;
14856         dst->ipp_tclass = src->ipp_tclass;
14857         dst->ipp_type_of_service = src->ipp_type_of_service;
14858 
14859         if (!(fields & (IPPF_HOPOPTS | IPPF_RTHDRDSTOPTS | IPPF_DSTOPTS |
14860             IPPF_RTHDR | IPPF_IPV4_OPTIONS | IPPF_LABEL_V4 | IPPF_LABEL_V6)))
14861                 return (0);
14862 
14863         if (fields & IPPF_HOPOPTS) {
14864                 dst->ipp_hopopts = kmem_alloc(src->ipp_hopoptslen, kmflag);
14865                 if (dst->ipp_hopopts == NULL) {
14866                         ip_pkt_free(dst);
14867                         return (ENOMEM);
14868                 }
14869                 dst->ipp_fields |= IPPF_HOPOPTS;
14870                 bcopy(src->ipp_hopopts, dst->ipp_hopopts,
14871                     src->ipp_hopoptslen);
14872                 dst->ipp_hopoptslen = src->ipp_hopoptslen;
14873         }
14874         if (fields & IPPF_RTHDRDSTOPTS) {
14875                 dst->ipp_rthdrdstopts = kmem_alloc(src->ipp_rthdrdstoptslen,
14876                     kmflag);
14877                 if (dst->ipp_rthdrdstopts == NULL) {
14878                         ip_pkt_free(dst);
14879                         return (ENOMEM);
14880                 }
14881                 dst->ipp_fields |= IPPF_RTHDRDSTOPTS;
14882                 bcopy(src->ipp_rthdrdstopts, dst->ipp_rthdrdstopts,
14883                     src->ipp_rthdrdstoptslen);
14884                 dst->ipp_rthdrdstoptslen = src->ipp_rthdrdstoptslen;
14885         }
14886         if (fields & IPPF_DSTOPTS) {
14887                 dst->ipp_dstopts = kmem_alloc(src->ipp_dstoptslen, kmflag);
14888                 if (dst->ipp_dstopts == NULL) {
14889                         ip_pkt_free(dst);
14890                         return (ENOMEM);
14891                 }
14892                 dst->ipp_fields |= IPPF_DSTOPTS;
14893                 bcopy(src->ipp_dstopts, dst->ipp_dstopts,
14894                     src->ipp_dstoptslen);
14895                 dst->ipp_dstoptslen = src->ipp_dstoptslen;
14896         }
14897         if (fields & IPPF_RTHDR) {
14898                 dst->ipp_rthdr = kmem_alloc(src->ipp_rthdrlen, kmflag);
14899                 if (dst->ipp_rthdr == NULL) {
14900                         ip_pkt_free(dst);
14901                         return (ENOMEM);
14902                 }
14903                 dst->ipp_fields |= IPPF_RTHDR;
14904                 bcopy(src->ipp_rthdr, dst->ipp_rthdr,
14905                     src->ipp_rthdrlen);
14906                 dst->ipp_rthdrlen = src->ipp_rthdrlen;
14907         }
14908         if (fields & IPPF_IPV4_OPTIONS) {
14909                 dst->ipp_ipv4_options = kmem_alloc(src->ipp_ipv4_options_len,
14910                     kmflag);
14911                 if (dst->ipp_ipv4_options == NULL) {
14912                         ip_pkt_free(dst);
14913                         return (ENOMEM);
14914                 }
14915                 dst->ipp_fields |= IPPF_IPV4_OPTIONS;
14916                 bcopy(src->ipp_ipv4_options, dst->ipp_ipv4_options,
14917                     src->ipp_ipv4_options_len);
14918                 dst->ipp_ipv4_options_len = src->ipp_ipv4_options_len;
14919         }
14920         if (fields & IPPF_LABEL_V4) {
14921                 dst->ipp_label_v4 = kmem_alloc(src->ipp_label_len_v4, kmflag);
14922                 if (dst->ipp_label_v4 == NULL) {
14923                         ip_pkt_free(dst);
14924                         return (ENOMEM);
14925                 }
14926                 dst->ipp_fields |= IPPF_LABEL_V4;
14927                 bcopy(src->ipp_label_v4, dst->ipp_label_v4,
14928                     src->ipp_label_len_v4);
14929                 dst->ipp_label_len_v4 = src->ipp_label_len_v4;
14930         }
14931         if (fields & IPPF_LABEL_V6) {
14932                 dst->ipp_label_v6 = kmem_alloc(src->ipp_label_len_v6, kmflag);
14933                 if (dst->ipp_label_v6 == NULL) {
14934                         ip_pkt_free(dst);
14935                         return (ENOMEM);
14936                 }
14937                 dst->ipp_fields |= IPPF_LABEL_V6;
