1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright (c) 1991, 2010, Oracle and/or its affiliates. All rights reserved.
  23  * Copyright (c) 1990 Mentat Inc.
  24  */
  25 /*
  26  * Copyright (c) 2013, Joyent, Inc. All rights reserved.
  27  */
  28 
  29 /*
  30  * This file contains the interface control functions for IP.
  31  */
  32 
  33 #include <sys/types.h>
  34 #include <sys/stream.h>
  35 #include <sys/dlpi.h>
  36 #include <sys/stropts.h>
  37 #include <sys/strsun.h>
  38 #include <sys/sysmacros.h>
  39 #include <sys/strsubr.h>
  40 #include <sys/strlog.h>
  41 #include <sys/ddi.h>
  42 #include <sys/sunddi.h>
  43 #include <sys/cmn_err.h>
  44 #include <sys/kstat.h>
  45 #include <sys/debug.h>
  46 #include <sys/zone.h>
  47 #include <sys/sunldi.h>
  48 #include <sys/file.h>
  49 #include <sys/bitmap.h>
  50 #include <sys/cpuvar.h>
  51 #include <sys/time.h>
  52 #include <sys/ctype.h>
  53 #include <sys/kmem.h>
  54 #include <sys/systm.h>
  55 #include <sys/param.h>
  56 #include <sys/socket.h>
  57 #include <sys/isa_defs.h>
  58 #include <net/if.h>
  59 #include <net/if_arp.h>
  60 #include <net/if_types.h>
  61 #include <net/if_dl.h>
  62 #include <net/route.h>
  63 #include <sys/sockio.h>
  64 #include <netinet/in.h>
  65 #include <netinet/ip6.h>
  66 #include <netinet/icmp6.h>
  67 #include <netinet/igmp_var.h>
  68 #include <sys/policy.h>
  69 #include <sys/ethernet.h>
  70 #include <sys/callb.h>
  71 #include <sys/md5.h>
  72 
  73 #include <inet/common.h>   /* for various inet/mi.h and inet/nd.h needs */
  74 #include <inet/mi.h>
  75 #include <inet/nd.h>
  76 #include <inet/tunables.h>
  77 #include <inet/arp.h>
  78 #include <inet/ip_arp.h>
  79 #include <inet/mib2.h>
  80 #include <inet/ip.h>
  81 #include <inet/ip6.h>
  82 #include <inet/ip6_asp.h>
  83 #include <inet/tcp.h>
  84 #include <inet/ip_multi.h>
  85 #include <inet/ip_ire.h>
  86 #include <inet/ip_ftable.h>
  87 #include <inet/ip_rts.h>
  88 #include <inet/ip_ndp.h>
  89 #include <inet/ip_if.h>
  90 #include <inet/ip_impl.h>
  91 #include <inet/sctp_ip.h>
  92 #include <inet/ip_netinfo.h>
  93 #include <inet/ilb_ip.h>
  94 
  95 #include <netinet/igmp.h>
  96 #include <inet/ip_listutils.h>
  97 #include <inet/ipclassifier.h>
  98 #include <sys/mac_client.h>
  99 #include <sys/dld.h>
 100 #include <sys/mac_flow.h>
 101 
 102 #include <sys/systeminfo.h>
 103 #include <sys/bootconf.h>
 104 
 105 #include <sys/tsol/tndb.h>
 106 #include <sys/tsol/tnet.h>
 107 
 108 #include <inet/rawip_impl.h> /* needed for icmp_stack_t */
 109 #include <inet/udp_impl.h> /* needed for udp_stack_t */
 110 
 111 /* The character which tells where the ill_name ends */
 112 #define IPIF_SEPARATOR_CHAR     ':'
 113 
 114 /* IP ioctl function table entry */
 115 typedef struct ipft_s {
 116         int     ipft_cmd;
 117         pfi_t   ipft_pfi;
 118         int     ipft_min_size;
 119         int     ipft_flags;
 120 } ipft_t;
 121 #define IPFT_F_NO_REPLY         0x1     /* IP ioctl does not expect any reply */
 122 #define IPFT_F_SELF_REPLY       0x2     /* ioctl callee does the ioctl reply */
 123 
 124 static int      nd_ill_forward_get(queue_t *, mblk_t *, caddr_t, cred_t *);
 125 static int      nd_ill_forward_set(queue_t *q, mblk_t *mp,
 126                     char *value, caddr_t cp, cred_t *ioc_cr);
 127 
 128 static boolean_t ill_is_quiescent(ill_t *);
 129 static boolean_t ip_addr_ok_v4(ipaddr_t addr, ipaddr_t subnet_mask);
 130 static ip_m_t   *ip_m_lookup(t_uscalar_t mac_type);
 131 static int      ip_sioctl_addr_tail(ipif_t *ipif, sin_t *sin, queue_t *q,
 132     mblk_t *mp, boolean_t need_up);
 133 static int      ip_sioctl_dstaddr_tail(ipif_t *ipif, sin_t *sin, queue_t *q,
 134     mblk_t *mp, boolean_t need_up);
 135 static int      ip_sioctl_slifzone_tail(ipif_t *ipif, zoneid_t zoneid,
 136     queue_t *q, mblk_t *mp, boolean_t need_up);
 137 static int      ip_sioctl_flags_tail(ipif_t *ipif, uint64_t flags, queue_t *q,
 138     mblk_t *mp);
 139 static int      ip_sioctl_netmask_tail(ipif_t *ipif, sin_t *sin, queue_t *q,
 140     mblk_t *mp);
 141 static int      ip_sioctl_subnet_tail(ipif_t *ipif, in6_addr_t, in6_addr_t,
 142     queue_t *q, mblk_t *mp, boolean_t need_up);
 143 static int      ip_sioctl_plink_ipmod(ipsq_t *ipsq, queue_t *q, mblk_t *mp,
 144     int ioccmd, struct linkblk *li);
 145 static ipaddr_t ip_subnet_mask(ipaddr_t addr, ipif_t **, ip_stack_t *);
 146 static void     ip_wput_ioctl(queue_t *q, mblk_t *mp);
 147 static void     ipsq_flush(ill_t *ill);
 148 
 149 static  int     ip_sioctl_token_tail(ipif_t *ipif, sin6_t *sin6, int addrlen,
 150     queue_t *q, mblk_t *mp, boolean_t need_up);
 151 static void     ipsq_delete(ipsq_t *);
 152 
 153 static ipif_t   *ipif_allocate(ill_t *ill, int id, uint_t ire_type,
 154     boolean_t initialize, boolean_t insert, int *errorp);
 155 static ire_t    **ipif_create_bcast_ires(ipif_t *ipif, ire_t **irep);
 156 static void     ipif_delete_bcast_ires(ipif_t *ipif);
 157 static int      ipif_add_ires_v4(ipif_t *, boolean_t);
 158 static boolean_t ipif_comp_multi(ipif_t *old_ipif, ipif_t *new_ipif,
 159                     boolean_t isv6);
 160 static int      ipif_logical_down(ipif_t *ipif, queue_t *q, mblk_t *mp);
 161 static void     ipif_free(ipif_t *ipif);
 162 static void     ipif_free_tail(ipif_t *ipif);
 163 static void     ipif_set_default(ipif_t *ipif);
 164 static int      ipif_set_values(queue_t *q, mblk_t *mp,
 165     char *interf_name, uint_t *ppa);
 166 static int      ipif_set_values_tail(ill_t *ill, ipif_t *ipif, mblk_t *mp,
 167     queue_t *q);
 168 static ipif_t   *ipif_lookup_on_name(char *name, size_t namelen,
 169     boolean_t do_alloc, boolean_t *exists, boolean_t isv6, zoneid_t zoneid,
 170     ip_stack_t *);
 171 static ipif_t   *ipif_lookup_on_name_async(char *name, size_t namelen,
 172     boolean_t isv6, zoneid_t zoneid, queue_t *q, mblk_t *mp, ipsq_func_t func,
 173     int *error, ip_stack_t *);
 174 
 175 static int      ill_alloc_ppa(ill_if_t *, ill_t *);
 176 static void     ill_delete_interface_type(ill_if_t *);
 177 static int      ill_dl_up(ill_t *ill, ipif_t *ipif, mblk_t *mp, queue_t *q);
 178 static void     ill_dl_down(ill_t *ill);
 179 static void     ill_down(ill_t *ill);
 180 static void     ill_down_ipifs(ill_t *, boolean_t);
 181 static void     ill_free_mib(ill_t *ill);
 182 static void     ill_glist_delete(ill_t *);
 183 static void     ill_phyint_reinit(ill_t *ill);
 184 static void     ill_set_nce_router_flags(ill_t *, boolean_t);
 185 static void     ill_set_phys_addr_tail(ipsq_t *, queue_t *, mblk_t *, void *);
 186 static void     ill_replumb_tail(ipsq_t *, queue_t *, mblk_t *, void *);
 187 
 188 static ip_v6intfid_func_t ip_ether_v6intfid, ip_ib_v6intfid;
 189 static ip_v6intfid_func_t ip_ipv4_v6intfid, ip_ipv6_v6intfid;
 190 static ip_v6intfid_func_t ip_ipmp_v6intfid, ip_nodef_v6intfid;
 191 static ip_v6intfid_func_t ip_ipv4_v6destintfid, ip_ipv6_v6destintfid;
 192 static ip_v4mapinfo_func_t ip_ether_v4_mapping;
 193 static ip_v6mapinfo_func_t ip_ether_v6_mapping;
 194 static ip_v4mapinfo_func_t ip_ib_v4_mapping;
 195 static ip_v6mapinfo_func_t ip_ib_v6_mapping;
 196 static ip_v4mapinfo_func_t ip_mbcast_mapping;
 197 static void     ip_cgtp_bcast_add(ire_t *, ip_stack_t *);
 198 static void     ip_cgtp_bcast_delete(ire_t *, ip_stack_t *);
 199 static void     phyint_free(phyint_t *);
 200 
 201 static void ill_capability_dispatch(ill_t *, mblk_t *, dl_capability_sub_t *);
 202 static void ill_capability_id_ack(ill_t *, mblk_t *, dl_capability_sub_t *);
 203 static void ill_capability_vrrp_ack(ill_t *, mblk_t *, dl_capability_sub_t *);
 204 static void ill_capability_hcksum_ack(ill_t *, mblk_t *, dl_capability_sub_t *);
 205 static void ill_capability_hcksum_reset_fill(ill_t *, mblk_t *);
 206 static void ill_capability_zerocopy_ack(ill_t *, mblk_t *,
 207     dl_capability_sub_t *);
 208 static void ill_capability_zerocopy_reset_fill(ill_t *, mblk_t *);
 209 static void     ill_capability_dld_reset_fill(ill_t *, mblk_t *);
 210 static void     ill_capability_dld_ack(ill_t *, mblk_t *,
 211                     dl_capability_sub_t *);
 212 static void     ill_capability_dld_enable(ill_t *);
 213 static void     ill_capability_ack_thr(void *);
 214 static void     ill_capability_lso_enable(ill_t *);
 215 
 216 static ill_t    *ill_prev_usesrc(ill_t *);
 217 static int      ill_relink_usesrc_ills(ill_t *, ill_t *, uint_t);
 218 static void     ill_disband_usesrc_group(ill_t *);
 219 static void     ip_sioctl_garp_reply(mblk_t *, ill_t *, void *, int);
 220 
 221 #ifdef DEBUG
 222 static  void    ill_trace_cleanup(const ill_t *);
 223 static  void    ipif_trace_cleanup(const ipif_t *);
 224 #endif
 225 
 226 static  void    ill_dlpi_clear_deferred(ill_t *ill);
 227 
 228 static  void    phyint_flags_init(phyint_t *, t_uscalar_t);
 229 
 230 /*
 231  * if we go over the memory footprint limit more than once in this msec
 232  * interval, we'll start pruning aggressively.
 233  */
 234 int ip_min_frag_prune_time = 0;
 235 
 236 static ipft_t   ip_ioctl_ftbl[] = {
 237         { IP_IOC_IRE_DELETE, ip_ire_delete, sizeof (ipid_t), 0 },
 238         { IP_IOC_IRE_DELETE_NO_REPLY, ip_ire_delete, sizeof (ipid_t),
 239                 IPFT_F_NO_REPLY },
 240         { IP_IOC_RTS_REQUEST, ip_rts_request, 0, IPFT_F_SELF_REPLY },
 241         { 0 }
 242 };
 243 
 244 /* Simple ICMP IP Header Template */
 245 static ipha_t icmp_ipha = {
 246         IP_SIMPLE_HDR_VERSION, 0, 0, 0, 0, 0, IPPROTO_ICMP
 247 };
 248 
 249 static uchar_t  ip_six_byte_all_ones[] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
 250 
 251 static ip_m_t   ip_m_tbl[] = {
 252         { DL_ETHER, IFT_ETHER, ETHERTYPE_IP, ETHERTYPE_IPV6,
 253             ip_ether_v4_mapping, ip_ether_v6_mapping, ip_ether_v6intfid,
 254             ip_nodef_v6intfid },
 255         { DL_CSMACD, IFT_ISO88023, ETHERTYPE_IP, ETHERTYPE_IPV6,
 256             ip_ether_v4_mapping, ip_ether_v6_mapping, ip_nodef_v6intfid,
 257             ip_nodef_v6intfid },
 258         { DL_TPB, IFT_ISO88024, ETHERTYPE_IP, ETHERTYPE_IPV6,
 259             ip_ether_v4_mapping, ip_ether_v6_mapping, ip_nodef_v6intfid,
 260             ip_nodef_v6intfid },
 261         { DL_TPR, IFT_ISO88025, ETHERTYPE_IP, ETHERTYPE_IPV6,
 262             ip_ether_v4_mapping, ip_ether_v6_mapping, ip_nodef_v6intfid,
 263             ip_nodef_v6intfid },
 264         { DL_FDDI, IFT_FDDI, ETHERTYPE_IP, ETHERTYPE_IPV6,
 265             ip_ether_v4_mapping, ip_ether_v6_mapping, ip_ether_v6intfid,
 266             ip_nodef_v6intfid },
 267         { DL_IB, IFT_IB, ETHERTYPE_IP, ETHERTYPE_IPV6,
 268             ip_ib_v4_mapping, ip_ib_v6_mapping, ip_ib_v6intfid,
 269             ip_nodef_v6intfid },
 270         { DL_IPV4, IFT_IPV4, IPPROTO_ENCAP, IPPROTO_IPV6,
 271             ip_mbcast_mapping, ip_mbcast_mapping, ip_ipv4_v6intfid,
 272             ip_ipv4_v6destintfid },
 273         { DL_IPV6, IFT_IPV6, IPPROTO_ENCAP, IPPROTO_IPV6,
 274             ip_mbcast_mapping, ip_mbcast_mapping, ip_ipv6_v6intfid,
 275             ip_ipv6_v6destintfid },
 276         { DL_6TO4, IFT_6TO4, IPPROTO_ENCAP, IPPROTO_IPV6,
 277             ip_mbcast_mapping, ip_mbcast_mapping, ip_ipv4_v6intfid,
 278             ip_nodef_v6intfid },
 279         { SUNW_DL_VNI, IFT_OTHER, ETHERTYPE_IP, ETHERTYPE_IPV6,
 280             NULL, NULL, ip_nodef_v6intfid, ip_nodef_v6intfid },
 281         { SUNW_DL_IPMP, IFT_OTHER, ETHERTYPE_IP, ETHERTYPE_IPV6,
 282             NULL, NULL, ip_ipmp_v6intfid, ip_nodef_v6intfid },
 283         { DL_OTHER, IFT_OTHER, ETHERTYPE_IP, ETHERTYPE_IPV6,
 284             ip_ether_v4_mapping, ip_ether_v6_mapping, ip_nodef_v6intfid,
 285             ip_nodef_v6intfid }
 286 };
 287 
 288 char    ipif_loopback_name[] = "lo0";
 289 
 290 /* These are used by all IP network modules. */
 291 sin6_t  sin6_null;      /* Zero address for quick clears */
 292 sin_t   sin_null;       /* Zero address for quick clears */
 293 
 294 /* When set search for unused ipif_seqid */
 295 static ipif_t   ipif_zero;
 296 
 297 /*
 298  * ppa arena is created after these many
 299  * interfaces have been plumbed.
 300  */
 301 uint_t  ill_no_arena = 12;      /* Setable in /etc/system */
 302 
 303 /*
 304  * Allocate per-interface mibs.
 305  * Returns true if ok. False otherwise.
 306  *  ipsq  may not yet be allocated (loopback case ).
 307  */
 308 static boolean_t
 309 ill_allocate_mibs(ill_t *ill)
 310 {
 311         /* Already allocated? */
 312         if (ill->ill_ip_mib != NULL) {
 313                 if (ill->ill_isv6)
 314                         ASSERT(ill->ill_icmp6_mib != NULL);
 315                 return (B_TRUE);
 316         }
 317 
 318         ill->ill_ip_mib = kmem_zalloc(sizeof (*ill->ill_ip_mib),
 319             KM_NOSLEEP);
 320         if (ill->ill_ip_mib == NULL) {
 321                 return (B_FALSE);
 322         }
 323 
 324         /* Setup static information */
 325         SET_MIB(ill->ill_ip_mib->ipIfStatsEntrySize,
 326             sizeof (mib2_ipIfStatsEntry_t));
 327         if (ill->ill_isv6) {
 328                 ill->ill_ip_mib->ipIfStatsIPVersion = MIB2_INETADDRESSTYPE_ipv6;
 329                 SET_MIB(ill->ill_ip_mib->ipIfStatsAddrEntrySize,
 330                     sizeof (mib2_ipv6AddrEntry_t));
 331                 SET_MIB(ill->ill_ip_mib->ipIfStatsRouteEntrySize,
 332                     sizeof (mib2_ipv6RouteEntry_t));
 333                 SET_MIB(ill->ill_ip_mib->ipIfStatsNetToMediaEntrySize,
 334                     sizeof (mib2_ipv6NetToMediaEntry_t));
 335                 SET_MIB(ill->ill_ip_mib->ipIfStatsMemberEntrySize,
 336                     sizeof (ipv6_member_t));
 337                 SET_MIB(ill->ill_ip_mib->ipIfStatsGroupSourceEntrySize,
 338                     sizeof (ipv6_grpsrc_t));
 339         } else {
 340                 ill->ill_ip_mib->ipIfStatsIPVersion = MIB2_INETADDRESSTYPE_ipv4;
 341                 SET_MIB(ill->ill_ip_mib->ipIfStatsAddrEntrySize,
 342                     sizeof (mib2_ipAddrEntry_t));
 343                 SET_MIB(ill->ill_ip_mib->ipIfStatsRouteEntrySize,
 344                     sizeof (mib2_ipRouteEntry_t));
 345                 SET_MIB(ill->ill_ip_mib->ipIfStatsNetToMediaEntrySize,
 346                     sizeof (mib2_ipNetToMediaEntry_t));
 347                 SET_MIB(ill->ill_ip_mib->ipIfStatsMemberEntrySize,
 348                     sizeof (ip_member_t));
 349                 SET_MIB(ill->ill_ip_mib->ipIfStatsGroupSourceEntrySize,
 350                     sizeof (ip_grpsrc_t));
 351 
 352                 /*
 353                  * For a v4 ill, we are done at this point, because per ill
 354                  * icmp mibs are only used for v6.
 355                  */
 356                 return (B_TRUE);
 357         }
 358 
 359         ill->ill_icmp6_mib = kmem_zalloc(sizeof (*ill->ill_icmp6_mib),
 360             KM_NOSLEEP);
 361         if (ill->ill_icmp6_mib == NULL) {
 362                 kmem_free(ill->ill_ip_mib, sizeof (*ill->ill_ip_mib));
 363                 ill->ill_ip_mib = NULL;
 364                 return (B_FALSE);
 365         }
 366         /* static icmp info */
 367         ill->ill_icmp6_mib->ipv6IfIcmpEntrySize =
 368             sizeof (mib2_ipv6IfIcmpEntry_t);
 369         /*
 370          * The ipIfStatsIfindex and ipv6IfIcmpIndex will be assigned later
 371          * after the phyint merge occurs in ipif_set_values -> ill_glist_insert
 372          * -> ill_phyint_reinit
 373          */
 374         return (B_TRUE);
 375 }
 376 
 377 /*
 378  * Completely vaporize a lower level tap and all associated interfaces.
 379  * ill_delete is called only out of ip_close when the device control
 380  * stream is being closed.
 381  */
 382 void
 383 ill_delete(ill_t *ill)
 384 {
 385         ipif_t  *ipif;
 386         ill_t   *prev_ill;
 387         ip_stack_t      *ipst = ill->ill_ipst;
 388 
 389         /*
 390          * ill_delete may be forcibly entering the ipsq. The previous
 391          * ioctl may not have completed and may need to be aborted.
 392          * ipsq_flush takes care of it. If we don't need to enter the
 393          * the ipsq forcibly, the 2nd invocation of ipsq_flush in
 394          * ill_delete_tail is sufficient.
 395          */
 396         ipsq_flush(ill);
 397 
 398         /*
 399          * Nuke all interfaces.  ipif_free will take down the interface,
 400          * remove it from the list, and free the data structure.
 401          * Walk down the ipif list and remove the logical interfaces
 402          * first before removing the main ipif. We can't unplumb
 403          * zeroth interface first in the case of IPv6 as update_conn_ill
 404          * -> ip_ll_multireq de-references ill_ipif for checking
 405          * POINTOPOINT.
 406          *
 407          * If ill_ipif was not properly initialized (i.e low on memory),
 408          * then no interfaces to clean up. In this case just clean up the
 409          * ill.
 410          */
 411         for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next)
 412                 ipif_free(ipif);
 413 
 414         /*
 415          * clean out all the nce_t entries that depend on this
 416          * ill for the ill_phys_addr.
 417          */
 418         nce_flush(ill, B_TRUE);
 419 
 420         /* Clean up msgs on pending upcalls for mrouted */
 421         reset_mrt_ill(ill);
 422 
 423         update_conn_ill(ill, ipst);
 424 
 425         /*
 426          * Remove multicast references added as a result of calls to
 427          * ip_join_allmulti().
 428          */
 429         ip_purge_allmulti(ill);
 430 
 431         /*
 432          * If the ill being deleted is under IPMP, boot it out of the illgrp.
 433          */
 434         if (IS_UNDER_IPMP(ill))
 435                 ipmp_ill_leave_illgrp(ill);
 436 
 437         /*
 438          * ill_down will arrange to blow off any IRE's dependent on this
 439          * ILL, and shut down fragmentation reassembly.
 440          */
 441         ill_down(ill);
 442 
 443         /* Let SCTP know, so that it can remove this from its list. */
 444         sctp_update_ill(ill, SCTP_ILL_REMOVE);
 445 
 446         /*
 447          * Walk all CONNs that can have a reference on an ire or nce for this
 448          * ill (we actually walk all that now have stale references).
 449          */
 450         ipcl_walk(conn_ixa_cleanup, (void *)B_TRUE, ipst);
 451 
 452         /* With IPv6 we have dce_ifindex. Cleanup for neatness */
 453         if (ill->ill_isv6)
 454                 dce_cleanup(ill->ill_phyint->phyint_ifindex, ipst);
 455 
 456         /*
 457          * If an address on this ILL is being used as a source address then
 458          * clear out the pointers in other ILLs that point to this ILL.
 459          */
 460         rw_enter(&ipst->ips_ill_g_usesrc_lock, RW_WRITER);
 461         if (ill->ill_usesrc_grp_next != NULL) {
 462                 if (ill->ill_usesrc_ifindex == 0) { /* usesrc ILL ? */
 463                         ill_disband_usesrc_group(ill);
 464                 } else {        /* consumer of the usesrc ILL */
 465                         prev_ill = ill_prev_usesrc(ill);
 466                         prev_ill->ill_usesrc_grp_next =
 467                             ill->ill_usesrc_grp_next;
 468                 }
 469         }
 470         rw_exit(&ipst->ips_ill_g_usesrc_lock);
 471 }
 472 
 473 static void
 474 ipif_non_duplicate(ipif_t *ipif)
 475 {
 476         ill_t *ill = ipif->ipif_ill;
 477         mutex_enter(&ill->ill_lock);
 478         if (ipif->ipif_flags & IPIF_DUPLICATE) {
 479                 ipif->ipif_flags &= ~IPIF_DUPLICATE;
 480                 ASSERT(ill->ill_ipif_dup_count > 0);
 481                 ill->ill_ipif_dup_count--;
 482         }
 483         mutex_exit(&ill->ill_lock);
 484 }
 485 
 486 /*
 487  * ill_delete_tail is called from ip_modclose after all references
 488  * to the closing ill are gone. The wait is done in ip_modclose
 489  */
 490 void
 491 ill_delete_tail(ill_t *ill)
 492 {
 493         mblk_t  **mpp;
 494         ipif_t  *ipif;
 495         ip_stack_t *ipst = ill->ill_ipst;
 496 
 497         for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
 498                 ipif_non_duplicate(ipif);
 499                 (void) ipif_down_tail(ipif);
 500         }
 501 
 502         ASSERT(ill->ill_ipif_dup_count == 0);
 503 
 504         /*
 505          * If polling capability is enabled (which signifies direct
 506          * upcall into IP and driver has ill saved as a handle),
 507          * we need to make sure that unbind has completed before we
 508          * let the ill disappear and driver no longer has any reference
 509          * to this ill.
 510          */
 511         mutex_enter(&ill->ill_lock);
 512         while (ill->ill_state_flags & ILL_DL_UNBIND_IN_PROGRESS)
 513                 cv_wait(&ill->ill_cv, &ill->ill_lock);
 514         mutex_exit(&ill->ill_lock);
 515         ASSERT(!(ill->ill_capabilities &
 516             (ILL_CAPAB_DLD | ILL_CAPAB_DLD_POLL | ILL_CAPAB_DLD_DIRECT)));
 517 
 518         if (ill->ill_net_type != IRE_LOOPBACK)
 519                 qprocsoff(ill->ill_rq);
 520 
 521         /*
 522          * We do an ipsq_flush once again now. New messages could have
 523          * landed up from below (M_ERROR or M_HANGUP). Similarly ioctls
 524          * could also have landed up if an ioctl thread had looked up
 525          * the ill before we set the ILL_CONDEMNED flag, but not yet
 526          * enqueued the ioctl when we did the ipsq_flush last time.
 527          */
 528         ipsq_flush(ill);
 529 
 530         /*
 531          * Free capabilities.
 532          */
 533         if (ill->ill_hcksum_capab != NULL) {
 534                 kmem_free(ill->ill_hcksum_capab, sizeof (ill_hcksum_capab_t));
 535                 ill->ill_hcksum_capab = NULL;
 536         }
 537 
 538         if (ill->ill_zerocopy_capab != NULL) {
 539                 kmem_free(ill->ill_zerocopy_capab,
 540                     sizeof (ill_zerocopy_capab_t));
 541                 ill->ill_zerocopy_capab = NULL;
 542         }
 543 
 544         if (ill->ill_lso_capab != NULL) {
 545                 kmem_free(ill->ill_lso_capab, sizeof (ill_lso_capab_t));
 546                 ill->ill_lso_capab = NULL;
 547         }
 548 
 549         if (ill->ill_dld_capab != NULL) {
 550                 kmem_free(ill->ill_dld_capab, sizeof (ill_dld_capab_t));
 551                 ill->ill_dld_capab = NULL;
 552         }
 553 
 554         /* Clean up ill_allowed_ips* related state */
 555         if (ill->ill_allowed_ips != NULL) {
 556                 ASSERT(ill->ill_allowed_ips_cnt > 0);
 557                 kmem_free(ill->ill_allowed_ips,
 558                     ill->ill_allowed_ips_cnt * sizeof (in6_addr_t));
 559                 ill->ill_allowed_ips = NULL;
 560                 ill->ill_allowed_ips_cnt = 0;
 561         }
 562 
 563         while (ill->ill_ipif != NULL)
 564                 ipif_free_tail(ill->ill_ipif);
 565 
 566         /*
 567          * We have removed all references to ilm from conn and the ones joined
 568          * within the kernel.
 569          *
 570          * We don't walk conns, mrts and ires because
 571          *
 572          * 1) update_conn_ill and reset_mrt_ill cleans up conns and mrts.
 573          * 2) ill_down ->ill_downi walks all the ires and cleans up
 574          *    ill references.
 575          */
 576 
 577         /*
 578          * If this ill is an IPMP meta-interface, blow away the illgrp.  This
 579          * is safe to do because the illgrp has already been unlinked from the
 580          * group by I_PUNLINK, and thus SIOCSLIFGROUPNAME cannot find it.
 581          */
 582         if (IS_IPMP(ill)) {
 583                 ipmp_illgrp_destroy(ill->ill_grp);
 584                 ill->ill_grp = NULL;
 585         }
 586 
 587         if (ill->ill_mphysaddr_list != NULL) {
 588                 multiphysaddr_t *mpa, *tmpa;
 589 
 590                 mpa = ill->ill_mphysaddr_list;
 591                 ill->ill_mphysaddr_list = NULL;
 592                 while (mpa) {
 593                         tmpa = mpa->mpa_next;
 594                         kmem_free(mpa, sizeof (*mpa));
 595                         mpa = tmpa;
 596                 }
 597         }
 598         /*
 599          * Take us out of the list of ILLs. ill_glist_delete -> phyint_free
 600          * could free the phyint. No more reference to the phyint after this
 601          * point.
 602          */
 603         (void) ill_glist_delete(ill);
 604 
 605         if (ill->ill_frag_ptr != NULL) {
 606                 uint_t count;
 607 
 608                 for (count = 0; count < ILL_FRAG_HASH_TBL_COUNT; count++) {
 609                         mutex_destroy(&ill->ill_frag_hash_tbl[count].ipfb_lock);
 610                 }
 611                 mi_free(ill->ill_frag_ptr);
 612                 ill->ill_frag_ptr = NULL;
 613                 ill->ill_frag_hash_tbl = NULL;
 614         }
 615 
 616         freemsg(ill->ill_nd_lla_mp);
 617         /* Free all retained control messages. */
 618         mpp = &ill->ill_first_mp_to_free;
 619         do {
 620                 while (mpp[0]) {
 621                         mblk_t  *mp;
 622                         mblk_t  *mp1;
 623 
 624                         mp = mpp[0];
 625                         mpp[0] = mp->b_next;
 626                         for (mp1 = mp; mp1 != NULL; mp1 = mp1->b_cont) {
 627                                 mp1->b_next = NULL;
 628                                 mp1->b_prev = NULL;
 629                         }
 630                         freemsg(mp);
 631                 }
 632         } while (mpp++ != &ill->ill_last_mp_to_free);
 633 
 634         ill_free_mib(ill);
 635 
 636 #ifdef DEBUG
 637         ill_trace_cleanup(ill);
 638 #endif
 639 
 640         /* The default multicast interface might have changed */
 641         ire_increment_multicast_generation(ipst, ill->ill_isv6);
 642 
 643         /* Drop refcnt here */
 644         netstack_rele(ill->ill_ipst->ips_netstack);
 645         ill->ill_ipst = NULL;
 646 }
 647 
 648 static void
 649 ill_free_mib(ill_t *ill)
 650 {
 651         ip_stack_t *ipst = ill->ill_ipst;
 652 
 653         /*
 654          * MIB statistics must not be lost, so when an interface
 655          * goes away the counter values will be added to the global
 656          * MIBs.
 657          */
 658         if (ill->ill_ip_mib != NULL) {
 659                 if (ill->ill_isv6) {
 660                         ip_mib2_add_ip_stats(&ipst->ips_ip6_mib,
 661                             ill->ill_ip_mib);
 662                 } else {
 663                         ip_mib2_add_ip_stats(&ipst->ips_ip_mib,
 664                             ill->ill_ip_mib);
 665                 }
 666 
 667                 kmem_free(ill->ill_ip_mib, sizeof (*ill->ill_ip_mib));
 668                 ill->ill_ip_mib = NULL;
 669         }
 670         if (ill->ill_icmp6_mib != NULL) {
 671                 ip_mib2_add_icmp6_stats(&ipst->ips_icmp6_mib,
 672                     ill->ill_icmp6_mib);
 673                 kmem_free(ill->ill_icmp6_mib, sizeof (*ill->ill_icmp6_mib));
 674                 ill->ill_icmp6_mib = NULL;
 675         }
 676 }
 677 
 678 /*
 679  * Concatenate together a physical address and a sap.
 680  *
 681  * Sap_lengths are interpreted as follows:
 682  *   sap_length == 0    ==>  no sap
 683  *   sap_length > 0  ==>  sap is at the head of the dlpi address
 684  *   sap_length < 0  ==>  sap is at the tail of the dlpi address
 685  */
 686 static void
 687 ill_dlur_copy_address(uchar_t *phys_src, uint_t phys_length,
 688     t_scalar_t sap_src, t_scalar_t sap_length, uchar_t *dst)
 689 {
 690         uint16_t sap_addr = (uint16_t)sap_src;
 691 
 692         if (sap_length == 0) {
 693                 if (phys_src == NULL)
 694                         bzero(dst, phys_length);
 695                 else
 696                         bcopy(phys_src, dst, phys_length);
 697         } else if (sap_length < 0) {
 698                 if (phys_src == NULL)
 699                         bzero(dst, phys_length);
 700                 else
 701                         bcopy(phys_src, dst, phys_length);
 702                 bcopy(&sap_addr, (char *)dst + phys_length, sizeof (sap_addr));
 703         } else {
 704                 bcopy(&sap_addr, dst, sizeof (sap_addr));
 705                 if (phys_src == NULL)
 706                         bzero((char *)dst + sap_length, phys_length);
 707                 else
 708                         bcopy(phys_src, (char *)dst + sap_length, phys_length);
 709         }
 710 }
 711 
 712 /*
 713  * Generate a dl_unitdata_req mblk for the device and address given.
 714  * addr_length is the length of the physical portion of the address.
 715  * If addr is NULL include an all zero address of the specified length.
 716  * TRUE? In any case, addr_length is taken to be the entire length of the
 717  * dlpi address, including the absolute value of sap_length.
 718  */
 719 mblk_t *
 720 ill_dlur_gen(uchar_t *addr, uint_t addr_length, t_uscalar_t sap,
 721                 t_scalar_t sap_length)
 722 {
 723         dl_unitdata_req_t *dlur;
 724         mblk_t  *mp;
 725         t_scalar_t      abs_sap_length;         /* absolute value */
 726 
 727         abs_sap_length = ABS(sap_length);
 728         mp = ip_dlpi_alloc(sizeof (*dlur) + addr_length + abs_sap_length,
 729             DL_UNITDATA_REQ);
 730         if (mp == NULL)
 731                 return (NULL);
 732         dlur = (dl_unitdata_req_t *)mp->b_rptr;
 733         /* HACK: accomodate incompatible DLPI drivers */
 734         if (addr_length == 8)
 735                 addr_length = 6;
 736         dlur->dl_dest_addr_length = addr_length + abs_sap_length;
 737         dlur->dl_dest_addr_offset = sizeof (*dlur);
 738         dlur->dl_priority.dl_min = 0;
 739         dlur->dl_priority.dl_max = 0;
 740         ill_dlur_copy_address(addr, addr_length, sap, sap_length,
 741             (uchar_t *)&dlur[1]);
 742         return (mp);
 743 }
 744 
 745 /*
 746  * Add the pending mp to the list. There can be only 1 pending mp
 747  * in the list. Any exclusive ioctl that needs to wait for a response
 748  * from another module or driver needs to use this function to set
 749  * the ipx_pending_mp to the ioctl mblk and wait for the response from
 750  * the other module/driver. This is also used while waiting for the
 751  * ipif/ill/ire refcnts to drop to zero in bringing down an ipif.
 752  */
 753 boolean_t
 754 ipsq_pending_mp_add(conn_t *connp, ipif_t *ipif, queue_t *q, mblk_t *add_mp,
 755     int waitfor)
 756 {
 757         ipxop_t *ipx = ipif->ipif_ill->ill_phyint->phyint_ipsq->ipsq_xop;
 758 
 759         ASSERT(IAM_WRITER_IPIF(ipif));
 760         ASSERT(MUTEX_HELD(&ipif->ipif_ill->ill_lock));
 761         ASSERT((add_mp->b_next == NULL) && (add_mp->b_prev == NULL));
 762         ASSERT(ipx->ipx_pending_mp == NULL);
 763         /*
 764          * The caller may be using a different ipif than the one passed into
 765          * ipsq_current_start() (e.g., suppose an ioctl that came in on the V4
 766          * ill needs to wait for the V6 ill to quiesce).  So we can't ASSERT
 767          * that `ipx_current_ipif == ipif'.
 768          */
 769         ASSERT(ipx->ipx_current_ipif != NULL);
 770 
 771         /*
 772          * M_IOCDATA from ioctls, M_ERROR/M_HANGUP/M_PROTO/M_PCPROTO from the
 773          * driver.
 774          */
 775         ASSERT((DB_TYPE(add_mp) == M_IOCDATA) || (DB_TYPE(add_mp) == M_ERROR) ||
 776             (DB_TYPE(add_mp) == M_HANGUP) || (DB_TYPE(add_mp) == M_PROTO) ||
 777             (DB_TYPE(add_mp) == M_PCPROTO));
 778 
 779         if (connp != NULL) {
 780                 ASSERT(MUTEX_HELD(&connp->conn_lock));
 781                 /*
 782                  * Return error if the conn has started closing. The conn
 783                  * could have finished cleaning up the pending mp list,
 784                  * If so we should not add another mp to the list negating
 785                  * the cleanup.
 786                  */
 787                 if (connp->conn_state_flags & CONN_CLOSING)
 788                         return (B_FALSE);
 789         }
 790         mutex_enter(&ipx->ipx_lock);
 791         ipx->ipx_pending_ipif = ipif;
 792         /*
 793          * Note down the queue in b_queue. This will be returned by
 794          * ipsq_pending_mp_get. Caller will then use these values to restart
 795          * the processing
 796          */
 797         add_mp->b_next = NULL;
 798         add_mp->b_queue = q;
 799         ipx->ipx_pending_mp = add_mp;
 800         ipx->ipx_waitfor = waitfor;
 801         mutex_exit(&ipx->ipx_lock);
 802 
 803         if (connp != NULL)
 804                 connp->conn_oper_pending_ill = ipif->ipif_ill;
 805 
 806         return (B_TRUE);
 807 }
 808 
 809 /*
 810  * Retrieve the ipx_pending_mp and return it. There can be only 1 mp
 811  * queued in the list.
 812  */
 813 mblk_t *
 814 ipsq_pending_mp_get(ipsq_t *ipsq, conn_t **connpp)
 815 {
 816         mblk_t  *curr = NULL;
 817         ipxop_t *ipx = ipsq->ipsq_xop;
 818 
 819         *connpp = NULL;
 820         mutex_enter(&ipx->ipx_lock);
 821         if (ipx->ipx_pending_mp == NULL) {
 822                 mutex_exit(&ipx->ipx_lock);
 823                 return (NULL);
 824         }
 825 
 826         /* There can be only 1 such excl message */
 827         curr = ipx->ipx_pending_mp;
 828         ASSERT(curr->b_next == NULL);
 829         ipx->ipx_pending_ipif = NULL;
 830         ipx->ipx_pending_mp = NULL;
 831         ipx->ipx_waitfor = 0;
 832         mutex_exit(&ipx->ipx_lock);
 833 
 834         if (CONN_Q(curr->b_queue)) {
 835                 /*
 836                  * This mp did a refhold on the conn, at the start of the ioctl.
 837                  * So we can safely return a pointer to the conn to the caller.
 838                  */
 839                 *connpp = Q_TO_CONN(curr->b_queue);
 840         } else {
 841                 *connpp = NULL;
 842         }
 843         curr->b_next = NULL;
 844         curr->b_prev = NULL;
 845         return (curr);
 846 }
 847 
 848 /*
 849  * Cleanup the ioctl mp queued in ipx_pending_mp
 850  * - Called in the ill_delete path
 851  * - Called in the M_ERROR or M_HANGUP path on the ill.
 852  * - Called in the conn close path.
 853  *
 854  * Returns success on finding the pending mblk associated with the ioctl or
 855  * exclusive operation in progress, failure otherwise.
 856  */
 857 boolean_t
 858 ipsq_pending_mp_cleanup(ill_t *ill, conn_t *connp)
 859 {
 860         mblk_t  *mp;
 861         ipxop_t *ipx;
 862         queue_t *q;
 863         ipif_t  *ipif;
 864         int     cmd;
 865 
 866         ASSERT(IAM_WRITER_ILL(ill));
 867         ipx = ill->ill_phyint->phyint_ipsq->ipsq_xop;
 868 
 869         mutex_enter(&ipx->ipx_lock);
 870         mp = ipx->ipx_pending_mp;
 871         if (connp != NULL) {
 872                 if (mp == NULL || mp->b_queue != CONNP_TO_WQ(connp)) {
 873                         /*
 874                          * Nothing to clean since the conn that is closing
 875                          * does not have a matching pending mblk in
 876                          * ipx_pending_mp.
 877                          */
 878                         mutex_exit(&ipx->ipx_lock);
 879                         return (B_FALSE);
 880                 }
 881         } else {
 882                 /*
 883                  * A non-zero ill_error signifies we are called in the
 884                  * M_ERROR or M_HANGUP path and we need to unconditionally
 885                  * abort any current ioctl and do the corresponding cleanup.
 886                  * A zero ill_error means we are in the ill_delete path and
 887                  * we do the cleanup only if there is a pending mp.
 888                  */
 889                 if (mp == NULL && ill->ill_error == 0) {
 890                         mutex_exit(&ipx->ipx_lock);
 891                         return (B_FALSE);
 892                 }
 893         }
 894 
 895         /* Now remove from the ipx_pending_mp */
 896         ipx->ipx_pending_mp = NULL;
 897         ipif = ipx->ipx_pending_ipif;
 898         ipx->ipx_pending_ipif = NULL;
 899         ipx->ipx_waitfor = 0;
 900         ipx->ipx_current_ipif = NULL;
 901         cmd = ipx->ipx_current_ioctl;
 902         ipx->ipx_current_ioctl = 0;
 903         ipx->ipx_current_done = B_TRUE;
 904         mutex_exit(&ipx->ipx_lock);
 905 
 906         if (mp == NULL)
 907                 return (B_FALSE);
 908 
 909         q = mp->b_queue;
 910         mp->b_next = NULL;
 911         mp->b_prev = NULL;
 912         mp->b_queue = NULL;
 913 
 914         if (DB_TYPE(mp) == M_IOCTL || DB_TYPE(mp) == M_IOCDATA) {
 915                 DTRACE_PROBE4(ipif__ioctl,
 916                     char *, "ipsq_pending_mp_cleanup",
 917                     int, cmd, ill_t *, ipif == NULL ? NULL : ipif->ipif_ill,
 918                     ipif_t *, ipif);
 919                 if (connp == NULL) {
 920                         ip_ioctl_finish(q, mp, ENXIO, NO_COPYOUT, NULL);
 921                 } else {
 922                         ip_ioctl_finish(q, mp, ENXIO, CONN_CLOSE, NULL);
 923                         mutex_enter(&ipif->ipif_ill->ill_lock);
 924                         ipif->ipif_state_flags &= ~IPIF_CHANGING;
 925                         mutex_exit(&ipif->ipif_ill->ill_lock);
 926                 }
 927         } else {
 928                 inet_freemsg(mp);
 929         }
 930         return (B_TRUE);
 931 }
 932 
 933 /*
 934  * Called in the conn close path and ill delete path
 935  */
 936 static void
 937 ipsq_xopq_mp_cleanup(ill_t *ill, conn_t *connp)
 938 {
 939         ipsq_t  *ipsq;
 940         mblk_t  *prev;
 941         mblk_t  *curr;
 942         mblk_t  *next;
 943         queue_t *wq, *rq = NULL;
 944         mblk_t  *tmp_list = NULL;
 945 
 946         ASSERT(IAM_WRITER_ILL(ill));
 947         if (connp != NULL)
 948                 wq = CONNP_TO_WQ(connp);
 949         else
 950                 wq = ill->ill_wq;
 951 
 952         /*
 953          * In the case of lo0 being unplumbed, ill_wq will be NULL. Guard
 954          * against this here.
 955          */
 956         if (wq != NULL)
 957                 rq = RD(wq);
 958 
 959         ipsq = ill->ill_phyint->phyint_ipsq;
 960         /*
 961          * Cleanup the ioctl mp's queued in ipsq_xopq_pending_mp if any.
 962          * In the case of ioctl from a conn, there can be only 1 mp
 963          * queued on the ipsq. If an ill is being unplumbed flush all
 964          * the messages.
 965          */
 966         mutex_enter(&ipsq->ipsq_lock);
 967         for (prev = NULL, curr = ipsq->ipsq_xopq_mphead; curr != NULL;
 968             curr = next) {
 969                 next = curr->b_next;
 970                 if (connp == NULL ||
 971                     (curr->b_queue == wq || curr->b_queue == rq)) {
 972                         /* Unlink the mblk from the pending mp list */
 973                         if (prev != NULL) {
 974                                 prev->b_next = curr->b_next;
 975                         } else {
 976                                 ASSERT(ipsq->ipsq_xopq_mphead == curr);
 977                                 ipsq->ipsq_xopq_mphead = curr->b_next;
 978                         }
 979                         if (ipsq->ipsq_xopq_mptail == curr)
 980                                 ipsq->ipsq_xopq_mptail = prev;
 981                         /*
 982                          * Create a temporary list and release the ipsq lock
 983                          * New elements are added to the head of the tmp_list
 984                          */
 985                         curr->b_next = tmp_list;
 986                         tmp_list = curr;
 987                 } else {
 988                         prev = curr;
 989                 }
 990         }
 991         mutex_exit(&ipsq->ipsq_lock);
 992 
 993         while (tmp_list != NULL) {
 994                 curr = tmp_list;
 995                 tmp_list = curr->b_next;
 996                 curr->b_next = NULL;
 997                 curr->b_prev = NULL;
 998                 wq = curr->b_queue;
 999                 curr->b_queue = NULL;
1000                 if (DB_TYPE(curr) == M_IOCTL || DB_TYPE(curr) == M_IOCDATA) {
1001                         DTRACE_PROBE4(ipif__ioctl,
1002                             char *, "ipsq_xopq_mp_cleanup",
1003                             int, 0, ill_t *, NULL, ipif_t *, NULL);
1004                         ip_ioctl_finish(wq, curr, ENXIO, connp != NULL ?
1005                             CONN_CLOSE : NO_COPYOUT, NULL);
1006                 } else {
1007                         /*
1008                          * IP-MT XXX In the case of TLI/XTI bind / optmgmt
1009                          * this can't be just inet_freemsg. we have to
1010                          * restart it otherwise the thread will be stuck.
1011                          */
1012                         inet_freemsg(curr);
1013                 }
1014         }
1015 }
1016 
1017 /*
1018  * This conn has started closing. Cleanup any pending ioctl from this conn.
1019  * STREAMS ensures that there can be at most 1 active ioctl on a stream.
1020  */
1021 void
1022 conn_ioctl_cleanup(conn_t *connp)
1023 {
1024         ipsq_t  *ipsq;
1025         ill_t   *ill;
1026         boolean_t refheld;
1027 
1028         /*
1029          * Check for a queued ioctl. If the ioctl has not yet started, the mp
1030          * is pending in the list headed by ipsq_xopq_head. If the ioctl has
1031          * started the mp could be present in ipx_pending_mp. Note that if
1032          * conn_oper_pending_ill is NULL, the ioctl may still be in flight and
1033          * not yet queued anywhere. In this case, the conn close code will wait
1034          * until the conn_ref is dropped. If the stream was a tcp stream, then
1035          * tcp_close will wait first until all ioctls have completed for this
1036          * conn.
1037          */
1038         mutex_enter(&connp->conn_lock);
1039         ill = connp->conn_oper_pending_ill;
1040         if (ill == NULL) {
1041                 mutex_exit(&connp->conn_lock);
1042                 return;
1043         }
1044 
1045         /*
1046          * We may not be able to refhold the ill if the ill/ipif
1047          * is changing. But we need to make sure that the ill will
1048          * not vanish. So we just bump up the ill_waiter count.
1049          */
1050         refheld = ill_waiter_inc(ill);
1051         mutex_exit(&connp->conn_lock);
1052         if (refheld) {
1053                 if (ipsq_enter(ill, B_TRUE, NEW_OP)) {
1054                         ill_waiter_dcr(ill);
1055                         /*
1056                          * Check whether this ioctl has started and is
1057                          * pending. If it is not found there then check
1058                          * whether this ioctl has not even started and is in
1059                          * the ipsq_xopq list.
1060                          */
1061                         if (!ipsq_pending_mp_cleanup(ill, connp))
1062                                 ipsq_xopq_mp_cleanup(ill, connp);
1063                         ipsq = ill->ill_phyint->phyint_ipsq;
1064                         ipsq_exit(ipsq);
1065                         return;
1066                 }
1067         }
1068 
1069         /*
1070          * The ill is also closing and we could not bump up the
1071          * ill_waiter_count or we could not enter the ipsq. Leave
1072          * the cleanup to ill_delete
1073          */
1074         mutex_enter(&connp->conn_lock);
1075         while (connp->conn_oper_pending_ill != NULL)
1076                 cv_wait(&connp->conn_refcv, &connp->conn_lock);
1077         mutex_exit(&connp->conn_lock);
1078         if (refheld)
1079                 ill_waiter_dcr(ill);
1080 }
1081 
1082 /*
1083  * ipcl_walk function for cleaning up conn_*_ill fields.
1084  * Note that we leave ixa_multicast_ifindex, conn_incoming_ifindex, and
1085  * conn_bound_if in place. We prefer dropping
1086  * packets instead of sending them out the wrong interface, or accepting
1087  * packets from the wrong ifindex.
1088  */
1089 static void
1090 conn_cleanup_ill(conn_t *connp, caddr_t arg)
1091 {
1092         ill_t   *ill = (ill_t *)arg;
1093 
1094         mutex_enter(&connp->conn_lock);
1095         if (connp->conn_dhcpinit_ill == ill) {
1096                 connp->conn_dhcpinit_ill = NULL;
1097                 ASSERT(ill->ill_dhcpinit != 0);
1098                 atomic_dec_32(&ill->ill_dhcpinit);
1099                 ill_set_inputfn(ill);
1100         }
1101         mutex_exit(&connp->conn_lock);
1102 }
1103 
1104 static int
1105 ill_down_ipifs_tail(ill_t *ill)
1106 {
1107         ipif_t  *ipif;
1108         int err;
1109 
1110         ASSERT(IAM_WRITER_ILL(ill));
1111         for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
1112                 ipif_non_duplicate(ipif);
1113                 /*
1114                  * ipif_down_tail will call arp_ll_down on the last ipif
1115                  * and typically return EINPROGRESS when the DL_UNBIND is sent.
1116                  */
1117                 if ((err = ipif_down_tail(ipif)) != 0)
1118                         return (err);
1119         }
1120         return (0);
1121 }
1122 
1123 /* ARGSUSED */
1124 void
1125 ipif_all_down_tail(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
1126 {
1127         ASSERT(IAM_WRITER_IPSQ(ipsq));
1128         (void) ill_down_ipifs_tail(q->q_ptr);
1129         freemsg(mp);
1130         ipsq_current_finish(ipsq);
1131 }
1132 
1133 /*
1134  * ill_down_start is called when we want to down this ill and bring it up again
1135  * It is called when we receive an M_ERROR / M_HANGUP. In this case we shut down
1136  * all interfaces, but don't tear down any plumbing.
1137  */
1138 boolean_t
1139 ill_down_start(queue_t *q, mblk_t *mp)
1140 {
1141         ill_t   *ill = q->q_ptr;
1142         ipif_t  *ipif;
1143 
1144         ASSERT(IAM_WRITER_ILL(ill));
1145         /*
1146          * It is possible that some ioctl is already in progress while we
1147          * received the M_ERROR / M_HANGUP in which case, we need to abort
1148          * the ioctl. ill_down_start() is being processed as CUR_OP rather
1149          * than as NEW_OP since the cause of the M_ERROR / M_HANGUP may prevent
1150          * the in progress ioctl from ever completing.
1151          *
1152          * The thread that started the ioctl (if any) must have returned,
1153          * since we are now executing as writer. After the 2 calls below,
1154          * the state of the ipsq and the ill would reflect no trace of any
1155          * pending operation. Subsequently if there is any response to the
1156          * original ioctl from the driver, it would be discarded as an
1157          * unsolicited message from the driver.
1158          */
1159         (void) ipsq_pending_mp_cleanup(ill, NULL);
1160         ill_dlpi_clear_deferred(ill);
1161 
1162         for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next)
1163                 (void) ipif_down(ipif, NULL, NULL);
1164 
1165         ill_down(ill);
1166 
1167         /*
1168          * Walk all CONNs that can have a reference on an ire or nce for this
1169          * ill (we actually walk all that now have stale references).
1170          */
1171         ipcl_walk(conn_ixa_cleanup, (void *)B_TRUE, ill->ill_ipst);
1172 
1173         /* With IPv6 we have dce_ifindex. Cleanup for neatness */
1174         if (ill->ill_isv6)
1175                 dce_cleanup(ill->ill_phyint->phyint_ifindex, ill->ill_ipst);
1176 
1177         ipsq_current_start(ill->ill_phyint->phyint_ipsq, ill->ill_ipif, 0);
1178 
1179         /*
1180          * Atomically test and add the pending mp if references are active.
1181          */
1182         mutex_enter(&ill->ill_lock);
1183         if (!ill_is_quiescent(ill)) {
1184                 /* call cannot fail since `conn_t *' argument is NULL */
1185                 (void) ipsq_pending_mp_add(NULL, ill->ill_ipif, ill->ill_rq,
1186                     mp, ILL_DOWN);
1187                 mutex_exit(&ill->ill_lock);
1188                 return (B_FALSE);
1189         }
1190         mutex_exit(&ill->ill_lock);
1191         return (B_TRUE);
1192 }
1193 
1194 static void
1195 ill_down(ill_t *ill)
1196 {
1197         mblk_t  *mp;
1198         ip_stack_t      *ipst = ill->ill_ipst;
1199 
1200         /*
1201          * Blow off any IREs dependent on this ILL.
1202          * The caller needs to handle conn_ixa_cleanup
1203          */
1204         ill_delete_ires(ill);
1205 
1206         ire_walk_ill(0, 0, ill_downi, ill, ill);
1207 
1208         /* Remove any conn_*_ill depending on this ill */
1209         ipcl_walk(conn_cleanup_ill, (caddr_t)ill, ipst);
1210 
1211         /*
1212          * Free state for additional IREs.
1213          */
1214         mutex_enter(&ill->ill_saved_ire_lock);
1215         mp = ill->ill_saved_ire_mp;
1216         ill->ill_saved_ire_mp = NULL;
1217         ill->ill_saved_ire_cnt = 0;
1218         mutex_exit(&ill->ill_saved_ire_lock);
1219         freemsg(mp);
1220 }
1221 
1222 /*
1223  * ire_walk routine used to delete every IRE that depends on
1224  * 'ill'.  (Always called as writer, and may only be called from ire_walk.)
1225  *
1226  * Note: since the routes added by the kernel are deleted separately,
1227  * this will only be 1) IRE_IF_CLONE and 2) manually added IRE_INTERFACE.
1228  *
1229  * We also remove references on ire_nce_cache entries that refer to the ill.
1230  */
1231 void
1232 ill_downi(ire_t *ire, char *ill_arg)
1233 {
1234         ill_t   *ill = (ill_t *)ill_arg;
1235         nce_t   *nce;
1236 
1237         mutex_enter(&ire->ire_lock);
1238         nce = ire->ire_nce_cache;
1239         if (nce != NULL && nce->nce_ill == ill)
1240                 ire->ire_nce_cache = NULL;
1241         else
1242                 nce = NULL;
1243         mutex_exit(&ire->ire_lock);
1244         if (nce != NULL)
1245                 nce_refrele(nce);
1246         if (ire->ire_ill == ill) {
1247                 /*
1248                  * The existing interface binding for ire must be
1249                  * deleted before trying to bind the route to another
1250                  * interface. However, since we are using the contents of the
1251                  * ire after ire_delete, the caller has to ensure that
1252                  * CONDEMNED (deleted) ire's are not removed from the list
1253                  * when ire_delete() returns. Currently ill_downi() is
1254                  * only called as part of ire_walk*() routines, so that
1255                  * the irb_refhold() done by ire_walk*() will ensure that
1256                  * ire_delete() does not lead to ire_inactive().
1257                  */
1258                 ASSERT(ire->ire_bucket->irb_refcnt > 0);
1259                 ire_delete(ire);
1260                 if (ire->ire_unbound)
1261                         ire_rebind(ire);
1262         }
1263 }
1264 
1265 /* Remove IRE_IF_CLONE on this ill */
1266 void
1267 ill_downi_if_clone(ire_t *ire, char *ill_arg)
1268 {
1269         ill_t   *ill = (ill_t *)ill_arg;
1270 
1271         ASSERT(ire->ire_type & IRE_IF_CLONE);
1272         if (ire->ire_ill == ill)
1273                 ire_delete(ire);
1274 }
1275 
1276 /* Consume an M_IOCACK of the fastpath probe. */
1277 void
1278 ill_fastpath_ack(ill_t *ill, mblk_t *mp)
1279 {
1280         mblk_t  *mp1 = mp;
1281 
1282         /*
1283          * If this was the first attempt turn on the fastpath probing.
1284          */
1285         mutex_enter(&ill->ill_lock);
1286         if (ill->ill_dlpi_fastpath_state == IDS_INPROGRESS)
1287                 ill->ill_dlpi_fastpath_state = IDS_OK;
1288         mutex_exit(&ill->ill_lock);
1289 
1290         /* Free the M_IOCACK mblk, hold on to the data */
1291         mp = mp->b_cont;
1292         freeb(mp1);
1293         if (mp == NULL)
1294                 return;
1295         if (mp->b_cont != NULL)
1296                 nce_fastpath_update(ill, mp);
1297         else
1298                 ip0dbg(("ill_fastpath_ack:  no b_cont\n"));
1299         freemsg(mp);
1300 }
1301 
1302 /*
1303  * Throw an M_IOCTL message downstream asking "do you know fastpath?"
1304  * The data portion of the request is a dl_unitdata_req_t template for
1305  * what we would send downstream in the absence of a fastpath confirmation.
1306  */
1307 int
1308 ill_fastpath_probe(ill_t *ill, mblk_t *dlur_mp)
1309 {
1310         struct iocblk   *ioc;
1311         mblk_t  *mp;
1312 
1313         if (dlur_mp == NULL)
1314                 return (EINVAL);
1315 
1316         mutex_enter(&ill->ill_lock);
1317         switch (ill->ill_dlpi_fastpath_state) {
1318         case IDS_FAILED:
1319                 /*
1320                  * Driver NAKed the first fastpath ioctl - assume it doesn't
1321                  * support it.
1322                  */
1323                 mutex_exit(&ill->ill_lock);
1324                 return (ENOTSUP);
1325         case IDS_UNKNOWN:
1326                 /* This is the first probe */
1327                 ill->ill_dlpi_fastpath_state = IDS_INPROGRESS;
1328                 break;
1329         default:
1330                 break;
1331         }
1332         mutex_exit(&ill->ill_lock);
1333 
1334         if ((mp = mkiocb(DL_IOC_HDR_INFO)) == NULL)
1335                 return (EAGAIN);
1336 
1337         mp->b_cont = copyb(dlur_mp);
1338         if (mp->b_cont == NULL) {
1339                 freeb(mp);
1340                 return (EAGAIN);
1341         }
1342 
1343         ioc = (struct iocblk *)mp->b_rptr;
1344         ioc->ioc_count = msgdsize(mp->b_cont);
1345 
1346         DTRACE_PROBE3(ill__dlpi, char *, "ill_fastpath_probe",
1347             char *, "DL_IOC_HDR_INFO", ill_t *, ill);
1348         putnext(ill->ill_wq, mp);
1349         return (0);
1350 }
1351 
1352 void
1353 ill_capability_probe(ill_t *ill)
1354 {
1355         mblk_t  *mp;
1356 
1357         ASSERT(IAM_WRITER_ILL(ill));
1358 
1359         if (ill->ill_dlpi_capab_state != IDCS_UNKNOWN &&
1360             ill->ill_dlpi_capab_state != IDCS_FAILED)
1361                 return;
1362 
1363         /*
1364          * We are starting a new cycle of capability negotiation.
1365          * Free up the capab reset messages of any previous incarnation.
1366          * We will do a fresh allocation when we get the response to our probe
1367          */
1368         if (ill->ill_capab_reset_mp != NULL) {
1369                 freemsg(ill->ill_capab_reset_mp);
1370                 ill->ill_capab_reset_mp = NULL;
1371         }
1372 
1373         ip1dbg(("ill_capability_probe: starting capability negotiation\n"));
1374 
1375         mp = ip_dlpi_alloc(sizeof (dl_capability_req_t), DL_CAPABILITY_REQ);
1376         if (mp == NULL)
1377                 return;
1378 
1379         ill_capability_send(ill, mp);
1380         ill->ill_dlpi_capab_state = IDCS_PROBE_SENT;
1381 }
1382 
1383 void
1384 ill_capability_reset(ill_t *ill, boolean_t reneg)
1385 {
1386         ASSERT(IAM_WRITER_ILL(ill));
1387 
1388         if (ill->ill_dlpi_capab_state != IDCS_OK)
1389                 return;
1390 
1391         ill->ill_dlpi_capab_state = reneg ? IDCS_RENEG : IDCS_RESET_SENT;
1392 
1393         ill_capability_send(ill, ill->ill_capab_reset_mp);
1394         ill->ill_capab_reset_mp = NULL;
1395         /*
1396          * We turn off all capabilities except those pertaining to
1397          * direct function call capabilities viz. ILL_CAPAB_DLD*
1398          * which will be turned off by the corresponding reset functions.
1399          */
1400         ill->ill_capabilities &= ~(ILL_CAPAB_HCKSUM  | ILL_CAPAB_ZEROCOPY);
1401 }
1402 
1403 static void
1404 ill_capability_reset_alloc(ill_t *ill)
1405 {
1406         mblk_t *mp;
1407         size_t  size = 0;
1408         int     err;
1409         dl_capability_req_t     *capb;
1410 
1411         ASSERT(IAM_WRITER_ILL(ill));
1412         ASSERT(ill->ill_capab_reset_mp == NULL);
1413 
1414         if (ILL_HCKSUM_CAPABLE(ill)) {
1415                 size += sizeof (dl_capability_sub_t) +
1416                     sizeof (dl_capab_hcksum_t);
1417         }
1418 
1419         if (ill->ill_capabilities & ILL_CAPAB_ZEROCOPY) {
1420                 size += sizeof (dl_capability_sub_t) +
1421                     sizeof (dl_capab_zerocopy_t);
1422         }
1423 
1424         if (ill->ill_capabilities & ILL_CAPAB_DLD) {
1425                 size += sizeof (dl_capability_sub_t) +
1426                     sizeof (dl_capab_dld_t);
1427         }
1428 
1429         mp = allocb_wait(size + sizeof (dl_capability_req_t), BPRI_MED,
1430             STR_NOSIG, &err);
1431 
1432         mp->b_datap->db_type = M_PROTO;
1433         bzero(mp->b_rptr, size + sizeof (dl_capability_req_t));
1434 
1435         capb = (dl_capability_req_t *)mp->b_rptr;
1436         capb->dl_primitive = DL_CAPABILITY_REQ;
1437         capb->dl_sub_offset = sizeof (dl_capability_req_t);
1438         capb->dl_sub_length = size;
1439 
1440         mp->b_wptr += sizeof (dl_capability_req_t);
1441 
1442         /*
1443          * Each handler fills in the corresponding dl_capability_sub_t
1444          * inside the mblk,
1445          */
1446         ill_capability_hcksum_reset_fill(ill, mp);
1447         ill_capability_zerocopy_reset_fill(ill, mp);
1448         ill_capability_dld_reset_fill(ill, mp);
1449 
1450         ill->ill_capab_reset_mp = mp;
1451 }
1452 
1453 static void
1454 ill_capability_id_ack(ill_t *ill, mblk_t *mp, dl_capability_sub_t *outers)
1455 {
1456         dl_capab_id_t *id_ic;
1457         uint_t sub_dl_cap = outers->dl_cap;
1458         dl_capability_sub_t *inners;
1459         uint8_t *capend;
1460 
1461         ASSERT(sub_dl_cap == DL_CAPAB_ID_WRAPPER);
1462 
1463         /*
1464          * Note: range checks here are not absolutely sufficient to
1465          * make us robust against malformed messages sent by drivers;
1466          * this is in keeping with the rest of IP's dlpi handling.
1467          * (Remember, it's coming from something else in the kernel
1468          * address space)
1469          */
1470 
1471         capend = (uint8_t *)(outers + 1) + outers->dl_length;
1472         if (capend > mp->b_wptr) {
1473                 cmn_err(CE_WARN, "ill_capability_id_ack: "
1474                     "malformed sub-capability too long for mblk");
1475                 return;
1476         }
1477 
1478         id_ic = (dl_capab_id_t *)(outers + 1);
1479 
1480         if (outers->dl_length < sizeof (*id_ic) ||
1481             (inners = &id_ic->id_subcap,
1482             inners->dl_length > (outers->dl_length - sizeof (*inners)))) {
1483                 cmn_err(CE_WARN, "ill_capability_id_ack: malformed "
1484                     "encapsulated capab type %d too long for mblk",
1485                     inners->dl_cap);
1486                 return;
1487         }
1488 
1489         if (!dlcapabcheckqid(&id_ic->id_mid, ill->ill_lmod_rq)) {
1490                 ip1dbg(("ill_capability_id_ack: mid token for capab type %d "
1491                     "isn't as expected; pass-thru module(s) detected, "
1492                     "discarding capability\n", inners->dl_cap));
1493                 return;
1494         }
1495 
1496         /* Process the encapsulated sub-capability */
1497         ill_capability_dispatch(ill, mp, inners);
1498 }
1499 
1500 static void
1501 ill_capability_dld_reset_fill(ill_t *ill, mblk_t *mp)
1502 {
1503         dl_capability_sub_t *dl_subcap;
1504 
1505         if (!(ill->ill_capabilities & ILL_CAPAB_DLD))
1506                 return;
1507 
1508         /*
1509          * The dl_capab_dld_t that follows the dl_capability_sub_t is not
1510          * initialized below since it is not used by DLD.
1511          */
1512         dl_subcap = (dl_capability_sub_t *)mp->b_wptr;
1513         dl_subcap->dl_cap = DL_CAPAB_DLD;
1514         dl_subcap->dl_length = sizeof (dl_capab_dld_t);
1515 
1516         mp->b_wptr += sizeof (dl_capability_sub_t) + sizeof (dl_capab_dld_t);
1517 }
1518 
1519 static void
1520 ill_capability_dispatch(ill_t *ill, mblk_t *mp, dl_capability_sub_t *subp)
1521 {
1522         /*
1523          * If no ipif was brought up over this ill, this DL_CAPABILITY_REQ/ACK
1524          * is only to get the VRRP capability.
1525          *
1526          * Note that we cannot check ill_ipif_up_count here since
1527          * ill_ipif_up_count is only incremented when the resolver is setup.
1528          * That is done asynchronously, and can race with this function.
1529          */
1530         if (!ill->ill_dl_up) {
1531                 if (subp->dl_cap == DL_CAPAB_VRRP)
1532                         ill_capability_vrrp_ack(ill, mp, subp);
1533                 return;
1534         }
1535 
1536         switch (subp->dl_cap) {
1537         case DL_CAPAB_HCKSUM:
1538                 ill_capability_hcksum_ack(ill, mp, subp);
1539                 break;
1540         case DL_CAPAB_ZEROCOPY:
1541                 ill_capability_zerocopy_ack(ill, mp, subp);
1542                 break;
1543         case DL_CAPAB_DLD:
1544                 ill_capability_dld_ack(ill, mp, subp);
1545                 break;
1546         case DL_CAPAB_VRRP:
1547                 break;
1548         default:
1549                 ip1dbg(("ill_capability_dispatch: unknown capab type %d\n",
1550                     subp->dl_cap));
1551         }
1552 }
1553 
1554 /*
1555  * Process the vrrp capability received from a DLS Provider. isub must point
1556  * to the sub-capability (DL_CAPAB_VRRP) of a DL_CAPABILITY_ACK message.
1557  */
1558 static void
1559 ill_capability_vrrp_ack(ill_t *ill, mblk_t *mp, dl_capability_sub_t *isub)
1560 {
1561         dl_capab_vrrp_t *vrrp;
1562         uint_t          sub_dl_cap = isub->dl_cap;
1563         uint8_t         *capend;
1564 
1565         ASSERT(IAM_WRITER_ILL(ill));
1566         ASSERT(sub_dl_cap == DL_CAPAB_VRRP);
1567 
1568         /*
1569          * Note: range checks here are not absolutely sufficient to
1570          * make us robust against malformed messages sent by drivers;
1571          * this is in keeping with the rest of IP's dlpi handling.
1572          * (Remember, it's coming from something else in the kernel
1573          * address space)
1574          */
1575         capend = (uint8_t *)(isub + 1) + isub->dl_length;
1576         if (capend > mp->b_wptr) {
1577                 cmn_err(CE_WARN, "ill_capability_vrrp_ack: "
1578                     "malformed sub-capability too long for mblk");
1579                 return;
1580         }
1581         vrrp = (dl_capab_vrrp_t *)(isub + 1);
1582 
1583         /*
1584          * Compare the IP address family and set ILLF_VRRP for the right ill.
1585          */
1586         if ((vrrp->vrrp_af == AF_INET6 && ill->ill_isv6) ||
1587             (vrrp->vrrp_af == AF_INET && !ill->ill_isv6)) {
1588                 ill->ill_flags |= ILLF_VRRP;
1589         }
1590 }
1591 
1592 /*
1593  * Process a hardware checksum offload capability negotiation ack received
1594  * from a DLS Provider.isub must point to the sub-capability (DL_CAPAB_HCKSUM)
1595  * of a DL_CAPABILITY_ACK message.
1596  */
1597 static void
1598 ill_capability_hcksum_ack(ill_t *ill, mblk_t *mp, dl_capability_sub_t *isub)
1599 {
1600         dl_capability_req_t     *ocap;
1601         dl_capab_hcksum_t       *ihck, *ohck;
1602         ill_hcksum_capab_t      **ill_hcksum;
1603         mblk_t                  *nmp = NULL;
1604         uint_t                  sub_dl_cap = isub->dl_cap;
1605         uint8_t                 *capend;
1606 
1607         ASSERT(sub_dl_cap == DL_CAPAB_HCKSUM);
1608 
1609         ill_hcksum = (ill_hcksum_capab_t **)&ill->ill_hcksum_capab;
1610 
1611         /*
1612          * Note: range checks here are not absolutely sufficient to
1613          * make us robust against malformed messages sent by drivers;
1614          * this is in keeping with the rest of IP's dlpi handling.
1615          * (Remember, it's coming from something else in the kernel
1616          * address space)
1617          */
1618         capend = (uint8_t *)(isub + 1) + isub->dl_length;
1619         if (capend > mp->b_wptr) {
1620                 cmn_err(CE_WARN, "ill_capability_hcksum_ack: "
1621                     "malformed sub-capability too long for mblk");
1622                 return;
1623         }
1624 
1625         /*
1626          * There are two types of acks we process here:
1627          * 1. acks in reply to a (first form) generic capability req
1628          *    (no ENABLE flag set)
1629          * 2. acks in reply to a ENABLE capability req.
1630          *    (ENABLE flag set)
1631          */
1632         ihck = (dl_capab_hcksum_t *)(isub + 1);
1633 
1634         if (ihck->hcksum_version != HCKSUM_VERSION_1) {
1635                 cmn_err(CE_CONT, "ill_capability_hcksum_ack: "
1636                     "unsupported hardware checksum "
1637                     "sub-capability (version %d, expected %d)",
1638                     ihck->hcksum_version, HCKSUM_VERSION_1);
1639                 return;
1640         }
1641 
1642         if (!dlcapabcheckqid(&ihck->hcksum_mid, ill->ill_lmod_rq)) {
1643                 ip1dbg(("ill_capability_hcksum_ack: mid token for hardware "
1644                     "checksum capability isn't as expected; pass-thru "
1645                     "module(s) detected, discarding capability\n"));
1646                 return;
1647         }
1648 
1649 #define CURR_HCKSUM_CAPAB                               \
1650         (HCKSUM_INET_PARTIAL | HCKSUM_INET_FULL_V4 |    \
1651         HCKSUM_INET_FULL_V6 | HCKSUM_IPHDRCKSUM)
1652 
1653         if ((ihck->hcksum_txflags & HCKSUM_ENABLE) &&
1654             (ihck->hcksum_txflags & CURR_HCKSUM_CAPAB)) {
1655                 /* do ENABLE processing */
1656                 if (*ill_hcksum == NULL) {
1657                         *ill_hcksum = kmem_zalloc(sizeof (ill_hcksum_capab_t),
1658                             KM_NOSLEEP);
1659 
1660                         if (*ill_hcksum == NULL) {
1661                                 cmn_err(CE_WARN, "ill_capability_hcksum_ack: "
1662                                     "could not enable hcksum version %d "
1663                                     "for %s (ENOMEM)\n", HCKSUM_CURRENT_VERSION,
1664                                     ill->ill_name);
1665                                 return;
1666                         }
1667                 }
1668 
1669                 (*ill_hcksum)->ill_hcksum_version = ihck->hcksum_version;
1670                 (*ill_hcksum)->ill_hcksum_txflags = ihck->hcksum_txflags;
1671                 ill->ill_capabilities |= ILL_CAPAB_HCKSUM;
1672                 ip1dbg(("ill_capability_hcksum_ack: interface %s "
1673                     "has enabled hardware checksumming\n ",
1674                     ill->ill_name));
1675         } else if (ihck->hcksum_txflags & CURR_HCKSUM_CAPAB) {
1676                 /*
1677                  * Enabling hardware checksum offload
1678                  * Currently IP supports {TCP,UDP}/IPv4
1679                  * partial and full cksum offload and
1680                  * IPv4 header checksum offload.
1681                  * Allocate new mblk which will
1682                  * contain a new capability request
1683                  * to enable hardware checksum offload.
1684                  */
1685                 uint_t  size;
1686                 uchar_t *rptr;
1687 
1688                 size = sizeof (dl_capability_req_t) +
1689                     sizeof (dl_capability_sub_t) + isub->dl_length;
1690 
1691                 if ((nmp = ip_dlpi_alloc(size, DL_CAPABILITY_REQ)) == NULL) {
1692                         cmn_err(CE_WARN, "ill_capability_hcksum_ack: "
1693                             "could not enable hardware cksum for %s (ENOMEM)\n",
1694                             ill->ill_name);
1695                         return;
1696                 }
1697 
1698                 rptr = nmp->b_rptr;
1699                 /* initialize dl_capability_req_t */
1700                 ocap = (dl_capability_req_t *)nmp->b_rptr;
1701                 ocap->dl_sub_offset =
1702                     sizeof (dl_capability_req_t);
1703                 ocap->dl_sub_length =
1704                     sizeof (dl_capability_sub_t) +
1705                     isub->dl_length;
1706                 nmp->b_rptr += sizeof (dl_capability_req_t);
1707 
1708                 /* initialize dl_capability_sub_t */
1709                 bcopy(isub, nmp->b_rptr, sizeof (*isub));
1710                 nmp->b_rptr += sizeof (*isub);
1711 
1712                 /* initialize dl_capab_hcksum_t */
1713                 ohck = (dl_capab_hcksum_t *)nmp->b_rptr;
1714                 bcopy(ihck, ohck, sizeof (*ihck));
1715 
1716                 nmp->b_rptr = rptr;
1717                 ASSERT(nmp->b_wptr == (nmp->b_rptr + size));
1718 
1719                 /* Set ENABLE flag */
1720                 ohck->hcksum_txflags &= CURR_HCKSUM_CAPAB;
1721                 ohck->hcksum_txflags |= HCKSUM_ENABLE;
1722 
1723                 /*
1724                  * nmp points to a DL_CAPABILITY_REQ message to enable
1725                  * hardware checksum acceleration.
1726                  */
1727                 ill_capability_send(ill, nmp);
1728         } else {
1729                 ip1dbg(("ill_capability_hcksum_ack: interface %s has "
1730                     "advertised %x hardware checksum capability flags\n",
1731                     ill->ill_name, ihck->hcksum_txflags));
1732         }
1733 }
1734 
1735 static void
1736 ill_capability_hcksum_reset_fill(ill_t *ill, mblk_t *mp)
1737 {
1738         dl_capab_hcksum_t *hck_subcap;
1739         dl_capability_sub_t *dl_subcap;
1740 
1741         if (!ILL_HCKSUM_CAPABLE(ill))
1742                 return;
1743 
1744         ASSERT(ill->ill_hcksum_capab != NULL);
1745 
1746         dl_subcap = (dl_capability_sub_t *)mp->b_wptr;
1747         dl_subcap->dl_cap = DL_CAPAB_HCKSUM;
1748         dl_subcap->dl_length = sizeof (*hck_subcap);
1749 
1750         hck_subcap = (dl_capab_hcksum_t *)(dl_subcap + 1);
1751         hck_subcap->hcksum_version = ill->ill_hcksum_capab->ill_hcksum_version;
1752         hck_subcap->hcksum_txflags = 0;
1753 
1754         mp->b_wptr += sizeof (*dl_subcap) + sizeof (*hck_subcap);
1755 }
1756 
1757 static void
1758 ill_capability_zerocopy_ack(ill_t *ill, mblk_t *mp, dl_capability_sub_t *isub)
1759 {
1760         mblk_t *nmp = NULL;
1761         dl_capability_req_t *oc;
1762         dl_capab_zerocopy_t *zc_ic, *zc_oc;
1763         ill_zerocopy_capab_t **ill_zerocopy_capab;
1764         uint_t sub_dl_cap = isub->dl_cap;
1765         uint8_t *capend;
1766 
1767         ASSERT(sub_dl_cap == DL_CAPAB_ZEROCOPY);
1768 
1769         ill_zerocopy_capab = (ill_zerocopy_capab_t **)&ill->ill_zerocopy_capab;
1770 
1771         /*
1772          * Note: range checks here are not absolutely sufficient to
1773          * make us robust against malformed messages sent by drivers;
1774          * this is in keeping with the rest of IP's dlpi handling.
1775          * (Remember, it's coming from something else in the kernel
1776          * address space)
1777          */
1778         capend = (uint8_t *)(isub + 1) + isub->dl_length;
1779         if (capend > mp->b_wptr) {
1780                 cmn_err(CE_WARN, "ill_capability_zerocopy_ack: "
1781                     "malformed sub-capability too long for mblk");
1782                 return;
1783         }
1784 
1785         zc_ic = (dl_capab_zerocopy_t *)(isub + 1);
1786         if (zc_ic->zerocopy_version != ZEROCOPY_VERSION_1) {
1787                 cmn_err(CE_CONT, "ill_capability_zerocopy_ack: "
1788                     "unsupported ZEROCOPY sub-capability (version %d, "
1789                     "expected %d)", zc_ic->zerocopy_version,
1790                     ZEROCOPY_VERSION_1);
1791                 return;
1792         }
1793 
1794         if (!dlcapabcheckqid(&zc_ic->zerocopy_mid, ill->ill_lmod_rq)) {
1795                 ip1dbg(("ill_capability_zerocopy_ack: mid token for zerocopy "
1796                     "capability isn't as expected; pass-thru module(s) "
1797                     "detected, discarding capability\n"));
1798                 return;
1799         }
1800 
1801         if ((zc_ic->zerocopy_flags & DL_CAPAB_VMSAFE_MEM) != 0) {
1802                 if (*ill_zerocopy_capab == NULL) {
1803                         *ill_zerocopy_capab =
1804                             kmem_zalloc(sizeof (ill_zerocopy_capab_t),
1805                             KM_NOSLEEP);
1806 
1807                         if (*ill_zerocopy_capab == NULL) {
1808                                 cmn_err(CE_WARN, "ill_capability_zerocopy_ack: "
1809                                     "could not enable Zero-copy version %d "
1810                                     "for %s (ENOMEM)\n", ZEROCOPY_VERSION_1,
1811                                     ill->ill_name);
1812                                 return;
1813                         }
1814                 }
1815 
1816                 ip1dbg(("ill_capability_zerocopy_ack: interface %s "
1817                     "supports Zero-copy version %d\n", ill->ill_name,
1818                     ZEROCOPY_VERSION_1));
1819 
1820                 (*ill_zerocopy_capab)->ill_zerocopy_version =
1821                     zc_ic->zerocopy_version;
1822                 (*ill_zerocopy_capab)->ill_zerocopy_flags =
1823                     zc_ic->zerocopy_flags;
1824 
1825                 ill->ill_capabilities |= ILL_CAPAB_ZEROCOPY;
1826         } else {
1827                 uint_t size;
1828                 uchar_t *rptr;
1829 
1830                 size = sizeof (dl_capability_req_t) +
1831                     sizeof (dl_capability_sub_t) +
1832                     sizeof (dl_capab_zerocopy_t);
1833 
1834                 if ((nmp = ip_dlpi_alloc(size, DL_CAPABILITY_REQ)) == NULL) {
1835                         cmn_err(CE_WARN, "ill_capability_zerocopy_ack: "
1836                             "could not enable zerocopy for %s (ENOMEM)\n",
1837                             ill->ill_name);
1838                         return;
1839                 }
1840 
1841                 rptr = nmp->b_rptr;
1842                 /* initialize dl_capability_req_t */
1843                 oc = (dl_capability_req_t *)rptr;
1844                 oc->dl_sub_offset = sizeof (dl_capability_req_t);
1845                 oc->dl_sub_length = sizeof (dl_capability_sub_t) +
1846                     sizeof (dl_capab_zerocopy_t);
1847                 rptr += sizeof (dl_capability_req_t);
1848 
1849                 /* initialize dl_capability_sub_t */
1850                 bcopy(isub, rptr, sizeof (*isub));
1851                 rptr += sizeof (*isub);
1852 
1853                 /* initialize dl_capab_zerocopy_t */
1854                 zc_oc = (dl_capab_zerocopy_t *)rptr;
1855                 *zc_oc = *zc_ic;
1856 
1857                 ip1dbg(("ill_capability_zerocopy_ack: asking interface %s "
1858                     "to enable zero-copy version %d\n", ill->ill_name,
1859                     ZEROCOPY_VERSION_1));
1860 
1861                 /* set VMSAFE_MEM flag */
1862                 zc_oc->zerocopy_flags |= DL_CAPAB_VMSAFE_MEM;
1863 
1864                 /* nmp points to a DL_CAPABILITY_REQ message to enable zcopy */
1865                 ill_capability_send(ill, nmp);
1866         }
1867 }
1868 
1869 static void
1870 ill_capability_zerocopy_reset_fill(ill_t *ill, mblk_t *mp)
1871 {
1872         dl_capab_zerocopy_t *zerocopy_subcap;
1873         dl_capability_sub_t *dl_subcap;
1874 
1875         if (!(ill->ill_capabilities & ILL_CAPAB_ZEROCOPY))
1876                 return;
1877 
1878         ASSERT(ill->ill_zerocopy_capab != NULL);
1879 
1880         dl_subcap = (dl_capability_sub_t *)mp->b_wptr;
1881         dl_subcap->dl_cap = DL_CAPAB_ZEROCOPY;
1882         dl_subcap->dl_length = sizeof (*zerocopy_subcap);
1883 
1884         zerocopy_subcap = (dl_capab_zerocopy_t *)(dl_subcap + 1);
1885         zerocopy_subcap->zerocopy_version =
1886             ill->ill_zerocopy_capab->ill_zerocopy_version;
1887         zerocopy_subcap->zerocopy_flags = 0;
1888 
1889         mp->b_wptr += sizeof (*dl_subcap) + sizeof (*zerocopy_subcap);
1890 }
1891 
1892 /*
1893  * DLD capability
1894  * Refer to dld.h for more information regarding the purpose and usage
1895  * of this capability.
1896  */
1897 static void
1898 ill_capability_dld_ack(ill_t *ill, mblk_t *mp, dl_capability_sub_t *isub)
1899 {
1900         dl_capab_dld_t          *dld_ic, dld;
1901         uint_t                  sub_dl_cap = isub->dl_cap;
1902         uint8_t                 *capend;
1903         ill_dld_capab_t         *idc;
1904 
1905         ASSERT(IAM_WRITER_ILL(ill));
1906         ASSERT(sub_dl_cap == DL_CAPAB_DLD);
1907 
1908         /*
1909          * Note: range checks here are not absolutely sufficient to
1910          * make us robust against malformed messages sent by drivers;
1911          * this is in keeping with the rest of IP's dlpi handling.
1912          * (Remember, it's coming from something else in the kernel
1913          * address space)
1914          */
1915         capend = (uint8_t *)(isub + 1) + isub->dl_length;
1916         if (capend > mp->b_wptr) {
1917                 cmn_err(CE_WARN, "ill_capability_dld_ack: "
1918                     "malformed sub-capability too long for mblk");
1919                 return;
1920         }
1921         dld_ic = (dl_capab_dld_t *)(isub + 1);
1922         if (dld_ic->dld_version != DLD_CURRENT_VERSION) {
1923                 cmn_err(CE_CONT, "ill_capability_dld_ack: "
1924                     "unsupported DLD sub-capability (version %d, "
1925                     "expected %d)", dld_ic->dld_version,
1926                     DLD_CURRENT_VERSION);
1927                 return;
1928         }
1929         if (!dlcapabcheckqid(&dld_ic->dld_mid, ill->ill_lmod_rq)) {
1930                 ip1dbg(("ill_capability_dld_ack: mid token for dld "
1931                     "capability isn't as expected; pass-thru module(s) "
1932                     "detected, discarding capability\n"));
1933                 return;
1934         }
1935 
1936         /*
1937          * Copy locally to ensure alignment.
1938          */
1939         bcopy(dld_ic, &dld, sizeof (dl_capab_dld_t));
1940 
1941         if ((idc = ill->ill_dld_capab) == NULL) {
1942                 idc = kmem_zalloc(sizeof (ill_dld_capab_t), KM_NOSLEEP);
1943                 if (idc == NULL) {
1944                         cmn_err(CE_WARN, "ill_capability_dld_ack: "
1945                             "could not enable DLD version %d "
1946                             "for %s (ENOMEM)\n", DLD_CURRENT_VERSION,
1947                             ill->ill_name);
1948                         return;
1949                 }
1950                 ill->ill_dld_capab = idc;
1951         }
1952         idc->idc_capab_df = (ip_capab_func_t)dld.dld_capab;
1953         idc->idc_capab_dh = (void *)dld.dld_capab_handle;
1954         ip1dbg(("ill_capability_dld_ack: interface %s "
1955             "supports DLD version %d\n", ill->ill_name, DLD_CURRENT_VERSION));
1956 
1957         ill_capability_dld_enable(ill);
1958 }
1959 
1960 /*
1961  * Typically capability negotiation between IP and the driver happens via
1962  * DLPI message exchange. However GLD also offers a direct function call
1963  * mechanism to exchange the DLD_DIRECT_CAPAB and DLD_POLL_CAPAB capabilities,
1964  * But arbitrary function calls into IP or GLD are not permitted, since both
1965  * of them are protected by their own perimeter mechanism. The perimeter can
1966  * be viewed as a coarse lock or serialization mechanism. The hierarchy of
1967  * these perimeters is IP -> MAC. Thus for example to enable the squeue
1968  * polling, IP needs to enter its perimeter, then call ill_mac_perim_enter
1969  * to enter the mac perimeter and then do the direct function calls into
1970  * GLD to enable squeue polling. The ring related callbacks from the mac into
1971  * the stack to add, bind, quiesce, restart or cleanup a ring are all
1972  * protected by the mac perimeter.
1973  */
1974 static void
1975 ill_mac_perim_enter(ill_t *ill, mac_perim_handle_t *mphp)
1976 {
1977         ill_dld_capab_t         *idc = ill->ill_dld_capab;
1978         int                     err;
1979 
1980         err = idc->idc_capab_df(idc->idc_capab_dh, DLD_CAPAB_PERIM, mphp,
1981             DLD_ENABLE);
1982         ASSERT(err == 0);
1983 }
1984 
1985 static void
1986 ill_mac_perim_exit(ill_t *ill, mac_perim_handle_t mph)
1987 {
1988         ill_dld_capab_t         *idc = ill->ill_dld_capab;
1989         int                     err;
1990 
1991         err = idc->idc_capab_df(idc->idc_capab_dh, DLD_CAPAB_PERIM, mph,
1992             DLD_DISABLE);
1993         ASSERT(err == 0);
1994 }
1995 
1996 boolean_t
1997 ill_mac_perim_held(ill_t *ill)
1998 {
1999         ill_dld_capab_t         *idc = ill->ill_dld_capab;
2000 
2001         return (idc->idc_capab_df(idc->idc_capab_dh, DLD_CAPAB_PERIM, NULL,
2002             DLD_QUERY));
2003 }
2004 
2005 static void
2006 ill_capability_direct_enable(ill_t *ill)
2007 {
2008         ill_dld_capab_t         *idc = ill->ill_dld_capab;
2009         ill_dld_direct_t        *idd = &idc->idc_direct;
2010         dld_capab_direct_t      direct;
2011         int                     rc;
2012 
2013         ASSERT(!ill->ill_isv6 && IAM_WRITER_ILL(ill));
2014 
2015         bzero(&direct, sizeof (direct));
2016         direct.di_rx_cf = (uintptr_t)ip_input;
2017         direct.di_rx_ch = ill;
2018 
2019         rc = idc->idc_capab_df(idc->idc_capab_dh, DLD_CAPAB_DIRECT, &direct,
2020             DLD_ENABLE);
2021         if (rc == 0) {
2022                 idd->idd_tx_df = (ip_dld_tx_t)direct.di_tx_df;
2023                 idd->idd_tx_dh = direct.di_tx_dh;
2024                 idd->idd_tx_cb_df = (ip_dld_callb_t)direct.di_tx_cb_df;
2025                 idd->idd_tx_cb_dh = direct.di_tx_cb_dh;
2026                 idd->idd_tx_fctl_df = (ip_dld_fctl_t)direct.di_tx_fctl_df;
2027                 idd->idd_tx_fctl_dh = direct.di_tx_fctl_dh;
2028                 ASSERT(idd->idd_tx_cb_df != NULL);
2029                 ASSERT(idd->idd_tx_fctl_df != NULL);
2030                 ASSERT(idd->idd_tx_df != NULL);
2031                 /*
2032                  * One time registration of flow enable callback function
2033                  */
2034                 ill->ill_flownotify_mh = idd->idd_tx_cb_df(idd->idd_tx_cb_dh,
2035                     ill_flow_enable, ill);
2036                 ill->ill_capabilities |= ILL_CAPAB_DLD_DIRECT;
2037                 DTRACE_PROBE1(direct_on, (ill_t *), ill);
2038         } else {
2039                 cmn_err(CE_WARN, "warning: could not enable DIRECT "
2040                     "capability, rc = %d\n", rc);
2041                 DTRACE_PROBE2(direct_off, (ill_t *), ill, (int), rc);
2042         }
2043 }
2044 
2045 static void
2046 ill_capability_poll_enable(ill_t *ill)
2047 {
2048         ill_dld_capab_t         *idc = ill->ill_dld_capab;
2049         dld_capab_poll_t        poll;
2050         int                     rc;
2051 
2052         ASSERT(!ill->ill_isv6 && IAM_WRITER_ILL(ill));
2053 
2054         bzero(&poll, sizeof (poll));
2055         poll.poll_ring_add_cf = (uintptr_t)ip_squeue_add_ring;
2056         poll.poll_ring_remove_cf = (uintptr_t)ip_squeue_clean_ring;
2057         poll.poll_ring_quiesce_cf = (uintptr_t)ip_squeue_quiesce_ring;
2058         poll.poll_ring_restart_cf = (uintptr_t)ip_squeue_restart_ring;
2059         poll.poll_ring_bind_cf = (uintptr_t)ip_squeue_bind_ring;
2060         poll.poll_ring_ch = ill;
2061         rc = idc->idc_capab_df(idc->idc_capab_dh, DLD_CAPAB_POLL, &poll,
2062             DLD_ENABLE);
2063         if (rc == 0) {
2064                 ill->ill_capabilities |= ILL_CAPAB_DLD_POLL;
2065                 DTRACE_PROBE1(poll_on, (ill_t *), ill);
2066         } else {
2067                 ip1dbg(("warning: could not enable POLL "
2068                     "capability, rc = %d\n", rc));
2069                 DTRACE_PROBE2(poll_off, (ill_t *), ill, (int), rc);
2070         }
2071 }
2072 
2073 /*
2074  * Enable the LSO capability.
2075  */
2076 static void
2077 ill_capability_lso_enable(ill_t *ill)
2078 {
2079         ill_dld_capab_t *idc = ill->ill_dld_capab;
2080         dld_capab_lso_t lso;
2081         int rc;
2082 
2083         ASSERT(!ill->ill_isv6 && IAM_WRITER_ILL(ill));
2084 
2085         if (ill->ill_lso_capab == NULL) {
2086                 ill->ill_lso_capab = kmem_zalloc(sizeof (ill_lso_capab_t),
2087                     KM_NOSLEEP);
2088                 if (ill->ill_lso_capab == NULL) {
2089                         cmn_err(CE_WARN, "ill_capability_lso_enable: "
2090                             "could not enable LSO for %s (ENOMEM)\n",
2091                             ill->ill_name);
2092                         return;
2093                 }
2094         }
2095 
2096         bzero(&lso, sizeof (lso));
2097         if ((rc = idc->idc_capab_df(idc->idc_capab_dh, DLD_CAPAB_LSO, &lso,
2098             DLD_ENABLE)) == 0) {
2099                 ill->ill_lso_capab->ill_lso_flags = lso.lso_flags;
2100                 ill->ill_lso_capab->ill_lso_max = lso.lso_max;
2101                 ill->ill_capabilities |= ILL_CAPAB_LSO;
2102                 ip1dbg(("ill_capability_lso_enable: interface %s "
2103                     "has enabled LSO\n ", ill->ill_name));
2104         } else {
2105                 kmem_free(ill->ill_lso_capab, sizeof (ill_lso_capab_t));
2106                 ill->ill_lso_capab = NULL;
2107                 DTRACE_PROBE2(lso_off, (ill_t *), ill, (int), rc);
2108         }
2109 }
2110 
2111 static void
2112 ill_capability_dld_enable(ill_t *ill)
2113 {
2114         mac_perim_handle_t mph;
2115 
2116         ASSERT(IAM_WRITER_ILL(ill));
2117 
2118         if (ill->ill_isv6)
2119                 return;
2120 
2121         ill_mac_perim_enter(ill, &mph);
2122         if (!ill->ill_isv6) {
2123                 ill_capability_direct_enable(ill);
2124                 ill_capability_poll_enable(ill);
2125                 ill_capability_lso_enable(ill);
2126         }
2127         ill->ill_capabilities |= ILL_CAPAB_DLD;
2128         ill_mac_perim_exit(ill, mph);
2129 }
2130 
2131 static void
2132 ill_capability_dld_disable(ill_t *ill)
2133 {
2134         ill_dld_capab_t *idc;
2135         ill_dld_direct_t *idd;
2136         mac_perim_handle_t      mph;
2137 
2138         ASSERT(IAM_WRITER_ILL(ill));
2139 
2140         if (!(ill->ill_capabilities & ILL_CAPAB_DLD))
2141                 return;
2142 
2143         ill_mac_perim_enter(ill, &mph);
2144 
2145         idc = ill->ill_dld_capab;
2146         if ((ill->ill_capabilities & ILL_CAPAB_DLD_DIRECT) != 0) {
2147                 /*
2148                  * For performance we avoid locks in the transmit data path
2149                  * and don't maintain a count of the number of threads using
2150                  * direct calls. Thus some threads could be using direct
2151                  * transmit calls to GLD, even after the capability mechanism
2152                  * turns it off. This is still safe since the handles used in
2153                  * the direct calls continue to be valid until the unplumb is
2154                  * completed. Remove the callback that was added (1-time) at
2155                  * capab enable time.
2156                  */
2157                 mutex_enter(&ill->ill_lock);
2158                 ill->ill_capabilities &= ~ILL_CAPAB_DLD_DIRECT;
2159                 mutex_exit(&ill->ill_lock);
2160                 if (ill->ill_flownotify_mh != NULL) {
2161                         idd = &idc->idc_direct;
2162                         idd->idd_tx_cb_df(idd->idd_tx_cb_dh, NULL,
2163                             ill->ill_flownotify_mh);
2164                         ill->ill_flownotify_mh = NULL;
2165                 }
2166                 (void) idc->idc_capab_df(idc->idc_capab_dh, DLD_CAPAB_DIRECT,
2167                     NULL, DLD_DISABLE);
2168         }
2169 
2170         if ((ill->ill_capabilities & ILL_CAPAB_DLD_POLL) != 0) {
2171                 ill->ill_capabilities &= ~ILL_CAPAB_DLD_POLL;
2172                 ip_squeue_clean_all(ill);
2173                 (void) idc->idc_capab_df(idc->idc_capab_dh, DLD_CAPAB_POLL,
2174                     NULL, DLD_DISABLE);
2175         }
2176 
2177         if ((ill->ill_capabilities & ILL_CAPAB_LSO) != 0) {
2178                 ASSERT(ill->ill_lso_capab != NULL);
2179                 /*
2180                  * Clear the capability flag for LSO but retain the
2181                  * ill_lso_capab structure since it's possible that another
2182                  * thread is still referring to it.  The structure only gets
2183                  * deallocated when we destroy the ill.
2184                  */
2185 
2186                 ill->ill_capabilities &= ~ILL_CAPAB_LSO;
2187                 (void) idc->idc_capab_df(idc->idc_capab_dh, DLD_CAPAB_LSO,
2188                     NULL, DLD_DISABLE);
2189         }
2190 
2191         ill->ill_capabilities &= ~ILL_CAPAB_DLD;
2192         ill_mac_perim_exit(ill, mph);
2193 }
2194 
2195 /*
2196  * Capability Negotiation protocol
2197  *
2198  * We don't wait for DLPI capability operations to finish during interface
2199  * bringup or teardown. Doing so would introduce more asynchrony and the
2200  * interface up/down operations will need multiple return and restarts.
2201  * Instead the 'ipsq_current_ipif' of the ipsq is not cleared as long as
2202  * the 'ill_dlpi_deferred' chain is non-empty. This ensures that the next
2203  * exclusive operation won't start until the DLPI operations of the previous
2204  * exclusive operation complete.
2205  *
2206  * The capability state machine is shown below.
2207  *
2208  * state                next state              event, action
2209  *
2210  * IDCS_UNKNOWN         IDCS_PROBE_SENT         ill_capability_probe
2211  * IDCS_PROBE_SENT      IDCS_OK                 ill_capability_ack
2212  * IDCS_PROBE_SENT      IDCS_FAILED             ip_rput_dlpi_writer (nack)
2213  * IDCS_OK              IDCS_RENEG              Receipt of DL_NOTE_CAPAB_RENEG
2214  * IDCS_OK              IDCS_RESET_SENT         ill_capability_reset
2215  * IDCS_RESET_SENT      IDCS_UNKNOWN            ill_capability_ack_thr
2216  * IDCS_RENEG           IDCS_PROBE_SENT         ill_capability_ack_thr ->
2217  *                                                  ill_capability_probe.
2218  */
2219 
2220 /*
2221  * Dedicated thread started from ip_stack_init that handles capability
2222  * disable. This thread ensures the taskq dispatch does not fail by waiting
2223  * for resources using TQ_SLEEP. The taskq mechanism is used to ensure
2224  * that direct calls to DLD are done in a cv_waitable context.
2225  */
2226 void
2227 ill_taskq_dispatch(ip_stack_t *ipst)
2228 {
2229         callb_cpr_t cprinfo;
2230         char    name[64];
2231         mblk_t  *mp;
2232 
2233         (void) snprintf(name, sizeof (name), "ill_taskq_dispatch_%d",
2234             ipst->ips_netstack->netstack_stackid);
2235         CALLB_CPR_INIT(&cprinfo, &ipst->ips_capab_taskq_lock, callb_generic_cpr,
2236             name);
2237         mutex_enter(&ipst->ips_capab_taskq_lock);
2238 
2239         for (;;) {
2240                 mp = ipst->ips_capab_taskq_head;
2241                 while (mp != NULL) {
2242                         ipst->ips_capab_taskq_head = mp->b_next;
2243                         if (ipst->ips_capab_taskq_head == NULL)
2244                                 ipst->ips_capab_taskq_tail = NULL;
2245                         mutex_exit(&ipst->ips_capab_taskq_lock);
2246                         mp->b_next = NULL;
2247 
2248                         VERIFY(taskq_dispatch(system_taskq,
2249                             ill_capability_ack_thr, mp, TQ_SLEEP) != 0);
2250                         mutex_enter(&ipst->ips_capab_taskq_lock);
2251                         mp = ipst->ips_capab_taskq_head;
2252                 }
2253 
2254                 if (ipst->ips_capab_taskq_quit)
2255                         break;
2256                 CALLB_CPR_SAFE_BEGIN(&cprinfo);
2257                 cv_wait(&ipst->ips_capab_taskq_cv, &ipst->ips_capab_taskq_lock);
2258                 CALLB_CPR_SAFE_END(&cprinfo, &ipst->ips_capab_taskq_lock);
2259         }
2260         VERIFY(ipst->ips_capab_taskq_head == NULL);
2261         VERIFY(ipst->ips_capab_taskq_tail == NULL);
2262         CALLB_CPR_EXIT(&cprinfo);
2263         thread_exit();
2264 }
2265 
2266 /*
2267  * Consume a new-style hardware capabilities negotiation ack.
2268  * Called via taskq on receipt of DL_CAPABILITY_ACK.
2269  */
2270 static void
2271 ill_capability_ack_thr(void *arg)
2272 {
2273         mblk_t  *mp = arg;
2274         dl_capability_ack_t *capp;
2275         dl_capability_sub_t *subp, *endp;
2276         ill_t   *ill;
2277         boolean_t reneg;
2278 
2279         ill = (ill_t *)mp->b_prev;
2280         mp->b_prev = NULL;
2281 
2282         VERIFY(ipsq_enter(ill, B_FALSE, CUR_OP) == B_TRUE);
2283 
2284         if (ill->ill_dlpi_capab_state == IDCS_RESET_SENT ||
2285             ill->ill_dlpi_capab_state == IDCS_RENEG) {
2286                 /*
2287                  * We have received the ack for our DL_CAPAB reset request.
2288                  * There isnt' anything in the message that needs processing.
2289                  * All message based capabilities have been disabled, now
2290                  * do the function call based capability disable.
2291                  */
2292                 reneg = ill->ill_dlpi_capab_state == IDCS_RENEG;
2293                 ill_capability_dld_disable(ill);
2294                 ill->ill_dlpi_capab_state = IDCS_UNKNOWN;
2295                 if (reneg)
2296                         ill_capability_probe(ill);
2297                 goto done;
2298         }
2299 
2300         if (ill->ill_dlpi_capab_state == IDCS_PROBE_SENT)
2301                 ill->ill_dlpi_capab_state = IDCS_OK;
2302 
2303         capp = (dl_capability_ack_t *)mp->b_rptr;
2304 
2305         if (capp->dl_sub_length == 0) {
2306                 /* no new-style capabilities */
2307                 goto done;
2308         }
2309 
2310         /* make sure the driver supplied correct dl_sub_length */
2311         if ((sizeof (*capp) + capp->dl_sub_length) > MBLKL(mp)) {
2312                 ip0dbg(("ill_capability_ack: bad DL_CAPABILITY_ACK, "
2313                     "invalid dl_sub_length (%d)\n", capp->dl_sub_length));
2314                 goto done;
2315         }
2316 
2317 #define SC(base, offset) (dl_capability_sub_t *)(((uchar_t *)(base))+(offset))
2318         /*
2319          * There are sub-capabilities. Process the ones we know about.
2320          * Loop until we don't have room for another sub-cap header..
2321          */
2322         for (subp = SC(capp, capp->dl_sub_offset),
2323             endp = SC(subp, capp->dl_sub_length - sizeof (*subp));
2324             subp <= endp;
2325             subp = SC(subp, sizeof (dl_capability_sub_t) + subp->dl_length)) {
2326 
2327                 switch (subp->dl_cap) {
2328                 case DL_CAPAB_ID_WRAPPER:
2329                         ill_capability_id_ack(ill, mp, subp);
2330                         break;
2331                 default:
2332                         ill_capability_dispatch(ill, mp, subp);
2333                         break;
2334                 }
2335         }
2336 #undef SC
2337 done:
2338         inet_freemsg(mp);
2339         ill_capability_done(ill);
2340         ipsq_exit(ill->ill_phyint->phyint_ipsq);
2341 }
2342 
2343 /*
2344  * This needs to be started in a taskq thread to provide a cv_waitable
2345  * context.
2346  */
2347 void
2348 ill_capability_ack(ill_t *ill, mblk_t *mp)
2349 {
2350         ip_stack_t      *ipst = ill->ill_ipst;
2351 
2352         mp->b_prev = (mblk_t *)ill;
2353         ASSERT(mp->b_next == NULL);
2354 
2355         if (taskq_dispatch(system_taskq, ill_capability_ack_thr, mp,
2356             TQ_NOSLEEP) != 0)
2357                 return;
2358 
2359         /*
2360          * The taskq dispatch failed. Signal the ill_taskq_dispatch thread
2361          * which will do the dispatch using TQ_SLEEP to guarantee success.
2362          */
2363         mutex_enter(&ipst->ips_capab_taskq_lock);
2364         if (ipst->ips_capab_taskq_head == NULL) {
2365                 ASSERT(ipst->ips_capab_taskq_tail == NULL);
2366                 ipst->ips_capab_taskq_head = mp;
2367         } else {
2368                 ipst->ips_capab_taskq_tail->b_next = mp;
2369         }
2370         ipst->ips_capab_taskq_tail = mp;
2371 
2372         cv_signal(&ipst->ips_capab_taskq_cv);
2373         mutex_exit(&ipst->ips_capab_taskq_lock);
2374 }
2375 
2376 /*
2377  * This routine is called to scan the fragmentation reassembly table for
2378  * the specified ILL for any packets that are starting to smell.
2379  * dead_interval is the maximum time in seconds that will be tolerated.  It
2380  * will either be the value specified in ip_g_frag_timeout, or zero if the
2381  * ILL is shutting down and it is time to blow everything off.
2382  *
2383  * It returns the number of seconds (as a time_t) that the next frag timer
2384  * should be scheduled for, 0 meaning that the timer doesn't need to be
2385  * re-started.  Note that the method of calculating next_timeout isn't
2386  * entirely accurate since time will flow between the time we grab
2387  * current_time and the time we schedule the next timeout.  This isn't a
2388  * big problem since this is the timer for sending an ICMP reassembly time
2389  * exceeded messages, and it doesn't have to be exactly accurate.
2390  *
2391  * This function is
2392  * sometimes called as writer, although this is not required.
2393  */
2394 time_t
2395 ill_frag_timeout(ill_t *ill, time_t dead_interval)
2396 {
2397         ipfb_t  *ipfb;
2398         ipfb_t  *endp;
2399         ipf_t   *ipf;
2400         ipf_t   *ipfnext;
2401         mblk_t  *mp;
2402         time_t  current_time = gethrestime_sec();
2403         time_t  next_timeout = 0;
2404         uint32_t        hdr_length;
2405         mblk_t  *send_icmp_head;
2406         mblk_t  *send_icmp_head_v6;
2407         ip_stack_t *ipst = ill->ill_ipst;
2408         ip_recv_attr_t iras;
2409 
2410         bzero(&iras, sizeof (iras));
2411         iras.ira_flags = 0;
2412         iras.ira_ill = iras.ira_rill = ill;
2413         iras.ira_ruifindex = ill->ill_phyint->phyint_ifindex;
2414         iras.ira_rifindex = iras.ira_ruifindex;
2415 
2416         ipfb = ill->ill_frag_hash_tbl;
2417         if (ipfb == NULL)
2418                 return (B_FALSE);
2419         endp = &ipfb[ILL_FRAG_HASH_TBL_COUNT];
2420         /* Walk the frag hash table. */
2421         for (; ipfb < endp; ipfb++) {
2422                 send_icmp_head = NULL;
2423                 send_icmp_head_v6 = NULL;
2424                 mutex_enter(&ipfb->ipfb_lock);
2425                 while ((ipf = ipfb->ipfb_ipf) != 0) {
2426                         time_t frag_time = current_time - ipf->ipf_timestamp;
2427                         time_t frag_timeout;
2428 
2429                         if (frag_time < dead_interval) {
2430                                 /*
2431                                  * There are some outstanding fragments
2432                                  * that will timeout later.  Make note of
2433                                  * the time so that we can reschedule the
2434                                  * next timeout appropriately.
2435                                  */
2436                                 frag_timeout = dead_interval - frag_time;
2437                                 if (next_timeout == 0 ||
2438                                     frag_timeout < next_timeout) {
2439                                         next_timeout = frag_timeout;
2440                                 }
2441                                 break;
2442                         }
2443                         /* Time's up.  Get it out of here. */
2444                         hdr_length = ipf->ipf_nf_hdr_len;
2445                         ipfnext = ipf->ipf_hash_next;
2446                         if (ipfnext)
2447                                 ipfnext->ipf_ptphn = ipf->ipf_ptphn;
2448                         *ipf->ipf_ptphn = ipfnext;
2449                         mp = ipf->ipf_mp->b_cont;
2450                         for (; mp; mp = mp->b_cont) {
2451                                 /* Extra points for neatness. */
2452                                 IP_REASS_SET_START(mp, 0);
2453                                 IP_REASS_SET_END(mp, 0);
2454                         }
2455                         mp = ipf->ipf_mp->b_cont;
2456                         atomic_add_32(&ill->ill_frag_count, -ipf->ipf_count);
2457                         ASSERT(ipfb->ipfb_count >= ipf->ipf_count);
2458                         ipfb->ipfb_count -= ipf->ipf_count;
2459                         ASSERT(ipfb->ipfb_frag_pkts > 0);
2460                         ipfb->ipfb_frag_pkts--;
2461                         /*
2462                          * We do not send any icmp message from here because
2463                          * we currently are holding the ipfb_lock for this
2464                          * hash chain. If we try and send any icmp messages
2465                          * from here we may end up via a put back into ip
2466                          * trying to get the same lock, causing a recursive
2467                          * mutex panic. Instead we build a list and send all
2468                          * the icmp messages after we have dropped the lock.
2469                          */
2470                         if (ill->ill_isv6) {
2471                                 if (hdr_length != 0) {
2472                                         mp->b_next = send_icmp_head_v6;
2473                                         send_icmp_head_v6 = mp;
2474                                 } else {
2475                                         freemsg(mp);
2476                                 }
2477                         } else {
2478                                 if (hdr_length != 0) {
2479                                         mp->b_next = send_icmp_head;
2480                                         send_icmp_head = mp;
2481                                 } else {
2482                                         freemsg(mp);
2483                                 }
2484                         }
2485                         BUMP_MIB(ill->ill_ip_mib, ipIfStatsReasmFails);
2486                         ip_drop_input("ipIfStatsReasmFails", ipf->ipf_mp, ill);
2487                         freeb(ipf->ipf_mp);
2488                 }
2489                 mutex_exit(&ipfb->ipfb_lock);
2490                 /*
2491                  * Now need to send any icmp messages that we delayed from
2492                  * above.
2493                  */
2494                 while (send_icmp_head_v6 != NULL) {
2495                         ip6_t *ip6h;
2496 
2497                         mp = send_icmp_head_v6;
2498                         send_icmp_head_v6 = send_icmp_head_v6->b_next;
2499                         mp->b_next = NULL;
2500                         ip6h = (ip6_t *)mp->b_rptr;
2501                         iras.ira_flags = 0;
2502                         /*
2503                          * This will result in an incorrect ALL_ZONES zoneid
2504                          * for multicast packets, but we
2505                          * don't send ICMP errors for those in any case.
2506                          */
2507                         iras.ira_zoneid =
2508                             ipif_lookup_addr_zoneid_v6(&ip6h->ip6_dst,
2509                             ill, ipst);
2510                         ip_drop_input("ICMP_TIME_EXCEEDED reass", mp, ill);
2511                         icmp_time_exceeded_v6(mp,
2512                             ICMP_REASSEMBLY_TIME_EXCEEDED, B_FALSE,
2513                             &iras);
2514                         ASSERT(!(iras.ira_flags & IRAF_IPSEC_SECURE));
2515                 }
2516                 while (send_icmp_head != NULL) {
2517                         ipaddr_t dst;
2518 
2519                         mp = send_icmp_head;
2520                         send_icmp_head = send_icmp_head->b_next;
2521                         mp->b_next = NULL;
2522 
2523                         dst = ((ipha_t *)mp->b_rptr)->ipha_dst;
2524 
2525                         iras.ira_flags = IRAF_IS_IPV4;
2526                         /*
2527                          * This will result in an incorrect ALL_ZONES zoneid
2528                          * for broadcast and multicast packets, but we
2529                          * don't send ICMP errors for those in any case.
2530                          */
2531                         iras.ira_zoneid = ipif_lookup_addr_zoneid(dst,
2532                             ill, ipst);
2533                         ip_drop_input("ICMP_TIME_EXCEEDED reass", mp, ill);
2534                         icmp_time_exceeded(mp,
2535                             ICMP_REASSEMBLY_TIME_EXCEEDED, &iras);
2536                         ASSERT(!(iras.ira_flags & IRAF_IPSEC_SECURE));
2537                 }
2538         }
2539         /*
2540          * A non-dying ILL will use the return value to decide whether to
2541          * restart the frag timer, and for how long.
2542          */
2543         return (next_timeout);
2544 }
2545 
2546 /*
2547  * This routine is called when the approximate count of mblk memory used
2548  * for the specified ILL has exceeded max_count.
2549  */
2550 void
2551 ill_frag_prune(ill_t *ill, uint_t max_count)
2552 {
2553         ipfb_t  *ipfb;
2554         ipf_t   *ipf;
2555         size_t  count;
2556         clock_t now;
2557 
2558         /*
2559          * If we are here within ip_min_frag_prune_time msecs remove
2560          * ill_frag_free_num_pkts oldest packets from each bucket and increment
2561          * ill_frag_free_num_pkts.
2562          */
2563         mutex_enter(&ill->ill_lock);
2564         now = ddi_get_lbolt();
2565         if (TICK_TO_MSEC(now - ill->ill_last_frag_clean_time) <=
2566             (ip_min_frag_prune_time != 0 ?
2567             ip_min_frag_prune_time : msec_per_tick)) {
2568 
2569                 ill->ill_frag_free_num_pkts++;
2570 
2571         } else {
2572                 ill->ill_frag_free_num_pkts = 0;
2573         }
2574         ill->ill_last_frag_clean_time = now;
2575         mutex_exit(&ill->ill_lock);
2576 
2577         /*
2578          * free ill_frag_free_num_pkts oldest packets from each bucket.
2579          */
2580         if (ill->ill_frag_free_num_pkts != 0) {
2581                 int ix;
2582 
2583                 for (ix = 0; ix < ILL_FRAG_HASH_TBL_COUNT; ix++) {
2584                         ipfb = &ill->ill_frag_hash_tbl[ix];
2585                         mutex_enter(&ipfb->ipfb_lock);
2586                         if (ipfb->ipfb_ipf != NULL) {
2587                                 ill_frag_free_pkts(ill, ipfb, ipfb->ipfb_ipf,
2588                                     ill->ill_frag_free_num_pkts);
2589                         }
2590                         mutex_exit(&ipfb->ipfb_lock);
2591                 }
2592         }
2593         /*
2594          * While the reassembly list for this ILL is too big, prune a fragment
2595          * queue by age, oldest first.
2596          */
2597         while (ill->ill_frag_count > max_count) {
2598                 int     ix;
2599                 ipfb_t  *oipfb = NULL;
2600                 uint_t  oldest = UINT_MAX;
2601 
2602                 count = 0;
2603                 for (ix = 0; ix < ILL_FRAG_HASH_TBL_COUNT; ix++) {
2604                         ipfb = &ill->ill_frag_hash_tbl[ix];
2605                         mutex_enter(&ipfb->ipfb_lock);
2606                         ipf = ipfb->ipfb_ipf;
2607                         if (ipf != NULL && ipf->ipf_gen < oldest) {
2608                                 oldest = ipf->ipf_gen;
2609                                 oipfb = ipfb;
2610                         }
2611                         count += ipfb->ipfb_count;
2612                         mutex_exit(&ipfb->ipfb_lock);
2613                 }
2614                 if (oipfb == NULL)
2615                         break;
2616 
2617                 if (count <= max_count)
2618                         return; /* Somebody beat us to it, nothing to do */
2619                 mutex_enter(&oipfb->ipfb_lock);
2620                 ipf = oipfb->ipfb_ipf;
2621                 if (ipf != NULL) {
2622                         ill_frag_free_pkts(ill, oipfb, ipf, 1);
2623                 }
2624                 mutex_exit(&oipfb->ipfb_lock);
2625         }
2626 }
2627 
2628 /*
2629  * free 'free_cnt' fragmented packets starting at ipf.
2630  */
2631 void
2632 ill_frag_free_pkts(ill_t *ill, ipfb_t *ipfb, ipf_t *ipf, int free_cnt)
2633 {
2634         size_t  count;
2635         mblk_t  *mp;
2636         mblk_t  *tmp;
2637         ipf_t **ipfp = ipf->ipf_ptphn;
2638 
2639         ASSERT(MUTEX_HELD(&ipfb->ipfb_lock));
2640         ASSERT(ipfp != NULL);
2641         ASSERT(ipf != NULL);
2642 
2643         while (ipf != NULL && free_cnt-- > 0) {
2644                 count = ipf->ipf_count;
2645                 mp = ipf->ipf_mp;
2646                 ipf = ipf->ipf_hash_next;
2647                 for (tmp = mp; tmp; tmp = tmp->b_cont) {
2648                         IP_REASS_SET_START(tmp, 0);
2649                         IP_REASS_SET_END(tmp, 0);
2650                 }
2651                 atomic_add_32(&ill->ill_frag_count, -count);
2652                 ASSERT(ipfb->ipfb_count >= count);
2653                 ipfb->ipfb_count -= count;
2654                 ASSERT(ipfb->ipfb_frag_pkts > 0);
2655                 ipfb->ipfb_frag_pkts--;
2656                 BUMP_MIB(ill->ill_ip_mib, ipIfStatsReasmFails);
2657                 ip_drop_input("ipIfStatsReasmFails", mp, ill);
2658                 freemsg(mp);
2659         }
2660 
2661         if (ipf)
2662                 ipf->ipf_ptphn = ipfp;
2663         ipfp[0] = ipf;
2664 }
2665 
2666 /*
2667  * Helper function for ill_forward_set().
2668  */
2669 static void
2670 ill_forward_set_on_ill(ill_t *ill, boolean_t enable)
2671 {
2672         ip_stack_t      *ipst = ill->ill_ipst;
2673 
2674         ASSERT(IAM_WRITER_ILL(ill) || RW_READ_HELD(&ipst->ips_ill_g_lock));
2675 
2676         ip1dbg(("ill_forward_set: %s %s forwarding on %s",
2677             (enable ? "Enabling" : "Disabling"),
2678             (ill->ill_isv6 ? "IPv6" : "IPv4"), ill->ill_name));
2679         mutex_enter(&ill->ill_lock);
2680         if (enable)
2681                 ill->ill_flags |= ILLF_ROUTER;
2682         else
2683                 ill->ill_flags &= ~ILLF_ROUTER;
2684         mutex_exit(&ill->ill_lock);
2685         if (ill->ill_isv6)
2686                 ill_set_nce_router_flags(ill, enable);
2687         /* Notify routing socket listeners of this change. */
2688         if (ill->ill_ipif != NULL)
2689                 ip_rts_ifmsg(ill->ill_ipif, RTSQ_DEFAULT);
2690 }
2691 
2692 /*
2693  * Set an ill's ILLF_ROUTER flag appropriately.  Send up RTS_IFINFO routing
2694  * socket messages for each interface whose flags we change.
2695  */
2696 int
2697 ill_forward_set(ill_t *ill, boolean_t enable)
2698 {
2699         ipmp_illgrp_t *illg;
2700         ip_stack_t *ipst = ill->ill_ipst;
2701 
2702         ASSERT(IAM_WRITER_ILL(ill) || RW_READ_HELD(&ipst->ips_ill_g_lock));
2703 
2704         if ((enable && (ill->ill_flags & ILLF_ROUTER)) ||
2705             (!enable && !(ill->ill_flags & ILLF_ROUTER)))
2706                 return (0);
2707 
2708         if (IS_LOOPBACK(ill))
2709                 return (EINVAL);
2710 
2711         if (enable && ill->ill_allowed_ips_cnt > 0)
2712                 return (EPERM);
2713 
2714         if (IS_IPMP(ill) || IS_UNDER_IPMP(ill)) {
2715                 /*
2716                  * Update all of the interfaces in the group.
2717                  */
2718                 illg = ill->ill_grp;
2719                 ill = list_head(&illg->ig_if);
2720                 for (; ill != NULL; ill = list_next(&illg->ig_if, ill))
2721                         ill_forward_set_on_ill(ill, enable);
2722 
2723                 /*
2724                  * Update the IPMP meta-interface.
2725                  */
2726                 ill_forward_set_on_ill(ipmp_illgrp_ipmp_ill(illg), enable);
2727                 return (0);
2728         }
2729 
2730         ill_forward_set_on_ill(ill, enable);
2731         return (0);
2732 }
2733 
2734 /*
2735  * Based on the ILLF_ROUTER flag of an ill, make sure all local nce's for
2736  * addresses assigned to the ill have the NCE_F_ISROUTER flag appropriately
2737  * set or clear.
2738  */
2739 static void
2740 ill_set_nce_router_flags(ill_t *ill, boolean_t enable)
2741 {
2742         ipif_t *ipif;
2743         ncec_t *ncec;
2744         nce_t *nce;
2745 
2746         for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
2747                 /*
2748                  * NOTE: we match across the illgrp because nce's for
2749                  * addresses on IPMP interfaces have an nce_ill that points to
2750                  * the bound underlying ill.
2751                  */
2752                 nce = nce_lookup_v6(ill, &ipif->ipif_v6lcl_addr);
2753                 if (nce != NULL) {
2754                         ncec = nce->nce_common;
2755                         mutex_enter(&ncec->ncec_lock);
2756                         if (enable)
2757                                 ncec->ncec_flags |= NCE_F_ISROUTER;
2758                         else
2759                                 ncec->ncec_flags &= ~NCE_F_ISROUTER;
2760                         mutex_exit(&ncec->ncec_lock);
2761                         nce_refrele(nce);
2762                 }
2763         }
2764 }
2765 
2766 /*
2767  * Intializes the context structure and returns the first ill in the list
2768  * cuurently start_list and end_list can have values:
2769  * MAX_G_HEADS          Traverse both IPV4 and IPV6 lists.
2770  * IP_V4_G_HEAD         Traverse IPV4 list only.
2771  * IP_V6_G_HEAD         Traverse IPV6 list only.
2772  */
2773 
2774 /*
2775  * We don't check for CONDEMNED ills here. Caller must do that if
2776  * necessary under the ill lock.
2777  */
2778 ill_t *
2779 ill_first(int start_list, int end_list, ill_walk_context_t *ctx,
2780     ip_stack_t *ipst)
2781 {
2782         ill_if_t *ifp;
2783         ill_t *ill;
2784         avl_tree_t *avl_tree;
2785 
2786         ASSERT(RW_LOCK_HELD(&ipst->ips_ill_g_lock));
2787         ASSERT(end_list <= MAX_G_HEADS && start_list >= 0);
2788 
2789         /*
2790          * setup the lists to search
2791          */
2792         if (end_list != MAX_G_HEADS) {
2793                 ctx->ctx_current_list = start_list;
2794                 ctx->ctx_last_list = end_list;
2795         } else {
2796                 ctx->ctx_last_list = MAX_G_HEADS - 1;
2797                 ctx->ctx_current_list = 0;
2798         }
2799 
2800         while (ctx->ctx_current_list <= ctx->ctx_last_list) {
2801                 ifp = IP_VX_ILL_G_LIST(ctx->ctx_current_list, ipst);
2802                 if (ifp != (ill_if_t *)
2803                     &IP_VX_ILL_G_LIST(ctx->ctx_current_list, ipst)) {
2804                         avl_tree = &ifp->illif_avl_by_ppa;
2805                         ill = avl_first(avl_tree);
2806                         /*
2807                          * ill is guaranteed to be non NULL or ifp should have
2808                          * not existed.
2809                          */
2810                         ASSERT(ill != NULL);
2811                         return (ill);
2812                 }
2813                 ctx->ctx_current_list++;
2814         }
2815 
2816         return (NULL);
2817 }
2818 
2819 /*
2820  * returns the next ill in the list. ill_first() must have been called
2821  * before calling ill_next() or bad things will happen.
2822  */
2823 
2824 /*
2825  * We don't check for CONDEMNED ills here. Caller must do that if
2826  * necessary under the ill lock.
2827  */
2828 ill_t *
2829 ill_next(ill_walk_context_t *ctx, ill_t *lastill)
2830 {
2831         ill_if_t *ifp;
2832         ill_t *ill;
2833         ip_stack_t      *ipst = lastill->ill_ipst;
2834 
2835         ASSERT(lastill->ill_ifptr != (ill_if_t *)
2836             &IP_VX_ILL_G_LIST(ctx->ctx_current_list, ipst));
2837         if ((ill = avl_walk(&lastill->ill_ifptr->illif_avl_by_ppa, lastill,
2838             AVL_AFTER)) != NULL) {
2839                 return (ill);
2840         }
2841 
2842         /* goto next ill_ifp in the list. */
2843         ifp = lastill->ill_ifptr->illif_next;
2844 
2845         /* make sure not at end of circular list */
2846         while (ifp ==
2847             (ill_if_t *)&IP_VX_ILL_G_LIST(ctx->ctx_current_list, ipst)) {
2848                 if (++ctx->ctx_current_list > ctx->ctx_last_list)
2849                         return (NULL);
2850                 ifp = IP_VX_ILL_G_LIST(ctx->ctx_current_list, ipst);
2851         }
2852 
2853         return (avl_first(&ifp->illif_avl_by_ppa));
2854 }
2855 
2856 /*
2857  * Check interface name for correct format: [a-zA-Z]+[a-zA-Z0-9._]*[0-9]+
2858  * The final number (PPA) must not have any leading zeros.  Upon success, a
2859  * pointer to the start of the PPA is returned; otherwise NULL is returned.
2860  */
2861 static char *
2862 ill_get_ppa_ptr(char *name)
2863 {
2864         int namelen = strlen(name);
2865         int end_ndx = namelen - 1;
2866         int ppa_ndx, i;
2867 
2868         /*
2869          * Check that the first character is [a-zA-Z], and that the last
2870          * character is [0-9].
2871          */
2872         if (namelen == 0 || !isalpha(name[0]) || !isdigit(name[end_ndx]))
2873                 return (NULL);
2874 
2875         /*
2876          * Set `ppa_ndx' to the PPA start, and check for leading zeroes.
2877          */
2878         for (ppa_ndx = end_ndx; ppa_ndx > 0; ppa_ndx--)
2879                 if (!isdigit(name[ppa_ndx - 1]))
2880                         break;
2881 
2882         if (name[ppa_ndx] == '0' && ppa_ndx < end_ndx)
2883                 return (NULL);
2884 
2885         /*
2886          * Check that the intermediate characters are [a-z0-9.]
2887          */
2888         for (i = 1; i < ppa_ndx; i++) {
2889                 if (!isalpha(name[i]) && !isdigit(name[i]) &&
2890                     name[i] != '.' && name[i] != '_') {
2891                         return (NULL);
2892                 }
2893         }
2894 
2895         return (name + ppa_ndx);
2896 }
2897 
2898 /*
2899  * use avl tree to locate the ill.
2900  */
2901 static ill_t *
2902 ill_find_by_name(char *name, boolean_t isv6, ip_stack_t *ipst)
2903 {
2904         char *ppa_ptr = NULL;
2905         int len;
2906         uint_t ppa;
2907         ill_t *ill = NULL;
2908         ill_if_t *ifp;
2909         int list;
2910 
2911         /*
2912          * get ppa ptr
2913          */
2914         if (isv6)
2915                 list = IP_V6_G_HEAD;
2916         else
2917                 list = IP_V4_G_HEAD;
2918 
2919         if ((ppa_ptr = ill_get_ppa_ptr(name)) == NULL) {
2920                 return (NULL);
2921         }
2922 
2923         len = ppa_ptr - name + 1;
2924 
2925         ppa = stoi(&ppa_ptr);
2926 
2927         ifp = IP_VX_ILL_G_LIST(list, ipst);
2928 
2929         while (ifp != (ill_if_t *)&IP_VX_ILL_G_LIST(list, ipst)) {
2930                 /*
2931                  * match is done on len - 1 as the name is not null
2932                  * terminated it contains ppa in addition to the interface
2933                  * name.
2934                  */
2935                 if ((ifp->illif_name_len == len) &&
2936                     bcmp(ifp->illif_name, name, len - 1) == 0) {
2937                         break;
2938                 } else {
2939                         ifp = ifp->illif_next;
2940                 }
2941         }
2942 
2943         if (ifp == (ill_if_t *)&IP_VX_ILL_G_LIST(list, ipst)) {
2944                 /*
2945                  * Even the interface type does not exist.
2946                  */
2947                 return (NULL);
2948         }
2949 
2950         ill = avl_find(&ifp->illif_avl_by_ppa, (void *) &ppa, NULL);
2951         if (ill != NULL) {
2952                 mutex_enter(&ill->ill_lock);
2953                 if (ILL_CAN_LOOKUP(ill)) {
2954                         ill_refhold_locked(ill);
2955                         mutex_exit(&ill->ill_lock);
2956                         return (ill);
2957                 }
2958                 mutex_exit(&ill->ill_lock);
2959         }
2960         return (NULL);
2961 }
2962 
2963 /*
2964  * comparison function for use with avl.
2965  */
2966 static int
2967 ill_compare_ppa(const void *ppa_ptr, const void *ill_ptr)
2968 {
2969         uint_t ppa;
2970         uint_t ill_ppa;
2971 
2972         ASSERT(ppa_ptr != NULL && ill_ptr != NULL);
2973 
2974         ppa = *((uint_t *)ppa_ptr);
2975         ill_ppa = ((const ill_t *)ill_ptr)->ill_ppa;
2976         /*
2977          * We want the ill with the lowest ppa to be on the
2978          * top.
2979          */
2980         if (ill_ppa < ppa)
2981                 return (1);
2982         if (ill_ppa > ppa)
2983                 return (-1);
2984         return (0);
2985 }
2986 
2987 /*
2988  * remove an interface type from the global list.
2989  */
2990 static void
2991 ill_delete_interface_type(ill_if_t *interface)
2992 {
2993         ASSERT(interface != NULL);
2994         ASSERT(avl_numnodes(&interface->illif_avl_by_ppa) == 0);
2995 
2996         avl_destroy(&interface->illif_avl_by_ppa);
2997         if (interface->illif_ppa_arena != NULL)
2998                 vmem_destroy(interface->illif_ppa_arena);
2999 
3000         remque(interface);
3001 
3002         mi_free(interface);
3003 }
3004 
3005 /*
3006  * remove ill from the global list.
3007  */
3008 static void
3009 ill_glist_delete(ill_t *ill)
3010 {
3011         ip_stack_t      *ipst;
3012         phyint_t        *phyi;
3013 
3014         if (ill == NULL)
3015                 return;
3016         ipst = ill->ill_ipst;
3017         rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
3018 
3019         /*
3020          * If the ill was never inserted into the AVL tree
3021          * we skip the if branch.
3022          */
3023         if (ill->ill_ifptr != NULL) {
3024                 /*
3025                  * remove from AVL tree and free ppa number
3026                  */
3027                 avl_remove(&ill->ill_ifptr->illif_avl_by_ppa, ill);
3028 
3029                 if (ill->ill_ifptr->illif_ppa_arena != NULL) {
3030                         vmem_free(ill->ill_ifptr->illif_ppa_arena,
3031                             (void *)(uintptr_t)(ill->ill_ppa+1), 1);
3032                 }
3033                 if (avl_numnodes(&ill->ill_ifptr->illif_avl_by_ppa) == 0) {
3034                         ill_delete_interface_type(ill->ill_ifptr);
3035                 }
3036 
3037                 /*
3038                  * Indicate ill is no longer in the list.
3039                  */
3040                 ill->ill_ifptr = NULL;
3041                 ill->ill_name_length = 0;
3042                 ill->ill_name[0] = '\0';
3043                 ill->ill_ppa = UINT_MAX;
3044         }
3045 
3046         /* Generate one last event for this ill. */
3047         ill_nic_event_dispatch(ill, 0, NE_UNPLUMB, ill->ill_name,
3048             ill->ill_name_length);
3049 
3050         ASSERT(ill->ill_phyint != NULL);
3051         phyi = ill->ill_phyint;
3052         ill->ill_phyint = NULL;
3053 
3054         /*
3055          * ill_init allocates a phyint always to store the copy
3056          * of flags relevant to phyint. At that point in time, we could
3057          * not assign the name and hence phyint_illv4/v6 could not be
3058          * initialized. Later in ipif_set_values, we assign the name to
3059          * the ill, at which point in time we assign phyint_illv4/v6.
3060          * Thus we don't rely on phyint_illv6 to be initialized always.
3061          */
3062         if (ill->ill_flags & ILLF_IPV6)
3063                 phyi->phyint_illv6 = NULL;
3064         else
3065                 phyi->phyint_illv4 = NULL;
3066 
3067         if (phyi->phyint_illv4 != NULL || phyi->phyint_illv6 != NULL) {
3068                 rw_exit(&ipst->ips_ill_g_lock);
3069                 return;
3070         }
3071 
3072         /*
3073          * There are no ills left on this phyint; pull it out of the phyint
3074          * avl trees, and free it.
3075          */
3076         if (phyi->phyint_ifindex > 0) {
3077                 avl_remove(&ipst->ips_phyint_g_list->phyint_list_avl_by_index,
3078                     phyi);
3079                 avl_remove(&ipst->ips_phyint_g_list->phyint_list_avl_by_name,
3080                     phyi);
3081         }
3082         rw_exit(&ipst->ips_ill_g_lock);
3083 
3084         phyint_free(phyi);
3085 }
3086 
3087 /*
3088  * allocate a ppa, if the number of plumbed interfaces of this type are
3089  * less than ill_no_arena do a linear search to find a unused ppa.
3090  * When the number goes beyond ill_no_arena switch to using an arena.
3091  * Note: ppa value of zero cannot be allocated from vmem_arena as it
3092  * is the return value for an error condition, so allocation starts at one
3093  * and is decremented by one.
3094  */
3095 static int
3096 ill_alloc_ppa(ill_if_t *ifp, ill_t *ill)
3097 {
3098         ill_t *tmp_ill;
3099         uint_t start, end;
3100         int ppa;
3101 
3102         if (ifp->illif_ppa_arena == NULL &&
3103             (avl_numnodes(&ifp->illif_avl_by_ppa) + 1 > ill_no_arena)) {
3104                 /*
3105                  * Create an arena.
3106                  */
3107                 ifp->illif_ppa_arena = vmem_create(ifp->illif_name,
3108                     (void *)1, UINT_MAX - 1, 1, NULL, NULL,
3109                     NULL, 0, VM_SLEEP | VMC_IDENTIFIER);
3110                         /* allocate what has already been assigned */
3111                 for (tmp_ill = avl_first(&ifp->illif_avl_by_ppa);
3112                     tmp_ill != NULL; tmp_ill = avl_walk(&ifp->illif_avl_by_ppa,
3113                     tmp_ill, AVL_AFTER)) {
3114                         ppa = (int)(uintptr_t)vmem_xalloc(ifp->illif_ppa_arena,
3115                             1,          /* size */
3116                             1,          /* align/quantum */
3117                             0,          /* phase */
3118                             0,          /* nocross */
3119                             /* minaddr */
3120                             (void *)((uintptr_t)tmp_ill->ill_ppa + 1),
3121                             /* maxaddr */
3122                             (void *)((uintptr_t)tmp_ill->ill_ppa + 2),
3123                             VM_NOSLEEP|VM_FIRSTFIT);
3124                         if (ppa == 0) {
3125                                 ip1dbg(("ill_alloc_ppa: ppa allocation"
3126                                     " failed while switching"));
3127                                 vmem_destroy(ifp->illif_ppa_arena);
3128                                 ifp->illif_ppa_arena = NULL;
3129                                 break;
3130                         }
3131                 }
3132         }
3133 
3134         if (ifp->illif_ppa_arena != NULL) {
3135                 if (ill->ill_ppa == UINT_MAX) {
3136                         ppa = (int)(uintptr_t)vmem_alloc(ifp->illif_ppa_arena,
3137                             1, VM_NOSLEEP|VM_FIRSTFIT);
3138                         if (ppa == 0)
3139                                 return (EAGAIN);
3140                         ill->ill_ppa = --ppa;
3141                 } else {
3142                         ppa = (int)(uintptr_t)vmem_xalloc(ifp->illif_ppa_arena,
3143                             1,          /* size */
3144                             1,          /* align/quantum */
3145                             0,          /* phase */
3146                             0,          /* nocross */
3147                             (void *)(uintptr_t)(ill->ill_ppa + 1), /* minaddr */
3148                             (void *)(uintptr_t)(ill->ill_ppa + 2), /* maxaddr */
3149                             VM_NOSLEEP|VM_FIRSTFIT);
3150                         /*
3151                          * Most likely the allocation failed because
3152                          * the requested ppa was in use.
3153                          */
3154                         if (ppa == 0)
3155                                 return (EEXIST);
3156                 }
3157                 return (0);
3158         }
3159 
3160         /*
3161          * No arena is in use and not enough (>ill_no_arena) interfaces have
3162          * been plumbed to create one. Do a linear search to get a unused ppa.
3163          */
3164         if (ill->ill_ppa == UINT_MAX) {
3165                 end = UINT_MAX - 1;
3166                 start = 0;
3167         } else {
3168                 end = start = ill->ill_ppa;
3169         }
3170 
3171         tmp_ill = avl_find(&ifp->illif_avl_by_ppa, (void *)&start, NULL);
3172         while (tmp_ill != NULL && tmp_ill->ill_ppa == start) {
3173                 if (start++ >= end) {
3174                         if (ill->ill_ppa == UINT_MAX)
3175                                 return (EAGAIN);
3176                         else
3177                                 return (EEXIST);
3178                 }
3179                 tmp_ill = avl_walk(&ifp->illif_avl_by_ppa, tmp_ill, AVL_AFTER);
3180         }
3181         ill->ill_ppa = start;
3182         return (0);
3183 }
3184 
3185 /*
3186  * Insert ill into the list of configured ill's. Once this function completes,
3187  * the ill is globally visible and is available through lookups. More precisely
3188  * this happens after the caller drops the ill_g_lock.
3189  */
3190 static int
3191 ill_glist_insert(ill_t *ill, char *name, boolean_t isv6)
3192 {
3193         ill_if_t *ill_interface;
3194         avl_index_t where = 0;
3195         int error;
3196         int name_length;
3197         int index;
3198         boolean_t check_length = B_FALSE;
3199         ip_stack_t      *ipst = ill->ill_ipst;
3200 
3201         ASSERT(RW_WRITE_HELD(&ipst->ips_ill_g_lock));
3202 
3203         name_length = mi_strlen(name) + 1;
3204 
3205         if (isv6)
3206                 index = IP_V6_G_HEAD;
3207         else
3208                 index = IP_V4_G_HEAD;
3209 
3210         ill_interface = IP_VX_ILL_G_LIST(index, ipst);
3211         /*
3212          * Search for interface type based on name
3213          */
3214         while (ill_interface != (ill_if_t *)&IP_VX_ILL_G_LIST(index, ipst)) {
3215                 if ((ill_interface->illif_name_len == name_length) &&
3216                     (strcmp(ill_interface->illif_name, name) == 0)) {
3217                         break;
3218                 }
3219                 ill_interface = ill_interface->illif_next;
3220         }
3221 
3222         /*
3223          * Interface type not found, create one.
3224          */
3225         if (ill_interface == (ill_if_t *)&IP_VX_ILL_G_LIST(index, ipst)) {
3226                 ill_g_head_t ghead;
3227 
3228                 /*
3229                  * allocate ill_if_t structure
3230                  */
3231                 ill_interface = (ill_if_t *)mi_zalloc(sizeof (ill_if_t));
3232                 if (ill_interface == NULL) {
3233                         return (ENOMEM);
3234                 }
3235 
3236                 (void) strcpy(ill_interface->illif_name, name);
3237                 ill_interface->illif_name_len = name_length;
3238 
3239                 avl_create(&ill_interface->illif_avl_by_ppa,
3240                     ill_compare_ppa, sizeof (ill_t),
3241                     offsetof(struct ill_s, ill_avl_byppa));
3242 
3243                 /*
3244                  * link the structure in the back to maintain order
3245                  * of configuration for ifconfig output.
3246                  */
3247                 ghead = ipst->ips_ill_g_heads[index];
3248                 insque(ill_interface, ghead.ill_g_list_tail);
3249         }
3250 
3251         if (ill->ill_ppa == UINT_MAX)
3252                 check_length = B_TRUE;
3253 
3254         error = ill_alloc_ppa(ill_interface, ill);
3255         if (error != 0) {
3256                 if (avl_numnodes(&ill_interface->illif_avl_by_ppa) == 0)
3257                         ill_delete_interface_type(ill->ill_ifptr);
3258                 return (error);
3259         }
3260 
3261         /*
3262          * When the ppa is choosen by the system, check that there is
3263          * enough space to insert ppa. if a specific ppa was passed in this
3264          * check is not required as the interface name passed in will have
3265          * the right ppa in it.
3266          */
3267         if (check_length) {
3268                 /*
3269                  * UINT_MAX - 1 should fit in 10 chars, alloc 12 chars.
3270                  */
3271                 char buf[sizeof (uint_t) * 3];
3272 
3273                 /*
3274                  * convert ppa to string to calculate the amount of space
3275                  * required for it in the name.
3276                  */
3277                 numtos(ill->ill_ppa, buf);
3278 
3279                 /* Do we have enough space to insert ppa ? */
3280 
3281                 if ((mi_strlen(name) + mi_strlen(buf) + 1) > LIFNAMSIZ) {
3282                         /* Free ppa and interface type struct */
3283                         if (ill_interface->illif_ppa_arena != NULL) {
3284                                 vmem_free(ill_interface->illif_ppa_arena,
3285                                     (void *)(uintptr_t)(ill->ill_ppa+1), 1);
3286                         }
3287                         if (avl_numnodes(&ill_interface->illif_avl_by_ppa) == 0)
3288                                 ill_delete_interface_type(ill->ill_ifptr);
3289 
3290                         return (EINVAL);
3291                 }
3292         }
3293 
3294         (void) sprintf(ill->ill_name, "%s%u", name, ill->ill_ppa);
3295         ill->ill_name_length = mi_strlen(ill->ill_name) + 1;
3296 
3297         (void) avl_find(&ill_interface->illif_avl_by_ppa, &ill->ill_ppa,
3298             &where);
3299         ill->ill_ifptr = ill_interface;
3300         avl_insert(&ill_interface->illif_avl_by_ppa, ill, where);
3301 
3302         ill_phyint_reinit(ill);
3303         return (0);
3304 }
3305 
3306 /* Initialize the per phyint ipsq used for serialization */
3307 static boolean_t
3308 ipsq_init(ill_t *ill, boolean_t enter)
3309 {
3310         ipsq_t  *ipsq;
3311         ipxop_t *ipx;
3312 
3313         if ((ipsq = kmem_zalloc(sizeof (ipsq_t), KM_NOSLEEP)) == NULL)
3314                 return (B_FALSE);
3315 
3316         ill->ill_phyint->phyint_ipsq = ipsq;
3317         ipx = ipsq->ipsq_xop = &ipsq->ipsq_ownxop;
3318         ipx->ipx_ipsq = ipsq;
3319         ipsq->ipsq_next = ipsq;
3320         ipsq->ipsq_phyint = ill->ill_phyint;
3321         mutex_init(&ipsq->ipsq_lock, NULL, MUTEX_DEFAULT, 0);
3322         mutex_init(&ipx->ipx_lock, NULL, MUTEX_DEFAULT, 0);
3323         ipsq->ipsq_ipst = ill->ill_ipst;  /* No netstack_hold */
3324         if (enter) {
3325                 ipx->ipx_writer = curthread;
3326                 ipx->ipx_forced = B_FALSE;
3327                 ipx->ipx_reentry_cnt = 1;
3328 #ifdef DEBUG
3329                 ipx->ipx_depth = getpcstack(ipx->ipx_stack, IPX_STACK_DEPTH);
3330 #endif
3331         }
3332         return (B_TRUE);
3333 }
3334 
3335 /*
3336  * Here we perform initialisation of the ill_t common to both regular
3337  * interface ILLs and the special loopback ILL created by ill_lookup_on_name.
3338  */
3339 static int
3340 ill_init_common(ill_t *ill, queue_t *q, boolean_t isv6, boolean_t is_loopback,
3341     boolean_t ipsq_enter)
3342 {
3343         int count;
3344         uchar_t *frag_ptr;
3345 
3346         mutex_init(&ill->ill_lock, NULL, MUTEX_DEFAULT, 0);
3347         mutex_init(&ill->ill_saved_ire_lock, NULL, MUTEX_DEFAULT, NULL);
3348         ill->ill_saved_ire_cnt = 0;
3349 
3350         if (is_loopback) {
3351                 ill->ill_max_frag = isv6 ? ip_loopback_mtu_v6plus :
3352                     ip_loopback_mtuplus;
3353                 /*
3354                  * No resolver here.
3355                  */
3356                 ill->ill_net_type = IRE_LOOPBACK;
3357         } else {
3358                 ill->ill_rq = q;
3359                 ill->ill_wq = WR(q);
3360                 ill->ill_ppa = UINT_MAX;
3361         }
3362 
3363         ill->ill_isv6 = isv6;
3364 
3365         /*
3366          * Allocate sufficient space to contain our fragment hash table and
3367          * the device name.
3368          */
3369         frag_ptr = (uchar_t *)mi_zalloc(ILL_FRAG_HASH_TBL_SIZE + 2 * LIFNAMSIZ);
3370         if (frag_ptr == NULL)
3371                 return (ENOMEM);
3372         ill->ill_frag_ptr = frag_ptr;
3373         ill->ill_frag_free_num_pkts = 0;
3374         ill->ill_last_frag_clean_time = 0;
3375         ill->ill_frag_hash_tbl = (ipfb_t *)frag_ptr;
3376         ill->ill_name = (char *)(frag_ptr + ILL_FRAG_HASH_TBL_SIZE);
3377         for (count = 0; count < ILL_FRAG_HASH_TBL_COUNT; count++) {
3378                 mutex_init(&ill->ill_frag_hash_tbl[count].ipfb_lock,
3379                     NULL, MUTEX_DEFAULT, NULL);
3380         }
3381 
3382         ill->ill_phyint = (phyint_t *)mi_zalloc(sizeof (phyint_t));
3383         if (ill->ill_phyint == NULL) {
3384                 mi_free(frag_ptr);
3385                 return (ENOMEM);
3386         }
3387 
3388         mutex_init(&ill->ill_phyint->phyint_lock, NULL, MUTEX_DEFAULT, 0);
3389         if (isv6) {
3390                 ill->ill_phyint->phyint_illv6 = ill;
3391         } else {
3392                 ill->ill_phyint->phyint_illv4 = ill;
3393         }
3394         if (is_loopback) {
3395                 phyint_flags_init(ill->ill_phyint, DL_LOOP);
3396         }
3397 
3398         list_create(&ill->ill_nce, sizeof (nce_t), offsetof(nce_t, nce_node));
3399 
3400         ill_set_inputfn(ill);
3401 
3402         if (!ipsq_init(ill, ipsq_enter)) {
3403                 mi_free(frag_ptr);
3404                 mi_free(ill->ill_phyint);
3405                 return (ENOMEM);
3406         }
3407 
3408         /* Frag queue limit stuff */
3409         ill->ill_frag_count = 0;
3410         ill->ill_ipf_gen = 0;
3411 
3412         rw_init(&ill->ill_mcast_lock, NULL, RW_DEFAULT, NULL);
3413         mutex_init(&ill->ill_mcast_serializer, NULL, MUTEX_DEFAULT, NULL);
3414         ill->ill_global_timer = INFINITY;
3415         ill->ill_mcast_v1_time = ill->ill_mcast_v2_time = 0;
3416         ill->ill_mcast_v1_tset = ill->ill_mcast_v2_tset = 0;
3417         ill->ill_mcast_rv = MCAST_DEF_ROBUSTNESS;
3418         ill->ill_mcast_qi = MCAST_DEF_QUERY_INTERVAL;
3419 
3420         /*
3421          * Initialize IPv6 configuration variables.  The IP module is always
3422          * opened as an IPv4 module.  Instead tracking down the cases where
3423          * it switches to do ipv6, we'll just initialize the IPv6 configuration
3424          * here for convenience, this has no effect until the ill is set to do
3425          * IPv6.
3426          */
3427         ill->ill_reachable_time = ND_REACHABLE_TIME;
3428         ill->ill_xmit_count = ND_MAX_MULTICAST_SOLICIT;
3429         ill->ill_max_buf = ND_MAX_Q;
3430         ill->ill_refcnt = 0;
3431 
3432         return (0);
3433 }
3434 
3435 /*
3436  * ill_init is called by ip_open when a device control stream is opened.
3437  * It does a few initializations, and shoots a DL_INFO_REQ message down
3438  * to the driver.  The response is later picked up in ip_rput_dlpi and
3439  * used to set up default mechanisms for talking to the driver.  (Always
3440  * called as writer.)
3441  *
3442  * If this function returns error, ip_open will call ip_close which in
3443  * turn will call ill_delete to clean up any memory allocated here that
3444  * is not yet freed.
3445  *
3446  * Note: ill_ipst and ill_zoneid must be set before calling ill_init.
3447  */
3448 int
3449 ill_init(queue_t *q, ill_t *ill)
3450 {
3451         int ret;
3452         dl_info_req_t   *dlir;
3453         mblk_t  *info_mp;
3454 
3455         info_mp = allocb(MAX(sizeof (dl_info_req_t), sizeof (dl_info_ack_t)),
3456             BPRI_HI);
3457         if (info_mp == NULL)
3458                 return (ENOMEM);
3459 
3460         /*
3461          * The ill is initialized to zero by mi_alloc*(). In addition
3462          * some fields already contain valid values, initialized in
3463          * ip_open(), before we reach here.
3464          *
3465          * For now pretend this is a v4 ill. We need to set phyint_ill*
3466          * at this point because of the following reason. If we can't
3467          * enter the ipsq at some point and cv_wait, the writer that
3468          * wakes us up tries to locate us using the list of all phyints
3469          * in an ipsq and the ills from the phyint thru the phyint_ill*.
3470          * If we don't set it now, we risk a missed wakeup.
3471          */
3472         if ((ret = ill_init_common(ill, q, B_FALSE, B_FALSE, B_TRUE)) != 0) {
3473                 freemsg(info_mp);
3474                 return (ret);
3475         }
3476 
3477         ill->ill_state_flags |= ILL_LL_SUBNET_PENDING;
3478 
3479         /* Send down the Info Request to the driver. */
3480         info_mp->b_datap->db_type = M_PCPROTO;
3481         dlir = (dl_info_req_t *)info_mp->b_rptr;
3482         info_mp->b_wptr = (uchar_t *)&dlir[1];
3483         dlir->dl_primitive = DL_INFO_REQ;
3484 
3485         ill->ill_dlpi_pending = DL_PRIM_INVAL;
3486 
3487         qprocson(q);
3488         ill_dlpi_send(ill, info_mp);
3489 
3490         return (0);
3491 }
3492 
3493 /*
3494  * ill_dls_info
3495  * creates datalink socket info from the device.
3496  */
3497 int
3498 ill_dls_info(struct sockaddr_dl *sdl, const ill_t *ill)
3499 {
3500         size_t  len;
3501 
3502         sdl->sdl_family = AF_LINK;
3503         sdl->sdl_index = ill_get_upper_ifindex(ill);
3504         sdl->sdl_type = ill->ill_type;
3505         ill_get_name(ill, sdl->sdl_data, sizeof (sdl->sdl_data));
3506         len = strlen(sdl->sdl_data);
3507         ASSERT(len < 256);
3508         sdl->sdl_nlen = (uchar_t)len;
3509         sdl->sdl_alen = ill->ill_phys_addr_length;
3510         sdl->sdl_slen = 0;
3511         if (ill->ill_phys_addr_length != 0 && ill->ill_phys_addr != NULL)
3512                 bcopy(ill->ill_phys_addr, &sdl->sdl_data[len], sdl->sdl_alen);
3513 
3514         return (sizeof (struct sockaddr_dl));
3515 }
3516 
3517 /*
3518  * ill_xarp_info
3519  * creates xarp info from the device.
3520  */
3521 static int
3522 ill_xarp_info(struct sockaddr_dl *sdl, ill_t *ill)
3523 {
3524         sdl->sdl_family = AF_LINK;
3525         sdl->sdl_index = ill->ill_phyint->phyint_ifindex;
3526         sdl->sdl_type = ill->ill_type;
3527         ill_get_name(ill, sdl->sdl_data, sizeof (sdl->sdl_data));
3528         sdl->sdl_nlen = (uchar_t)mi_strlen(sdl->sdl_data);
3529         sdl->sdl_alen = ill->ill_phys_addr_length;
3530         sdl->sdl_slen = 0;
3531         return (sdl->sdl_nlen);
3532 }
3533 
3534 static int
3535 loopback_kstat_update(kstat_t *ksp, int rw)
3536 {
3537         kstat_named_t *kn;
3538         netstackid_t    stackid;
3539         netstack_t      *ns;
3540         ip_stack_t      *ipst;
3541 
3542         if (ksp == NULL || ksp->ks_data == NULL)
3543                 return (EIO);
3544 
3545         if (rw == KSTAT_WRITE)
3546                 return (EACCES);
3547 
3548         kn = KSTAT_NAMED_PTR(ksp);
3549         stackid = (zoneid_t)(uintptr_t)ksp->ks_private;
3550 
3551         ns = netstack_find_by_stackid(stackid);
3552         if (ns == NULL)
3553                 return (-1);
3554 
3555         ipst = ns->netstack_ip;
3556         if (ipst == NULL) {
3557                 netstack_rele(ns);
3558                 return (-1);
3559         }
3560         kn[0].value.ui32 = ipst->ips_loopback_packets;
3561         kn[1].value.ui32 = ipst->ips_loopback_packets;
3562         netstack_rele(ns);
3563         return (0);
3564 }
3565 
3566 /*
3567  * Has ifindex been plumbed already?
3568  */
3569 static boolean_t
3570 phyint_exists(uint_t index, ip_stack_t *ipst)
3571 {
3572         ASSERT(index != 0);
3573         ASSERT(RW_LOCK_HELD(&ipst->ips_ill_g_lock));
3574 
3575         return (avl_find(&ipst->ips_phyint_g_list->phyint_list_avl_by_index,
3576             &index, NULL) != NULL);
3577 }
3578 
3579 /*
3580  * Pick a unique ifindex.
3581  * When the index counter passes IF_INDEX_MAX for the first time, the wrap
3582  * flag is set so that next time time ip_assign_ifindex() is called, it
3583  * falls through and resets the index counter back to 1, the minimum value
3584  * for the interface index. The logic below assumes that ips_ill_index
3585  * can hold a value of IF_INDEX_MAX+1 without there being any loss
3586  * (i.e. reset back to 0.)
3587  */
3588 boolean_t
3589 ip_assign_ifindex(uint_t *indexp, ip_stack_t *ipst)
3590 {
3591         uint_t loops;
3592 
3593         if (!ipst->ips_ill_index_wrap) {
3594                 *indexp = ipst->ips_ill_index++;
3595                 if (ipst->ips_ill_index > IF_INDEX_MAX) {
3596                         /*
3597                          * Reached the maximum ifindex value, set the wrap
3598                          * flag to indicate that it is no longer possible
3599                          * to assume that a given index is unallocated.
3600                          */
3601                         ipst->ips_ill_index_wrap = B_TRUE;
3602                 }
3603                 return (B_TRUE);
3604         }
3605 
3606         if (ipst->ips_ill_index > IF_INDEX_MAX)
3607                 ipst->ips_ill_index = 1;
3608 
3609         /*
3610          * Start reusing unused indexes. Note that we hold the ill_g_lock
3611          * at this point and don't want to call any function that attempts
3612          * to get the lock again.
3613          */
3614         for (loops = IF_INDEX_MAX; loops > 0; loops--) {
3615                 if (!phyint_exists(ipst->ips_ill_index, ipst)) {
3616                         /* found unused index - use it */
3617                         *indexp = ipst->ips_ill_index;
3618                         return (B_TRUE);
3619                 }
3620 
3621                 ipst->ips_ill_index++;
3622                 if (ipst->ips_ill_index > IF_INDEX_MAX)
3623                         ipst->ips_ill_index = 1;
3624         }
3625 
3626         /*
3627          * all interface indicies are inuse.
3628          */
3629         return (B_FALSE);
3630 }
3631 
3632 /*
3633  * Assign a unique interface index for the phyint.
3634  */
3635 static boolean_t
3636 phyint_assign_ifindex(phyint_t *phyi, ip_stack_t *ipst)
3637 {
3638         ASSERT(phyi->phyint_ifindex == 0);
3639         return (ip_assign_ifindex(&phyi->phyint_ifindex, ipst));
3640 }
3641 
3642 /*
3643  * Initialize the flags on `phyi' as per the provided mactype.
3644  */
3645 static void
3646 phyint_flags_init(phyint_t *phyi, t_uscalar_t mactype)
3647 {
3648         uint64_t flags = 0;
3649 
3650         /*
3651          * Initialize PHYI_RUNNING and PHYI_FAILED.  For non-IPMP interfaces,
3652          * we always presume the underlying hardware is working and set
3653          * PHYI_RUNNING (if it's not, the driver will subsequently send a
3654          * DL_NOTE_LINK_DOWN message).  For IPMP interfaces, at initialization
3655          * there are no active interfaces in the group so we set PHYI_FAILED.
3656          */
3657         if (mactype == SUNW_DL_IPMP)
3658                 flags |= PHYI_FAILED;
3659         else
3660                 flags |= PHYI_RUNNING;
3661 
3662         switch (mactype) {
3663         case SUNW_DL_VNI:
3664                 flags |= PHYI_VIRTUAL;
3665                 break;
3666         case SUNW_DL_IPMP:
3667                 flags |= PHYI_IPMP;
3668                 break;
3669         case DL_LOOP:
3670                 flags |= (PHYI_LOOPBACK | PHYI_VIRTUAL);
3671                 break;
3672         }
3673 
3674         mutex_enter(&phyi->phyint_lock);
3675         phyi->phyint_flags |= flags;
3676         mutex_exit(&phyi->phyint_lock);
3677 }
3678 
3679 /*
3680  * Return a pointer to the ill which matches the supplied name.  Note that
3681  * the ill name length includes the null termination character.  (May be
3682  * called as writer.)
3683  * If do_alloc and the interface is "lo0" it will be automatically created.
3684  * Cannot bump up reference on condemned ills. So dup detect can't be done
3685  * using this func.
3686  */
3687 ill_t *
3688 ill_lookup_on_name(char *name, boolean_t do_alloc, boolean_t isv6,
3689     boolean_t *did_alloc, ip_stack_t *ipst)
3690 {
3691         ill_t   *ill;
3692         ipif_t  *ipif;
3693         ipsq_t  *ipsq;
3694         kstat_named_t   *kn;
3695         boolean_t isloopback;
3696         in6_addr_t ov6addr;
3697 
3698         isloopback = mi_strcmp(name, ipif_loopback_name) == 0;
3699 
3700         rw_enter(&ipst->ips_ill_g_lock, RW_READER);
3701         ill = ill_find_by_name(name, isv6, ipst);
3702         rw_exit(&ipst->ips_ill_g_lock);
3703         if (ill != NULL)
3704                 return (ill);
3705 
3706         /*
3707          * Couldn't find it.  Does this happen to be a lookup for the
3708          * loopback device and are we allowed to allocate it?
3709          */
3710         if (!isloopback || !do_alloc)
3711                 return (NULL);
3712 
3713         rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
3714         ill = ill_find_by_name(name, isv6, ipst);
3715         if (ill != NULL) {
3716                 rw_exit(&ipst->ips_ill_g_lock);
3717                 return (ill);
3718         }
3719 
3720         /* Create the loopback device on demand */
3721         ill = (ill_t *)(mi_alloc(sizeof (ill_t) +
3722             sizeof (ipif_loopback_name), BPRI_MED));
3723         if (ill == NULL)
3724                 goto done;
3725 
3726         bzero(ill, sizeof (*ill));
3727         ill->ill_ipst = ipst;
3728         netstack_hold(ipst->ips_netstack);
3729         /*
3730          * For exclusive stacks we set the zoneid to zero
3731          * to make IP operate as if in the global zone.
3732          */
3733         ill->ill_zoneid = GLOBAL_ZONEID;
3734 
3735         if (ill_init_common(ill, NULL, isv6, B_TRUE, B_FALSE) != 0)
3736                 goto done;
3737 
3738         if (!ill_allocate_mibs(ill))
3739                 goto done;
3740 
3741         ill->ill_current_frag = ill->ill_max_frag;
3742         ill->ill_mtu = ill->ill_max_frag; /* Initial value */
3743         ill->ill_mc_mtu = ill->ill_mtu;
3744         /*
3745          * ipif_loopback_name can't be pointed at directly because its used
3746          * by both the ipv4 and ipv6 interfaces.  When the ill is removed
3747          * from the glist, ill_glist_delete() sets the first character of
3748          * ill_name to '\0'.
3749          */
3750         ill->ill_name = (char *)ill + sizeof (*ill);
3751         (void) strcpy(ill->ill_name, ipif_loopback_name);
3752         ill->ill_name_length = sizeof (ipif_loopback_name);
3753         /* Set ill_dlpi_pending for ipsq_current_finish() to work properly */
3754         ill->ill_dlpi_pending = DL_PRIM_INVAL;
3755 
3756         ipif = ipif_allocate(ill, 0L, IRE_LOOPBACK, B_TRUE, B_TRUE, NULL);
3757         if (ipif == NULL)
3758                 goto done;
3759 
3760         ill->ill_flags = ILLF_MULTICAST;
3761 
3762         ov6addr = ipif->ipif_v6lcl_addr;
3763         /* Set up default loopback address and mask. */
3764         if (!isv6) {
3765                 ipaddr_t inaddr_loopback = htonl(INADDR_LOOPBACK);
3766 
3767                 IN6_IPADDR_TO_V4MAPPED(inaddr_loopback, &ipif->ipif_v6lcl_addr);
3768                 V4MASK_TO_V6(htonl(IN_CLASSA_NET), ipif->ipif_v6net_mask);
3769                 V6_MASK_COPY(ipif->ipif_v6lcl_addr, ipif->ipif_v6net_mask,
3770                     ipif->ipif_v6subnet);
3771                 ill->ill_flags |= ILLF_IPV4;
3772         } else {
3773                 ipif->ipif_v6lcl_addr = ipv6_loopback;
3774                 ipif->ipif_v6net_mask = ipv6_all_ones;
3775                 V6_MASK_COPY(ipif->ipif_v6lcl_addr, ipif->ipif_v6net_mask,
3776                     ipif->ipif_v6subnet);
3777                 ill->ill_flags |= ILLF_IPV6;
3778         }
3779 
3780         /*
3781          * Chain us in at the end of the ill list. hold the ill
3782          * before we make it globally visible. 1 for the lookup.
3783          */
3784         ill_refhold(ill);
3785 
3786         ipsq = ill->ill_phyint->phyint_ipsq;
3787 
3788         if (ill_glist_insert(ill, "lo", isv6) != 0)
3789                 cmn_err(CE_PANIC, "cannot insert loopback interface");
3790 
3791         /* Let SCTP know so that it can add this to its list */
3792         sctp_update_ill(ill, SCTP_ILL_INSERT);
3793 
3794         /*
3795          * We have already assigned ipif_v6lcl_addr above, but we need to
3796          * call sctp_update_ipif_addr() after SCTP_ILL_INSERT, which
3797          * requires to be after ill_glist_insert() since we need the
3798          * ill_index set. Pass on ipv6_loopback as the old address.
3799          */
3800         sctp_update_ipif_addr(ipif, ov6addr);
3801 
3802         ip_rts_newaddrmsg(RTM_CHGADDR, 0, ipif, RTSQ_DEFAULT);
3803 
3804         /*
3805          * ill_glist_insert() -> ill_phyint_reinit() may have merged IPSQs.
3806          * If so, free our original one.
3807          */
3808         if (ipsq != ill->ill_phyint->phyint_ipsq)
3809                 ipsq_delete(ipsq);
3810 
3811         if (ipst->ips_loopback_ksp == NULL) {
3812                 /* Export loopback interface statistics */
3813                 ipst->ips_loopback_ksp = kstat_create_netstack("lo", 0,
3814                     ipif_loopback_name, "net",
3815                     KSTAT_TYPE_NAMED, 2, 0,
3816                     ipst->ips_netstack->netstack_stackid);
3817                 if (ipst->ips_loopback_ksp != NULL) {
3818                         ipst->ips_loopback_ksp->ks_update =
3819                             loopback_kstat_update;
3820                         kn = KSTAT_NAMED_PTR(ipst->ips_loopback_ksp);
3821                         kstat_named_init(&kn[0], "ipackets", KSTAT_DATA_UINT32);
3822                         kstat_named_init(&kn[1], "opackets", KSTAT_DATA_UINT32);
3823                         ipst->ips_loopback_ksp->ks_private =
3824                             (void *)(uintptr_t)ipst->ips_netstack->
3825                             netstack_stackid;
3826                         kstat_install(ipst->ips_loopback_ksp);
3827                 }
3828         }
3829 
3830         *did_alloc = B_TRUE;
3831         rw_exit(&ipst->ips_ill_g_lock);
3832         ill_nic_event_dispatch(ill, MAP_IPIF_ID(ill->ill_ipif->ipif_id),
3833             NE_PLUMB, ill->ill_name, ill->ill_name_length);
3834         return (ill);
3835 done:
3836         if (ill != NULL) {
3837                 if (ill->ill_phyint != NULL) {
3838                         ipsq = ill->ill_phyint->phyint_ipsq;
3839                         if (ipsq != NULL) {
3840                                 ipsq->ipsq_phyint = NULL;
3841                                 ipsq_delete(ipsq);
3842                         }
3843                         mi_free(ill->ill_phyint);
3844                 }
3845                 ill_free_mib(ill);
3846                 if (ill->ill_ipst != NULL)
3847                         netstack_rele(ill->ill_ipst->ips_netstack);
3848                 mi_free(ill);
3849         }
3850         rw_exit(&ipst->ips_ill_g_lock);
3851         return (NULL);
3852 }
3853 
3854 /*
3855  * For IPP calls - use the ip_stack_t for global stack.
3856  */
3857 ill_t *
3858 ill_lookup_on_ifindex_global_instance(uint_t index, boolean_t isv6)
3859 {
3860         ip_stack_t      *ipst;
3861         ill_t           *ill;
3862 
3863         ipst = netstack_find_by_stackid(GLOBAL_NETSTACKID)->netstack_ip;
3864         if (ipst == NULL) {
3865                 cmn_err(CE_WARN, "No ip_stack_t for zoneid zero!\n");
3866                 return (NULL);
3867         }
3868 
3869         ill = ill_lookup_on_ifindex(index, isv6, ipst);
3870         netstack_rele(ipst->ips_netstack);
3871         return (ill);
3872 }
3873 
3874 /*
3875  * Return a pointer to the ill which matches the index and IP version type.
3876  */
3877 ill_t *
3878 ill_lookup_on_ifindex(uint_t index, boolean_t isv6, ip_stack_t *ipst)
3879 {
3880         ill_t   *ill;
3881         phyint_t *phyi;
3882 
3883         /*
3884          * Indexes are stored in the phyint - a common structure
3885          * to both IPv4 and IPv6.
3886          */
3887         rw_enter(&ipst->ips_ill_g_lock, RW_READER);
3888         phyi = avl_find(&ipst->ips_phyint_g_list->phyint_list_avl_by_index,
3889             (void *) &index, NULL);
3890         if (phyi != NULL) {
3891                 ill = isv6 ? phyi->phyint_illv6: phyi->phyint_illv4;
3892                 if (ill != NULL) {
3893                         mutex_enter(&ill->ill_lock);
3894                         if (!ILL_IS_CONDEMNED(ill)) {
3895                                 ill_refhold_locked(ill);
3896                                 mutex_exit(&ill->ill_lock);
3897                                 rw_exit(&ipst->ips_ill_g_lock);
3898                                 return (ill);
3899                         }
3900                         mutex_exit(&ill->ill_lock);
3901                 }
3902         }
3903         rw_exit(&ipst->ips_ill_g_lock);
3904         return (NULL);
3905 }
3906 
3907 /*
3908  * Verify whether or not an interface index is valid for the specified zoneid
3909  * to transmit packets.
3910  * It can be zero (meaning "reset") or an interface index assigned
3911  * to a non-VNI interface. (We don't use VNI interface to send packets.)
3912  */
3913 boolean_t
3914 ip_xmit_ifindex_valid(uint_t ifindex, zoneid_t zoneid, boolean_t isv6,
3915     ip_stack_t *ipst)
3916 {
3917         ill_t           *ill;
3918 
3919         if (ifindex == 0)
3920                 return (B_TRUE);
3921 
3922         ill = ill_lookup_on_ifindex_zoneid(ifindex, zoneid, isv6, ipst);
3923         if (ill == NULL)
3924                 return (B_FALSE);
3925         if (IS_VNI(ill)) {
3926                 ill_refrele(ill);
3927                 return (B_FALSE);
3928         }
3929         ill_refrele(ill);
3930         return (B_TRUE);
3931 }
3932 
3933 /*
3934  * Return the ifindex next in sequence after the passed in ifindex.
3935  * If there is no next ifindex for the given protocol, return 0.
3936  */
3937 uint_t
3938 ill_get_next_ifindex(uint_t index, boolean_t isv6, ip_stack_t *ipst)
3939 {
3940         phyint_t *phyi;
3941         phyint_t *phyi_initial;
3942         uint_t   ifindex;
3943 
3944         rw_enter(&ipst->ips_ill_g_lock, RW_READER);
3945 
3946         if (index == 0) {
3947                 phyi = avl_first(
3948                     &ipst->ips_phyint_g_list->phyint_list_avl_by_index);
3949         } else {
3950                 phyi = phyi_initial = avl_find(
3951                     &ipst->ips_phyint_g_list->phyint_list_avl_by_index,
3952                     (void *) &index, NULL);
3953         }
3954 
3955         for (; phyi != NULL;
3956             phyi = avl_walk(&ipst->ips_phyint_g_list->phyint_list_avl_by_index,
3957             phyi, AVL_AFTER)) {
3958                 /*
3959                  * If we're not returning the first interface in the tree
3960                  * and we still haven't moved past the phyint_t that
3961                  * corresponds to index, avl_walk needs to be called again
3962                  */
3963                 if (!((index != 0) && (phyi == phyi_initial))) {
3964                         if (isv6) {
3965                                 if ((phyi->phyint_illv6) &&
3966                                     ILL_CAN_LOOKUP(phyi->phyint_illv6) &&
3967                                     (phyi->phyint_illv6->ill_isv6 == 1))
3968                                         break;
3969                         } else {
3970                                 if ((phyi->phyint_illv4) &&
3971                                     ILL_CAN_LOOKUP(phyi->phyint_illv4) &&
3972                                     (phyi->phyint_illv4->ill_isv6 == 0))
3973                                         break;
3974                         }
3975                 }
3976         }
3977 
3978         rw_exit(&ipst->ips_ill_g_lock);
3979 
3980         if (phyi != NULL)
3981                 ifindex = phyi->phyint_ifindex;
3982         else
3983                 ifindex = 0;
3984 
3985         return (ifindex);
3986 }
3987 
3988 /*
3989  * Return the ifindex for the named interface.
3990  * If there is no next ifindex for the interface, return 0.