14938                 bcopy(src->ipp_label_v6, dst->ipp_label_v6,
14939                     src->ipp_label_len_v6);
14940                 dst->ipp_label_len_v6 = src->ipp_label_len_v6;
14941         }
14942         if (fields & IPPF_FRAGHDR) {
14943                 dst->ipp_fraghdr = kmem_alloc(src->ipp_fraghdrlen, kmflag);
14944                 if (dst->ipp_fraghdr == NULL) {
14945                         ip_pkt_free(dst);
14946                         return (ENOMEM);
14947                 }
14948                 dst->ipp_fields |= IPPF_FRAGHDR;
14949                 bcopy(src->ipp_fraghdr, dst->ipp_fraghdr,
14950                     src->ipp_fraghdrlen);
14951                 dst->ipp_fraghdrlen = src->ipp_fraghdrlen;
14952         }
14953         return (0);
14954 }
14955 
14956 /*
14957  * Returns INADDR_ANY if no source route
14958  */
14959 ipaddr_t
14960 ip_pkt_source_route_v4(const ip_pkt_t *ipp)
14961 {
14962         ipaddr_t        nexthop = INADDR_ANY;
14963         ipoptp_t        opts;
14964         uchar_t         *opt;
14965         uint8_t         optval;
14966         uint8_t         optlen;
14967         uint32_t        totallen;
14968 
14969         if (!(ipp->ipp_fields & IPPF_IPV4_OPTIONS))
14970                 return (INADDR_ANY);
14971 
14972         totallen = ipp->ipp_ipv4_options_len;
14973         if (totallen & 0x3)
14974                 return (INADDR_ANY);
14975 
14976         for (optval = ipoptp_first2(&opts, totallen, ipp->ipp_ipv4_options);
14977             optval != IPOPT_EOL;
14978             optval = ipoptp_next(&opts)) {
14979                 opt = opts.ipoptp_cur;
14980                 switch (optval) {
14981                         uint8_t off;
14982                 case IPOPT_SSRR:
14983                 case IPOPT_LSRR:
14984                         if ((opts.ipoptp_flags & IPOPTP_ERROR) != 0) {
14985                                 break;
14986                         }
14987                         optlen = opts.ipoptp_len;
14988                         off = opt[IPOPT_OFFSET];
14989                         off--;
14990                         if (optlen < IP_ADDR_LEN ||
14991                             off > optlen - IP_ADDR_LEN) {
14992                                 /* End of source route */
14993                                 break;
14994                         }
14995                         bcopy((char *)opt + off, &nexthop, IP_ADDR_LEN);
14996                         if (nexthop == htonl(INADDR_LOOPBACK)) {
14997                                 /* Ignore */
14998                                 nexthop = INADDR_ANY;
14999                                 break;
15000                         }
15001                         break;
15002                 }
15003         }
15004         return (nexthop);
15005 }
15006 
15007 /*
15008  * Reverse a source route.
15009  */
15010 void
15011 ip_pkt_source_route_reverse_v4(ip_pkt_t *ipp)
15012 {
15013         ipaddr_t        tmp;
15014         ipoptp_t        opts;
15015         uchar_t         *opt;
15016         uint8_t         optval;
15017         uint32_t        totallen;
15018 
15019         if (!(ipp->ipp_fields & IPPF_IPV4_OPTIONS))
15020                 return;
15021 
15022         totallen = ipp->ipp_ipv4_options_len;
15023         if (totallen & 0x3)
15024                 return;
15025 
15026         for (optval = ipoptp_first2(&opts, totallen, ipp->ipp_ipv4_options);
15027             optval != IPOPT_EOL;
15028             optval = ipoptp_next(&opts)) {
15029                 uint8_t off1, off2;
15030 
15031                 opt = opts.ipoptp_cur;
15032                 switch (optval) {
15033                 case IPOPT_SSRR:
15034                 case IPOPT_LSRR:
15035                         if ((opts.ipoptp_flags & IPOPTP_ERROR) != 0) {
15036                                 break;
15037                         }
15038                         off1 = IPOPT_MINOFF_SR - 1;
15039                         off2 = opt[IPOPT_OFFSET] - IP_ADDR_LEN - 1;
15040                         while (off2 > off1) {
15041                                 bcopy(opt + off2, &tmp, IP_ADDR_LEN);