3991  */
3992 uint_t
3993 ill_get_ifindex_by_name(char *name, ip_stack_t *ipst)
3994 {
3995         phyint_t        *phyi;
3996         avl_index_t     where = 0;
3997         uint_t          ifindex;
3998 
3999         rw_enter(&ipst->ips_ill_g_lock, RW_READER);
4000 
4001         if ((phyi = avl_find(&ipst->ips_phyint_g_list->phyint_list_avl_by_name,
4002             name, &where)) == NULL) {
4003                 rw_exit(&ipst->ips_ill_g_lock);
4004                 return (0);
4005         }
4006 
4007         ifindex = phyi->phyint_ifindex;
4008 
4009         rw_exit(&ipst->ips_ill_g_lock);
4010 
4011         return (ifindex);
4012 }
4013 
4014 /*
4015  * Return the ifindex to be used by upper layer protocols for instance
4016  * for IPV6_RECVPKTINFO. If IPMP this is the one for the upper ill.
4017  */
4018 uint_t
4019 ill_get_upper_ifindex(const ill_t *ill)
4020 {
4021         if (IS_UNDER_IPMP(ill))
4022                 return (ipmp_ill_get_ipmp_ifindex(ill));
4023         else
4024                 return (ill->ill_phyint->phyint_ifindex);
4025 }
4026 
4027 
4028 /*
4029  * Obtain a reference to the ill. The ill_refcnt is a dynamic refcnt
4030  * that gives a running thread a reference to the ill. This reference must be
4031  * released by the thread when it is done accessing the ill and related
4032  * objects. ill_refcnt can not be used to account for static references
4033  * such as other structures pointing to an ill. Callers must generally
4034  * check whether an ill can be refheld by using ILL_CAN_LOOKUP macros
4035  * or be sure that the ill is not being deleted or changing state before
4036  * calling the refhold functions. A non-zero ill_refcnt ensures that the
4037  * ill won't change any of its critical state such as address, netmask etc.
4038  */
4039 void
4040 ill_refhold(ill_t *ill)
4041 {
4042         mutex_enter(&ill->ill_lock);
4043         ill->ill_refcnt++;
4044         ILL_TRACE_REF(ill);
4045         mutex_exit(&ill->ill_lock);
4046 }
4047 
4048 void
4049 ill_refhold_locked(ill_t *ill)
4050 {
4051         ASSERT(MUTEX_HELD(&ill->ill_lock));
4052         ill->ill_refcnt++;
4053         ILL_TRACE_REF(ill);
4054 }
4055 
4056 /* Returns true if we managed to get a refhold */
4057 boolean_t
4058 ill_check_and_refhold(ill_t *ill)
4059 {
4060         mutex_enter(&ill->ill_lock);
4061         if (!ILL_IS_CONDEMNED(ill)) {
4062                 ill_refhold_locked(ill);
4063                 mutex_exit(&ill->ill_lock);
4064                 return (B_TRUE);
4065         }
4066         mutex_exit(&ill->ill_lock);
4067         return (B_FALSE);
4068 }
4069 
4070 /*
4071  * Must not be called while holding any locks. Otherwise if this is
4072  * the last reference to be released, there is a chance of recursive mutex
4073  * panic due to ill_refrele -> ipif_ill_refrele_tail -> qwriter_ip trying
4074  * to restart an ioctl.
4075  */
4076 void
4077 ill_refrele(ill_t *ill)
4078 {
4079         mutex_enter(&ill->ill_lock);
4080         ASSERT(ill->ill_refcnt != 0);
4081         ill->ill_refcnt--;
4082         ILL_UNTRACE_REF(ill);
4083         if (ill->ill_refcnt != 0) {
4084                 /* Every ire pointing to the ill adds 1 to ill_refcnt */
4085                 mutex_exit(&ill->ill_lock);
4086                 return;
4087         }
4088 
4089         /* Drops the ill_lock */
4090         ipif_ill_refrele_tail(ill);
4091 }
4092 
4093 /*
4094  * Obtain a weak reference count on the ill. This reference ensures the
4095  * ill won't be freed, but the ill may change any of its critical state
4096  * such as netmask, address etc. Returns an error if the ill has started
4097  * closing.
4098  */
4099 boolean_t
4100 ill_waiter_inc(ill_t *ill)
4101 {
4102         mutex_enter(&ill->ill_lock);
4103         if (ill->ill_state_flags & ILL_CONDEMNED) {
4104                 mutex_exit(&ill->ill_lock);
4105                 return (B_FALSE);
4106         }
4107         ill->ill_waiters++;
4108         mutex_exit(&ill->ill_lock);
4109         return (B_TRUE);
4110 }
4111 
4112 void
4113 ill_waiter_dcr(ill_t *ill)
4114 {
4115         mutex_enter(&ill->ill_lock);
4116         ill->ill_waiters--;
4117         if (ill->ill_waiters == 0)
4118                 cv_broadcast(&ill->ill_cv);
4119         mutex_exit(&ill->ill_lock);
4120 }
4121 
4122 /*
4123  * ip_ll_subnet_defaults is called when we get the DL_INFO_ACK back from the
4124  * driver.  We construct best guess defaults for lower level information that
4125  * we need.  If an interface is brought up without injection of any overriding
4126  * information from outside, we have to be ready to go with these defaults.
4127  * When we get the first DL_INFO_ACK (from ip_open() sending a DL_INFO_REQ)
4128  * we primarely want the dl_provider_style.
4129  * The subsequent DL_INFO_ACK is received after doing a DL_ATTACH and DL_BIND
4130  * at which point we assume the other part of the information is valid.
4131  */
4132 void
4133 ip_ll_subnet_defaults(ill_t *ill, mblk_t *mp)
4134 {
4135         uchar_t         *brdcst_addr;
4136         uint_t          brdcst_addr_length, phys_addr_length;
4137         t_scalar_t      sap_length;
4138         dl_info_ack_t   *dlia;
4139         ip_m_t          *ipm;
4140         dl_qos_cl_sel1_t *sel1;
4141         int             min_mtu;
4142 
4143         ASSERT(IAM_WRITER_ILL(ill));
4144 
4145         /*
4146          * Till the ill is fully up  the ill is not globally visible.
4147          * So no need for a lock.
4148          */
4149         dlia = (dl_info_ack_t *)mp->b_rptr;
4150         ill->ill_mactype = dlia->dl_mac_type;
4151 
4152         ipm = ip_m_lookup(dlia->dl_mac_type);
4153         if (ipm == NULL) {
4154                 ipm = ip_m_lookup(DL_OTHER);
4155                 ASSERT(ipm != NULL);
4156         }
4157         ill->ill_media = ipm;
4158 
4159         /*
4160          * When the new DLPI stuff is ready we'll pull lengths
4161          * from dlia.
4162          */
4163         if (dlia->dl_version == DL_VERSION_2) {
4164                 brdcst_addr_length = dlia->dl_brdcst_addr_length;
4165                 brdcst_addr = mi_offset_param(mp, dlia->dl_brdcst_addr_offset,
4166                     brdcst_addr_length);
4167                 if (brdcst_addr == NULL) {
4168                         brdcst_addr_length = 0;
4169                 }
4170                 sap_length = dlia->dl_sap_length;
4171                 phys_addr_length = dlia->dl_addr_length - ABS(sap_length);
4172                 ip1dbg(("ip: bcast_len %d, sap_len %d, phys_len %d\n",
4173                     brdcst_addr_length, sap_length, phys_addr_length));
4174         } else {
4175                 brdcst_addr_length = 6;
4176                 brdcst_addr = ip_six_byte_all_ones;
4177                 sap_length = -2;
4178                 phys_addr_length = brdcst_addr_length;
4179         }
4180 
4181         ill->ill_bcast_addr_length = brdcst_addr_length;
4182         ill->ill_phys_addr_length = phys_addr_length;
4183         ill->ill_sap_length = sap_length;
4184 
4185         /*
4186          * Synthetic DLPI types such as SUNW_DL_IPMP specify a zero SDU,
4187          * but we must ensure a minimum IP MTU is used since other bits of
4188          * IP will fly apart otherwise.
4189          */
4190         min_mtu = ill->ill_isv6 ? IPV6_MIN_MTU : IP_MIN_MTU;
4191         ill->ill_max_frag = MAX(min_mtu, dlia->dl_max_sdu);
4192         ill->ill_current_frag = ill->ill_max_frag;
4193         ill->ill_mtu = ill->ill_max_frag;
4194         ill->ill_mc_mtu = ill->ill_mtu;   /* Overridden by DL_NOTE_SDU_SIZE2 */
4195 
4196         ill->ill_type = ipm->ip_m_type;
4197 
4198         if (!ill->ill_dlpi_style_set) {
4199                 if (dlia->dl_provider_style == DL_STYLE2)
4200                         ill->ill_needs_attach = 1;
4201 
4202                 phyint_flags_init(ill->ill_phyint, ill->ill_mactype);
4203 
4204                 /*
4205                  * Allocate the first ipif on this ill.  We don't delay it
4206                  * further as ioctl handling assumes at least one ipif exists.
4207                  *
4208                  * At this point we don't know whether the ill is v4 or v6.
4209                  * We will know this whan the SIOCSLIFNAME happens and
4210                  * the correct value for ill_isv6 will be assigned in
4211                  * ipif_set_values(). We need to hold the ill lock and
4212                  * clear the ILL_LL_SUBNET_PENDING flag and atomically do
4213                  * the wakeup.
4214                  */
4215                 (void) ipif_allocate(ill, 0, IRE_LOCAL,
4216                     dlia->dl_provider_style != DL_STYLE2, B_TRUE, NULL);
4217                 mutex_enter(&ill->ill_lock);
4218                 ASSERT(ill->ill_dlpi_style_set == 0);
4219                 ill->ill_dlpi_style_set = 1;
4220                 ill->ill_state_flags &= ~ILL_LL_SUBNET_PENDING;
4221                 cv_broadcast(&ill->ill_cv);
4222                 mutex_exit(&ill->ill_lock);
4223                 freemsg(mp);
4224                 return;
4225         }
4226         ASSERT(ill->ill_ipif != NULL);
4227         /*
4228          * We know whether it is IPv4 or IPv6 now, as this is the
4229          * second DL_INFO_ACK we are recieving in response to the
4230          * DL_INFO_REQ sent in ipif_set_values.
4231          */
4232         ill->ill_sap = (ill->ill_isv6) ? ipm->ip_m_ipv6sap : ipm->ip_m_ipv4sap;
4233         /*
4234          * Clear all the flags that were set based on ill_bcast_addr_length
4235          * and ill_phys_addr_length (in ipif_set_values) as these could have
4236          * changed now and we need to re-evaluate.
4237          */
4238         ill->ill_flags &= ~(ILLF_MULTICAST | ILLF_NONUD | ILLF_NOARP);
4239         ill->ill_ipif->ipif_flags &= ~(IPIF_BROADCAST | IPIF_POINTOPOINT);
4240 
4241         /*
4242          * Free ill_bcast_mp as things could have changed now.
4243          *
4244          * NOTE: The IPMP meta-interface is special-cased because it starts
4245          * with no underlying interfaces (and thus an unknown broadcast
4246          * address length), but we enforce that an interface is broadcast-
4247          * capable as part of allowing it to join a group.
4248          */
4249         if (ill->ill_bcast_addr_length == 0 && !IS_IPMP(ill)) {
4250                 if (ill->ill_bcast_mp != NULL)
4251                         freemsg(ill->ill_bcast_mp);
4252                 ill->ill_net_type = IRE_IF_NORESOLVER;
4253 
4254                 ill->ill_bcast_mp = ill_dlur_gen(NULL,
4255                     ill->ill_phys_addr_length,
4256                     ill->ill_sap,
4257                     ill->ill_sap_length);
4258 
4259                 if (ill->ill_isv6)
4260                         /*
4261                          * Note: xresolv interfaces will eventually need NOARP
4262                          * set here as well, but that will require those
4263                          * external resolvers to have some knowledge of
4264                          * that flag and act appropriately. Not to be changed
4265                          * at present.
4266                          */
4267                         ill->ill_flags |= ILLF_NONUD;
4268                 else
4269                         ill->ill_flags |= ILLF_NOARP;
4270 
4271                 if (ill->ill_mactype == SUNW_DL_VNI) {
4272                         ill->ill_ipif->ipif_flags |= IPIF_NOXMIT;
4273                 } else if (ill->ill_phys_addr_length == 0 ||
4274                     ill->ill_mactype == DL_IPV4 ||
4275                     ill->ill_mactype == DL_IPV6) {
4276                         /*
4277                          * The underying link is point-to-point, so mark the
4278                          * interface as such.  We can do IP multicast over
4279                          * such a link since it transmits all network-layer
4280                          * packets to the remote side the same way.
4281                          */
4282                         ill->ill_flags |= ILLF_MULTICAST;
4283                         ill->ill_ipif->ipif_flags |= IPIF_POINTOPOINT;
4284                 }
4285         } else {
4286                 ill->ill_net_type = IRE_IF_RESOLVER;
4287                 if (ill->ill_bcast_mp != NULL)
4288                         freemsg(ill->ill_bcast_mp);
4289                 ill->ill_bcast_mp = ill_dlur_gen(brdcst_addr,
4290                     ill->ill_bcast_addr_length, ill->ill_sap,
4291                     ill->ill_sap_length);
4292                 /*
4293                  * Later detect lack of DLPI driver multicast
4294                  * capability by catching DL_ENABMULTI errors in
4295                  * ip_rput_dlpi.
4296                  */
4297                 ill->ill_flags |= ILLF_MULTICAST;
4298                 if (!ill->ill_isv6)
4299                         ill->ill_ipif->ipif_flags |= IPIF_BROADCAST;
4300         }
4301 
4302         /* For IPMP, PHYI_IPMP should already be set by phyint_flags_init() */
4303         if (ill->ill_mactype == SUNW_DL_IPMP)
4304                 ASSERT(ill->ill_phyint->phyint_flags & PHYI_IPMP);
4305 
4306         /* By default an interface does not support any CoS marking */
4307         ill->ill_flags &= ~ILLF_COS_ENABLED;
4308 
4309         /*
4310          * If we get QoS information in DL_INFO_ACK, the device supports
4311          * some form of CoS marking, set ILLF_COS_ENABLED.
4312          */
4313         sel1 = (dl_qos_cl_sel1_t *)mi_offset_param(mp, dlia->dl_qos_offset,
4314             dlia->dl_qos_length);
4315         if ((sel1 != NULL) && (sel1->dl_qos_type == DL_QOS_CL_SEL1)) {
4316                 ill->ill_flags |= ILLF_COS_ENABLED;
4317         }
4318 
4319         /* Clear any previous error indication. */
4320         ill->ill_error = 0;
4321         freemsg(mp);
4322 }
4323 
4324 /*
4325  * Perform various checks to verify that an address would make sense as a
4326  * local, remote, or subnet interface address.
4327  */
4328 static boolean_t
4329 ip_addr_ok_v4(ipaddr_t addr, ipaddr_t subnet_mask)
4330 {
4331         ipaddr_t        net_mask;
4332 
4333         /*
4334          * Don't allow all zeroes, or all ones, but allow
4335          * all ones netmask.
4336          */
4337         if ((net_mask = ip_net_mask(addr)) == 0)
4338                 return (B_FALSE);
4339         /* A given netmask overrides the "guess" netmask */
4340         if (subnet_mask != 0)
4341                 net_mask = subnet_mask;
4342         if ((net_mask != ~(ipaddr_t)0) && ((addr == (addr & net_mask)) ||
4343             (addr == (addr | ~net_mask)))) {
4344                 return (B_FALSE);
4345         }
4346 
4347         /*
4348          * Even if the netmask is all ones, we do not allow address to be
4349          * 255.255.255.255
4350          */
4351         if (addr == INADDR_BROADCAST)
4352                 return (B_FALSE);
4353 
4354         if (CLASSD(addr))
4355                 return (B_FALSE);
4356 
4357         return (B_TRUE);
4358 }
4359 
4360 #define V6_IPIF_LINKLOCAL(p)    \
4361         IN6_IS_ADDR_LINKLOCAL(&(p)->ipif_v6lcl_addr)
4362 
4363 /*
4364  * Compare two given ipifs and check if the second one is better than
4365  * the first one using the order of preference (not taking deprecated
4366  * into acount) specified in ipif_lookup_multicast().
4367  */
4368 static boolean_t
4369 ipif_comp_multi(ipif_t *old_ipif, ipif_t *new_ipif, boolean_t isv6)
4370 {
4371         /* Check the least preferred first. */
4372         if (IS_LOOPBACK(old_ipif->ipif_ill)) {
4373                 /* If both ipifs are the same, use the first one. */
4374                 if (IS_LOOPBACK(new_ipif->ipif_ill))
4375                         return (B_FALSE);
4376                 else
4377                         return (B_TRUE);
4378         }
4379 
4380         /* For IPv6, check for link local address. */
4381         if (isv6 && V6_IPIF_LINKLOCAL(old_ipif)) {
4382                 if (IS_LOOPBACK(new_ipif->ipif_ill) ||
4383                     V6_IPIF_LINKLOCAL(new_ipif)) {
4384                         /* The second one is equal or less preferred. */
4385                         return (B_FALSE);
4386                 } else {
4387                         return (B_TRUE);
4388                 }
4389         }
4390 
4391         /* Then check for point to point interface. */
4392         if (old_ipif->ipif_flags & IPIF_POINTOPOINT) {
4393                 if (IS_LOOPBACK(new_ipif->ipif_ill) ||
4394                     (isv6 && V6_IPIF_LINKLOCAL(new_ipif)) ||
4395                     (new_ipif->ipif_flags & IPIF_POINTOPOINT)) {
4396                         return (B_FALSE);
4397                 } else {
4398                         return (B_TRUE);
4399                 }
4400         }
4401 
4402         /* old_ipif is a normal interface, so no need to use the new one. */
4403         return (B_FALSE);
4404 }
4405 
4406 /*
4407  * Find a mulitcast-capable ipif given an IP instance and zoneid.
4408  * The ipif must be up, and its ill must multicast-capable, not
4409  * condemned, not an underlying interface in an IPMP group, and
4410  * not a VNI interface.  Order of preference:
4411  *
4412  *      1a. normal
4413  *      1b. normal, but deprecated
4414  *      2a. point to point
4415  *      2b. point to point, but deprecated
4416  *      3a. link local
4417  *      3b. link local, but deprecated
4418  *      4. loopback.
4419  */
4420 static ipif_t *
4421 ipif_lookup_multicast(ip_stack_t *ipst, zoneid_t zoneid, boolean_t isv6)
4422 {
4423         ill_t                   *ill;
4424         ill_walk_context_t      ctx;
4425         ipif_t                  *ipif;
4426         ipif_t                  *saved_ipif = NULL;
4427         ipif_t                  *dep_ipif = NULL;
4428 
4429         rw_enter(&ipst->ips_ill_g_lock, RW_READER);
4430         if (isv6)
4431                 ill = ILL_START_WALK_V6(&ctx, ipst);
4432         else
4433                 ill = ILL_START_WALK_V4(&ctx, ipst);
4434 
4435         for (; ill != NULL; ill = ill_next(&ctx, ill)) {
4436                 mutex_enter(&ill->ill_lock);
4437                 if (IS_VNI(ill) || IS_UNDER_IPMP(ill) ||
4438                     ILL_IS_CONDEMNED(ill) ||
4439                     !(ill->ill_flags & ILLF_MULTICAST)) {
4440                         mutex_exit(&ill->ill_lock);
4441                         continue;
4442                 }
4443                 for (ipif = ill->ill_ipif; ipif != NULL;
4444                     ipif = ipif->ipif_next) {
4445                         if (zoneid != ipif->ipif_zoneid &&
4446                             zoneid != ALL_ZONES &&
4447                             ipif->ipif_zoneid != ALL_ZONES) {
4448                                 continue;
4449                         }
4450                         if (!(ipif->ipif_flags & IPIF_UP) ||
4451                             IPIF_IS_CONDEMNED(ipif)) {
4452                                 continue;
4453                         }
4454 
4455                         /*
4456                          * Found one candidate.  If it is deprecated,
4457                          * remember it in dep_ipif.  If it is not deprecated,
4458                          * remember it in saved_ipif.
4459                          */
4460                         if (ipif->ipif_flags & IPIF_DEPRECATED) {
4461                                 if (dep_ipif == NULL) {
4462                                         dep_ipif = ipif;
4463                                 } else if (ipif_comp_multi(dep_ipif, ipif,
4464                                     isv6)) {
4465                                         /*
4466                                          * If the previous dep_ipif does not
4467                                          * belong to the same ill, we've done
4468                                          * a ipif_refhold() on it.  So we need
4469                                          * to release it.
4470                                          */
4471                                         if (dep_ipif->ipif_ill != ill)
4472                                                 ipif_refrele(dep_ipif);
4473                                         dep_ipif = ipif;
4474                                 }
4475                                 continue;
4476                         }
4477                         if (saved_ipif == NULL) {
4478                                 saved_ipif = ipif;
4479                         } else {
4480                                 if (ipif_comp_multi(saved_ipif, ipif, isv6)) {
4481                                         if (saved_ipif->ipif_ill != ill)
4482                                                 ipif_refrele(saved_ipif);
4483                                         saved_ipif = ipif;
4484                                 }
4485                         }
4486                 }
4487                 /*
4488                  * Before going to the next ill, do a ipif_refhold() on the
4489                  * saved ones.
4490                  */
4491                 if (saved_ipif != NULL && saved_ipif->ipif_ill == ill)
4492                         ipif_refhold_locked(saved_ipif);
4493                 if (dep_ipif != NULL && dep_ipif->ipif_ill == ill)
4494                         ipif_refhold_locked(dep_ipif);
4495                 mutex_exit(&ill->ill_lock);
4496         }
4497         rw_exit(&ipst->ips_ill_g_lock);
4498 
4499         /*
4500          * If we have only the saved_ipif, return it.  But if we have both
4501          * saved_ipif and dep_ipif, check to see which one is better.
4502          */
4503         if (saved_ipif != NULL) {
4504                 if (dep_ipif != NULL) {
4505                         if (ipif_comp_multi(saved_ipif, dep_ipif, isv6)) {
4506                                 ipif_refrele(saved_ipif);
4507                                 return (dep_ipif);
4508                         } else {
4509                                 ipif_refrele(dep_ipif);
4510                                 return (saved_ipif);
4511                         }
4512                 }
4513                 return (saved_ipif);
4514         } else {
4515                 return (dep_ipif);
4516         }
4517 }
4518 
4519 ill_t *
4520 ill_lookup_multicast(ip_stack_t *ipst, zoneid_t zoneid, boolean_t isv6)
4521 {
4522         ipif_t *ipif;
4523         ill_t *ill;
4524 
4525         ipif = ipif_lookup_multicast(ipst, zoneid, isv6);
4526         if (ipif == NULL)
4527                 return (NULL);
4528 
4529         ill = ipif->ipif_ill;
4530         ill_refhold(ill);
4531         ipif_refrele(ipif);
4532         return (ill);
4533 }
4534 
4535 /*
4536  * This function is called when an application does not specify an interface
4537  * to be used for multicast traffic (joining a group/sending data).  It
4538  * calls ire_lookup_multi() to look for an interface route for the
4539  * specified multicast group.  Doing this allows the administrator to add
4540  * prefix routes for multicast to indicate which interface to be used for
4541  * multicast traffic in the above scenario.  The route could be for all
4542  * multicast (224.0/4), for a single multicast group (a /32 route) or
4543  * anything in between.  If there is no such multicast route, we just find
4544  * any multicast capable interface and return it.  The returned ipif
4545  * is refhold'ed.
4546  *
4547  * We support MULTIRT and RTF_SETSRC on the multicast routes added to the
4548  * unicast table. This is used by CGTP.
4549  */
4550 ill_t *
4551 ill_lookup_group_v4(ipaddr_t group, zoneid_t zoneid, ip_stack_t *ipst,
4552     boolean_t *multirtp, ipaddr_t *setsrcp)
4553 {
4554         ill_t                   *ill;
4555 
4556         ill = ire_lookup_multi_ill_v4(group, zoneid, ipst, multirtp, setsrcp);
4557         if (ill != NULL)
4558                 return (ill);
4559 
4560         return (ill_lookup_multicast(ipst, zoneid, B_FALSE));
4561 }
4562 
4563 /*
4564  * Look for an ipif with the specified interface address and destination.
4565  * The destination address is used only for matching point-to-point interfaces.
4566  */
4567 ipif_t *
4568 ipif_lookup_interface(ipaddr_t if_addr, ipaddr_t dst, ip_stack_t *ipst)
4569 {
4570         ipif_t  *ipif;
4571         ill_t   *ill;
4572         ill_walk_context_t ctx;
4573 
4574         /*
4575          * First match all the point-to-point interfaces
4576          * before looking at non-point-to-point interfaces.
4577          * This is done to avoid returning non-point-to-point
4578          * ipif instead of unnumbered point-to-point ipif.
4579          */
4580         rw_enter(&ipst->ips_ill_g_lock, RW_READER);
4581         ill = ILL_START_WALK_V4(&ctx, ipst);
4582         for (; ill != NULL; ill = ill_next(&ctx, ill)) {
4583                 mutex_enter(&ill->ill_lock);
4584                 for (ipif = ill->ill_ipif; ipif != NULL;
4585                     ipif = ipif->ipif_next) {
4586                         /* Allow the ipif to be down */
4587                         if ((ipif->ipif_flags & IPIF_POINTOPOINT) &&
4588                             (ipif->ipif_lcl_addr == if_addr) &&
4589                             (ipif->ipif_pp_dst_addr == dst)) {
4590                                 if (!IPIF_IS_CONDEMNED(ipif)) {
4591                                         ipif_refhold_locked(ipif);
4592                                         mutex_exit(&ill->ill_lock);
4593                                         rw_exit(&ipst->ips_ill_g_lock);
4594                                         return (ipif);
4595                                 }
4596                         }
4597                 }
4598                 mutex_exit(&ill->ill_lock);
4599         }
4600         rw_exit(&ipst->ips_ill_g_lock);
4601 
4602         /* lookup the ipif based on interface address */
4603         ipif = ipif_lookup_addr(if_addr, NULL, ALL_ZONES, ipst);
4604         ASSERT(ipif == NULL || !ipif->ipif_isv6);
4605         return (ipif);
4606 }
4607 
4608 /*
4609  * Common function for ipif_lookup_addr() and ipif_lookup_addr_exact().
4610  */
4611 static ipif_t *
4612 ipif_lookup_addr_common(ipaddr_t addr, ill_t *match_ill, uint32_t match_flags,
4613     zoneid_t zoneid, ip_stack_t *ipst)
4614 {
4615         ipif_t  *ipif;
4616         ill_t   *ill;
4617         boolean_t ptp = B_FALSE;
4618         ill_walk_context_t      ctx;
4619         boolean_t match_illgrp = (match_flags & IPIF_MATCH_ILLGRP);
4620         boolean_t no_duplicate = (match_flags & IPIF_MATCH_NONDUP);
4621 
4622         rw_enter(&ipst->ips_ill_g_lock, RW_READER);
4623         /*
4624          * Repeat twice, first based on local addresses and
4625          * next time for pointopoint.
4626          */
4627 repeat:
4628         ill = ILL_START_WALK_V4(&ctx, ipst);
4629         for (; ill != NULL; ill = ill_next(&ctx, ill)) {
4630                 if (match_ill != NULL && ill != match_ill &&
4631                     (!match_illgrp || !IS_IN_SAME_ILLGRP(ill, match_ill))) {
4632                         continue;
4633                 }
4634                 mutex_enter(&ill->ill_lock);
4635                 for (ipif = ill->ill_ipif; ipif != NULL;
4636                     ipif = ipif->ipif_next) {
4637                         if (zoneid != ALL_ZONES &&
4638                             zoneid != ipif->ipif_zoneid &&
4639                             ipif->ipif_zoneid != ALL_ZONES)
4640                                 continue;
4641 
4642                         if (no_duplicate && !(ipif->ipif_flags & IPIF_UP))
4643                                 continue;
4644 
4645                         /* Allow the ipif to be down */
4646                         if ((!ptp && (ipif->ipif_lcl_addr == addr) &&
4647                             ((ipif->ipif_flags & IPIF_UNNUMBERED) == 0)) ||
4648                             (ptp && (ipif->ipif_flags & IPIF_POINTOPOINT) &&
4649                             (ipif->ipif_pp_dst_addr == addr))) {
4650                                 if (!IPIF_IS_CONDEMNED(ipif)) {
4651                                         ipif_refhold_locked(ipif);
4652                                         mutex_exit(&ill->ill_lock);
4653                                         rw_exit(&ipst->ips_ill_g_lock);
4654                                         return (ipif);
4655                                 }
4656                         }
4657                 }
4658                 mutex_exit(&ill->ill_lock);
4659         }
4660 
4661         /* If we already did the ptp case, then we are done */
4662         if (ptp) {
4663                 rw_exit(&ipst->ips_ill_g_lock);
4664                 return (NULL);
4665         }
4666         ptp = B_TRUE;
4667         goto repeat;
4668 }
4669 
4670 /*
4671  * Lookup an ipif with the specified address.  For point-to-point links we
4672  * look for matches on either the destination address or the local address,
4673  * but we skip the local address check if IPIF_UNNUMBERED is set.  If the
4674  * `match_ill' argument is non-NULL, the lookup is restricted to that ill
4675  * (or illgrp if `match_ill' is in an IPMP group).
4676  */
4677 ipif_t *
4678 ipif_lookup_addr(ipaddr_t addr, ill_t *match_ill, zoneid_t zoneid,
4679     ip_stack_t *ipst)
4680 {
4681         return (ipif_lookup_addr_common(addr, match_ill, IPIF_MATCH_ILLGRP,
4682             zoneid, ipst));
4683 }
4684 
4685 /*
4686  * Lookup an ipif with the specified address. Similar to ipif_lookup_addr,
4687  * except that we will only return an address if it is not marked as
4688  * IPIF_DUPLICATE
4689  */
4690 ipif_t *
4691 ipif_lookup_addr_nondup(ipaddr_t addr, ill_t *match_ill, zoneid_t zoneid,
4692     ip_stack_t *ipst)
4693 {
4694         return (ipif_lookup_addr_common(addr, match_ill,
4695             (IPIF_MATCH_ILLGRP | IPIF_MATCH_NONDUP),
4696             zoneid, ipst));
4697 }
4698 
4699 /*
4700  * Special abbreviated version of ipif_lookup_addr() that doesn't match
4701  * `match_ill' across the IPMP group.  This function is only needed in some
4702  * corner-cases; almost everything should use ipif_lookup_addr().
4703  */
4704 ipif_t *
4705 ipif_lookup_addr_exact(ipaddr_t addr, ill_t *match_ill, ip_stack_t *ipst)
4706 {
4707         ASSERT(match_ill != NULL);
4708         return (ipif_lookup_addr_common(addr, match_ill, 0, ALL_ZONES,
4709             ipst));
4710 }
4711 
4712 /*
4713  * Look for an ipif with the specified address. For point-point links
4714  * we look for matches on either the destination address and the local
4715  * address, but we ignore the check on the local address if IPIF_UNNUMBERED
4716  * is set.
4717  * If the `match_ill' argument is non-NULL, the lookup is restricted to that
4718  * ill (or illgrp if `match_ill' is in an IPMP group).
4719  * Return the zoneid for the ipif which matches. ALL_ZONES if no match.
4720  */
4721 zoneid_t
4722 ipif_lookup_addr_zoneid(ipaddr_t addr, ill_t *match_ill, ip_stack_t *ipst)
4723 {
4724         zoneid_t zoneid;
4725         ipif_t  *ipif;
4726         ill_t   *ill;
4727         boolean_t ptp = B_FALSE;
4728         ill_walk_context_t      ctx;
4729 
4730         rw_enter(&ipst->ips_ill_g_lock, RW_READER);
4731         /*
4732          * Repeat twice, first based on local addresses and
4733          * next time for pointopoint.
4734          */
4735 repeat:
4736         ill = ILL_START_WALK_V4(&ctx, ipst);
4737         for (; ill != NULL; ill = ill_next(&ctx, ill)) {
4738                 if (match_ill != NULL && ill != match_ill &&
4739                     !IS_IN_SAME_ILLGRP(ill, match_ill)) {
4740                         continue;
4741                 }
4742                 mutex_enter(&ill->ill_lock);
4743                 for (ipif = ill->ill_ipif; ipif != NULL;
4744                     ipif = ipif->ipif_next) {
4745                         /* Allow the ipif to be down */
4746                         if ((!ptp && (ipif->ipif_lcl_addr == addr) &&
4747                             ((ipif->ipif_flags & IPIF_UNNUMBERED) == 0)) ||
4748                             (ptp && (ipif->ipif_flags & IPIF_POINTOPOINT) &&
4749                             (ipif->ipif_pp_dst_addr == addr)) &&
4750                             !(ipif->ipif_state_flags & IPIF_CONDEMNED)) {
4751                                 zoneid = ipif->ipif_zoneid;
4752                                 mutex_exit(&ill->ill_lock);
4753                                 rw_exit(&ipst->ips_ill_g_lock);
4754                                 /*
4755                                  * If ipif_zoneid was ALL_ZONES then we have
4756                                  * a trusted extensions shared IP address.
4757                                  * In that case GLOBAL_ZONEID works to send.
4758                                  */
4759                                 if (zoneid == ALL_ZONES)
4760                                         zoneid = GLOBAL_ZONEID;
4761                                 return (zoneid);
4762                         }
4763                 }
4764                 mutex_exit(&ill->ill_lock);
4765         }
4766 
4767         /* If we already did the ptp case, then we are done */
4768         if (ptp) {
4769                 rw_exit(&ipst->ips_ill_g_lock);
4770                 return (ALL_ZONES);
4771         }
4772         ptp = B_TRUE;
4773         goto repeat;
4774 }
4775 
4776 /*
4777  * Look for an ipif that matches the specified remote address i.e. the
4778  * ipif that would receive the specified packet.
4779  * First look for directly connected interfaces and then do a recursive
4780  * IRE lookup and pick the first ipif corresponding to the source address in the
4781  * ire.
4782  * Returns: held ipif
4783  *
4784  * This is only used for ICMP_ADDRESS_MASK_REQUESTs
4785  */
4786 ipif_t *
4787 ipif_lookup_remote(ill_t *ill, ipaddr_t addr, zoneid_t zoneid)
4788 {
4789         ipif_t  *ipif;
4790 
4791         ASSERT(!ill->ill_isv6);
4792 
4793         /*
4794          * Someone could be changing this ipif currently or change it
4795          * after we return this. Thus  a few packets could use the old
4796          * old values. However structure updates/creates (ire, ilg, ilm etc)
4797          * will atomically be updated or cleaned up with the new value
4798          * Thus we don't need a lock to check the flags or other attrs below.
4799          */
4800         mutex_enter(&ill->ill_lock);
4801         for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
4802                 if (IPIF_IS_CONDEMNED(ipif))
4803                         continue;
4804                 if (zoneid != ALL_ZONES && zoneid != ipif->ipif_zoneid &&
4805                     ipif->ipif_zoneid != ALL_ZONES)
4806                         continue;
4807                 /* Allow the ipif to be down */
4808                 if (ipif->ipif_flags & IPIF_POINTOPOINT) {
4809                         if ((ipif->ipif_pp_dst_addr == addr) ||
4810                             (!(ipif->ipif_flags & IPIF_UNNUMBERED) &&
4811                             ipif->ipif_lcl_addr == addr)) {
4812                                 ipif_refhold_locked(ipif);
4813                                 mutex_exit(&ill->ill_lock);
4814                                 return (ipif);
4815                         }
4816                 } else if (ipif->ipif_subnet == (addr & ipif->ipif_net_mask)) {
4817                         ipif_refhold_locked(ipif);
4818                         mutex_exit(&ill->ill_lock);
4819                         return (ipif);
4820                 }
4821         }
4822         mutex_exit(&ill->ill_lock);
4823         /*
4824          * For a remote destination it isn't possible to nail down a particular
4825          * ipif.
4826          */
4827 
4828         /* Pick the first interface */
4829         ipif = ipif_get_next_ipif(NULL, ill);
4830         return (ipif);
4831 }
4832 
4833 /*
4834  * This func does not prevent refcnt from increasing. But if
4835  * the caller has taken steps to that effect, then this func
4836  * can be used to determine whether the ill has become quiescent
4837  */
4838 static boolean_t
4839 ill_is_quiescent(ill_t *ill)
4840 {
4841         ipif_t  *ipif;
4842 
4843         ASSERT(MUTEX_HELD(&ill->ill_lock));
4844 
4845         for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
4846                 if (ipif->ipif_refcnt != 0)
4847                         return (B_FALSE);
4848         }
4849         if (!ILL_DOWN_OK(ill) || ill->ill_refcnt != 0) {
4850                 return (B_FALSE);
4851         }
4852         return (B_TRUE);
4853 }
4854 
4855 boolean_t
4856 ill_is_freeable(ill_t *ill)
4857 {
4858         ipif_t  *ipif;
4859 
4860         ASSERT(MUTEX_HELD(&ill->ill_lock));
4861 
4862         for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
4863                 if (ipif->ipif_refcnt != 0) {
4864                         return (B_FALSE);
4865                 }
4866         }
4867         if (!ILL_FREE_OK(ill) || ill->ill_refcnt != 0) {
4868                 return (B_FALSE);
4869         }
4870         return (B_TRUE);
4871 }
4872 
4873 /*
4874  * This func does not prevent refcnt from increasing. But if
4875  * the caller has taken steps to that effect, then this func
4876  * can be used to determine whether the ipif has become quiescent
4877  */
4878 static boolean_t
4879 ipif_is_quiescent(ipif_t *ipif)
4880 {
4881         ill_t *ill;
4882 
4883         ASSERT(MUTEX_HELD(&ipif->ipif_ill->ill_lock));
4884 
4885         if (ipif->ipif_refcnt != 0)
4886                 return (B_FALSE);
4887 
4888         ill = ipif->ipif_ill;
4889         if (ill->ill_ipif_up_count != 0 || ill->ill_ipif_dup_count != 0 ||
4890             ill->ill_logical_down) {
4891                 return (B_TRUE);
4892         }
4893 
4894         /* This is the last ipif going down or being deleted on this ill */
4895         if (ill->ill_ire_cnt != 0 || ill->ill_refcnt != 0) {
4896                 return (B_FALSE);
4897         }
4898 
4899         return (B_TRUE);
4900 }
4901 
4902 /*
4903  * return true if the ipif can be destroyed: the ipif has to be quiescent
4904  * with zero references from ire/ilm to it.
4905  */
4906 static boolean_t
4907 ipif_is_freeable(ipif_t *ipif)
4908 {
4909         ASSERT(MUTEX_HELD(&ipif->ipif_ill->ill_lock));
4910         ASSERT(ipif->ipif_id != 0);
4911         return (ipif->ipif_refcnt == 0);
4912 }
4913 
4914 /*
4915  * The ipif/ill/ire has been refreled. Do the tail processing.
4916  * Determine if the ipif or ill in question has become quiescent and if so
4917  * wakeup close and/or restart any queued pending ioctl that is waiting
4918  * for the ipif_down (or ill_down)
4919  */
4920 void
4921 ipif_ill_refrele_tail(ill_t *ill)
4922 {
4923         mblk_t  *mp;
4924         conn_t  *connp;
4925         ipsq_t  *ipsq;
4926         ipxop_t *ipx;
4927         ipif_t  *ipif;
4928         dl_notify_ind_t *dlindp;
4929 
4930         ASSERT(MUTEX_HELD(&ill->ill_lock));
4931 
4932         if ((ill->ill_state_flags & ILL_CONDEMNED) && ill_is_freeable(ill)) {
4933                 /* ip_modclose() may be waiting */
4934                 cv_broadcast(&ill->ill_cv);
4935         }
4936 
4937         ipsq = ill->ill_phyint->phyint_ipsq;
4938         mutex_enter(&ipsq->ipsq_lock);
4939         ipx = ipsq->ipsq_xop;
4940         mutex_enter(&ipx->ipx_lock);
4941         if (ipx->ipx_waitfor == 0)   /* no one's waiting; bail */
4942                 goto unlock;
4943 
4944         ASSERT(ipx->ipx_pending_mp != NULL && ipx->ipx_pending_ipif != NULL);
4945 
4946         ipif = ipx->ipx_pending_ipif;
4947         if (ipif->ipif_ill != ill)   /* wait is for another ill; bail */
4948                 goto unlock;
4949 
4950         switch (ipx->ipx_waitfor) {
4951         case IPIF_DOWN:
4952                 if (!ipif_is_quiescent(ipif))
4953                         goto unlock;
4954                 break;
4955         case IPIF_FREE:
4956                 if (!ipif_is_freeable(ipif))
4957                         goto unlock;
4958                 break;
4959         case ILL_DOWN:
4960                 if (!ill_is_quiescent(ill))
4961                         goto unlock;
4962                 break;
4963         case ILL_FREE:
4964                 /*
4965                  * ILL_FREE is only for loopback; normal ill teardown waits
4966                  * synchronously in ip_modclose() without using ipx_waitfor,
4967                  * handled by the cv_broadcast() at the top of this function.
4968                  */
4969                 if (!ill_is_freeable(ill))
4970                         goto unlock;
4971                 break;
4972         default:
4973                 cmn_err(CE_PANIC, "ipsq: %p unknown ipx_waitfor %d\n",
4974                     (void *)ipsq, ipx->ipx_waitfor);
4975         }
4976 
4977         ill_refhold_locked(ill);        /* for qwriter_ip() call below */
4978         mutex_exit(&ipx->ipx_lock);
4979         mp = ipsq_pending_mp_get(ipsq, &connp);
4980         mutex_exit(&ipsq->ipsq_lock);
4981         mutex_exit(&ill->ill_lock);
4982 
4983         ASSERT(mp != NULL);
4984         /*
4985          * NOTE: all of the qwriter_ip() calls below use CUR_OP since
4986          * we can only get here when the current operation decides it
4987          * it needs to quiesce via ipsq_pending_mp_add().
4988          */
4989         switch (mp->b_datap->db_type) {
4990         case M_PCPROTO:
4991         case M_PROTO:
4992                 /*
4993                  * For now, only DL_NOTIFY_IND messages can use this facility.
4994                  */
4995                 dlindp = (dl_notify_ind_t *)mp->b_rptr;
4996                 ASSERT(dlindp->dl_primitive == DL_NOTIFY_IND);
4997 
4998                 switch (dlindp->dl_notification) {
4999                 case DL_NOTE_PHYS_ADDR:
5000                         qwriter_ip(ill, ill->ill_rq, mp,
5001                             ill_set_phys_addr_tail, CUR_OP, B_TRUE);
5002                         return;
5003                 case DL_NOTE_REPLUMB:
5004                         qwriter_ip(ill, ill->ill_rq, mp,
5005                             ill_replumb_tail, CUR_OP, B_TRUE);
5006                         return;
5007                 default:
5008                         ASSERT(0);
5009                         ill_refrele(ill);
5010                 }
5011                 break;
5012 
5013         case M_ERROR:
5014         case M_HANGUP:
5015                 qwriter_ip(ill, ill->ill_rq, mp, ipif_all_down_tail, CUR_OP,
5016                     B_TRUE);
5017                 return;
5018 
5019         case M_IOCTL:
5020         case M_IOCDATA:
5021                 qwriter_ip(ill, (connp != NULL ? CONNP_TO_WQ(connp) :
5022                     ill->ill_wq), mp, ip_reprocess_ioctl, CUR_OP, B_TRUE);
5023                 return;
5024 
5025         default:
5026                 cmn_err(CE_PANIC, "ipif_ill_refrele_tail mp %p "
5027                     "db_type %d\n", (void *)mp, mp->b_datap->db_type);
5028         }
5029         return;
5030 unlock:
5031         mutex_exit(&ipsq->ipsq_lock);
5032         mutex_exit(&ipx->ipx_lock);
5033         mutex_exit(&ill->ill_lock);
5034 }
5035 
5036 #ifdef DEBUG
5037 /* Reuse trace buffer from beginning (if reached the end) and record trace */
5038 static void
5039 th_trace_rrecord(th_trace_t *th_trace)
5040 {
5041         tr_buf_t *tr_buf;
5042         uint_t lastref;
5043 
5044         lastref = th_trace->th_trace_lastref;
5045         lastref++;
5046         if (lastref == TR_BUF_MAX)
5047                 lastref = 0;
5048         th_trace->th_trace_lastref = lastref;
5049         tr_buf = &th_trace->th_trbuf[lastref];
5050         tr_buf->tr_time = ddi_get_lbolt();
5051         tr_buf->tr_depth = getpcstack(tr_buf->tr_stack, TR_STACK_DEPTH);
5052 }
5053 
5054 static void
5055 th_trace_free(void *value)
5056 {
5057         th_trace_t *th_trace = value;
5058 
5059         ASSERT(th_trace->th_refcnt == 0);
5060         kmem_free(th_trace, sizeof (*th_trace));
5061 }
5062 
5063 /*
5064  * Find or create the per-thread hash table used to track object references.
5065  * The ipst argument is NULL if we shouldn't allocate.
5066  *
5067  * Accesses per-thread data, so there's no need to lock here.
5068  */
5069 static mod_hash_t *
5070 th_trace_gethash(ip_stack_t *ipst)
5071 {
5072         th_hash_t *thh;
5073 
5074         if ((thh = tsd_get(ip_thread_data)) == NULL && ipst != NULL) {
5075                 mod_hash_t *mh;
5076                 char name[256];
5077                 size_t objsize, rshift;
5078                 int retv;
5079 
5080                 if ((thh = kmem_alloc(sizeof (*thh), KM_NOSLEEP)) == NULL)
5081                         return (NULL);
5082                 (void) snprintf(name, sizeof (name), "th_trace_%p",
5083                     (void *)curthread);
5084 
5085                 /*
5086                  * We use mod_hash_create_extended here rather than the more
5087                  * obvious mod_hash_create_ptrhash because the latter has a
5088                  * hard-coded KM_SLEEP, and we'd prefer to fail rather than
5089                  * block.
5090                  */
5091                 objsize = MAX(MAX(sizeof (ill_t), sizeof (ipif_t)),
5092                     MAX(sizeof (ire_t), sizeof (ncec_t)));
5093                 rshift = highbit(objsize);
5094                 mh = mod_hash_create_extended(name, 64, mod_hash_null_keydtor,
5095                     th_trace_free, mod_hash_byptr, (void *)rshift,
5096                     mod_hash_ptrkey_cmp, KM_NOSLEEP);
5097                 if (mh == NULL) {
5098                         kmem_free(thh, sizeof (*thh));
5099                         return (NULL);
5100                 }
5101                 thh->thh_hash = mh;
5102                 thh->thh_ipst = ipst;
5103                 /*
5104                  * We trace ills, ipifs, ires, and nces.  All of these are
5105                  * per-IP-stack, so the lock on the thread list is as well.
5106                  */
5107                 rw_enter(&ip_thread_rwlock, RW_WRITER);
5108                 list_insert_tail(&ip_thread_list, thh);
5109                 rw_exit(&ip_thread_rwlock);
5110                 retv = tsd_set(ip_thread_data, thh);
5111                 ASSERT(retv == 0);
5112         }
5113         return (thh != NULL ? thh->thh_hash : NULL);
5114 }
5115 
5116 boolean_t
5117 th_trace_ref(const void *obj, ip_stack_t *ipst)
5118 {
5119         th_trace_t *th_trace;
5120         mod_hash_t *mh;
5121         mod_hash_val_t val;
5122 
5123         if ((mh = th_trace_gethash(ipst)) == NULL)
5124                 return (B_FALSE);
5125 
5126         /*
5127          * Attempt to locate the trace buffer for this obj and thread.
5128          * If it does not exist, then allocate a new trace buffer and
5129          * insert into the hash.
5130          */
5131         if (mod_hash_find(mh, (mod_hash_key_t)obj, &val) == MH_ERR_NOTFOUND) {
5132                 th_trace = kmem_zalloc(sizeof (th_trace_t), KM_NOSLEEP);
5133                 if (th_trace == NULL)
5134                         return (B_FALSE);
5135 
5136                 th_trace->th_id = curthread;
5137                 if (mod_hash_insert(mh, (mod_hash_key_t)obj,
5138                     (mod_hash_val_t)th_trace) != 0) {
5139                         kmem_free(th_trace, sizeof (th_trace_t));
5140                         return (B_FALSE);
5141                 }
5142         } else {
5143                 th_trace = (th_trace_t *)val;
5144         }
5145 
5146         ASSERT(th_trace->th_refcnt >= 0 &&
5147             th_trace->th_refcnt < TR_BUF_MAX - 1);
5148 
5149         th_trace->th_refcnt++;
5150         th_trace_rrecord(th_trace);
5151         return (B_TRUE);
5152 }
5153 
5154 /*
5155  * For the purpose of tracing a reference release, we assume that global
5156  * tracing is always on and that the same thread initiated the reference hold
5157  * is releasing.
5158  */
5159 void
5160 th_trace_unref(const void *obj)
5161 {
5162         int retv;
5163         mod_hash_t *mh;
5164         th_trace_t *th_trace;
5165         mod_hash_val_t val;
5166 
5167         mh = th_trace_gethash(NULL);
5168         retv = mod_hash_find(mh, (mod_hash_key_t)obj, &val);
5169         ASSERT(retv == 0);
5170         th_trace = (th_trace_t *)val;
5171 
5172         ASSERT(th_trace->th_refcnt > 0);
5173         th_trace->th_refcnt--;
5174         th_trace_rrecord(th_trace);
5175 }
5176 
5177 /*
5178  * If tracing has been disabled, then we assume that the reference counts are
5179  * now useless, and we clear them out before destroying the entries.
5180  */
5181 void
5182 th_trace_cleanup(const void *obj, boolean_t trace_disable)
5183 {
5184         th_hash_t       *thh;
5185         mod_hash_t      *mh;
5186         mod_hash_val_t  val;
5187         th_trace_t      *th_trace;
5188         int             retv;
5189 
5190         rw_enter(&ip_thread_rwlock, RW_READER);
5191         for (thh = list_head(&ip_thread_list); thh != NULL;
5192             thh = list_next(&ip_thread_list, thh)) {
5193                 if (mod_hash_find(mh = thh->thh_hash, (mod_hash_key_t)obj,
5194                     &val) == 0) {
5195                         th_trace = (th_trace_t *)val;
5196                         if (trace_disable)
5197                                 th_trace->th_refcnt = 0;
5198                         retv = mod_hash_destroy(mh, (mod_hash_key_t)obj);
5199                         ASSERT(retv == 0);
5200                 }
5201         }
5202         rw_exit(&ip_thread_rwlock);
5203 }
5204 
5205 void
5206 ipif_trace_ref(ipif_t *ipif)
5207 {
5208         ASSERT(MUTEX_HELD(&ipif->ipif_ill->ill_lock));
5209 
5210         if (ipif->ipif_trace_disable)
5211                 return;
5212 
5213         if (!th_trace_ref(ipif, ipif->ipif_ill->ill_ipst)) {
5214                 ipif->ipif_trace_disable = B_TRUE;
5215                 ipif_trace_cleanup(ipif);
5216         }
5217 }
5218 
5219 void
5220 ipif_untrace_ref(ipif_t *ipif)
5221 {
5222         ASSERT(MUTEX_HELD(&ipif->ipif_ill->ill_lock));
5223 
5224         if (!ipif->ipif_trace_disable)
5225                 th_trace_unref(ipif);
5226 }
5227 
5228 void
5229 ill_trace_ref(ill_t *ill)
5230 {
5231         ASSERT(MUTEX_HELD(&ill->ill_lock));
5232 
5233         if (ill->ill_trace_disable)
5234                 return;
5235 
5236         if (!th_trace_ref(ill, ill->ill_ipst)) {
5237                 ill->ill_trace_disable = B_TRUE;
5238                 ill_trace_cleanup(ill);
5239         }
5240 }
5241 
5242 void
5243 ill_untrace_ref(ill_t *ill)
5244 {
5245         ASSERT(MUTEX_HELD(&ill->ill_lock));
5246 
5247         if (!ill->ill_trace_disable)
5248                 th_trace_unref(ill);
5249 }
5250 
5251 /*
5252  * Called when ipif is unplumbed or when memory alloc fails.  Note that on
5253  * failure, ipif_trace_disable is set.
5254  */
5255 static void
5256 ipif_trace_cleanup(const ipif_t *ipif)
5257 {
5258         th_trace_cleanup(ipif, ipif->ipif_trace_disable);
5259 }
5260 
5261 /*
5262  * Called when ill is unplumbed or when memory alloc fails.  Note that on
5263  * failure, ill_trace_disable is set.
5264  */
5265 static void
5266 ill_trace_cleanup(const ill_t *ill)
5267 {
5268         th_trace_cleanup(ill, ill->ill_trace_disable);
5269 }
5270 #endif /* DEBUG */
5271 
5272 void
5273 ipif_refhold_locked(ipif_t *ipif)
5274 {
5275         ASSERT(MUTEX_HELD(&ipif->ipif_ill->ill_lock));
5276         ipif->ipif_refcnt++;
5277         IPIF_TRACE_REF(ipif);
5278 }
5279 
5280 void
5281 ipif_refhold(ipif_t *ipif)
5282 {
5283         ill_t   *ill;
5284 
5285         ill = ipif->ipif_ill;
5286         mutex_enter(&ill->ill_lock);
5287         ipif->ipif_refcnt++;
5288         IPIF_TRACE_REF(ipif);
5289         mutex_exit(&ill->ill_lock);
5290 }
5291 
5292 /*
5293  * Must not be called while holding any locks. Otherwise if this is
5294  * the last reference to be released there is a chance of recursive mutex
5295  * panic due to ipif_refrele -> ipif_ill_refrele_tail -> qwriter_ip trying
5296  * to restart an ioctl.
5297  */
5298 void
5299 ipif_refrele(ipif_t *ipif)
5300 {
5301         ill_t   *ill;
5302 
5303         ill = ipif->ipif_ill;
5304 
5305         mutex_enter(&ill->ill_lock);
5306         ASSERT(ipif->ipif_refcnt != 0);
5307         ipif->ipif_refcnt--;
5308         IPIF_UNTRACE_REF(ipif);
5309         if (ipif->ipif_refcnt != 0) {
5310                 mutex_exit(&ill->ill_lock);
5311                 return;
5312         }
5313 
5314         /* Drops the ill_lock */
5315         ipif_ill_refrele_tail(ill);
5316 }
5317 
5318 ipif_t *
5319 ipif_get_next_ipif(ipif_t *curr, ill_t *ill)
5320 {
5321         ipif_t  *ipif;
5322 
5323         mutex_enter(&ill->ill_lock);
5324         for (ipif = (curr == NULL ? ill->ill_ipif : curr->ipif_next);
5325             ipif != NULL; ipif = ipif->ipif_next) {
5326                 if (IPIF_IS_CONDEMNED(ipif))
5327                         continue;
5328                 ipif_refhold_locked(ipif);
5329                 mutex_exit(&ill->ill_lock);
5330                 return (ipif);
5331         }
5332         mutex_exit(&ill->ill_lock);
5333         return (NULL);
5334 }
5335 
5336 /*
5337  * TODO: make this table extendible at run time
5338  * Return a pointer to the mac type info for 'mac_type'
5339  */
5340 static ip_m_t *
5341 ip_m_lookup(t_uscalar_t mac_type)
5342 {
5343         ip_m_t  *ipm;
5344 
5345         for (ipm = ip_m_tbl; ipm < A_END(ip_m_tbl); ipm++)
5346                 if (ipm->ip_m_mac_type == mac_type)
5347                         return (ipm);
5348         return (NULL);
5349 }
5350 
5351 /*
5352  * Make a link layer address from the multicast IP address *addr.
5353  * To form the link layer address, invoke the ip_m_v*mapping function
5354  * associated with the link-layer type.
5355  */
5356 void
5357 ip_mcast_mapping(ill_t *ill, uchar_t *addr, uchar_t *hwaddr)
5358 {
5359         ip_m_t *ipm;
5360 
5361         if (ill->ill_net_type == IRE_IF_NORESOLVER)
5362                 return;
5363 
5364         ASSERT(addr != NULL);
5365 
5366         ipm = ip_m_lookup(ill->ill_mactype);
5367         if (ipm == NULL ||
5368             (ill->ill_isv6 && ipm->ip_m_v6mapping == NULL) ||
5369             (!ill->ill_isv6 && ipm->ip_m_v4mapping == NULL)) {
5370                 ip0dbg(("no mapping for ill %s mactype 0x%x\n",
5371                     ill->ill_name, ill->ill_mactype));
5372                 return;
5373         }
5374         if (ill->ill_isv6)
5375                 (*ipm->ip_m_v6mapping)(ill, addr, hwaddr);
5376         else
5377                 (*ipm->ip_m_v4mapping)(ill, addr, hwaddr);
5378 }
5379 
5380 /*
5381  * Returns B_FALSE if the IPv4 netmask pointed by `mask' is non-contiguous.
5382  * Otherwise returns B_TRUE.
5383  *
5384  * The netmask can be verified to be contiguous with 32 shifts and or
5385  * operations. Take the contiguous mask (in host byte order) and compute
5386  *      mask | mask << 1 | mask << 2 | ... | mask << 31
5387  * the result will be the same as the 'mask' for contiguous mask.
5388  */
5389 static boolean_t
5390 ip_contiguous_mask(uint32_t mask)
5391 {
5392         uint32_t        m = mask;
5393         int             i;
5394 
5395         for (i = 1; i < 32; i++)
5396                 m |= (mask << i);
5397 
5398         return (m == mask);
5399 }
5400 
5401 /*
5402  * ip_rt_add is called to add an IPv4 route to the forwarding table.
5403  * ill is passed in to associate it with the correct interface.
5404  * If ire_arg is set, then we return the held IRE in that location.
5405  */
5406 int
5407 ip_rt_add(ipaddr_t dst_addr, ipaddr_t mask, ipaddr_t gw_addr,
5408     ipaddr_t src_addr, int flags, ill_t *ill, ire_t **ire_arg,
5409     boolean_t ioctl_msg, struct rtsa_s *sp, ip_stack_t *ipst, zoneid_t zoneid)
5410 {
5411         ire_t   *ire, *nire;
5412         ire_t   *gw_ire = NULL;
5413         ipif_t  *ipif = NULL;
5414         uint_t  type;
5415         int     match_flags = MATCH_IRE_TYPE;
5416         tsol_gc_t *gc = NULL;
5417         tsol_gcgrp_t *gcgrp = NULL;
5418         boolean_t gcgrp_xtraref = B_FALSE;
5419         boolean_t cgtp_broadcast;
5420         boolean_t unbound = B_FALSE;
5421 
5422         ip1dbg(("ip_rt_add:"));
5423 
5424         if (ire_arg != NULL)
5425                 *ire_arg = NULL;
5426 
5427         /* disallow non-contiguous netmasks */
5428         if (!ip_contiguous_mask(ntohl(mask)))
5429                 return (ENOTSUP);
5430 
5431         /*
5432          * If this is the case of RTF_HOST being set, then we set the netmask
5433          * to all ones (regardless if one was supplied).
5434          */
5435         if (flags & RTF_HOST)
5436                 mask = IP_HOST_MASK;
5437 
5438         /*
5439          * Prevent routes with a zero gateway from being created (since
5440          * interfaces can currently be plumbed and brought up no assigned
5441          * address).
5442          */
5443         if (gw_addr == 0)
5444                 return (ENETUNREACH);
5445         /*
5446          * Get the ipif, if any, corresponding to the gw_addr
5447          * If -ifp was specified we restrict ourselves to the ill, otherwise
5448          * we match on the gatway and destination to handle unnumbered pt-pt
5449          * interfaces.
5450          */
5451         if (ill != NULL)
5452                 ipif = ipif_lookup_addr(gw_addr, ill, ALL_ZONES, ipst);
5453         else
5454                 ipif = ipif_lookup_interface(gw_addr, dst_addr, ipst);
5455         if (ipif != NULL) {
5456                 if (IS_VNI(ipif->ipif_ill)) {
5457                         ipif_refrele(ipif);
5458                         return (EINVAL);
5459                 }
5460         }
5461 
5462         /*
5463          * GateD will attempt to create routes with a loopback interface
5464          * address as the gateway and with RTF_GATEWAY set.  We allow
5465          * these routes to be added, but create them as interface routes
5466          * since the gateway is an interface address.
5467          */
5468         if ((ipif != NULL) && (ipif->ipif_ire_type == IRE_LOOPBACK)) {
5469                 flags &= ~RTF_GATEWAY;
5470                 if (gw_addr == INADDR_LOOPBACK && dst_addr == INADDR_LOOPBACK &&
5471                     mask == IP_HOST_MASK) {
5472                         ire = ire_ftable_lookup_v4(dst_addr, 0, 0, IRE_LOOPBACK,
5473                             NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE, 0, ipst,
5474                             NULL);
5475                         if (ire != NULL) {
5476                                 ire_refrele(ire);
5477                                 ipif_refrele(ipif);
5478                                 return (EEXIST);
5479                         }
5480                         ip1dbg(("ip_rt_add: 0x%p creating IRE 0x%x"
5481                             "for 0x%x\n", (void *)ipif,
5482                             ipif->ipif_ire_type,
5483                             ntohl(ipif->ipif_lcl_addr)));
5484                         ire = ire_create(
5485                             (uchar_t *)&dst_addr,   /* dest address */
5486                             (uchar_t *)&mask,               /* mask */
5487                             NULL,                       /* no gateway */
5488                             ipif->ipif_ire_type,     /* LOOPBACK */
5489                             ipif->ipif_ill,
5490                             zoneid,
5491                             (ipif->ipif_flags & IPIF_PRIVATE) ? RTF_PRIVATE : 0,
5492                             NULL,
5493                             ipst);
5494 
5495                         if (ire == NULL) {
5496                                 ipif_refrele(ipif);
5497                                 return (ENOMEM);
5498                         }
5499                         /* src address assigned by the caller? */
5500                         if ((src_addr != INADDR_ANY) && (flags & RTF_SETSRC))
5501                                 ire->ire_setsrc_addr = src_addr;
5502 
5503                         nire = ire_add(ire);
5504                         if (nire == NULL) {
5505                                 /*
5506                                  * In the result of failure, ire_add() will have
5507                                  * already deleted the ire in question, so there
5508                                  * is no need to do that here.
5509                                  */
5510                                 ipif_refrele(ipif);
5511                                 return (ENOMEM);
5512                         }
5513                         /*
5514                          * Check if it was a duplicate entry. This handles
5515                          * the case of two racing route adds for the same route
5516                          */
5517                         if (nire != ire) {
5518                                 ASSERT(nire->ire_identical_ref > 1);
5519                                 ire_delete(nire);
5520                                 ire_refrele(nire);
5521                                 ipif_refrele(ipif);
5522                                 return (EEXIST);
5523                         }
5524                         ire = nire;
5525                         goto save_ire;
5526                 }
5527         }
5528 
5529         /*
5530          * The routes for multicast with CGTP are quite special in that
5531          * the gateway is the local interface address, yet RTF_GATEWAY
5532          * is set. We turn off RTF_GATEWAY to provide compatibility with
5533          * this undocumented and unusual use of multicast routes.
5534          */
5535         if ((flags & RTF_MULTIRT) && ipif != NULL)
5536                 flags &= ~RTF_GATEWAY;
5537 
5538         /*
5539          * Traditionally, interface routes are ones where RTF_GATEWAY isn't set
5540          * and the gateway address provided is one of the system's interface
5541          * addresses.  By using the routing socket interface and supplying an
5542          * RTA_IFP sockaddr with an interface index, an alternate method of
5543          * specifying an interface route to be created is available which uses
5544          * the interface index that specifies the outgoing interface rather than
5545          * the address of an outgoing interface (which may not be able to
5546          * uniquely identify an interface).  When coupled with the RTF_GATEWAY
5547          * flag, routes can be specified which not only specify the next-hop to
5548          * be used when routing to a certain prefix, but also which outgoing
5549          * interface should be used.
5550          *
5551          * Previously, interfaces would have unique addresses assigned to them
5552          * and so the address assigned to a particular interface could be used
5553          * to identify a particular interface.  One exception to this was the
5554          * case of an unnumbered interface (where IPIF_UNNUMBERED was set).
5555          *
5556          * With the advent of IPv6 and its link-local addresses, this
5557          * restriction was relaxed and interfaces could share addresses between
5558          * themselves.  In fact, typically all of the link-local interfaces on
5559          * an IPv6 node or router will have the same link-local address.  In
5560          * order to differentiate between these interfaces, the use of an
5561          * interface index is necessary and this index can be carried inside a
5562          * RTA_IFP sockaddr (which is actually a sockaddr_dl).  One restriction
5563          * of using the interface index, however, is that all of the ipif's that
5564          * are part of an ill have the same index and so the RTA_IFP sockaddr
5565          * cannot be used to differentiate between ipif's (or logical
5566          * interfaces) that belong to the same ill (physical interface).
5567          *
5568          * For example, in the following case involving IPv4 interfaces and
5569          * logical interfaces
5570          *
5571          *      192.0.2.32      255.255.255.224 192.0.2.33      U       if0
5572          *      192.0.2.32      255.255.255.224 192.0.2.34      U       if0
5573          *      192.0.2.32      255.255.255.224 192.0.2.35      U       if0
5574          *
5575          * the ipif's corresponding to each of these interface routes can be
5576          * uniquely identified by the "gateway" (actually interface address).
5577          *
5578          * In this case involving multiple IPv6 default routes to a particular
5579          * link-local gateway, the use of RTA_IFP is necessary to specify which
5580          * default route is of interest:
5581          *
5582          *      default         fe80::123:4567:89ab:cdef        U       if0
5583          *      default         fe80::123:4567:89ab:cdef        U       if1
5584          */
5585 
5586         /* RTF_GATEWAY not set */
5587         if (!(flags & RTF_GATEWAY)) {
5588                 if (sp != NULL) {
5589                         ip2dbg(("ip_rt_add: gateway security attributes "
5590                             "cannot be set with interface route\n"));
5591                         if (ipif != NULL)
5592                                 ipif_refrele(ipif);
5593                         return (EINVAL);
5594                 }
5595 
5596                 /*
5597                  * Whether or not ill (RTA_IFP) is set, we require that
5598                  * the gateway is one of our local addresses.
5599                  */
5600                 if (ipif == NULL)
5601                         return (ENETUNREACH);
5602 
5603                 /*
5604                  * We use MATCH_IRE_ILL here. If the caller specified an
5605                  * interface (from the RTA_IFP sockaddr) we use it, otherwise
5606                  * we use the ill derived from the gateway address.
5607                  * We can always match the gateway address since we record it
5608                  * in ire_gateway_addr.
5609                  * We don't allow RTA_IFP to specify a different ill than the
5610                  * one matching the ipif to make sure we can delete the route.
5611                  */
5612                 match_flags |= MATCH_IRE_GW | MATCH_IRE_ILL;
5613                 if (ill == NULL) {
5614                         ill = ipif->ipif_ill;
5615                 } else if (ill != ipif->ipif_ill) {
5616                         ipif_refrele(ipif);
5617                         return (EINVAL);
5618                 }
5619 
5620                 /*
5621                  * We check for an existing entry at this point.
5622                  *
5623                  * Since a netmask isn't passed in via the ioctl interface
5624                  * (SIOCADDRT), we don't check for a matching netmask in that
5625                  * case.
5626                  */
5627                 if (!ioctl_msg)
5628                         match_flags |= MATCH_IRE_MASK;
5629                 ire = ire_ftable_lookup_v4(dst_addr, mask, gw_addr,
5630                     IRE_INTERFACE, ill, ALL_ZONES, NULL, match_flags, 0, ipst,
5631                     NULL);
5632                 if (ire != NULL) {
5633                         ire_refrele(ire);
5634                         ipif_refrele(ipif);
5635                         return (EEXIST);
5636                 }
5637 
5638                 /*
5639                  * Some software (for example, GateD and Sun Cluster) attempts
5640                  * to create (what amount to) IRE_PREFIX routes with the
5641                  * loopback address as the gateway.  This is primarily done to
5642                  * set up prefixes with the RTF_REJECT flag set (for example,
5643                  * when generating aggregate routes.)
5644                  *
5645                  * If the IRE type (as defined by ill->ill_net_type) would be
5646                  * IRE_LOOPBACK, then we map the request into a
5647                  * IRE_IF_NORESOLVER. We also OR in the RTF_BLACKHOLE flag as
5648                  * these interface routes, by definition, can only be that.
5649                  *
5650                  * Needless to say, the real IRE_LOOPBACK is NOT created by this
5651                  * routine, but rather using ire_create() directly.
5652                  *
5653                  */
5654                 type = ill->ill_net_type;
5655                 if (type == IRE_LOOPBACK) {
5656                         type = IRE_IF_NORESOLVER;
5657                         flags |= RTF_BLACKHOLE;
5658                 }
5659 
5660                 /*
5661                  * Create a copy of the IRE_IF_NORESOLVER or
5662                  * IRE_IF_RESOLVER with the modified address, netmask, and
5663                  * gateway.
5664                  */
5665                 ire = ire_create(
5666                     (uchar_t *)&dst_addr,
5667                     (uint8_t *)&mask,
5668                     (uint8_t *)&gw_addr,
5669                     type,
5670                     ill,
5671                     zoneid,
5672                     flags,
5673                     NULL,
5674                     ipst);
5675                 if (ire == NULL) {
5676                         ipif_refrele(ipif);
5677                         return (ENOMEM);
5678                 }
5679 
5680                 /* src address assigned by the caller? */
5681                 if ((src_addr != INADDR_ANY) && (flags & RTF_SETSRC))
5682                         ire->ire_setsrc_addr = src_addr;
5683 
5684                 nire = ire_add(ire);
5685                 if (nire == NULL) {
5686                         /*
5687                          * In the result of failure, ire_add() will have
5688                          * already deleted the ire in question, so there
5689                          * is no need to do that here.
5690                          */
5691                         ipif_refrele(ipif);
5692                         return (ENOMEM);
5693                 }
5694                 /*
5695                  * Check if it was a duplicate entry. This handles
5696                  * the case of two racing route adds for the same route
5697                  */
5698                 if (nire != ire) {
5699                         ire_delete(nire);
5700                         ire_refrele(nire);
5701                         ipif_refrele(ipif);
5702                         return (EEXIST);
5703                 }
5704                 ire = nire;
5705                 goto save_ire;
5706         }
5707 
5708         /*
5709          * Get an interface IRE for the specified gateway.
5710          * If we don't have an IRE_IF_NORESOLVER or IRE_IF_RESOLVER for the
5711          * gateway, it is currently unreachable and we fail the request
5712          * accordingly. We reject any RTF_GATEWAY routes where the gateway
5713          * is an IRE_LOCAL or IRE_LOOPBACK.
5714          * If RTA_IFP was specified we look on that particular ill.
5715          */
5716         if (ill != NULL)
5717                 match_flags |= MATCH_IRE_ILL;
5718 
5719         /* Check whether the gateway is reachable. */
5720 again:
5721         type = IRE_INTERFACE | IRE_LOCAL | IRE_LOOPBACK;
5722         if (flags & RTF_INDIRECT)
5723                 type |= IRE_OFFLINK;
5724 
5725         gw_ire = ire_ftable_lookup_v4(gw_addr, 0, 0, type, ill,
5726             ALL_ZONES, NULL, match_flags, 0, ipst, NULL);
5727         if (gw_ire == NULL) {
5728                 /*
5729                  * With IPMP, we allow host routes to influence in.mpathd's
5730                  * target selection.  However, if the test addresses are on
5731                  * their own network, the above lookup will fail since the
5732                  * underlying IRE_INTERFACEs are marked hidden.  So allow
5733                  * hidden test IREs to be found and try again.
5734                  */
5735                 if (!(match_flags & MATCH_IRE_TESTHIDDEN))  {
5736                         match_flags |= MATCH_IRE_TESTHIDDEN;
5737                         goto again;
5738                 }
5739                 if (ipif != NULL)
5740                         ipif_refrele(ipif);
5741                 return (ENETUNREACH);
5742         }
5743         if (gw_ire->ire_type & (IRE_LOCAL|IRE_LOOPBACK)) {
5744                 ire_refrele(gw_ire);
5745                 if (ipif != NULL)
5746                         ipif_refrele(ipif);
5747                 return (ENETUNREACH);
5748         }
5749 
5750         if (ill == NULL && !(flags & RTF_INDIRECT)) {
5751                 unbound = B_TRUE;
5752                 if (ipst->ips_ip_strict_src_multihoming > 0)
5753                         ill = gw_ire->ire_ill;
5754         }
5755 
5756         /*
5757          * We create one of three types of IREs as a result of this request
5758          * based on the netmask.  A netmask of all ones (which is automatically
5759          * assumed when RTF_HOST is set) results in an IRE_HOST being created.
5760          * An all zeroes netmask implies a default route so an IRE_DEFAULT is
5761          * created.  Otherwise, an IRE_PREFIX route is created for the
5762          * destination prefix.
5763          */
5764         if (mask == IP_HOST_MASK)
5765                 type = IRE_HOST;
5766         else if (mask == 0)
5767                 type = IRE_DEFAULT;
5768         else
5769                 type = IRE_PREFIX;
5770 
5771         /* check for a duplicate entry */
5772         ire = ire_ftable_lookup_v4(dst_addr, mask, gw_addr, type, ill,
5773             ALL_ZONES, NULL, match_flags | MATCH_IRE_MASK | MATCH_IRE_GW,
5774             0, ipst, NULL);
5775         if (ire != NULL) {
5776                 if (ipif != NULL)
5777                         ipif_refrele(ipif);
5778                 ire_refrele(gw_ire);
5779                 ire_refrele(ire);
5780                 return (EEXIST);
5781         }
5782 
5783         /* Security attribute exists */
5784         if (sp != NULL) {
5785                 tsol_gcgrp_addr_t ga;
5786 
5787                 /* find or create the gateway credentials group */
5788                 ga.ga_af = AF_INET;
5789                 IN6_IPADDR_TO_V4MAPPED(gw_addr, &ga.ga_addr);
5790 
5791                 /* we hold reference to it upon success */
5792                 gcgrp = gcgrp_lookup(&ga, B_TRUE);
5793                 if (gcgrp == NULL) {
5794                         if (ipif != NULL)
5795                                 ipif_refrele(ipif);
5796                         ire_refrele(gw_ire);
5797                         return (ENOMEM);
5798                 }
5799 
5800                 /*
5801                  * Create and add the security attribute to the group; a
5802                  * reference to the group is made upon allocating a new
5803                  * entry successfully.  If it finds an already-existing
5804                  * entry for the security attribute in the group, it simply
5805                  * returns it and no new reference is made to the group.
5806                  */
5807                 gc = gc_create(sp, gcgrp, &gcgrp_xtraref);
5808                 if (gc == NULL) {
5809                         if (ipif != NULL)
5810                                 ipif_refrele(ipif);
5811                         /* release reference held by gcgrp_lookup */
5812                         GCGRP_REFRELE(gcgrp);
5813                         ire_refrele(gw_ire);
5814                         return (ENOMEM);
5815                 }
5816         }
5817 
5818         /* Create the IRE. */
5819         ire = ire_create(
5820             (uchar_t *)&dst_addr,           /* dest address */
5821             (uchar_t *)&mask,                       /* mask */
5822             (uchar_t *)&gw_addr,            /* gateway address */
5823             (ushort_t)type,                     /* IRE type */
5824             ill,
5825             zoneid,
5826             flags,
5827             gc,                                 /* security attribute */
5828             ipst);
5829 
5830         /*
5831          * The ire holds a reference to the 'gc' and the 'gc' holds a
5832          * reference to the 'gcgrp'. We can now release the extra reference
5833          * the 'gcgrp' acquired in the gcgrp_lookup, if it was not used.
5834          */
5835         if (gcgrp_xtraref)
5836                 GCGRP_REFRELE(gcgrp);
5837         if (ire == NULL) {
5838                 if (gc != NULL)
5839                         GC_REFRELE(gc);
5840                 if (ipif != NULL)
5841                         ipif_refrele(ipif);
5842                 ire_refrele(gw_ire);
5843                 return (ENOMEM);
5844         }
5845 
5846         /* Before we add, check if an extra CGTP broadcast is needed */
5847         cgtp_broadcast = ((flags & RTF_MULTIRT) &&
5848             ip_type_v4(ire->ire_addr, ipst) == IRE_BROADCAST);
5849 
5850         /* src address assigned by the caller? */
5851         if ((src_addr != INADDR_ANY) && (flags & RTF_SETSRC))
5852                 ire->ire_setsrc_addr = src_addr;
5853 
5854         ire->ire_unbound = unbound;
5855 
5856         /*
5857          * POLICY: should we allow an RTF_HOST with address INADDR_ANY?
5858          * SUN/OS socket stuff does but do we really want to allow 0.0.0.0?
5859          */
5860 
5861         /* Add the new IRE. */
5862         nire = ire_add(ire);
5863         if (nire == NULL) {
5864                 /*
5865                  * In the result of failure, ire_add() will have
5866                  * already deleted the ire in question, so there
5867                  * is no need to do that here.
5868                  */
5869                 if (ipif != NULL)
5870                         ipif_refrele(ipif);
5871                 ire_refrele(gw_ire);
5872                 return (ENOMEM);
5873         }
5874         /*
5875          * Check if it was a duplicate entry. This handles
5876          * the case of two racing route adds for the same route
5877          */
5878         if (nire != ire) {
5879                 ire_delete(nire);
5880                 ire_refrele(nire);
5881                 if (ipif != NULL)
5882                         ipif_refrele(ipif);
5883                 ire_refrele(gw_ire);
5884                 return (EEXIST);
5885         }
5886         ire = nire;
5887 
5888         if (flags & RTF_MULTIRT) {
5889                 /*
5890                  * Invoke the CGTP (multirouting) filtering module
5891                  * to add the dst address in the filtering database.
5892                  * Replicated inbound packets coming from that address
5893                  * will be filtered to discard the duplicates.
5894                  * It is not necessary to call the CGTP filter hook
5895                  * when the dst address is a broadcast or multicast,
5896                  * because an IP source address cannot be a broadcast
5897                  * or a multicast.
5898                  */
5899                 if (cgtp_broadcast) {
5900                         ip_cgtp_bcast_add(ire, ipst);
5901                         goto save_ire;
5902                 }
5903                 if (ipst->ips_ip_cgtp_filter_ops != NULL &&
5904                     !CLASSD(ire->ire_addr)) {
5905                         int res;
5906                         ipif_t *src_ipif;
5907 
5908                         /* Find the source address corresponding to gw_ire */
5909                         src_ipif = ipif_lookup_addr(gw_ire->ire_gateway_addr,
5910                             NULL, zoneid, ipst);
5911                         if (src_ipif != NULL) {
5912                                 res = ipst->ips_ip_cgtp_filter_ops->
5913                                     cfo_add_dest_v4(
5914                                     ipst->ips_netstack->netstack_stackid,
5915                                     ire->ire_addr,
5916                                     ire->ire_gateway_addr,
5917                                     ire->ire_setsrc_addr,
5918                                     src_ipif->ipif_lcl_addr);
5919                                 ipif_refrele(src_ipif);
5920                         } else {
5921                                 res = EADDRNOTAVAIL;
5922                         }
5923                         if (res != 0) {
5924                                 if (ipif != NULL)
5925                                         ipif_refrele(ipif);
5926                                 ire_refrele(gw_ire);
5927                                 ire_delete(ire);
5928                                 ire_refrele(ire);       /* Held in ire_add */
5929                                 return (res);
5930                         }
5931                 }
5932         }
5933 
5934 save_ire:
5935         if (gw_ire != NULL) {
5936                 ire_refrele(gw_ire);
5937                 gw_ire = NULL;
5938         }
5939         if (ill != NULL) {
5940                 /*
5941                  * Save enough information so that we can recreate the IRE if
5942                  * the interface goes down and then up.  The metrics associated
5943                  * with the route will be saved as well when rts_setmetrics() is
5944                  * called after the IRE has been created.  In the case where
5945                  * memory cannot be allocated, none of this information will be
5946                  * saved.
5947                  */
5948                 ill_save_ire(ill, ire);
5949         }
5950         if (ioctl_msg)
5951                 ip_rts_rtmsg(RTM_OLDADD, ire, 0, ipst);
5952         if (ire_arg != NULL) {
5953                 /*
5954                  * Store the ire that was successfully added into where ire_arg
5955                  * points to so that callers don't have to look it up
5956                  * themselves (but they are responsible for ire_refrele()ing
5957                  * the ire when they are finished with it).
5958                  */
5959                 *ire_arg = ire;
5960         } else {
5961                 ire_refrele(ire);               /* Held in ire_add */
5962         }
5963         if (ipif != NULL)
5964                 ipif_refrele(ipif);
5965         return (0);
5966 }
5967 
5968 /*
5969  * ip_rt_delete is called to delete an IPv4 route.
5970  * ill is passed in to associate it with the correct interface.
5971  */
5972 /* ARGSUSED4 */
5973 int
5974 ip_rt_delete(ipaddr_t dst_addr, ipaddr_t mask, ipaddr_t gw_addr,
5975     uint_t rtm_addrs, int flags, ill_t *ill, boolean_t ioctl_msg,
5976     ip_stack_t *ipst, zoneid_t zoneid)
5977 {
5978         ire_t   *ire = NULL;
5979         ipif_t  *ipif;
5980         uint_t  type;
5981         uint_t  match_flags = MATCH_IRE_TYPE;
5982         int     err = 0;
5983 
5984         ip1dbg(("ip_rt_delete:"));
5985         /*
5986          * If this is the case of RTF_HOST being set, then we set the netmask
5987          * to all ones.  Otherwise, we use the netmask if one was supplied.
5988          */
5989         if (flags & RTF_HOST) {
5990                 mask = IP_HOST_MASK;
5991                 match_flags |= MATCH_IRE_MASK;
5992         } else if (rtm_addrs & RTA_NETMASK) {
5993                 match_flags |= MATCH_IRE_MASK;
5994         }
5995 
5996         /*
5997          * Note that RTF_GATEWAY is never set on a delete, therefore
5998          * we check if the gateway address is one of our interfaces first,
5999          * and fall back on RTF_GATEWAY routes.
6000          *
6001          * This makes it possible to delete an original
6002          * IRE_IF_NORESOLVER/IRE_IF_RESOLVER - consistent with SunOS 4.1.
6003          * However, we have RTF_KERNEL set on the ones created by ipif_up
6004          * and those can not be deleted here.
6005          *
6006          * We use MATCH_IRE_ILL if we know the interface. If the caller
6007          * specified an interface (from the RTA_IFP sockaddr) we use it,
6008          * otherwise we use the ill derived from the gateway address.
6009          * We can always match the gateway address since we record it
6010          * in ire_gateway_addr.
6011          *
6012          * For more detail on specifying routes by gateway address and by
6013          * interface index, see the comments in ip_rt_add().
6014          */
6015         ipif = ipif_lookup_interface(gw_addr, dst_addr, ipst);
6016         if (ipif != NULL) {
6017                 ill_t   *ill_match;
6018 
6019                 if (ill != NULL)
6020                         ill_match = ill;
6021                 else
6022                         ill_match = ipif->ipif_ill;
6023 
6024                 match_flags |= MATCH_IRE_ILL;
6025                 if (ipif->ipif_ire_type == IRE_LOOPBACK) {
6026                         ire = ire_ftable_lookup_v4(dst_addr, mask, 0,
6027                             IRE_LOOPBACK, ill_match, ALL_ZONES, NULL,
6028                             match_flags, 0, ipst, NULL);
6029                 }
6030                 if (ire == NULL) {
6031                         match_flags |= MATCH_IRE_GW;
6032                         ire = ire_ftable_lookup_v4(dst_addr, mask, gw_addr,
6033                             IRE_INTERFACE, ill_match, ALL_ZONES, NULL,
6034                             match_flags, 0, ipst, NULL);
6035                 }
6036                 /* Avoid deleting routes created by kernel from an ipif */
6037                 if (ire != NULL && (ire->ire_flags & RTF_KERNEL)) {
6038                         ire_refrele(ire);
6039                         ire = NULL;
6040                 }
6041 
6042                 /* Restore in case we didn't find a match */
6043                 match_flags &= ~(MATCH_IRE_GW|MATCH_IRE_ILL);
6044         }
6045 
6046         if (ire == NULL) {
6047                 /*
6048                  * At this point, the gateway address is not one of our own
6049                  * addresses or a matching interface route was not found.  We
6050                  * set the IRE type to lookup based on whether
6051                  * this is a host route, a default route or just a prefix.
6052                  *
6053                  * If an ill was passed in, then the lookup is based on an
6054                  * interface index so MATCH_IRE_ILL is added to match_flags.
6055                  */
6056                 match_flags |= MATCH_IRE_GW;
6057                 if (ill != NULL)
6058                         match_flags |= MATCH_IRE_ILL;
6059                 if (mask == IP_HOST_MASK)
6060                         type = IRE_HOST;
6061                 else if (mask == 0)
6062                         type = IRE_DEFAULT;
6063                 else
6064                         type = IRE_PREFIX;
6065                 ire = ire_ftable_lookup_v4(dst_addr, mask, gw_addr, type, ill,
6066                     ALL_ZONES, NULL, match_flags, 0, ipst, NULL);
6067         }
6068 
6069         if (ipif != NULL) {
6070                 ipif_refrele(ipif);
6071                 ipif = NULL;
6072         }
6073 
6074         if (ire == NULL)
6075                 return (ESRCH);
6076 
6077         if (ire->ire_flags & RTF_MULTIRT) {
6078                 /*
6079                  * Invoke the CGTP (multirouting) filtering module
6080                  * to remove the dst address from the filtering database.
6081                  * Packets coming from that address will no longer be
6082                  * filtered to remove duplicates.
6083                  */
6084                 if (ipst->ips_ip_cgtp_filter_ops != NULL) {
6085                         err = ipst->ips_ip_cgtp_filter_ops->cfo_del_dest_v4(
6086                             ipst->ips_netstack->netstack_stackid,
6087                             ire->ire_addr, ire->ire_gateway_addr);
6088                 }
6089                 ip_cgtp_bcast_delete(ire, ipst);
6090         }
6091 
6092         ill = ire->ire_ill;
6093         if (ill != NULL)
6094                 ill_remove_saved_ire(ill, ire);
6095         if (ioctl_msg)
6096                 ip_rts_rtmsg(RTM_OLDDEL, ire, 0, ipst);
6097         ire_delete(ire);
6098         ire_refrele(ire);
6099         return (err);
6100 }
6101 
6102 /*
6103  * ip_siocaddrt is called to complete processing of an SIOCADDRT IOCTL.
6104  */
6105 /* ARGSUSED */
6106 int
6107 ip_siocaddrt(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
6108     ip_ioctl_cmd_t *ipip, void *dummy_if_req)
6109 {
6110         ipaddr_t dst_addr;
6111         ipaddr_t gw_addr;
6112         ipaddr_t mask;
6113         int error = 0;
6114         mblk_t *mp1;
6115         struct rtentry *rt;
6116         ipif_t *ipif = NULL;
6117         ip_stack_t      *ipst;
6118 
6119         ASSERT(q->q_next == NULL);
6120         ipst = CONNQ_TO_IPST(q);
6121 
6122         ip1dbg(("ip_siocaddrt:"));
6123         /* Existence of mp1 verified in ip_wput_nondata */
6124         mp1 = mp->b_cont->b_cont;
6125         rt = (struct rtentry *)mp1->b_rptr;
6126 
6127         dst_addr = ((sin_t *)&rt->rt_dst)->sin_addr.s_addr;
6128         gw_addr = ((sin_t *)&rt->rt_gateway)->sin_addr.s_addr;
6129 
6130         /*
6131          * If the RTF_HOST flag is on, this is a request to assign a gateway
6132          * to a particular host address.  In this case, we set the netmask to
6133          * all ones for the particular destination address.  Otherwise,
6134          * determine the netmask to be used based on dst_addr and the interfaces
6135          * in use.
6136          */
6137         if (rt->rt_flags & RTF_HOST) {
6138                 mask = IP_HOST_MASK;
6139         } else {
6140                 /*
6141                  * Note that ip_subnet_mask returns a zero mask in the case of
6142                  * default (an all-zeroes address).
6143                  */
6144                 mask = ip_subnet_mask(dst_addr, &ipif, ipst);
6145         }
6146 
6147         error = ip_rt_add(dst_addr, mask, gw_addr, 0, rt->rt_flags, NULL, NULL,
6148             B_TRUE, NULL, ipst, ALL_ZONES);
6149         if (ipif != NULL)
6150                 ipif_refrele(ipif);
6151         return (error);
6152 }
6153 
6154 /*
6155  * ip_siocdelrt is called to complete processing of an SIOCDELRT IOCTL.
6156  */
6157 /* ARGSUSED */
6158 int
6159 ip_siocdelrt(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
6160     ip_ioctl_cmd_t *ipip, void *dummy_if_req)
6161 {
6162         ipaddr_t dst_addr;
6163         ipaddr_t gw_addr;
6164         ipaddr_t mask;
6165         int error;
6166         mblk_t *mp1;
6167         struct rtentry *rt;
6168         ipif_t *ipif = NULL;
6169         ip_stack_t      *ipst;
6170 
6171         ASSERT(q->q_next == NULL);
6172         ipst = CONNQ_TO_IPST(q);
6173 
6174         ip1dbg(("ip_siocdelrt:"));
6175         /* Existence of mp1 verified in ip_wput_nondata */
6176         mp1 = mp->b_cont->b_cont;
6177         rt = (struct rtentry *)mp1->b_rptr;
6178 
6179         dst_addr = ((sin_t *)&rt->rt_dst)->sin_addr.s_addr;
6180         gw_addr = ((sin_t *)&rt->rt_gateway)->sin_addr.s_addr;
6181 
6182         /*
6183          * If the RTF_HOST flag is on, this is a request to delete a gateway
6184          * to a particular host address.  In this case, we set the netmask to
6185          * all ones for the particular destination address.  Otherwise,
6186          * determine the netmask to be used based on dst_addr and the interfaces
6187          * in use.
6188          */
6189         if (rt->rt_flags & RTF_HOST) {
6190                 mask = IP_HOST_MASK;
6191         } else {
6192                 /*
6193                  * Note that ip_subnet_mask returns a zero mask in the case of
6194                  * default (an all-zeroes address).
6195                  */
6196                 mask = ip_subnet_mask(dst_addr, &ipif, ipst);
6197         }
6198 
6199         error = ip_rt_delete(dst_addr, mask, gw_addr,
6200             RTA_DST | RTA_GATEWAY | RTA_NETMASK, rt->rt_flags, NULL, B_TRUE,
6201             ipst, ALL_ZONES);
6202         if (ipif != NULL)
6203                 ipif_refrele(ipif);
6204         return (error);
6205 }
6206 
6207 /*
6208  * Enqueue the mp onto the ipsq, chained by b_next.
6209  * b_prev stores the function to be executed later, and b_queue the queue
6210  * where this mp originated.
6211  */
6212 void
6213 ipsq_enq(ipsq_t *ipsq, queue_t *q, mblk_t *mp, ipsq_func_t func, int type,
6214     ill_t *pending_ill)
6215 {
6216         conn_t  *connp;
6217         ipxop_t *ipx = ipsq->ipsq_xop;
6218 
6219         ASSERT(MUTEX_HELD(&ipsq->ipsq_lock));
6220         ASSERT(MUTEX_HELD(&ipx->ipx_lock));
6221         ASSERT(func != NULL);
6222 
6223         mp->b_queue = q;
6224         mp->b_prev = (void *)func;
6225         mp->b_next = NULL;
6226 
6227         switch (type) {
6228         case CUR_OP:
6229                 if (ipx->ipx_mptail != NULL) {
6230                         ASSERT(ipx->ipx_mphead != NULL);
6231                         ipx->ipx_mptail->b_next = mp;
6232                 } else {
6233                         ASSERT(ipx->ipx_mphead == NULL);
6234                         ipx->ipx_mphead = mp;
6235                 }
6236                 ipx->ipx_mptail = mp;
6237                 break;
6238 
6239         case NEW_OP:
6240                 if (ipsq->ipsq_xopq_mptail != NULL) {
6241                         ASSERT(ipsq->ipsq_xopq_mphead != NULL);
6242                         ipsq->ipsq_xopq_mptail->b_next = mp;
6243                 } else {
6244                         ASSERT(ipsq->ipsq_xopq_mphead == NULL);
6245                         ipsq->ipsq_xopq_mphead = mp;
6246                 }
6247                 ipsq->ipsq_xopq_mptail = mp;
6248                 ipx->ipx_ipsq_queued = B_TRUE;
6249                 break;
6250 
6251         case SWITCH_OP:
6252                 ASSERT(ipsq->ipsq_swxop != NULL);
6253                 /* only one switch operation is currently allowed */
6254                 ASSERT(ipsq->ipsq_switch_mp == NULL);
6255                 ipsq->ipsq_switch_mp = mp;
6256                 ipx->ipx_ipsq_queued = B_TRUE;
6257                 break;
6258         default:
6259                 cmn_err(CE_PANIC, "ipsq_enq %d type \n", type);
6260         }
6261 
6262         if (CONN_Q(q) && pending_ill != NULL) {
6263                 connp = Q_TO_CONN(q);
6264                 ASSERT(MUTEX_HELD(&connp->conn_lock));
6265                 connp->conn_oper_pending_ill = pending_ill;
6266         }
6267 }
6268 
6269 /*
6270  * Dequeue the next message that requested exclusive access to this IPSQ's
6271  * xop.  Specifically:
6272  *
6273  *  1. If we're still processing the current operation on `ipsq', then
6274  *     dequeue the next message for the operation (from ipx_mphead), or
6275  *     return NULL if there are no queued messages for the operation.
6276  *     These messages are queued via CUR_OP to qwriter_ip() and friends.
6277  *
6278  *  2. If the current operation on `ipsq' has completed (ipx_current_ipif is
6279  *     not set) see if the ipsq has requested an xop switch.  If so, switch
6280  *     `ipsq' to a different xop.  Xop switches only happen when joining or
6281  *     leaving IPMP groups and require a careful dance -- see the comments
6282  *     in-line below for details.  If we're leaving a group xop or if we're
6283  *     joining a group xop and become writer on it, then we proceed to (3).
6284  *     Otherwise, we return NULL and exit the xop.
6285  *
6286  *  3. For each IPSQ in the xop, return any switch operation stored on
6287  *     ipsq_switch_mp (set via SWITCH_OP); these must be processed before
6288  *     any other messages queued on the IPSQ.  Otherwise, dequeue the next
6289  *     exclusive operation (queued via NEW_OP) stored on ipsq_xopq_mphead.
6290  *     Note that if the phyint tied to `ipsq' is not using IPMP there will
6291  *     only be one IPSQ in the xop.  Otherwise, there will be one IPSQ for
6292  *     each phyint in the group, including the IPMP meta-interface phyint.
6293  */
6294 static mblk_t *
6295 ipsq_dq(ipsq_t *ipsq)
6296 {
6297         ill_t   *illv4, *illv6;
6298         mblk_t  *mp;
6299         ipsq_t  *xopipsq;
6300         ipsq_t  *leftipsq = NULL;
6301         ipxop_t *ipx;
6302         phyint_t *phyi = ipsq->ipsq_phyint;
6303         ip_stack_t *ipst = ipsq->ipsq_ipst;
6304         boolean_t emptied = B_FALSE;
6305 
6306         /*
6307          * Grab all the locks we need in the defined order (ill_g_lock ->
6308          * ipsq_lock -> ipx_lock); ill_g_lock is needed to use ipsq_next.
6309          */
6310         rw_enter(&ipst->ips_ill_g_lock,
6311             ipsq->ipsq_swxop != NULL ? RW_WRITER : RW_READER);
6312         mutex_enter(&ipsq->ipsq_lock);
6313         ipx = ipsq->ipsq_xop;
6314         mutex_enter(&ipx->ipx_lock);
6315 
6316         /*
6317          * Dequeue the next message associated with the current exclusive
6318          * operation, if any.
6319          */
6320         if ((mp = ipx->ipx_mphead) != NULL) {
6321                 ipx->ipx_mphead = mp->b_next;
6322                 if (ipx->ipx_mphead == NULL)
6323                         ipx->ipx_mptail = NULL;
6324                 mp->b_next = (void *)ipsq;
6325                 goto out;
6326         }
6327 
6328         if (ipx->ipx_current_ipif != NULL)
6329                 goto empty;
6330 
6331         if (ipsq->ipsq_swxop != NULL) {
6332                 /*
6333                  * The exclusive operation that is now being completed has
6334                  * requested a switch to a different xop.  This happens
6335                  * when an interface joins or leaves an IPMP group.  Joins
6336                  * happen through SIOCSLIFGROUPNAME (ip_sioctl_groupname()).
6337                  * Leaves happen via SIOCSLIFGROUPNAME, interface unplumb
6338                  * (phyint_free()), or interface plumb for an ill type
6339                  * not in the IPMP group (ip_rput_dlpi_writer()).
6340                  *
6341                  * Xop switches are not allowed on the IPMP meta-interface.
6342                  */
6343                 ASSERT(phyi == NULL || !(phyi->phyint_flags & PHYI_IPMP));
6344                 ASSERT(RW_WRITE_HELD(&ipst->ips_ill_g_lock));
6345                 DTRACE_PROBE1(ipsq__switch, (ipsq_t *), ipsq);
6346 
6347                 if (ipsq->ipsq_swxop == &ipsq->ipsq_ownxop) {
6348                         /*
6349                          * We're switching back to our own xop, so we have two
6350                          * xop's to drain/exit: our own, and the group xop
6351                          * that we are leaving.
6352                          *
6353                          * First, pull ourselves out of the group ipsq list.
6354                          * This is safe since we're writer on ill_g_lock.
6355                          */
6356                         ASSERT(ipsq->ipsq_xop != &ipsq->ipsq_ownxop);
6357 
6358                         xopipsq = ipx->ipx_ipsq;
6359                         while (xopipsq->ipsq_next != ipsq)
6360                                 xopipsq = xopipsq->ipsq_next;
6361 
6362                         xopipsq->ipsq_next = ipsq->ipsq_next;
6363                         ipsq->ipsq_next = ipsq;
6364                         ipsq->ipsq_xop = ipsq->ipsq_swxop;
6365                         ipsq->ipsq_swxop = NULL;
6366 
6367                         /*
6368                          * Second, prepare to exit the group xop.  The actual
6369                          * ipsq_exit() is done at the end of this function
6370                          * since we cannot hold any locks across ipsq_exit().
6371                          * Note that although we drop the group's ipx_lock, no
6372                          * threads can proceed since we're still ipx_writer.
6373                          */
6374                         leftipsq = xopipsq;
6375                         mutex_exit(&ipx->ipx_lock);
6376 
6377                         /*
6378                          * Third, set ipx to point to our own xop (which was
6379                          * inactive and therefore can be entered).
6380                          */
6381                         ipx = ipsq->ipsq_xop;
6382                         mutex_enter(&ipx->ipx_lock);
6383                         ASSERT(ipx->ipx_writer == NULL);
6384                         ASSERT(ipx->ipx_current_ipif == NULL);
6385                 } else {
6386                         /*
6387                          * We're switching from our own xop to a group xop.
6388                          * The requestor of the switch must ensure that the
6389                          * group xop cannot go away (e.g. by ensuring the
6390                          * phyint associated with the xop cannot go away).
6391                          *
6392                          * If we can become writer on our new xop, then we'll
6393                          * do the drain.  Otherwise, the current writer of our
6394                          * new xop will do the drain when it exits.
6395                          *
6396                          * First, splice ourselves into the group IPSQ list.
6397                          * This is safe since we're writer on ill_g_lock.
6398                          */
6399                         ASSERT(ipsq->ipsq_xop == &ipsq->ipsq_ownxop);
6400 
6401                         xopipsq = ipsq->ipsq_swxop->ipx_ipsq;
6402                         while (xopipsq->ipsq_next != ipsq->ipsq_swxop->ipx_ipsq)
6403                                 xopipsq = xopipsq->ipsq_next;
6404 
6405                         xopipsq->ipsq_next = ipsq;
6406                         ipsq->ipsq_next = ipsq->ipsq_swxop->ipx_ipsq;
6407                         ipsq->ipsq_xop = ipsq->ipsq_swxop;
6408                         ipsq->ipsq_swxop = NULL;
6409 
6410                         /*
6411                          * Second, exit our own xop, since it's now unused.
6412                          * This is safe since we've got the only reference.
6413                          */
6414                         ASSERT(ipx->ipx_writer == curthread);
6415                         ipx->ipx_writer = NULL;
6416                         VERIFY(--ipx->ipx_reentry_cnt == 0);
6417                         ipx->ipx_ipsq_queued = B_FALSE;
6418                         mutex_exit(&ipx->ipx_lock);
6419 
6420                         /*
6421                          * Third, set ipx to point to our new xop, and check
6422                          * if we can become writer on it.  If we cannot, then
6423                          * the current writer will drain the IPSQ group when
6424                          * it exits.  Our ipsq_xop is guaranteed to be stable
6425                          * because we're still holding ipsq_lock.
6426                          */
6427                         ipx = ipsq->ipsq_xop;
6428                         mutex_enter(&ipx->ipx_lock);
6429                         if (ipx->ipx_writer != NULL ||
6430                             ipx->ipx_current_ipif != NULL) {
6431                                 goto out;
6432                         }
6433                 }
6434 
6435                 /*
6436                  * Fourth, become writer on our new ipx before we continue
6437                  * with the drain.  Note that we never dropped ipsq_lock
6438                  * above, so no other thread could've raced with us to
6439                  * become writer first.  Also, we're holding ipx_lock, so
6440                  * no other thread can examine the ipx right now.
6441                  */
6442                 ASSERT(ipx->ipx_current_ipif == NULL);
6443                 ASSERT(ipx->ipx_mphead == NULL && ipx->ipx_mptail == NULL);
6444                 VERIFY(ipx->ipx_reentry_cnt++ == 0);
6445                 ipx->ipx_writer = curthread;
6446                 ipx->ipx_forced = B_FALSE;
6447 #ifdef DEBUG
6448                 ipx->ipx_depth = getpcstack(ipx->ipx_stack, IPX_STACK_DEPTH);
6449 #endif
6450         }
6451 
6452         xopipsq = ipsq;
6453         do {
6454                 /*
6455                  * So that other operations operate on a consistent and
6456                  * complete phyint, a switch message on an IPSQ must be
6457                  * handled prior to any other operations on that IPSQ.
6458                  */
6459                 if ((mp = xopipsq->ipsq_switch_mp) != NULL) {
6460                         xopipsq->ipsq_switch_mp = NULL;
6461                         ASSERT(mp->b_next == NULL);
6462                         mp->b_next = (void *)xopipsq;
6463                         goto out;
6464                 }
6465 
6466                 if ((mp = xopipsq->ipsq_xopq_mphead) != NULL) {
6467                         xopipsq->ipsq_xopq_mphead = mp->b_next;
6468                         if (xopipsq->ipsq_xopq_mphead == NULL)
6469                                 xopipsq->ipsq_xopq_mptail = NULL;
6470                         mp->b_next = (void *)xopipsq;
6471                         goto out;
6472                 }
6473         } while ((xopipsq = xopipsq->ipsq_next) != ipsq);
6474 empty:
6475         /*
6476          * There are no messages.  Further, we are holding ipx_lock, hence no
6477          * new messages can end up on any IPSQ in the xop.
6478          */
6479         ipx->ipx_writer = NULL;
6480         ipx->ipx_forced = B_FALSE;
6481         VERIFY(--ipx->ipx_reentry_cnt == 0);
6482         ipx->ipx_ipsq_queued = B_FALSE;
6483         emptied = B_TRUE;
6484 #ifdef  DEBUG
6485         ipx->ipx_depth = 0;
6486 #endif
6487 out:
6488         mutex_exit(&ipx->ipx_lock);
6489         mutex_exit(&ipsq->ipsq_lock);
6490 
6491         /*
6492          * If we completely emptied the xop, then wake up any threads waiting
6493          * to enter any of the IPSQ's associated with it.
6494          */
6495         if (emptied) {
6496                 xopipsq = ipsq;
6497                 do {
6498                         if ((phyi = xopipsq->ipsq_phyint) == NULL)
6499                                 continue;
6500 
6501                         illv4 = phyi->phyint_illv4;
6502                         illv6 = phyi->phyint_illv6;
6503 
6504                         GRAB_ILL_LOCKS(illv4, illv6);
6505                         if (illv4 != NULL)
6506                                 cv_broadcast(&illv4->ill_cv);
6507                         if (illv6 != NULL)
6508                                 cv_broadcast(&illv6->ill_cv);
6509                         RELEASE_ILL_LOCKS(illv4, illv6);
6510                 } while ((xopipsq = xopipsq->ipsq_next) != ipsq);
6511         }
6512         rw_exit(&ipst->ips_ill_g_lock);
6513 
6514         /*
6515          * Now that all locks are dropped, exit the IPSQ we left.
6516          */
6517         if (leftipsq != NULL)
6518                 ipsq_exit(leftipsq);
6519 
6520         return (mp);
6521 }
6522 
6523 /*
6524  * Return completion status of previously initiated DLPI operations on
6525  * ills in the purview of an ipsq.
6526  */
6527 static boolean_t
6528 ipsq_dlpi_done(ipsq_t *ipsq)
6529 {
6530         ipsq_t          *ipsq_start;
6531         phyint_t        *phyi;
6532         ill_t           *ill;
6533 
6534         ASSERT(RW_LOCK_HELD(&ipsq->ipsq_ipst->ips_ill_g_lock));
6535         ipsq_start = ipsq;
6536 
6537         do {
6538                 /*
6539                  * The only current users of this function are ipsq_try_enter
6540                  * and ipsq_enter which have made sure that ipsq_writer is
6541                  * NULL before we reach here. ill_dlpi_pending is modified
6542                  * only by an ipsq writer
6543                  */
6544                 ASSERT(ipsq->ipsq_xop->ipx_writer == NULL);
6545                 phyi = ipsq->ipsq_phyint;
6546                 /*
6547                  * phyi could be NULL if a phyint that is part of an
6548                  * IPMP group is being unplumbed. A more detailed
6549                  * comment is in ipmp_grp_update_kstats()
6550                  */
6551                 if (phyi != NULL) {
6552                         ill = phyi->phyint_illv4;
6553                         if (ill != NULL &&
6554                             (ill->ill_dlpi_pending != DL_PRIM_INVAL ||
6555                             ill->ill_arl_dlpi_pending))
6556                                 return (B_FALSE);
6557 
6558                         ill = phyi->phyint_illv6;
6559                         if (ill != NULL &&
6560                             ill->ill_dlpi_pending != DL_PRIM_INVAL)
6561                                 return (B_FALSE);
6562                 }
6563 
6564         } while ((ipsq = ipsq->ipsq_next) != ipsq_start);
6565 
6566         return (B_TRUE);
6567 }
6568 
6569 /*
6570  * Enter the ipsq corresponding to ill, by waiting synchronously till
6571  * we can enter the ipsq exclusively. Unless 'force' is used, the ipsq
6572  * will have to drain completely before ipsq_enter returns success.
6573  * ipx_current_ipif will be set if some exclusive op is in progress,
6574  * and the ipsq_exit logic will start the next enqueued op after
6575  * completion of the current op. If 'force' is used, we don't wait
6576  * for the enqueued ops. This is needed when a conn_close wants to
6577  * enter the ipsq and abort an ioctl that is somehow stuck. Unplumb
6578  * of an ill can also use this option. But we dont' use it currently.
6579  */
6580 #define ENTER_SQ_WAIT_TICKS 100
6581 boolean_t
6582 ipsq_enter(ill_t *ill, boolean_t force, int type)
6583 {
6584         ipsq_t  *ipsq;
6585         ipxop_t *ipx;
6586         boolean_t waited_enough = B_FALSE;
6587         ip_stack_t *ipst = ill->ill_ipst;
6588 
6589         /*
6590          * Note that the relationship between ill and ipsq is fixed as long as
6591          * the ill is not ILL_CONDEMNED.  Holding ipsq_lock ensures the
6592          * relationship between the IPSQ and xop cannot change.  However,
6593          * since we cannot hold ipsq_lock across the cv_wait(), it may change
6594          * while we're waiting.  We wait on ill_cv and rely on ipsq_exit()
6595          * waking up all ills in the xop when it becomes available.
6596          */
6597         for (;;) {
6598                 rw_enter(&ipst->ips_ill_g_lock, RW_READER);
6599                 mutex_enter(&ill->ill_lock);
6600                 if (ill->ill_state_flags & ILL_CONDEMNED) {
6601                         mutex_exit(&ill->ill_lock);
6602                         rw_exit(&ipst->ips_ill_g_lock);
6603                         return (B_FALSE);
6604                 }
6605 
6606                 ipsq = ill->ill_phyint->phyint_ipsq;
6607                 mutex_enter(&ipsq->ipsq_lock);
6608                 ipx = ipsq->ipsq_xop;
6609                 mutex_enter(&ipx->ipx_lock);
6610 
6611                 if (ipx->ipx_writer == NULL && (type == CUR_OP ||
6612                     (ipx->ipx_current_ipif == NULL && ipsq_dlpi_done(ipsq)) ||
6613                     waited_enough))
6614                         break;
6615 
6616                 rw_exit(&ipst->ips_ill_g_lock);
6617 
6618                 if (!force || ipx->ipx_writer != NULL) {
6619                         mutex_exit(&ipx->ipx_lock);
6620                         mutex_exit(&ipsq->ipsq_lock);
6621                         cv_wait(&ill->ill_cv, &ill->ill_lock);
6622                 } else {
6623                         mutex_exit(&ipx->ipx_lock);
6624                         mutex_exit(&ipsq->ipsq_lock);
6625                         (void) cv_reltimedwait(&ill->ill_cv,
6626                             &ill->ill_lock, ENTER_SQ_WAIT_TICKS, TR_CLOCK_TICK);
6627                         waited_enough = B_TRUE;
6628                 }
6629                 mutex_exit(&ill->ill_lock);
6630         }
6631 
6632         ASSERT(ipx->ipx_mphead == NULL && ipx->ipx_mptail == NULL);
6633         ASSERT(ipx->ipx_reentry_cnt == 0);
6634         ipx->ipx_writer = curthread;
6635         ipx->ipx_forced = (ipx->ipx_current_ipif != NULL);
6636         ipx->ipx_reentry_cnt++;
6637 #ifdef DEBUG
6638         ipx->ipx_depth = getpcstack(ipx->ipx_stack, IPX_STACK_DEPTH);
6639 #endif
6640         mutex_exit(&ipx->ipx_lock);
6641         mutex_exit(&ipsq->ipsq_lock);
6642         mutex_exit(&ill->ill_lock);
6643         rw_exit(&ipst->ips_ill_g_lock);
6644 
6645         return (B_TRUE);
6646 }
6647 
6648 /*
6649  * ipif_set_values() has a constraint that it cannot drop the ips_ill_g_lock
6650  * across the call to the core interface ipsq_try_enter() and hence calls this
6651  * function directly. This is explained more fully in ipif_set_values().
6652  * In order to support the above constraint, ipsq_try_enter is implemented as
6653  * a wrapper that grabs the ips_ill_g_lock and calls this function subsequently
6654  */
6655 static ipsq_t *
6656 ipsq_try_enter_internal(ill_t *ill, queue_t *q, mblk_t *mp, ipsq_func_t func,
6657     int type, boolean_t reentry_ok)
6658 {
6659         ipsq_t  *ipsq;
6660         ipxop_t *ipx;
6661         ip_stack_t *ipst = ill->ill_ipst;
6662 
6663         /*
6664          * lock ordering:
6665          * ill_g_lock -> conn_lock -> ill_lock -> ipsq_lock -> ipx_lock.
6666          *
6667          * ipx of an ipsq can't change when ipsq_lock is held.
6668          */
6669         ASSERT(RW_LOCK_HELD(&ipst->ips_ill_g_lock));
6670         GRAB_CONN_LOCK(q);
6671         mutex_enter(&ill->ill_lock);
6672         ipsq = ill->ill_phyint->phyint_ipsq;
6673         mutex_enter(&ipsq->ipsq_lock);
6674         ipx = ipsq->ipsq_xop;
6675         mutex_enter(&ipx->ipx_lock);
6676 
6677         /*
6678          * 1. Enter the ipsq if we are already writer and reentry is ok.
6679          *    (Note: If the caller does not specify reentry_ok then neither
6680          *    'func' nor any of its callees must ever attempt to enter the ipsq
6681          *    again. Otherwise it can lead to an infinite loop
6682          * 2. Enter the ipsq if there is no current writer and this attempted
6683          *    entry is part of the current operation
6684          * 3. Enter the ipsq if there is no current writer and this is a new
6685          *    operation and the operation queue is empty and there is no
6686          *    operation currently in progress and if all previously initiated
6687          *    DLPI operations have completed.
6688          */
6689         if ((ipx->ipx_writer == curthread && reentry_ok) ||
6690             (ipx->ipx_writer == NULL && (type == CUR_OP || (type == NEW_OP &&
6691             !ipx->ipx_ipsq_queued && ipx->ipx_current_ipif == NULL &&
6692             ipsq_dlpi_done(ipsq))))) {
6693                 /* Success. */
6694                 ipx->ipx_reentry_cnt++;
6695                 ipx->ipx_writer = curthread;
6696                 ipx->ipx_forced = B_FALSE;
6697                 mutex_exit(&ipx->ipx_lock);
6698                 mutex_exit(&ipsq->ipsq_lock);
6699                 mutex_exit(&ill->ill_lock);
6700                 RELEASE_CONN_LOCK(q);
6701 #ifdef DEBUG
6702                 ipx->ipx_depth = getpcstack(ipx->ipx_stack, IPX_STACK_DEPTH);
6703 #endif
6704                 return (ipsq);
6705         }
6706 
6707         if (func != NULL)
6708                 ipsq_enq(ipsq, q, mp, func, type, ill);
6709 
6710         mutex_exit(&ipx->ipx_lock);
6711         mutex_exit(&ipsq->ipsq_lock);
6712         mutex_exit(&ill->ill_lock);
6713         RELEASE_CONN_LOCK(q);
6714         return (NULL);
6715 }
6716 
6717 /*
6718  * The ipsq_t (ipsq) is the synchronization data structure used to serialize
6719  * certain critical operations like plumbing (i.e. most set ioctls), etc.
6720  * There is one ipsq per phyint. The ipsq
6721  * serializes exclusive ioctls issued by applications on a per ipsq basis in
6722  * ipsq_xopq_mphead. It also protects against multiple threads executing in
6723  * the ipsq. Responses from the driver pertain to the current ioctl (say a
6724  * DL_BIND_ACK in response to a DL_BIND_REQ initiated as part of bringing
6725  * up the interface) and are enqueued in ipx_mphead.
6726  *
6727  * If a thread does not want to reenter the ipsq when it is already writer,
6728  * it must make sure that the specified reentry point to be called later
6729  * when the ipsq is empty, nor any code path starting from the specified reentry
6730  * point must never ever try to enter the ipsq again. Otherwise it can lead
6731  * to an infinite loop. The reentry point ip_rput_dlpi_writer is an example.
6732  * When the thread that is currently exclusive finishes, it (ipsq_exit)
6733  * dequeues the requests waiting to become exclusive in ipx_mphead and calls
6734  * the reentry point. When the list at ipx_mphead becomes empty ipsq_exit
6735  * proceeds to dequeue the next ioctl in ipsq_xopq_mphead and start the next
6736  * ioctl if the current ioctl has completed. If the current ioctl is still
6737  * in progress it simply returns. The current ioctl could be waiting for
6738  * a response from another module (the driver or could be waiting for
6739  * the ipif/ill/ire refcnts to drop to zero. In such a case the ipx_pending_mp
6740  * and ipx_pending_ipif are set. ipx_current_ipif is set throughout the
6741  * execution of the ioctl and ipsq_exit does not start the next ioctl unless
6742  * ipx_current_ipif is NULL which happens only once the ioctl is complete and
6743  * all associated DLPI operations have completed.
6744  */
6745 
6746 /*
6747  * Try to enter the IPSQ corresponding to `ipif' or `ill' exclusively (`ipif'
6748  * and `ill' cannot both be specified).  Returns a pointer to the entered IPSQ
6749  * on success, or NULL on failure.  The caller ensures ipif/ill is valid by
6750  * refholding it as necessary.  If the IPSQ cannot be entered and `func' is
6751  * non-NULL, then `func' will be called back with `q' and `mp' once the IPSQ
6752  * can be entered.  If `func' is NULL, then `q' and `mp' are ignored.
6753  */
6754 ipsq_t *
6755 ipsq_try_enter(ipif_t *ipif, ill_t *ill, queue_t *q, mblk_t *mp,
6756     ipsq_func_t func, int type, boolean_t reentry_ok)
6757 {
6758         ip_stack_t      *ipst;
6759         ipsq_t          *ipsq;
6760 
6761         /* Only 1 of ipif or ill can be specified */
6762         ASSERT((ipif != NULL) ^ (ill != NULL));
6763 
6764         if (ipif != NULL)
6765                 ill = ipif->ipif_ill;
6766         ipst = ill->ill_ipst;
6767 
6768         rw_enter(&ipst->ips_ill_g_lock, RW_READER);
6769         ipsq = ipsq_try_enter_internal(ill, q, mp, func, type, reentry_ok);
6770         rw_exit(&ipst->ips_ill_g_lock);
6771 
6772         return (ipsq);
6773 }
6774 
6775 /*
6776  * Try to enter the IPSQ corresponding to `ill' as writer.  The caller ensures
6777  * ill is valid by refholding it if necessary; we will refrele.  If the IPSQ
6778  * cannot be entered, the mp is queued for completion.
6779  */
6780 void
6781 qwriter_ip(ill_t *ill, queue_t *q, mblk_t *mp, ipsq_func_t func, int type,
6782     boolean_t reentry_ok)
6783 {
6784         ipsq_t  *ipsq;
6785 
6786         ipsq = ipsq_try_enter(NULL, ill, q, mp, func, type, reentry_ok);
6787 
6788         /*
6789          * Drop the caller's refhold on the ill.  This is safe since we either
6790          * entered the IPSQ (and thus are exclusive), or failed to enter the
6791          * IPSQ, in which case we return without accessing ill anymore.  This
6792          * is needed because func needs to see the correct refcount.
6793          * e.g. removeif can work only then.
6794          */
6795         ill_refrele(ill);
6796         if (ipsq != NULL) {
6797                 (*func)(ipsq, q, mp, NULL);
6798                 ipsq_exit(ipsq);
6799         }
6800 }
6801 
6802 /*
6803  * Exit the specified IPSQ.  If this is the final exit on it then drain it
6804  * prior to exiting.  Caller must be writer on the specified IPSQ.
6805  */
6806 void
6807 ipsq_exit(ipsq_t *ipsq)
6808 {
6809         mblk_t *mp;
6810         ipsq_t *mp_ipsq;
6811         queue_t *q;
6812         phyint_t *phyi;
6813         ipsq_func_t func;
6814 
6815         ASSERT(IAM_WRITER_IPSQ(ipsq));
6816 
6817         ASSERT(ipsq->ipsq_xop->ipx_reentry_cnt >= 1);
6818         if (ipsq->ipsq_xop->ipx_reentry_cnt != 1) {
6819                 ipsq->ipsq_xop->ipx_reentry_cnt--;
6820                 return;
6821         }
6822 
6823         for (;;) {
6824                 phyi = ipsq->ipsq_phyint;
6825                 mp = ipsq_dq(ipsq);
6826                 mp_ipsq = (mp == NULL) ? NULL : (ipsq_t *)mp->b_next;
6827 
6828                 /*
6829                  * If we've changed to a new IPSQ, and the phyint associated
6830                  * with the old one has gone away, free the old IPSQ.  Note
6831                  * that this cannot happen while the IPSQ is in a group.
6832                  */
6833                 if (mp_ipsq != ipsq && phyi == NULL) {
6834                         ASSERT(ipsq->ipsq_next == ipsq);
6835                         ASSERT(ipsq->ipsq_xop == &ipsq->ipsq_ownxop);
6836                         ipsq_delete(ipsq);
6837                 }
6838 
6839                 if (mp == NULL)
6840                         break;
6841 
6842                 q = mp->b_queue;
6843                 func = (ipsq_func_t)mp->b_prev;
6844                 ipsq = mp_ipsq;
6845                 mp->b_next = mp->b_prev = NULL;
6846                 mp->b_queue = NULL;
6847 
6848                 /*
6849                  * If 'q' is an conn queue, it is valid, since we did a
6850                  * a refhold on the conn at the start of the ioctl.
6851                  * If 'q' is an ill queue, it is valid, since close of an
6852                  * ill will clean up its IPSQ.
6853                  */
6854                 (*func)(ipsq, q, mp, NULL);
6855         }
6856 }
6857 
6858 /*
6859  * Used to start any igmp or mld timers that could not be started
6860  * while holding ill_mcast_lock. The timers can't be started while holding
6861  * the lock, since mld/igmp_start_timers may need to call untimeout()
6862  * which can't be done while holding the lock which the timeout handler
6863  * acquires. Otherwise
6864  * there could be a deadlock since the timeout handlers
6865  * mld_timeout_handler_per_ill/igmp_timeout_handler_per_ill also acquire
6866  * ill_mcast_lock.
6867  */
6868 void
6869 ill_mcast_timer_start(ip_stack_t *ipst)
6870 {
6871         int             next;
6872 
6873         mutex_enter(&ipst->ips_igmp_timer_lock);
6874         next = ipst->ips_igmp_deferred_next;
6875         ipst->ips_igmp_deferred_next = INFINITY;
6876         mutex_exit(&ipst->ips_igmp_timer_lock);
6877 
6878         if (next != INFINITY)
6879                 igmp_start_timers(next, ipst);
6880 
6881         mutex_enter(&ipst->ips_mld_timer_lock);
6882         next = ipst->ips_mld_deferred_next;
6883         ipst->ips_mld_deferred_next = INFINITY;
6884         mutex_exit(&ipst->ips_mld_timer_lock);
6885 
6886         if (next != INFINITY)
6887                 mld_start_timers(next, ipst);
6888 }
6889 
6890 /*
6891  * Start the current exclusive operation on `ipsq'; associate it with `ipif'
6892  * and `ioccmd'.
6893  */
6894 void
6895 ipsq_current_start(ipsq_t *ipsq, ipif_t *ipif, int ioccmd)
6896 {
6897         ill_t *ill = ipif->ipif_ill;
6898         ipxop_t *ipx = ipsq->ipsq_xop;
6899 
6900         ASSERT(IAM_WRITER_IPSQ(ipsq));
6901         ASSERT(ipx->ipx_current_ipif == NULL);
6902         ASSERT(ipx->ipx_current_ioctl == 0);
6903 
6904         ipx->ipx_current_done = B_FALSE;
6905         ipx->ipx_current_ioctl = ioccmd;
6906         mutex_enter(&ipx->ipx_lock);
6907         ipx->ipx_current_ipif = ipif;
6908         mutex_exit(&ipx->ipx_lock);
6909 
6910         /*
6911          * Set IPIF_CHANGING on one or more ipifs associated with the
6912          * current exclusive operation.  IPIF_CHANGING prevents any new
6913          * references to the ipif (so that the references will eventually
6914          * drop to zero) and also prevents any "get" operations (e.g.,
6915          * SIOCGLIFFLAGS) from being able to access the ipif until the
6916          * operation has completed and the ipif is again in a stable state.
6917          *
6918          * For ioctls, IPIF_CHANGING is set on the ipif associated with the
6919          * ioctl.  For internal operations (where ioccmd is zero), all ipifs
6920          * on the ill are marked with IPIF_CHANGING since it's unclear which
6921          * ipifs will be affected.
6922          *
6923          * Note that SIOCLIFREMOVEIF is a special case as it sets
6924          * IPIF_CONDEMNED internally after identifying the right ipif to
6925          * operate on.
6926          */
6927         switch (ioccmd) {
6928         case SIOCLIFREMOVEIF:
6929                 break;
6930         case 0:
6931                 mutex_enter(&ill->ill_lock);
6932                 ipif = ipif->ipif_ill->ill_ipif;
6933                 for (; ipif != NULL; ipif = ipif->ipif_next)
6934                         ipif->ipif_state_flags |= IPIF_CHANGING;
6935                 mutex_exit(&ill->ill_lock);
6936                 break;
6937         default:
6938                 mutex_enter(&ill->ill_lock);
6939                 ipif->ipif_state_flags |= IPIF_CHANGING;
6940                 mutex_exit(&ill->ill_lock);
6941         }
6942 }
6943 
6944 /*
6945  * Finish the current exclusive operation on `ipsq'.  Usually, this will allow
6946  * the next exclusive operation to begin once we ipsq_exit().  However, if
6947  * pending DLPI operations remain, then we will wait for the queue to drain
6948  * before allowing the next exclusive operation to begin.  This ensures that
6949  * DLPI operations from one exclusive operation are never improperly processed
6950  * as part of a subsequent exclusive operation.
6951  */
6952 void
6953 ipsq_current_finish(ipsq_t *ipsq)
6954 {
6955         ipxop_t *ipx = ipsq->ipsq_xop;
6956         t_uscalar_t dlpi_pending = DL_PRIM_INVAL;
6957         ipif_t  *ipif = ipx->ipx_current_ipif;
6958 
6959         ASSERT(IAM_WRITER_IPSQ(ipsq));
6960 
6961         /*
6962          * For SIOCLIFREMOVEIF, the ipif has been already been blown away
6963          * (but in that case, IPIF_CHANGING will already be clear and no
6964          * pending DLPI messages can remain).
6965          */
6966         if (ipx->ipx_current_ioctl != SIOCLIFREMOVEIF) {
6967                 ill_t *ill = ipif->ipif_ill;
6968 
6969                 mutex_enter(&ill->ill_lock);
6970                 dlpi_pending = ill->ill_dlpi_pending;
6971                 if (ipx->ipx_current_ioctl == 0) {
6972                         ipif = ill->ill_ipif;
6973                         for (; ipif != NULL; ipif = ipif->ipif_next)
6974                                 ipif->ipif_state_flags &= ~IPIF_CHANGING;
6975                 } else {
6976                         ipif->ipif_state_flags &= ~IPIF_CHANGING;
6977                 }
6978                 mutex_exit(&ill->ill_lock);
6979         }
6980 
6981         ASSERT(!ipx->ipx_current_done);
6982         ipx->ipx_current_done = B_TRUE;
6983         ipx->ipx_current_ioctl = 0;
6984         if (dlpi_pending == DL_PRIM_INVAL) {
6985                 mutex_enter(&ipx->ipx_lock);
6986                 ipx->ipx_current_ipif = NULL;
6987                 mutex_exit(&ipx->ipx_lock);
6988         }
6989 }
6990 
6991 /*
6992  * The ill is closing. Flush all messages on the ipsq that originated
6993  * from this ill. Usually there wont' be any messages on the ipsq_xopq_mphead
6994  * for this ill since ipsq_enter could not have entered until then.
6995  * New messages can't be queued since the CONDEMNED flag is set.
6996  */
6997 static void
6998 ipsq_flush(ill_t *ill)
6999 {
7000         queue_t *q;
7001         mblk_t  *prev;
7002         mblk_t  *mp;
7003         mblk_t  *mp_next;
7004         ipxop_t *ipx = ill->ill_phyint->phyint_ipsq->ipsq_xop;
7005 
7006         ASSERT(IAM_WRITER_ILL(ill));
7007 
7008         /*
7009          * Flush any messages sent up by the driver.
7010          */
7011         mutex_enter(&ipx->ipx_lock);
7012         for (prev = NULL, mp = ipx->ipx_mphead; mp != NULL; mp = mp_next) {
7013                 mp_next = mp->b_next;
7014                 q = mp->b_queue;
7015                 if (q == ill->ill_rq || q == ill->ill_wq) {
7016                         /* dequeue mp */
7017                         if (prev == NULL)
7018                                 ipx->ipx_mphead = mp->b_next;
7019                         else
7020                                 prev->b_next = mp->b_next;
7021                         if (ipx->ipx_mptail == mp) {
7022                                 ASSERT(mp_next == NULL);
7023                                 ipx->ipx_mptail = prev;
7024                         }
7025                         inet_freemsg(mp);
7026                 } else {
7027                         prev = mp;
7028                 }
7029         }
7030         mutex_exit(&ipx->ipx_lock);
7031         (void) ipsq_pending_mp_cleanup(ill, NULL);
7032         ipsq_xopq_mp_cleanup(ill, NULL);
7033 }
7034 
7035 /*
7036  * Parse an ifreq or lifreq struct coming down ioctls and refhold
7037  * and return the associated ipif.
7038  * Return value:
7039  *      Non zero: An error has occurred. ci may not be filled out.
7040  *      zero : ci is filled out with the ioctl cmd in ci.ci_name, and
7041  *      a held ipif in ci.ci_ipif.
7042  */
7043 int
7044 ip_extract_lifreq(queue_t *q, mblk_t *mp, const ip_ioctl_cmd_t *ipip,
7045     cmd_info_t *ci)
7046 {
7047         char            *name;
7048         struct ifreq    *ifr;
7049         struct lifreq    *lifr;
7050         ipif_t          *ipif = NULL;
7051         ill_t           *ill;
7052         conn_t          *connp;
7053         boolean_t       isv6;
7054         int             err;
7055         mblk_t          *mp1;
7056         zoneid_t        zoneid;
7057         ip_stack_t      *ipst;
7058 
7059         if (q->q_next != NULL) {
7060                 ill = (ill_t *)q->q_ptr;
7061                 isv6 = ill->ill_isv6;
7062                 connp = NULL;
7063                 zoneid = ALL_ZONES;
7064                 ipst = ill->ill_ipst;
7065         } else {
7066                 ill = NULL;
7067                 connp = Q_TO_CONN(q);
7068                 isv6 = (connp->conn_family == AF_INET6);
7069                 zoneid = connp->conn_zoneid;
7070                 if (zoneid == GLOBAL_ZONEID) {
7071                         /* global zone can access ipifs in all zones */
7072                         zoneid = ALL_ZONES;
7073                 }
7074                 ipst = connp->conn_netstack->netstack_ip;
7075         }
7076 
7077         /* Has been checked in ip_wput_nondata */
7078         mp1 = mp->b_cont->b_cont;
7079 
7080         if (ipip->ipi_cmd_type == IF_CMD) {
7081                 /* This a old style SIOC[GS]IF* command */
7082                 ifr = (struct ifreq *)mp1->b_rptr;
7083                 /*
7084                  * Null terminate the string to protect against buffer
7085                  * overrun. String was generated by user code and may not
7086                  * be trusted.
7087                  */
7088                 ifr->ifr_name[IFNAMSIZ - 1] = '\0';
7089                 name = ifr->ifr_name;
7090                 ci->ci_sin = (sin_t *)&ifr->ifr_addr;
7091                 ci->ci_sin6 = NULL;
7092                 ci->ci_lifr = (struct lifreq *)ifr;
7093         } else {
7094                 /* This a new style SIOC[GS]LIF* command */
7095                 ASSERT(ipip->ipi_cmd_type == LIF_CMD);
7096                 lifr = (struct lifreq *)mp1->b_rptr;
7097                 /*
7098                  * Null terminate the string to protect against buffer
7099                  * overrun. String was generated by user code and may not
7100                  * be trusted.
7101                  */
7102                 lifr->lifr_name[LIFNAMSIZ - 1] = '\0';
7103                 name = lifr->lifr_name;
7104                 ci->ci_sin = (sin_t *)&lifr->lifr_addr;
7105                 ci->ci_sin6 = (sin6_t *)&lifr->lifr_addr;
7106                 ci->ci_lifr = lifr;
7107         }
7108 
7109         if (ipip->ipi_cmd == SIOCSLIFNAME) {
7110                 /*
7111                  * The ioctl will be failed if the ioctl comes down
7112                  * an conn stream
7113                  */
7114                 if (ill == NULL) {
7115                         /*
7116                          * Not an ill queue, return EINVAL same as the
7117                          * old error code.
7118                          */
7119                         return (ENXIO);
7120                 }
7121                 ipif = ill->ill_ipif;
7122                 ipif_refhold(ipif);
7123         } else {
7124                 /*
7125                  * Ensure that ioctls don't see any internal state changes
7126                  * caused by set ioctls by deferring them if IPIF_CHANGING is
7127                  * set.
7128                  */
7129                 ipif = ipif_lookup_on_name_async(name, mi_strlen(name),
7130                     isv6, zoneid, q, mp, ip_process_ioctl, &err, ipst);
7131                 if (ipif == NULL) {
7132                         if (err == EINPROGRESS)
7133                                 return (err);
7134                         err = 0;        /* Ensure we don't use it below */
7135                 }
7136         }
7137 
7138         /*
7139          * Old style [GS]IFCMD does not admit IPv6 ipif
7140          */
7141         if (ipif != NULL && ipif->ipif_isv6 && ipip->ipi_cmd_type == IF_CMD) {
7142                 ipif_refrele(ipif);
7143                 return (ENXIO);
7144         }
7145 
7146         if (ipif == NULL && ill != NULL && ill->ill_ipif != NULL &&
7147             name[0] == '\0') {
7148                 /*
7149                  * Handle a or a SIOC?IF* with a null name
7150                  * during plumb (on the ill queue before the I_PLINK).
7151                  */
7152                 ipif = ill->ill_ipif;
7153                 ipif_refhold(ipif);
7154         }
7155 
7156         if (ipif == NULL)
7157                 return (ENXIO);
7158 
7159         DTRACE_PROBE4(ipif__ioctl, char *, "ip_extract_lifreq",
7160             int, ipip->ipi_cmd, ill_t *, ipif->ipif_ill, ipif_t *, ipif);
7161 
7162         ci->ci_ipif = ipif;
7163         return (0);
7164 }
7165 
7166 /*
7167  * Return the total number of ipifs.
7168  */
7169 static uint_t
7170 ip_get_numifs(zoneid_t zoneid, ip_stack_t *ipst)
7171 {
7172         uint_t numifs = 0;
7173         ill_t   *ill;
7174         ill_walk_context_t      ctx;
7175         ipif_t  *ipif;
7176 
7177         rw_enter(&ipst->ips_ill_g_lock, RW_READER);
7178         ill = ILL_START_WALK_V4(&ctx, ipst);
7179         for (; ill != NULL; ill = ill_next(&ctx, ill)) {
7180                 if (IS_UNDER_IPMP(ill))
7181                         continue;
7182                 for (ipif = ill->ill_ipif; ipif != NULL;
7183                     ipif = ipif->ipif_next) {
7184                         if (ipif->ipif_zoneid == zoneid ||
7185                             ipif->ipif_zoneid == ALL_ZONES)
7186                                 numifs++;
7187                 }
7188         }
7189         rw_exit(&ipst->ips_ill_g_lock);
7190         return (numifs);
7191 }
7192 
7193 /*
7194  * Return the total number of ipifs.
7195  */
7196 static uint_t
7197 ip_get_numlifs(int family, int lifn_flags, zoneid_t zoneid, ip_stack_t *ipst)
7198 {
7199         uint_t numifs = 0;
7200         ill_t   *ill;
7201         ipif_t  *ipif;
7202         ill_walk_context_t      ctx;
7203 
7204         ip1dbg(("ip_get_numlifs(%d %u %d)\n", family, lifn_flags, (int)zoneid));
7205 
7206         rw_enter(&ipst->ips_ill_g_lock, RW_READER);
7207         if (family == AF_INET)
7208                 ill = ILL_START_WALK_V4(&ctx, ipst);
7209         else if (family == AF_INET6)
7210                 ill = ILL_START_WALK_V6(&ctx, ipst);
7211         else
7212                 ill = ILL_START_WALK_ALL(&ctx, ipst);
7213 
7214         for (; ill != NULL; ill = ill_next(&ctx, ill)) {
7215                 if (IS_UNDER_IPMP(ill) && !(lifn_flags & LIFC_UNDER_IPMP))
7216                         continue;
7217 
7218                 for (ipif = ill->ill_ipif; ipif != NULL;
7219                     ipif = ipif->ipif_next) {
7220                         if ((ipif->ipif_flags & IPIF_NOXMIT) &&
7221                             !(lifn_flags & LIFC_NOXMIT))
7222                                 continue;
7223                         if ((ipif->ipif_flags & IPIF_TEMPORARY) &&
7224                             !(lifn_flags & LIFC_TEMPORARY))
7225                                 continue;
7226                         if (((ipif->ipif_flags &
7227                             (IPIF_NOXMIT|IPIF_NOLOCAL|
7228                             IPIF_DEPRECATED)) ||
7229                             IS_LOOPBACK(ill) ||
7230                             !(ipif->ipif_flags & IPIF_UP)) &&
7231                             (lifn_flags & LIFC_EXTERNAL_SOURCE))
7232                                 continue;
7233 
7234                         if (zoneid != ipif->ipif_zoneid &&
7235                             ipif->ipif_zoneid != ALL_ZONES &&
7236                             (zoneid != GLOBAL_ZONEID ||
7237                             !(lifn_flags & LIFC_ALLZONES)))
7238                                 continue;
7239 
7240                         numifs++;
7241                 }
7242         }
7243         rw_exit(&ipst->ips_ill_g_lock);
7244         return (numifs);
7245 }
7246 
7247 uint_t
7248 ip_get_lifsrcofnum(ill_t *ill)
7249 {
7250         uint_t numifs = 0;
7251         ill_t   *ill_head = ill;
7252         ip_stack_t      *ipst = ill->ill_ipst;
7253 
7254         /*
7255          * ill_g_usesrc_lock protects ill_usesrc_grp_next, for example, some
7256          * other thread may be trying to relink the ILLs in this usesrc group
7257          * and adjusting the ill_usesrc_grp_next pointers
7258          */
7259         rw_enter(&ipst->ips_ill_g_usesrc_lock, RW_READER);
7260         if ((ill->ill_usesrc_ifindex == 0) &&
7261             (ill->ill_usesrc_grp_next != NULL)) {
7262                 for (; (ill != NULL) && (ill->ill_usesrc_grp_next != ill_head);
7263                     ill = ill->ill_usesrc_grp_next)
7264                         numifs++;
7265         }
7266         rw_exit(&ipst->ips_ill_g_usesrc_lock);
7267 
7268         return (numifs);
7269 }
7270 
7271 /* Null values are passed in for ipif, sin, and ifreq */
7272 /* ARGSUSED */
7273 int
7274 ip_sioctl_get_ifnum(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q,
7275     mblk_t *mp, ip_ioctl_cmd_t *ipip, void *ifreq)
7276 {
7277         int *nump;
7278         conn_t *connp = Q_TO_CONN(q);
7279 
7280         ASSERT(q->q_next == NULL); /* not a valid ioctl for ip as a module */
7281 
7282         /* Existence of b_cont->b_cont checked in ip_wput_nondata */
7283         nump = (int *)mp->b_cont->b_cont->b_rptr;
7284 
7285         *nump = ip_get_numifs(connp->conn_zoneid,
7286             connp->conn_netstack->netstack_ip);
7287         ip1dbg(("ip_sioctl_get_ifnum numifs %d", *nump));
7288         return (0);
7289 }
7290 
7291 /* Null values are passed in for ipif, sin, and ifreq */
7292 /* ARGSUSED */
7293 int
7294 ip_sioctl_get_lifnum(ipif_t *dummy_ipif, sin_t *dummy_sin,
7295     queue_t *q, mblk_t *mp, ip_ioctl_cmd_t *ipip, void *ifreq)
7296 {
7297         struct lifnum *lifn;
7298         mblk_t  *mp1;
7299         conn_t *connp = Q_TO_CONN(q);
7300 
7301         ASSERT(q->q_next == NULL); /* not a valid ioctl for ip as a module */
7302 
7303         /* Existence checked in ip_wput_nondata */
7304         mp1 = mp->b_cont->b_cont;
7305 
7306         lifn = (struct lifnum *)mp1->b_rptr;
7307         switch (lifn->lifn_family) {
7308         case AF_UNSPEC:
7309         case AF_INET:
7310         case AF_INET6:
7311                 break;
7312         default:
7313                 return (EAFNOSUPPORT);
7314         }
7315 
7316         lifn->lifn_count = ip_get_numlifs(lifn->lifn_family, lifn->lifn_flags,
7317             connp->conn_zoneid, connp->conn_netstack->netstack_ip);
7318         ip1dbg(("ip_sioctl_get_lifnum numifs %d", lifn->lifn_count));
7319         return (0);
7320 }
7321 
7322 /* ARGSUSED */
7323 int
7324 ip_sioctl_get_ifconf(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q,
7325     mblk_t *mp, ip_ioctl_cmd_t *ipip, void *ifreq)
7326 {
7327         STRUCT_HANDLE(ifconf, ifc);
7328         mblk_t *mp1;
7329         struct iocblk *iocp;
7330         struct ifreq *ifr;
7331         ill_walk_context_t      ctx;
7332         ill_t   *ill;
7333         ipif_t  *ipif;
7334         struct sockaddr_in *sin;
7335         int32_t ifclen;
7336         zoneid_t zoneid;
7337         ip_stack_t *ipst = CONNQ_TO_IPST(q);
7338 
7339         ASSERT(q->q_next == NULL); /* not valid ioctls for ip as a module */
7340 
7341         ip1dbg(("ip_sioctl_get_ifconf"));
7342         /* Existence verified in ip_wput_nondata */
7343         mp1 = mp->b_cont->b_cont;
7344         iocp = (struct iocblk *)mp->b_rptr;
7345         zoneid = Q_TO_CONN(q)->conn_zoneid;
7346 
7347         /*
7348          * The original SIOCGIFCONF passed in a struct ifconf which specified
7349          * the user buffer address and length into which the list of struct
7350          * ifreqs was to be copied.  Since AT&T Streams does not seem to
7351          * allow M_COPYOUT to be used in conjunction with I_STR IOCTLS,
7352          * the SIOCGIFCONF operation was redefined to simply provide
7353          * a large output buffer into which we are supposed to jam the ifreq
7354          * array.  The same ioctl command code was used, despite the fact that
7355          * both the applications and the kernel code had to change, thus making
7356          * it impossible to support both interfaces.
7357          *
7358          * For reasons not good enough to try to explain, the following
7359          * algorithm is used for deciding what to do with one of these:
7360          * If the IOCTL comes in as an I_STR, it is assumed to be of the new
7361          * form with the output buffer coming down as the continuation message.
7362          * If it arrives as a TRANSPARENT IOCTL, it is assumed to be old style,
7363          * and we have to copy in the ifconf structure to find out how big the
7364          * output buffer is and where to copy out to.  Sure no problem...
7365          *
7366          */
7367         STRUCT_SET_HANDLE(ifc, iocp->ioc_flag, NULL);
7368         if ((mp1->b_wptr - mp1->b_rptr) == STRUCT_SIZE(ifc)) {
7369                 int numifs = 0;
7370                 size_t ifc_bufsize;
7371 
7372                 /*
7373                  * Must be (better be!) continuation of a TRANSPARENT
7374                  * IOCTL.  We just copied in the ifconf structure.
7375                  */
7376                 STRUCT_SET_HANDLE(ifc, iocp->ioc_flag,
7377                     (struct ifconf *)mp1->b_rptr);
7378 
7379                 /*
7380                  * Allocate a buffer to hold requested information.
7381                  *
7382                  * If ifc_len is larger than what is needed, we only
7383                  * allocate what we will use.
7384                  *
7385                  * If ifc_len is smaller than what is needed, return
7386                  * EINVAL.
7387                  *
7388                  * XXX: the ill_t structure can hava 2 counters, for
7389                  * v4 and v6 (not just ill_ipif_up_count) to store the
7390                  * number of interfaces for a device, so we don't need
7391                  * to count them here...
7392                  */
7393                 numifs = ip_get_numifs(zoneid, ipst);
7394 
7395                 ifclen = STRUCT_FGET(ifc, ifc_len);
7396                 ifc_bufsize = numifs * sizeof (struct ifreq);
7397                 if (ifc_bufsize > ifclen) {
7398                         if (iocp->ioc_cmd == O_SIOCGIFCONF) {
7399                                 /* old behaviour */
7400                                 return (EINVAL);
7401                         } else {
7402                                 ifc_bufsize = ifclen;
7403                         }
7404                 }
7405 
7406                 mp1 = mi_copyout_alloc(q, mp,
7407                     STRUCT_FGETP(ifc, ifc_buf), ifc_bufsize, B_FALSE);
7408                 if (mp1 == NULL)
7409                         return (ENOMEM);
7410 
7411                 mp1->b_wptr = mp1->b_rptr + ifc_bufsize;
7412         }
7413         bzero(mp1->b_rptr, mp1->b_wptr - mp1->b_rptr);
7414         /*
7415          * the SIOCGIFCONF ioctl only knows about
7416          * IPv4 addresses, so don't try to tell
7417          * it about interfaces with IPv6-only
7418          * addresses. (Last parm 'isv6' is B_FALSE)
7419          */
7420 
7421         ifr = (struct ifreq *)mp1->b_rptr;
7422 
7423         rw_enter(&ipst->ips_ill_g_lock, RW_READER);
7424         ill = ILL_START_WALK_V4(&ctx, ipst);
7425         for (; ill != NULL; ill = ill_next(&ctx, ill)) {
7426                 if (IS_UNDER_IPMP(ill))
7427                         continue;
7428                 for (ipif = ill->ill_ipif; ipif != NULL;
7429                     ipif = ipif->ipif_next) {
7430                         if (zoneid != ipif->ipif_zoneid &&
7431                             ipif->ipif_zoneid != ALL_ZONES)
7432                                 continue;
7433                         if ((uchar_t *)&ifr[1] > mp1->b_wptr) {
7434                                 if (iocp->ioc_cmd == O_SIOCGIFCONF) {
7435                                         /* old behaviour */
7436                                         rw_exit(&ipst->ips_ill_g_lock);
7437                                         return (EINVAL);
7438                                 } else {
7439                                         goto if_copydone;
7440                                 }
7441                         }
7442                         ipif_get_name(ipif, ifr->ifr_name,
7443                             sizeof (ifr->ifr_name));
7444                         sin = (sin_t *)&ifr->ifr_addr;
7445                         *sin = sin_null;
7446                         sin->sin_family = AF_INET;
7447                         sin->sin_addr.s_addr = ipif->ipif_lcl_addr;
7448                         ifr++;
7449                 }
7450         }
7451 if_copydone:
7452         rw_exit(&ipst->ips_ill_g_lock);
7453         mp1->b_wptr = (uchar_t *)ifr;
7454 
7455         if (STRUCT_BUF(ifc) != NULL) {
7456                 STRUCT_FSET(ifc, ifc_len,
7457                     (int)((uchar_t *)ifr - mp1->b_rptr));
7458         }
7459         return (0);
7460 }
7461 
7462 /*
7463  * Get the interfaces using the address hosted on the interface passed in,
7464  * as a source adddress
7465  */
7466 /* ARGSUSED */
7467 int
7468 ip_sioctl_get_lifsrcof(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q,
7469     mblk_t *mp, ip_ioctl_cmd_t *ipip, void *ifreq)
7470 {
7471         mblk_t *mp1;
7472         ill_t   *ill, *ill_head;
7473         ipif_t  *ipif, *orig_ipif;
7474         int     numlifs = 0;
7475         size_t  lifs_bufsize, lifsmaxlen;
7476         struct  lifreq *lifr;
7477         struct iocblk *iocp = (struct iocblk *)mp->b_rptr;
7478         uint_t  ifindex;
7479         zoneid_t zoneid;
7480         boolean_t isv6 = B_FALSE;
7481         struct  sockaddr_in     *sin;
7482         struct  sockaddr_in6    *sin6;
7483         STRUCT_HANDLE(lifsrcof, lifs);
7484         ip_stack_t              *ipst;
7485 
7486         ipst = CONNQ_TO_IPST(q);
7487 
7488         ASSERT(q->q_next == NULL);
7489 
7490         zoneid = Q_TO_CONN(q)->conn_zoneid;
7491 
7492         /* Existence verified in ip_wput_nondata */
7493         mp1 = mp->b_cont->b_cont;
7494 
7495         /*
7496          * Must be (better be!) continuation of a TRANSPARENT
7497          * IOCTL.  We just copied in the lifsrcof structure.
7498          */
7499         STRUCT_SET_HANDLE(lifs, iocp->ioc_flag,
7500             (struct lifsrcof *)mp1->b_rptr);
7501 
7502         if (MBLKL(mp1) != STRUCT_SIZE(lifs))
7503                 return (EINVAL);
7504 
7505         ifindex = STRUCT_FGET(lifs, lifs_ifindex);
7506         isv6 = (Q_TO_CONN(q))->conn_family == AF_INET6;
7507         ipif = ipif_lookup_on_ifindex(ifindex, isv6, zoneid, ipst);
7508         if (ipif == NULL) {
7509                 ip1dbg(("ip_sioctl_get_lifsrcof: no ipif for ifindex %d\n",
7510                     ifindex));
7511                 return (ENXIO);
7512         }
7513 
7514         /* Allocate a buffer to hold requested information */
7515         numlifs = ip_get_lifsrcofnum(ipif->ipif_ill);
7516         lifs_bufsize = numlifs * sizeof (struct lifreq);
7517         lifsmaxlen =  STRUCT_FGET(lifs, lifs_maxlen);
7518         /* The actual size needed is always returned in lifs_len */
7519         STRUCT_FSET(lifs, lifs_len, lifs_bufsize);
7520 
7521         /* If the amount we need is more than what is passed in, abort */
7522         if (lifs_bufsize > lifsmaxlen || lifs_bufsize == 0) {
7523                 ipif_refrele(ipif);
7524                 return (0);
7525         }
7526 
7527         mp1 = mi_copyout_alloc(q, mp,
7528             STRUCT_FGETP(lifs, lifs_buf), lifs_bufsize, B_FALSE);
7529         if (mp1 == NULL) {
7530                 ipif_refrele(ipif);
7531                 return (ENOMEM);
7532         }
7533 
7534         mp1->b_wptr = mp1->b_rptr + lifs_bufsize;
7535         bzero(mp1->b_rptr, lifs_bufsize);
7536 
7537         lifr = (struct lifreq *)mp1->b_rptr;
7538 
7539         ill = ill_head = ipif->ipif_ill;
7540         orig_ipif = ipif;
7541 
7542         /* ill_g_usesrc_lock protects ill_usesrc_grp_next */
7543         rw_enter(&ipst->ips_ill_g_usesrc_lock, RW_READER);
7544         rw_enter(&ipst->ips_ill_g_lock, RW_READER);
7545 
7546         ill = ill->ill_usesrc_grp_next; /* start from next ill */
7547         for (; (ill != NULL) && (ill != ill_head);
7548             ill = ill->ill_usesrc_grp_next) {
7549 
7550                 if ((uchar_t *)&lifr[1] > mp1->b_wptr)
7551                         break;
7552 
7553                 ipif = ill->ill_ipif;
7554                 ipif_get_name(ipif, lifr->lifr_name, sizeof (lifr->lifr_name));
7555                 if (ipif->ipif_isv6) {
7556                         sin6 = (sin6_t *)&lifr->lifr_addr;
7557                         *sin6 = sin6_null;
7558                         sin6->sin6_family = AF_INET6;
7559                         sin6->sin6_addr = ipif->ipif_v6lcl_addr;
7560                         lifr->lifr_addrlen = ip_mask_to_plen_v6(
7561                             &ipif->ipif_v6net_mask);
7562                 } else {
7563                         sin = (sin_t *)&lifr->lifr_addr;
7564                         *sin = sin_null;
7565                         sin->sin_family = AF_INET;
7566                         sin->sin_addr.s_addr = ipif->ipif_lcl_addr;
7567                         lifr->lifr_addrlen = ip_mask_to_plen(
7568                             ipif->ipif_net_mask);
7569                 }
7570                 lifr++;
7571         }
7572         rw_exit(&ipst->ips_ill_g_lock);
7573         rw_exit(&ipst->ips_ill_g_usesrc_lock);
7574         ipif_refrele(orig_ipif);
7575         mp1->b_wptr = (uchar_t *)lifr;
7576         STRUCT_FSET(lifs, lifs_len, (int)((uchar_t *)lifr - mp1->b_rptr));
7577 
7578         return (0);
7579 }
7580 
7581 /* ARGSUSED */
7582 int
7583 ip_sioctl_get_lifconf(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q,
7584     mblk_t *mp, ip_ioctl_cmd_t *ipip, void *ifreq)
7585 {
7586         mblk_t *mp1;
7587         int     list;
7588         ill_t   *ill;
7589         ipif_t  *ipif;
7590         int     flags;
7591         int     numlifs = 0;
7592         size_t  lifc_bufsize;
7593         struct  lifreq *lifr;
7594         sa_family_t     family;
7595         struct  sockaddr_in     *sin;
7596         struct  sockaddr_in6    *sin6;
7597         ill_walk_context_t      ctx;
7598         struct iocblk *iocp = (struct iocblk *)mp->b_rptr;
7599         int32_t lifclen;
7600         zoneid_t zoneid;
7601         STRUCT_HANDLE(lifconf, lifc);
7602         ip_stack_t *ipst = CONNQ_TO_IPST(q);
7603 
7604         ip1dbg(("ip_sioctl_get_lifconf"));
7605 
7606         ASSERT(q->q_next == NULL);
7607 
7608         zoneid = Q_TO_CONN(q)->conn_zoneid;
7609 
7610         /* Existence verified in ip_wput_nondata */
7611         mp1 = mp->b_cont->b_cont;
7612 
7613         /*
7614          * An extended version of SIOCGIFCONF that takes an
7615          * additional address family and flags field.
7616          * AF_UNSPEC retrieve both IPv4 and IPv6.
7617          * Unless LIFC_NOXMIT is specified the IPIF_NOXMIT
7618          * interfaces are omitted.
7619          * Similarly, IPIF_TEMPORARY interfaces are omitted
7620          * unless LIFC_TEMPORARY is specified.
7621          * If LIFC_EXTERNAL_SOURCE is specified, IPIF_NOXMIT,
7622          * IPIF_NOLOCAL, PHYI_LOOPBACK, IPIF_DEPRECATED and
7623          * not IPIF_UP interfaces are omitted. LIFC_EXTERNAL_SOURCE
7624          * has priority over LIFC_NOXMIT.
7625          */
7626         STRUCT_SET_HANDLE(lifc, iocp->ioc_flag, NULL);
7627 
7628         if ((mp1->b_wptr - mp1->b_rptr) != STRUCT_SIZE(lifc))
7629                 return (EINVAL);
7630 
7631         /*
7632          * Must be (better be!) continuation of a TRANSPARENT
7633          * IOCTL.  We just copied in the lifconf structure.
7634          */
7635         STRUCT_SET_HANDLE(lifc, iocp->ioc_flag, (struct lifconf *)mp1->b_rptr);
7636 
7637         family = STRUCT_FGET(lifc, lifc_family);
7638         flags = STRUCT_FGET(lifc, lifc_flags);
7639 
7640         switch (family) {
7641         case AF_UNSPEC:
7642                 /*
7643                  * walk all ILL's.
7644                  */
7645                 list = MAX_G_HEADS;
7646                 break;
7647         case AF_INET:
7648                 /*
7649                  * walk only IPV4 ILL's.
7650                  */
7651                 list = IP_V4_G_HEAD;
7652                 break;
7653         case AF_INET6:
7654                 /*
7655                  * walk only IPV6 ILL's.
7656                  */
7657                 list = IP_V6_G_HEAD;
7658                 break;
7659         default:
7660                 return (EAFNOSUPPORT);
7661         }
7662 
7663         /*
7664          * Allocate a buffer to hold requested information.
7665          *
7666          * If lifc_len is larger than what is needed, we only
7667          * allocate what we will use.
7668          *
7669          * If lifc_len is smaller than what is needed, return
7670          * EINVAL.
7671          */
7672         numlifs = ip_get_numlifs(family, flags, zoneid, ipst);
7673         lifc_bufsize = numlifs * sizeof (struct lifreq);
7674         lifclen = STRUCT_FGET(lifc, lifc_len);
7675         if (lifc_bufsize > lifclen) {
7676                 if (iocp->ioc_cmd == O_SIOCGLIFCONF)
7677                         return (EINVAL);
7678                 else
7679                         lifc_bufsize = lifclen;
7680         }
7681 
7682         mp1 = mi_copyout_alloc(q, mp,
7683             STRUCT_FGETP(lifc, lifc_buf), lifc_bufsize, B_FALSE);
7684         if (mp1 == NULL)
7685                 return (ENOMEM);
7686 
7687         mp1->b_wptr = mp1->b_rptr + lifc_bufsize;
7688         bzero(mp1->b_rptr, mp1->b_wptr - mp1->b_rptr);
7689 
7690         lifr = (struct lifreq *)mp1->b_rptr;
7691 
7692         rw_enter(&ipst->ips_ill_g_lock, RW_READER);
7693         ill = ill_first(list, list, &ctx, ipst);
7694         for (; ill != NULL; ill = ill_next(&ctx, ill)) {
7695                 if (IS_UNDER_IPMP(ill) && !(flags & LIFC_UNDER_IPMP))
7696                         continue;
7697 
7698                 for (ipif = ill->ill_ipif; ipif != NULL;
7699                     ipif = ipif->ipif_next) {
7700                         if ((ipif->ipif_flags & IPIF_NOXMIT) &&
7701                             !(flags & LIFC_NOXMIT))
7702                                 continue;
7703 
7704                         if ((ipif->ipif_flags & IPIF_TEMPORARY) &&
7705                             !(flags & LIFC_TEMPORARY))
7706                                 continue;
7707 
7708                         if (((ipif->ipif_flags &
7709                             (IPIF_NOXMIT|IPIF_NOLOCAL|
7710                             IPIF_DEPRECATED)) ||
7711                             IS_LOOPBACK(ill) ||
7712                             !(ipif->ipif_flags & IPIF_UP)) &&
7713                             (flags & LIFC_EXTERNAL_SOURCE))
7714                                 continue;
7715 
7716                         if (zoneid != ipif->ipif_zoneid &&
7717                             ipif->ipif_zoneid != ALL_ZONES &&
7718                             (zoneid != GLOBAL_ZONEID ||
7719                             !(flags & LIFC_ALLZONES)))
7720                                 continue;
7721 
7722                         if ((uchar_t *)&lifr[1] > mp1->b_wptr) {
7723                                 if (iocp->ioc_cmd == O_SIOCGLIFCONF) {
7724                                         rw_exit(&ipst->ips_ill_g_lock);
7725                                         return (EINVAL);
7726                                 } else {
7727                                         goto lif_copydone;
7728                                 }
7729                         }
7730 
7731                         ipif_get_name(ipif, lifr->lifr_name,
7732                             sizeof (lifr->lifr_name));
7733                         lifr->lifr_type = ill->ill_type;
7734                         if (ipif->ipif_isv6) {
7735                                 sin6 = (sin6_t *)&lifr->lifr_addr;
7736                                 *sin6 = sin6_null;
7737                                 sin6->sin6_family = AF_INET6;
7738                                 sin6->sin6_addr =
7739                                     ipif->ipif_v6lcl_addr;
7740                                 lifr->lifr_addrlen =
7741                                     ip_mask_to_plen_v6(
7742                                     &ipif->ipif_v6net_mask);
7743                         } else {
7744                                 sin = (sin_t *)&lifr->lifr_addr;
7745                                 *sin = sin_null;
7746                                 sin->sin_family = AF_INET;
7747                                 sin->sin_addr.s_addr =
7748                                     ipif->ipif_lcl_addr;
7749                                 lifr->lifr_addrlen =
7750                                     ip_mask_to_plen(
7751                                     ipif->ipif_net_mask);
7752                         }
7753                         lifr++;
7754                 }
7755         }
7756 lif_copydone:
7757         rw_exit(&ipst->ips_ill_g_lock);
7758 
7759         mp1->b_wptr = (uchar_t *)lifr;
7760         if (STRUCT_BUF(lifc) != NULL) {
7761                 STRUCT_FSET(lifc, lifc_len,
7762                     (int)((uchar_t *)lifr - mp1->b_rptr));
7763         }
7764         return (0);
7765 }
7766 
7767 static void
7768 ip_sioctl_ip6addrpolicy(queue_t *q, mblk_t *mp)
7769 {
7770         ip6_asp_t *table;
7771         size_t table_size;
7772         mblk_t *data_mp;
7773         struct iocblk *iocp = (struct iocblk *)mp->b_rptr;
7774         ip_stack_t      *ipst;
7775 
7776         if (q->q_next == NULL)
7777                 ipst = CONNQ_TO_IPST(q);
7778         else
7779                 ipst = ILLQ_TO_IPST(q);
7780 
7781         /* These two ioctls are I_STR only */
7782         if (iocp->ioc_count == TRANSPARENT) {
7783                 miocnak(q, mp, 0, EINVAL);
7784                 return;
7785         }
7786 
7787         data_mp = mp->b_cont;
7788         if (data_mp == NULL) {
7789                 /* The user passed us a NULL argument */
7790                 table = NULL;
7791                 table_size = iocp->ioc_count;
7792         } else {
7793                 /*
7794                  * The user provided a table.  The stream head
7795                  * may have copied in the user data in chunks,
7796                  * so make sure everything is pulled up
7797                  * properly.
7798                  */
7799                 if (MBLKL(data_mp) < iocp->ioc_count) {
7800                         mblk_t *new_data_mp;
7801                         if ((new_data_mp = msgpullup(data_mp, -1)) ==
7802                             NULL) {
7803                                 miocnak(q, mp, 0, ENOMEM);
7804                                 return;
7805                         }
7806                         freemsg(data_mp);
7807                         data_mp = new_data_mp;
7808                         mp->b_cont = data_mp;
7809                 }
7810                 table = (ip6_asp_t *)data_mp->b_rptr;
7811                 table_size = iocp->ioc_count;
7812         }
7813 
7814         switch (iocp->ioc_cmd) {
7815         case SIOCGIP6ADDRPOLICY:
7816                 iocp->ioc_rval = ip6_asp_get(table, table_size, ipst);
7817                 if (iocp->ioc_rval == -1)
7818                         iocp->ioc_error = EINVAL;
7819 #if defined(_SYSCALL32_IMPL) && _LONG_LONG_ALIGNMENT_32 == 4
7820                 else if (table != NULL &&
7821                     (iocp->ioc_flag & IOC_MODELS) == IOC_ILP32) {
7822                         ip6_asp_t *src = table;
7823                         ip6_asp32_t *dst = (void *)table;
7824                         int count = table_size / sizeof (ip6_asp_t);
7825                         int i;
7826 
7827                         /*
7828                          * We need to do an in-place shrink of the array
7829                          * to match the alignment attributes of the
7830                          * 32-bit ABI looking at it.
7831                          */
7832                         /* LINTED: logical expression always true: op "||" */
7833                         ASSERT(sizeof (*src) > sizeof (*dst));
7834                         for (i = 1; i < count; i++)
7835                                 bcopy(src + i, dst + i, sizeof (*dst));
7836                 }
7837 #endif
7838                 break;
7839 
7840         case SIOCSIP6ADDRPOLICY:
7841                 ASSERT(mp->b_prev == NULL);
7842                 mp->b_prev = (void *)q;
7843 #if defined(_SYSCALL32_IMPL) && _LONG_LONG_ALIGNMENT_32 == 4
7844                 /*
7845                  * We pass in the datamodel here so that the ip6_asp_replace()
7846                  * routine can handle converting from 32-bit to native formats
7847                  * where necessary.
7848                  *
7849                  * A better way to handle this might be to convert the inbound
7850                  * data structure here, and hang it off a new 'mp'; thus the
7851                  * ip6_asp_replace() logic would always be dealing with native
7852                  * format data structures..
7853                  *
7854                  * (An even simpler way to handle these ioctls is to just
7855                  * add a 32-bit trailing 'pad' field to the ip6_asp_t structure
7856                  * and just recompile everything that depends on it.)
7857                  */
7858 #endif
7859                 ip6_asp_replace(mp, table, table_size, B_FALSE, ipst,
7860                     iocp->ioc_flag & IOC_MODELS);
7861                 return;
7862         }
7863 
7864         DB_TYPE(mp) =  (iocp->ioc_error == 0) ? M_IOCACK : M_IOCNAK;
7865         qreply(q, mp);
7866 }
7867 
7868 static void
7869 ip_sioctl_dstinfo(queue_t *q, mblk_t *mp)
7870 {
7871         mblk_t          *data_mp;
7872         struct dstinforeq       *dir;
7873         uint8_t         *end, *cur;
7874         in6_addr_t      *daddr, *saddr;
7875         ipaddr_t        v4daddr;
7876         ire_t           *ire;
7877         ipaddr_t        v4setsrc;
7878         in6_addr_t      v6setsrc;
7879         char            *slabel, *dlabel;
7880         boolean_t       isipv4;
7881         int             match_ire;
7882         ill_t           *dst_ill;
7883         struct iocblk *iocp = (struct iocblk *)mp->b_rptr;
7884         conn_t          *connp = Q_TO_CONN(q);
7885         zoneid_t        zoneid = IPCL_ZONEID(connp);
7886         ip_stack_t      *ipst = connp->conn_netstack->netstack_ip;
7887         uint64_t        ipif_flags;
7888 
7889         ASSERT(q->q_next == NULL); /* this ioctl not allowed if ip is module */
7890 
7891         /*
7892          * This ioctl is I_STR only, and must have a
7893          * data mblk following the M_IOCTL mblk.
7894          */
7895         data_mp = mp->b_cont;
7896         if (iocp->ioc_count == TRANSPARENT || data_mp == NULL) {
7897                 miocnak(q, mp, 0, EINVAL);
7898                 return;
7899         }
7900 
7901         if (MBLKL(data_mp) < iocp->ioc_count) {
7902                 mblk_t *new_data_mp;
7903 
7904                 if ((new_data_mp = msgpullup(data_mp, -1)) == NULL) {
7905                         miocnak(q, mp, 0, ENOMEM);
7906                         return;
7907                 }
7908                 freemsg(data_mp);
7909                 data_mp = new_data_mp;
7910                 mp->b_cont = data_mp;
7911         }
7912         match_ire = MATCH_IRE_DSTONLY;
7913 
7914         for (cur = data_mp->b_rptr, end = data_mp->b_wptr;
7915             end - cur >= sizeof (struct dstinforeq);
7916             cur += sizeof (struct dstinforeq)) {
7917                 dir = (struct dstinforeq *)cur;
7918                 daddr = &dir->dir_daddr;
7919                 saddr = &dir->dir_saddr;
7920 
7921                 /*
7922                  * ip_addr_scope_v6() and ip6_asp_lookup() handle
7923                  * v4 mapped addresses; ire_ftable_lookup_v6()
7924                  * and ip_select_source_v6() do not.
7925                  */
7926                 dir->dir_dscope = ip_addr_scope_v6(daddr);
7927                 dlabel = ip6_asp_lookup(daddr, &dir->dir_precedence, ipst);
7928 
7929                 isipv4 = IN6_IS_ADDR_V4MAPPED(daddr);
7930                 if (isipv4) {
7931                         IN6_V4MAPPED_TO_IPADDR(daddr, v4daddr);
7932                         v4setsrc = INADDR_ANY;
7933                         ire = ire_route_recursive_v4(v4daddr, 0, NULL, zoneid,
7934                             NULL, match_ire, IRR_ALLOCATE, 0, ipst, &v4setsrc,
7935                             NULL, NULL);
7936                 } else {
7937                         v6setsrc = ipv6_all_zeros;
7938                         ire = ire_route_recursive_v6(daddr, 0, NULL, zoneid,
7939                             NULL, match_ire, IRR_ALLOCATE, 0, ipst, &v6setsrc,
7940                             NULL, NULL);
7941                 }
7942                 ASSERT(ire != NULL);
7943                 if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
7944                         ire_refrele(ire);
7945                         dir->dir_dreachable = 0;
7946 
7947                         /* move on to next dst addr */
7948                         continue;
7949                 }
7950                 dir->dir_dreachable = 1;
7951 
7952                 dst_ill = ire_nexthop_ill(ire);
7953                 if (dst_ill == NULL) {
7954                         ire_refrele(ire);
7955                         continue;
7956                 }
7957 
7958                 /* With ipmp we most likely look at the ipmp ill here */
7959                 dir->dir_dmactype = dst_ill->ill_mactype;
7960 
7961                 if (isipv4) {
7962                         ipaddr_t v4saddr;
7963 
7964                         if (ip_select_source_v4(dst_ill, v4setsrc, v4daddr,
7965                             connp->conn_ixa->ixa_multicast_ifaddr, zoneid, ipst,
7966                             &v4saddr, NULL, &ipif_flags) != 0) {
7967                                 v4saddr = INADDR_ANY;
7968                                 ipif_flags = 0;
7969                         }
7970                         IN6_IPADDR_TO_V4MAPPED(v4saddr, saddr);
7971                 } else {
7972                         if (ip_select_source_v6(dst_ill, &v6setsrc, daddr,
7973                             zoneid, ipst, B_FALSE, IPV6_PREFER_SRC_DEFAULT,
7974                             saddr, NULL, &ipif_flags) != 0) {
7975                                 *saddr = ipv6_all_zeros;
7976                                 ipif_flags = 0;
7977                         }
7978                 }
7979 
7980                 dir->dir_sscope = ip_addr_scope_v6(saddr);
7981                 slabel = ip6_asp_lookup(saddr, NULL, ipst);
7982                 dir->dir_labelmatch = ip6_asp_labelcmp(dlabel, slabel);
7983                 dir->dir_sdeprecated = (ipif_flags & IPIF_DEPRECATED) ? 1 : 0;
7984                 ire_refrele(ire);
7985                 ill_refrele(dst_ill);
7986         }
7987         miocack(q, mp, iocp->ioc_count, 0);
7988 }
7989 
7990 /*
7991  * Check if this is an address assigned to this machine.
7992  * Skips interfaces that are down by using ire checks.
7993  * Translates mapped addresses to v4 addresses and then
7994  * treats them as such, returning true if the v4 address
7995  * associated with this mapped address is configured.
7996  * Note: Applications will have to be careful what they do
7997  * with the response; use of mapped addresses limits
7998  * what can be done with the socket, especially with
7999  * respect to socket options and ioctls - neither IPv4
8000  * options nor IPv6 sticky options/ancillary data options
8001  * may be used.
8002  */
8003 /* ARGSUSED */
8004 int
8005 ip_sioctl_tmyaddr(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
8006     ip_ioctl_cmd_t *ipip, void *dummy_ifreq)
8007 {
8008         struct sioc_addrreq *sia;
8009         sin_t *sin;
8010         ire_t *ire;
8011         mblk_t *mp1;
8012         zoneid_t zoneid;
8013         ip_stack_t      *ipst;
8014 
8015         ip1dbg(("ip_sioctl_tmyaddr"));
8016 
8017         ASSERT(q->q_next == NULL); /* this ioctl not allowed if ip is module */
8018         zoneid = Q_TO_CONN(q)->conn_zoneid;
8019         ipst = CONNQ_TO_IPST(q);
8020 
8021         /* Existence verified in ip_wput_nondata */
8022         mp1 = mp->b_cont->b_cont;
8023         sia = (struct sioc_addrreq *)mp1->b_rptr;
8024         sin = (sin_t *)&sia->sa_addr;
8025         switch (sin->sin_family) {
8026         case AF_INET6: {
8027                 sin6_t *sin6 = (sin6_t *)sin;
8028 
8029                 if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
8030                         ipaddr_t v4_addr;
8031 
8032                         IN6_V4MAPPED_TO_IPADDR(&sin6->sin6_addr,
8033                             v4_addr);
8034                         ire = ire_ftable_lookup_v4(v4_addr, 0, 0,
8035                             IRE_LOCAL|IRE_LOOPBACK, NULL, zoneid, NULL,
8036                             MATCH_IRE_TYPE | MATCH_IRE_ZONEONLY, 0, ipst, NULL);
8037                 } else {
8038                         in6_addr_t v6addr;
8039 
8040                         v6addr = sin6->sin6_addr;
8041                         ire = ire_ftable_lookup_v6(&v6addr, 0, 0,
8042                             IRE_LOCAL|IRE_LOOPBACK, NULL, zoneid, NULL,
8043                             MATCH_IRE_TYPE | MATCH_IRE_ZONEONLY, 0, ipst, NULL);
8044                 }
8045                 break;
8046         }
8047         case AF_INET: {
8048                 ipaddr_t v4addr;
8049 
8050                 v4addr = sin->sin_addr.s_addr;
8051                 ire = ire_ftable_lookup_v4(v4addr, 0, 0,
8052                     IRE_LOCAL|IRE_LOOPBACK, NULL, zoneid,
8053                     NULL, MATCH_IRE_TYPE | MATCH_IRE_ZONEONLY, 0, ipst, NULL);
8054                 break;
8055         }
8056         default:
8057                 return (EAFNOSUPPORT);
8058         }
8059         if (ire != NULL) {
8060                 sia->sa_res = 1;
8061                 ire_refrele(ire);
8062         } else {
8063                 sia->sa_res = 0;
8064         }
8065         return (0);
8066 }
8067 
8068 /*
8069  * Check if this is an address assigned on-link i.e. neighbor,
8070  * and makes sure it's reachable from the current zone.
8071  * Returns true for my addresses as well.
8072  * Translates mapped addresses to v4 addresses and then
8073  * treats them as such, returning true if the v4 address
8074  * associated with this mapped address is configured.