15042                                 bcopy(opt + off1, opt + off2, IP_ADDR_LEN);
15043                                 bcopy(&tmp, opt + off2, IP_ADDR_LEN);
15044                                 off2 -= IP_ADDR_LEN;
15045                                 off1 += IP_ADDR_LEN;
15046                         }
15047                         opt[IPOPT_OFFSET] = IPOPT_MINOFF_SR;
15048                         break;
15049                 }
15050         }
15051 }
15052 
15053 /*
15054  * Returns NULL if no routing header
15055  */
15056 in6_addr_t *
15057 ip_pkt_source_route_v6(const ip_pkt_t *ipp)
15058 {
15059         in6_addr_t      *nexthop = NULL;
15060         ip6_rthdr0_t    *rthdr;
15061 
15062         if (!(ipp->ipp_fields & IPPF_RTHDR))
15063                 return (NULL);
15064 
15065         rthdr = (ip6_rthdr0_t *)ipp->ipp_rthdr;
15066         if (rthdr->ip6r0_segleft == 0)
15067                 return (NULL);
15068 
15069         nexthop = (in6_addr_t *)((char *)rthdr + sizeof (*rthdr));
15070         return (nexthop);
15071 }
15072 
15073 zoneid_t
15074 ip_get_zoneid_v4(ipaddr_t addr, mblk_t *mp, ip_recv_attr_t *ira,
15075     zoneid_t lookup_zoneid)
15076 {
15077         ip_stack_t      *ipst = ira->ira_ill->ill_ipst;
15078         ire_t           *ire;
15079         int             ire_flags = MATCH_IRE_TYPE;
15080         zoneid_t        zoneid = ALL_ZONES;
15081 
15082         if (is_system_labeled() && !tsol_can_accept_raw(mp, ira, B_FALSE))
15083                 return (ALL_ZONES);
15084 
15085         if (lookup_zoneid != ALL_ZONES)
15086                 ire_flags |= MATCH_IRE_ZONEONLY;
15087         ire = ire_ftable_lookup_v4(addr, NULL, NULL, IRE_LOCAL | IRE_LOOPBACK,
15088             NULL, lookup_zoneid, NULL, ire_flags, 0, ipst, NULL);
15089         if (ire != NULL) {
15090                 zoneid = IP_REAL_ZONEID(ire->ire_zoneid, ipst);
15091                 ire_refrele(ire);
15092         }
15093         return (zoneid);
15094 }
15095 
15096 zoneid_t
15097 ip_get_zoneid_v6(in6_addr_t *addr, mblk_t *mp, const ill_t *ill,
15098     ip_recv_attr_t *ira, zoneid_t lookup_zoneid)
15099 {
15100         ip_stack_t      *ipst = ira->ira_ill->ill_ipst;
15101         ire_t           *ire;
15102         int             ire_flags = MATCH_IRE_TYPE;
15103         zoneid_t        zoneid = ALL_ZONES;
15104 
15105         if (is_system_labeled() && !tsol_can_accept_raw(mp, ira, B_FALSE))
15106                 return (ALL_ZONES);
15107 
15108         if (IN6_IS_ADDR_LINKLOCAL(addr))
15109                 ire_flags |= MATCH_IRE_ILL;
15110 
15111         if (lookup_zoneid != ALL_ZONES)
15112                 ire_flags |= MATCH_IRE_ZONEONLY;
15113         ire = ire_ftable_lookup_v6(addr, NULL, NULL, IRE_LOCAL | IRE_LOOPBACK,
15114             ill, lookup_zoneid, NULL, ire_flags, 0, ipst, NULL);
15115         if (ire != NULL) {
15116                 zoneid = IP_REAL_ZONEID(ire->ire_zoneid, ipst);
15117                 ire_refrele(ire);
15118         }
15119         return (zoneid);
15120 }
15121 
15122 /*
15123  * IP obserability hook support functions.
15124  */
15125 static void
15126 ipobs_init(ip_stack_t *ipst)
15127 {
15128         netid_t id;
15129 
15130         id = net_getnetidbynetstackid(ipst->ips_netstack->netstack_stackid);
15131 
15132         ipst->ips_ip4_observe_pr = net_protocol_lookup(id, NHF_INET);
15133         VERIFY(ipst->ips_ip4_observe_pr != NULL);
15134 
15135         ipst->ips_ip6_observe_pr = net_protocol_lookup(id, NHF_INET6);
15136         VERIFY(ipst->ips_ip6_observe_pr != NULL);
15137 }
15138 
15139 static void
15140 ipobs_fini(ip_stack_t *ipst)
15141 {
15142 
15143         VERIFY(net_protocol_release(ipst->ips_ip4_observe_pr) == 0);
15144         VERIFY(net_protocol_release(ipst->ips_ip6_observe_pr) == 0);
15145 }
15146 
15147 /*
15148  * hook_pkt_observe_t is composed in network byte order so that the
15149  * entire mblk_t chain handed into hook_run can be used as-is.
15150  * The caveat is that use of the fields, such as the zone fields,
15151  * requires conversion into host byte order first.