8075  * Note: Applications will have to be careful what they do
8076  * with the response; use of mapped addresses limits
8077  * what can be done with the socket, especially with
8078  * respect to socket options and ioctls - neither IPv4
8079  * options nor IPv6 sticky options/ancillary data options
8080  * may be used.
8081  */
8082 /* ARGSUSED */
8083 int
8084 ip_sioctl_tonlink(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
8085     ip_ioctl_cmd_t *ipip, void *duymmy_ifreq)
8086 {
8087         struct sioc_addrreq *sia;
8088         sin_t *sin;
8089         mblk_t  *mp1;
8090         ire_t *ire = NULL;
8091         zoneid_t zoneid;
8092         ip_stack_t      *ipst;
8093 
8094         ip1dbg(("ip_sioctl_tonlink"));
8095 
8096         ASSERT(q->q_next == NULL); /* this ioctl not allowed if ip is module */
8097         zoneid = Q_TO_CONN(q)->conn_zoneid;
8098         ipst = CONNQ_TO_IPST(q);
8099 
8100         /* Existence verified in ip_wput_nondata */
8101         mp1 = mp->b_cont->b_cont;
8102         sia = (struct sioc_addrreq *)mp1->b_rptr;
8103         sin = (sin_t *)&sia->sa_addr;
8104 
8105         /*
8106          * We check for IRE_ONLINK and exclude IRE_BROADCAST|IRE_MULTICAST
8107          * to make sure we only look at on-link unicast address.
8108          */
8109         switch (sin->sin_family) {
8110         case AF_INET6: {
8111                 sin6_t *sin6 = (sin6_t *)sin;
8112 
8113                 if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
8114                         ipaddr_t v4_addr;
8115 
8116                         IN6_V4MAPPED_TO_IPADDR(&sin6->sin6_addr,
8117                             v4_addr);
8118                         if (!CLASSD(v4_addr)) {
8119                                 ire = ire_ftable_lookup_v4(v4_addr, 0, 0, 0,
8120                                     NULL, zoneid, NULL, MATCH_IRE_DSTONLY,
8121                                     0, ipst, NULL);
8122                         }
8123                 } else {
8124                         in6_addr_t v6addr;
8125 
8126                         v6addr = sin6->sin6_addr;
8127                         if (!IN6_IS_ADDR_MULTICAST(&v6addr)) {
8128                                 ire = ire_ftable_lookup_v6(&v6addr, 0, 0, 0,
8129                                     NULL, zoneid, NULL, MATCH_IRE_DSTONLY, 0,
8130                                     ipst, NULL);
8131                         }
8132                 }
8133                 break;
8134         }
8135         case AF_INET: {
8136                 ipaddr_t v4addr;
8137 
8138                 v4addr = sin->sin_addr.s_addr;
8139                 if (!CLASSD(v4addr)) {
8140                         ire = ire_ftable_lookup_v4(v4addr, 0, 0, 0, NULL,
8141                             zoneid, NULL, MATCH_IRE_DSTONLY, 0, ipst, NULL);
8142                 }
8143                 break;
8144         }
8145         default:
8146                 return (EAFNOSUPPORT);
8147         }
8148         sia->sa_res = 0;
8149         if (ire != NULL) {
8150                 ASSERT(!(ire->ire_type & IRE_MULTICAST));
8151 
8152                 if ((ire->ire_type & IRE_ONLINK) &&
8153                     !(ire->ire_type & IRE_BROADCAST))
8154                         sia->sa_res = 1;
8155                 ire_refrele(ire);
8156         }
8157         return (0);
8158 }
8159 
8160 /*
8161  * TBD: implement when kernel maintaines a list of site prefixes.
8162  */
8163 /* ARGSUSED */
8164 int
8165 ip_sioctl_tmysite(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
8166     ip_ioctl_cmd_t *ipip, void *ifreq)
8167 {
8168         return (ENXIO);
8169 }
8170 
8171 /* ARP IOCTLs. */
8172 /* ARGSUSED */
8173 int
8174 ip_sioctl_arp(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
8175     ip_ioctl_cmd_t *ipip, void *dummy_ifreq)
8176 {
8177         int             err;
8178         ipaddr_t        ipaddr;
8179         struct iocblk   *iocp;
8180         conn_t          *connp;
8181         struct arpreq   *ar;
8182         struct xarpreq  *xar;
8183         int             arp_flags, flags, alength;
8184         uchar_t         *lladdr;
8185         ip_stack_t      *ipst;
8186         ill_t           *ill = ipif->ipif_ill;
8187         ill_t           *proxy_ill = NULL;
8188         ipmp_arpent_t   *entp = NULL;
8189         boolean_t       proxyarp = B_FALSE;
8190         boolean_t       if_arp_ioctl = B_FALSE;
8191         ncec_t          *ncec = NULL;
8192         nce_t           *nce;
8193 
8194         ASSERT(!(q->q_flag & QREADR) && q->q_next == NULL);
8195         connp = Q_TO_CONN(q);
8196         ipst = connp->conn_netstack->netstack_ip;
8197         iocp = (struct iocblk *)mp->b_rptr;
8198 
8199         if (ipip->ipi_cmd_type == XARP_CMD) {
8200                 /* We have a chain - M_IOCTL-->MI_COPY_MBLK-->XARPREQ_MBLK */
8201                 xar = (struct xarpreq *)mp->b_cont->b_cont->b_rptr;
8202                 ar = NULL;
8203 
8204                 arp_flags = xar->xarp_flags;
8205                 lladdr = (uchar_t *)LLADDR(&xar->xarp_ha);
8206                 if_arp_ioctl = (xar->xarp_ha.sdl_nlen != 0);
8207                 /*
8208                  * Validate against user's link layer address length
8209                  * input and name and addr length limits.
8210                  */
8211                 alength = ill->ill_phys_addr_length;
8212                 if (ipip->ipi_cmd == SIOCSXARP) {
8213                         if (alength != xar->xarp_ha.sdl_alen ||
8214                             (alength + xar->xarp_ha.sdl_nlen >
8215                             sizeof (xar->xarp_ha.sdl_data)))
8216                                 return (EINVAL);
8217                 }
8218         } else {
8219                 /* We have a chain - M_IOCTL-->MI_COPY_MBLK-->ARPREQ_MBLK */
8220                 ar = (struct arpreq *)mp->b_cont->b_cont->b_rptr;
8221                 xar = NULL;
8222 
8223                 arp_flags = ar->arp_flags;
8224                 lladdr = (uchar_t *)ar->arp_ha.sa_data;
8225                 /*
8226                  * Theoretically, the sa_family could tell us what link
8227                  * layer type this operation is trying to deal with. By
8228                  * common usage AF_UNSPEC means ethernet. We'll assume
8229                  * any attempt to use the SIOC?ARP ioctls is for ethernet,
8230                  * for now. Our new SIOC*XARP ioctls can be used more
8231                  * generally.
8232                  *
8233                  * If the underlying media happens to have a non 6 byte
8234                  * address, arp module will fail set/get, but the del
8235                  * operation will succeed.
8236                  */
8237                 alength = 6;
8238                 if ((ipip->ipi_cmd != SIOCDARP) &&
8239                     (alength != ill->ill_phys_addr_length)) {
8240                         return (EINVAL);
8241                 }
8242         }
8243 
8244         /* Translate ATF* flags to NCE* flags */
8245         flags = 0;
8246         if (arp_flags & ATF_AUTHORITY)
8247                 flags |= NCE_F_AUTHORITY;
8248         if (arp_flags & ATF_PERM)
8249                 flags |= NCE_F_NONUD; /* not subject to aging */
8250         if (arp_flags & ATF_PUBL)
8251                 flags |= NCE_F_PUBLISH;
8252 
8253         /*
8254          * IPMP ARP special handling:
8255          *
8256          * 1. Since ARP mappings must appear consistent across the group,
8257          *    prohibit changing ARP mappings on the underlying interfaces.
8258          *
8259          * 2. Since ARP mappings for IPMP data addresses are maintained by
8260          *    IP itself, prohibit changing them.
8261          *
8262          * 3. For proxy ARP, use a functioning hardware address in the group,
8263          *    provided one exists.  If one doesn't, just add the entry as-is;
8264          *    ipmp_illgrp_refresh_arpent() will refresh it if things change.
8265          */
8266         if (IS_UNDER_IPMP(ill)) {
8267                 if (ipip->ipi_cmd != SIOCGARP && ipip->ipi_cmd != SIOCGXARP)
8268                         return (EPERM);
8269         }
8270         if (IS_IPMP(ill)) {
8271                 ipmp_illgrp_t *illg = ill->ill_grp;
8272 
8273                 switch (ipip->ipi_cmd) {
8274                 case SIOCSARP:
8275                 case SIOCSXARP:
8276                         proxy_ill = ipmp_illgrp_find_ill(illg, lladdr, alength);
8277                         if (proxy_ill != NULL) {
8278                                 proxyarp = B_TRUE;
8279                                 if (!ipmp_ill_is_active(proxy_ill))
8280                                         proxy_ill = ipmp_illgrp_next_ill(illg);
8281                                 if (proxy_ill != NULL)
8282                                         lladdr = proxy_ill->ill_phys_addr;
8283                         }
8284                         /* FALLTHRU */
8285                 }
8286         }
8287 
8288         ipaddr = sin->sin_addr.s_addr;
8289         /*
8290          * don't match across illgrp per case (1) and (2).
8291          * XXX use IS_IPMP(ill) like ndp_sioc_update?
8292          */
8293         nce = nce_lookup_v4(ill, &ipaddr);
8294         if (nce != NULL)
8295                 ncec = nce->nce_common;
8296 
8297         switch (iocp->ioc_cmd) {
8298         case SIOCDARP:
8299         case SIOCDXARP: {
8300                 /*
8301                  * Delete the NCE if any.
8302                  */
8303                 if (ncec == NULL) {
8304                         iocp->ioc_error = ENXIO;
8305                         break;
8306                 }
8307                 /* Don't allow changes to arp mappings of local addresses. */
8308                 if (NCE_MYADDR(ncec)) {
8309                         nce_refrele(nce);
8310                         return (ENOTSUP);
8311                 }
8312                 iocp->ioc_error = 0;
8313 
8314                 /*
8315                  * Delete the nce_common which has ncec_ill set to ipmp_ill.
8316                  * This will delete all the nce entries on the under_ills.
8317                  */
8318                 ncec_delete(ncec);
8319                 /*
8320                  * Once the NCE has been deleted, then the ire_dep* consistency
8321                  * mechanism will find any IRE which depended on the now
8322                  * condemned NCE (as part of sending packets).
8323                  * That mechanism handles redirects by deleting redirects
8324                  * that refer to UNREACHABLE nces.
8325                  */
8326                 break;
8327         }
8328         case SIOCGARP:
8329         case SIOCGXARP:
8330                 if (ncec != NULL) {
8331                         lladdr = ncec->ncec_lladdr;
8332                         flags = ncec->ncec_flags;
8333                         iocp->ioc_error = 0;
8334                         ip_sioctl_garp_reply(mp, ncec->ncec_ill, lladdr, flags);
8335                 } else {
8336                         iocp->ioc_error = ENXIO;
8337                 }
8338                 break;
8339         case SIOCSARP:
8340         case SIOCSXARP:
8341                 /* Don't allow changes to arp mappings of local addresses. */
8342                 if (ncec != NULL && NCE_MYADDR(ncec)) {
8343                         nce_refrele(nce);
8344                         return (ENOTSUP);
8345                 }
8346 
8347                 /* static arp entries will undergo NUD if ATF_PERM is not set */
8348                 flags |= NCE_F_STATIC;
8349                 if (!if_arp_ioctl) {
8350                         ip_nce_lookup_and_update(&ipaddr, NULL, ipst,
8351                             lladdr, alength, flags);
8352                 } else {
8353                         ipif_t *ipif = ipif_get_next_ipif(NULL, ill);
8354                         if (ipif != NULL) {
8355                                 ip_nce_lookup_and_update(&ipaddr, ipif, ipst,
8356                                     lladdr, alength, flags);
8357                                 ipif_refrele(ipif);
8358                         }
8359                 }
8360                 if (nce != NULL) {
8361                         nce_refrele(nce);
8362                         nce = NULL;
8363                 }
8364                 /*
8365                  * NCE_F_STATIC entries will be added in state ND_REACHABLE
8366                  * by nce_add_common()
8367                  */
8368                 err = nce_lookup_then_add_v4(ill, lladdr,
8369                     ill->ill_phys_addr_length, &ipaddr, flags, ND_UNCHANGED,
8370                     &nce);
8371                 if (err == EEXIST) {
8372                         ncec = nce->nce_common;
8373                         mutex_enter(&ncec->ncec_lock);
8374                         ncec->ncec_state = ND_REACHABLE;
8375                         ncec->ncec_flags = flags;
8376                         nce_update(ncec, ND_UNCHANGED, lladdr);
8377                         mutex_exit(&ncec->ncec_lock);
8378                         err = 0;
8379                 }
8380                 if (nce != NULL) {
8381                         nce_refrele(nce);
8382                         nce = NULL;
8383                 }
8384                 if (IS_IPMP(ill) && err == 0) {
8385                         entp = ipmp_illgrp_create_arpent(ill->ill_grp,
8386                             proxyarp, ipaddr, lladdr, ill->ill_phys_addr_length,
8387                             flags);
8388                         if (entp == NULL || (proxyarp && proxy_ill == NULL)) {
8389                                 iocp->ioc_error = (entp == NULL ? ENOMEM : 0);
8390                                 break;
8391                         }
8392                 }
8393                 iocp->ioc_error = err;
8394         }
8395 
8396         if (nce != NULL) {
8397                 nce_refrele(nce);
8398         }
8399 
8400         /*
8401          * If we created an IPMP ARP entry, mark that we've notified ARP.
8402          */
8403         if (entp != NULL)
8404                 ipmp_illgrp_mark_arpent(ill->ill_grp, entp);
8405 
8406         return (iocp->ioc_error);
8407 }
8408 
8409 /*
8410  * Parse an [x]arpreq structure coming down SIOC[GSD][X]ARP ioctls, identify
8411  * the associated sin and refhold and return the associated ipif via `ci'.
8412  */
8413 int
8414 ip_extract_arpreq(queue_t *q, mblk_t *mp, const ip_ioctl_cmd_t *ipip,
8415     cmd_info_t *ci)
8416 {
8417         mblk_t  *mp1;
8418         sin_t   *sin;
8419         conn_t  *connp;
8420         ipif_t  *ipif;
8421         ire_t   *ire = NULL;
8422         ill_t   *ill = NULL;
8423         boolean_t exists;
8424         ip_stack_t *ipst;
8425         struct arpreq *ar;
8426         struct xarpreq *xar;
8427         struct sockaddr_dl *sdl;
8428 
8429         /* ioctl comes down on a conn */
8430         ASSERT(!(q->q_flag & QREADR) && q->q_next == NULL);
8431         connp = Q_TO_CONN(q);
8432         if (connp->conn_family == AF_INET6)
8433                 return (ENXIO);
8434 
8435         ipst = connp->conn_netstack->netstack_ip;
8436 
8437         /* Verified in ip_wput_nondata */
8438         mp1 = mp->b_cont->b_cont;
8439 
8440         if (ipip->ipi_cmd_type == XARP_CMD) {
8441                 ASSERT(MBLKL(mp1) >= sizeof (struct xarpreq));
8442                 xar = (struct xarpreq *)mp1->b_rptr;
8443                 sin = (sin_t *)&xar->xarp_pa;
8444                 sdl = &xar->xarp_ha;
8445 
8446                 if (sdl->sdl_family != AF_LINK || sin->sin_family != AF_INET)
8447                         return (ENXIO);
8448                 if (sdl->sdl_nlen >= LIFNAMSIZ)
8449                         return (EINVAL);
8450         } else {
8451                 ASSERT(ipip->ipi_cmd_type == ARP_CMD);
8452                 ASSERT(MBLKL(mp1) >= sizeof (struct arpreq));
8453                 ar = (struct arpreq *)mp1->b_rptr;
8454                 sin = (sin_t *)&ar->arp_pa;
8455         }
8456 
8457         if (ipip->ipi_cmd_type == XARP_CMD && sdl->sdl_nlen != 0) {
8458                 ipif = ipif_lookup_on_name(sdl->sdl_data, sdl->sdl_nlen,
8459                     B_FALSE, &exists, B_FALSE, ALL_ZONES, ipst);
8460                 if (ipif == NULL)
8461                         return (ENXIO);
8462                 if (ipif->ipif_id != 0) {
8463                         ipif_refrele(ipif);
8464                         return (ENXIO);
8465                 }
8466         } else {
8467                 /*
8468                  * Either an SIOC[DGS]ARP or an SIOC[DGS]XARP with an sdl_nlen
8469                  * of 0: use the IP address to find the ipif.  If the IP
8470                  * address is an IPMP test address, ire_ftable_lookup() will
8471                  * find the wrong ill, so we first do an ipif_lookup_addr().
8472                  */
8473                 ipif = ipif_lookup_addr(sin->sin_addr.s_addr, NULL, ALL_ZONES,
8474                     ipst);
8475                 if (ipif == NULL) {
8476                         ire = ire_ftable_lookup_v4(sin->sin_addr.s_addr,
8477                             0, 0, IRE_IF_RESOLVER, NULL, ALL_ZONES,
8478                             NULL, MATCH_IRE_TYPE, 0, ipst, NULL);
8479                         if (ire == NULL || ((ill = ire->ire_ill) == NULL)) {
8480                                 if (ire != NULL)
8481                                         ire_refrele(ire);
8482                                 return (ENXIO);
8483                         }
8484                         ASSERT(ire != NULL && ill != NULL);
8485                         ipif = ill->ill_ipif;
8486                         ipif_refhold(ipif);
8487                         ire_refrele(ire);
8488                 }
8489         }
8490 
8491         if (ipif->ipif_ill->ill_net_type != IRE_IF_RESOLVER) {
8492                 ipif_refrele(ipif);
8493                 return (ENXIO);
8494         }
8495 
8496         ci->ci_sin = sin;
8497         ci->ci_ipif = ipif;
8498         return (0);
8499 }
8500 
8501 /*
8502  * Link or unlink the illgrp on IPMP meta-interface `ill' depending on the
8503  * value of `ioccmd'.  While an illgrp is linked to an ipmp_grp_t, it is
8504  * accessible from that ipmp_grp_t, which means SIOCSLIFGROUPNAME can look it
8505  * up and thus an ill can join that illgrp.
8506  *
8507  * We use I_PLINK/I_PUNLINK to do the link/unlink operations rather than
8508  * open()/close() primarily because close() is not allowed to fail or block
8509  * forever.  On the other hand, I_PUNLINK *can* fail, and there's no reason
8510  * why anyone should ever need to I_PUNLINK an in-use IPMP stream.  To ensure
8511  * symmetric behavior (e.g., doing an I_PLINK after and I_PUNLINK undoes the
8512  * I_PUNLINK) we defer linking to I_PLINK.  Separately, we also fail attempts
8513  * to I_LINK since I_UNLINK is optional and we'd end up in an inconsistent
8514  * state if I_UNLINK didn't occur.
8515  *
8516  * Note that for each plumb/unplumb operation, we may end up here more than
8517  * once because of the way ifconfig works.  However, it's OK to link the same
8518  * illgrp more than once, or unlink an illgrp that's already unlinked.
8519  */
8520 static int
8521 ip_sioctl_plink_ipmp(ill_t *ill, int ioccmd)
8522 {
8523         int err;
8524         ip_stack_t *ipst = ill->ill_ipst;
8525 
8526         ASSERT(IS_IPMP(ill));
8527         ASSERT(IAM_WRITER_ILL(ill));
8528 
8529         switch (ioccmd) {
8530         case I_LINK:
8531                 return (ENOTSUP);
8532 
8533         case I_PLINK:
8534                 rw_enter(&ipst->ips_ipmp_lock, RW_WRITER);
8535                 ipmp_illgrp_link_grp(ill->ill_grp, ill->ill_phyint->phyint_grp);
8536                 rw_exit(&ipst->ips_ipmp_lock);
8537                 break;
8538 
8539         case I_PUNLINK:
8540                 /*
8541                  * Require all UP ipifs be brought down prior to unlinking the
8542                  * illgrp so any associated IREs (and other state) is torched.
8543                  */
8544                 if (ill->ill_ipif_up_count + ill->ill_ipif_dup_count > 0)
8545                         return (EBUSY);
8546 
8547                 /*
8548                  * NOTE: We hold ipmp_lock across the unlink to prevent a race
8549                  * with an SIOCSLIFGROUPNAME request from an ill trying to
8550                  * join this group.  Specifically: ills trying to join grab
8551                  * ipmp_lock and bump a "pending join" counter checked by
8552                  * ipmp_illgrp_unlink_grp().  During the unlink no new pending
8553                  * joins can occur (since we have ipmp_lock).  Once we drop
8554                  * ipmp_lock, subsequent SIOCSLIFGROUPNAME requests will not
8555                  * find the illgrp (since we unlinked it) and will return
8556                  * EAFNOSUPPORT.  This will then take them back through the
8557                  * IPMP meta-interface plumbing logic in ifconfig, and thus
8558                  * back through I_PLINK above.
8559                  */
8560                 rw_enter(&ipst->ips_ipmp_lock, RW_WRITER);
8561                 err = ipmp_illgrp_unlink_grp(ill->ill_grp);
8562                 rw_exit(&ipst->ips_ipmp_lock);
8563                 return (err);
8564         default:
8565                 break;
8566         }
8567         return (0);
8568 }
8569 
8570 /*
8571  * Do I_PLINK/I_LINK or I_PUNLINK/I_UNLINK with consistency checks and also
8572  * atomically set/clear the muxids. Also complete the ioctl by acking or
8573  * naking it.  Note that the code is structured such that the link type,
8574  * whether it's persistent or not, is treated equally.  ifconfig(1M) and
8575  * its clones use the persistent link, while pppd(1M) and perhaps many
8576  * other daemons may use non-persistent link.  When combined with some
8577  * ill_t states, linking and unlinking lower streams may be used as
8578  * indicators of dynamic re-plumbing events [see PSARC/1999/348].
8579  */
8580 /* ARGSUSED */
8581 void
8582 ip_sioctl_plink(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
8583 {
8584         mblk_t          *mp1;
8585         struct linkblk  *li;
8586         int             ioccmd = ((struct iocblk *)mp->b_rptr)->ioc_cmd;
8587         int             err = 0;
8588 
8589         ASSERT(ioccmd == I_PLINK || ioccmd == I_PUNLINK ||
8590             ioccmd == I_LINK || ioccmd == I_UNLINK);
8591 
8592         mp1 = mp->b_cont;    /* This is the linkblk info */
8593         li = (struct linkblk *)mp1->b_rptr;
8594 
8595         err = ip_sioctl_plink_ipmod(ipsq, q, mp, ioccmd, li);
8596         if (err == EINPROGRESS)
8597                 return;
8598         if (err == 0)
8599                 miocack(q, mp, 0, 0);
8600         else
8601                 miocnak(q, mp, 0, err);
8602 
8603         /* Conn was refheld in ip_sioctl_copyin_setup */
8604         if (CONN_Q(q)) {
8605                 CONN_DEC_IOCTLREF(Q_TO_CONN(q));
8606                 CONN_OPER_PENDING_DONE(Q_TO_CONN(q));
8607         }
8608 }
8609 
8610 /*
8611  * Process I_{P}LINK and I_{P}UNLINK requests named by `ioccmd' and pointed to
8612  * by `mp' and `li' for the IP module stream (if li->q_bot is in fact an IP
8613  * module stream).
8614  * Returns zero on success, EINPROGRESS if the operation is still pending, or
8615  * an error code on failure.
8616  */
8617 static int
8618 ip_sioctl_plink_ipmod(ipsq_t *ipsq, queue_t *q, mblk_t *mp, int ioccmd,
8619     struct linkblk *li)
8620 {
8621         int             err = 0;
8622         ill_t           *ill;
8623         queue_t         *ipwq, *dwq;
8624         const char      *name;
8625         struct qinit    *qinfo;
8626         boolean_t       islink = (ioccmd == I_PLINK || ioccmd == I_LINK);
8627         boolean_t       entered_ipsq = B_FALSE;
8628         boolean_t       is_ip = B_FALSE;
8629         arl_t           *arl;
8630 
8631         /*
8632          * Walk the lower stream to verify it's the IP module stream.
8633          * The IP module is identified by its name, wput function,
8634          * and non-NULL q_next.  STREAMS ensures that the lower stream
8635          * (li->l_qbot) will not vanish until this ioctl completes.
8636          */
8637         for (ipwq = li->l_qbot; ipwq != NULL; ipwq = ipwq->q_next) {
8638                 qinfo = ipwq->q_qinfo;
8639                 name = qinfo->qi_minfo->mi_idname;
8640                 if (name != NULL && strcmp(name, ip_mod_info.mi_idname) == 0 &&
8641                     qinfo->qi_putp != (pfi_t)ip_lwput && ipwq->q_next != NULL) {
8642                         is_ip = B_TRUE;
8643                         break;
8644                 }
8645                 if (name != NULL && strcmp(name, arp_mod_info.mi_idname) == 0 &&
8646                     qinfo->qi_putp != (pfi_t)ip_lwput && ipwq->q_next != NULL) {
8647                         break;
8648                 }
8649         }
8650 
8651         /*
8652          * If this isn't an IP module stream, bail.
8653          */
8654         if (ipwq == NULL)
8655                 return (0);
8656 
8657         if (!is_ip) {
8658                 arl = (arl_t *)ipwq->q_ptr;
8659                 ill = arl_to_ill(arl);
8660                 if (ill == NULL)
8661                         return (0);
8662         } else {
8663                 ill = ipwq->q_ptr;
8664         }
8665         ASSERT(ill != NULL);
8666 
8667         if (ipsq == NULL) {
8668                 ipsq = ipsq_try_enter(NULL, ill, q, mp, ip_sioctl_plink,
8669                     NEW_OP, B_FALSE);
8670                 if (ipsq == NULL) {
8671                         if (!is_ip)
8672                                 ill_refrele(ill);
8673                         return (EINPROGRESS);
8674                 }
8675                 entered_ipsq = B_TRUE;
8676         }
8677         ASSERT(IAM_WRITER_ILL(ill));
8678         mutex_enter(&ill->ill_lock);
8679         if (!is_ip) {
8680                 if (islink && ill->ill_muxid == 0) {
8681                         /*
8682                          * Plumbing has to be done with IP plumbed first, arp
8683                          * second, but here we have arp being plumbed first.
8684                          */
8685                         mutex_exit(&ill->ill_lock);
8686                         if (entered_ipsq)
8687                                 ipsq_exit(ipsq);
8688                         ill_refrele(ill);
8689                         return (EINVAL);
8690                 }
8691         }
8692         mutex_exit(&ill->ill_lock);
8693         if (!is_ip) {
8694                 arl->arl_muxid = islink ? li->l_index : 0;
8695                 ill_refrele(ill);
8696                 goto done;
8697         }
8698 
8699         if (IS_IPMP(ill) && (err = ip_sioctl_plink_ipmp(ill, ioccmd)) != 0)
8700                 goto done;
8701 
8702         /*
8703          * As part of I_{P}LINKing, stash the number of downstream modules and
8704          * the read queue of the module immediately below IP in the ill.
8705          * These are used during the capability negotiation below.
8706          */
8707         ill->ill_lmod_rq = NULL;
8708         ill->ill_lmod_cnt = 0;
8709         if (islink && ((dwq = ipwq->q_next) != NULL)) {
8710                 ill->ill_lmod_rq = RD(dwq);
8711                 for (; dwq != NULL; dwq = dwq->q_next)
8712                         ill->ill_lmod_cnt++;
8713         }
8714 
8715         ill->ill_muxid = islink ? li->l_index : 0;
8716 
8717         /*
8718          * Mark the ipsq busy until the capability operations initiated below
8719          * complete. The PLINK/UNLINK ioctl itself completes when our caller
8720          * returns, but the capability operation may complete asynchronously
8721          * much later.
8722          */
8723         ipsq_current_start(ipsq, ill->ill_ipif, ioccmd);
8724         /*
8725          * If there's at least one up ipif on this ill, then we're bound to
8726          * the underlying driver via DLPI.  In that case, renegotiate
8727          * capabilities to account for any possible change in modules
8728          * interposed between IP and the driver.
8729          */
8730         if (ill->ill_ipif_up_count > 0) {
8731                 if (islink)
8732                         ill_capability_probe(ill);
8733                 else
8734                         ill_capability_reset(ill, B_FALSE);
8735         }
8736         ipsq_current_finish(ipsq);
8737 done:
8738         if (entered_ipsq)
8739                 ipsq_exit(ipsq);
8740 
8741         return (err);
8742 }
8743 
8744 /*
8745  * Search the ioctl command in the ioctl tables and return a pointer
8746  * to the ioctl command information. The ioctl command tables are
8747  * static and fully populated at compile time.
8748  */
8749 ip_ioctl_cmd_t *
8750 ip_sioctl_lookup(int ioc_cmd)
8751 {
8752         int index;
8753         ip_ioctl_cmd_t *ipip;
8754         ip_ioctl_cmd_t *ipip_end;
8755 
8756         if (ioc_cmd == IPI_DONTCARE)
8757                 return (NULL);
8758 
8759         /*
8760          * Do a 2 step search. First search the indexed table
8761          * based on the least significant byte of the ioctl cmd.
8762          * If we don't find a match, then search the misc table
8763          * serially.
8764          */
8765         index = ioc_cmd & 0xFF;
8766         if (index < ip_ndx_ioctl_count) {
8767                 ipip = &ip_ndx_ioctl_table[index];
8768                 if (ipip->ipi_cmd == ioc_cmd) {
8769                         /* Found a match in the ndx table */
8770                         return (ipip);
8771                 }
8772         }
8773 
8774         /* Search the misc table */
8775         ipip_end = &ip_misc_ioctl_table[ip_misc_ioctl_count];
8776         for (ipip = ip_misc_ioctl_table; ipip < ipip_end; ipip++) {
8777                 if (ipip->ipi_cmd == ioc_cmd)
8778                         /* Found a match in the misc table */
8779                         return (ipip);
8780         }
8781 
8782         return (NULL);
8783 }
8784 
8785 /*
8786  * helper function for ip_sioctl_getsetprop(), which does some sanity checks
8787  */
8788 static boolean_t
8789 getset_ioctl_checks(mblk_t *mp)
8790 {
8791         struct iocblk   *iocp = (struct iocblk *)mp->b_rptr;
8792         mblk_t          *mp1 = mp->b_cont;
8793         mod_ioc_prop_t  *pioc;
8794         uint_t          flags;
8795         uint_t          pioc_size;
8796 
8797         /* do sanity checks on various arguments */
8798         if (mp1 == NULL || iocp->ioc_count == 0 ||
8799             iocp->ioc_count == TRANSPARENT) {
8800                 return (B_FALSE);
8801         }
8802         if (msgdsize(mp1) < iocp->ioc_count) {
8803                 if (!pullupmsg(mp1, iocp->ioc_count))
8804                         return (B_FALSE);
8805         }
8806 
8807         pioc = (mod_ioc_prop_t *)mp1->b_rptr;
8808 
8809         /* sanity checks on mpr_valsize */
8810         pioc_size = sizeof (mod_ioc_prop_t);
8811         if (pioc->mpr_valsize != 0)
8812                 pioc_size += pioc->mpr_valsize - 1;
8813 
8814         if (iocp->ioc_count != pioc_size)
8815                 return (B_FALSE);
8816 
8817         flags = pioc->mpr_flags;
8818         if (iocp->ioc_cmd == SIOCSETPROP) {
8819                 /*
8820                  * One can either reset the value to it's default value or
8821                  * change the current value or append/remove the value from
8822                  * a multi-valued properties.
8823                  */
8824                 if ((flags & MOD_PROP_DEFAULT) != MOD_PROP_DEFAULT &&
8825                     flags != MOD_PROP_ACTIVE &&
8826                     flags != (MOD_PROP_ACTIVE|MOD_PROP_APPEND) &&
8827                     flags != (MOD_PROP_ACTIVE|MOD_PROP_REMOVE))
8828                         return (B_FALSE);
8829         } else {
8830                 ASSERT(iocp->ioc_cmd == SIOCGETPROP);
8831 
8832                 /*
8833                  * One can retrieve only one kind of property information
8834                  * at a time.
8835                  */
8836                 if ((flags & MOD_PROP_ACTIVE) != MOD_PROP_ACTIVE &&
8837                     (flags & MOD_PROP_DEFAULT) != MOD_PROP_DEFAULT &&
8838                     (flags & MOD_PROP_POSSIBLE) != MOD_PROP_POSSIBLE &&
8839                     (flags & MOD_PROP_PERM) != MOD_PROP_PERM)
8840                         return (B_FALSE);
8841         }
8842 
8843         return (B_TRUE);
8844 }
8845 
8846 /*
8847  * process the SIOC{SET|GET}PROP ioctl's
8848  */
8849 /* ARGSUSED */
8850 static void
8851 ip_sioctl_getsetprop(queue_t *q, mblk_t *mp)
8852 {
8853         struct iocblk   *iocp = (struct iocblk *)mp->b_rptr;
8854         mblk_t          *mp1 = mp->b_cont;
8855         mod_ioc_prop_t  *pioc;
8856         mod_prop_info_t *ptbl = NULL, *pinfo = NULL;
8857         ip_stack_t      *ipst;
8858         icmp_stack_t    *is;
8859         tcp_stack_t     *tcps;
8860         sctp_stack_t    *sctps;
8861         udp_stack_t     *us;
8862         netstack_t      *stack;
8863         void            *cbarg;
8864         cred_t          *cr;
8865         boolean_t       set;
8866         int             err;
8867 
8868         ASSERT(q->q_next == NULL);
8869         ASSERT(CONN_Q(q));
8870 
8871         if (!getset_ioctl_checks(mp)) {
8872                 miocnak(q, mp, 0, EINVAL);
8873                 return;
8874         }
8875         ipst = CONNQ_TO_IPST(q);
8876         stack = ipst->ips_netstack;
8877         pioc = (mod_ioc_prop_t *)mp1->b_rptr;
8878 
8879         switch (pioc->mpr_proto) {
8880         case MOD_PROTO_IP:
8881         case MOD_PROTO_IPV4:
8882         case MOD_PROTO_IPV6:
8883                 ptbl = ipst->ips_propinfo_tbl;
8884                 cbarg = ipst;
8885                 break;
8886         case MOD_PROTO_RAWIP:
8887                 is = stack->netstack_icmp;
8888                 ptbl = is->is_propinfo_tbl;
8889                 cbarg = is;
8890                 break;
8891         case MOD_PROTO_TCP:
8892                 tcps = stack->netstack_tcp;
8893                 ptbl = tcps->tcps_propinfo_tbl;
8894                 cbarg = tcps;
8895                 break;
8896         case MOD_PROTO_UDP:
8897                 us = stack->netstack_udp;
8898                 ptbl = us->us_propinfo_tbl;
8899                 cbarg = us;
8900                 break;
8901         case MOD_PROTO_SCTP:
8902                 sctps = stack->netstack_sctp;
8903                 ptbl = sctps->sctps_propinfo_tbl;
8904                 cbarg = sctps;
8905                 break;
8906         default:
8907                 miocnak(q, mp, 0, EINVAL);
8908                 return;
8909         }
8910 
8911         /* search for given property in respective protocol propinfo table */
8912         for (pinfo = ptbl; pinfo->mpi_name != NULL; pinfo++) {
8913                 if (strcmp(pinfo->mpi_name, pioc->mpr_name) == 0 &&
8914                     pinfo->mpi_proto == pioc->mpr_proto)
8915                         break;
8916         }
8917         if (pinfo->mpi_name == NULL) {
8918                 miocnak(q, mp, 0, ENOENT);
8919                 return;
8920         }
8921 
8922         set = (iocp->ioc_cmd == SIOCSETPROP) ? B_TRUE : B_FALSE;
8923         if (set && pinfo->mpi_setf != NULL) {
8924                 cr = msg_getcred(mp, NULL);
8925                 if (cr == NULL)
8926                         cr = iocp->ioc_cr;
8927                 err = pinfo->mpi_setf(cbarg, cr, pinfo, pioc->mpr_ifname,
8928                     pioc->mpr_val, pioc->mpr_flags);
8929         } else if (!set && pinfo->mpi_getf != NULL) {
8930                 err = pinfo->mpi_getf(cbarg, pinfo, pioc->mpr_ifname,
8931                     pioc->mpr_val, pioc->mpr_valsize, pioc->mpr_flags);
8932         } else {
8933                 err = EPERM;
8934         }
8935 
8936         if (err != 0) {
8937                 miocnak(q, mp, 0, err);
8938         } else {
8939                 if (set)
8940                         miocack(q, mp, 0, 0);
8941                 else    /* For get, we need to return back the data */
8942                         miocack(q, mp, iocp->ioc_count, 0);
8943         }
8944 }
8945 
8946 /*
8947  * process the legacy ND_GET, ND_SET ioctl just for {ip|ip6}_forwarding
8948  * as several routing daemons have unfortunately used this 'unpublished'
8949  * but well-known ioctls.
8950  */
8951 /* ARGSUSED */
8952 static void
8953 ip_process_legacy_nddprop(queue_t *q, mblk_t *mp)
8954 {
8955         struct iocblk   *iocp = (struct iocblk *)mp->b_rptr;
8956         mblk_t          *mp1 = mp->b_cont;
8957         char            *pname, *pval, *buf;
8958         uint_t          bufsize, proto;
8959         mod_prop_info_t *ptbl = NULL, *pinfo = NULL;
8960         ip_stack_t      *ipst;
8961         int             err = 0;
8962 
8963         ASSERT(CONN_Q(q));
8964         ipst = CONNQ_TO_IPST(q);
8965 
8966         if (iocp->ioc_count == 0 || mp1 == NULL) {
8967                 miocnak(q, mp, 0, EINVAL);
8968                 return;
8969         }
8970 
8971         mp1->b_datap->db_lim[-1] = '\0';  /* Force null termination */
8972         pval = buf = pname = (char *)mp1->b_rptr;
8973         bufsize = MBLKL(mp1);
8974 
8975         if (strcmp(pname, "ip_forwarding") == 0) {
8976                 pname = "forwarding";
8977                 proto = MOD_PROTO_IPV4;
8978         } else if (strcmp(pname, "ip6_forwarding") == 0) {
8979                 pname = "forwarding";
8980                 proto = MOD_PROTO_IPV6;
8981         } else {
8982                 miocnak(q, mp, 0, EINVAL);
8983                 return;
8984         }
8985 
8986         ptbl = ipst->ips_propinfo_tbl;
8987         for (pinfo = ptbl; pinfo->mpi_name != NULL; pinfo++) {
8988                 if (strcmp(pinfo->mpi_name, pname) == 0 &&
8989                     pinfo->mpi_proto == proto)
8990                         break;
8991         }
8992 
8993         ASSERT(pinfo->mpi_name != NULL);
8994 
8995         switch (iocp->ioc_cmd) {
8996         case ND_GET:
8997                 if ((err = pinfo->mpi_getf(ipst, pinfo, NULL, buf, bufsize,
8998                     0)) == 0) {
8999                         miocack(q, mp, iocp->ioc_count, 0);
9000                         return;
9001                 }
9002                 break;
9003         case ND_SET:
9004                 /*
9005                  * buffer will have property name and value in the following
9006                  * format,
9007                  * <property name>'\0'<property value>'\0', extract them;
9008                  */
9009                 while (*pval++)
9010                         noop;
9011 
9012                 if (!*pval || pval >= (char *)mp1->b_wptr) {
9013                         err = EINVAL;
9014                 } else if ((err = pinfo->mpi_setf(ipst, NULL, pinfo, NULL,
9015                     pval, 0)) == 0) {
9016                         miocack(q, mp, 0, 0);
9017                         return;
9018                 }
9019                 break;
9020         default:
9021                 err = EINVAL;
9022                 break;
9023         }
9024         miocnak(q, mp, 0, err);
9025 }
9026 
9027 /*
9028  * Wrapper function for resuming deferred ioctl processing
9029  * Used for SIOCGDSTINFO, SIOCGIP6ADDRPOLICY, SIOCGMSFILTER,
9030  * SIOCSMSFILTER, SIOCGIPMSFILTER, and SIOCSIPMSFILTER currently.
9031  */
9032 /* ARGSUSED */
9033 void
9034 ip_sioctl_copyin_resume(ipsq_t *dummy_ipsq, queue_t *q, mblk_t *mp,
9035     void *dummy_arg)
9036 {
9037         ip_sioctl_copyin_setup(q, mp);
9038 }
9039 
9040 /*
9041  * ip_sioctl_copyin_setup is called by ip_wput_nondata with any M_IOCTL message
9042  * that arrives.  Most of the IOCTLs are "socket" IOCTLs which we handle
9043  * in either I_STR or TRANSPARENT form, using the mi_copy facility.
9044  * We establish here the size of the block to be copied in.  mi_copyin
9045  * arranges for this to happen, an processing continues in ip_wput_nondata with
9046  * an M_IOCDATA message.
9047  */
9048 void
9049 ip_sioctl_copyin_setup(queue_t *q, mblk_t *mp)
9050 {
9051         int     copyin_size;
9052         struct iocblk *iocp = (struct iocblk *)mp->b_rptr;
9053         ip_ioctl_cmd_t *ipip;
9054         cred_t *cr;
9055         ip_stack_t      *ipst;
9056 
9057         if (CONN_Q(q))
9058                 ipst = CONNQ_TO_IPST(q);
9059         else
9060                 ipst = ILLQ_TO_IPST(q);
9061 
9062         ipip = ip_sioctl_lookup(iocp->ioc_cmd);
9063         if (ipip == NULL) {
9064                 /*
9065                  * The ioctl is not one we understand or own.
9066                  * Pass it along to be processed down stream,
9067                  * if this is a module instance of IP, else nak
9068                  * the ioctl.
9069                  */
9070                 if (q->q_next == NULL) {
9071                         goto nak;
9072                 } else {
9073                         putnext(q, mp);
9074                         return;
9075                 }
9076         }
9077 
9078         /*
9079          * If this is deferred, then we will do all the checks when we
9080          * come back.
9081          */
9082         if ((iocp->ioc_cmd == SIOCGDSTINFO ||
9083             iocp->ioc_cmd == SIOCGIP6ADDRPOLICY) && !ip6_asp_can_lookup(ipst)) {
9084                 ip6_asp_pending_op(q, mp, ip_sioctl_copyin_resume);
9085                 return;
9086         }
9087 
9088         /*
9089          * Only allow a very small subset of IP ioctls on this stream if
9090          * IP is a module and not a driver. Allowing ioctls to be processed
9091          * in this case may cause assert failures or data corruption.
9092          * Typically G[L]IFFLAGS, SLIFNAME/IF_UNITSEL are the only few
9093          * ioctls allowed on an IP module stream, after which this stream
9094          * normally becomes a multiplexor (at which time the stream head
9095          * will fail all ioctls).
9096          */
9097         if ((q->q_next != NULL) && !(ipip->ipi_flags & IPI_MODOK)) {
9098                 goto nak;
9099         }
9100 
9101         /* Make sure we have ioctl data to process. */
9102         if (mp->b_cont == NULL && !(ipip->ipi_flags & IPI_NULL_BCONT))
9103                 goto nak;
9104 
9105         /*
9106          * Prefer dblk credential over ioctl credential; some synthesized
9107          * ioctls have kcred set because there's no way to crhold()
9108          * a credential in some contexts.  (ioc_cr is not crfree() by
9109          * the framework; the caller of ioctl needs to hold the reference
9110          * for the duration of the call).
9111          */
9112         cr = msg_getcred(mp, NULL);
9113         if (cr == NULL)
9114                 cr = iocp->ioc_cr;
9115 
9116         /* Make sure normal users don't send down privileged ioctls */
9117         if ((ipip->ipi_flags & IPI_PRIV) &&
9118             (cr != NULL) && secpolicy_ip_config(cr, B_TRUE) != 0) {
9119                 /* We checked the privilege earlier but log it here */
9120                 miocnak(q, mp, 0, secpolicy_ip_config(cr, B_FALSE));
9121                 return;
9122         }
9123 
9124         /*
9125          * The ioctl command tables can only encode fixed length
9126          * ioctl data. If the length is variable, the table will
9127          * encode the length as zero. Such special cases are handled
9128          * below in the switch.
9129          */
9130         if (ipip->ipi_copyin_size != 0) {
9131                 mi_copyin(q, mp, NULL, ipip->ipi_copyin_size);
9132                 return;
9133         }
9134 
9135         switch (iocp->ioc_cmd) {
9136         case O_SIOCGIFCONF:
9137         case SIOCGIFCONF:
9138                 /*
9139                  * This IOCTL is hilarious.  See comments in
9140                  * ip_sioctl_get_ifconf for the story.
9141                  */
9142                 if (iocp->ioc_count == TRANSPARENT)
9143                         copyin_size = SIZEOF_STRUCT(ifconf,
9144                             iocp->ioc_flag);
9145                 else
9146                         copyin_size = iocp->ioc_count;
9147                 mi_copyin(q, mp, NULL, copyin_size);
9148                 return;
9149 
9150         case O_SIOCGLIFCONF:
9151         case SIOCGLIFCONF:
9152                 copyin_size = SIZEOF_STRUCT(lifconf, iocp->ioc_flag);
9153                 mi_copyin(q, mp, NULL, copyin_size);
9154                 return;
9155 
9156         case SIOCGLIFSRCOF:
9157                 copyin_size = SIZEOF_STRUCT(lifsrcof, iocp->ioc_flag);
9158                 mi_copyin(q, mp, NULL, copyin_size);
9159                 return;
9160 
9161         case SIOCGIP6ADDRPOLICY:
9162                 ip_sioctl_ip6addrpolicy(q, mp);
9163                 ip6_asp_table_refrele(ipst);
9164                 return;
9165 
9166         case SIOCSIP6ADDRPOLICY:
9167                 ip_sioctl_ip6addrpolicy(q, mp);
9168                 return;
9169 
9170         case SIOCGDSTINFO:
9171                 ip_sioctl_dstinfo(q, mp);
9172                 ip6_asp_table_refrele(ipst);
9173                 return;
9174 
9175         case ND_SET:
9176         case ND_GET:
9177                 ip_process_legacy_nddprop(q, mp);
9178                 return;
9179 
9180         case SIOCSETPROP:
9181         case SIOCGETPROP:
9182                 ip_sioctl_getsetprop(q, mp);
9183                 return;
9184 
9185         case I_PLINK:
9186         case I_PUNLINK:
9187         case I_LINK:
9188         case I_UNLINK:
9189                 /*
9190                  * We treat non-persistent link similarly as the persistent
9191                  * link case, in terms of plumbing/unplumbing, as well as
9192                  * dynamic re-plumbing events indicator.  See comments
9193                  * in ip_sioctl_plink() for more.
9194                  *
9195                  * Request can be enqueued in the 'ipsq' while waiting
9196                  * to become exclusive. So bump up the conn ref.
9197                  */
9198                 if (CONN_Q(q)) {
9199                         CONN_INC_REF(Q_TO_CONN(q));
9200                         CONN_INC_IOCTLREF(Q_TO_CONN(q))
9201                 }
9202                 ip_sioctl_plink(NULL, q, mp, NULL);
9203                 return;
9204 
9205         case IP_IOCTL:
9206                 ip_wput_ioctl(q, mp);
9207                 return;
9208 
9209         case SIOCILB:
9210                 /* The ioctl length varies depending on the ILB command. */
9211                 copyin_size = iocp->ioc_count;
9212                 if (copyin_size < sizeof (ilb_cmd_t))
9213                         goto nak;
9214                 mi_copyin(q, mp, NULL, copyin_size);
9215                 return;
9216 
9217         default:
9218                 cmn_err(CE_PANIC, "should not happen ");
9219         }
9220 nak:
9221         if (mp->b_cont != NULL) {
9222                 freemsg(mp->b_cont);
9223                 mp->b_cont = NULL;
9224         }
9225         iocp->ioc_error = EINVAL;
9226         mp->b_datap->db_type = M_IOCNAK;
9227         iocp->ioc_count = 0;
9228         qreply(q, mp);
9229 }
9230 
9231 static void
9232 ip_sioctl_garp_reply(mblk_t *mp, ill_t *ill, void *hwaddr, int flags)
9233 {
9234         struct arpreq *ar;
9235         struct xarpreq *xar;
9236         mblk_t  *tmp;
9237         struct iocblk *iocp;
9238         int x_arp_ioctl = B_FALSE;
9239         int *flagsp;
9240         char *storage = NULL;
9241 
9242         ASSERT(ill != NULL);
9243 
9244         iocp = (struct iocblk *)mp->b_rptr;
9245         ASSERT(iocp->ioc_cmd == SIOCGXARP || iocp->ioc_cmd == SIOCGARP);
9246 
9247         tmp = (mp->b_cont)->b_cont; /* xarpreq/arpreq */
9248         if ((iocp->ioc_cmd == SIOCGXARP) ||
9249             (iocp->ioc_cmd == SIOCSXARP)) {
9250                 x_arp_ioctl = B_TRUE;
9251                 xar = (struct xarpreq *)tmp->b_rptr;
9252                 flagsp = &xar->xarp_flags;
9253                 storage = xar->xarp_ha.sdl_data;
9254         } else {
9255                 ar = (struct arpreq *)tmp->b_rptr;
9256                 flagsp = &ar->arp_flags;
9257                 storage = ar->arp_ha.sa_data;
9258         }
9259 
9260         /*
9261          * We're done if this is not an SIOCG{X}ARP
9262          */
9263         if (x_arp_ioctl) {
9264                 storage += ill_xarp_info(&xar->xarp_ha, ill);
9265                 if ((ill->ill_phys_addr_length + ill->ill_name_length) >
9266                     sizeof (xar->xarp_ha.sdl_data)) {
9267                         iocp->ioc_error = EINVAL;
9268                         return;
9269                 }
9270         }
9271         *flagsp = ATF_INUSE;
9272         /*
9273          * If /sbin/arp told us we are the authority using the "permanent"
9274          * flag, or if this is one of my addresses print "permanent"
9275          * in the /sbin/arp output.
9276          */
9277         if ((flags & NCE_F_MYADDR) || (flags & NCE_F_AUTHORITY))
9278                 *flagsp |= ATF_AUTHORITY;
9279         if (flags & NCE_F_NONUD)
9280                 *flagsp |= ATF_PERM; /* not subject to aging */
9281         if (flags & NCE_F_PUBLISH)
9282                 *flagsp |= ATF_PUBL;
9283         if (hwaddr != NULL) {
9284                 *flagsp |= ATF_COM;
9285                 bcopy((char *)hwaddr, storage, ill->ill_phys_addr_length);
9286         }
9287 }
9288 
9289 /*
9290  * Create a new logical interface. If ipif_id is zero (i.e. not a logical
9291  * interface) create the next available logical interface for this
9292  * physical interface.
9293  * If ipif is NULL (i.e. the lookup didn't find one) attempt to create an
9294  * ipif with the specified name.
9295  *
9296  * If the address family is not AF_UNSPEC then set the address as well.
9297  *
9298  * If ip_sioctl_addr returns EINPROGRESS then the ioctl (the copyout)
9299  * is completed when the DL_BIND_ACK arrive in ip_rput_dlpi_writer.
9300  *
9301  * Executed as a writer on the ill.
9302  * So no lock is needed to traverse the ipif chain, or examine the
9303  * phyint flags.
9304  */
9305 /* ARGSUSED */
9306 int
9307 ip_sioctl_addif(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
9308     ip_ioctl_cmd_t *dummy_ipip, void *dummy_ifreq)
9309 {
9310         mblk_t  *mp1;
9311         struct lifreq *lifr;
9312         boolean_t       isv6;
9313         boolean_t       exists;
9314         char    *name;
9315         char    *endp;
9316         char    *cp;
9317         int     namelen;
9318         ipif_t  *ipif;
9319         long    id;
9320         ipsq_t  *ipsq;
9321         ill_t   *ill;
9322         sin_t   *sin;
9323         int     err = 0;
9324         boolean_t found_sep = B_FALSE;
9325         conn_t  *connp;
9326         zoneid_t zoneid;
9327         ip_stack_t *ipst = CONNQ_TO_IPST(q);
9328 
9329         ASSERT(q->q_next == NULL);
9330         ip1dbg(("ip_sioctl_addif\n"));
9331         /* Existence of mp1 has been checked in ip_wput_nondata */
9332         mp1 = mp->b_cont->b_cont;
9333         /*
9334          * Null terminate the string to protect against buffer
9335          * overrun. String was generated by user code and may not
9336          * be trusted.
9337          */
9338         lifr = (struct lifreq *)mp1->b_rptr;
9339         lifr->lifr_name[LIFNAMSIZ - 1] = '\0';
9340         name = lifr->lifr_name;
9341         ASSERT(CONN_Q(q));
9342         connp = Q_TO_CONN(q);
9343         isv6 = (connp->conn_family == AF_INET6);
9344         zoneid = connp->conn_zoneid;
9345         namelen = mi_strlen(name);
9346         if (namelen == 0)
9347                 return (EINVAL);
9348 
9349         exists = B_FALSE;
9350         if ((namelen + 1 == sizeof (ipif_loopback_name)) &&
9351             (mi_strcmp(name, ipif_loopback_name) == 0)) {
9352                 /*
9353                  * Allow creating lo0 using SIOCLIFADDIF.
9354                  * can't be any other writer thread. So can pass null below
9355                  * for the last 4 args to ipif_lookup_name.
9356                  */
9357                 ipif = ipif_lookup_on_name(lifr->lifr_name, namelen, B_TRUE,
9358                     &exists, isv6, zoneid, ipst);
9359                 /* Prevent any further action */
9360                 if (ipif == NULL) {
9361                         return (ENOBUFS);
9362                 } else if (!exists) {
9363                         /* We created the ipif now and as writer */
9364                         ipif_refrele(ipif);
9365                         return (0);
9366                 } else {
9367                         ill = ipif->ipif_ill;
9368                         ill_refhold(ill);
9369                         ipif_refrele(ipif);
9370                 }
9371         } else {
9372                 /* Look for a colon in the name. */
9373                 endp = &name[namelen];
9374                 for (cp = endp; --cp > name; ) {
9375                         if (*cp == IPIF_SEPARATOR_CHAR) {
9376                                 found_sep = B_TRUE;
9377                                 /*
9378                                  * Reject any non-decimal aliases for plumbing
9379                                  * of logical interfaces. Aliases with leading
9380                                  * zeroes are also rejected as they introduce
9381                                  * ambiguity in the naming of the interfaces.
9382                                  * Comparing with "0" takes care of all such
9383                                  * cases.
9384                                  */
9385                                 if ((strncmp("0", cp+1, 1)) == 0)
9386                                         return (EINVAL);
9387 
9388                                 if (ddi_strtol(cp+1, &endp, 10, &id) != 0 ||
9389                                     id <= 0 || *endp != '\0') {
9390                                         return (EINVAL);
9391                                 }
9392                                 *cp = '\0';
9393                                 break;
9394                         }
9395                 }
9396                 ill = ill_lookup_on_name(name, B_FALSE, isv6, NULL, ipst);
9397                 if (found_sep)
9398                         *cp = IPIF_SEPARATOR_CHAR;
9399                 if (ill == NULL)
9400                         return (ENXIO);
9401         }
9402 
9403         ipsq = ipsq_try_enter(NULL, ill, q, mp, ip_process_ioctl, NEW_OP,
9404             B_TRUE);
9405 
9406         /*
9407          * Release the refhold due to the lookup, now that we are excl
9408          * or we are just returning
9409          */
9410         ill_refrele(ill);
9411 
9412         if (ipsq == NULL)
9413                 return (EINPROGRESS);
9414 
9415         /* We are now exclusive on the IPSQ */
9416         ASSERT(IAM_WRITER_ILL(ill));
9417 
9418         if (found_sep) {
9419                 /* Now see if there is an IPIF with this unit number. */
9420                 for (ipif = ill->ill_ipif; ipif != NULL;
9421                     ipif = ipif->ipif_next) {
9422                         if (ipif->ipif_id == id) {
9423                                 err = EEXIST;
9424                                 goto done;
9425                         }
9426                 }
9427         }
9428 
9429         /*
9430          * We use IRE_LOCAL for lo0:1 etc. for "receive only" use
9431          * of lo0.  Plumbing for lo0:0 happens in ipif_lookup_on_name()
9432          * instead.
9433          */
9434         if ((ipif = ipif_allocate(ill, found_sep ? id : -1, IRE_LOCAL,
9435             B_TRUE, B_TRUE, &err)) == NULL) {
9436                 goto done;
9437         }
9438 
9439         /* Return created name with ioctl */
9440         (void) sprintf(lifr->lifr_name, "%s%c%d", ill->ill_name,
9441             IPIF_SEPARATOR_CHAR, ipif->ipif_id);
9442         ip1dbg(("created %s\n", lifr->lifr_name));
9443 
9444         /* Set address */
9445         sin = (sin_t *)&lifr->lifr_addr;
9446         if (sin->sin_family != AF_UNSPEC) {
9447                 err = ip_sioctl_addr(ipif, sin, q, mp,
9448                     &ip_ndx_ioctl_table[SIOCLIFADDR_NDX], lifr);
9449         }
9450 
9451 done:
9452         ipsq_exit(ipsq);
9453         return (err);
9454 }
9455 
9456 /*
9457  * Remove an existing logical interface. If ipif_id is zero (i.e. not a logical
9458  * interface) delete it based on the IP address (on this physical interface).
9459  * Otherwise delete it based on the ipif_id.
9460  * Also, special handling to allow a removeif of lo0.
9461  */
9462 /* ARGSUSED */
9463 int
9464 ip_sioctl_removeif(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
9465     ip_ioctl_cmd_t *ipip, void *dummy_if_req)
9466 {
9467         conn_t          *connp;
9468         ill_t           *ill = ipif->ipif_ill;
9469         boolean_t        success;
9470         ip_stack_t      *ipst;
9471 
9472         ipst = CONNQ_TO_IPST(q);
9473 
9474         ASSERT(q->q_next == NULL);
9475         ip1dbg(("ip_sioctl_remove_if(%s:%u %p)\n",
9476             ill->ill_name, ipif->ipif_id, (void *)ipif));
9477         ASSERT(IAM_WRITER_IPIF(ipif));
9478 
9479         connp = Q_TO_CONN(q);
9480         /*
9481          * Special case for unplumbing lo0 (the loopback physical interface).
9482          * If unplumbing lo0, the incoming address structure has been
9483          * initialized to all zeros. When unplumbing lo0, all its logical
9484          * interfaces must be removed too.
9485          *
9486          * Note that this interface may be called to remove a specific
9487          * loopback logical interface (eg, lo0:1). But in that case
9488          * ipif->ipif_id != 0 so that the code path for that case is the
9489          * same as any other interface (meaning it skips the code directly
9490          * below).
9491          */
9492         if (ipif->ipif_id == 0 && ill->ill_net_type == IRE_LOOPBACK) {
9493                 if (sin->sin_family == AF_UNSPEC &&
9494                     (IN6_IS_ADDR_UNSPECIFIED(&((sin6_t *)sin)->sin6_addr))) {
9495                         /*
9496                          * Mark it condemned. No new ref. will be made to ill.
9497                          */
9498                         mutex_enter(&ill->ill_lock);
9499                         ill->ill_state_flags |= ILL_CONDEMNED;
9500                         for (ipif = ill->ill_ipif; ipif != NULL;
9501                             ipif = ipif->ipif_next) {
9502                                 ipif->ipif_state_flags |= IPIF_CONDEMNED;
9503                         }
9504                         mutex_exit(&ill->ill_lock);
9505 
9506                         ipif = ill->ill_ipif;
9507                         /* unplumb the loopback interface */
9508                         ill_delete(ill);
9509                         mutex_enter(&connp->conn_lock);
9510                         mutex_enter(&ill->ill_lock);
9511 
9512                         /* Are any references to this ill active */
9513                         if (ill_is_freeable(ill)) {
9514                                 mutex_exit(&ill->ill_lock);
9515                                 mutex_exit(&connp->conn_lock);
9516                                 ill_delete_tail(ill);
9517                                 mi_free(ill);
9518                                 return (0);
9519                         }
9520                         success = ipsq_pending_mp_add(connp, ipif,
9521                             CONNP_TO_WQ(connp), mp, ILL_FREE);
9522                         mutex_exit(&connp->conn_lock);
9523                         mutex_exit(&ill->ill_lock);
9524                         if (success)
9525                                 return (EINPROGRESS);
9526                         else
9527                                 return (EINTR);
9528                 }
9529         }
9530 
9531         if (ipif->ipif_id == 0) {
9532                 ipsq_t *ipsq;
9533 
9534                 /* Find based on address */
9535                 if (ipif->ipif_isv6) {
9536                         sin6_t *sin6;
9537 
9538                         if (sin->sin_family != AF_INET6)
9539                                 return (EAFNOSUPPORT);
9540 
9541                         sin6 = (sin6_t *)sin;
9542                         /* We are a writer, so we should be able to lookup */
9543                         ipif = ipif_lookup_addr_exact_v6(&sin6->sin6_addr, ill,
9544                             ipst);
9545                 } else {
9546                         if (sin->sin_family != AF_INET)
9547                                 return (EAFNOSUPPORT);
9548 
9549                         /* We are a writer, so we should be able to lookup */
9550                         ipif = ipif_lookup_addr_exact(sin->sin_addr.s_addr, ill,
9551                             ipst);
9552                 }
9553                 if (ipif == NULL) {
9554                         return (EADDRNOTAVAIL);
9555                 }
9556 
9557                 /*
9558                  * It is possible for a user to send an SIOCLIFREMOVEIF with
9559                  * lifr_name of the physical interface but with an ip address
9560                  * lifr_addr of a logical interface plumbed over it.
9561                  * So update ipx_current_ipif now that ipif points to the
9562                  * correct one.
9563                  */
9564                 ipsq = ipif->ipif_ill->ill_phyint->phyint_ipsq;
9565                 ipsq->ipsq_xop->ipx_current_ipif = ipif;
9566 
9567                 /* This is a writer */
9568                 ipif_refrele(ipif);
9569         }
9570 
9571         /*
9572          * Can not delete instance zero since it is tied to the ill.
9573          */
9574         if (ipif->ipif_id == 0)
9575                 return (EBUSY);
9576 
9577         mutex_enter(&ill->ill_lock);
9578         ipif->ipif_state_flags |= IPIF_CONDEMNED;
9579         mutex_exit(&ill->ill_lock);
9580 
9581         ipif_free(ipif);
9582 
9583         mutex_enter(&connp->conn_lock);
9584         mutex_enter(&ill->ill_lock);
9585 
9586         /* Are any references to this ipif active */
9587         if (ipif_is_freeable(ipif)) {
9588                 mutex_exit(&ill->ill_lock);
9589                 mutex_exit(&connp->conn_lock);
9590                 ipif_non_duplicate(ipif);
9591                 (void) ipif_down_tail(ipif);
9592                 ipif_free_tail(ipif); /* frees ipif */
9593                 return (0);
9594         }
9595         success = ipsq_pending_mp_add(connp, ipif, CONNP_TO_WQ(connp), mp,
9596             IPIF_FREE);
9597         mutex_exit(&ill->ill_lock);
9598         mutex_exit(&connp->conn_lock);
9599         if (success)
9600                 return (EINPROGRESS);
9601         else
9602                 return (EINTR);
9603 }
9604 
9605 /*
9606  * Restart the removeif ioctl. The refcnt has gone down to 0.
9607  * The ipif is already condemned. So can't find it thru lookups.
9608  */
9609 /* ARGSUSED */
9610 int
9611 ip_sioctl_removeif_restart(ipif_t *ipif, sin_t *dummy_sin, queue_t *q,
9612     mblk_t *mp, ip_ioctl_cmd_t *ipip, void *dummy_if_req)
9613 {
9614         ill_t *ill = ipif->ipif_ill;
9615 
9616         ASSERT(IAM_WRITER_IPIF(ipif));
9617         ASSERT(ipif->ipif_state_flags & IPIF_CONDEMNED);
9618 
9619         ip1dbg(("ip_sioctl_removeif_restart(%s:%u %p)\n",
9620             ill->ill_name, ipif->ipif_id, (void *)ipif));
9621 
9622         if (ipif->ipif_id == 0 && ill->ill_net_type == IRE_LOOPBACK) {
9623                 ASSERT(ill->ill_state_flags & ILL_CONDEMNED);
9624                 ill_delete_tail(ill);
9625                 mi_free(ill);
9626                 return (0);
9627         }
9628 
9629         ipif_non_duplicate(ipif);
9630         (void) ipif_down_tail(ipif);
9631         ipif_free_tail(ipif);
9632 
9633         return (0);
9634 }
9635 
9636 /*
9637  * Set the local interface address using the given prefix and ill_token.
9638  */
9639 /* ARGSUSED */
9640 int
9641 ip_sioctl_prefix(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
9642     ip_ioctl_cmd_t *dummy_ipip, void *dummy_ifreq)
9643 {
9644         int err;
9645         in6_addr_t v6addr;
9646         sin6_t *sin6;
9647         ill_t *ill;
9648         int i;
9649 
9650         ip1dbg(("ip_sioctl_prefix(%s:%u %p)\n",
9651             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
9652 
9653         ASSERT(IAM_WRITER_IPIF(ipif));
9654 
9655         if (!ipif->ipif_isv6)
9656                 return (EINVAL);
9657 
9658         if (sin->sin_family != AF_INET6)
9659                 return (EAFNOSUPPORT);
9660 
9661         sin6 = (sin6_t *)sin;
9662         v6addr = sin6->sin6_addr;
9663         ill = ipif->ipif_ill;
9664 
9665         if (IN6_IS_ADDR_UNSPECIFIED(&v6addr) ||
9666             IN6_IS_ADDR_UNSPECIFIED(&ill->ill_token))
9667                 return (EADDRNOTAVAIL);
9668 
9669         for (i = 0; i < 4; i++)
9670                 sin6->sin6_addr.s6_addr32[i] |= ill->ill_token.s6_addr32[i];
9671 
9672         err = ip_sioctl_addr(ipif, sin, q, mp,
9673             &ip_ndx_ioctl_table[SIOCLIFADDR_NDX], dummy_ifreq);
9674         return (err);
9675 }
9676 
9677 /*
9678  * Restart entry point to restart the address set operation after the
9679  * refcounts have dropped to zero.
9680  */
9681 /* ARGSUSED */
9682 int
9683 ip_sioctl_prefix_restart(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
9684     ip_ioctl_cmd_t *ipip, void *ifreq)
9685 {
9686         ip1dbg(("ip_sioctl_prefix_restart(%s:%u %p)\n",
9687             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
9688         return (ip_sioctl_addr_restart(ipif, sin, q, mp, ipip, ifreq));
9689 }
9690 
9691 /*
9692  * Set the local interface address.
9693  * Allow an address of all zero when the interface is down.
9694  */
9695 /* ARGSUSED */
9696 int
9697 ip_sioctl_addr(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
9698     ip_ioctl_cmd_t *dummy_ipip, void *dummy_ifreq)
9699 {
9700         int err = 0;
9701         in6_addr_t v6addr;
9702         boolean_t need_up = B_FALSE;
9703         ill_t *ill;
9704         int i;
9705 
9706         ip1dbg(("ip_sioctl_addr(%s:%u %p)\n",
9707             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
9708 
9709         ASSERT(IAM_WRITER_IPIF(ipif));
9710 
9711         ill = ipif->ipif_ill;
9712         if (ipif->ipif_isv6) {
9713                 sin6_t *sin6;
9714                 phyint_t *phyi;
9715 
9716                 if (sin->sin_family != AF_INET6)
9717                         return (EAFNOSUPPORT);
9718 
9719                 sin6 = (sin6_t *)sin;
9720                 v6addr = sin6->sin6_addr;
9721                 phyi = ill->ill_phyint;
9722 
9723                 /*
9724                  * Enforce that true multicast interfaces have a link-local
9725                  * address for logical unit 0.
9726                  *
9727                  * However for those ipif's for which link-local address was
9728                  * not created by default, also allow setting :: as the address.
9729                  * This scenario would arise, when we delete an address on ipif
9730                  * with logical unit 0, we would want to set :: as the address.
9731                  */
9732                 if (ipif->ipif_id == 0 &&
9733                     (ill->ill_flags & ILLF_MULTICAST) &&
9734                     !(ipif->ipif_flags & (IPIF_POINTOPOINT)) &&
9735                     !(phyi->phyint_flags & (PHYI_LOOPBACK)) &&
9736                     !IN6_IS_ADDR_LINKLOCAL(&v6addr)) {
9737 
9738                         /*
9739                          * if default link-local was not created by kernel for
9740                          * this ill, allow setting :: as the address on ipif:0.
9741                          */
9742                         if (ill->ill_flags & ILLF_NOLINKLOCAL) {
9743                                 if (!IN6_IS_ADDR_UNSPECIFIED(&v6addr))
9744                                         return (EADDRNOTAVAIL);
9745                         } else {
9746                                 return (EADDRNOTAVAIL);
9747                         }
9748                 }
9749 
9750                 /*
9751                  * up interfaces shouldn't have the unspecified address
9752                  * unless they also have the IPIF_NOLOCAL flags set and
9753                  * have a subnet assigned.
9754                  */
9755                 if ((ipif->ipif_flags & IPIF_UP) &&
9756                     IN6_IS_ADDR_UNSPECIFIED(&v6addr) &&
9757                     (!(ipif->ipif_flags & IPIF_NOLOCAL) ||
9758                     IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6subnet))) {
9759                         return (EADDRNOTAVAIL);
9760                 }
9761 
9762                 if (!ip_local_addr_ok_v6(&v6addr, &ipif->ipif_v6net_mask))
9763                         return (EADDRNOTAVAIL);
9764         } else {
9765                 ipaddr_t addr;
9766 
9767                 if (sin->sin_family != AF_INET)
9768                         return (EAFNOSUPPORT);
9769 
9770                 addr = sin->sin_addr.s_addr;
9771 
9772                 /* Allow INADDR_ANY as the local address. */
9773                 if (addr != INADDR_ANY &&
9774                     !ip_addr_ok_v4(addr, ipif->ipif_net_mask))
9775                         return (EADDRNOTAVAIL);
9776 
9777                 IN6_IPADDR_TO_V4MAPPED(addr, &v6addr);
9778         }
9779         /*
9780          * verify that the address being configured is permitted by the
9781          * ill_allowed_ips[] for the interface.
9782          */
9783         if (ill->ill_allowed_ips_cnt > 0) {
9784                 for (i = 0; i < ill->ill_allowed_ips_cnt; i++) {
9785                         if (IN6_ARE_ADDR_EQUAL(&ill->ill_allowed_ips[i],
9786                             &v6addr))
9787                                 break;
9788                 }
9789                 if (i == ill->ill_allowed_ips_cnt) {
9790                         pr_addr_dbg("!allowed addr %s\n", AF_INET6, &v6addr);
9791                         return (EPERM);
9792                 }
9793         }
9794         /*
9795          * Even if there is no change we redo things just to rerun
9796          * ipif_set_default.
9797          */
9798         if (ipif->ipif_flags & IPIF_UP) {
9799                 /*
9800                  * Setting a new local address, make sure
9801                  * we have net and subnet bcast ire's for
9802                  * the old address if we need them.
9803                  */
9804                 /*
9805                  * If the interface is already marked up,
9806                  * we call ipif_down which will take care
9807                  * of ditching any IREs that have been set
9808                  * up based on the old interface address.
9809                  */
9810                 err = ipif_logical_down(ipif, q, mp);
9811                 if (err == EINPROGRESS)
9812                         return (err);
9813                 (void) ipif_down_tail(ipif);
9814                 need_up = 1;
9815         }
9816 
9817         err = ip_sioctl_addr_tail(ipif, sin, q, mp, need_up);
9818         return (err);
9819 }
9820 
9821 int
9822 ip_sioctl_addr_tail(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
9823     boolean_t need_up)
9824 {
9825         in6_addr_t v6addr;
9826         in6_addr_t ov6addr;
9827         ipaddr_t addr;
9828         sin6_t  *sin6;
9829         int     sinlen;
9830         int     err = 0;
9831         ill_t   *ill = ipif->ipif_ill;
9832         boolean_t need_dl_down;
9833         boolean_t need_arp_down;
9834         struct iocblk *iocp;
9835 
9836         iocp = (mp != NULL) ? (struct iocblk *)mp->b_rptr : NULL;
9837 
9838         ip1dbg(("ip_sioctl_addr_tail(%s:%u %p)\n",
9839             ill->ill_name, ipif->ipif_id, (void *)ipif));
9840         ASSERT(IAM_WRITER_IPIF(ipif));
9841 
9842         /* Must cancel any pending timer before taking the ill_lock */
9843         if (ipif->ipif_recovery_id != 0)
9844                 (void) untimeout(ipif->ipif_recovery_id);
9845         ipif->ipif_recovery_id = 0;
9846 
9847         if (ipif->ipif_isv6) {
9848                 sin6 = (sin6_t *)sin;
9849                 v6addr = sin6->sin6_addr;
9850                 sinlen = sizeof (struct sockaddr_in6);
9851         } else {
9852                 addr = sin->sin_addr.s_addr;
9853                 IN6_IPADDR_TO_V4MAPPED(addr, &v6addr);
9854                 sinlen = sizeof (struct sockaddr_in);
9855         }
9856         mutex_enter(&ill->ill_lock);
9857         ov6addr = ipif->ipif_v6lcl_addr;
9858         ipif->ipif_v6lcl_addr = v6addr;
9859         sctp_update_ipif_addr(ipif, ov6addr);
9860         ipif->ipif_addr_ready = 0;
9861 
9862         ip_rts_newaddrmsg(RTM_CHGADDR, 0, ipif, RTSQ_DEFAULT);
9863 
9864         /*
9865          * If the interface was previously marked as a duplicate, then since
9866          * we've now got a "new" address, it should no longer be considered a
9867          * duplicate -- even if the "new" address is the same as the old one.
9868          * Note that if all ipifs are down, we may have a pending ARP down
9869          * event to handle.  This is because we want to recover from duplicates
9870          * and thus delay tearing down ARP until the duplicates have been
9871          * removed or disabled.
9872          */
9873         need_dl_down = need_arp_down = B_FALSE;
9874         if (ipif->ipif_flags & IPIF_DUPLICATE) {
9875                 need_arp_down = !need_up;
9876                 ipif->ipif_flags &= ~IPIF_DUPLICATE;
9877                 if (--ill->ill_ipif_dup_count == 0 && !need_up &&
9878                     ill->ill_ipif_up_count == 0 && ill->ill_dl_up) {
9879                         need_dl_down = B_TRUE;
9880                 }
9881         }
9882 
9883         ipif_set_default(ipif);
9884 
9885         /*
9886          * If we've just manually set the IPv6 link-local address (0th ipif),
9887          * tag the ill so that future updates to the interface ID don't result
9888          * in this address getting automatically reconfigured from under the
9889          * administrator.
9890          */
9891         if (ipif->ipif_isv6 && ipif->ipif_id == 0) {
9892                 if (iocp == NULL || (iocp->ioc_cmd == SIOCSLIFADDR &&
9893                     !IN6_IS_ADDR_UNSPECIFIED(&v6addr)))
9894                         ill->ill_manual_linklocal = 1;
9895         }
9896 
9897         /*
9898          * When publishing an interface address change event, we only notify
9899          * the event listeners of the new address.  It is assumed that if they
9900          * actively care about the addresses assigned that they will have
9901          * already discovered the previous address assigned (if there was one.)
9902          *
9903          * Don't attach nic event message for SIOCLIFADDIF ioctl.
9904          */
9905         if (iocp != NULL && iocp->ioc_cmd != SIOCLIFADDIF) {
9906                 ill_nic_event_dispatch(ill, MAP_IPIF_ID(ipif->ipif_id),
9907                     NE_ADDRESS_CHANGE, sin, sinlen);
9908         }
9909 
9910         mutex_exit(&ill->ill_lock);
9911 
9912         if (need_up) {
9913                 /*
9914                  * Now bring the interface back up.  If this
9915                  * is the only IPIF for the ILL, ipif_up
9916                  * will have to re-bind to the device, so
9917                  * we may get back EINPROGRESS, in which
9918                  * case, this IOCTL will get completed in
9919                  * ip_rput_dlpi when we see the DL_BIND_ACK.
9920                  */
9921                 err = ipif_up(ipif, q, mp);
9922         } else {
9923                 /* Perhaps ilgs should use this ill */
9924                 update_conn_ill(NULL, ill->ill_ipst);
9925         }
9926 
9927         if (need_dl_down)
9928                 ill_dl_down(ill);
9929 
9930         if (need_arp_down && !ill->ill_isv6)
9931                 (void) ipif_arp_down(ipif);
9932 
9933         /*
9934          * The default multicast interface might have changed (for
9935          * instance if the IPv6 scope of the address changed)
9936          */
9937         ire_increment_multicast_generation(ill->ill_ipst, ill->ill_isv6);
9938 
9939         return (err);
9940 }
9941 
9942 /*
9943  * Restart entry point to restart the address set operation after the
9944  * refcounts have dropped to zero.
9945  */
9946 /* ARGSUSED */
9947 int
9948 ip_sioctl_addr_restart(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
9949     ip_ioctl_cmd_t *ipip, void *ifreq)
9950 {
9951         ip1dbg(("ip_sioctl_addr_restart(%s:%u %p)\n",
9952             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
9953         ASSERT(IAM_WRITER_IPIF(ipif));
9954         (void) ipif_down_tail(ipif);
9955         return (ip_sioctl_addr_tail(ipif, sin, q, mp, B_TRUE));
9956 }
9957 
9958 /* ARGSUSED */
9959 int
9960 ip_sioctl_get_addr(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
9961     ip_ioctl_cmd_t *ipip, void *if_req)
9962 {
9963         sin6_t *sin6 = (struct sockaddr_in6 *)sin;
9964         struct lifreq *lifr = (struct lifreq *)if_req;
9965 
9966         ip1dbg(("ip_sioctl_get_addr(%s:%u %p)\n",
9967             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
9968         /*
9969          * The net mask and address can't change since we have a
9970          * reference to the ipif. So no lock is necessary.
9971          */
9972         if (ipif->ipif_isv6) {
9973                 *sin6 = sin6_null;
9974                 sin6->sin6_family = AF_INET6;
9975                 sin6->sin6_addr = ipif->ipif_v6lcl_addr;
9976                 ASSERT(ipip->ipi_cmd_type == LIF_CMD);
9977                 lifr->lifr_addrlen =
9978                     ip_mask_to_plen_v6(&ipif->ipif_v6net_mask);
9979         } else {
9980                 *sin = sin_null;
9981                 sin->sin_family = AF_INET;
9982                 sin->sin_addr.s_addr = ipif->ipif_lcl_addr;
9983                 if (ipip->ipi_cmd_type == LIF_CMD) {
9984                         lifr->lifr_addrlen =
9985                             ip_mask_to_plen(ipif->ipif_net_mask);
9986                 }
9987         }
9988         return (0);
9989 }
9990 
9991 /*
9992  * Set the destination address for a pt-pt interface.
9993  */
9994 /* ARGSUSED */
9995 int
9996 ip_sioctl_dstaddr(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
9997     ip_ioctl_cmd_t *ipip, void *if_req)
9998 {
9999         int err = 0;
10000         in6_addr_t v6addr;
10001         boolean_t need_up = B_FALSE;
10002 
10003         ip1dbg(("ip_sioctl_dstaddr(%s:%u %p)\n",
10004             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
10005         ASSERT(IAM_WRITER_IPIF(ipif));
10006 
10007         if (ipif->ipif_isv6) {
10008                 sin6_t *sin6;
10009 
10010                 if (sin->sin_family != AF_INET6)
10011                         return (EAFNOSUPPORT);
10012 
10013                 sin6 = (sin6_t *)sin;
10014                 v6addr = sin6->sin6_addr;
10015 
10016                 if (!ip_remote_addr_ok_v6(&v6addr, &ipif->ipif_v6net_mask))
10017                         return (EADDRNOTAVAIL);
10018         } else {
10019                 ipaddr_t addr;
10020 
10021                 if (sin->sin_family != AF_INET)
10022                         return (EAFNOSUPPORT);
10023 
10024                 addr = sin->sin_addr.s_addr;
10025                 if (addr != INADDR_ANY &&
10026                     !ip_addr_ok_v4(addr, ipif->ipif_net_mask)) {
10027                         return (EADDRNOTAVAIL);
10028                 }
10029 
10030                 IN6_IPADDR_TO_V4MAPPED(addr, &v6addr);
10031         }
10032 
10033         if (IN6_ARE_ADDR_EQUAL(&ipif->ipif_v6pp_dst_addr, &v6addr))
10034                 return (0);     /* No change */
10035 
10036         if (ipif->ipif_flags & IPIF_UP) {
10037                 /*
10038                  * If the interface is already marked up,
10039                  * we call ipif_down which will take care
10040                  * of ditching any IREs that have been set
10041                  * up based on the old pp dst address.
10042                  */
10043                 err = ipif_logical_down(ipif, q, mp);
10044                 if (err == EINPROGRESS)
10045                         return (err);
10046                 (void) ipif_down_tail(ipif);
10047                 need_up = B_TRUE;
10048         }
10049         /*
10050          * could return EINPROGRESS. If so ioctl will complete in
10051          * ip_rput_dlpi_writer
10052          */
10053         err = ip_sioctl_dstaddr_tail(ipif, sin, q, mp, need_up);
10054         return (err);
10055 }
10056 
10057 static int
10058 ip_sioctl_dstaddr_tail(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
10059     boolean_t need_up)
10060 {
10061         in6_addr_t v6addr;
10062         ill_t   *ill = ipif->ipif_ill;
10063         int     err = 0;
10064         boolean_t need_dl_down;
10065         boolean_t need_arp_down;
10066 
10067         ip1dbg(("ip_sioctl_dstaddr_tail(%s:%u %p)\n", ill->ill_name,
10068             ipif->ipif_id, (void *)ipif));
10069 
10070         /* Must cancel any pending timer before taking the ill_lock */
10071         if (ipif->ipif_recovery_id != 0)
10072                 (void) untimeout(ipif->ipif_recovery_id);
10073         ipif->ipif_recovery_id = 0;
10074 
10075         if (ipif->ipif_isv6) {
10076                 sin6_t *sin6;
10077 
10078                 sin6 = (sin6_t *)sin;
10079                 v6addr = sin6->sin6_addr;
10080         } else {
10081                 ipaddr_t addr;
10082 
10083                 addr = sin->sin_addr.s_addr;
10084                 IN6_IPADDR_TO_V4MAPPED(addr, &v6addr);
10085         }
10086         mutex_enter(&ill->ill_lock);
10087         /* Set point to point destination address. */
10088         if ((ipif->ipif_flags & IPIF_POINTOPOINT) == 0) {
10089                 /*
10090                  * Allow this as a means of creating logical
10091                  * pt-pt interfaces on top of e.g. an Ethernet.
10092                  * XXX Undocumented HACK for testing.
10093                  * pt-pt interfaces are created with NUD disabled.
10094                  */
10095                 ipif->ipif_flags |= IPIF_POINTOPOINT;
10096                 ipif->ipif_flags &= ~IPIF_BROADCAST;
10097                 if (ipif->ipif_isv6)
10098                         ill->ill_flags |= ILLF_NONUD;
10099         }
10100 
10101         /*
10102          * If the interface was previously marked as a duplicate, then since
10103          * we've now got a "new" address, it should no longer be considered a
10104          * duplicate -- even if the "new" address is the same as the old one.
10105          * Note that if all ipifs are down, we may have a pending ARP down
10106          * event to handle.
10107          */
10108         need_dl_down = need_arp_down = B_FALSE;
10109         if (ipif->ipif_flags & IPIF_DUPLICATE) {
10110                 need_arp_down = !need_up;
10111                 ipif->ipif_flags &= ~IPIF_DUPLICATE;
10112                 if (--ill->ill_ipif_dup_count == 0 && !need_up &&
10113                     ill->ill_ipif_up_count == 0 && ill->ill_dl_up) {
10114                         need_dl_down = B_TRUE;
10115                 }
10116         }
10117 
10118         /*
10119          * If we've just manually set the IPv6 destination link-local address
10120          * (0th ipif), tag the ill so that future updates to the destination
10121          * interface ID (as can happen with interfaces over IP tunnels) don't
10122          * result in this address getting automatically reconfigured from
10123          * under the administrator.
10124          */
10125         if (ipif->ipif_isv6 && ipif->ipif_id == 0)
10126                 ill->ill_manual_dst_linklocal = 1;
10127 
10128         /* Set the new address. */
10129         ipif->ipif_v6pp_dst_addr = v6addr;
10130         /* Make sure subnet tracks pp_dst */
10131         ipif->ipif_v6subnet = ipif->ipif_v6pp_dst_addr;
10132         mutex_exit(&ill->ill_lock);
10133 
10134         if (need_up) {
10135                 /*
10136                  * Now bring the interface back up.  If this
10137                  * is the only IPIF for the ILL, ipif_up
10138                  * will have to re-bind to the device, so
10139                  * we may get back EINPROGRESS, in which
10140                  * case, this IOCTL will get completed in
10141                  * ip_rput_dlpi when we see the DL_BIND_ACK.
10142                  */
10143                 err = ipif_up(ipif, q, mp);
10144         }
10145 
10146         if (need_dl_down)
10147                 ill_dl_down(ill);
10148         if (need_arp_down && !ipif->ipif_isv6)
10149                 (void) ipif_arp_down(ipif);
10150 
10151         return (err);
10152 }
10153 
10154 /*
10155  * Restart entry point to restart the dstaddress set operation after the
10156  * refcounts have dropped to zero.
10157  */
10158 /* ARGSUSED */
10159 int
10160 ip_sioctl_dstaddr_restart(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
10161     ip_ioctl_cmd_t *ipip, void *ifreq)
10162 {
10163         ip1dbg(("ip_sioctl_dstaddr_restart(%s:%u %p)\n",
10164             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
10165         (void) ipif_down_tail(ipif);
10166         return (ip_sioctl_dstaddr_tail(ipif, sin, q, mp, B_TRUE));
10167 }
10168 
10169 /* ARGSUSED */
10170 int
10171 ip_sioctl_get_dstaddr(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
10172     ip_ioctl_cmd_t *ipip, void *if_req)
10173 {
10174         sin6_t  *sin6 = (struct sockaddr_in6 *)sin;
10175 
10176         ip1dbg(("ip_sioctl_get_dstaddr(%s:%u %p)\n",
10177             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
10178         /*
10179          * Get point to point destination address. The addresses can't
10180          * change since we hold a reference to the ipif.
10181          */
10182         if ((ipif->ipif_flags & IPIF_POINTOPOINT) == 0)
10183                 return (EADDRNOTAVAIL);
10184 
10185         if (ipif->ipif_isv6) {
10186                 ASSERT(ipip->ipi_cmd_type == LIF_CMD);
10187                 *sin6 = sin6_null;
10188                 sin6->sin6_family = AF_INET6;
10189                 sin6->sin6_addr = ipif->ipif_v6pp_dst_addr;
10190         } else {
10191                 *sin = sin_null;
10192                 sin->sin_family = AF_INET;
10193                 sin->sin_addr.s_addr = ipif->ipif_pp_dst_addr;
10194         }
10195         return (0);
10196 }
10197 
10198 /*
10199  * Check which flags will change by the given flags being set
10200  * silently ignore flags which userland is not allowed to control.
10201  * (Because these flags may change between SIOCGLIFFLAGS and
10202  * SIOCSLIFFLAGS, and that's outside of userland's control,
10203  * we need to silently ignore them rather than fail.)
10204  */
10205 static void
10206 ip_sioctl_flags_onoff(ipif_t *ipif, uint64_t flags, uint64_t *onp,
10207     uint64_t *offp)
10208 {
10209         ill_t           *ill = ipif->ipif_ill;
10210         phyint_t        *phyi = ill->ill_phyint;
10211         uint64_t        cantchange_flags, intf_flags;
10212         uint64_t        turn_on, turn_off;
10213 
10214         intf_flags = ipif->ipif_flags | ill->ill_flags | phyi->phyint_flags;
10215         cantchange_flags = IFF_CANTCHANGE;
10216         if (IS_IPMP(ill))
10217                 cantchange_flags |= IFF_IPMP_CANTCHANGE;
10218         turn_on = (flags ^ intf_flags) & ~cantchange_flags;
10219         turn_off = intf_flags & turn_on;
10220         turn_on ^= turn_off;
10221         *onp = turn_on;
10222         *offp = turn_off;
10223 }
10224 
10225 /*
10226  * Set interface flags.  Many flags require special handling (e.g.,
10227  * bringing the interface down); see below for details.
10228  *
10229  * NOTE : We really don't enforce that ipif_id zero should be used
10230  *        for setting any flags other than IFF_LOGINT_FLAGS. This
10231  *        is because applications generally does SICGLIFFLAGS and
10232  *        ORs in the new flags (that affects the logical) and does a
10233  *        SIOCSLIFFLAGS. Thus, "flags" below could contain bits other
10234  *        than IFF_LOGINT_FLAGS. One could check whether "turn_on" - the
10235  *        flags that will be turned on is correct with respect to
10236  *        ipif_id 0. For backward compatibility reasons, it is not done.
10237  */
10238 /* ARGSUSED */
10239 int
10240 ip_sioctl_flags(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
10241     ip_ioctl_cmd_t *ipip, void *if_req)
10242 {
10243         uint64_t turn_on;
10244         uint64_t turn_off;
10245         int     err = 0;
10246         phyint_t *phyi;
10247         ill_t *ill;
10248         conn_t *connp;
10249         uint64_t intf_flags;
10250         boolean_t phyint_flags_modified = B_FALSE;
10251         uint64_t flags;
10252         struct ifreq *ifr;
10253         struct lifreq *lifr;
10254         boolean_t set_linklocal = B_FALSE;
10255 
10256         ip1dbg(("ip_sioctl_flags(%s:%u %p)\n",
10257             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
10258 
10259         ASSERT(IAM_WRITER_IPIF(ipif));
10260 
10261         ill = ipif->ipif_ill;
10262         phyi = ill->ill_phyint;
10263 
10264         if (ipip->ipi_cmd_type == IF_CMD) {
10265                 ifr = (struct ifreq *)if_req;
10266                 flags =  (uint64_t)(ifr->ifr_flags & 0x0000ffff);
10267         } else {
10268                 lifr = (struct lifreq *)if_req;
10269                 flags = lifr->lifr_flags;
10270         }
10271 
10272         intf_flags = ipif->ipif_flags | ill->ill_flags | phyi->phyint_flags;
10273 
10274         /*
10275          * Have the flags been set correctly until now?
10276          */
10277         ASSERT((phyi->phyint_flags & ~(IFF_PHYINT_FLAGS)) == 0);
10278         ASSERT((ill->ill_flags & ~(IFF_PHYINTINST_FLAGS)) == 0);
10279         ASSERT((ipif->ipif_flags & ~(IFF_LOGINT_FLAGS)) == 0);
10280         /*
10281          * Compare the new flags to the old, and partition
10282          * into those coming on and those going off.
10283          * For the 16 bit command keep the bits above bit 16 unchanged.
10284          */
10285         if (ipip->ipi_cmd == SIOCSIFFLAGS)
10286                 flags |= intf_flags & ~0xFFFF;
10287 
10288         /*
10289          * Explicitly fail attempts to change flags that are always invalid on
10290          * an IPMP meta-interface.
10291          */
10292         if (IS_IPMP(ill) && ((flags ^ intf_flags) & IFF_IPMP_INVALID))
10293                 return (EINVAL);
10294 
10295         ip_sioctl_flags_onoff(ipif, flags, &turn_on, &turn_off);
10296         if ((turn_on|turn_off) == 0)
10297                 return (0);     /* No change */
10298 
10299         /*
10300          * All test addresses must be IFF_DEPRECATED (to ensure source address
10301          * selection avoids them) -- so force IFF_DEPRECATED on, and do not
10302          * allow it to be turned off.
10303          */
10304         if ((turn_off & (IFF_DEPRECATED|IFF_NOFAILOVER)) == IFF_DEPRECATED &&
10305             (turn_on|intf_flags) & IFF_NOFAILOVER)
10306                 return (EINVAL);
10307 
10308         if ((connp = Q_TO_CONN(q)) == NULL)
10309                 return (EINVAL);
10310 
10311         /*
10312          * Only vrrp control socket is allowed to change IFF_UP and
10313          * IFF_NOACCEPT flags when IFF_VRRP is set.
10314          */
10315         if ((intf_flags & IFF_VRRP) && ((turn_off | turn_on) & IFF_UP)) {
10316                 if (!connp->conn_isvrrp)
10317                         return (EINVAL);
10318         }
10319 
10320         /*
10321          * The IFF_NOACCEPT flag can only be set on an IFF_VRRP IP address by
10322          * VRRP control socket.
10323          */
10324         if ((turn_off | turn_on) & IFF_NOACCEPT) {
10325                 if (!connp->conn_isvrrp || !(intf_flags & IFF_VRRP))
10326                         return (EINVAL);
10327         }
10328 
10329         if (turn_on & IFF_NOFAILOVER) {
10330                 turn_on |= IFF_DEPRECATED;
10331                 flags |= IFF_DEPRECATED;
10332         }
10333 
10334         /*
10335          * On underlying interfaces, only allow applications to manage test
10336          * addresses -- otherwise, they may get confused when the address
10337          * moves as part of being brought up.  Likewise, prevent an
10338          * application-managed test address from being converted to a data
10339          * address.  To prevent migration of administratively up addresses in
10340          * the kernel, we don't allow them to be converted either.
10341          */
10342         if (IS_UNDER_IPMP(ill)) {
10343                 const uint64_t appflags = IFF_DHCPRUNNING | IFF_ADDRCONF;
10344 
10345                 if ((turn_on & appflags) && !(flags & IFF_NOFAILOVER))
10346                         return (EINVAL);
10347 
10348                 if ((turn_off & IFF_NOFAILOVER) &&
10349                     (flags & (appflags | IFF_UP | IFF_DUPLICATE)))
10350                         return (EINVAL);
10351         }
10352 
10353         /*
10354          * Only allow IFF_TEMPORARY flag to be set on
10355          * IPv6 interfaces.
10356          */
10357         if ((turn_on & IFF_TEMPORARY) && !(ipif->ipif_isv6))
10358                 return (EINVAL);
10359 
10360         /*
10361          * cannot turn off IFF_NOXMIT on  VNI interfaces.
10362          */
10363         if ((turn_off & IFF_NOXMIT) && IS_VNI(ipif->ipif_ill))
10364                 return (EINVAL);
10365 
10366         /*
10367          * Don't allow the IFF_ROUTER flag to be turned on on loopback
10368          * interfaces.  It makes no sense in that context.
10369          */
10370         if ((turn_on & IFF_ROUTER) && (phyi->phyint_flags & PHYI_LOOPBACK))
10371                 return (EINVAL);
10372 
10373         /*
10374          * For IPv6 ipif_id 0, don't allow the interface to be up without
10375          * a link local address if IFF_NOLOCAL or IFF_ANYCAST are not set.
10376          * If the link local address isn't set, and can be set, it will get
10377          * set later on in this function.
10378          */
10379         if (ipif->ipif_id == 0 && ipif->ipif_isv6 &&
10380             (flags & IFF_UP) && !(flags & (IFF_NOLOCAL|IFF_ANYCAST)) &&
10381             IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6lcl_addr)) {
10382                 if (ipif_cant_setlinklocal(ipif))
10383                         return (EINVAL);
10384                 set_linklocal = B_TRUE;
10385         }
10386 
10387         /*
10388          * If we modify physical interface flags, we'll potentially need to
10389          * send up two routing socket messages for the changes (one for the
10390          * IPv4 ill, and another for the IPv6 ill).  Note that here.
10391          */
10392         if ((turn_on|turn_off) & IFF_PHYINT_FLAGS)
10393                 phyint_flags_modified = B_TRUE;
10394 
10395         /*
10396          * All functioning PHYI_STANDBY interfaces start life PHYI_INACTIVE
10397          * (otherwise, we'd immediately use them, defeating standby).  Also,
10398          * since PHYI_INACTIVE has a separate meaning when PHYI_STANDBY is not
10399          * set, don't allow PHYI_STANDBY to be set if PHYI_INACTIVE is already
10400          * set, and clear PHYI_INACTIVE if PHYI_STANDBY is being cleared.  We
10401          * also don't allow PHYI_STANDBY if VNI is enabled since its semantics
10402          * will not be honored.
10403          */
10404         if (turn_on & PHYI_STANDBY) {
10405                 /*
10406                  * No need to grab ill_g_usesrc_lock here; see the
10407                  * synchronization notes in ip.c.
10408                  */
10409                 if (ill->ill_usesrc_grp_next != NULL ||
10410                     intf_flags & PHYI_INACTIVE)
10411                         return (EINVAL);
10412                 if (!(flags & PHYI_FAILED)) {
10413                         flags |= PHYI_INACTIVE;
10414                         turn_on |= PHYI_INACTIVE;
10415                 }
10416         }
10417 
10418         if (turn_off & PHYI_STANDBY) {
10419                 flags &= ~PHYI_INACTIVE;
10420                 turn_off |= PHYI_INACTIVE;
10421         }
10422 
10423         /*
10424          * PHYI_FAILED and PHYI_INACTIVE are mutually exclusive; fail if both
10425          * would end up on.
10426          */
10427         if ((flags & (PHYI_FAILED | PHYI_INACTIVE)) ==
10428             (PHYI_FAILED | PHYI_INACTIVE))
10429                 return (EINVAL);
10430 
10431         /*
10432          * If ILLF_ROUTER changes, we need to change the ip forwarding
10433          * status of the interface.
10434          */
10435         if ((turn_on | turn_off) & ILLF_ROUTER) {
10436                 err = ill_forward_set(ill, ((turn_on & ILLF_ROUTER) != 0));
10437                 if (err != 0)
10438                         return (err);
10439         }
10440 
10441         /*
10442          * If the interface is not UP and we are not going to
10443          * bring it UP, record the flags and return. When the
10444          * interface comes UP later, the right actions will be
10445          * taken.
10446          */
10447         if (!(ipif->ipif_flags & IPIF_UP) &&
10448             !(turn_on & IPIF_UP)) {
10449                 /* Record new flags in their respective places. */
10450                 mutex_enter(&ill->ill_lock);
10451                 mutex_enter(&ill->ill_phyint->phyint_lock);
10452                 ipif->ipif_flags |= (turn_on & IFF_LOGINT_FLAGS);
10453                 ipif->ipif_flags &= (~turn_off & IFF_LOGINT_FLAGS);
10454                 ill->ill_flags |= (turn_on & IFF_PHYINTINST_FLAGS);
10455                 ill->ill_flags &= (~turn_off & IFF_PHYINTINST_FLAGS);
10456                 phyi->phyint_flags |= (turn_on & IFF_PHYINT_FLAGS);
10457                 phyi->phyint_flags &= (~turn_off & IFF_PHYINT_FLAGS);
10458                 mutex_exit(&ill->ill_lock);
10459                 mutex_exit(&ill->ill_phyint->phyint_lock);
10460 
10461                 /*
10462                  * PHYI_FAILED, PHYI_INACTIVE, and PHYI_OFFLINE are all the
10463                  * same to the kernel: if any of them has been set by
10464                  * userland, the interface cannot be used for data traffic.
10465                  */
10466                 if ((turn_on|turn_off) &
10467                     (PHYI_FAILED | PHYI_INACTIVE | PHYI_OFFLINE)) {
10468                         ASSERT(!IS_IPMP(ill));
10469                         /*
10470                          * It's possible the ill is part of an "anonymous"
10471                          * IPMP group rather than a real group.  In that case,
10472                          * there are no other interfaces in the group and thus
10473                          * no need to call ipmp_phyint_refresh_active().
10474                          */
10475                         if (IS_UNDER_IPMP(ill))
10476                                 ipmp_phyint_refresh_active(phyi);
10477                 }
10478 
10479                 if (phyint_flags_modified) {
10480                         if (phyi->phyint_illv4 != NULL) {
10481                                 ip_rts_ifmsg(phyi->phyint_illv4->
10482                                     ill_ipif, RTSQ_DEFAULT);
10483                         }
10484                         if (phyi->phyint_illv6 != NULL) {
10485                                 ip_rts_ifmsg(phyi->phyint_illv6->
10486                                     ill_ipif, RTSQ_DEFAULT);
10487                         }
10488                 }
10489                 /* The default multicast interface might have changed */
10490                 ire_increment_multicast_generation(ill->ill_ipst,
10491                     ill->ill_isv6);
10492 
10493                 return (0);
10494         } else if (set_linklocal) {
10495                 mutex_enter(&ill->ill_lock);
10496                 if (set_linklocal)
10497                         ipif->ipif_state_flags |= IPIF_SET_LINKLOCAL;
10498                 mutex_exit(&ill->ill_lock);
10499         }
10500 
10501         /*
10502          * Disallow IPv6 interfaces coming up that have the unspecified address,
10503          * or point-to-point interfaces with an unspecified destination. We do
10504          * allow the address to be unspecified for IPIF_NOLOCAL interfaces that
10505          * have a subnet assigned, which is how in.ndpd currently manages its
10506          * onlink prefix list when no addresses are configured with those
10507          * prefixes.
10508          */
10509         if (ipif->ipif_isv6 &&
10510             ((IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6lcl_addr) &&
10511             (!(ipif->ipif_flags & IPIF_NOLOCAL) && !(turn_on & IPIF_NOLOCAL) ||
10512             IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6subnet))) ||
10513             ((ipif->ipif_flags & IPIF_POINTOPOINT) &&
10514             IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6pp_dst_addr)))) {
10515                 return (EINVAL);
10516         }
10517 
10518         /*
10519          * Prevent IPv4 point-to-point interfaces with a 0.0.0.0 destination
10520          * from being brought up.
10521          */
10522         if (!ipif->ipif_isv6 &&
10523             ((ipif->ipif_flags & IPIF_POINTOPOINT) &&
10524             ipif->ipif_pp_dst_addr == INADDR_ANY)) {
10525                 return (EINVAL);
10526         }
10527 
10528         /*
10529          * If we are going to change one or more of the flags that are
10530          * IPIF_UP, IPIF_DEPRECATED, IPIF_NOXMIT, IPIF_NOLOCAL, ILLF_NOARP,
10531          * ILLF_NONUD, IPIF_PRIVATE, IPIF_ANYCAST, IPIF_PREFERRED, and
10532          * IPIF_NOFAILOVER, we will take special action.  This is
10533          * done by bring the ipif down, changing the flags and bringing
10534          * it back up again.  For IPIF_NOFAILOVER, the act of bringing it
10535          * back up will trigger the address to be moved.
10536          *
10537          * If we are going to change IFF_NOACCEPT, we need to bring
10538          * all the ipifs down then bring them up again.  The act of
10539          * bringing all the ipifs back up will trigger the local
10540          * ires being recreated with "no_accept" set/cleared.
10541          *
10542          * Note that ILLF_NOACCEPT is always set separately from the
10543          * other flags.
10544          */
10545         if ((turn_on|turn_off) &
10546             (IPIF_UP|IPIF_DEPRECATED|IPIF_NOXMIT|IPIF_NOLOCAL|ILLF_NOARP|
10547             ILLF_NONUD|IPIF_PRIVATE|IPIF_ANYCAST|IPIF_PREFERRED|
10548             IPIF_NOFAILOVER)) {
10549                 /*
10550                  * ipif_down() will ire_delete bcast ire's for the subnet,
10551                  * while the ire_identical_ref tracks the case of IRE_BROADCAST
10552                  * entries shared between multiple ipifs on the same subnet.
10553                  */
10554                 if (((ipif->ipif_flags | turn_on) & IPIF_UP) &&
10555                     !(turn_off & IPIF_UP)) {
10556                         if (ipif->ipif_flags & IPIF_UP)
10557                                 ill->ill_logical_down = 1;
10558                         turn_on &= ~IPIF_UP;
10559                 }
10560                 err = ipif_down(ipif, q, mp);
10561                 ip1dbg(("ipif_down returns %d err ", err));
10562                 if (err == EINPROGRESS)
10563                         return (err);
10564                 (void) ipif_down_tail(ipif);
10565         } else if ((turn_on|turn_off) & ILLF_NOACCEPT) {
10566                 /*
10567                  * If we can quiesce the ill, then continue.  If not, then
10568                  * ip_sioctl_flags_tail() will be called from
10569                  * ipif_ill_refrele_tail().
10570                  */
10571                 ill_down_ipifs(ill, B_TRUE);
10572 
10573                 mutex_enter(&connp->conn_lock);
10574                 mutex_enter(&ill->ill_lock);
10575                 if (!ill_is_quiescent(ill)) {
10576                         boolean_t success;
10577 
10578                         success = ipsq_pending_mp_add(connp, ill->ill_ipif,
10579                             q, mp, ILL_DOWN);
10580                         mutex_exit(&ill->ill_lock);
10581                         mutex_exit(&connp->conn_lock);
10582                         return (success ? EINPROGRESS : EINTR);
10583                 }
10584                 mutex_exit(&ill->ill_lock);
10585                 mutex_exit(&connp->conn_lock);
10586         }
10587         return (ip_sioctl_flags_tail(ipif, flags, q, mp));
10588 }
10589 
10590 static int
10591 ip_sioctl_flags_tail(ipif_t *ipif, uint64_t flags, queue_t *q, mblk_t *mp)
10592 {
10593         ill_t   *ill;
10594         phyint_t *phyi;
10595         uint64_t turn_on, turn_off;
10596         boolean_t phyint_flags_modified = B_FALSE;
10597         int     err = 0;
10598         boolean_t set_linklocal = B_FALSE;
10599 
10600         ip1dbg(("ip_sioctl_flags_tail(%s:%u)\n",
10601             ipif->ipif_ill->ill_name, ipif->ipif_id));
10602 
10603         ASSERT(IAM_WRITER_IPIF(ipif));
10604 
10605         ill = ipif->ipif_ill;
10606         phyi = ill->ill_phyint;
10607 
10608         ip_sioctl_flags_onoff(ipif, flags, &turn_on, &turn_off);
10609 
10610         /*
10611          * IFF_UP is handled separately.
10612          */
10613         turn_on &= ~IFF_UP;
10614         turn_off &= ~IFF_UP;
10615 
10616         if ((turn_on|turn_off) & IFF_PHYINT_FLAGS)
10617                 phyint_flags_modified = B_TRUE;
10618 
10619         /*
10620          * Now we change the flags. Track current value of
10621          * other flags in their respective places.
10622          */
10623         mutex_enter(&ill->ill_lock);
10624         mutex_enter(&phyi->phyint_lock);
10625         ipif->ipif_flags |= (turn_on & IFF_LOGINT_FLAGS);
10626         ipif->ipif_flags &= (~turn_off & IFF_LOGINT_FLAGS);
10627         ill->ill_flags |= (turn_on & IFF_PHYINTINST_FLAGS);
10628         ill->ill_flags &= (~turn_off & IFF_PHYINTINST_FLAGS);
10629         phyi->phyint_flags |= (turn_on & IFF_PHYINT_FLAGS);
10630         phyi->phyint_flags &= (~turn_off & IFF_PHYINT_FLAGS);
10631         if (ipif->ipif_state_flags & IPIF_SET_LINKLOCAL) {
10632                 set_linklocal = B_TRUE;
10633                 ipif->ipif_state_flags &= ~IPIF_SET_LINKLOCAL;
10634         }
10635 
10636         mutex_exit(&ill->ill_lock);
10637         mutex_exit(&phyi->phyint_lock);
10638 
10639         if (set_linklocal)
10640                 (void) ipif_setlinklocal(ipif);
10641 
10642         /*
10643          * PHYI_FAILED, PHYI_INACTIVE, and PHYI_OFFLINE are all the same to
10644          * the kernel: if any of them has been set by userland, the interface
10645          * cannot be used for data traffic.
10646          */
10647         if ((turn_on|turn_off) & (PHYI_FAILED | PHYI_INACTIVE | PHYI_OFFLINE)) {
10648                 ASSERT(!IS_IPMP(ill));
10649                 /*
10650                  * It's possible the ill is part of an "anonymous" IPMP group
10651                  * rather than a real group.  In that case, there are no other
10652                  * interfaces in the group and thus no need for us to call
10653                  * ipmp_phyint_refresh_active().
10654                  */
10655                 if (IS_UNDER_IPMP(ill))
10656                         ipmp_phyint_refresh_active(phyi);
10657         }
10658 
10659         if ((turn_on|turn_off) & ILLF_NOACCEPT) {
10660                 /*
10661                  * If the ILLF_NOACCEPT flag is changed, bring up all the
10662                  * ipifs that were brought down.
10663                  *
10664                  * The routing sockets messages are sent as the result
10665                  * of ill_up_ipifs(), further, SCTP's IPIF list was updated
10666                  * as well.
10667                  */
10668                 err = ill_up_ipifs(ill, q, mp);
10669         } else if ((flags & IFF_UP) && !(ipif->ipif_flags & IPIF_UP)) {
10670                 /*
10671                  * XXX ipif_up really does not know whether a phyint flags
10672                  * was modified or not. So, it sends up information on
10673                  * only one routing sockets message. As we don't bring up
10674                  * the interface and also set PHYI_ flags simultaneously
10675                  * it should be okay.
10676                  */
10677                 err = ipif_up(ipif, q, mp);
10678         } else {
10679                 /*
10680                  * Make sure routing socket sees all changes to the flags.
10681                  * ipif_up_done* handles this when we use ipif_up.
10682                  */
10683                 if (phyint_flags_modified) {
10684                         if (phyi->phyint_illv4 != NULL) {
10685                                 ip_rts_ifmsg(phyi->phyint_illv4->
10686                                     ill_ipif, RTSQ_DEFAULT);
10687                         }
10688                         if (phyi->phyint_illv6 != NULL) {
10689                                 ip_rts_ifmsg(phyi->phyint_illv6->
10690                                     ill_ipif, RTSQ_DEFAULT);
10691                         }
10692                 } else {
10693                         ip_rts_ifmsg(ipif, RTSQ_DEFAULT);
10694                 }
10695                 /*
10696                  * Update the flags in SCTP's IPIF list, ipif_up() will do
10697                  * this in need_up case.
10698                  */
10699                 sctp_update_ipif(ipif, SCTP_IPIF_UPDATE);
10700         }
10701 
10702         /* The default multicast interface might have changed */
10703         ire_increment_multicast_generation(ill->ill_ipst, ill->ill_isv6);
10704         return (err);
10705 }
10706 
10707 /*
10708  * Restart the flags operation now that the refcounts have dropped to zero.
10709  */
10710 /* ARGSUSED */
10711 int
10712 ip_sioctl_flags_restart(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
10713     ip_ioctl_cmd_t *ipip, void *if_req)
10714 {
10715         uint64_t flags;
10716         struct ifreq *ifr = if_req;
10717         struct lifreq *lifr = if_req;
10718         uint64_t turn_on, turn_off;
10719 
10720         ip1dbg(("ip_sioctl_flags_restart(%s:%u %p)\n",
10721             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
10722 
10723         if (ipip->ipi_cmd_type == IF_CMD) {
10724                 /* cast to uint16_t prevents unwanted sign extension */
10725                 flags = (uint16_t)ifr->ifr_flags;
10726         } else {
10727                 flags = lifr->lifr_flags;
10728         }
10729 
10730         /*
10731          * If this function call is a result of the ILLF_NOACCEPT flag
10732          * change, do not call ipif_down_tail(). See ip_sioctl_flags().
10733          */
10734         ip_sioctl_flags_onoff(ipif, flags, &turn_on, &turn_off);
10735         if (!((turn_on|turn_off) & ILLF_NOACCEPT))
10736                 (void) ipif_down_tail(ipif);
10737 
10738         return (ip_sioctl_flags_tail(ipif, flags, q, mp));
10739 }
10740 
10741 /*
10742  * Can operate on either a module or a driver queue.
10743  */
10744 /* ARGSUSED */
10745 int
10746 ip_sioctl_get_flags(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
10747     ip_ioctl_cmd_t *ipip, void *if_req)
10748 {
10749         /*
10750          * Has the flags been set correctly till now ?
10751          */
10752         ill_t *ill = ipif->ipif_ill;
10753         phyint_t *phyi = ill->ill_phyint;
10754 
10755         ip1dbg(("ip_sioctl_get_flags(%s:%u %p)\n",
10756             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
10757         ASSERT((phyi->phyint_flags & ~(IFF_PHYINT_FLAGS)) == 0);
10758         ASSERT((ill->ill_flags & ~(IFF_PHYINTINST_FLAGS)) == 0);
10759         ASSERT((ipif->ipif_flags & ~(IFF_LOGINT_FLAGS)) == 0);
10760 
10761         /*
10762          * Need a lock since some flags can be set even when there are
10763          * references to the ipif.
10764          */
10765         mutex_enter(&ill->ill_lock);
10766         if (ipip->ipi_cmd_type == IF_CMD) {
10767                 struct ifreq *ifr = (struct ifreq *)if_req;
10768 
10769                 /* Get interface flags (low 16 only). */
10770                 ifr->ifr_flags = ((ipif->ipif_flags |
10771                     ill->ill_flags | phyi->phyint_flags) & 0xffff);
10772         } else {
10773                 struct lifreq *lifr = (struct lifreq *)if_req;
10774 
10775                 /* Get interface flags. */
10776                 lifr->lifr_flags = ipif->ipif_flags |
10777                     ill->ill_flags | phyi->phyint_flags;
10778         }
10779         mutex_exit(&ill->ill_lock);
10780         return (0);
10781 }
10782 
10783 /*
10784  * We allow the MTU to be set on an ILL, but not have it be different
10785  * for different IPIFs since we don't actually send packets on IPIFs.
10786  */
10787 /* ARGSUSED */
10788 int
10789 ip_sioctl_mtu(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
10790     ip_ioctl_cmd_t *ipip, void *if_req)
10791 {
10792         int mtu;
10793         int ip_min_mtu;
10794         struct ifreq    *ifr;
10795         struct lifreq *lifr;
10796         ill_t   *ill;
10797 
10798         ip1dbg(("ip_sioctl_mtu(%s:%u %p)\n", ipif->ipif_ill->ill_name,
10799             ipif->ipif_id, (void *)ipif));
10800         if (ipip->ipi_cmd_type == IF_CMD) {
10801                 ifr = (struct ifreq *)if_req;
10802                 mtu = ifr->ifr_metric;
10803         } else {
10804                 lifr = (struct lifreq *)if_req;
10805                 mtu = lifr->lifr_mtu;
10806         }
10807         /* Only allow for logical unit zero i.e. not on "bge0:17" */
10808         if (ipif->ipif_id != 0)
10809                 return (EINVAL);
10810 
10811         ill = ipif->ipif_ill;
10812         if (ipif->ipif_isv6)
10813                 ip_min_mtu = IPV6_MIN_MTU;
10814         else
10815                 ip_min_mtu = IP_MIN_MTU;
10816 
10817         mutex_enter(&ill->ill_lock);
10818         if (mtu > ill->ill_max_frag || mtu < ip_min_mtu) {
10819                 mutex_exit(&ill->ill_lock);
10820                 return (EINVAL);
10821         }
10822         /* Avoid increasing ill_mc_mtu */
10823         if (ill->ill_mc_mtu > mtu)
10824                 ill->ill_mc_mtu = mtu;
10825 
10826         /*
10827          * The dce and fragmentation code can handle changes to ill_mtu
10828          * concurrent with sending/fragmenting packets.
10829          */
10830         ill->ill_mtu = mtu;
10831         ill->ill_flags |= ILLF_FIXEDMTU;
10832         mutex_exit(&ill->ill_lock);
10833 
10834         /*
10835          * Make sure all dce_generation checks find out
10836          * that ill_mtu/ill_mc_mtu has changed.
10837          */
10838         dce_increment_all_generations(ill->ill_isv6, ill->ill_ipst);
10839 
10840         /*
10841          * Refresh IPMP meta-interface MTU if necessary.
10842          */
10843         if (IS_UNDER_IPMP(ill))
10844                 ipmp_illgrp_refresh_mtu(ill->ill_grp);
10845 
10846         /* Update the MTU in SCTP's list */
10847         sctp_update_ipif(ipif, SCTP_IPIF_UPDATE);
10848         return (0);
10849 }
10850 
10851 /* Get interface MTU. */
10852 /* ARGSUSED */
10853 int
10854 ip_sioctl_get_mtu(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
10855         ip_ioctl_cmd_t *ipip, void *if_req)
10856 {
10857         struct ifreq    *ifr;
10858         struct lifreq   *lifr;
10859 
10860         ip1dbg(("ip_sioctl_get_mtu(%s:%u %p)\n",
10861             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
10862 
10863         /*
10864          * We allow a get on any logical interface even though the set
10865          * can only be done on logical unit 0.
10866          */
10867         if (ipip->ipi_cmd_type == IF_CMD) {
10868                 ifr = (struct ifreq *)if_req;
10869                 ifr->ifr_metric = ipif->ipif_ill->ill_mtu;
10870         } else {
10871                 lifr = (struct lifreq *)if_req;
10872                 lifr->lifr_mtu = ipif->ipif_ill->ill_mtu;
10873         }
10874         return (0);
10875 }
10876 
10877 /* Set interface broadcast address. */
10878 /* ARGSUSED2 */
10879 int
10880 ip_sioctl_brdaddr(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
10881         ip_ioctl_cmd_t *ipip, void *if_req)
10882 {
10883         ipaddr_t addr;
10884         ire_t   *ire;
10885         ill_t           *ill = ipif->ipif_ill;
10886         ip_stack_t      *ipst = ill->ill_ipst;
10887 
10888         ip1dbg(("ip_sioctl_brdaddr(%s:%u)\n", ill->ill_name,
10889             ipif->ipif_id));
10890 
10891         ASSERT(IAM_WRITER_IPIF(ipif));
10892         if (!(ipif->ipif_flags & IPIF_BROADCAST))
10893                 return (EADDRNOTAVAIL);
10894 
10895         ASSERT(!(ipif->ipif_isv6));  /* No IPv6 broadcast */
10896 
10897         if (sin->sin_family != AF_INET)
10898                 return (EAFNOSUPPORT);
10899 
10900         addr = sin->sin_addr.s_addr;
10901 
10902         if (ipif->ipif_flags & IPIF_UP) {
10903                 /*
10904                  * If we are already up, make sure the new
10905                  * broadcast address makes sense.  If it does,
10906                  * there should be an IRE for it already.
10907                  */
10908                 ire = ire_ftable_lookup_v4(addr, 0, 0, IRE_BROADCAST,
10909                     ill, ipif->ipif_zoneid, NULL,
10910                     (MATCH_IRE_ILL | MATCH_IRE_TYPE), 0, ipst, NULL);
10911                 if (ire == NULL) {
10912                         return (EINVAL);
10913                 } else {
10914                         ire_refrele(ire);
10915                 }
10916         }
10917         /*
10918          * Changing the broadcast addr for this ipif. Since the IRE_BROADCAST
10919          * needs to already exist we never need to change the set of
10920          * IRE_BROADCASTs when we are UP.
10921          */
10922         if (addr != ipif->ipif_brd_addr)
10923                 IN6_IPADDR_TO_V4MAPPED(addr, &ipif->ipif_v6brd_addr);
10924 
10925         return (0);
10926 }
10927 
10928 /* Get interface broadcast address. */
10929 /* ARGSUSED */
10930 int
10931 ip_sioctl_get_brdaddr(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
10932     ip_ioctl_cmd_t *ipip, void *if_req)
10933 {
10934         ip1dbg(("ip_sioctl_get_brdaddr(%s:%u %p)\n",
10935             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
10936         if (!(ipif->ipif_flags & IPIF_BROADCAST))
10937                 return (EADDRNOTAVAIL);
10938 
10939         /* IPIF_BROADCAST not possible with IPv6 */
10940         ASSERT(!ipif->ipif_isv6);
10941         *sin = sin_null;
10942         sin->sin_family = AF_INET;
10943         sin->sin_addr.s_addr = ipif->ipif_brd_addr;
10944         return (0);
10945 }
10946 
10947 /*
10948  * This routine is called to handle the SIOCS*IFNETMASK IOCTL.
10949  */
10950 /* ARGSUSED */
10951 int
10952 ip_sioctl_netmask(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
10953     ip_ioctl_cmd_t *ipip, void *if_req)
10954 {
10955         int err = 0;
10956         in6_addr_t v6mask;
10957 
10958         ip1dbg(("ip_sioctl_netmask(%s:%u %p)\n",
10959             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
10960 
10961         ASSERT(IAM_WRITER_IPIF(ipif));
10962 
10963         if (ipif->ipif_isv6) {
10964                 sin6_t *sin6;
10965 
10966                 if (sin->sin_family != AF_INET6)
10967                         return (EAFNOSUPPORT);
10968 
10969                 sin6 = (sin6_t *)sin;
10970                 v6mask = sin6->sin6_addr;
10971         } else {
10972                 ipaddr_t mask;
10973 
10974                 if (sin->sin_family != AF_INET)
10975                         return (EAFNOSUPPORT);
10976 
10977                 mask = sin->sin_addr.s_addr;
10978                 if (!ip_contiguous_mask(ntohl(mask)))
10979                         return (ENOTSUP);
10980                 V4MASK_TO_V6(mask, v6mask);
10981         }
10982 
10983         /*
10984          * No big deal if the interface isn't already up, or the mask
10985          * isn't really changing, or this is pt-pt.
10986          */
10987         if (!(ipif->ipif_flags & IPIF_UP) ||
10988             IN6_ARE_ADDR_EQUAL(&v6mask, &ipif->ipif_v6net_mask) ||
10989             (ipif->ipif_flags & IPIF_POINTOPOINT)) {
10990                 ipif->ipif_v6net_mask = v6mask;
10991                 if ((ipif->ipif_flags & IPIF_POINTOPOINT) == 0) {
10992                         V6_MASK_COPY(ipif->ipif_v6lcl_addr,
10993                             ipif->ipif_v6net_mask,
10994                             ipif->ipif_v6subnet);
10995                 }
10996                 return (0);
10997         }
10998         /*
10999          * Make sure we have valid net and subnet broadcast ire's
11000          * for the old netmask, if needed by other logical interfaces.
11001          */
11002         err = ipif_logical_down(ipif, q, mp);
11003         if (err == EINPROGRESS)
11004                 return (err);
11005         (void) ipif_down_tail(ipif);
11006         err = ip_sioctl_netmask_tail(ipif, sin, q, mp);
11007         return (err);
11008 }
11009 
11010 static int
11011 ip_sioctl_netmask_tail(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp)
11012 {
11013         in6_addr_t v6mask;
11014         int err = 0;
11015 
11016         ip1dbg(("ip_sioctl_netmask_tail(%s:%u %p)\n",
11017             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11018 
11019         if (ipif->ipif_isv6) {
11020                 sin6_t *sin6;
11021 
11022                 sin6 = (sin6_t *)sin;
11023                 v6mask = sin6->sin6_addr;
11024         } else {
11025                 ipaddr_t mask;
11026 
11027                 mask = sin->sin_addr.s_addr;
11028                 V4MASK_TO_V6(mask, v6mask);
11029         }
11030 
11031         ipif->ipif_v6net_mask = v6mask;
11032         if ((ipif->ipif_flags & IPIF_POINTOPOINT) == 0) {
11033                 V6_MASK_COPY(ipif->ipif_v6lcl_addr, ipif->ipif_v6net_mask,
11034                     ipif->ipif_v6subnet);
11035         }
11036         err = ipif_up(ipif, q, mp);
11037 
11038         if (err == 0 || err == EINPROGRESS) {
11039                 /*
11040                  * The interface must be DL_BOUND if this packet has to
11041                  * go out on the wire. Since we only go through a logical
11042                  * down and are bound with the driver during an internal
11043                  * down/up that is satisfied.
11044                  */
11045                 if (!ipif->ipif_isv6 && ipif->ipif_ill->ill_wq != NULL) {
11046                         /* Potentially broadcast an address mask reply. */
11047                         ipif_mask_reply(ipif);
11048                 }
11049         }
11050         return (err);
11051 }
11052 
11053 /* ARGSUSED */
11054 int
11055 ip_sioctl_netmask_restart(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
11056     ip_ioctl_cmd_t *ipip, void *if_req)
11057 {
11058         ip1dbg(("ip_sioctl_netmask_restart(%s:%u %p)\n",
11059             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11060         (void) ipif_down_tail(ipif);
11061         return (ip_sioctl_netmask_tail(ipif, sin, q, mp));
11062 }
11063 
11064 /* Get interface net mask. */
11065 /* ARGSUSED */
11066 int
11067 ip_sioctl_get_netmask(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
11068     ip_ioctl_cmd_t *ipip, void *if_req)
11069 {
11070         struct lifreq *lifr = (struct lifreq *)if_req;
11071         struct sockaddr_in6 *sin6 = (sin6_t *)sin;
11072 
11073         ip1dbg(("ip_sioctl_get_netmask(%s:%u %p)\n",
11074             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11075 
11076         /*
11077          * net mask can't change since we have a reference to the ipif.
11078          */
11079         if (ipif->ipif_isv6) {
11080                 ASSERT(ipip->ipi_cmd_type == LIF_CMD);
11081                 *sin6 = sin6_null;
11082                 sin6->sin6_family = AF_INET6;
11083                 sin6->sin6_addr = ipif->ipif_v6net_mask;
11084                 lifr->lifr_addrlen =
11085                     ip_mask_to_plen_v6(&ipif->ipif_v6net_mask);
11086         } else {
11087                 *sin = sin_null;
11088                 sin->sin_family = AF_INET;
11089                 sin->sin_addr.s_addr = ipif->ipif_net_mask;
11090                 if (ipip->ipi_cmd_type == LIF_CMD) {
11091                         lifr->lifr_addrlen =
11092                             ip_mask_to_plen(ipif->ipif_net_mask);
11093                 }
11094         }
11095         return (0);
11096 }
11097 
11098 /* ARGSUSED */
11099 int
11100 ip_sioctl_metric(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
11101     ip_ioctl_cmd_t *ipip, void *if_req)
11102 {
11103         ip1dbg(("ip_sioctl_metric(%s:%u %p)\n",
11104             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11105 
11106         /*
11107          * Since no applications should ever be setting metrics on underlying
11108          * interfaces, we explicitly fail to smoke 'em out.
11109          */
11110         if (IS_UNDER_IPMP(ipif->ipif_ill))
11111                 return (EINVAL);
11112 
11113         /*
11114          * Set interface metric.  We don't use this for
11115          * anything but we keep track of it in case it is
11116          * important to routing applications or such.
11117          */
11118         if (ipip->ipi_cmd_type == IF_CMD) {
11119                 struct ifreq    *ifr;
11120 
11121                 ifr = (struct ifreq *)if_req;
11122                 ipif->ipif_ill->ill_metric = ifr->ifr_metric;
11123         } else {
11124                 struct lifreq   *lifr;
11125 
11126                 lifr = (struct lifreq *)if_req;
11127                 ipif->ipif_ill->ill_metric = lifr->lifr_metric;
11128         }
11129         return (0);
11130 }
11131 
11132 /* ARGSUSED */
11133 int
11134 ip_sioctl_get_metric(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
11135     ip_ioctl_cmd_t *ipip, void *if_req)
11136 {
11137         /* Get interface metric. */
11138         ip1dbg(("ip_sioctl_get_metric(%s:%u %p)\n",
11139             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11140 
11141         if (ipip->ipi_cmd_type == IF_CMD) {
11142                 struct ifreq    *ifr;
11143 
11144                 ifr = (struct ifreq *)if_req;
11145                 ifr->ifr_metric = ipif->ipif_ill->ill_metric;
11146         } else {
11147                 struct lifreq   *lifr;
11148 
11149                 lifr = (struct lifreq *)if_req;
11150                 lifr->lifr_metric = ipif->ipif_ill->ill_metric;
11151         }
11152 
11153         return (0);
11154 }
11155 
11156 /* ARGSUSED */
11157 int
11158 ip_sioctl_muxid(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
11159     ip_ioctl_cmd_t *ipip, void *if_req)
11160 {
11161         int     arp_muxid;
11162 
11163         ip1dbg(("ip_sioctl_muxid(%s:%u %p)\n",
11164             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11165         /*
11166          * Set the muxid returned from I_PLINK.
11167          */
11168         if (ipip->ipi_cmd_type == IF_CMD) {
11169                 struct ifreq *ifr = (struct ifreq *)if_req;
11170 
11171                 ipif->ipif_ill->ill_muxid = ifr->ifr_ip_muxid;
11172                 arp_muxid = ifr->ifr_arp_muxid;
11173         } else {
11174                 struct lifreq *lifr = (struct lifreq *)if_req;
11175 
11176                 ipif->ipif_ill->ill_muxid = lifr->lifr_ip_muxid;
11177                 arp_muxid = lifr->lifr_arp_muxid;
11178         }
11179         arl_set_muxid(ipif->ipif_ill, arp_muxid);
11180         return (0);
11181 }
11182 
11183 /* ARGSUSED */
11184 int
11185 ip_sioctl_get_muxid(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
11186     ip_ioctl_cmd_t *ipip, void *if_req)
11187 {
11188         int     arp_muxid = 0;
11189 
11190         ip1dbg(("ip_sioctl_get_muxid(%s:%u %p)\n",
11191             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11192         /*
11193          * Get the muxid saved in ill for I_PUNLINK.
11194          */
11195         arp_muxid = arl_get_muxid(ipif->ipif_ill);
11196         if (ipip->ipi_cmd_type == IF_CMD) {
11197                 struct ifreq *ifr = (struct ifreq *)if_req;
11198 
11199                 ifr->ifr_ip_muxid = ipif->ipif_ill->ill_muxid;
11200                 ifr->ifr_arp_muxid = arp_muxid;
11201         } else {
11202                 struct lifreq *lifr = (struct lifreq *)if_req;
11203 
11204                 lifr->lifr_ip_muxid = ipif->ipif_ill->ill_muxid;
11205                 lifr->lifr_arp_muxid = arp_muxid;
11206         }
11207         return (0);
11208 }
11209 
11210 /*
11211  * Set the subnet prefix. Does not modify the broadcast address.
11212  */
11213 /* ARGSUSED */
11214 int
11215 ip_sioctl_subnet(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
11216     ip_ioctl_cmd_t *ipip, void *if_req)
11217 {
11218         int err = 0;
11219         in6_addr_t v6addr;
11220         in6_addr_t v6mask;
11221         boolean_t need_up = B_FALSE;
11222         int addrlen;
11223 
11224         ip1dbg(("ip_sioctl_subnet(%s:%u %p)\n",
11225             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11226 
11227         ASSERT(IAM_WRITER_IPIF(ipif));
11228         addrlen = ((struct lifreq *)if_req)->lifr_addrlen;
11229 
11230         if (ipif->ipif_isv6) {
11231                 sin6_t *sin6;
11232 
11233                 if (sin->sin_family != AF_INET6)
11234                         return (EAFNOSUPPORT);
11235 
11236                 sin6 = (sin6_t *)sin;
11237                 v6addr = sin6->sin6_addr;
11238                 if (!ip_remote_addr_ok_v6(&v6addr, &ipv6_all_ones))
11239                         return (EADDRNOTAVAIL);
11240         } else {
11241                 ipaddr_t addr;
11242 
11243                 if (sin->sin_family != AF_INET)
11244                         return (EAFNOSUPPORT);
11245 
11246                 addr = sin->sin_addr.s_addr;
11247                 if (!ip_addr_ok_v4(addr, 0xFFFFFFFF))
11248                         return (EADDRNOTAVAIL);
11249                 IN6_IPADDR_TO_V4MAPPED(addr, &v6addr);
11250                 /* Add 96 bits */
11251                 addrlen += IPV6_ABITS - IP_ABITS;
11252         }
11253 
11254         if (ip_plen_to_mask_v6(addrlen, &v6mask) == NULL)
11255                 return (EINVAL);
11256 
11257         /* Check if bits in the address is set past the mask */
11258         if (!V6_MASK_EQ(v6addr, v6mask, v6addr))
11259                 return (EINVAL);
11260 
11261         if (IN6_ARE_ADDR_EQUAL(&ipif->ipif_v6subnet, &v6addr) &&
11262             IN6_ARE_ADDR_EQUAL(&ipif->ipif_v6net_mask, &v6mask))
11263                 return (0);     /* No change */
11264 
11265         if (ipif->ipif_flags & IPIF_UP) {
11266                 /*
11267                  * If the interface is already marked up,
11268                  * we call ipif_down which will take care
11269                  * of ditching any IREs that have been set
11270                  * up based on the old interface address.
11271                  */
11272                 err = ipif_logical_down(ipif, q, mp);
11273                 if (err == EINPROGRESS)
11274                         return (err);
11275                 (void) ipif_down_tail(ipif);
11276                 need_up = B_TRUE;
11277         }
11278 
11279         err = ip_sioctl_subnet_tail(ipif, v6addr, v6mask, q, mp, need_up);
11280         return (err);
11281 }
11282 
11283 static int
11284 ip_sioctl_subnet_tail(ipif_t *ipif, in6_addr_t v6addr, in6_addr_t v6mask,
11285     queue_t *q, mblk_t *mp, boolean_t need_up)
11286 {
11287         ill_t   *ill = ipif->ipif_ill;
11288         int     err = 0;
11289 
11290         ip1dbg(("ip_sioctl_subnet_tail(%s:%u %p)\n",
11291             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11292 
11293         /* Set the new address. */
11294         mutex_enter(&ill->ill_lock);
11295         ipif->ipif_v6net_mask = v6mask;
11296         if ((ipif->ipif_flags & IPIF_POINTOPOINT) == 0) {
11297                 V6_MASK_COPY(v6addr, ipif->ipif_v6net_mask,
11298                     ipif->ipif_v6subnet);
11299         }
11300         mutex_exit(&ill->ill_lock);
11301 
11302         if (need_up) {
11303                 /*
11304                  * Now bring the interface back up.  If this
11305                  * is the only IPIF for the ILL, ipif_up
11306                  * will have to re-bind to the device, so
11307                  * we may get back EINPROGRESS, in which
11308                  * case, this IOCTL will get completed in
11309                  * ip_rput_dlpi when we see the DL_BIND_ACK.
11310                  */
11311                 err = ipif_up(ipif, q, mp);
11312                 if (err == EINPROGRESS)
11313                         return (err);
11314         }
11315         return (err);
11316 }
11317 
11318 /* ARGSUSED */
11319 int
11320 ip_sioctl_subnet_restart(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
11321     ip_ioctl_cmd_t *ipip, void *if_req)
11322 {
11323         int     addrlen;
11324         in6_addr_t v6addr;
11325         in6_addr_t v6mask;
11326         struct lifreq *lifr = (struct lifreq *)if_req;
11327 
11328         ip1dbg(("ip_sioctl_subnet_restart(%s:%u %p)\n",
11329             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11330         (void) ipif_down_tail(ipif);
11331 
11332         addrlen = lifr->lifr_addrlen;
11333         if (ipif->ipif_isv6) {
11334                 sin6_t *sin6;
11335 
11336                 sin6 = (sin6_t *)sin;
11337                 v6addr = sin6->sin6_addr;
11338         } else {
11339                 ipaddr_t addr;
11340 
11341                 addr = sin->sin_addr.s_addr;
11342                 IN6_IPADDR_TO_V4MAPPED(addr, &v6addr);
11343                 addrlen += IPV6_ABITS - IP_ABITS;
11344         }
11345         (void) ip_plen_to_mask_v6(addrlen, &v6mask);
11346 
11347         return (ip_sioctl_subnet_tail(ipif, v6addr, v6mask, q, mp, B_TRUE));
11348 }
11349 
11350 /* ARGSUSED */
11351 int
11352 ip_sioctl_get_subnet(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
11353     ip_ioctl_cmd_t *ipip, void *if_req)
11354 {
11355         struct lifreq *lifr = (struct lifreq *)if_req;
11356         struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sin;
11357 
11358         ip1dbg(("ip_sioctl_get_subnet(%s:%u %p)\n",
11359             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11360         ASSERT(ipip->ipi_cmd_type == LIF_CMD);
11361 
11362         if (ipif->ipif_isv6) {
11363                 *sin6 = sin6_null;
11364                 sin6->sin6_family = AF_INET6;
11365                 sin6->sin6_addr = ipif->ipif_v6subnet;
11366                 lifr->lifr_addrlen =
11367                     ip_mask_to_plen_v6(&ipif->ipif_v6net_mask);
11368         } else {
11369                 *sin = sin_null;
11370                 sin->sin_family = AF_INET;
11371                 sin->sin_addr.s_addr = ipif->ipif_subnet;
11372                 lifr->lifr_addrlen = ip_mask_to_plen(ipif->ipif_net_mask);
11373         }
11374         return (0);
11375 }
11376 
11377 /*
11378  * Set the IPv6 address token.
11379  */
11380 /* ARGSUSED */
11381 int
11382 ip_sioctl_token(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
11383     ip_ioctl_cmd_t *ipi, void *if_req)
11384 {
11385         ill_t *ill = ipif->ipif_ill;
11386         int err;
11387         in6_addr_t v6addr;
11388         in6_addr_t v6mask;
11389         boolean_t need_up = B_FALSE;
11390         int i;
11391         sin6_t *sin6 = (sin6_t *)sin;
11392         struct lifreq *lifr = (struct lifreq *)if_req;
11393         int addrlen;
11394 
11395         ip1dbg(("ip_sioctl_token(%s:%u %p)\n",
11396             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11397         ASSERT(IAM_WRITER_IPIF(ipif));
11398 
11399         addrlen = lifr->lifr_addrlen;
11400         /* Only allow for logical unit zero i.e. not on "le0:17" */
11401         if (ipif->ipif_id != 0)
11402                 return (EINVAL);
11403 
11404         if (!ipif->ipif_isv6)
11405                 return (EINVAL);
11406 
11407         if (addrlen > IPV6_ABITS)
11408                 return (EINVAL);
11409 
11410         v6addr = sin6->sin6_addr;
11411 
11412         /*
11413          * The length of the token is the length from the end.  To get
11414          * the proper mask for this, compute the mask of the bits not
11415          * in the token; ie. the prefix, and then xor to get the mask.
11416          */
11417         if (ip_plen_to_mask_v6(IPV6_ABITS - addrlen, &v6mask) == NULL)
11418                 return (EINVAL);
11419         for (i = 0; i < 4; i++) {
11420                 v6mask.s6_addr32[i] ^= (uint32_t)0xffffffff;
11421         }
11422 
11423         if (V6_MASK_EQ(v6addr, v6mask, ill->ill_token) &&
11424             ill->ill_token_length == addrlen)
11425                 return (0);     /* No change */
11426 
11427         if (ipif->ipif_flags & IPIF_UP) {
11428                 err = ipif_logical_down(ipif, q, mp);
11429                 if (err == EINPROGRESS)
11430                         return (err);
11431                 (void) ipif_down_tail(ipif);
11432                 need_up = B_TRUE;
11433         }
11434         err = ip_sioctl_token_tail(ipif, sin6, addrlen, q, mp, need_up);
11435         return (err);
11436 }
11437 
11438 static int
11439 ip_sioctl_token_tail(ipif_t *ipif, sin6_t *sin6, int addrlen, queue_t *q,
11440     mblk_t *mp, boolean_t need_up)
11441 {
11442         in6_addr_t v6addr;
11443         in6_addr_t v6mask;
11444         ill_t   *ill = ipif->ipif_ill;
11445         int     i;
11446         int     err = 0;
11447 
11448         ip1dbg(("ip_sioctl_token_tail(%s:%u %p)\n",
11449             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11450         v6addr = sin6->sin6_addr;
11451         /*
11452          * The length of the token is the length from the end.  To get
11453          * the proper mask for this, compute the mask of the bits not
11454          * in the token; ie. the prefix, and then xor to get the mask.
11455          */
11456         (void) ip_plen_to_mask_v6(IPV6_ABITS - addrlen, &v6mask);
11457         for (i = 0; i < 4; i++)
11458                 v6mask.s6_addr32[i] ^= (uint32_t)0xffffffff;
11459 
11460         mutex_enter(&ill->ill_lock);
11461         V6_MASK_COPY(v6addr, v6mask, ill->ill_token);
11462         ill->ill_token_length = addrlen;
11463         ill->ill_manual_token = 1;
11464 
11465         /* Reconfigure the link-local address based on this new token */
11466         ipif_setlinklocal(ill->ill_ipif);
11467 
11468         mutex_exit(&ill->ill_lock);
11469 
11470         if (need_up) {
11471                 /*
11472                  * Now bring the interface back up.  If this
11473                  * is the only IPIF for the ILL, ipif_up
11474                  * will have to re-bind to the device, so
11475                  * we may get back EINPROGRESS, in which
11476                  * case, this IOCTL will get completed in
11477                  * ip_rput_dlpi when we see the DL_BIND_ACK.
11478                  */
11479                 err = ipif_up(ipif, q, mp);
11480                 if (err == EINPROGRESS)
11481                         return (err);
11482         }
11483         return (err);
11484 }
11485 
11486 /* ARGSUSED */
11487 int
11488 ip_sioctl_get_token(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
11489     ip_ioctl_cmd_t *ipi, void *if_req)
11490 {
11491         ill_t *ill;
11492         sin6_t *sin6 = (sin6_t *)sin;
11493         struct lifreq *lifr = (struct lifreq *)if_req;
11494 
11495         ip1dbg(("ip_sioctl_get_token(%s:%u %p)\n",
11496             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11497         if (ipif->ipif_id != 0)
11498                 return (EINVAL);
11499 
11500         ill = ipif->ipif_ill;
11501         if (!ill->ill_isv6)
11502                 return (ENXIO);
11503 
11504         *sin6 = sin6_null;
11505         sin6->sin6_family = AF_INET6;
11506         ASSERT(!IN6_IS_ADDR_V4MAPPED(&ill->ill_token));
11507         sin6->sin6_addr = ill->ill_token;
11508         lifr->lifr_addrlen = ill->ill_token_length;
11509         return (0);
11510 }
11511 
11512 /*
11513  * Set (hardware) link specific information that might override
11514  * what was acquired through the DL_INFO_ACK.
11515  */
11516 /* ARGSUSED */
11517 int
11518 ip_sioctl_lnkinfo(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
11519     ip_ioctl_cmd_t *ipi, void *if_req)
11520 {
11521         ill_t           *ill = ipif->ipif_ill;
11522         int             ip_min_mtu;
11523         struct lifreq   *lifr = (struct lifreq *)if_req;
11524         lif_ifinfo_req_t *lir;
11525 
11526         ip1dbg(("ip_sioctl_lnkinfo(%s:%u %p)\n",
11527             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11528         lir = &lifr->lifr_ifinfo;
11529         ASSERT(IAM_WRITER_IPIF(ipif));
11530 
11531         /* Only allow for logical unit zero i.e. not on "bge0:17" */
11532         if (ipif->ipif_id != 0)
11533                 return (EINVAL);
11534 
11535         /* Set interface MTU. */
11536         if (ipif->ipif_isv6)
11537                 ip_min_mtu = IPV6_MIN_MTU;
11538         else
11539                 ip_min_mtu = IP_MIN_MTU;
11540 
11541         /*
11542          * Verify values before we set anything. Allow zero to
11543          * mean unspecified.
11544          *
11545          * XXX We should be able to set the user-defined lir_mtu to some value
11546          * that is greater than ill_current_frag but less than ill_max_frag- the
11547          * ill_max_frag value tells us the max MTU that can be handled by the
11548          * datalink, whereas the ill_current_frag is dynamically computed for
11549          * some link-types like tunnels, based on the tunnel PMTU. However,
11550          * since there is currently no way of distinguishing between
11551          * administratively fixed link mtu values (e.g., those set via
11552          * /sbin/dladm) and dynamically discovered MTUs (e.g., those discovered
11553          * for tunnels) we conservatively choose the  ill_current_frag as the
11554          * upper-bound.
11555          */
11556         if (lir->lir_maxmtu != 0 &&
11557             (lir->lir_maxmtu > ill->ill_current_frag ||
11558             lir->lir_maxmtu < ip_min_mtu))
11559                 return (EINVAL);
11560         if (lir->lir_reachtime != 0 &&
11561             lir->lir_reachtime > ND_MAX_REACHTIME)
11562                 return (EINVAL);
11563         if (lir->lir_reachretrans != 0 &&
11564             lir->lir_reachretrans > ND_MAX_REACHRETRANSTIME)
11565                 return (EINVAL);
11566 
11567         mutex_enter(&ill->ill_lock);
11568         /*
11569          * The dce and fragmentation code can handle changes to ill_mtu
11570          * concurrent with sending/fragmenting packets.
11571          */
11572         if (lir->lir_maxmtu != 0)
11573                 ill->ill_user_mtu = lir->lir_maxmtu;
11574 
11575         if (lir->lir_reachtime != 0)
11576                 ill->ill_reachable_time = lir->lir_reachtime;
11577 
11578         if (lir->lir_reachretrans != 0)
11579                 ill->ill_reachable_retrans_time = lir->lir_reachretrans;
11580 
11581         ill->ill_max_hops = lir->lir_maxhops;
11582         ill->ill_max_buf = ND_MAX_Q;
11583         if (!(ill->ill_flags & ILLF_FIXEDMTU) && ill->ill_user_mtu != 0) {
11584                 /*
11585                  * ill_mtu is the actual interface MTU, obtained as the min
11586                  * of user-configured mtu and the value announced by the
11587                  * driver (via DL_NOTE_SDU_SIZE/DL_INFO_ACK). Note that since
11588                  * we have already made the choice of requiring
11589                  * ill_user_mtu < ill_current_frag by the time we get here,
11590                  * the ill_mtu effectively gets assigned to the ill_user_mtu
11591                  * here.
11592                  */
11593                 ill->ill_mtu = MIN(ill->ill_current_frag, ill->ill_user_mtu);
11594                 ill->ill_mc_mtu = MIN(ill->ill_mc_mtu, ill->ill_user_mtu);
11595         }
11596         mutex_exit(&ill->ill_lock);
11597 
11598         /*
11599          * Make sure all dce_generation checks find out
11600          * that ill_mtu/ill_mc_mtu has changed.
11601          */
11602         if (!(ill->ill_flags & ILLF_FIXEDMTU) && (lir->lir_maxmtu != 0))
11603                 dce_increment_all_generations(ill->ill_isv6, ill->ill_ipst);
11604 
11605         /*
11606          * Refresh IPMP meta-interface MTU if necessary.
11607          */
11608         if (IS_UNDER_IPMP(ill))
11609                 ipmp_illgrp_refresh_mtu(ill->ill_grp);
11610 
11611         return (0);
11612 }
11613 
11614 /* ARGSUSED */
11615 int
11616 ip_sioctl_get_lnkinfo(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
11617     ip_ioctl_cmd_t *ipi, void *if_req)
11618 {
11619         struct lif_ifinfo_req *lir;
11620         ill_t *ill = ipif->ipif_ill;
11621 
11622         ip1dbg(("ip_sioctl_get_lnkinfo(%s:%u %p)\n",
11623             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11624         if (ipif->ipif_id != 0)
11625                 return (EINVAL);
11626 
11627         lir = &((struct lifreq *)if_req)->lifr_ifinfo;
11628         lir->lir_maxhops = ill->ill_max_hops;
11629         lir->lir_reachtime = ill->ill_reachable_time;
11630         lir->lir_reachretrans = ill->ill_reachable_retrans_time;
11631         lir->lir_maxmtu = ill->ill_mtu;
11632 
11633         return (0);
11634 }
11635 
11636 /*
11637  * Return best guess as to the subnet mask for the specified address.
11638  * Based on the subnet masks for all the configured interfaces.
11639  *
11640  * We end up returning a zero mask in the case of default, multicast or
11641  * experimental.
11642  */
11643 static ipaddr_t
11644 ip_subnet_mask(ipaddr_t addr, ipif_t **ipifp, ip_stack_t *ipst)
11645 {
11646         ipaddr_t net_mask;
11647         ill_t   *ill;
11648         ipif_t  *ipif;
11649         ill_walk_context_t ctx;
11650         ipif_t  *fallback_ipif = NULL;
11651 
11652         net_mask = ip_net_mask(addr);
11653         if (net_mask == 0) {
11654                 *ipifp = NULL;
11655                 return (0);
11656         }
11657 
11658         /* Let's check to see if this is maybe a local subnet route. */
11659         /* this function only applies to IPv4 interfaces */
11660         rw_enter(&ipst->ips_ill_g_lock, RW_READER);
11661         ill = ILL_START_WALK_V4(&ctx, ipst);
11662         for (; ill != NULL; ill = ill_next(&ctx, ill)) {
11663                 mutex_enter(&ill->ill_lock);
11664                 for (ipif = ill->ill_ipif; ipif != NULL;
11665                     ipif = ipif->ipif_next) {
11666                         if (IPIF_IS_CONDEMNED(ipif))
11667                                 continue;
11668                         if (!(ipif->ipif_flags & IPIF_UP))
11669                                 continue;
11670                         if ((ipif->ipif_subnet & net_mask) ==
11671                             (addr & net_mask)) {
11672                                 /*
11673                                  * Don't trust pt-pt interfaces if there are
11674                                  * other interfaces.
11675                                  */
11676                                 if (ipif->ipif_flags & IPIF_POINTOPOINT) {
11677                                         if (fallback_ipif == NULL) {
11678                                                 ipif_refhold_locked(ipif);
11679                                                 fallback_ipif = ipif;
11680                                         }
11681                                         continue;
11682                                 }
11683 
11684                                 /*
11685                                  * Fine. Just assume the same net mask as the
11686                                  * directly attached subnet interface is using.
11687                                  */
11688                                 ipif_refhold_locked(ipif);
11689                                 mutex_exit(&ill->ill_lock);
11690                                 rw_exit(&ipst->ips_ill_g_lock);
11691                                 if (fallback_ipif != NULL)
11692                                         ipif_refrele(fallback_ipif);
11693                                 *ipifp = ipif;
11694                                 return (ipif->ipif_net_mask);
11695                         }
11696                 }
11697                 mutex_exit(&ill->ill_lock);
11698         }
11699         rw_exit(&ipst->ips_ill_g_lock);
11700 
11701         *ipifp = fallback_ipif;
11702         return ((fallback_ipif != NULL) ?
11703             fallback_ipif->ipif_net_mask : net_mask);
11704 }
11705 
11706 /*
11707  * ip_sioctl_copyin_setup calls ip_wput_ioctl to process the IP_IOCTL ioctl.
11708  */
11709 static void
11710 ip_wput_ioctl(queue_t *q, mblk_t *mp)
11711 {
11712         IOCP    iocp;
11713         ipft_t  *ipft;
11714         ipllc_t *ipllc;
11715         mblk_t  *mp1;
11716         cred_t  *cr;
11717         int     error = 0;
11718         conn_t  *connp;
11719 
11720         ip1dbg(("ip_wput_ioctl"));
11721         iocp = (IOCP)mp->b_rptr;
11722         mp1 = mp->b_cont;
11723         if (mp1 == NULL) {
11724                 iocp->ioc_error = EINVAL;
11725                 mp->b_datap->db_type = M_IOCNAK;
11726                 iocp->ioc_count = 0;
11727                 qreply(q, mp);
11728                 return;
11729         }
11730 
11731         /*
11732          * These IOCTLs provide various control capabilities to
11733          * upstream agents such as ULPs and processes.  There
11734          * are currently two such IOCTLs implemented.  They
11735          * are used by TCP to provide update information for
11736          * existing IREs and to forcibly delete an IRE for a
11737          * host that is not responding, thereby forcing an
11738          * attempt at a new route.
11739          */
11740         iocp->ioc_error = EINVAL;
11741         if (!pullupmsg(mp1, sizeof (ipllc->ipllc_cmd)))
11742                 goto done;
11743 
11744         ipllc = (ipllc_t *)mp1->b_rptr;
11745         for (ipft = ip_ioctl_ftbl; ipft->ipft_pfi; ipft++) {
11746                 if (ipllc->ipllc_cmd == ipft->ipft_cmd)
11747                         break;
11748         }
11749         /*
11750          * prefer credential from mblk over ioctl;
11751          * see ip_sioctl_copyin_setup
11752          */
11753         cr = msg_getcred(mp, NULL);
11754         if (cr == NULL)
11755                 cr = iocp->ioc_cr;
11756 
11757         /*
11758          * Refhold the conn in case the request gets queued up in some lookup
11759          */
11760         ASSERT(CONN_Q(q));
11761         connp = Q_TO_CONN(q);
11762         CONN_INC_REF(connp);
11763         CONN_INC_IOCTLREF(connp);
11764         if (ipft->ipft_pfi &&
11765             ((mp1->b_wptr - mp1->b_rptr) >= ipft->ipft_min_size ||
11766             pullupmsg(mp1, ipft->ipft_min_size))) {
11767                 error = (*ipft->ipft_pfi)(q,
11768                     (ipft->ipft_flags & IPFT_F_SELF_REPLY) ? mp : mp1, cr);
11769         }
11770         if (ipft->ipft_flags & IPFT_F_SELF_REPLY) {
11771                 /*
11772                  * CONN_OPER_PENDING_DONE happens in the function called
11773                  * through ipft_pfi above.
11774                  */
11775                 return;
11776         }
11777 
11778         CONN_DEC_IOCTLREF(connp);
11779         CONN_OPER_PENDING_DONE(connp);
11780         if (ipft->ipft_flags & IPFT_F_NO_REPLY) {
11781                 freemsg(mp);
11782                 return;
11783         }
11784         iocp->ioc_error = error;
11785 
11786 done:
11787         mp->b_datap->db_type = M_IOCACK;
11788         if (iocp->ioc_error)
11789                 iocp->ioc_count = 0;
11790         qreply(q, mp);
11791 }
11792 
11793 /*
11794  * Assign a unique id for the ipif. This is used by sctp_addr.c
11795  * Note: remove if sctp_addr.c is redone to not shadow ill/ipif data structures.
11796  */
11797 static void
11798 ipif_assign_seqid(ipif_t *ipif)
11799 {
11800         ip_stack_t      *ipst = ipif->ipif_ill->ill_ipst;
11801 
11802         ipif->ipif_seqid = atomic_add_64_nv(&ipst->ips_ipif_g_seqid, 1);
11803 }
11804 
11805 /*
11806  * Clone the contents of `sipif' to `dipif'.  Requires that both ipifs are
11807  * administratively down (i.e., no DAD), of the same type, and locked.  Note
11808  * that the clone is complete -- including the seqid -- and the expectation is
11809  * that the caller will either free or overwrite `sipif' before it's unlocked.
11810  */
11811 static void
11812 ipif_clone(const ipif_t *sipif, ipif_t *dipif)
11813 {
11814         ASSERT(MUTEX_HELD(&sipif->ipif_ill->ill_lock));
11815         ASSERT(MUTEX_HELD(&dipif->ipif_ill->ill_lock));
11816         ASSERT(!(sipif->ipif_flags & (IPIF_UP|IPIF_DUPLICATE)));
11817         ASSERT(!(dipif->ipif_flags & (IPIF_UP|IPIF_DUPLICATE)));
11818         ASSERT(sipif->ipif_ire_type == dipif->ipif_ire_type);
11819 
11820         dipif->ipif_flags = sipif->ipif_flags;
11821         dipif->ipif_zoneid = sipif->ipif_zoneid;
11822         dipif->ipif_v6subnet = sipif->ipif_v6subnet;
11823         dipif->ipif_v6lcl_addr = sipif->ipif_v6lcl_addr;
11824         dipif->ipif_v6net_mask = sipif->ipif_v6net_mask;
11825         dipif->ipif_v6brd_addr = sipif->ipif_v6brd_addr;
11826         dipif->ipif_v6pp_dst_addr = sipif->ipif_v6pp_dst_addr;
11827 
11828         /*
11829          * As per the comment atop the function, we assume that these sipif
11830          * fields will be changed before sipif is unlocked.
11831          */
11832         dipif->ipif_seqid = sipif->ipif_seqid;
11833         dipif->ipif_state_flags = sipif->ipif_state_flags;
11834 }
11835 
11836 /*
11837  * Transfer the contents of `sipif' to `dipif', and then free (if `virgipif'
11838  * is NULL) or overwrite `sipif' with `virgipif', which must be a virgin
11839  * (unreferenced) ipif.  Also, if `sipif' is used by the current xop, then
11840  * transfer the xop to `dipif'.  Requires that all ipifs are administratively
11841  * down (i.e., no DAD), of the same type, and unlocked.
11842  */
11843 static void
11844 ipif_transfer(ipif_t *sipif, ipif_t *dipif, ipif_t *virgipif)
11845 {
11846         ipsq_t *ipsq = sipif->ipif_ill->ill_phyint->phyint_ipsq;
11847         ipxop_t *ipx = ipsq->ipsq_xop;
11848 
11849         ASSERT(sipif != dipif);
11850         ASSERT(sipif != virgipif);
11851 
11852         /*
11853          * Grab all of the locks that protect the ipif in a defined order.
11854          */
11855         GRAB_ILL_LOCKS(sipif->ipif_ill, dipif->ipif_ill);
11856 
11857         ipif_clone(sipif, dipif);
11858         if (virgipif != NULL) {
11859                 ipif_clone(virgipif, sipif);
11860                 mi_free(virgipif);
11861         }
11862 
11863         RELEASE_ILL_LOCKS(sipif->ipif_ill, dipif->ipif_ill);
11864 
11865         /*
11866          * Transfer ownership of the current xop, if necessary.
11867          */
11868         if (ipx->ipx_current_ipif == sipif) {
11869                 ASSERT(ipx->ipx_pending_ipif == NULL);
11870                 mutex_enter(&ipx->ipx_lock);
11871                 ipx->ipx_current_ipif = dipif;
11872                 mutex_exit(&ipx->ipx_lock);
11873         }
11874 
11875         if (virgipif == NULL)
11876                 mi_free(sipif);
11877 }
11878 
11879 /*
11880  * checks if:
11881  *      - <ill_name>:<ipif_id> is at most LIFNAMSIZ - 1 and
11882  *      - logical interface is within the allowed range
11883  */
11884 static int
11885 is_lifname_valid(ill_t *ill, unsigned int ipif_id)
11886 {
11887         if (snprintf(NULL, 0, "%s:%d", ill->ill_name, ipif_id) >= LIFNAMSIZ)
11888                 return (ENAMETOOLONG);
11889 
11890         if (ipif_id >= ill->ill_ipst->ips_ip_addrs_per_if)
11891                 return (ERANGE);
11892         return (0);
11893 }
11894 
11895 /*
11896  * Insert the ipif, so that the list of ipifs on the ill will be sorted
11897  * with respect to ipif_id. Note that an ipif with an ipif_id of -1 will
11898  * be inserted into the first space available in the list. The value of
11899  * ipif_id will then be set to the appropriate value for its position.
11900  */
11901 static int
11902 ipif_insert(ipif_t *ipif, boolean_t acquire_g_lock)
11903 {
11904         ill_t *ill;
11905         ipif_t *tipif;
11906         ipif_t **tipifp;
11907         int id, err;
11908         ip_stack_t      *ipst;
11909 
11910         ASSERT(ipif->ipif_ill->ill_net_type == IRE_LOOPBACK ||
11911             IAM_WRITER_IPIF(ipif));
11912 
11913         ill = ipif->ipif_ill;
11914         ASSERT(ill != NULL);
11915         ipst = ill->ill_ipst;
11916 
11917         /*
11918          * In the case of lo0:0 we already hold the ill_g_lock.
11919          * ill_lookup_on_name (acquires ill_g_lock) -> ipif_allocate ->
11920          * ipif_insert.
11921          */
11922         if (acquire_g_lock)
11923                 rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
11924         mutex_enter(&ill->ill_lock);
11925         id = ipif->ipif_id;
11926         tipifp = &(ill->ill_ipif);
11927         if (id == -1) { /* need to find a real id */
11928                 id = 0;
11929                 while ((tipif = *tipifp) != NULL) {
11930                         ASSERT(tipif->ipif_id >= id);
11931                         if (tipif->ipif_id != id)
11932                                 break; /* non-consecutive id */
11933                         id++;
11934                         tipifp = &(tipif->ipif_next);
11935                 }
11936                 if ((err = is_lifname_valid(ill, id)) != 0) {
11937                         mutex_exit(&ill->ill_lock);
11938                         if (acquire_g_lock)
11939                                 rw_exit(&ipst->ips_ill_g_lock);
11940                         return (err);
11941                 }
11942                 ipif->ipif_id = id; /* assign new id */
11943         } else if ((err = is_lifname_valid(ill, id)) == 0) {
11944                 /* we have a real id; insert ipif in the right place */
11945                 while ((tipif = *tipifp) != NULL) {
11946                         ASSERT(tipif->ipif_id != id);
11947                         if (tipif->ipif_id > id)
11948                                 break; /* found correct location */
11949                         tipifp = &(tipif->ipif_next);
11950                 }
11951         } else {
11952                 mutex_exit(&ill->ill_lock);
11953                 if (acquire_g_lock)
11954                         rw_exit(&ipst->ips_ill_g_lock);
11955                 return (err);
11956         }
11957 
11958         ASSERT(tipifp != &(ill->ill_ipif) || id == 0);
11959 
11960         ipif->ipif_next = tipif;
11961         *tipifp = ipif;
11962         mutex_exit(&ill->ill_lock);
11963         if (acquire_g_lock)
11964                 rw_exit(&ipst->ips_ill_g_lock);
11965 
11966         return (0);
11967 }
11968 
11969 static void
11970 ipif_remove(ipif_t *ipif)
11971 {
11972         ipif_t  **ipifp;
11973         ill_t   *ill = ipif->ipif_ill;
11974 
11975         ASSERT(RW_WRITE_HELD(&ill->ill_ipst->ips_ill_g_lock));
11976 
11977         mutex_enter(&ill->ill_lock);
11978         ipifp = &ill->ill_ipif;
11979         for (; *ipifp != NULL; ipifp = &ipifp[0]->ipif_next) {
11980                 if (*ipifp == ipif) {
11981                         *ipifp = ipif->ipif_next;
11982                         break;
11983                 }
11984         }
11985         mutex_exit(&ill->ill_lock);
11986 }
11987 
11988 /*
11989  * Allocate and initialize a new interface control structure.  (Always
11990  * called as writer.)
11991  * When ipif_allocate() is called from ip_ll_subnet_defaults, the ill
11992  * is not part of the global linked list of ills. ipif_seqid is unique
11993  * in the system and to preserve the uniqueness, it is assigned only
11994  * when ill becomes part of the global list. At that point ill will
11995  * have a name. If it doesn't get assigned here, it will get assigned
11996  * in ipif_set_values() as part of SIOCSLIFNAME processing.
11997  * Aditionally, if we come here from ip_ll_subnet_defaults, we don't set
11998  * the interface flags or any other information from the DL_INFO_ACK for
11999  * DL_STYLE2 drivers (initialize == B_FALSE), since we won't have them at
12000  * this point. The flags etc. will be set in ip_ll_subnet_defaults when the
12001  * second DL_INFO_ACK comes in from the driver.
12002  */
12003 static ipif_t *
12004 ipif_allocate(ill_t *ill, int id, uint_t ire_type, boolean_t initialize,
12005     boolean_t insert, int *errorp)
12006 {
12007         int err;
12008         ipif_t  *ipif;
12009         ip_stack_t *ipst = ill->ill_ipst;
12010 
12011         ip1dbg(("ipif_allocate(%s:%d ill %p)\n",
12012             ill->ill_name, id, (void *)ill));
12013         ASSERT(ire_type == IRE_LOOPBACK || IAM_WRITER_ILL(ill));
12014 
12015         if (errorp != NULL)
12016                 *errorp = 0;
12017 
12018         if ((ipif = mi_alloc(sizeof (ipif_t), BPRI_MED)) == NULL) {
12019                 if (errorp != NULL)
12020                         *errorp = ENOMEM;
12021                 return (NULL);
12022         }
12023         *ipif = ipif_zero;      /* start clean */
12024 
12025         ipif->ipif_ill = ill;
12026         ipif->ipif_id = id;  /* could be -1 */
12027         /*
12028          * Inherit the zoneid from the ill; for the shared stack instance
12029          * this is always the global zone
12030          */
12031         ipif->ipif_zoneid = ill->ill_zoneid;
12032 
12033         ipif->ipif_refcnt = 0;
12034 
12035         if (insert) {
12036                 if ((err = ipif_insert(ipif, ire_type != IRE_LOOPBACK)) != 0) {
12037                         mi_free(ipif);
12038                         if (errorp != NULL)
12039                                 *errorp = err;
12040                         return (NULL);
12041                 }
12042                 /* -1 id should have been replaced by real id */
12043                 id = ipif->ipif_id;
12044                 ASSERT(id >= 0);
12045         }
12046 
12047         if (ill->ill_name[0] != '\0')
12048                 ipif_assign_seqid(ipif);
12049 
12050         /*
12051          * If this is the zeroth ipif on the IPMP ill, create the illgrp
12052          * (which must not exist yet because the zeroth ipif is created once
12053          * per ill).  However, do not not link it to the ipmp_grp_t until
12054          * I_PLINK is called; see ip_sioctl_plink_ipmp() for details.
12055          */
12056         if (id == 0 && IS_IPMP(ill)) {
12057                 if (ipmp_illgrp_create(ill) == NULL) {
12058                         if (insert) {
12059                                 rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
12060                                 ipif_remove(ipif);
12061                                 rw_exit(&ipst->ips_ill_g_lock);
12062                         }
12063                         mi_free(ipif);
12064                         if (errorp != NULL)
12065                                 *errorp = ENOMEM;
12066                         return (NULL);
12067                 }
12068         }
12069 
12070         /*
12071          * We grab ill_lock to protect the flag changes.  The ipif is still
12072          * not up and can't be looked up until the ioctl completes and the
12073          * IPIF_CHANGING flag is cleared.
12074          */
12075         mutex_enter(&ill->ill_lock);
12076 
12077         ipif->ipif_ire_type = ire_type;
12078 
12079         if (ipif->ipif_isv6) {
12080                 ill->ill_flags |= ILLF_IPV6;
12081         } else {
12082                 ipaddr_t inaddr_any = INADDR_ANY;
12083 
12084                 ill->ill_flags |= ILLF_IPV4;
12085 
12086                 /* Keep the IN6_IS_ADDR_V4MAPPED assertions happy */
12087                 IN6_IPADDR_TO_V4MAPPED(inaddr_any,
12088                     &ipif->ipif_v6lcl_addr);
12089                 IN6_IPADDR_TO_V4MAPPED(inaddr_any,
12090                     &ipif->ipif_v6subnet);
12091                 IN6_IPADDR_TO_V4MAPPED(inaddr_any,
12092                     &ipif->ipif_v6net_mask);
12093                 IN6_IPADDR_TO_V4MAPPED(inaddr_any,
12094                     &ipif->ipif_v6brd_addr);
12095                 IN6_IPADDR_TO_V4MAPPED(inaddr_any,
12096                     &ipif->ipif_v6pp_dst_addr);
12097         }
12098 
12099         /*
12100          * Don't set the interface flags etc. now, will do it in
12101          * ip_ll_subnet_defaults.
12102          */
12103         if (!initialize)
12104                 goto out;
12105 
12106         /*
12107          * NOTE: The IPMP meta-interface is special-cased because it starts
12108          * with no underlying interfaces (and thus an unknown broadcast
12109          * address length), but all interfaces that can be placed into an IPMP
12110          * group are required to be broadcast-capable.
12111          */
12112         if (ill->ill_bcast_addr_length != 0 || IS_IPMP(ill)) {
12113                 /*
12114                  * Later detect lack of DLPI driver multicast capability by
12115                  * catching DL_ENABMULTI_REQ errors in ip_rput_dlpi().
12116                  */
12117                 ill->ill_flags |= ILLF_MULTICAST;
12118                 if (!ipif->ipif_isv6)
12119                         ipif->ipif_flags |= IPIF_BROADCAST;
12120         } else {
12121                 if (ill->ill_net_type != IRE_LOOPBACK) {
12122                         if (ipif->ipif_isv6)
12123                                 /*
12124                                  * Note: xresolv interfaces will eventually need
12125                                  * NOARP set here as well, but that will require
12126                                  * those external resolvers to have some
12127                                  * knowledge of that flag and act appropriately.
12128                                  * Not to be changed at present.
12129                                  */
12130                                 ill->ill_flags |= ILLF_NONUD;
12131                         else
12132                                 ill->ill_flags |= ILLF_NOARP;
12133                 }
12134                 if (ill->ill_phys_addr_length == 0) {
12135                         if (IS_VNI(ill)) {
12136                                 ipif->ipif_flags |= IPIF_NOXMIT;
12137                         } else {
12138                                 /* pt-pt supports multicast. */
12139                                 ill->ill_flags |= ILLF_MULTICAST;
12140                                 if (ill->ill_net_type != IRE_LOOPBACK)
12141                                         ipif->ipif_flags |= IPIF_POINTOPOINT;
12142                         }
12143                 }
12144         }
12145 out:
12146         mutex_exit(&ill->ill_lock);
12147         return (ipif);
12148 }
12149 
12150 /*
12151  * Remove the neighbor cache entries associated with this logical
12152  * interface.
12153  */
12154 int
12155 ipif_arp_down(ipif_t *ipif)
12156 {
12157         ill_t   *ill = ipif->ipif_ill;
12158         int     err = 0;
12159 
12160         ip1dbg(("ipif_arp_down(%s:%u)\n", ill->ill_name, ipif->ipif_id));
12161         ASSERT(IAM_WRITER_IPIF(ipif));
12162 
12163         DTRACE_PROBE3(ipif__downup, char *, "ipif_arp_down",
12164             ill_t *, ill, ipif_t *, ipif);
12165         ipif_nce_down(ipif);
12166 
12167         /*
12168          * If this is the last ipif that is going down and there are no
12169          * duplicate addresses we may yet attempt to re-probe, then we need to
12170          * clean up ARP completely.
12171          */
12172         if (ill->ill_ipif_up_count == 0 && ill->ill_ipif_dup_count == 0 &&
12173             !ill->ill_logical_down && ill->ill_net_type == IRE_IF_RESOLVER) {
12174                 /*
12175                  * If this was the last ipif on an IPMP interface, purge any
12176                  * static ARP entries associated with it.
12177                  */
12178                 if (IS_IPMP(ill))
12179                         ipmp_illgrp_refresh_arpent(ill->ill_grp);
12180 
12181                 /* UNBIND, DETACH */
12182                 err = arp_ll_down(ill);
12183         }
12184 
12185         return (err);
12186 }
12187 
12188 /*
12189  * Get the resolver set up for a new IP address.  (Always called as writer.)
12190  * Called both for IPv4 and IPv6 interfaces, though it only does some
12191  * basic DAD related initialization for IPv6. Honors ILLF_NOARP.
12192  *
12193  * The enumerated value res_act tunes the behavior:
12194  *      * Res_act_initial: set up all the resolver structures for a new
12195  *        IP address.
12196  *      * Res_act_defend: tell ARP that it needs to send a single gratuitous
12197  *        ARP message in defense of the address.
12198  *      * Res_act_rebind: tell ARP to change the hardware address for an IP
12199  *        address (and issue gratuitous ARPs).  Used by ipmp_ill_bind_ipif().
12200  *
12201  * Returns zero on success, or an errno upon failure.
12202  */
12203 int
12204 ipif_resolver_up(ipif_t *ipif, enum ip_resolver_action res_act)
12205 {
12206         ill_t           *ill = ipif->ipif_ill;
12207         int             err;
12208         boolean_t       was_dup;
12209 
12210         ip1dbg(("ipif_resolver_up(%s:%u) flags 0x%x\n",
12211             ill->ill_name, ipif->ipif_id, (uint_t)ipif->ipif_flags));
12212         ASSERT(IAM_WRITER_IPIF(ipif));
12213 
12214         was_dup = B_FALSE;
12215         if (res_act == Res_act_initial) {
12216                 ipif->ipif_addr_ready = 0;
12217                 /*
12218                  * We're bringing an interface up here.  There's no way that we
12219                  * should need to shut down ARP now.
12220                  */
12221                 mutex_enter(&ill->ill_lock);
12222                 if (ipif->ipif_flags & IPIF_DUPLICATE) {
12223                         ipif->ipif_flags &= ~IPIF_DUPLICATE;
12224                         ill->ill_ipif_dup_count--;
12225                         was_dup = B_TRUE;
12226                 }
12227                 mutex_exit(&ill->ill_lock);
12228         }
12229         if (ipif->ipif_recovery_id != 0)
12230                 (void) untimeout(ipif->ipif_recovery_id);
12231         ipif->ipif_recovery_id = 0;
12232         if (ill->ill_net_type != IRE_IF_RESOLVER) {
12233                 ipif->ipif_addr_ready = 1;
12234                 return (0);
12235         }
12236         /* NDP will set the ipif_addr_ready flag when it's ready */
12237         if (ill->ill_isv6)
12238                 return (0);
12239 
12240         err = ipif_arp_up(ipif, res_act, was_dup);
12241         return (err);
12242 }
12243 
12244 /*
12245  * This routine restarts IPv4/IPv6 duplicate address detection (DAD)
12246  * when a link has just gone back up.