15152  */
15153 void
15154 ipobs_hook(mblk_t *mp, int htype, zoneid_t zsrc, zoneid_t zdst,
15155     const ill_t *ill, ip_stack_t *ipst)
15156 {
15157         hook_pkt_observe_t *hdr;
15158         uint64_t grifindex;
15159         mblk_t *imp;
15160 
15161         imp = allocb(sizeof (*hdr), BPRI_HI);
15162         if (imp == NULL)
15163                 return;
15164 
15165         hdr = (hook_pkt_observe_t *)imp->b_rptr;
15166         /*
15167          * b_wptr is set to make the apparent size of the data in the mblk_t
15168          * to exclude the pointers at the end of hook_pkt_observer_t.
15169          */
15170         imp->b_wptr = imp->b_rptr + sizeof (dl_ipnetinfo_t);
15171         imp->b_cont = mp;
15172 
15173         ASSERT(DB_TYPE(mp) == M_DATA);
15174 
15175         if (IS_UNDER_IPMP(ill))
15176                 grifindex = ipmp_ill_get_ipmp_ifindex(ill);
15177         else
15178                 grifindex = 0;
15179 
15180         hdr->hpo_version = 1;
15181         hdr->hpo_htype = htons(htype);
15182         hdr->hpo_pktlen = htonl((ulong_t)msgdsize(mp));
15183         hdr->hpo_ifindex = htonl(ill->ill_phyint->phyint_ifindex);
15184         hdr->hpo_grifindex = htonl(grifindex);
15185         hdr->hpo_zsrc = htonl(zsrc);
15186         hdr->hpo_zdst = htonl(zdst);
15187         hdr->hpo_pkt = imp;
15188         hdr->hpo_ctx = ipst->ips_netstack;
15189 
15190         if (ill->ill_isv6) {
15191                 hdr->hpo_family = AF_INET6;
15192                 (void) hook_run(ipst->ips_ipv6_net_data->netd_hooks,
15193                     ipst->ips_ipv6observing, (hook_data_t)hdr);
15194         } else {
15195                 hdr->hpo_family = AF_INET;
15196                 (void) hook_run(ipst->ips_ipv4_net_data->netd_hooks,
15197                     ipst->ips_ipv4observing, (hook_data_t)hdr);
15198         }
15199 
15200         imp->b_cont = NULL;
15201         freemsg(imp);
15202 }
15203 
15204 /*
15205  * Utility routine that checks if `v4srcp' is a valid address on underlying
15206  * interface `ill'.  If `ipifp' is non-NULL, it's set to a held ipif
15207  * associated with `v4srcp' on success.  NOTE: if this is not called from
15208  * inside the IPSQ (ill_g_lock is not held), `ill' may be removed from the
15209  * group during or after this lookup.
15210  */
15211 boolean_t
15212 ipif_lookup_testaddr_v4(ill_t *ill, const in_addr_t *v4srcp, ipif_t **ipifp)
15213 {
15214         ipif_t *ipif;
15215 
15216         ipif = ipif_lookup_addr_exact(*v4srcp, ill, ill->ill_ipst);
15217         if (ipif != NULL) {
15218                 if (ipifp != NULL)
15219                         *ipifp = ipif;
15220                 else
15221                         ipif_refrele(ipif);
15222                 return (B_TRUE);
15223         }
15224 
15225         ip1dbg(("ipif_lookup_testaddr_v4: cannot find ipif for src %x\n",
15226             *v4srcp));
15227         return (B_FALSE);
15228 }
15229 
15230 /*
15231  * Transport protocol call back function for CPU state change.
15232  */
15233 /* ARGSUSED */
15234 static int
15235 ip_tp_cpu_update(cpu_setup_t what, int id, void *arg)
15236 {
15237         processorid_t cpu_seqid;
15238         netstack_handle_t nh;
15239         netstack_t *ns;
15240 
15241         ASSERT(MUTEX_HELD(&cpu_lock));
15242 
15243         switch (what) {
15244         case CPU_CONFIG:
15245         case CPU_ON:
15246         case CPU_INIT:
15247         case CPU_CPUPART_IN:
15248                 cpu_seqid = cpu[id]->cpu_seqid;
15249                 netstack_next_init(&nh);
15250                 while ((ns = netstack_next(&nh)) != NULL) {
15251                         dccp_stack_cpu_add(ns->netstack_dccp, cpu_seqid);
15252                         tcp_stack_cpu_add(ns->netstack_tcp, cpu_seqid);
15253                         sctp_stack_cpu_add(ns->netstack_sctp, cpu_seqid);
15254                         udp_stack_cpu_add(ns->netstack_udp, cpu_seqid);
15255                         netstack_rele(ns);
15256                 }
15257                 netstack_next_fini(&nh);
15258                 break;
15259         case CPU_UNCONFIG:
15260         case CPU_OFF:
15261         case CPU_CPUPART_OUT:
15262                 /*
15263                  * Nothing to do.  We don't remove the per CPU stats from
15264                  * the IP stack even when the CPU goes offline.
15265                  */
15266                 break;
15267         default:
15268                 break;
15269         }
15270         return (0);
15271 }