12247  */
12248 static void
12249 ipif_nce_start_dad(ipif_t *ipif)
12250 {
12251         ncec_t *ncec;
12252         ill_t *ill = ipif->ipif_ill;
12253         boolean_t isv6 = ill->ill_isv6;
12254 
12255         if (isv6) {
12256                 ncec = ncec_lookup_illgrp_v6(ipif->ipif_ill,
12257                     &ipif->ipif_v6lcl_addr);
12258         } else {
12259                 ipaddr_t v4addr;
12260 
12261                 if (ill->ill_net_type != IRE_IF_RESOLVER ||
12262                     (ipif->ipif_flags & IPIF_UNNUMBERED) ||
12263                     ipif->ipif_lcl_addr == INADDR_ANY) {
12264                         /*
12265                          * If we can't contact ARP for some reason,
12266                          * that's not really a problem.  Just send
12267                          * out the routing socket notification that
12268                          * DAD completion would have done, and continue.
12269                          */
12270                         ipif_mask_reply(ipif);
12271                         ipif_up_notify(ipif);
12272                         ipif->ipif_addr_ready = 1;
12273                         return;
12274                 }
12275 
12276                 IN6_V4MAPPED_TO_IPADDR(&ipif->ipif_v6lcl_addr, v4addr);
12277                 ncec = ncec_lookup_illgrp_v4(ipif->ipif_ill, &v4addr);
12278         }
12279 
12280         if (ncec == NULL) {
12281                 ip1dbg(("couldn't find ncec for ipif %p leaving !ready\n",
12282                     (void *)ipif));
12283                 return;
12284         }
12285         if (!nce_restart_dad(ncec)) {
12286                 /*
12287                  * If we can't restart DAD for some reason, that's not really a
12288                  * problem.  Just send out the routing socket notification that
12289                  * DAD completion would have done, and continue.
12290                  */
12291                 ipif_up_notify(ipif);
12292                 ipif->ipif_addr_ready = 1;
12293         }
12294         ncec_refrele(ncec);
12295 }
12296 
12297 /*
12298  * Restart duplicate address detection on all interfaces on the given ill.
12299  *
12300  * This is called when an interface transitions from down to up
12301  * (DL_NOTE_LINK_UP) or up to down (DL_NOTE_LINK_DOWN).
12302  *
12303  * Note that since the underlying physical link has transitioned, we must cause
12304  * at least one routing socket message to be sent here, either via DAD
12305  * completion or just by default on the first ipif.  (If we don't do this, then
12306  * in.mpathd will see long delays when doing link-based failure recovery.)
12307  */
12308 void
12309 ill_restart_dad(ill_t *ill, boolean_t went_up)
12310 {
12311         ipif_t *ipif;
12312 
12313         if (ill == NULL)
12314                 return;
12315 
12316         /*
12317          * If layer two doesn't support duplicate address detection, then just
12318          * send the routing socket message now and be done with it.
12319          */
12320         if (!ill->ill_isv6 && arp_no_defense) {
12321                 ip_rts_ifmsg(ill->ill_ipif, RTSQ_DEFAULT);
12322                 return;
12323         }
12324 
12325         for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
12326                 if (went_up) {
12327 
12328                         if (ipif->ipif_flags & IPIF_UP) {
12329                                 ipif_nce_start_dad(ipif);
12330                         } else if (ipif->ipif_flags & IPIF_DUPLICATE) {
12331                                 /*
12332                                  * kick off the bring-up process now.
12333                                  */
12334                                 ipif_do_recovery(ipif);
12335                         } else {
12336                                 /*
12337                                  * Unfortunately, the first ipif is "special"
12338                                  * and represents the underlying ill in the
12339                                  * routing socket messages.  Thus, when this
12340                                  * one ipif is down, we must still notify so
12341                                  * that the user knows the IFF_RUNNING status
12342                                  * change.  (If the first ipif is up, then
12343                                  * we'll handle eventual routing socket
12344                                  * notification via DAD completion.)
12345                                  */
12346                                 if (ipif == ill->ill_ipif) {
12347                                         ip_rts_ifmsg(ill->ill_ipif,
12348                                             RTSQ_DEFAULT);
12349                                 }
12350                         }
12351                 } else {
12352                         /*
12353                          * After link down, we'll need to send a new routing
12354                          * message when the link comes back, so clear
12355                          * ipif_addr_ready.
12356                          */
12357                         ipif->ipif_addr_ready = 0;
12358                 }
12359         }
12360 
12361         /*
12362          * If we've torn down links, then notify the user right away.
12363          */
12364         if (!went_up)
12365                 ip_rts_ifmsg(ill->ill_ipif, RTSQ_DEFAULT);
12366 }
12367 
12368 static void
12369 ipsq_delete(ipsq_t *ipsq)
12370 {
12371         ipxop_t *ipx = ipsq->ipsq_xop;
12372 
12373         ipsq->ipsq_ipst = NULL;
12374         ASSERT(ipsq->ipsq_phyint == NULL);
12375         ASSERT(ipsq->ipsq_xop != NULL);
12376         ASSERT(ipsq->ipsq_xopq_mphead == NULL && ipx->ipx_mphead == NULL);
12377         ASSERT(ipx->ipx_pending_mp == NULL);
12378         kmem_free(ipsq, sizeof (ipsq_t));
12379 }
12380 
12381 static int
12382 ill_up_ipifs_on_ill(ill_t *ill, queue_t *q, mblk_t *mp)
12383 {
12384         int err = 0;
12385         ipif_t *ipif;
12386 
12387         if (ill == NULL)
12388                 return (0);
12389 
12390         ASSERT(IAM_WRITER_ILL(ill));
12391         ill->ill_up_ipifs = B_TRUE;
12392         for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
12393                 if (ipif->ipif_was_up) {
12394                         if (!(ipif->ipif_flags & IPIF_UP))
12395                                 err = ipif_up(ipif, q, mp);
12396                         ipif->ipif_was_up = B_FALSE;
12397                         if (err != 0) {
12398                                 ASSERT(err == EINPROGRESS);
12399                                 return (err);
12400                         }
12401                 }
12402         }
12403         ill->ill_up_ipifs = B_FALSE;
12404         return (0);
12405 }
12406 
12407 /*
12408  * This function is called to bring up all the ipifs that were up before
12409  * bringing the ill down via ill_down_ipifs().
12410  */
12411 int
12412 ill_up_ipifs(ill_t *ill, queue_t *q, mblk_t *mp)
12413 {
12414         int err;
12415 
12416         ASSERT(IAM_WRITER_ILL(ill));
12417 
12418         if (ill->ill_replumbing) {
12419                 ill->ill_replumbing = 0;
12420                 /*
12421                  * Send down REPLUMB_DONE notification followed by the
12422                  * BIND_REQ on the arp stream.
12423                  */
12424                 if (!ill->ill_isv6)
12425                         arp_send_replumb_conf(ill);
12426         }
12427         err = ill_up_ipifs_on_ill(ill->ill_phyint->phyint_illv4, q, mp);
12428         if (err != 0)
12429                 return (err);
12430 
12431         return (ill_up_ipifs_on_ill(ill->ill_phyint->phyint_illv6, q, mp));
12432 }
12433 
12434 /*
12435  * Bring down any IPIF_UP ipifs on ill. If "logical" is B_TRUE, we bring
12436  * down the ipifs without sending DL_UNBIND_REQ to the driver.
12437  */
12438 static void
12439 ill_down_ipifs(ill_t *ill, boolean_t logical)
12440 {
12441         ipif_t *ipif;
12442 
12443         ASSERT(IAM_WRITER_ILL(ill));
12444 
12445         for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
12446                 /*
12447                  * We go through the ipif_down logic even if the ipif
12448                  * is already down, since routes can be added based
12449                  * on down ipifs. Going through ipif_down once again
12450                  * will delete any IREs created based on these routes.
12451                  */
12452                 if (ipif->ipif_flags & IPIF_UP)
12453                         ipif->ipif_was_up = B_TRUE;
12454 
12455                 if (logical) {
12456                         (void) ipif_logical_down(ipif, NULL, NULL);
12457                         ipif_non_duplicate(ipif);
12458                         (void) ipif_down_tail(ipif);
12459                 } else {
12460                         (void) ipif_down(ipif, NULL, NULL);
12461                 }
12462         }
12463 }
12464 
12465 /*
12466  * Redo source address selection.  This makes IXAF_VERIFY_SOURCE take
12467  * a look again at valid source addresses.
12468  * This should be called each time after the set of source addresses has been
12469  * changed.
12470  */
12471 void
12472 ip_update_source_selection(ip_stack_t *ipst)
12473 {
12474         /* We skip past SRC_GENERATION_VERIFY */
12475         if (atomic_add_32_nv(&ipst->ips_src_generation, 1) ==
12476             SRC_GENERATION_VERIFY)
12477                 atomic_add_32(&ipst->ips_src_generation, 1);
12478 }
12479 
12480 /*
12481  * Finish the group join started in ip_sioctl_groupname().
12482  */
12483 /* ARGSUSED */
12484 static void
12485 ip_join_illgrps(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy)
12486 {
12487         ill_t           *ill = q->q_ptr;
12488         phyint_t        *phyi = ill->ill_phyint;
12489         ipmp_grp_t      *grp = phyi->phyint_grp;
12490         ip_stack_t      *ipst = ill->ill_ipst;
12491 
12492         /* IS_UNDER_IPMP() won't work until ipmp_ill_join_illgrp() is called */
12493         ASSERT(!IS_IPMP(ill) && grp != NULL);
12494         ASSERT(IAM_WRITER_IPSQ(ipsq));
12495 
12496         if (phyi->phyint_illv4 != NULL) {
12497                 rw_enter(&ipst->ips_ipmp_lock, RW_WRITER);
12498                 VERIFY(grp->gr_pendv4-- > 0);
12499                 rw_exit(&ipst->ips_ipmp_lock);
12500                 ipmp_ill_join_illgrp(phyi->phyint_illv4, grp->gr_v4);
12501         }
12502         if (phyi->phyint_illv6 != NULL) {
12503                 rw_enter(&ipst->ips_ipmp_lock, RW_WRITER);
12504                 VERIFY(grp->gr_pendv6-- > 0);
12505                 rw_exit(&ipst->ips_ipmp_lock);
12506                 ipmp_ill_join_illgrp(phyi->phyint_illv6, grp->gr_v6);
12507         }
12508         freemsg(mp);
12509 }
12510 
12511 /*
12512  * Process an SIOCSLIFGROUPNAME request.
12513  */
12514 /* ARGSUSED */
12515 int
12516 ip_sioctl_groupname(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
12517     ip_ioctl_cmd_t *ipip, void *ifreq)
12518 {
12519         struct lifreq   *lifr = ifreq;
12520         ill_t           *ill = ipif->ipif_ill;
12521         ip_stack_t      *ipst = ill->ill_ipst;
12522         phyint_t        *phyi = ill->ill_phyint;
12523         ipmp_grp_t      *grp = phyi->phyint_grp;
12524         mblk_t          *ipsq_mp;
12525         int             err = 0;
12526 
12527         /*
12528          * Note that phyint_grp can only change here, where we're exclusive.
12529          */
12530         ASSERT(IAM_WRITER_ILL(ill));
12531 
12532         if (ipif->ipif_id != 0 || ill->ill_usesrc_grp_next != NULL ||
12533             (phyi->phyint_flags & PHYI_VIRTUAL))
12534                 return (EINVAL);
12535 
12536         lifr->lifr_groupname[LIFGRNAMSIZ - 1] = '\0';
12537 
12538         rw_enter(&ipst->ips_ipmp_lock, RW_WRITER);
12539 
12540         /*
12541          * If the name hasn't changed, there's nothing to do.
12542          */
12543         if (grp != NULL && strcmp(grp->gr_name, lifr->lifr_groupname) == 0)
12544                 goto unlock;
12545 
12546         /*
12547          * Handle requests to rename an IPMP meta-interface.
12548          *
12549          * Note that creation of the IPMP meta-interface is handled in
12550          * userland through the standard plumbing sequence.  As part of the
12551          * plumbing the IPMP meta-interface, its initial groupname is set to
12552          * the name of the interface (see ipif_set_values_tail()).
12553          */
12554         if (IS_IPMP(ill)) {
12555                 err = ipmp_grp_rename(grp, lifr->lifr_groupname);
12556                 goto unlock;
12557         }
12558 
12559         /*
12560          * Handle requests to add or remove an IP interface from a group.
12561          */
12562         if (lifr->lifr_groupname[0] != '\0') {                       /* add */
12563                 /*
12564                  * Moves are handled by first removing the interface from
12565                  * its existing group, and then adding it to another group.
12566                  * So, fail if it's already in a group.
12567                  */
12568                 if (IS_UNDER_IPMP(ill)) {
12569                         err = EALREADY;
12570                         goto unlock;
12571                 }
12572 
12573                 grp = ipmp_grp_lookup(lifr->lifr_groupname, ipst);
12574                 if (grp == NULL) {
12575                         err = ENOENT;
12576                         goto unlock;
12577                 }
12578 
12579                 /*
12580                  * Check if the phyint and its ills are suitable for
12581                  * inclusion into the group.
12582                  */
12583                 if ((err = ipmp_grp_vet_phyint(grp, phyi)) != 0)
12584                         goto unlock;
12585 
12586                 /*
12587                  * Checks pass; join the group, and enqueue the remaining
12588                  * illgrp joins for when we've become part of the group xop
12589                  * and are exclusive across its IPSQs.  Since qwriter_ip()
12590                  * requires an mblk_t to scribble on, and since `mp' will be
12591                  * freed as part of completing the ioctl, allocate another.
12592                  */
12593                 if ((ipsq_mp = allocb(0, BPRI_MED)) == NULL) {
12594                         err = ENOMEM;
12595                         goto unlock;
12596                 }
12597 
12598                 /*
12599                  * Before we drop ipmp_lock, bump gr_pend* to ensure that the
12600                  * IPMP meta-interface ills needed by `phyi' cannot go away
12601                  * before ip_join_illgrps() is called back.  See the comments
12602                  * in ip_sioctl_plink_ipmp() for more.
12603                  */
12604                 if (phyi->phyint_illv4 != NULL)
12605                         grp->gr_pendv4++;
12606                 if (phyi->phyint_illv6 != NULL)
12607                         grp->gr_pendv6++;
12608 
12609                 rw_exit(&ipst->ips_ipmp_lock);
12610 
12611                 ipmp_phyint_join_grp(phyi, grp);
12612                 ill_refhold(ill);
12613                 qwriter_ip(ill, ill->ill_rq, ipsq_mp, ip_join_illgrps,
12614                     SWITCH_OP, B_FALSE);
12615                 return (0);
12616         } else {
12617                 /*
12618                  * Request to remove the interface from a group.  If the
12619                  * interface is not in a group, this trivially succeeds.
12620                  */
12621                 rw_exit(&ipst->ips_ipmp_lock);
12622                 if (IS_UNDER_IPMP(ill))
12623                         ipmp_phyint_leave_grp(phyi);
12624                 return (0);
12625         }
12626 unlock:
12627         rw_exit(&ipst->ips_ipmp_lock);
12628         return (err);
12629 }
12630 
12631 /*
12632  * Process an SIOCGLIFBINDING request.
12633  */
12634 /* ARGSUSED */
12635 int
12636 ip_sioctl_get_binding(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
12637     ip_ioctl_cmd_t *ipip, void *ifreq)
12638 {
12639         ill_t           *ill;
12640         struct lifreq   *lifr = ifreq;
12641         ip_stack_t      *ipst = ipif->ipif_ill->ill_ipst;
12642 
12643         if (!IS_IPMP(ipif->ipif_ill))
12644                 return (EINVAL);
12645 
12646         rw_enter(&ipst->ips_ipmp_lock, RW_READER);
12647         if ((ill = ipif->ipif_bound_ill) == NULL)
12648                 lifr->lifr_binding[0] = '\0';
12649         else
12650                 (void) strlcpy(lifr->lifr_binding, ill->ill_name, LIFNAMSIZ);
12651         rw_exit(&ipst->ips_ipmp_lock);
12652         return (0);
12653 }
12654 
12655 /*
12656  * Process an SIOCGLIFGROUPNAME request.
12657  */
12658 /* ARGSUSED */
12659 int
12660 ip_sioctl_get_groupname(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
12661     ip_ioctl_cmd_t *ipip, void *ifreq)
12662 {
12663         ipmp_grp_t      *grp;
12664         struct lifreq   *lifr = ifreq;
12665         ip_stack_t      *ipst = ipif->ipif_ill->ill_ipst;
12666 
12667         rw_enter(&ipst->ips_ipmp_lock, RW_READER);
12668         if ((grp = ipif->ipif_ill->ill_phyint->phyint_grp) == NULL)
12669                 lifr->lifr_groupname[0] = '\0';
12670         else
12671                 (void) strlcpy(lifr->lifr_groupname, grp->gr_name, LIFGRNAMSIZ);
12672         rw_exit(&ipst->ips_ipmp_lock);
12673         return (0);
12674 }
12675 
12676 /*
12677  * Process an SIOCGLIFGROUPINFO request.
12678  */
12679 /* ARGSUSED */
12680 int
12681 ip_sioctl_groupinfo(ipif_t *dummy_ipif, sin_t *sin, queue_t *q, mblk_t *mp,
12682     ip_ioctl_cmd_t *ipip, void *dummy)
12683 {
12684         ipmp_grp_t      *grp;
12685         lifgroupinfo_t  *lifgr;
12686         ip_stack_t      *ipst = CONNQ_TO_IPST(q);
12687 
12688         /* ip_wput_nondata() verified mp->b_cont->b_cont */
12689         lifgr = (lifgroupinfo_t *)mp->b_cont->b_cont->b_rptr;
12690         lifgr->gi_grname[LIFGRNAMSIZ - 1] = '\0';
12691 
12692         rw_enter(&ipst->ips_ipmp_lock, RW_READER);
12693         if ((grp = ipmp_grp_lookup(lifgr->gi_grname, ipst)) == NULL) {
12694                 rw_exit(&ipst->ips_ipmp_lock);
12695                 return (ENOENT);
12696         }
12697         ipmp_grp_info(grp, lifgr);
12698         rw_exit(&ipst->ips_ipmp_lock);
12699         return (0);
12700 }
12701 
12702 static void
12703 ill_dl_down(ill_t *ill)
12704 {
12705         DTRACE_PROBE2(ill__downup, char *, "ill_dl_down", ill_t *, ill);
12706 
12707         /*
12708          * The ill is down; unbind but stay attached since we're still
12709          * associated with a PPA. If we have negotiated DLPI capabilites
12710          * with the data link service provider (IDS_OK) then reset them.
12711          * The interval between unbinding and rebinding is potentially
12712          * unbounded hence we cannot assume things will be the same.
12713          * The DLPI capabilities will be probed again when the data link
12714          * is brought up.
12715          */
12716         mblk_t  *mp = ill->ill_unbind_mp;
12717 
12718         ip1dbg(("ill_dl_down(%s)\n", ill->ill_name));
12719 
12720         if (!ill->ill_replumbing) {
12721                 /* Free all ilms for this ill */
12722                 update_conn_ill(ill, ill->ill_ipst);
12723         } else {
12724                 ill_leave_multicast(ill);
12725         }
12726 
12727         ill->ill_unbind_mp = NULL;
12728         if (mp != NULL) {
12729                 ip1dbg(("ill_dl_down: %s (%u) for %s\n",
12730                     dl_primstr(*(int *)mp->b_rptr), *(int *)mp->b_rptr,
12731                     ill->ill_name));
12732                 mutex_enter(&ill->ill_lock);
12733                 ill->ill_state_flags |= ILL_DL_UNBIND_IN_PROGRESS;
12734                 mutex_exit(&ill->ill_lock);
12735                 /*
12736                  * ip_rput does not pass up normal (M_PROTO) DLPI messages
12737                  * after ILL_CONDEMNED is set. So in the unplumb case, we call
12738                  * ill_capability_dld_disable disable rightaway. If this is not
12739                  * an unplumb operation then the disable happens on receipt of
12740                  * the capab ack via ip_rput_dlpi_writer ->
12741                  * ill_capability_ack_thr. In both cases the order of
12742                  * the operations seen by DLD is capability disable followed
12743                  * by DL_UNBIND. Also the DLD capability disable needs a
12744                  * cv_wait'able context.
12745                  */
12746                 if (ill->ill_state_flags & ILL_CONDEMNED)
12747                         ill_capability_dld_disable(ill);
12748                 ill_capability_reset(ill, B_FALSE);
12749                 ill_dlpi_send(ill, mp);
12750         }
12751         mutex_enter(&ill->ill_lock);
12752         ill->ill_dl_up = 0;
12753         ill_nic_event_dispatch(ill, 0, NE_DOWN, NULL, 0);
12754         mutex_exit(&ill->ill_lock);
12755 }
12756 
12757 void
12758 ill_dlpi_dispatch(ill_t *ill, mblk_t *mp)
12759 {
12760         union DL_primitives *dlp;
12761         t_uscalar_t prim;
12762         boolean_t waitack = B_FALSE;
12763 
12764         ASSERT(DB_TYPE(mp) == M_PROTO || DB_TYPE(mp) == M_PCPROTO);
12765 
12766         dlp = (union DL_primitives *)mp->b_rptr;
12767         prim = dlp->dl_primitive;
12768 
12769         ip1dbg(("ill_dlpi_dispatch: sending %s (%u) to %s\n",
12770             dl_primstr(prim), prim, ill->ill_name));
12771 
12772         switch (prim) {
12773         case DL_PHYS_ADDR_REQ:
12774         {
12775                 dl_phys_addr_req_t *dlpap = (dl_phys_addr_req_t *)mp->b_rptr;
12776                 ill->ill_phys_addr_pend = dlpap->dl_addr_type;
12777                 break;
12778         }
12779         case DL_BIND_REQ:
12780                 mutex_enter(&ill->ill_lock);
12781                 ill->ill_state_flags &= ~ILL_DL_UNBIND_IN_PROGRESS;
12782                 mutex_exit(&ill->ill_lock);
12783                 break;
12784         }
12785 
12786         /*
12787          * Except for the ACKs for the M_PCPROTO messages, all other ACKs
12788          * are dropped by ip_rput() if ILL_CONDEMNED is set. Therefore
12789          * we only wait for the ACK of the DL_UNBIND_REQ.
12790          */
12791         mutex_enter(&ill->ill_lock);
12792         if (!(ill->ill_state_flags & ILL_CONDEMNED) ||
12793             (prim == DL_UNBIND_REQ)) {
12794                 ill->ill_dlpi_pending = prim;
12795                 waitack = B_TRUE;
12796         }
12797 
12798         mutex_exit(&ill->ill_lock);
12799         DTRACE_PROBE3(ill__dlpi, char *, "ill_dlpi_dispatch",
12800             char *, dl_primstr(prim), ill_t *, ill);
12801         putnext(ill->ill_wq, mp);
12802 
12803         /*
12804          * There is no ack for DL_NOTIFY_CONF messages
12805          */
12806         if (waitack && prim == DL_NOTIFY_CONF)
12807                 ill_dlpi_done(ill, prim);
12808 }
12809 
12810 /*
12811  * Helper function for ill_dlpi_send().
12812  */
12813 /* ARGSUSED */
12814 static void
12815 ill_dlpi_send_writer(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *arg)
12816 {
12817         ill_dlpi_send(q->q_ptr, mp);
12818 }
12819 
12820 /*
12821  * Send a DLPI control message to the driver but make sure there
12822  * is only one outstanding message. Uses ill_dlpi_pending to tell
12823  * when it must queue. ip_rput_dlpi_writer calls ill_dlpi_done()
12824  * when an ACK or a NAK is received to process the next queued message.
12825  */
12826 void
12827 ill_dlpi_send(ill_t *ill, mblk_t *mp)
12828 {
12829         mblk_t **mpp;
12830 
12831         ASSERT(DB_TYPE(mp) == M_PROTO || DB_TYPE(mp) == M_PCPROTO);
12832 
12833         /*
12834          * To ensure that any DLPI requests for current exclusive operation
12835          * are always completely sent before any DLPI messages for other
12836          * operations, require writer access before enqueuing.
12837          */
12838         if (!IAM_WRITER_ILL(ill)) {
12839                 ill_refhold(ill);
12840                 /* qwriter_ip() does the ill_refrele() */
12841                 qwriter_ip(ill, ill->ill_wq, mp, ill_dlpi_send_writer,
12842                     NEW_OP, B_TRUE);
12843                 return;
12844         }
12845 
12846         mutex_enter(&ill->ill_lock);
12847         if (ill->ill_dlpi_pending != DL_PRIM_INVAL) {
12848                 /* Must queue message. Tail insertion */
12849                 mpp = &ill->ill_dlpi_deferred;
12850                 while (*mpp != NULL)
12851                         mpp = &((*mpp)->b_next);
12852 
12853                 ip1dbg(("ill_dlpi_send: deferring request for %s "
12854                     "while %s pending\n", ill->ill_name,
12855                     dl_primstr(ill->ill_dlpi_pending)));
12856 
12857                 *mpp = mp;
12858                 mutex_exit(&ill->ill_lock);
12859                 return;
12860         }
12861         mutex_exit(&ill->ill_lock);
12862         ill_dlpi_dispatch(ill, mp);
12863 }
12864 
12865 void
12866 ill_capability_send(ill_t *ill, mblk_t *mp)
12867 {
12868         ill->ill_capab_pending_cnt++;
12869         ill_dlpi_send(ill, mp);
12870 }
12871 
12872 void
12873 ill_capability_done(ill_t *ill)
12874 {
12875         ASSERT(ill->ill_capab_pending_cnt != 0);
12876 
12877         ill_dlpi_done(ill, DL_CAPABILITY_REQ);
12878 
12879         ill->ill_capab_pending_cnt--;
12880         if (ill->ill_capab_pending_cnt == 0 &&
12881             ill->ill_dlpi_capab_state == IDCS_OK)
12882                 ill_capability_reset_alloc(ill);
12883 }
12884 
12885 /*
12886  * Send all deferred DLPI messages without waiting for their ACKs.
12887  */
12888 void
12889 ill_dlpi_send_deferred(ill_t *ill)
12890 {
12891         mblk_t *mp, *nextmp;
12892 
12893         /*
12894          * Clear ill_dlpi_pending so that the message is not queued in
12895          * ill_dlpi_send().
12896          */
12897         mutex_enter(&ill->ill_lock);
12898         ill->ill_dlpi_pending = DL_PRIM_INVAL;
12899         mp = ill->ill_dlpi_deferred;
12900         ill->ill_dlpi_deferred = NULL;
12901         mutex_exit(&ill->ill_lock);
12902 
12903         for (; mp != NULL; mp = nextmp) {
12904                 nextmp = mp->b_next;
12905                 mp->b_next = NULL;
12906                 ill_dlpi_send(ill, mp);
12907         }
12908 }
12909 
12910 /*
12911  * Clear all the deferred DLPI messages. Called on receiving an M_ERROR
12912  * or M_HANGUP
12913  */
12914 static void
12915 ill_dlpi_clear_deferred(ill_t *ill)
12916 {
12917         mblk_t  *mp, *nextmp;
12918 
12919         mutex_enter(&ill->ill_lock);
12920         ill->ill_dlpi_pending = DL_PRIM_INVAL;
12921         mp = ill->ill_dlpi_deferred;
12922         ill->ill_dlpi_deferred = NULL;
12923         mutex_exit(&ill->ill_lock);
12924 
12925         for (; mp != NULL; mp = nextmp) {
12926                 nextmp = mp->b_next;
12927                 inet_freemsg(mp);
12928         }
12929 }
12930 
12931 /*
12932  * Check if the DLPI primitive `prim' is pending; print a warning if not.
12933  */
12934 boolean_t
12935 ill_dlpi_pending(ill_t *ill, t_uscalar_t prim)
12936 {
12937         t_uscalar_t pending;
12938 
12939         mutex_enter(&ill->ill_lock);
12940         if (ill->ill_dlpi_pending == prim) {
12941                 mutex_exit(&ill->ill_lock);
12942                 return (B_TRUE);
12943         }
12944 
12945         /*
12946          * During teardown, ill_dlpi_dispatch() will send DLPI requests
12947          * without waiting, so don't print any warnings in that case.
12948          */
12949         if (ill->ill_state_flags & ILL_CONDEMNED) {
12950                 mutex_exit(&ill->ill_lock);
12951                 return (B_FALSE);
12952         }
12953         pending = ill->ill_dlpi_pending;
12954         mutex_exit(&ill->ill_lock);
12955 
12956         if (pending == DL_PRIM_INVAL) {
12957                 (void) mi_strlog(ill->ill_rq, 1, SL_CONSOLE|SL_ERROR|SL_TRACE,
12958                     "received unsolicited ack for %s on %s\n",
12959                     dl_primstr(prim), ill->ill_name);
12960         } else {
12961                 (void) mi_strlog(ill->ill_rq, 1, SL_CONSOLE|SL_ERROR|SL_TRACE,
12962                     "received unexpected ack for %s on %s (expecting %s)\n",
12963                     dl_primstr(prim), ill->ill_name, dl_primstr(pending));
12964         }
12965         return (B_FALSE);
12966 }
12967 
12968 /*
12969  * Complete the current DLPI operation associated with `prim' on `ill' and
12970  * start the next queued DLPI operation (if any).  If there are no queued DLPI
12971  * operations and the ill's current exclusive IPSQ operation has finished
12972  * (i.e., ipsq_current_finish() was called), then clear ipsq_current_ipif to
12973  * allow the next exclusive IPSQ operation to begin upon ipsq_exit().  See
12974  * the comments above ipsq_current_finish() for details.
12975  */
12976 void
12977 ill_dlpi_done(ill_t *ill, t_uscalar_t prim)
12978 {
12979         mblk_t *mp;
12980         ipsq_t *ipsq = ill->ill_phyint->phyint_ipsq;
12981         ipxop_t *ipx = ipsq->ipsq_xop;
12982 
12983         ASSERT(IAM_WRITER_IPSQ(ipsq));
12984         mutex_enter(&ill->ill_lock);
12985 
12986         ASSERT(prim != DL_PRIM_INVAL);
12987         ASSERT(ill->ill_dlpi_pending == prim);
12988 
12989         ip1dbg(("ill_dlpi_done: %s has completed %s (%u)\n", ill->ill_name,
12990             dl_primstr(ill->ill_dlpi_pending), ill->ill_dlpi_pending));
12991 
12992         if ((mp = ill->ill_dlpi_deferred) == NULL) {
12993                 ill->ill_dlpi_pending = DL_PRIM_INVAL;
12994                 if (ipx->ipx_current_done) {
12995                         mutex_enter(&ipx->ipx_lock);
12996                         ipx->ipx_current_ipif = NULL;
12997                         mutex_exit(&ipx->ipx_lock);
12998                 }
12999                 cv_signal(&ill->ill_cv);
13000                 mutex_exit(&ill->ill_lock);
13001                 return;
13002         }
13003 
13004         ill->ill_dlpi_deferred = mp->b_next;
13005         mp->b_next = NULL;
13006         mutex_exit(&ill->ill_lock);
13007 
13008         ill_dlpi_dispatch(ill, mp);
13009 }
13010 
13011 /*
13012  * Queue a (multicast) DLPI control message to be sent to the driver by
13013  * later calling ill_dlpi_send_queued.
13014  * We queue them while holding a lock (ill_mcast_lock) to ensure that they
13015  * are sent in order i.e., prevent a DL_DISABMULTI_REQ and DL_ENABMULTI_REQ
13016  * for the same group to race.
13017  * We send DLPI control messages in order using ill_lock.
13018  * For IPMP we should be called on the cast_ill.
13019  */
13020 void
13021 ill_dlpi_queue(ill_t *ill, mblk_t *mp)
13022 {
13023         mblk_t **mpp;
13024 
13025         ASSERT(DB_TYPE(mp) == M_PROTO || DB_TYPE(mp) == M_PCPROTO);
13026 
13027         mutex_enter(&ill->ill_lock);
13028         /* Must queue message. Tail insertion */
13029         mpp = &ill->ill_dlpi_deferred;
13030         while (*mpp != NULL)
13031                 mpp = &((*mpp)->b_next);
13032 
13033         *mpp = mp;
13034         mutex_exit(&ill->ill_lock);
13035 }
13036 
13037 /*
13038  * Send the messages that were queued. Make sure there is only
13039  * one outstanding message. ip_rput_dlpi_writer calls ill_dlpi_done()
13040  * when an ACK or a NAK is received to process the next queued message.
13041  * For IPMP we are called on the upper ill, but when send what is queued
13042  * on the cast_ill.
13043  */
13044 void
13045 ill_dlpi_send_queued(ill_t *ill)
13046 {
13047         mblk_t  *mp;
13048         union DL_primitives *dlp;
13049         t_uscalar_t prim;
13050         ill_t *release_ill = NULL;
13051 
13052         if (IS_IPMP(ill)) {
13053                 /* On the upper IPMP ill. */
13054                 release_ill = ipmp_illgrp_hold_cast_ill(ill->ill_grp);
13055                 if (release_ill == NULL) {
13056                         /* Avoid ever sending anything down to the ipmpstub */
13057                         return;
13058                 }
13059                 ill = release_ill;
13060         }
13061         mutex_enter(&ill->ill_lock);
13062         while ((mp = ill->ill_dlpi_deferred) != NULL) {
13063                 if (ill->ill_dlpi_pending != DL_PRIM_INVAL) {
13064                         /* Can't send. Somebody else will send it */
13065                         mutex_exit(&ill->ill_lock);
13066                         goto done;
13067                 }
13068                 ill->ill_dlpi_deferred = mp->b_next;
13069                 mp->b_next = NULL;
13070                 if (!ill->ill_dl_up) {
13071                         /*
13072                          * Nobody there. All multicast addresses will be
13073                          * re-joined when we get the DL_BIND_ACK bringing the
13074                          * interface up.
13075                          */
13076                         freemsg(mp);
13077                         continue;
13078                 }
13079                 dlp = (union DL_primitives *)mp->b_rptr;
13080                 prim = dlp->dl_primitive;
13081 
13082                 if (!(ill->ill_state_flags & ILL_CONDEMNED) ||
13083                     (prim == DL_UNBIND_REQ)) {
13084                         ill->ill_dlpi_pending = prim;
13085                 }
13086                 mutex_exit(&ill->ill_lock);
13087 
13088                 DTRACE_PROBE3(ill__dlpi, char *, "ill_dlpi_send_queued",
13089                     char *, dl_primstr(prim), ill_t *, ill);
13090                 putnext(ill->ill_wq, mp);
13091                 mutex_enter(&ill->ill_lock);
13092         }
13093         mutex_exit(&ill->ill_lock);
13094 done:
13095         if (release_ill != NULL)
13096                 ill_refrele(release_ill);
13097 }
13098 
13099 /*
13100  * Queue an IP (IGMP/MLD) message to be sent by IP from
13101  * ill_mcast_send_queued
13102  * We queue them while holding a lock (ill_mcast_lock) to ensure that they
13103  * are sent in order i.e., prevent a IGMP leave and IGMP join for the same
13104  * group to race.
13105  * We send them in order using ill_lock.
13106  * For IPMP we are called on the upper ill, but we queue on the cast_ill.
13107  */
13108 void
13109 ill_mcast_queue(ill_t *ill, mblk_t *mp)
13110 {
13111         mblk_t **mpp;
13112         ill_t *release_ill = NULL;
13113 
13114         ASSERT(RW_LOCK_HELD(&ill->ill_mcast_lock));
13115 
13116         if (IS_IPMP(ill)) {
13117                 /* On the upper IPMP ill. */
13118                 release_ill = ipmp_illgrp_hold_cast_ill(ill->ill_grp);
13119                 if (release_ill == NULL) {
13120                         /* Discard instead of queuing for the ipmp interface */
13121                         BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
13122                         ip_drop_output("ipIfStatsOutDiscards - no cast_ill",
13123                             mp, ill);
13124                         freemsg(mp);
13125                         return;
13126                 }
13127                 ill = release_ill;
13128         }
13129 
13130         mutex_enter(&ill->ill_lock);
13131         /* Must queue message. Tail insertion */
13132         mpp = &ill->ill_mcast_deferred;
13133         while (*mpp != NULL)
13134                 mpp = &((*mpp)->b_next);
13135 
13136         *mpp = mp;
13137         mutex_exit(&ill->ill_lock);
13138         if (release_ill != NULL)
13139                 ill_refrele(release_ill);
13140 }
13141 
13142 /*
13143  * Send the IP packets that were queued by ill_mcast_queue.
13144  * These are IGMP/MLD packets.
13145  *
13146  * For IPMP we are called on the upper ill, but when send what is queued
13147  * on the cast_ill.
13148  *
13149  * Request loopback of the report if we are acting as a multicast
13150  * router, so that the process-level routing demon can hear it.
13151  * This will run multiple times for the same group if there are members
13152  * on the same group for multiple ipif's on the same ill. The
13153  * igmp_input/mld_input code will suppress this due to the loopback thus we
13154  * always loopback membership report.
13155  *
13156  * We also need to make sure that this does not get load balanced
13157  * by IPMP. We do this by passing an ill to ip_output_simple.
13158  */
13159 void
13160 ill_mcast_send_queued(ill_t *ill)
13161 {
13162         mblk_t  *mp;
13163         ip_xmit_attr_t ixas;
13164         ill_t *release_ill = NULL;
13165 
13166         if (IS_IPMP(ill)) {
13167                 /* On the upper IPMP ill. */
13168                 release_ill = ipmp_illgrp_hold_cast_ill(ill->ill_grp);
13169                 if (release_ill == NULL) {
13170                         /*
13171                          * We should have no messages on the ipmp interface
13172                          * but no point in trying to send them.
13173                          */
13174                         return;
13175                 }
13176                 ill = release_ill;
13177         }
13178         bzero(&ixas, sizeof (ixas));
13179         ixas.ixa_zoneid = ALL_ZONES;
13180         ixas.ixa_cred = kcred;
13181         ixas.ixa_cpid = NOPID;
13182         ixas.ixa_tsl = NULL;
13183         /*
13184          * Here we set ixa_ifindex. If IPMP it will be the lower ill which
13185          * makes ip_select_route pick the IRE_MULTICAST for the cast_ill.
13186          * That is necessary to handle IGMP/MLD snooping switches.
13187          */
13188         ixas.ixa_ifindex = ill->ill_phyint->phyint_ifindex;
13189         ixas.ixa_ipst = ill->ill_ipst;
13190 
13191         mutex_enter(&ill->ill_lock);
13192         while ((mp = ill->ill_mcast_deferred) != NULL) {
13193                 ill->ill_mcast_deferred = mp->b_next;
13194                 mp->b_next = NULL;
13195                 if (!ill->ill_dl_up) {
13196                         /*
13197                          * Nobody there. Just drop the ip packets.
13198                          * IGMP/MLD will resend later, if this is a replumb.
13199                          */
13200                         freemsg(mp);
13201                         continue;
13202                 }
13203                 mutex_enter(&ill->ill_phyint->phyint_lock);
13204                 if (IS_UNDER_IPMP(ill) && !ipmp_ill_is_active(ill)) {
13205                         /*
13206                          * When the ill is getting deactivated, we only want to
13207                          * send the DLPI messages, so drop IGMP/MLD packets.
13208                          * DLPI messages are handled by ill_dlpi_send_queued()
13209                          */
13210                         mutex_exit(&ill->ill_phyint->phyint_lock);
13211                         freemsg(mp);
13212                         continue;
13213                 }
13214                 mutex_exit(&ill->ill_phyint->phyint_lock);
13215                 mutex_exit(&ill->ill_lock);
13216 
13217                 /* Check whether we are sending IPv4 or IPv6. */
13218                 if (ill->ill_isv6) {
13219                         ip6_t  *ip6h = (ip6_t *)mp->b_rptr;
13220 
13221                         ixas.ixa_multicast_ttl = ip6h->ip6_hops;
13222                         ixas.ixa_flags = IXAF_BASIC_SIMPLE_V6;
13223                 } else {
13224                         ipha_t *ipha = (ipha_t *)mp->b_rptr;
13225 
13226                         ixas.ixa_multicast_ttl = ipha->ipha_ttl;
13227                         ixas.ixa_flags = IXAF_BASIC_SIMPLE_V4;
13228                         ixas.ixa_flags &= ~IXAF_SET_ULP_CKSUM;
13229                 }
13230                 ixas.ixa_flags &= ~IXAF_VERIFY_SOURCE;
13231                 ixas.ixa_flags |= IXAF_MULTICAST_LOOP | IXAF_SET_SOURCE;
13232                 (void) ip_output_simple(mp, &ixas);
13233                 ixa_cleanup(&ixas);
13234 
13235                 mutex_enter(&ill->ill_lock);
13236         }
13237         mutex_exit(&ill->ill_lock);
13238 
13239 done:
13240         if (release_ill != NULL)
13241                 ill_refrele(release_ill);
13242 }
13243 
13244 /*
13245  * Take down a specific interface, but don't lose any information about it.
13246  * (Always called as writer.)
13247  * This function goes through the down sequence even if the interface is
13248  * already down. There are 2 reasons.
13249  * a. Currently we permit interface routes that depend on down interfaces
13250  *    to be added. This behaviour itself is questionable. However it appears
13251  *    that both Solaris and 4.3 BSD have exhibited this behaviour for a long
13252  *    time. We go thru the cleanup in order to remove these routes.
13253  * b. The bringup of the interface could fail in ill_dl_up i.e. we get
13254  *    DL_ERROR_ACK in response to the DL_BIND request. The interface is
13255  *    down, but we need to cleanup i.e. do ill_dl_down and
13256  *    ip_rput_dlpi_writer (DL_ERROR_ACK) -> ipif_down.
13257  *
13258  * IP-MT notes:
13259  *
13260  * Model of reference to interfaces.
13261  *
13262  * The following members in ipif_t track references to the ipif.
13263  *      int     ipif_refcnt;    Active reference count
13264  *
13265  * The following members in ill_t track references to the ill.
13266  *      int             ill_refcnt;     active refcnt
13267  *      uint_t          ill_ire_cnt;    Number of ires referencing ill
13268  *      uint_t          ill_ncec_cnt;   Number of ncecs referencing ill
13269  *      uint_t          ill_nce_cnt;    Number of nces referencing ill
13270  *      uint_t          ill_ilm_cnt;    Number of ilms referencing ill
13271  *
13272  * Reference to an ipif or ill can be obtained in any of the following ways.
13273  *
13274  * Through the lookup functions ipif_lookup_* / ill_lookup_* functions
13275  * Pointers to ipif / ill from other data structures viz ire and conn.
13276  * Implicit reference to the ipif / ill by holding a reference to the ire.
13277  *
13278  * The ipif/ill lookup functions return a reference held ipif / ill.
13279  * ipif_refcnt and ill_refcnt track the reference counts respectively.
13280  * This is a purely dynamic reference count associated with threads holding
13281  * references to the ipif / ill. Pointers from other structures do not
13282  * count towards this reference count.
13283  *
13284  * ill_ire_cnt is the number of ire's associated with the
13285  * ill. This is incremented whenever a new ire is created referencing the
13286  * ill. This is done atomically inside ire_add_v[46] where the ire is
13287  * actually added to the ire hash table. The count is decremented in
13288  * ire_inactive where the ire is destroyed.
13289  *
13290  * ill_ncec_cnt is the number of ncec's referencing the ill thru ncec_ill.
13291  * This is incremented atomically in
13292  * ndp_add_v4()/ndp_add_v6() where the nce is actually added to the
13293  * table. Similarly it is decremented in ncec_inactive() where the ncec
13294  * is destroyed.
13295  *
13296  * ill_nce_cnt is the number of nce's referencing the ill thru nce_ill. This is
13297  * incremented atomically in nce_add() where the nce is actually added to the
13298  * ill_nce. Similarly it is decremented in nce_inactive() where the nce
13299  * is destroyed.
13300  *
13301  * ill_ilm_cnt is the ilm's reference to the ill. It is incremented in
13302  * ilm_add() and decremented before the ilm is freed in ilm_delete().
13303  *
13304  * Flow of ioctls involving interface down/up
13305  *
13306  * The following is the sequence of an attempt to set some critical flags on an
13307  * up interface.
13308  * ip_sioctl_flags
13309  * ipif_down
13310  * wait for ipif to be quiescent
13311  * ipif_down_tail
13312  * ip_sioctl_flags_tail
13313  *
13314  * All set ioctls that involve down/up sequence would have a skeleton similar
13315  * to the above. All the *tail functions are called after the refcounts have
13316  * dropped to the appropriate values.
13317  *
13318  * SIOC ioctls during the IPIF_CHANGING interval.
13319  *
13320  * Threads handling SIOC set ioctls serialize on the squeue, but this
13321  * is not done for SIOC get ioctls. Since a set ioctl can cause several
13322  * steps of internal changes to the state, some of which are visible in
13323  * ipif_flags (such as IFF_UP being cleared and later set), and we want
13324  * the set ioctl to be atomic related to the get ioctls, the SIOC get code
13325  * will wait and restart ioctls if IPIF_CHANGING is set. The mblk is then
13326  * enqueued in the ipsq and the operation is restarted by ipsq_exit() when
13327  * the current exclusive operation completes. The IPIF_CHANGING check
13328  * and enqueue is atomic using the ill_lock and ipsq_lock. The
13329  * lookup is done holding the ill_lock. Hence the ill/ipif state flags can't
13330  * change while the ill_lock is held. Before dropping the ill_lock we acquire
13331  * the ipsq_lock and call ipsq_enq. This ensures that ipsq_exit can't finish
13332  * until we release the ipsq_lock, even though the ill/ipif state flags
13333  * can change after we drop the ill_lock.
13334  */
13335 int
13336 ipif_down(ipif_t *ipif, queue_t *q, mblk_t *mp)
13337 {
13338         ill_t           *ill = ipif->ipif_ill;
13339         conn_t          *connp;
13340         boolean_t       success;
13341         boolean_t       ipif_was_up = B_FALSE;
13342         ip_stack_t      *ipst = ill->ill_ipst;
13343 
13344         ASSERT(IAM_WRITER_IPIF(ipif));
13345 
13346         ip1dbg(("ipif_down(%s:%u)\n", ill->ill_name, ipif->ipif_id));
13347 
13348         DTRACE_PROBE3(ipif__downup, char *, "ipif_down",
13349             ill_t *, ill, ipif_t *, ipif);
13350 
13351         if (ipif->ipif_flags & IPIF_UP) {
13352                 mutex_enter(&ill->ill_lock);
13353                 ipif->ipif_flags &= ~IPIF_UP;
13354                 ASSERT(ill->ill_ipif_up_count > 0);
13355                 --ill->ill_ipif_up_count;
13356                 mutex_exit(&ill->ill_lock);
13357                 ipif_was_up = B_TRUE;
13358                 /* Update status in SCTP's list */
13359                 sctp_update_ipif(ipif, SCTP_IPIF_DOWN);
13360                 ill_nic_event_dispatch(ipif->ipif_ill,
13361                     MAP_IPIF_ID(ipif->ipif_id), NE_LIF_DOWN, NULL, 0);
13362         }
13363 
13364         /*
13365          * Removal of the last ipif from an ill may result in a DL_UNBIND
13366          * being sent to the driver, and we must not send any data packets to
13367          * the driver after the DL_UNBIND_REQ. To ensure this, all the
13368          * ire and nce entries used in the data path will be cleaned
13369          * up, and we also set  the ILL_DOWN_IN_PROGRESS bit to make
13370          * sure on new entries will be added until the ill is bound
13371          * again. The ILL_DOWN_IN_PROGRESS bit is turned off upon
13372          * receipt of a DL_BIND_ACK.
13373          */
13374         if (ill->ill_wq != NULL && !ill->ill_logical_down &&
13375             ill->ill_ipif_up_count == 0 && ill->ill_ipif_dup_count == 0 &&
13376             ill->ill_dl_up) {
13377                 ill->ill_state_flags |= ILL_DOWN_IN_PROGRESS;
13378         }
13379 
13380         /*
13381          * Blow away memberships we established in ipif_multicast_up().
13382          */
13383         ipif_multicast_down(ipif);
13384 
13385         /*
13386          * Remove from the mapping for __sin6_src_id. We insert only
13387          * when the address is not INADDR_ANY. As IPv4 addresses are
13388          * stored as mapped addresses, we need to check for mapped
13389          * INADDR_ANY also.
13390          */
13391         if (ipif_was_up && !IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6lcl_addr) &&
13392             !IN6_IS_ADDR_V4MAPPED_ANY(&ipif->ipif_v6lcl_addr) &&
13393             !(ipif->ipif_flags & IPIF_NOLOCAL)) {
13394                 int err;
13395 
13396                 err = ip_srcid_remove(&ipif->ipif_v6lcl_addr,
13397                     ipif->ipif_zoneid, ipst);
13398                 if (err != 0) {
13399                         ip0dbg(("ipif_down: srcid_remove %d\n", err));
13400                 }
13401         }
13402 
13403         if (ipif_was_up) {
13404                 /* only delete if we'd added ire's before */
13405                 if (ipif->ipif_isv6)
13406                         ipif_delete_ires_v6(ipif);
13407                 else
13408                         ipif_delete_ires_v4(ipif);
13409         }
13410 
13411         if (ipif_was_up && ill->ill_ipif_up_count == 0) {
13412                 /*
13413                  * Since the interface is now down, it may have just become
13414                  * inactive.  Note that this needs to be done even for a
13415                  * lll_logical_down(), or ARP entries will not get correctly
13416                  * restored when the interface comes back up.
13417                  */
13418                 if (IS_UNDER_IPMP(ill))
13419                         ipmp_ill_refresh_active(ill);
13420         }
13421 
13422         /*
13423          * neighbor-discovery or arp entries for this interface. The ipif
13424          * has to be quiesced, so we walk all the nce's and delete those
13425          * that point at the ipif->ipif_ill. At the same time, we also
13426          * update IPMP so that ipifs for data addresses are unbound. We dont
13427          * call ipif_arp_down to DL_UNBIND the arp stream itself here, but defer
13428          * that for ipif_down_tail()
13429          */
13430         ipif_nce_down(ipif);
13431 
13432         /*
13433          * If this is the last ipif on the ill, we also need to remove
13434          * any IREs with ire_ill set. Otherwise ipif_is_quiescent() will
13435          * never succeed.
13436          */
13437         if (ill->ill_ipif_up_count == 0 && ill->ill_ipif_dup_count == 0)
13438                 ire_walk_ill(0, 0, ill_downi, ill, ill);
13439 
13440         /*
13441          * Walk all CONNs that can have a reference on an ire for this
13442          * ipif (we actually walk all that now have stale references).
13443          */
13444         ipcl_walk(conn_ixa_cleanup, (void *)B_TRUE, ipst);
13445 
13446         /*
13447          * If mp is NULL the caller will wait for the appropriate refcnt.
13448          * Eg. ip_sioctl_removeif -> ipif_free  -> ipif_down
13449          * and ill_delete -> ipif_free -> ipif_down
13450          */
13451         if (mp == NULL) {
13452                 ASSERT(q == NULL);
13453                 return (0);
13454         }
13455 
13456         if (CONN_Q(q)) {
13457                 connp = Q_TO_CONN(q);
13458                 mutex_enter(&connp->conn_lock);
13459         } else {
13460                 connp = NULL;
13461         }
13462         mutex_enter(&ill->ill_lock);
13463         /*
13464          * Are there any ire's pointing to this ipif that are still active ?
13465          * If this is the last ipif going down, are there any ire's pointing
13466          * to this ill that are still active ?
13467          */
13468         if (ipif_is_quiescent(ipif)) {
13469                 mutex_exit(&ill->ill_lock);
13470                 if (connp != NULL)
13471                         mutex_exit(&connp->conn_lock);
13472                 return (0);
13473         }
13474 
13475         ip1dbg(("ipif_down: need to wait, adding pending mp %s ill %p",
13476             ill->ill_name, (void *)ill));
13477         /*
13478          * Enqueue the mp atomically in ipsq_pending_mp. When the refcount
13479          * drops down, the operation will be restarted by ipif_ill_refrele_tail
13480          * which in turn is called by the last refrele on the ipif/ill/ire.
13481          */
13482         success = ipsq_pending_mp_add(connp, ipif, q, mp, IPIF_DOWN);
13483         if (!success) {
13484                 /* The conn is closing. So just return */
13485                 ASSERT(connp != NULL);
13486                 mutex_exit(&ill->ill_lock);
13487                 mutex_exit(&connp->conn_lock);
13488                 return (EINTR);
13489         }
13490 
13491         mutex_exit(&ill->ill_lock);
13492         if (connp != NULL)
13493                 mutex_exit(&connp->conn_lock);
13494         return (EINPROGRESS);
13495 }
13496 
13497 int
13498 ipif_down_tail(ipif_t *ipif)
13499 {
13500         ill_t   *ill = ipif->ipif_ill;
13501         int     err = 0;
13502 
13503         DTRACE_PROBE3(ipif__downup, char *, "ipif_down_tail",
13504             ill_t *, ill, ipif_t *, ipif);
13505 
13506         /*
13507          * Skip any loopback interface (null wq).
13508          * If this is the last logical interface on the ill
13509          * have ill_dl_down tell the driver we are gone (unbind)
13510          * Note that lun 0 can ipif_down even though
13511          * there are other logical units that are up.
13512          * This occurs e.g. when we change a "significant" IFF_ flag.
13513          */
13514         if (ill->ill_wq != NULL && !ill->ill_logical_down &&
13515             ill->ill_ipif_up_count == 0 && ill->ill_ipif_dup_count == 0 &&
13516             ill->ill_dl_up) {
13517                 ill_dl_down(ill);
13518         }
13519         if (!ipif->ipif_isv6)
13520                 err = ipif_arp_down(ipif);
13521 
13522         ill->ill_logical_down = 0;
13523 
13524         ip_rts_ifmsg(ipif, RTSQ_DEFAULT);
13525         ip_rts_newaddrmsg(RTM_DELETE, 0, ipif, RTSQ_DEFAULT);
13526         return (err);
13527 }
13528 
13529 /*
13530  * Bring interface logically down without bringing the physical interface
13531  * down e.g. when the netmask is changed. This avoids long lasting link
13532  * negotiations between an ethernet interface and a certain switches.
13533  */
13534 static int
13535 ipif_logical_down(ipif_t *ipif, queue_t *q, mblk_t *mp)
13536 {
13537         DTRACE_PROBE3(ipif__downup, char *, "ipif_logical_down",
13538             ill_t *, ipif->ipif_ill, ipif_t *, ipif);
13539 
13540         /*
13541          * The ill_logical_down flag is a transient flag. It is set here
13542          * and is cleared once the down has completed in ipif_down_tail.
13543          * This flag does not indicate whether the ill stream is in the
13544          * DL_BOUND state with the driver. Instead this flag is used by
13545          * ipif_down_tail to determine whether to DL_UNBIND the stream with
13546          * the driver. The state of the ill stream i.e. whether it is
13547          * DL_BOUND with the driver or not is indicated by the ill_dl_up flag.
13548          */
13549         ipif->ipif_ill->ill_logical_down = 1;
13550         return (ipif_down(ipif, q, mp));
13551 }
13552 
13553 /*
13554  * Initiate deallocate of an IPIF. Always called as writer. Called by
13555  * ill_delete or ip_sioctl_removeif.
13556  */
13557 static void
13558 ipif_free(ipif_t *ipif)
13559 {
13560         ip_stack_t      *ipst = ipif->ipif_ill->ill_ipst;
13561 
13562         ASSERT(IAM_WRITER_IPIF(ipif));
13563 
13564         if (ipif->ipif_recovery_id != 0)
13565                 (void) untimeout(ipif->ipif_recovery_id);
13566         ipif->ipif_recovery_id = 0;
13567 
13568         /*
13569          * Take down the interface. We can be called either from ill_delete
13570          * or from ip_sioctl_removeif.
13571          */
13572         (void) ipif_down(ipif, NULL, NULL);
13573 
13574         /*
13575          * Now that the interface is down, there's no chance it can still
13576          * become a duplicate.  Cancel any timer that may have been set while
13577          * tearing down.
13578          */
13579         if (ipif->ipif_recovery_id != 0)
13580                 (void) untimeout(ipif->ipif_recovery_id);
13581         ipif->ipif_recovery_id = 0;
13582 
13583         rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
13584         /* Remove pointers to this ill in the multicast routing tables */
13585         reset_mrt_vif_ipif(ipif);
13586         /* If necessary, clear the cached source ipif rotor. */
13587         if (ipif->ipif_ill->ill_src_ipif == ipif)
13588                 ipif->ipif_ill->ill_src_ipif = NULL;
13589         rw_exit(&ipst->ips_ill_g_lock);
13590 }
13591 
13592 static void
13593 ipif_free_tail(ipif_t *ipif)
13594 {
13595         ip_stack_t *ipst = ipif->ipif_ill->ill_ipst;
13596 
13597         /*
13598          * Need to hold both ill_g_lock and ill_lock while
13599          * inserting or removing an ipif from the linked list
13600          * of ipifs hanging off the ill.
13601          */
13602         rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
13603 
13604 #ifdef DEBUG
13605         ipif_trace_cleanup(ipif);
13606 #endif
13607 
13608         /* Ask SCTP to take it out of it list */
13609         sctp_update_ipif(ipif, SCTP_IPIF_REMOVE);
13610         ip_rts_newaddrmsg(RTM_FREEADDR, 0, ipif, RTSQ_DEFAULT);
13611 
13612         /* Get it out of the ILL interface list. */
13613         ipif_remove(ipif);
13614         rw_exit(&ipst->ips_ill_g_lock);
13615 
13616         ASSERT(!(ipif->ipif_flags & (IPIF_UP | IPIF_DUPLICATE)));
13617         ASSERT(ipif->ipif_recovery_id == 0);
13618         ASSERT(ipif->ipif_ire_local == NULL);
13619         ASSERT(ipif->ipif_ire_if == NULL);
13620 
13621         /* Free the memory. */
13622         mi_free(ipif);
13623 }
13624 
13625 /*
13626  * Sets `buf' to an ipif name of the form "ill_name:id", or "ill_name" if "id"
13627  * is zero.
13628  */
13629 void
13630 ipif_get_name(const ipif_t *ipif, char *buf, int len)
13631 {
13632         char    lbuf[LIFNAMSIZ];
13633         char    *name;
13634         size_t  name_len;
13635 
13636         buf[0] = '\0';
13637         name = ipif->ipif_ill->ill_name;
13638         name_len = ipif->ipif_ill->ill_name_length;
13639         if (ipif->ipif_id != 0) {
13640                 (void) sprintf(lbuf, "%s%c%d", name, IPIF_SEPARATOR_CHAR,
13641                     ipif->ipif_id);
13642                 name = lbuf;
13643                 name_len = mi_strlen(name) + 1;
13644         }
13645         len -= 1;
13646         buf[len] = '\0';
13647         len = MIN(len, name_len);
13648         bcopy(name, buf, len);
13649 }
13650 
13651 /*
13652  * Sets `buf' to an ill name.
13653  */
13654 void
13655 ill_get_name(const ill_t *ill, char *buf, int len)
13656 {
13657         char    *name;
13658         size_t  name_len;
13659 
13660         name = ill->ill_name;
13661         name_len = ill->ill_name_length;
13662         len -= 1;
13663         buf[len] = '\0';
13664         len = MIN(len, name_len);
13665         bcopy(name, buf, len);
13666 }
13667 
13668 /*
13669  * Find an IPIF based on the name passed in.  Names can be of the form <phys>
13670  * (e.g., le0) or <phys>:<#> (e.g., le0:1).  When there is no colon, the
13671  * implied unit id is zero. <phys> must correspond to the name of an ILL.
13672  * (May be called as writer.)
13673  */
13674 static ipif_t *
13675 ipif_lookup_on_name(char *name, size_t namelen, boolean_t do_alloc,
13676     boolean_t *exists, boolean_t isv6, zoneid_t zoneid, ip_stack_t *ipst)
13677 {
13678         char    *cp;
13679         char    *endp;
13680         long    id;
13681         ill_t   *ill;
13682         ipif_t  *ipif;
13683         uint_t  ire_type;
13684         boolean_t did_alloc = B_FALSE;
13685         char    last;
13686 
13687         /*
13688          * If the caller wants to us to create the ipif, make sure we have a
13689          * valid zoneid
13690          */
13691         ASSERT(!do_alloc || zoneid != ALL_ZONES);
13692 
13693         if (namelen == 0) {
13694                 return (NULL);
13695         }
13696 
13697         *exists = B_FALSE;
13698         /* Look for a colon in the name. */
13699         endp = &name[namelen];
13700         for (cp = endp; --cp > name; ) {
13701                 if (*cp == IPIF_SEPARATOR_CHAR)
13702                         break;
13703         }
13704 
13705         if (*cp == IPIF_SEPARATOR_CHAR) {
13706                 /*
13707                  * Reject any non-decimal aliases for logical
13708                  * interfaces. Aliases with leading zeroes
13709                  * are also rejected as they introduce ambiguity
13710                  * in the naming of the interfaces.
13711                  * In order to confirm with existing semantics,
13712                  * and to not break any programs/script relying
13713                  * on that behaviour, if<0>:0 is considered to be
13714                  * a valid interface.
13715                  *
13716                  * If alias has two or more digits and the first
13717                  * is zero, fail.
13718                  */
13719                 if (&cp[2] < endp && cp[1] == '0') {
13720                         return (NULL);
13721                 }
13722         }
13723 
13724         if (cp <= name) {
13725                 cp = endp;
13726         }
13727         last = *cp;
13728         *cp = '\0';
13729 
13730         /*
13731          * Look up the ILL, based on the portion of the name
13732          * before the slash. ill_lookup_on_name returns a held ill.
13733          * Temporary to check whether ill exists already. If so
13734          * ill_lookup_on_name will clear it.
13735          */
13736         ill = ill_lookup_on_name(name, do_alloc, isv6,
13737             &did_alloc, ipst);
13738         *cp = last;
13739         if (ill == NULL)
13740                 return (NULL);
13741 
13742         /* Establish the unit number in the name. */
13743         id = 0;
13744         if (cp < endp && *endp == '\0') {
13745                 /* If there was a colon, the unit number follows. */
13746                 cp++;
13747                 if (ddi_strtol(cp, NULL, 0, &id) != 0) {
13748                         ill_refrele(ill);
13749                         return (NULL);
13750                 }
13751         }
13752 
13753         mutex_enter(&ill->ill_lock);
13754         /* Now see if there is an IPIF with this unit number. */
13755         for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
13756                 if (ipif->ipif_id == id) {
13757                         if (zoneid != ALL_ZONES &&
13758                             zoneid != ipif->ipif_zoneid &&
13759                             ipif->ipif_zoneid != ALL_ZONES) {
13760                                 mutex_exit(&ill->ill_lock);
13761                                 ill_refrele(ill);
13762                                 return (NULL);
13763                         }
13764                         if (IPIF_CAN_LOOKUP(ipif)) {
13765                                 ipif_refhold_locked(ipif);
13766                                 mutex_exit(&ill->ill_lock);
13767                                 if (!did_alloc)
13768                                         *exists = B_TRUE;
13769                                 /*
13770                                  * Drop locks before calling ill_refrele
13771                                  * since it can potentially call into
13772                                  * ipif_ill_refrele_tail which can end up
13773                                  * in trying to acquire any lock.
13774                                  */
13775                                 ill_refrele(ill);
13776                                 return (ipif);
13777                         }
13778                 }
13779         }
13780 
13781         if (!do_alloc) {
13782                 mutex_exit(&ill->ill_lock);
13783                 ill_refrele(ill);
13784                 return (NULL);
13785         }
13786 
13787         /*
13788          * If none found, atomically allocate and return a new one.
13789          * Historically, we used IRE_LOOPBACK only for lun 0, and IRE_LOCAL
13790          * to support "receive only" use of lo0:1 etc. as is still done
13791          * below as an initial guess.
13792          * However, this is now likely to be overriden later in ipif_up_done()
13793          * when we know for sure what address has been configured on the
13794          * interface, since we might have more than one loopback interface
13795          * with a loopback address, e.g. in the case of zones, and all the
13796          * interfaces with loopback addresses need to be marked IRE_LOOPBACK.
13797          */
13798         if (ill->ill_net_type == IRE_LOOPBACK && id == 0)
13799                 ire_type = IRE_LOOPBACK;
13800         else
13801                 ire_type = IRE_LOCAL;
13802         ipif = ipif_allocate(ill, id, ire_type, B_TRUE, B_TRUE, NULL);
13803         if (ipif != NULL)
13804                 ipif_refhold_locked(ipif);
13805         mutex_exit(&ill->ill_lock);
13806         ill_refrele(ill);
13807         return (ipif);
13808 }
13809 
13810 /*
13811  * Variant of the above that queues the request on the ipsq when
13812  * IPIF_CHANGING is set.
13813  */
13814 static ipif_t *
13815 ipif_lookup_on_name_async(char *name, size_t namelen, boolean_t isv6,
13816     zoneid_t zoneid, queue_t *q, mblk_t *mp, ipsq_func_t func, int *error,
13817     ip_stack_t *ipst)
13818 {
13819         char    *cp;
13820         char    *endp;
13821         long    id;
13822         ill_t   *ill;
13823         ipif_t  *ipif;
13824         boolean_t did_alloc = B_FALSE;
13825         ipsq_t  *ipsq;
13826 
13827         if (error != NULL)
13828                 *error = 0;
13829 
13830         if (namelen == 0) {
13831                 if (error != NULL)
13832                         *error = ENXIO;
13833                 return (NULL);
13834         }
13835 
13836         /* Look for a colon in the name. */
13837         endp = &name[namelen];
13838         for (cp = endp; --cp > name; ) {
13839                 if (*cp == IPIF_SEPARATOR_CHAR)
13840                         break;
13841         }
13842 
13843         if (*cp == IPIF_SEPARATOR_CHAR) {
13844                 /*
13845                  * Reject any non-decimal aliases for logical
13846                  * interfaces. Aliases with leading zeroes
13847                  * are also rejected as they introduce ambiguity
13848                  * in the naming of the interfaces.
13849                  * In order to confirm with existing semantics,
13850                  * and to not break any programs/script relying
13851                  * on that behaviour, if<0>:0 is considered to be
13852                  * a valid interface.
13853                  *
13854                  * If alias has two or more digits and the first
13855                  * is zero, fail.
13856                  */
13857                 if (&cp[2] < endp && cp[1] == '0') {
13858                         if (error != NULL)
13859                                 *error = EINVAL;
13860                         return (NULL);
13861                 }
13862         }
13863 
13864         if (cp <= name) {
13865                 cp = endp;
13866         } else {
13867                 *cp = '\0';
13868         }
13869 
13870         /*
13871          * Look up the ILL, based on the portion of the name
13872          * before the slash. ill_lookup_on_name returns a held ill.
13873          * Temporary to check whether ill exists already. If so
13874          * ill_lookup_on_name will clear it.
13875          */
13876         ill = ill_lookup_on_name(name, B_FALSE, isv6, &did_alloc, ipst);
13877         if (cp != endp)
13878                 *cp = IPIF_SEPARATOR_CHAR;
13879         if (ill == NULL)
13880                 return (NULL);
13881 
13882         /* Establish the unit number in the name. */
13883         id = 0;
13884         if (cp < endp && *endp == '\0') {
13885                 /* If there was a colon, the unit number follows. */
13886                 cp++;
13887                 if (ddi_strtol(cp, NULL, 0, &id) != 0) {
13888                         ill_refrele(ill);
13889                         if (error != NULL)
13890                                 *error = ENXIO;
13891                         return (NULL);
13892                 }
13893         }
13894 
13895         GRAB_CONN_LOCK(q);
13896         mutex_enter(&ill->ill_lock);
13897         /* Now see if there is an IPIF with this unit number. */
13898         for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
13899                 if (ipif->ipif_id == id) {
13900                         if (zoneid != ALL_ZONES &&
13901                             zoneid != ipif->ipif_zoneid &&
13902                             ipif->ipif_zoneid != ALL_ZONES) {
13903                                 mutex_exit(&ill->ill_lock);
13904                                 RELEASE_CONN_LOCK(q);
13905                                 ill_refrele(ill);
13906                                 if (error != NULL)
13907                                         *error = ENXIO;
13908                                 return (NULL);
13909                         }
13910 
13911                         if (!(IPIF_IS_CHANGING(ipif) ||
13912                             IPIF_IS_CONDEMNED(ipif)) ||
13913                             IAM_WRITER_IPIF(ipif)) {
13914                                 ipif_refhold_locked(ipif);
13915                                 mutex_exit(&ill->ill_lock);
13916                                 /*
13917                                  * Drop locks before calling ill_refrele
13918                                  * since it can potentially call into
13919                                  * ipif_ill_refrele_tail which can end up
13920                                  * in trying to acquire any lock.
13921                                  */
13922                                 RELEASE_CONN_LOCK(q);
13923                                 ill_refrele(ill);
13924                                 return (ipif);
13925                         } else if (q != NULL && !IPIF_IS_CONDEMNED(ipif)) {
13926                                 ipsq = ill->ill_phyint->phyint_ipsq;
13927                                 mutex_enter(&ipsq->ipsq_lock);
13928                                 mutex_enter(&ipsq->ipsq_xop->ipx_lock);
13929                                 mutex_exit(&ill->ill_lock);
13930                                 ipsq_enq(ipsq, q, mp, func, NEW_OP, ill);
13931                                 mutex_exit(&ipsq->ipsq_xop->ipx_lock);
13932                                 mutex_exit(&ipsq->ipsq_lock);
13933                                 RELEASE_CONN_LOCK(q);
13934                                 ill_refrele(ill);
13935                                 if (error != NULL)
13936                                         *error = EINPROGRESS;
13937                                 return (NULL);
13938                         }
13939                 }
13940         }
13941         RELEASE_CONN_LOCK(q);
13942         mutex_exit(&ill->ill_lock);
13943         ill_refrele(ill);
13944         if (error != NULL)
13945                 *error = ENXIO;
13946         return (NULL);
13947 }
13948 
13949 /*
13950  * This routine is called whenever a new address comes up on an ipif.  If
13951  * we are configured to respond to address mask requests, then we are supposed
13952  * to broadcast an address mask reply at this time.  This routine is also
13953  * called if we are already up, but a netmask change is made.  This is legal
13954  * but might not make the system manager very popular.  (May be called
13955  * as writer.)
13956  */
13957 void
13958 ipif_mask_reply(ipif_t *ipif)
13959 {
13960         icmph_t *icmph;
13961         ipha_t  *ipha;
13962         mblk_t  *mp;
13963         ip_stack_t      *ipst = ipif->ipif_ill->ill_ipst;
13964         ip_xmit_attr_t ixas;
13965 
13966 #define REPLY_LEN       (sizeof (icmp_ipha) + sizeof (icmph_t) + IP_ADDR_LEN)
13967 
13968         if (!ipst->ips_ip_respond_to_address_mask_broadcast)
13969                 return;
13970 
13971         /* ICMP mask reply is IPv4 only */
13972         ASSERT(!ipif->ipif_isv6);
13973         /* ICMP mask reply is not for a loopback interface */
13974         ASSERT(ipif->ipif_ill->ill_wq != NULL);
13975 
13976         if (ipif->ipif_lcl_addr == INADDR_ANY)
13977                 return;
13978 
13979         mp = allocb(REPLY_LEN, BPRI_HI);
13980         if (mp == NULL)
13981                 return;
13982         mp->b_wptr = mp->b_rptr + REPLY_LEN;
13983 
13984         ipha = (ipha_t *)mp->b_rptr;
13985         bzero(ipha, REPLY_LEN);
13986         *ipha = icmp_ipha;
13987         ipha->ipha_ttl = ipst->ips_ip_broadcast_ttl;
13988         ipha->ipha_src = ipif->ipif_lcl_addr;
13989         ipha->ipha_dst = ipif->ipif_brd_addr;
13990         ipha->ipha_length = htons(REPLY_LEN);
13991         ipha->ipha_ident = 0;
13992 
13993         icmph = (icmph_t *)&ipha[1];
13994         icmph->icmph_type = ICMP_ADDRESS_MASK_REPLY;
13995         bcopy(&ipif->ipif_net_mask, &icmph[1], IP_ADDR_LEN);
13996         icmph->icmph_checksum = IP_CSUM(mp, sizeof (ipha_t), 0);
13997 
13998         bzero(&ixas, sizeof (ixas));
13999         ixas.ixa_flags = IXAF_BASIC_SIMPLE_V4;
14000         ixas.ixa_zoneid = ALL_ZONES;
14001         ixas.ixa_ifindex = 0;
14002         ixas.ixa_ipst = ipst;
14003         ixas.ixa_multicast_ttl = IP_DEFAULT_MULTICAST_TTL;
14004         (void) ip_output_simple(mp, &ixas);
14005         ixa_cleanup(&ixas);
14006 #undef  REPLY_LEN
14007 }
14008 
14009 /*
14010  * Join the ipif specific multicast groups.
14011  * Must be called after a mapping has been set up in the resolver.  (Always
14012  * called as writer.)
14013  */
14014 void
14015 ipif_multicast_up(ipif_t *ipif)
14016 {
14017         int err;
14018         ill_t *ill;
14019         ilm_t *ilm;
14020 
14021         ASSERT(IAM_WRITER_IPIF(ipif));
14022 
14023         ill = ipif->ipif_ill;
14024 
14025         ip1dbg(("ipif_multicast_up\n"));
14026         if (!(ill->ill_flags & ILLF_MULTICAST) ||
14027             ipif->ipif_allhosts_ilm != NULL)
14028                 return;
14029 
14030         if (ipif->ipif_isv6) {
14031                 in6_addr_t v6allmc = ipv6_all_hosts_mcast;
14032                 in6_addr_t v6solmc = ipv6_solicited_node_mcast;
14033 
14034                 v6solmc.s6_addr32[3] |= ipif->ipif_v6lcl_addr.s6_addr32[3];
14035 
14036                 if (IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6lcl_addr))
14037                         return;
14038 
14039                 ip1dbg(("ipif_multicast_up - addmulti\n"));
14040 
14041                 /*
14042                  * Join the all hosts multicast address.  We skip this for
14043                  * underlying IPMP interfaces since they should be invisible.
14044                  */
14045                 if (!IS_UNDER_IPMP(ill)) {
14046                         ilm = ip_addmulti(&v6allmc, ill, ipif->ipif_zoneid,
14047                             &err);
14048                         if (ilm == NULL) {
14049                                 ASSERT(err != 0);
14050                                 ip0dbg(("ipif_multicast_up: "
14051                                     "all_hosts_mcast failed %d\n", err));
14052                                 return;
14053                         }
14054                         ipif->ipif_allhosts_ilm = ilm;
14055                 }
14056 
14057                 /*
14058                  * Enable multicast for the solicited node multicast address.
14059                  * If IPMP we need to put the membership on the upper ill.
14060                  */
14061                 if (!(ipif->ipif_flags & IPIF_NOLOCAL)) {
14062                         ill_t *mcast_ill = NULL;
14063                         boolean_t need_refrele;
14064 
14065                         if (IS_UNDER_IPMP(ill) &&
14066                             (mcast_ill = ipmp_ill_hold_ipmp_ill(ill)) != NULL) {
14067                                 need_refrele = B_TRUE;
14068                         } else {
14069                                 mcast_ill = ill;
14070                                 need_refrele = B_FALSE;
14071                         }
14072 
14073                         ilm = ip_addmulti(&v6solmc, mcast_ill,
14074                             ipif->ipif_zoneid, &err);
14075                         if (need_refrele)
14076                                 ill_refrele(mcast_ill);
14077 
14078                         if (ilm == NULL) {
14079                                 ASSERT(err != 0);
14080                                 ip0dbg(("ipif_multicast_up: solicited MC"
14081                                     " failed %d\n", err));
14082                                 if ((ilm = ipif->ipif_allhosts_ilm) != NULL) {
14083                                         ipif->ipif_allhosts_ilm = NULL;
14084                                         (void) ip_delmulti(ilm);
14085                                 }
14086                                 return;
14087                         }
14088                         ipif->ipif_solmulti_ilm = ilm;
14089                 }
14090         } else {
14091                 in6_addr_t v6group;
14092 
14093                 if (ipif->ipif_lcl_addr == INADDR_ANY || IS_UNDER_IPMP(ill))
14094                         return;
14095 
14096                 /* Join the all hosts multicast address */
14097                 ip1dbg(("ipif_multicast_up - addmulti\n"));
14098                 IN6_IPADDR_TO_V4MAPPED(htonl(INADDR_ALLHOSTS_GROUP), &v6group);
14099 
14100                 ilm = ip_addmulti(&v6group, ill, ipif->ipif_zoneid, &err);
14101                 if (ilm == NULL) {
14102                         ASSERT(err != 0);
14103                         ip0dbg(("ipif_multicast_up: failed %d\n", err));
14104                         return;
14105                 }
14106                 ipif->ipif_allhosts_ilm = ilm;
14107         }
14108 }
14109 
14110 /*
14111  * Blow away any multicast groups that we joined in ipif_multicast_up().
14112  * (ilms from explicit memberships are handled in conn_update_ill.)
14113  */
14114 void
14115 ipif_multicast_down(ipif_t *ipif)
14116 {
14117         ASSERT(IAM_WRITER_IPIF(ipif));
14118 
14119         ip1dbg(("ipif_multicast_down\n"));
14120 
14121         if (ipif->ipif_allhosts_ilm != NULL) {
14122                 (void) ip_delmulti(ipif->ipif_allhosts_ilm);
14123                 ipif->ipif_allhosts_ilm = NULL;
14124         }
14125         if (ipif->ipif_solmulti_ilm != NULL) {
14126                 (void) ip_delmulti(ipif->ipif_solmulti_ilm);
14127                 ipif->ipif_solmulti_ilm = NULL;
14128         }
14129 }
14130 
14131 /*
14132  * Used when an interface comes up to recreate any extra routes on this
14133  * interface.
14134  */
14135 int
14136 ill_recover_saved_ire(ill_t *ill)
14137 {
14138         mblk_t          *mp;
14139         ip_stack_t      *ipst = ill->ill_ipst;
14140 
14141         ip1dbg(("ill_recover_saved_ire(%s)", ill->ill_name));
14142 
14143         mutex_enter(&ill->ill_saved_ire_lock);
14144         for (mp = ill->ill_saved_ire_mp; mp != NULL; mp = mp->b_cont) {
14145                 ire_t           *ire, *nire;
14146                 ifrt_t          *ifrt;
14147 
14148                 ifrt = (ifrt_t *)mp->b_rptr;
14149                 /*
14150                  * Create a copy of the IRE with the saved address and netmask.
14151                  */
14152                 if (ill->ill_isv6) {
14153                         ire = ire_create_v6(
14154                             &ifrt->ifrt_v6addr,
14155                             &ifrt->ifrt_v6mask,
14156                             &ifrt->ifrt_v6gateway_addr,
14157                             ifrt->ifrt_type,
14158                             ill,
14159                             ifrt->ifrt_zoneid,
14160                             ifrt->ifrt_flags,
14161                             NULL,
14162                             ipst);
14163                 } else {
14164                         ire = ire_create(
14165                             (uint8_t *)&ifrt->ifrt_addr,
14166                             (uint8_t *)&ifrt->ifrt_mask,
14167                             (uint8_t *)&ifrt->ifrt_gateway_addr,
14168                             ifrt->ifrt_type,
14169                             ill,
14170                             ifrt->ifrt_zoneid,
14171                             ifrt->ifrt_flags,
14172                             NULL,
14173                             ipst);
14174                 }
14175                 if (ire == NULL) {
14176                         mutex_exit(&ill->ill_saved_ire_lock);
14177                         return (ENOMEM);
14178                 }
14179 
14180                 if (ifrt->ifrt_flags & RTF_SETSRC) {
14181                         if (ill->ill_isv6) {
14182                                 ire->ire_setsrc_addr_v6 =
14183                                     ifrt->ifrt_v6setsrc_addr;
14184                         } else {
14185                                 ire->ire_setsrc_addr = ifrt->ifrt_setsrc_addr;
14186                         }
14187                 }
14188 
14189                 /*
14190                  * Some software (for example, GateD and Sun Cluster) attempts
14191                  * to create (what amount to) IRE_PREFIX routes with the
14192                  * loopback address as the gateway.  This is primarily done to
14193                  * set up prefixes with the RTF_REJECT flag set (for example,
14194                  * when generating aggregate routes.)
14195                  *
14196                  * If the IRE type (as defined by ill->ill_net_type) is
14197                  * IRE_LOOPBACK, then we map the request into a
14198                  * IRE_IF_NORESOLVER.
14199                  */
14200                 if (ill->ill_net_type == IRE_LOOPBACK)
14201                         ire->ire_type = IRE_IF_NORESOLVER;
14202 
14203                 /*
14204                  * ire held by ire_add, will be refreled' towards the
14205                  * the end of ipif_up_done
14206                  */
14207                 nire = ire_add(ire);
14208                 /*
14209                  * Check if it was a duplicate entry. This handles
14210                  * the case of two racing route adds for the same route
14211                  */
14212                 if (nire == NULL) {
14213                         ip1dbg(("ill_recover_saved_ire: FAILED\n"));
14214                 } else if (nire != ire) {
14215                         ip1dbg(("ill_recover_saved_ire: duplicate ire %p\n",
14216                             (void *)nire));
14217                         ire_delete(nire);
14218                 } else {
14219                         ip1dbg(("ill_recover_saved_ire: added ire %p\n",
14220                             (void *)nire));
14221                 }
14222                 if (nire != NULL)
14223                         ire_refrele(nire);
14224         }
14225         mutex_exit(&ill->ill_saved_ire_lock);
14226         return (0);
14227 }
14228 
14229 /*
14230  * Used to set the netmask and broadcast address to default values when the
14231  * interface is brought up.  (Always called as writer.)
14232  */
14233 static void
14234 ipif_set_default(ipif_t *ipif)
14235 {
14236         ASSERT(MUTEX_HELD(&ipif->ipif_ill->ill_lock));
14237 
14238         if (!ipif->ipif_isv6) {
14239                 /*
14240                  * Interface holds an IPv4 address. Default
14241                  * mask is the natural netmask.
14242                  */
14243                 if (!ipif->ipif_net_mask) {
14244                         ipaddr_t        v4mask;
14245 
14246                         v4mask = ip_net_mask(ipif->ipif_lcl_addr);
14247                         V4MASK_TO_V6(v4mask, ipif->ipif_v6net_mask);
14248                 }
14249                 if (ipif->ipif_flags & IPIF_POINTOPOINT) {
14250                         /* ipif_subnet is ipif_pp_dst_addr for pt-pt */
14251                         ipif->ipif_v6subnet = ipif->ipif_v6pp_dst_addr;
14252                 } else {
14253                         V6_MASK_COPY(ipif->ipif_v6lcl_addr,
14254                             ipif->ipif_v6net_mask, ipif->ipif_v6subnet);
14255                 }
14256                 /*
14257                  * NOTE: SunOS 4.X does this even if the broadcast address
14258                  * has been already set thus we do the same here.
14259                  */
14260                 if (ipif->ipif_flags & IPIF_BROADCAST) {
14261                         ipaddr_t        v4addr;
14262 
14263                         v4addr = ipif->ipif_subnet | ~ipif->ipif_net_mask;
14264                         IN6_IPADDR_TO_V4MAPPED(v4addr, &ipif->ipif_v6brd_addr);
14265                 }
14266         } else {
14267                 /*
14268                  * Interface holds an IPv6-only address.  Default
14269                  * mask is all-ones.
14270                  */
14271                 if (IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6net_mask))
14272                         ipif->ipif_v6net_mask = ipv6_all_ones;
14273                 if (ipif->ipif_flags & IPIF_POINTOPOINT) {
14274                         /* ipif_subnet is ipif_pp_dst_addr for pt-pt */
14275                         ipif->ipif_v6subnet = ipif->ipif_v6pp_dst_addr;
14276                 } else {
14277                         V6_MASK_COPY(ipif->ipif_v6lcl_addr,
14278                             ipif->ipif_v6net_mask, ipif->ipif_v6subnet);
14279                 }
14280         }
14281 }
14282 
14283 /*
14284  * Return 0 if this address can be used as local address without causing
14285  * duplicate address problems. Otherwise, return EADDRNOTAVAIL if the address
14286  * is already up on a different ill, and EADDRINUSE if it's up on the same ill.
14287  * Note that the same IPv6 link-local address is allowed as long as the ills
14288  * are not on the same link.
14289  */
14290 int
14291 ip_addr_availability_check(ipif_t *new_ipif)
14292 {
14293         in6_addr_t our_v6addr;
14294         ill_t *ill;
14295         ipif_t *ipif;
14296         ill_walk_context_t ctx;
14297         ip_stack_t      *ipst = new_ipif->ipif_ill->ill_ipst;
14298 
14299         ASSERT(IAM_WRITER_IPIF(new_ipif));
14300         ASSERT(MUTEX_HELD(&ipst->ips_ip_addr_avail_lock));
14301         ASSERT(RW_READ_HELD(&ipst->ips_ill_g_lock));
14302 
14303         new_ipif->ipif_flags &= ~IPIF_UNNUMBERED;
14304         if (IN6_IS_ADDR_UNSPECIFIED(&new_ipif->ipif_v6lcl_addr) ||
14305             IN6_IS_ADDR_V4MAPPED_ANY(&new_ipif->ipif_v6lcl_addr))
14306                 return (0);
14307 
14308         our_v6addr = new_ipif->ipif_v6lcl_addr;
14309 
14310         if (new_ipif->ipif_isv6)
14311                 ill = ILL_START_WALK_V6(&ctx, ipst);
14312         else
14313                 ill = ILL_START_WALK_V4(&ctx, ipst);
14314 
14315         for (; ill != NULL; ill = ill_next(&ctx, ill)) {
14316                 for (ipif = ill->ill_ipif; ipif != NULL;
14317                     ipif = ipif->ipif_next) {
14318                         if ((ipif == new_ipif) ||
14319                             !(ipif->ipif_flags & IPIF_UP) ||
14320                             (ipif->ipif_flags & IPIF_UNNUMBERED) ||
14321                             !IN6_ARE_ADDR_EQUAL(&ipif->ipif_v6lcl_addr,
14322                             &our_v6addr))
14323                                 continue;
14324 
14325                         if (new_ipif->ipif_flags & IPIF_POINTOPOINT)
14326                                 new_ipif->ipif_flags |= IPIF_UNNUMBERED;
14327                         else if (ipif->ipif_flags & IPIF_POINTOPOINT)
14328                                 ipif->ipif_flags |= IPIF_UNNUMBERED;
14329                         else if ((IN6_IS_ADDR_LINKLOCAL(&our_v6addr) ||
14330                             IN6_IS_ADDR_SITELOCAL(&our_v6addr)) &&
14331                             !IS_ON_SAME_LAN(ill, new_ipif->ipif_ill))
14332                                 continue;
14333                         else if (new_ipif->ipif_zoneid != ipif->ipif_zoneid &&
14334                             ipif->ipif_zoneid != ALL_ZONES && IS_LOOPBACK(ill))
14335                                 continue;
14336                         else if (new_ipif->ipif_ill == ill)
14337                                 return (EADDRINUSE);
14338                         else
14339                                 return (EADDRNOTAVAIL);
14340                 }
14341         }
14342 
14343         return (0);
14344 }
14345 
14346 /*
14347  * Bring up an ipif: bring up arp/ndp, bring up the DLPI stream, and add
14348  * IREs for the ipif.
14349  * When the routine returns EINPROGRESS then mp has been consumed and
14350  * the ioctl will be acked from ip_rput_dlpi.
14351  */
14352 int
14353 ipif_up(ipif_t *ipif, queue_t *q, mblk_t *mp)
14354 {
14355         ill_t           *ill = ipif->ipif_ill;
14356         boolean_t       isv6 = ipif->ipif_isv6;
14357         int             err = 0;
14358         boolean_t       success;
14359         uint_t          ipif_orig_id;
14360         ip_stack_t      *ipst = ill->ill_ipst;
14361 
14362         ASSERT(IAM_WRITER_IPIF(ipif));
14363 
14364         ip1dbg(("ipif_up(%s:%u)\n", ill->ill_name, ipif->ipif_id));
14365         DTRACE_PROBE3(ipif__downup, char *, "ipif_up",
14366             ill_t *, ill, ipif_t *, ipif);
14367 
14368         /* Shouldn't get here if it is already up. */
14369         if (ipif->ipif_flags & IPIF_UP)
14370                 return (EALREADY);
14371 
14372         /*
14373          * If this is a request to bring up a data address on an interface
14374          * under IPMP, then move the address to its IPMP meta-interface and
14375          * try to bring it up.  One complication is that the zeroth ipif for
14376          * an ill is special, in that every ill always has one, and that code
14377          * throughout IP deferences ill->ill_ipif without holding any locks.
14378          */
14379         if (IS_UNDER_IPMP(ill) && ipmp_ipif_is_dataaddr(ipif) &&
14380             (!ipif->ipif_isv6 || !V6_IPIF_LINKLOCAL(ipif))) {
14381                 ipif_t  *stubipif = NULL, *moveipif = NULL;
14382                 ill_t   *ipmp_ill = ipmp_illgrp_ipmp_ill(ill->ill_grp);
14383 
14384                 /*
14385                  * The ipif being brought up should be quiesced.  If it's not,
14386                  * something has gone amiss and we need to bail out.  (If it's
14387                  * quiesced, we know it will remain so via IPIF_CONDEMNED.)
14388                  */
14389                 mutex_enter(&ill->ill_lock);
14390                 if (!ipif_is_quiescent(ipif)) {
14391                         mutex_exit(&ill->ill_lock);
14392                         return (EINVAL);
14393                 }
14394                 mutex_exit(&ill->ill_lock);
14395 
14396                 /*
14397                  * If we're going to need to allocate ipifs, do it prior
14398                  * to starting the move (and grabbing locks).
14399                  */
14400                 if (ipif->ipif_id == 0) {
14401                         if ((moveipif = ipif_allocate(ill, 0, IRE_LOCAL, B_TRUE,
14402                             B_FALSE, &err)) == NULL) {
14403                                 return (err);
14404                         }
14405                         if ((stubipif = ipif_allocate(ill, 0, IRE_LOCAL, B_TRUE,
14406                             B_FALSE, &err)) == NULL) {
14407                                 mi_free(moveipif);
14408                                 return (err);
14409                         }
14410                 }
14411 
14412                 /*
14413                  * Grab or transfer the ipif to move.  During the move, keep
14414                  * ill_g_lock held to prevent any ill walker threads from
14415                  * seeing things in an inconsistent state.
14416                  */
14417                 rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
14418                 if (ipif->ipif_id != 0) {
14419                         ipif_remove(ipif);
14420                 } else {
14421                         ipif_transfer(ipif, moveipif, stubipif);
14422                         ipif = moveipif;
14423                 }
14424 
14425                 /*
14426                  * Place the ipif on the IPMP ill.  If the zeroth ipif on
14427                  * the IPMP ill is a stub (0.0.0.0 down address) then we
14428                  * replace that one.  Otherwise, pick the next available slot.
14429                  */
14430                 ipif->ipif_ill = ipmp_ill;
14431                 ipif_orig_id = ipif->ipif_id;
14432 
14433                 if (ipmp_ipif_is_stubaddr(ipmp_ill->ill_ipif)) {
14434                         ipif_transfer(ipif, ipmp_ill->ill_ipif, NULL);
14435                         ipif = ipmp_ill->ill_ipif;
14436                 } else {
14437                         ipif->ipif_id = -1;
14438                         if ((err = ipif_insert(ipif, B_FALSE)) != 0) {
14439                                 /*
14440                                  * No more available ipif_id's -- put it back
14441                                  * on the original ill and fail the operation.
14442                                  * Since we're writer on the ill, we can be
14443                                  * sure our old slot is still available.
14444                                  */
14445                                 ipif->ipif_id = ipif_orig_id;
14446                                 ipif->ipif_ill = ill;
14447                                 if (ipif_orig_id == 0) {
14448                                         ipif_transfer(ipif, ill->ill_ipif,
14449                                             NULL);
14450                                 } else {
14451                                         VERIFY(ipif_insert(ipif, B_FALSE) == 0);
14452                                 }
14453                                 rw_exit(&ipst->ips_ill_g_lock);
14454                                 return (err);
14455                         }
14456                 }
14457                 rw_exit(&ipst->ips_ill_g_lock);
14458 
14459                 /*
14460                  * Tell SCTP that the ipif has moved.  Note that even if we
14461                  * had to allocate a new ipif, the original sequence id was
14462                  * preserved and therefore SCTP won't know.
14463                  */
14464                 sctp_move_ipif(ipif, ill, ipmp_ill);
14465 
14466                 /*
14467                  * If the ipif being brought up was on slot zero, then we
14468                  * first need to bring up the placeholder we stuck there.  In
14469                  * ip_rput_dlpi_writer(), arp_bringup_done(), or the recursive
14470                  * call to ipif_up() itself, if we successfully bring up the
14471                  * placeholder, we'll check ill_move_ipif and bring it up too.
14472                  */
14473                 if (ipif_orig_id == 0) {
14474                         ASSERT(ill->ill_move_ipif == NULL);
14475                         ill->ill_move_ipif = ipif;
14476                         if ((err = ipif_up(ill->ill_ipif, q, mp)) == 0)
14477                                 ASSERT(ill->ill_move_ipif == NULL);
14478                         if (err != EINPROGRESS)
14479                                 ill->ill_move_ipif = NULL;
14480                         return (err);
14481                 }
14482 
14483                 /*
14484                  * Bring it up on the IPMP ill.
14485                  */
14486                 return (ipif_up(ipif, q, mp));
14487         }
14488 
14489         /* Skip arp/ndp for any loopback interface. */
14490         if (ill->ill_wq != NULL) {
14491                 conn_t *connp = CONN_Q(q) ? Q_TO_CONN(q) : NULL;
14492                 ipsq_t  *ipsq = ill->ill_phyint->phyint_ipsq;
14493 
14494                 if (!ill->ill_dl_up) {
14495                         /*
14496                          * ill_dl_up is not yet set. i.e. we are yet to
14497                          * DL_BIND with the driver and this is the first
14498                          * logical interface on the ill to become "up".
14499                          * Tell the driver to get going (via DL_BIND_REQ).
14500                          * Note that changing "significant" IFF_ flags
14501                          * address/netmask etc cause a down/up dance, but
14502                          * does not cause an unbind (DL_UNBIND) with the driver
14503                          */
14504                         return (ill_dl_up(ill, ipif, mp, q));
14505                 }
14506 
14507                 /*
14508                  * ipif_resolver_up may end up needeing to bind/attach
14509                  * the ARP stream, which in turn necessitates a
14510                  * DLPI message exchange with the driver. ioctls are
14511                  * serialized and so we cannot send more than one
14512                  * interface up message at a time. If ipif_resolver_up
14513                  * does need to wait for the DLPI handshake for the ARP stream,
14514                  * we get EINPROGRESS and we will complete in arp_bringup_done.
14515                  */
14516 
14517                 ASSERT(connp != NULL || !CONN_Q(q));
14518                 if (connp != NULL)
14519                         mutex_enter(&connp->conn_lock);
14520                 mutex_enter(&ill->ill_lock);
14521                 success = ipsq_pending_mp_add(connp, ipif, q, mp, 0);
14522                 mutex_exit(&ill->ill_lock);
14523                 if (connp != NULL)
14524                         mutex_exit(&connp->conn_lock);
14525                 if (!success)
14526                         return (EINTR);
14527 
14528                 /*
14529                  * Crank up IPv6 neighbor discovery. Unlike ARP, this should
14530                  * complete when ipif_ndp_up returns.
14531                  */
14532                 err = ipif_resolver_up(ipif, Res_act_initial);
14533                 if (err == EINPROGRESS) {
14534                         /* We will complete it in arp_bringup_done() */
14535                         return (err);
14536                 }
14537 
14538                 if (isv6 && err == 0)
14539                         err = ipif_ndp_up(ipif, B_TRUE);
14540 
14541                 ASSERT(err != EINPROGRESS);
14542                 mp = ipsq_pending_mp_get(ipsq, &connp);
14543                 ASSERT(mp != NULL);
14544                 if (err != 0)
14545                         return (err);
14546         } else {
14547                 /*
14548                  * Interfaces without underlying hardware don't do duplicate
14549                  * address detection.
14550                  */
14551                 ASSERT(!(ipif->ipif_flags & IPIF_DUPLICATE));
14552                 ipif->ipif_addr_ready = 1;
14553                 err = ill_add_ires(ill);
14554                 /* allocation failure? */
14555                 if (err != 0)
14556                         return (err);
14557         }
14558 
14559         err = (isv6 ? ipif_up_done_v6(ipif) : ipif_up_done(ipif));
14560         if (err == 0 && ill->ill_move_ipif != NULL) {
14561                 ipif = ill->ill_move_ipif;
14562                 ill->ill_move_ipif = NULL;
14563                 return (ipif_up(ipif, q, mp));
14564         }
14565         return (err);
14566 }
14567 
14568 /*
14569  * Add any IREs tied to the ill. For now this is just an IRE_MULTICAST.
14570  * The identical set of IREs need to be removed in ill_delete_ires().
14571  */
14572 int
14573 ill_add_ires(ill_t *ill)
14574 {
14575         ire_t   *ire;
14576         in6_addr_t dummy6 = {(uint32_t)V6_MCAST, 0, 0, 1};
14577         in_addr_t dummy4 = htonl(INADDR_ALLHOSTS_GROUP);
14578 
14579         if (ill->ill_ire_multicast != NULL)
14580                 return (0);
14581 
14582         /*
14583          * provide some dummy ire_addr for creating the ire.
14584          */
14585         if (ill->ill_isv6) {
14586                 ire = ire_create_v6(&dummy6, 0, 0, IRE_MULTICAST, ill,
14587                     ALL_ZONES, RTF_UP, NULL, ill->ill_ipst);
14588         } else {
14589                 ire = ire_create((uchar_t *)&dummy4, 0, 0, IRE_MULTICAST, ill,
14590                     ALL_ZONES, RTF_UP, NULL, ill->ill_ipst);
14591         }
14592         if (ire == NULL)
14593                 return (ENOMEM);
14594 
14595         ill->ill_ire_multicast = ire;
14596         return (0);
14597 }
14598 
14599 void
14600 ill_delete_ires(ill_t *ill)
14601 {
14602         if (ill->ill_ire_multicast != NULL) {
14603                 /*
14604                  * BIND/ATTACH completed; Release the ref for ill_ire_multicast
14605                  * which was taken without any th_tracing enabled.
14606                  * We also mark it as condemned (note that it was never added)
14607                  * so that caching conn's can move off of it.
14608                  */
14609                 ire_make_condemned(ill->ill_ire_multicast);
14610                 ire_refrele_notr(ill->ill_ire_multicast);
14611                 ill->ill_ire_multicast = NULL;
14612         }
14613 }
14614 
14615 /*
14616  * Perform a bind for the physical device.
14617  * When the routine returns EINPROGRESS then mp has been consumed and
14618  * the ioctl will be acked from ip_rput_dlpi.
14619  * Allocate an unbind message and save it until ipif_down.
14620  */
14621 static int
14622 ill_dl_up(ill_t *ill, ipif_t *ipif, mblk_t *mp, queue_t *q)
14623 {
14624         mblk_t  *bind_mp = NULL;
14625         mblk_t  *unbind_mp = NULL;
14626         conn_t  *connp;
14627         boolean_t success;
14628         int     err;
14629 
14630         DTRACE_PROBE2(ill__downup, char *, "ill_dl_up", ill_t *, ill);
14631 
14632         ip1dbg(("ill_dl_up(%s)\n", ill->ill_name));
14633         ASSERT(IAM_WRITER_ILL(ill));
14634         ASSERT(mp != NULL);
14635 
14636         /*
14637          * Make sure we have an IRE_MULTICAST in case we immediately
14638          * start receiving packets.
14639          */
14640         err = ill_add_ires(ill);
14641         if (err != 0)
14642                 goto bad;
14643 
14644         bind_mp = ip_dlpi_alloc(sizeof (dl_bind_req_t) + sizeof (long),
14645             DL_BIND_REQ);
14646         if (bind_mp == NULL)
14647                 goto bad;
14648         ((dl_bind_req_t *)bind_mp->b_rptr)->dl_sap = ill->ill_sap;
14649         ((dl_bind_req_t *)bind_mp->b_rptr)->dl_service_mode = DL_CLDLS;
14650 
14651         /*
14652          * ill_unbind_mp would be non-null if the following sequence had
14653          * happened:
14654          * - send DL_BIND_REQ to driver, wait for response
14655          * - multiple ioctls that need to bring the ipif up are encountered,
14656          *   but they cannot enter the ipsq due to the outstanding DL_BIND_REQ.
14657          *   These ioctls will then be enqueued on the ipsq
14658          * - a DL_ERROR_ACK is returned for the DL_BIND_REQ
14659          * At this point, the pending ioctls in the ipsq will be drained, and
14660          * since ill->ill_dl_up was not set, ill_dl_up would be invoked with
14661          * a non-null ill->ill_unbind_mp
14662          */
14663         if (ill->ill_unbind_mp == NULL) {
14664                 unbind_mp = ip_dlpi_alloc(sizeof (dl_unbind_req_t),
14665                     DL_UNBIND_REQ);
14666                 if (unbind_mp == NULL)
14667                         goto bad;
14668         }
14669         /*
14670          * Record state needed to complete this operation when the
14671          * DL_BIND_ACK shows up.  Also remember the pre-allocated mblks.
14672          */
14673         connp = CONN_Q(q) ? Q_TO_CONN(q) : NULL;
14674         ASSERT(connp != NULL || !CONN_Q(q));
14675         GRAB_CONN_LOCK(q);
14676         mutex_enter(&ipif->ipif_ill->ill_lock);
14677         success = ipsq_pending_mp_add(connp, ipif, q, mp, 0);
14678         mutex_exit(&ipif->ipif_ill->ill_lock);
14679         RELEASE_CONN_LOCK(q);
14680         if (!success)
14681                 goto bad;
14682 
14683         /*
14684          * Save the unbind message for ill_dl_down(); it will be consumed when
14685          * the interface goes down.
14686          */
14687         if (ill->ill_unbind_mp == NULL)
14688                 ill->ill_unbind_mp = unbind_mp;
14689 
14690         ill_dlpi_send(ill, bind_mp);
14691         /* Send down link-layer capabilities probe if not already done. */
14692         ill_capability_probe(ill);
14693 
14694         /*
14695          * Sysid used to rely on the fact that netboots set domainname
14696          * and the like. Now that miniroot boots aren't strictly netboots
14697          * and miniroot network configuration is driven from userland
14698          * these things still need to be set. This situation can be detected
14699          * by comparing the interface being configured here to the one
14700          * dhcifname was set to reference by the boot loader. Once sysid is
14701          * converted to use dhcp_ipc_getinfo() this call can go away.
14702          */
14703         if ((ipif->ipif_flags & IPIF_DHCPRUNNING) &&
14704             (strcmp(ill->ill_name, dhcifname) == 0) &&
14705             (strlen(srpc_domain) == 0)) {
14706                 if (dhcpinit() != 0)
14707                         cmn_err(CE_WARN, "no cached dhcp response");
14708         }
14709 
14710         /*
14711          * This operation will complete in ip_rput_dlpi with either
14712          * a DL_BIND_ACK or DL_ERROR_ACK.
14713          */
14714         return (EINPROGRESS);
14715 bad:
14716         ip1dbg(("ill_dl_up(%s) FAILED\n", ill->ill_name));
14717 
14718         freemsg(bind_mp);
14719         freemsg(unbind_mp);
14720         return (ENOMEM);
14721 }
14722 
14723 /* Add room for tcp+ip headers */
14724 uint_t ip_loopback_mtuplus = IP_LOOPBACK_MTU + IP_SIMPLE_HDR_LENGTH + 20;
14725 
14726 /*
14727  * DLPI and ARP is up.
14728  * Create all the IREs associated with an interface. Bring up multicast.
14729  * Set the interface flag and finish other initialization
14730  * that potentially had to be deferred to after DL_BIND_ACK.
14731  */
14732 int
14733 ipif_up_done(ipif_t *ipif)
14734 {
14735         ill_t           *ill = ipif->ipif_ill;
14736         int             err = 0;
14737         boolean_t       loopback = B_FALSE;
14738         boolean_t       update_src_selection = B_TRUE;
14739         ipif_t          *tmp_ipif;
14740 
14741         ip1dbg(("ipif_up_done(%s:%u)\n",
14742             ipif->ipif_ill->ill_name, ipif->ipif_id));
14743         DTRACE_PROBE3(ipif__downup, char *, "ipif_up_done",
14744             ill_t *, ill, ipif_t *, ipif);
14745 
14746         /* Check if this is a loopback interface */
14747         if (ipif->ipif_ill->ill_wq == NULL)
14748                 loopback = B_TRUE;
14749 
14750         ASSERT(!MUTEX_HELD(&ipif->ipif_ill->ill_lock));
14751 
14752         /*
14753          * If all other interfaces for this ill are down or DEPRECATED,
14754          * or otherwise unsuitable for source address selection,
14755          * reset the src generation numbers to make sure source
14756          * address selection gets to take this new ipif into account.
14757          * No need to hold ill_lock while traversing the ipif list since
14758          * we are writer
14759          */
14760         for (tmp_ipif = ill->ill_ipif; tmp_ipif;
14761             tmp_ipif = tmp_ipif->ipif_next) {
14762                 if (((tmp_ipif->ipif_flags &
14763                     (IPIF_NOXMIT|IPIF_ANYCAST|IPIF_NOLOCAL|IPIF_DEPRECATED)) ||
14764                     !(tmp_ipif->ipif_flags & IPIF_UP)) ||
14765                     (tmp_ipif == ipif))
14766                         continue;
14767                 /* first useable pre-existing interface */
14768                 update_src_selection = B_FALSE;
14769                 break;
14770         }
14771         if (update_src_selection)
14772                 ip_update_source_selection(ill->ill_ipst);
14773 
14774         if (IS_LOOPBACK(ill) || ill->ill_net_type == IRE_IF_NORESOLVER) {
14775                 nce_t *loop_nce = NULL;
14776                 uint16_t flags = (NCE_F_MYADDR | NCE_F_AUTHORITY | NCE_F_NONUD);
14777 
14778                 /*
14779                  * lo0:1 and subsequent ipifs were marked IRE_LOCAL in
14780                  * ipif_lookup_on_name(), but in the case of zones we can have
14781                  * several loopback addresses on lo0. So all the interfaces with
14782                  * loopback addresses need to be marked IRE_LOOPBACK.
14783                  */
14784                 if (V4_PART_OF_V6(ipif->ipif_v6lcl_addr) ==
14785                     htonl(INADDR_LOOPBACK))
14786                         ipif->ipif_ire_type = IRE_LOOPBACK;
14787                 else
14788                         ipif->ipif_ire_type = IRE_LOCAL;
14789                 if (ill->ill_net_type != IRE_LOOPBACK)
14790                         flags |= NCE_F_PUBLISH;
14791 
14792                 /* add unicast nce for the local addr */
14793                 err = nce_lookup_then_add_v4(ill, NULL,
14794                     ill->ill_phys_addr_length, &ipif->ipif_lcl_addr, flags,
14795                     ND_REACHABLE, &loop_nce);
14796                 /* A shared-IP zone sees EEXIST for lo0:N */
14797                 if (err == 0 || err == EEXIST) {
14798                         ipif->ipif_added_nce = 1;
14799                         loop_nce->nce_ipif_cnt++;
14800                         nce_refrele(loop_nce);
14801                         err = 0;
14802                 } else {
14803                         ASSERT(loop_nce == NULL);
14804                         return (err);
14805                 }
14806         }
14807 
14808         /* Create all the IREs associated with this interface */
14809         err = ipif_add_ires_v4(ipif, loopback);
14810         if (err != 0) {
14811                 /*
14812                  * see comments about return value from
14813                  * ip_addr_availability_check() in ipif_add_ires_v4().
14814                  */
14815                 if (err != EADDRINUSE) {
14816                         (void) ipif_arp_down(ipif);
14817                 } else {
14818                         /*
14819                          * Make IPMP aware of the deleted ipif so that
14820                          * the needed ipmp cleanup (e.g., of ipif_bound_ill)
14821                          * can be completed. Note that we do not want to
14822                          * destroy the nce that was created on the ipmp_ill
14823                          * for the active copy of the duplicate address in
14824                          * use.
14825                          */
14826                         if (IS_IPMP(ill))
14827                                 ipmp_illgrp_del_ipif(ill->ill_grp, ipif);
14828                         err = EADDRNOTAVAIL;
14829                 }
14830                 return (err);
14831         }
14832 
14833         if (ill->ill_ipif_up_count == 1 && !loopback) {
14834                 /* Recover any additional IREs entries for this ill */
14835                 (void) ill_recover_saved_ire(ill);
14836         }
14837 
14838         if (ill->ill_need_recover_multicast) {
14839                 /*
14840                  * Need to recover all multicast memberships in the driver.
14841                  * This had to be deferred until we had attached.  The same
14842                  * code exists in ipif_up_done_v6() to recover IPv6
14843                  * memberships.
14844                  *
14845                  * Note that it would be preferable to unconditionally do the
14846                  * ill_recover_multicast() in ill_dl_up(), but we cannot do
14847                  * that since ill_join_allmulti() depends on ill_dl_up being
14848                  * set, and it is not set until we receive a DL_BIND_ACK after
14849                  * having called ill_dl_up().
14850                  */
14851                 ill_recover_multicast(ill);
14852         }
14853 
14854         if (ill->ill_ipif_up_count == 1) {
14855                 /*
14856                  * Since the interface is now up, it may now be active.
14857                  */
14858                 if (IS_UNDER_IPMP(ill))
14859                         ipmp_ill_refresh_active(ill);
14860 
14861                 /*
14862                  * If this is an IPMP interface, we may now be able to
14863                  * establish ARP entries.
14864                  */
14865                 if (IS_IPMP(ill))
14866                         ipmp_illgrp_refresh_arpent(ill->ill_grp);
14867         }
14868 
14869         /* Join the allhosts multicast address */
14870         ipif_multicast_up(ipif);
14871 
14872         if (!loopback && !update_src_selection &&
14873             !(ipif->ipif_flags & (IPIF_NOLOCAL|IPIF_ANYCAST|IPIF_DEPRECATED)))
14874                 ip_update_source_selection(ill->ill_ipst);
14875 
14876         if (!loopback && ipif->ipif_addr_ready) {
14877                 /* Broadcast an address mask reply. */
14878                 ipif_mask_reply(ipif);
14879         }
14880         /* Perhaps ilgs should use this ill */
14881         update_conn_ill(NULL, ill->ill_ipst);
14882 
14883         /*
14884          * This had to be deferred until we had bound.  Tell routing sockets and
14885          * others that this interface is up if it looks like the address has
14886          * been validated.  Otherwise, if it isn't ready yet, wait for
14887          * duplicate address detection to do its thing.
14888          */
14889         if (ipif->ipif_addr_ready)
14890                 ipif_up_notify(ipif);
14891         return (0);
14892 }
14893 
14894 /*
14895  * Add the IREs associated with the ipif.
14896  * Those MUST be explicitly removed in ipif_delete_ires_v4.
14897  */
14898 static int
14899 ipif_add_ires_v4(ipif_t *ipif, boolean_t loopback)
14900 {
14901         ill_t           *ill = ipif->ipif_ill;
14902         ip_stack_t      *ipst = ill->ill_ipst;
14903         ire_t           *ire_array[20];
14904         ire_t           **irep = ire_array;
14905         ire_t           **irep1;
14906         ipaddr_t        net_mask = 0;
14907         ipaddr_t        subnet_mask, route_mask;
14908         int             err;
14909         ire_t           *ire_local = NULL;      /* LOCAL or LOOPBACK */
14910         ire_t           *ire_if = NULL;
14911         uchar_t         *gw;
14912 
14913         if ((ipif->ipif_lcl_addr != INADDR_ANY) &&
14914             !(ipif->ipif_flags & IPIF_NOLOCAL)) {
14915                 /*
14916                  * If we're on a labeled system then make sure that zone-
14917                  * private addresses have proper remote host database entries.
14918                  */
14919                 if (is_system_labeled() &&
14920                     ipif->ipif_ire_type != IRE_LOOPBACK &&
14921                     !tsol_check_interface_address(ipif))
14922                         return (EINVAL);
14923 
14924                 /* Register the source address for __sin6_src_id */
14925                 err = ip_srcid_insert(&ipif->ipif_v6lcl_addr,
14926                     ipif->ipif_zoneid, ipst);
14927                 if (err != 0) {
14928                         ip0dbg(("ipif_add_ires: srcid_insert %d\n", err));
14929                         return (err);
14930                 }
14931 
14932                 if (loopback)
14933                         gw = (uchar_t *)&ipif->ipif_lcl_addr;
14934                 else
14935                         gw = NULL;
14936 
14937                 /* If the interface address is set, create the local IRE. */
14938                 ire_local = ire_create(
14939                     (uchar_t *)&ipif->ipif_lcl_addr,     /* dest address */
14940                     (uchar_t *)&ip_g_all_ones,              /* mask */
14941                     gw,                                 /* gateway */
14942                     ipif->ipif_ire_type,             /* LOCAL or LOOPBACK */
14943                     ipif->ipif_ill,
14944                     ipif->ipif_zoneid,
14945                     ((ipif->ipif_flags & IPIF_PRIVATE) ?
14946                     RTF_PRIVATE : 0) | RTF_KERNEL,
14947                     NULL,
14948                     ipst);
14949                 ip1dbg(("ipif_add_ires: 0x%p creating IRE %p type 0x%x"
14950                     " for 0x%x\n", (void *)ipif, (void *)ire_local,
14951                     ipif->ipif_ire_type,
14952                     ntohl(ipif->ipif_lcl_addr)));
14953                 if (ire_local == NULL) {
14954                         ip1dbg(("ipif_up_done: NULL ire_local\n"));
14955                         err = ENOMEM;
14956                         goto bad;
14957                 }
14958         } else {
14959                 ip1dbg((
14960                     "ipif_add_ires: not creating IRE %d for 0x%x: flags 0x%x\n",
14961                     ipif->ipif_ire_type,
14962                     ntohl(ipif->ipif_lcl_addr),
14963                     (uint_t)ipif->ipif_flags));
14964         }
14965         if ((ipif->ipif_lcl_addr != INADDR_ANY) &&
14966             !(ipif->ipif_flags & IPIF_NOLOCAL)) {
14967                 net_mask = ip_net_mask(ipif->ipif_lcl_addr);
14968         } else {
14969                 net_mask = htonl(IN_CLASSA_NET);        /* fallback */
14970         }
14971 
14972         subnet_mask = ipif->ipif_net_mask;
14973 
14974         /*
14975          * If mask was not specified, use natural netmask of
14976          * interface address. Also, store this mask back into the
14977          * ipif struct.
14978          */
14979         if (subnet_mask == 0) {
14980                 subnet_mask = net_mask;
14981                 V4MASK_TO_V6(subnet_mask, ipif->ipif_v6net_mask);
14982                 V6_MASK_COPY(ipif->ipif_v6lcl_addr, ipif->ipif_v6net_mask,
14983                     ipif->ipif_v6subnet);
14984         }
14985 
14986         /* Set up the IRE_IF_RESOLVER or IRE_IF_NORESOLVER, as appropriate. */
14987         if (!loopback && !(ipif->ipif_flags & IPIF_NOXMIT) &&
14988             ipif->ipif_subnet != INADDR_ANY) {
14989                 /* ipif_subnet is ipif_pp_dst_addr for pt-pt */
14990 
14991                 if (ipif->ipif_flags & IPIF_POINTOPOINT) {
14992                         route_mask = IP_HOST_MASK;
14993                 } else {
14994                         route_mask = subnet_mask;
14995                 }
14996 
14997                 ip1dbg(("ipif_add_ires: ipif 0x%p ill 0x%p "
14998                     "creating if IRE ill_net_type 0x%x for 0x%x\n",
14999                     (void *)ipif, (void *)ill, ill->ill_net_type,
15000                     ntohl(ipif->ipif_subnet)));
15001                 ire_if = ire_create(
15002                     (uchar_t *)&ipif->ipif_subnet,
15003                     (uchar_t *)&route_mask,
15004                     (uchar_t *)&ipif->ipif_lcl_addr,
15005                     ill->ill_net_type,
15006                     ill,
15007                     ipif->ipif_zoneid,
15008                     ((ipif->ipif_flags & IPIF_PRIVATE) ?
15009                     RTF_PRIVATE: 0) | RTF_KERNEL,
15010                     NULL,
15011                     ipst);
15012                 if (ire_if == NULL) {
15013                         ip1dbg(("ipif_up_done: NULL ire_if\n"));
15014                         err = ENOMEM;
15015                         goto bad;
15016                 }
15017         }
15018 
15019         /*
15020          * Create any necessary broadcast IREs.
15021          */
15022         if ((ipif->ipif_flags & IPIF_BROADCAST) &&
15023             !(ipif->ipif_flags & IPIF_NOXMIT))
15024                 irep = ipif_create_bcast_ires(ipif, irep);
15025 
15026         /* If an earlier ire_create failed, get out now */
15027         for (irep1 = irep; irep1 > ire_array; ) {
15028                 irep1--;
15029                 if (*irep1 == NULL) {
15030                         ip1dbg(("ipif_up_done: NULL ire found in ire_array\n"));
15031                         err = ENOMEM;
15032                         goto bad;
15033                 }
15034         }
15035 
15036         /*
15037          * Need to atomically check for IP address availability under
15038          * ip_addr_avail_lock.  ill_g_lock is held as reader to ensure no new
15039          * ills or new ipifs can be added while we are checking availability.
15040          */
15041         rw_enter(&ipst->ips_ill_g_lock, RW_READER);
15042         mutex_enter(&ipst->ips_ip_addr_avail_lock);
15043         /* Mark it up, and increment counters. */
15044         ipif->ipif_flags |= IPIF_UP;
15045         ill->ill_ipif_up_count++;
15046         err = ip_addr_availability_check(ipif);
15047         mutex_exit(&ipst->ips_ip_addr_avail_lock);
15048         rw_exit(&ipst->ips_ill_g_lock);
15049 
15050         if (err != 0) {
15051                 /*
15052                  * Our address may already be up on the same ill. In this case,
15053                  * the ARP entry for our ipif replaced the one for the other
15054                  * ipif. So we don't want to delete it (otherwise the other ipif
15055                  * would be unable to send packets).
15056                  * ip_addr_availability_check() identifies this case for us and
15057                  * returns EADDRINUSE; Caller should turn it into EADDRNOTAVAIL
15058                  * which is the expected error code.
15059                  */
15060                 ill->ill_ipif_up_count--;
15061                 ipif->ipif_flags &= ~IPIF_UP;
15062                 goto bad;
15063         }
15064 
15065         /*
15066          * Add in all newly created IREs.  ire_create_bcast() has
15067          * already checked for duplicates of the IRE_BROADCAST type.
15068          * We add the IRE_INTERFACE before the IRE_LOCAL to ensure
15069          * that lookups find the IRE_LOCAL even if the IRE_INTERFACE is
15070          * a /32 route.
15071          */
15072         if (ire_if != NULL) {
15073                 ire_if = ire_add(ire_if);
15074                 if (ire_if == NULL) {
15075                         err = ENOMEM;
15076                         goto bad2;
15077                 }
15078 #ifdef DEBUG
15079                 ire_refhold_notr(ire_if);
15080                 ire_refrele(ire_if);
15081 #endif
15082         }
15083         if (ire_local != NULL) {
15084                 ire_local = ire_add(ire_local);
15085                 if (ire_local == NULL) {
15086                         err = ENOMEM;
15087                         goto bad2;
15088                 }
15089 #ifdef DEBUG
15090                 ire_refhold_notr(ire_local);
15091                 ire_refrele(ire_local);
15092 #endif
15093         }
15094         rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
15095         if (ire_local != NULL)
15096                 ipif->ipif_ire_local = ire_local;
15097         if (ire_if != NULL)
15098                 ipif->ipif_ire_if = ire_if;
15099         rw_exit(&ipst->ips_ill_g_lock);
15100         ire_local = NULL;
15101         ire_if = NULL;
15102 
15103         /*
15104          * We first add all of them, and if that succeeds we refrele the
15105          * bunch. That enables us to delete all of them should any of the
15106          * ire_adds fail.
15107          */
15108         for (irep1 = irep; irep1 > ire_array; ) {
15109                 irep1--;
15110                 ASSERT(!MUTEX_HELD(&((*irep1)->ire_ill->ill_lock)));
15111                 *irep1 = ire_add(*irep1);
15112                 if (*irep1 == NULL) {
15113                         err = ENOMEM;
15114                         goto bad2;
15115                 }
15116         }
15117 
15118         for (irep1 = irep; irep1 > ire_array; ) {
15119                 irep1--;
15120                 /* refheld by ire_add. */
15121                 if (*irep1 != NULL) {
15122                         ire_refrele(*irep1);
15123                         *irep1 = NULL;
15124                 }
15125         }
15126 
15127         if (!loopback) {
15128                 /*
15129                  * If the broadcast address has been set, make sure it makes
15130                  * sense based on the interface address.
15131                  * Only match on ill since we are sharing broadcast addresses.
15132                  */
15133                 if ((ipif->ipif_brd_addr != INADDR_ANY) &&
15134                     (ipif->ipif_flags & IPIF_BROADCAST)) {
15135                         ire_t   *ire;
15136 
15137                         ire = ire_ftable_lookup_v4(ipif->ipif_brd_addr, 0, 0,
15138                             IRE_BROADCAST, ipif->ipif_ill, ALL_ZONES, NULL,
15139                             (MATCH_IRE_TYPE | MATCH_IRE_ILL), 0, ipst, NULL);
15140 
15141                         if (ire == NULL) {
15142                                 /*
15143                                  * If there isn't a matching broadcast IRE,
15144                                  * revert to the default for this netmask.
15145                                  */
15146                                 ipif->ipif_v6brd_addr = ipv6_all_zeros;
15147                                 mutex_enter(&ipif->ipif_ill->ill_lock);
15148                                 ipif_set_default(ipif);
15149                                 mutex_exit(&ipif->ipif_ill->ill_lock);
15150                         } else {
15151                                 ire_refrele(ire);
15152                         }
15153                 }
15154 
15155         }
15156         return (0);
15157 
15158 bad2:
15159         ill->ill_ipif_up_count--;
15160         ipif->ipif_flags &= ~IPIF_UP;
15161 
15162 bad:
15163         ip1dbg(("ipif_add_ires: FAILED \n"));
15164         if (ire_local != NULL)
15165                 ire_delete(ire_local);
15166         if (ire_if != NULL)
15167                 ire_delete(ire_if);
15168 
15169         rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
15170         ire_local = ipif->ipif_ire_local;
15171         ipif->ipif_ire_local = NULL;
15172         ire_if = ipif->ipif_ire_if;
15173         ipif->ipif_ire_if = NULL;
15174         rw_exit(&ipst->ips_ill_g_lock);
15175         if (ire_local != NULL) {
15176                 ire_delete(ire_local);
15177                 ire_refrele_notr(ire_local);
15178         }
15179         if (ire_if != NULL) {
15180                 ire_delete(ire_if);
15181                 ire_refrele_notr(ire_if);
15182         }
15183 
15184         while (irep > ire_array) {
15185                 irep--;
15186                 if (*irep != NULL) {
15187                         ire_delete(*irep);
15188                 }
15189         }
15190         (void) ip_srcid_remove(&ipif->ipif_v6lcl_addr, ipif->ipif_zoneid, ipst);
15191 
15192         return (err);
15193 }
15194 
15195 /* Remove all the IREs created by ipif_add_ires_v4 */
15196 void
15197 ipif_delete_ires_v4(ipif_t *ipif)
15198 {
15199         ill_t           *ill = ipif->ipif_ill;
15200         ip_stack_t      *ipst = ill->ill_ipst;
15201         ire_t           *ire;
15202 
15203         rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
15204         ire = ipif->ipif_ire_local;
15205         ipif->ipif_ire_local = NULL;
15206         rw_exit(&ipst->ips_ill_g_lock);
15207         if (ire != NULL) {
15208                 /*
15209                  * Move count to ipif so we don't loose the count due to
15210                  * a down/up dance.
15211                  */
15212                 atomic_add_32(&ipif->ipif_ib_pkt_count, ire->ire_ib_pkt_count);
15213 
15214                 ire_delete(ire);
15215                 ire_refrele_notr(ire);
15216         }
15217         rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
15218         ire = ipif->ipif_ire_if;
15219         ipif->ipif_ire_if = NULL;
15220         rw_exit(&ipst->ips_ill_g_lock);
15221         if (ire != NULL) {
15222                 ire_delete(ire);
15223                 ire_refrele_notr(ire);
15224         }
15225 
15226         /*
15227          * Delete the broadcast IREs.
15228          */
15229         if ((ipif->ipif_flags & IPIF_BROADCAST) &&
15230             !(ipif->ipif_flags & IPIF_NOXMIT))
15231                 ipif_delete_bcast_ires(ipif);
15232 }
15233 
15234 /*
15235  * Checks for availbility of a usable source address (if there is one) when the
15236  * destination ILL has the ill_usesrc_ifindex pointing to another ILL. Note
15237  * this selection is done regardless of the destination.
15238  */
15239 boolean_t
15240 ipif_zone_avail(uint_t ifindex, boolean_t isv6, zoneid_t zoneid,
15241     ip_stack_t *ipst)
15242 {
15243         ipif_t          *ipif = NULL;
15244         ill_t           *uill;
15245 
15246         ASSERT(ifindex != 0);
15247 
15248         uill = ill_lookup_on_ifindex(ifindex, isv6, ipst);
15249         if (uill == NULL)
15250                 return (B_FALSE);
15251 
15252         mutex_enter(&uill->ill_lock);
15253         for (ipif = uill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
15254                 if (IPIF_IS_CONDEMNED(ipif))
15255                         continue;
15256                 if (ipif->ipif_flags & (IPIF_NOLOCAL|IPIF_ANYCAST))
15257                         continue;
15258                 if (!(ipif->ipif_flags & IPIF_UP))
15259                         continue;
15260                 if (ipif->ipif_zoneid != zoneid)
15261                         continue;
15262                 if (isv6 ? IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6lcl_addr) :
15263                     ipif->ipif_lcl_addr == INADDR_ANY)
15264                         continue;
15265                 mutex_exit(&uill->ill_lock);
15266                 ill_refrele(uill);
15267                 return (B_TRUE);
15268         }
15269         mutex_exit(&uill->ill_lock);
15270         ill_refrele(uill);
15271         return (B_FALSE);
15272 }
15273 
15274 /*
15275  * Find an ipif with a good local address on the ill+zoneid.
15276  */
15277 ipif_t *
15278 ipif_good_addr(ill_t *ill, zoneid_t zoneid)
15279 {
15280         ipif_t          *ipif;
15281 
15282         mutex_enter(&ill->ill_lock);
15283         for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
15284                 if (IPIF_IS_CONDEMNED(ipif))
15285                         continue;
15286                 if (ipif->ipif_flags & (IPIF_NOLOCAL|IPIF_ANYCAST))
15287                         continue;
15288                 if (!(ipif->ipif_flags & IPIF_UP))
15289                         continue;
15290                 if (ipif->ipif_zoneid != zoneid &&
15291                     ipif->ipif_zoneid != ALL_ZONES && zoneid != ALL_ZONES)
15292                         continue;
15293                 if (ill->ill_isv6 ?
15294                     IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6lcl_addr) :
15295                     ipif->ipif_lcl_addr == INADDR_ANY)
15296                         continue;
15297                 ipif_refhold_locked(ipif);
15298                 mutex_exit(&ill->ill_lock);
15299                 return (ipif);
15300         }
15301         mutex_exit(&ill->ill_lock);
15302         return (NULL);
15303 }
15304 
15305 /*
15306  * IP source address type, sorted from worst to best.  For a given type,
15307  * always prefer IP addresses on the same subnet.  All-zones addresses are
15308  * suboptimal because they pose problems with unlabeled destinations.
15309  */
15310 typedef enum {
15311         IPIF_NONE,
15312         IPIF_DIFFNET_DEPRECATED,        /* deprecated and different subnet */
15313         IPIF_SAMENET_DEPRECATED,        /* deprecated and same subnet */
15314         IPIF_DIFFNET_ALLZONES,          /* allzones and different subnet */
15315         IPIF_SAMENET_ALLZONES,          /* allzones and same subnet */
15316         IPIF_DIFFNET,                   /* normal and different subnet */
15317         IPIF_SAMENET,                   /* normal and same subnet */
15318         IPIF_LOCALADDR                  /* local loopback */
15319 } ipif_type_t;
15320 
15321 /*
15322  * Pick the optimal ipif on `ill' for sending to destination `dst' from zone
15323  * `zoneid'.  We rate usable ipifs from low -> high as per the ipif_type_t
15324  * enumeration, and return the highest-rated ipif.  If there's a tie, we pick
15325  * the first one, unless IPMP is used in which case we round-robin among them;
15326  * see below for more.
15327  *
15328  * Returns NULL if there is no suitable source address for the ill.
15329  * This only occurs when there is no valid source address for the ill.
15330  */
15331 ipif_t *
15332 ipif_select_source_v4(ill_t *ill, ipaddr_t dst, zoneid_t zoneid,
15333     boolean_t allow_usesrc, boolean_t *notreadyp)
15334 {
15335         ill_t   *usill = NULL;
15336         ill_t   *ipmp_ill = NULL;
15337         ipif_t  *start_ipif, *next_ipif, *ipif, *best_ipif;
15338         ipif_type_t type, best_type;
15339         tsol_tpc_t *src_rhtp, *dst_rhtp;
15340         ip_stack_t *ipst = ill->ill_ipst;
15341         boolean_t samenet;
15342 
15343         if (ill->ill_usesrc_ifindex != 0 && allow_usesrc) {
15344                 usill = ill_lookup_on_ifindex(ill->ill_usesrc_ifindex,
15345                     B_FALSE, ipst);
15346                 if (usill != NULL)
15347                         ill = usill;    /* Select source from usesrc ILL */
15348                 else
15349                         return (NULL);
15350         }
15351 
15352         /*
15353          * Test addresses should never be used for source address selection,
15354          * so if we were passed one, switch to the IPMP meta-interface.
15355          */
15356         if (IS_UNDER_IPMP(ill)) {
15357                 if ((ipmp_ill = ipmp_ill_hold_ipmp_ill(ill)) != NULL)
15358                         ill = ipmp_ill; /* Select source from IPMP ill */
15359                 else
15360                         return (NULL);
15361         }
15362 
15363         /*
15364          * If we're dealing with an unlabeled destination on a labeled system,
15365          * make sure that we ignore source addresses that are incompatible with
15366          * the destination's default label.  That destination's default label
15367          * must dominate the minimum label on the source address.
15368          */
15369         dst_rhtp = NULL;
15370         if (is_system_labeled()) {
15371                 dst_rhtp = find_tpc(&dst, IPV4_VERSION, B_FALSE);
15372                 if (dst_rhtp == NULL)
15373                         return (NULL);
15374                 if (dst_rhtp->tpc_tp.host_type != UNLABELED) {
15375                         TPC_RELE(dst_rhtp);
15376                         dst_rhtp = NULL;
15377                 }
15378         }
15379 
15380         /*
15381          * Hold the ill_g_lock as reader. This makes sure that no ipif/ill
15382          * can be deleted. But an ipif/ill can get CONDEMNED any time.
15383          * After selecting the right ipif, under ill_lock make sure ipif is
15384          * not condemned, and increment refcnt. If ipif is CONDEMNED,
15385          * we retry. Inside the loop we still need to check for CONDEMNED,
15386          * but not under a lock.
15387          */
15388         rw_enter(&ipst->ips_ill_g_lock, RW_READER);
15389 retry:
15390         /*
15391          * For source address selection, we treat the ipif list as circular
15392          * and continue until we get back to where we started.  This allows
15393          * IPMP to vary source address selection (which improves inbound load
15394          * spreading) by caching its last ending point and starting from
15395          * there.  NOTE: we don't have to worry about ill_src_ipif changing
15396          * ills since that can't happen on the IPMP ill.
15397          */
15398         start_ipif = ill->ill_ipif;
15399         if (IS_IPMP(ill) && ill->ill_src_ipif != NULL)
15400                 start_ipif = ill->ill_src_ipif;
15401 
15402         ipif = start_ipif;
15403         best_ipif = NULL;
15404         best_type = IPIF_NONE;
15405         do {
15406                 if ((next_ipif = ipif->ipif_next) == NULL)
15407                         next_ipif = ill->ill_ipif;
15408 
15409                 if (IPIF_IS_CONDEMNED(ipif))
15410                         continue;
15411                 /* Always skip NOLOCAL and ANYCAST interfaces */
15412                 if (ipif->ipif_flags & (IPIF_NOLOCAL|IPIF_ANYCAST))
15413                         continue;
15414                 /* Always skip NOACCEPT interfaces */
15415                 if (ipif->ipif_ill->ill_flags & ILLF_NOACCEPT)
15416                         continue;
15417                 if (!(ipif->ipif_flags & IPIF_UP))
15418                         continue;
15419 
15420                 if (!ipif->ipif_addr_ready) {
15421                         if (notreadyp != NULL)
15422                                 *notreadyp = B_TRUE;
15423                         continue;
15424                 }
15425 
15426                 if (zoneid != ALL_ZONES &&
15427                     ipif->ipif_zoneid != zoneid &&
15428                     ipif->ipif_zoneid != ALL_ZONES)
15429                         continue;
15430 
15431                 /*
15432                  * Interfaces with 0.0.0.0 address are allowed to be UP, but
15433                  * are not valid as source addresses.
15434                  */
15435                 if (ipif->ipif_lcl_addr == INADDR_ANY)
15436                         continue;
15437 
15438                 /*
15439                  * Check compatibility of local address for destination's
15440                  * default label if we're on a labeled system.  Incompatible
15441                  * addresses can't be used at all.
15442                  */
15443                 if (dst_rhtp != NULL) {
15444                         boolean_t incompat;
15445 
15446                         src_rhtp = find_tpc(&ipif->ipif_lcl_addr,
15447                             IPV4_VERSION, B_FALSE);
15448                         if (src_rhtp == NULL)
15449                                 continue;
15450                         incompat = src_rhtp->tpc_tp.host_type != SUN_CIPSO ||
15451                             src_rhtp->tpc_tp.tp_doi !=
15452                             dst_rhtp->tpc_tp.tp_doi ||
15453                             (!_blinrange(&dst_rhtp->tpc_tp.tp_def_label,
15454                             &src_rhtp->tpc_tp.tp_sl_range_cipso) &&
15455                             !blinlset(&dst_rhtp->tpc_tp.tp_def_label,
15456                             src_rhtp->tpc_tp.tp_sl_set_cipso));
15457                         TPC_RELE(src_rhtp);
15458                         if (incompat)
15459                                 continue;
15460                 }
15461 
15462                 samenet = ((ipif->ipif_net_mask & dst) == ipif->ipif_subnet);
15463 
15464                 if (ipif->ipif_lcl_addr == dst) {
15465                         type = IPIF_LOCALADDR;
15466                 } else if (ipif->ipif_flags & IPIF_DEPRECATED) {
15467                         type = samenet ? IPIF_SAMENET_DEPRECATED :
15468                             IPIF_DIFFNET_DEPRECATED;
15469                 } else if (ipif->ipif_zoneid == ALL_ZONES) {
15470                         type = samenet ? IPIF_SAMENET_ALLZONES :
15471                             IPIF_DIFFNET_ALLZONES;
15472                 } else {
15473                         type = samenet ? IPIF_SAMENET : IPIF_DIFFNET;
15474                 }
15475 
15476                 if (type > best_type) {
15477                         best_type = type;
15478                         best_ipif = ipif;
15479                         if (best_type == IPIF_LOCALADDR)
15480                                 break; /* can't get better */
15481                 }
15482         } while ((ipif = next_ipif) != start_ipif);
15483 
15484         if ((ipif = best_ipif) != NULL) {
15485                 mutex_enter(&ipif->ipif_ill->ill_lock);
15486                 if (IPIF_IS_CONDEMNED(ipif)) {
15487                         mutex_exit(&ipif->ipif_ill->ill_lock);
15488                         goto retry;
15489                 }
15490                 ipif_refhold_locked(ipif);
15491 
15492                 /*
15493                  * For IPMP, update the source ipif rotor to the next ipif,
15494                  * provided we can look it up.  (We must not use it if it's
15495                  * IPIF_CONDEMNED since we may have grabbed ill_g_lock after
15496                  * ipif_free() checked ill_src_ipif.)
15497                  */
15498                 if (IS_IPMP(ill) && ipif != NULL) {
15499                         next_ipif = ipif->ipif_next;
15500                         if (next_ipif != NULL && !IPIF_IS_CONDEMNED(next_ipif))
15501                                 ill->ill_src_ipif = next_ipif;
15502                         else
15503                                 ill->ill_src_ipif = NULL;
15504                 }
15505                 mutex_exit(&ipif->ipif_ill->ill_lock);
15506         }
15507 
15508         rw_exit(&ipst->ips_ill_g_lock);
15509         if (usill != NULL)
15510                 ill_refrele(usill);
15511         if (ipmp_ill != NULL)
15512                 ill_refrele(ipmp_ill);
15513         if (dst_rhtp != NULL)
15514                 TPC_RELE(dst_rhtp);
15515 
15516 #ifdef DEBUG
15517         if (ipif == NULL) {
15518                 char buf1[INET6_ADDRSTRLEN];
15519 
15520                 ip1dbg(("ipif_select_source_v4(%s, %s) -> NULL\n",
15521                     ill->ill_name,
15522                     inet_ntop(AF_INET, &dst, buf1, sizeof (buf1))));
15523         } else {
15524                 char buf1[INET6_ADDRSTRLEN];
15525                 char buf2[INET6_ADDRSTRLEN];
15526 
15527                 ip1dbg(("ipif_select_source_v4(%s, %s) -> %s\n",
15528                     ipif->ipif_ill->ill_name,
15529                     inet_ntop(AF_INET, &dst, buf1, sizeof (buf1)),
15530                     inet_ntop(AF_INET, &ipif->ipif_lcl_addr,
15531                     buf2, sizeof (buf2))));
15532         }
15533 #endif /* DEBUG */
15534         return (ipif);
15535 }
15536 
15537 /*
15538  * Pick a source address based on the destination ill and an optional setsrc
15539  * address.
15540  * The result is stored in srcp. If generation is set, then put the source
15541  * generation number there before we look for the source address (to avoid
15542  * missing changes in the set of source addresses.
15543  * If flagsp is set, then us it to pass back ipif_flags.
15544  *
15545  * If the caller wants to cache the returned source address and detect when
15546  * that might be stale, the caller should pass in a generation argument,
15547  * which the caller can later compare against ips_src_generation
15548  *
15549  * The precedence order for selecting an IPv4 source address is:
15550  *  - RTF_SETSRC on the offlink ire always wins.
15551  *  - If usrsrc is set, swap the ill to be the usesrc one.
15552  *  - If IPMP is used on the ill, select a random address from the most
15553  *    preferred ones below:
15554  * 1. If onlink destination, same subnet and not deprecated, not ALL_ZONES
15555  * 2. Not deprecated, not ALL_ZONES
15556  * 3. If onlink destination, same subnet and not deprecated, ALL_ZONES
15557  * 4. Not deprecated, ALL_ZONES
15558  * 5. If onlink destination, same subnet and deprecated
15559  * 6. Deprecated.
15560  *
15561  * We have lower preference for ALL_ZONES IP addresses,
15562  * as they pose problems with unlabeled destinations.
15563  *
15564  * Note that when multiple IP addresses match e.g., #1 we pick
15565  * the first one if IPMP is not in use. With IPMP we randomize.
15566  */
15567 int
15568 ip_select_source_v4(ill_t *ill, ipaddr_t setsrc, ipaddr_t dst,
15569     ipaddr_t multicast_ifaddr,
15570     zoneid_t zoneid, ip_stack_t *ipst, ipaddr_t *srcp,
15571     uint32_t *generation, uint64_t *flagsp)
15572 {
15573         ipif_t *ipif;
15574         boolean_t notready = B_FALSE;   /* Set if !ipif_addr_ready found */
15575 
15576         if (flagsp != NULL)
15577                 *flagsp = 0;
15578 
15579         /*
15580          * Need to grab the generation number before we check to
15581          * avoid a race with a change to the set of local addresses.
15582          * No lock needed since the thread which updates the set of local
15583          * addresses use ipif/ill locks and exit those (hence a store memory
15584          * barrier) before doing the atomic increase of ips_src_generation.
15585          */
15586         if (generation != NULL) {
15587                 *generation = ipst->ips_src_generation;
15588         }
15589 
15590         if (CLASSD(dst) && multicast_ifaddr != INADDR_ANY) {
15591                 *srcp = multicast_ifaddr;
15592                 return (0);
15593         }
15594 
15595         /* Was RTF_SETSRC set on the first IRE in the recursive lookup? */
15596         if (setsrc != INADDR_ANY) {
15597                 *srcp = setsrc;
15598                 return (0);
15599         }
15600         ipif = ipif_select_source_v4(ill, dst, zoneid, B_TRUE, &notready);
15601         if (ipif == NULL) {
15602                 if (notready)
15603                         return (ENETDOWN);
15604                 else
15605                         return (EADDRNOTAVAIL);
15606         }
15607         *srcp = ipif->ipif_lcl_addr;
15608         if (flagsp != NULL)
15609                 *flagsp = ipif->ipif_flags;
15610         ipif_refrele(ipif);
15611         return (0);
15612 }
15613 
15614 /* ARGSUSED */
15615 int
15616 if_unitsel_restart(ipif_t *ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
15617         ip_ioctl_cmd_t *ipip, void *dummy_ifreq)
15618 {
15619         /*
15620          * ill_phyint_reinit merged the v4 and v6 into a single
15621          * ipsq.  We might not have been able to complete the
15622          * operation in ipif_set_values, if we could not become
15623          * exclusive.  If so restart it here.
15624          */
15625         return (ipif_set_values_tail(ipif->ipif_ill, ipif, mp, q));
15626 }
15627 
15628 /*
15629  * Can operate on either a module or a driver queue.
15630  * Returns an error if not a module queue.
15631  */
15632 /* ARGSUSED */
15633 int
15634 if_unitsel(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
15635     ip_ioctl_cmd_t *ipip, void *dummy_ifreq)
15636 {
15637         queue_t         *q1 = q;
15638         char            *cp;
15639         char            interf_name[LIFNAMSIZ];
15640         uint_t          ppa = *(uint_t *)mp->b_cont->b_cont->b_rptr;
15641 
15642         if (q->q_next == NULL) {
15643                 ip1dbg((
15644                     "if_unitsel: IF_UNITSEL: no q_next\n"));
15645                 return (EINVAL);
15646         }
15647 
15648         if (((ill_t *)(q->q_ptr))->ill_name[0] != '\0')
15649                 return (EALREADY);
15650 
15651         do {
15652                 q1 = q1->q_next;
15653         } while (q1->q_next);
15654         cp = q1->q_qinfo->qi_minfo->mi_idname;
15655         (void) sprintf(interf_name, "%s%d", cp, ppa);
15656 
15657         /*
15658          * Here we are not going to delay the ioack until after
15659          * ACKs from DL_ATTACH_REQ/DL_BIND_REQ. So no need to save the
15660          * original ioctl message before sending the requests.
15661          */
15662         return (ipif_set_values(q, mp, interf_name, &ppa));
15663 }
15664 
15665 /* ARGSUSED */
15666 int
15667 ip_sioctl_sifname(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
15668     ip_ioctl_cmd_t *ipip, void *dummy_ifreq)
15669 {
15670         return (ENXIO);
15671 }
15672 
15673 /*
15674  * Create any IRE_BROADCAST entries for `ipif', and store those entries in
15675  * `irep'.  Returns a pointer to the next free `irep' entry
15676  * A mirror exists in ipif_delete_bcast_ires().
15677  *
15678  * The management of any "extra" or seemingly duplicate IRE_BROADCASTs is
15679  * done in ire_add.
15680  */
15681 static ire_t **
15682 ipif_create_bcast_ires(ipif_t *ipif, ire_t **irep)
15683 {
15684         ipaddr_t addr;
15685         ipaddr_t netmask = ip_net_mask(ipif->ipif_lcl_addr);
15686         ipaddr_t subnetmask = ipif->ipif_net_mask;
15687         ill_t *ill = ipif->ipif_ill;
15688         zoneid_t zoneid = ipif->ipif_zoneid;
15689 
15690         ip1dbg(("ipif_create_bcast_ires: creating broadcast IREs\n"));
15691 
15692         ASSERT(ipif->ipif_flags & IPIF_BROADCAST);
15693         ASSERT(!(ipif->ipif_flags & IPIF_NOXMIT));
15694 
15695         if (ipif->ipif_lcl_addr == INADDR_ANY ||
15696             (ipif->ipif_flags & IPIF_NOLOCAL))
15697                 netmask = htonl(IN_CLASSA_NET);         /* fallback */
15698 
15699         irep = ire_create_bcast(ill, 0, zoneid, irep);
15700         irep = ire_create_bcast(ill, INADDR_BROADCAST, zoneid, irep);
15701 
15702         /*
15703          * For backward compatibility, we create net broadcast IREs based on
15704          * the old "IP address class system", since some old machines only
15705          * respond to these class derived net broadcast.  However, we must not
15706          * create these net broadcast IREs if the subnetmask is shorter than
15707          * the IP address class based derived netmask.  Otherwise, we may
15708          * create a net broadcast address which is the same as an IP address
15709          * on the subnet -- and then TCP will refuse to talk to that address.
15710          */
15711         if (netmask < subnetmask) {
15712                 addr = netmask & ipif->ipif_subnet;
15713                 irep = ire_create_bcast(ill, addr, zoneid, irep);
15714                 irep = ire_create_bcast(ill, ~netmask | addr, zoneid, irep);
15715         }
15716 
15717         /*
15718          * Don't create IRE_BROADCAST IREs for the interface if the subnetmask
15719          * is 0xFFFFFFFF, as an IRE_LOCAL for that interface is already
15720          * created.  Creating these broadcast IREs will only create confusion
15721          * as `addr' will be the same as the IP address.
15722          */
15723         if (subnetmask != 0xFFFFFFFF) {
15724                 addr = ipif->ipif_subnet;
15725                 irep = ire_create_bcast(ill, addr, zoneid, irep);
15726                 irep = ire_create_bcast(ill, ~subnetmask | addr, zoneid, irep);
15727         }
15728 
15729         return (irep);
15730 }
15731 
15732 /*
15733  * Mirror of ipif_create_bcast_ires()
15734  */
15735 static void
15736 ipif_delete_bcast_ires(ipif_t *ipif)
15737 {
15738         ipaddr_t        addr;
15739         ipaddr_t        netmask = ip_net_mask(ipif->ipif_lcl_addr);
15740         ipaddr_t        subnetmask = ipif->ipif_net_mask;
15741         ill_t           *ill = ipif->ipif_ill;
15742         zoneid_t        zoneid = ipif->ipif_zoneid;
15743         ire_t           *ire;
15744 
15745         ASSERT(ipif->ipif_flags & IPIF_BROADCAST);
15746         ASSERT(!(ipif->ipif_flags & IPIF_NOXMIT));
15747 
15748         if (ipif->ipif_lcl_addr == INADDR_ANY ||
15749             (ipif->ipif_flags & IPIF_NOLOCAL))
15750                 netmask = htonl(IN_CLASSA_NET);         /* fallback */
15751 
15752         ire = ire_lookup_bcast(ill, 0, zoneid);
15753         ASSERT(ire != NULL);
15754         ire_delete(ire); ire_refrele(ire);
15755         ire = ire_lookup_bcast(ill, INADDR_BROADCAST, zoneid);
15756         ASSERT(ire != NULL);
15757         ire_delete(ire); ire_refrele(ire);
15758 
15759         /*
15760          * For backward compatibility, we create net broadcast IREs based on
15761          * the old "IP address class system", since some old machines only
15762          * respond to these class derived net broadcast.  However, we must not
15763          * create these net broadcast IREs if the subnetmask is shorter than
15764          * the IP address class based derived netmask.  Otherwise, we may
15765          * create a net broadcast address which is the same as an IP address
15766          * on the subnet -- and then TCP will refuse to talk to that address.
15767          */
15768         if (netmask < subnetmask) {
15769                 addr = netmask & ipif->ipif_subnet;
15770                 ire = ire_lookup_bcast(ill, addr, zoneid);
15771                 ASSERT(ire != NULL);
15772                 ire_delete(ire); ire_refrele(ire);
15773                 ire = ire_lookup_bcast(ill, ~netmask | addr, zoneid);
15774                 ASSERT(ire != NULL);
15775                 ire_delete(ire); ire_refrele(ire);
15776         }
15777 
15778         /*
15779          * Don't create IRE_BROADCAST IREs for the interface if the subnetmask
15780          * is 0xFFFFFFFF, as an IRE_LOCAL for that interface is already
15781          * created.  Creating these broadcast IREs will only create confusion
15782          * as `addr' will be the same as the IP address.
15783          */
15784         if (subnetmask != 0xFFFFFFFF) {
15785                 addr = ipif->ipif_subnet;
15786                 ire = ire_lookup_bcast(ill, addr, zoneid);
15787                 ASSERT(ire != NULL);
15788                 ire_delete(ire); ire_refrele(ire);
15789                 ire = ire_lookup_bcast(ill, ~subnetmask | addr, zoneid);
15790                 ASSERT(ire != NULL);
15791                 ire_delete(ire); ire_refrele(ire);
15792         }
15793 }
15794 
15795 /*
15796  * Extract both the flags (including IFF_CANTCHANGE) such as IFF_IPV*
15797  * from lifr_flags and the name from lifr_name.
15798  * Set IFF_IPV* and ill_isv6 prior to doing the lookup
15799  * since ipif_lookup_on_name uses the _isv6 flags when matching.
15800  * Returns EINPROGRESS when mp has been consumed by queueing it on
15801  * ipx_pending_mp and the ioctl will complete in ip_rput.
15802  *
15803  * Can operate on either a module or a driver queue.
15804  * Returns an error if not a module queue.
15805  */
15806 /* ARGSUSED */
15807 int
15808 ip_sioctl_slifname(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
15809     ip_ioctl_cmd_t *ipip, void *if_req)
15810 {
15811         ill_t   *ill = q->q_ptr;
15812         phyint_t *phyi;
15813         ip_stack_t *ipst;
15814         struct lifreq *lifr = if_req;
15815         uint64_t new_flags;
15816 
15817         ASSERT(ipif != NULL);
15818         ip1dbg(("ip_sioctl_slifname %s\n", lifr->lifr_name));
15819 
15820         if (q->q_next == NULL) {
15821                 ip1dbg(("if_sioctl_slifname: SIOCSLIFNAME: no q_next\n"));
15822                 return (EINVAL);
15823         }
15824 
15825         /*
15826          * If we are not writer on 'q' then this interface exists already
15827          * and previous lookups (ip_extract_lifreq()) found this ipif --
15828          * so return EALREADY.
15829          */
15830         if (ill != ipif->ipif_ill)
15831                 return (EALREADY);
15832 
15833         if (ill->ill_name[0] != '\0')
15834                 return (EALREADY);
15835 
15836         /*
15837          * If there's another ill already with the requested name, ensure
15838          * that it's of the same type.  Otherwise, ill_phyint_reinit() will
15839          * fuse together two unrelated ills, which will cause chaos.
15840          */
15841         ipst = ill->ill_ipst;
15842         phyi = avl_find(&ipst->ips_phyint_g_list->phyint_list_avl_by_name,
15843             lifr->lifr_name, NULL);
15844         if (phyi != NULL) {
15845                 ill_t *ill_mate = phyi->phyint_illv4;
15846 
15847                 if (ill_mate == NULL)
15848                         ill_mate = phyi->phyint_illv6;
15849                 ASSERT(ill_mate != NULL);
15850 
15851                 if (ill_mate->ill_media->ip_m_mac_type !=
15852                     ill->ill_media->ip_m_mac_type) {
15853                         ip1dbg(("if_sioctl_slifname: SIOCSLIFNAME: attempt to "
15854                             "use the same ill name on differing media\n"));
15855                         return (EINVAL);
15856                 }
15857         }
15858 
15859         /*
15860          * We start off as IFF_IPV4 in ipif_allocate and become
15861          * IFF_IPV4 or IFF_IPV6 here depending  on lifr_flags value.
15862          * The only flags that we read from user space are IFF_IPV4,
15863          * IFF_IPV6, and IFF_BROADCAST.
15864          *
15865          * This ill has not been inserted into the global list.
15866          * So we are still single threaded and don't need any lock
15867          *
15868          * Saniy check the flags.
15869          */
15870 
15871         if ((lifr->lifr_flags & IFF_BROADCAST) &&
15872             ((lifr->lifr_flags & IFF_IPV6) ||
15873             (!ill->ill_needs_attach && ill->ill_bcast_addr_length == 0))) {
15874                 ip1dbg(("ip_sioctl_slifname: link not broadcast capable "
15875                     "or IPv6 i.e., no broadcast \n"));
15876                 return (EINVAL);
15877         }
15878 
15879         new_flags =
15880             lifr->lifr_flags & (IFF_IPV6|IFF_IPV4|IFF_BROADCAST);
15881 
15882         if ((new_flags ^ (IFF_IPV6|IFF_IPV4)) == 0) {
15883                 ip1dbg(("ip_sioctl_slifname: flags must be exactly one of "
15884                     "IFF_IPV4 or IFF_IPV6\n"));
15885                 return (EINVAL);
15886         }
15887 
15888         /*
15889          * We always start off as IPv4, so only need to check for IPv6.
15890          */
15891         if ((new_flags & IFF_IPV6) != 0) {
15892                 ill->ill_flags |= ILLF_IPV6;
15893                 ill->ill_flags &= ~ILLF_IPV4;
15894 
15895                 if (lifr->lifr_flags & IFF_NOLINKLOCAL)
15896                         ill->ill_flags |= ILLF_NOLINKLOCAL;
15897         }
15898 
15899         if ((new_flags & IFF_BROADCAST) != 0)
15900                 ipif->ipif_flags |= IPIF_BROADCAST;
15901         else
15902                 ipif->ipif_flags &= ~IPIF_BROADCAST;
15903 
15904         /* We started off as V4. */
15905         if (ill->ill_flags & ILLF_IPV6) {
15906                 ill->ill_phyint->phyint_illv6 = ill;
15907                 ill->ill_phyint->phyint_illv4 = NULL;
15908         }
15909 
15910         return (ipif_set_values(q, mp, lifr->lifr_name, &lifr->lifr_ppa));
15911 }
15912 
15913 /* ARGSUSED */
15914 int
15915 ip_sioctl_slifname_restart(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
15916     ip_ioctl_cmd_t *ipip, void *if_req)
15917 {
15918         /*
15919          * ill_phyint_reinit merged the v4 and v6 into a single
15920          * ipsq.  We might not have been able to complete the
15921          * slifname in ipif_set_values, if we could not become
15922          * exclusive.  If so restart it here
15923          */
15924         return (ipif_set_values_tail(ipif->ipif_ill, ipif, mp, q));
15925 }
15926 
15927 /*
15928  * Return a pointer to the ipif which matches the index, IP version type and
15929  * zoneid.
15930  */
15931 ipif_t *
15932 ipif_lookup_on_ifindex(uint_t index, boolean_t isv6, zoneid_t zoneid,
15933     ip_stack_t *ipst)
15934 {
15935         ill_t   *ill;
15936         ipif_t  *ipif = NULL;
15937 
15938         ill = ill_lookup_on_ifindex(index, isv6, ipst);
15939         if (ill != NULL) {
15940                 mutex_enter(&ill->ill_lock);
15941                 for (ipif = ill->ill_ipif; ipif != NULL;
15942                     ipif = ipif->ipif_next) {
15943                         if (!IPIF_IS_CONDEMNED(ipif) && (zoneid == ALL_ZONES ||
15944                             zoneid == ipif->ipif_zoneid ||
15945                             ipif->ipif_zoneid == ALL_ZONES)) {
15946                                 ipif_refhold_locked(ipif);
15947                                 break;
15948                         }
15949                 }
15950                 mutex_exit(&ill->ill_lock);
15951                 ill_refrele(ill);
15952         }
15953         return (ipif);
15954 }
15955 
15956 /*
15957  * Change an existing physical interface's index. If the new index
15958  * is acceptable we update the index and the phyint_list_avl_by_index tree.
15959  * Finally, we update other systems which may have a dependence on the
15960  * index value.
15961  */
15962 /* ARGSUSED */
15963 int
15964 ip_sioctl_slifindex(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
15965     ip_ioctl_cmd_t *ipip, void *ifreq)
15966 {
15967         ill_t           *ill;
15968         phyint_t        *phyi;
15969         struct ifreq    *ifr = (struct ifreq *)ifreq;
15970         struct lifreq   *lifr = (struct lifreq *)ifreq;
15971         uint_t  old_index, index;
15972         ip_stack_t      *ipst = ipif->ipif_ill->ill_ipst;
15973         avl_index_t     where;
15974 
15975         if (ipip->ipi_cmd_type == IF_CMD)
15976                 index = ifr->ifr_index;
15977         else
15978                 index = lifr->lifr_index;
15979 
15980         /*
15981          * Only allow on physical interface. Also, index zero is illegal.
15982          */
15983         ill = ipif->ipif_ill;
15984         phyi = ill->ill_phyint;
15985         if (ipif->ipif_id != 0 || index == 0 || index > IF_INDEX_MAX) {
15986                 return (EINVAL);
15987         }
15988 
15989         /* If the index is not changing, no work to do */
15990         if (phyi->phyint_ifindex == index)
15991                 return (0);
15992 
15993         /*
15994          * Use phyint_exists() to determine if the new interface index
15995          * is already in use. If the index is unused then we need to
15996          * change the phyint's position in the phyint_list_avl_by_index
15997          * tree. If we do not do this, subsequent lookups (using the new
15998          * index value) will not find the phyint.
15999          */
16000         rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
16001         if (phyint_exists(index, ipst)) {
16002                 rw_exit(&ipst->ips_ill_g_lock);
16003                 return (EEXIST);
16004         }
16005 
16006         /*
16007          * The new index is unused. Set it in the phyint. However we must not
16008          * forget to trigger NE_IFINDEX_CHANGE event before the ifindex
16009          * changes. The event must be bound to old ifindex value.
16010          */
16011         ill_nic_event_dispatch(ill, 0, NE_IFINDEX_CHANGE,
16012             &index, sizeof (index));
16013 
16014         old_index = phyi->phyint_ifindex;
16015         phyi->phyint_ifindex = index;
16016 
16017         avl_remove(&ipst->ips_phyint_g_list->phyint_list_avl_by_index, phyi);
16018         (void) avl_find(&ipst->ips_phyint_g_list->phyint_list_avl_by_index,
16019             &index, &where);
16020         avl_insert(&ipst->ips_phyint_g_list->phyint_list_avl_by_index,
16021             phyi, where);
16022         rw_exit(&ipst->ips_ill_g_lock);
16023 
16024         /* Update SCTP's ILL list */
16025         sctp_ill_reindex(ill, old_index);
16026 
16027         /* Send the routing sockets message */
16028         ip_rts_ifmsg(ipif, RTSQ_DEFAULT);
16029         if (ILL_OTHER(ill))
16030                 ip_rts_ifmsg(ILL_OTHER(ill)->ill_ipif, RTSQ_DEFAULT);
16031 
16032         /* Perhaps ilgs should use this ill */
16033         update_conn_ill(NULL, ill->ill_ipst);
16034         return (0);
16035 }
16036 
16037 /* ARGSUSED */
16038 int
16039 ip_sioctl_get_lifindex(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
16040     ip_ioctl_cmd_t *ipip, void *ifreq)
16041 {
16042         struct ifreq    *ifr = (struct ifreq *)ifreq;
16043         struct lifreq   *lifr = (struct lifreq *)ifreq;
16044 
16045         ip1dbg(("ip_sioctl_get_lifindex(%s:%u %p)\n",
16046             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
16047         /* Get the interface index */
16048         if (ipip->ipi_cmd_type == IF_CMD) {
16049                 ifr->ifr_index = ipif->ipif_ill->ill_phyint->phyint_ifindex;
16050         } else {
16051                 lifr->lifr_index = ipif->ipif_ill->ill_phyint->phyint_ifindex;
16052         }
16053         return (0);
16054 }
16055 
16056 /* ARGSUSED */
16057 int
16058 ip_sioctl_get_lifzone(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
16059     ip_ioctl_cmd_t *ipip, void *ifreq)
16060 {
16061         struct lifreq   *lifr = (struct lifreq *)ifreq;
16062 
16063         ip1dbg(("ip_sioctl_get_lifzone(%s:%u %p)\n",
16064             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
16065         /* Get the interface zone */
16066         ASSERT(ipip->ipi_cmd_type == LIF_CMD);
16067         lifr->lifr_zoneid = ipif->ipif_zoneid;
16068         return (0);
16069 }
16070 
16071 /*
16072  * Set the zoneid of an interface.
16073  */
16074 /* ARGSUSED */
16075 int
16076 ip_sioctl_slifzone(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
16077     ip_ioctl_cmd_t *ipip, void *ifreq)
16078 {
16079         struct lifreq   *lifr = (struct lifreq *)ifreq;
16080         int err = 0;
16081         boolean_t need_up = B_FALSE;
16082         zone_t *zptr;
16083         zone_status_t status;
16084         zoneid_t zoneid;
16085 
16086         ASSERT(ipip->ipi_cmd_type == LIF_CMD);
16087         if ((zoneid = lifr->lifr_zoneid) == ALL_ZONES) {
16088                 if (!is_system_labeled())
16089                         return (ENOTSUP);
16090                 zoneid = GLOBAL_ZONEID;
16091         }
16092 
16093         /* cannot assign instance zero to a non-global zone */
16094         if (ipif->ipif_id == 0 && zoneid != GLOBAL_ZONEID)
16095                 return (ENOTSUP);
16096 
16097         /*
16098          * Cannot assign to a zone that doesn't exist or is shutting down.  In
16099          * the event of a race with the zone shutdown processing, since IP
16100          * serializes this ioctl and SIOCGLIFCONF/SIOCLIFREMOVEIF, we know the
16101          * interface will be cleaned up even if the zone is shut down
16102          * immediately after the status check. If the interface can't be brought
16103          * down right away, and the zone is shut down before the restart
16104          * function is called, we resolve the possible races by rechecking the
16105          * zone status in the restart function.
16106          */
16107         if ((zptr = zone_find_by_id(zoneid)) == NULL)
16108                 return (EINVAL);
16109         status = zone_status_get(zptr);
16110         zone_rele(zptr);
16111 
16112         if (status != ZONE_IS_READY && status != ZONE_IS_RUNNING)
16113                 return (EINVAL);
16114 
16115         if (ipif->ipif_flags & IPIF_UP) {
16116                 /*
16117                  * If the interface is already marked up,
16118                  * we call ipif_down which will take care
16119                  * of ditching any IREs that have been set
16120                  * up based on the old interface address.
16121                  */
16122                 err = ipif_logical_down(ipif, q, mp);
16123                 if (err == EINPROGRESS)
16124                         return (err);
16125                 (void) ipif_down_tail(ipif);
16126                 need_up = B_TRUE;
16127         }
16128 
16129         err = ip_sioctl_slifzone_tail(ipif, lifr->lifr_zoneid, q, mp, need_up);
16130         return (err);
16131 }
16132 
16133 static int
16134 ip_sioctl_slifzone_tail(ipif_t *ipif, zoneid_t zoneid,
16135     queue_t *q, mblk_t *mp, boolean_t need_up)
16136 {
16137         int     err = 0;
16138         ip_stack_t      *ipst;
16139 
16140         ip1dbg(("ip_sioctl_zoneid_tail(%s:%u %p)\n",
16141             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
16142 
16143         if (CONN_Q(q))
16144                 ipst = CONNQ_TO_IPST(q);
16145         else
16146                 ipst = ILLQ_TO_IPST(q);
16147 
16148         /*
16149          * For exclusive stacks we don't allow a different zoneid than
16150          * global.
16151          */
16152         if (ipst->ips_netstack->netstack_stackid != GLOBAL_NETSTACKID &&
16153             zoneid != GLOBAL_ZONEID)
16154                 return (EINVAL);
16155 
16156         /* Set the new zone id. */
16157         ipif->ipif_zoneid = zoneid;
16158 
16159         /* Update sctp list */
16160         sctp_update_ipif(ipif, SCTP_IPIF_UPDATE);
16161 
16162         /* The default multicast interface might have changed */
16163         ire_increment_multicast_generation(ipst, ipif->ipif_ill->ill_isv6);
16164 
16165         if (need_up) {
16166                 /*
16167                  * Now bring the interface back up.  If this
16168                  * is the only IPIF for the ILL, ipif_up
16169                  * will have to re-bind to the device, so
16170                  * we may get back EINPROGRESS, in which
16171                  * case, this IOCTL will get completed in
16172                  * ip_rput_dlpi when we see the DL_BIND_ACK.
16173                  */
16174                 err = ipif_up(ipif, q, mp);
16175         }
16176         return (err);
16177 }
16178 
16179 /* ARGSUSED */
16180 int
16181 ip_sioctl_slifzone_restart(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
16182     ip_ioctl_cmd_t *ipip, void *if_req)
16183 {
16184         struct lifreq *lifr = (struct lifreq *)if_req;
16185         zoneid_t zoneid;
16186         zone_t *zptr;
16187         zone_status_t status;
16188 
16189         ASSERT(ipip->ipi_cmd_type == LIF_CMD);
16190         if ((zoneid = lifr->lifr_zoneid) == ALL_ZONES)
16191                 zoneid = GLOBAL_ZONEID;
16192 
16193         ip1dbg(("ip_sioctl_slifzone_restart(%s:%u %p)\n",
16194             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
16195 
16196         /*
16197          * We recheck the zone status to resolve the following race condition:
16198          * 1) process sends SIOCSLIFZONE to put hme0:1 in zone "myzone";
16199          * 2) hme0:1 is up and can't be brought down right away;
16200          * ip_sioctl_slifzone() returns EINPROGRESS and the request is queued;
16201          * 3) zone "myzone" is halted; the zone status switches to
16202          * 'shutting_down' and the zones framework sends SIOCGLIFCONF to list
16203          * the interfaces to remove - hme0:1 is not returned because it's not
16204          * yet in "myzone", so it won't be removed;
16205          * 4) the restart function for SIOCSLIFZONE is called; without the
16206          * status check here, we would have hme0:1 in "myzone" after it's been
16207          * destroyed.
16208          * Note that if the status check fails, we need to bring the interface
16209          * back to its state prior to ip_sioctl_slifzone(), hence the call to
16210          * ipif_up_done[_v6]().
16211          */
16212         status = ZONE_IS_UNINITIALIZED;
16213         if ((zptr = zone_find_by_id(zoneid)) != NULL) {
16214                 status = zone_status_get(zptr);
16215                 zone_rele(zptr);
16216         }
16217         if (status != ZONE_IS_READY && status != ZONE_IS_RUNNING) {
16218                 if (ipif->ipif_isv6) {
16219                         (void) ipif_up_done_v6(ipif);
16220                 } else {
16221                         (void) ipif_up_done(ipif);
16222                 }
16223                 return (EINVAL);
16224         }
16225 
16226         (void) ipif_down_tail(ipif);
16227 
16228         return (ip_sioctl_slifzone_tail(ipif, lifr->lifr_zoneid, q, mp,
16229             B_TRUE));
16230 }
16231 
16232 /*
16233  * Return the number of addresses on `ill' with one or more of the values
16234  * in `set' set and all of the values in `clear' clear.
16235  */
16236 static uint_t
16237 ill_flagaddr_cnt(const ill_t *ill, uint64_t set, uint64_t clear)
16238 {
16239         ipif_t  *ipif;
16240         uint_t  cnt = 0;
16241 
16242         ASSERT(IAM_WRITER_ILL(ill));
16243 
16244         for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next)
16245                 if ((ipif->ipif_flags & set) && !(ipif->ipif_flags & clear))
16246                         cnt++;
16247 
16248         return (cnt);
16249 }
16250 
16251 /*
16252  * Return the number of migratable addresses on `ill' that are under
16253  * application control.
16254  */
16255 uint_t
16256 ill_appaddr_cnt(const ill_t *ill)
16257 {
16258         return (ill_flagaddr_cnt(ill, IPIF_DHCPRUNNING | IPIF_ADDRCONF,
16259             IPIF_NOFAILOVER));
16260 }
16261 
16262 /*
16263  * Return the number of point-to-point addresses on `ill'.
16264  */
16265 uint_t
16266 ill_ptpaddr_cnt(const ill_t *ill)
16267 {
16268         return (ill_flagaddr_cnt(ill, IPIF_POINTOPOINT, 0));
16269 }
16270 
16271 /* ARGSUSED */
16272 int
16273 ip_sioctl_get_lifusesrc(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
16274         ip_ioctl_cmd_t *ipip, void *ifreq)
16275 {
16276         struct lifreq   *lifr = ifreq;
16277 
16278         ASSERT(q->q_next == NULL);
16279         ASSERT(CONN_Q(q));
16280 
16281         ip1dbg(("ip_sioctl_get_lifusesrc(%s:%u %p)\n",
16282             ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
16283         lifr->lifr_index = ipif->ipif_ill->ill_usesrc_ifindex;
16284         ip1dbg(("ip_sioctl_get_lifusesrc:lifr_index = %d\n", lifr->lifr_index));
16285 
16286         return (0);
16287 }
16288 
16289 /* Find the previous ILL in this usesrc group */
16290 static ill_t *
16291 ill_prev_usesrc(ill_t *uill)
16292 {
16293         ill_t *ill;
16294 
16295         for (ill = uill->ill_usesrc_grp_next;
16296             ASSERT(ill), ill->ill_usesrc_grp_next != uill;
16297             ill = ill->ill_usesrc_grp_next)
16298                 /* do nothing */;
16299         return (ill);
16300 }
16301 
16302 /*
16303  * Release all members of the usesrc group. This routine is called
16304  * from ill_delete when the interface being unplumbed is the
16305  * group head.
16306  *
16307  * This silently clears the usesrc that ifconfig setup.
16308  * An alternative would be to keep that ifindex, and drop packets on the floor
16309  * since no source address can be selected.
16310  * Even if we keep the current semantics, don't need a lock and a linked list.
16311  * Can walk all the ills checking if they have a ill_usesrc_ifindex matching
16312  * the one that is being removed. Issue is how we return the usesrc users
16313  * (SIOCGLIFSRCOF). We want to be able to find the ills which have an
16314  * ill_usesrc_ifindex matching a target ill. We could also do that with an
16315  * ill walk, but the walker would need to insert in the ioctl response.
16316  */
16317 static void
16318 ill_disband_usesrc_group(ill_t *uill)
16319 {
16320         ill_t *next_ill, *tmp_ill;
16321         ip_stack_t      *ipst = uill->ill_ipst;
16322 
16323         ASSERT(RW_WRITE_HELD(&ipst->ips_ill_g_usesrc_lock));
16324         next_ill = uill->ill_usesrc_grp_next;
16325 
16326         do {
16327                 ASSERT(next_ill != NULL);
16328                 tmp_ill = next_ill->ill_usesrc_grp_next;
16329                 ASSERT(tmp_ill != NULL);
16330                 next_ill->ill_usesrc_grp_next = NULL;
16331                 next_ill->ill_usesrc_ifindex = 0;
16332                 next_ill = tmp_ill;
16333         } while (next_ill->ill_usesrc_ifindex != 0);
16334         uill->ill_usesrc_grp_next = NULL;
16335 }
16336 
16337 /*
16338  * Remove the client usesrc ILL from the list and relink to a new list
16339  */
16340 int
16341 ill_relink_usesrc_ills(ill_t *ucill, ill_t *uill, uint_t ifindex)
16342 {
16343         ill_t *ill, *tmp_ill;
16344         ip_stack_t      *ipst = ucill->ill_ipst;
16345 
16346         ASSERT((ucill != NULL) && (ucill->ill_usesrc_grp_next != NULL) &&
16347             (uill != NULL) && RW_WRITE_HELD(&ipst->ips_ill_g_usesrc_lock));
16348 
16349         /*
16350          * Check if the usesrc client ILL passed in is not already
16351          * in use as a usesrc ILL i.e one whose source address is
16352          * in use OR a usesrc ILL is not already in use as a usesrc
16353          * client ILL
16354          */
16355         if ((ucill->ill_usesrc_ifindex == 0) ||
16356             (uill->ill_usesrc_ifindex != 0)) {
16357                 return (-1);
16358         }
16359 
16360         ill = ill_prev_usesrc(ucill);
16361         ASSERT(ill->ill_usesrc_grp_next != NULL);
16362 
16363         /* Remove from the current list */
16364         if (ill->ill_usesrc_grp_next->ill_usesrc_grp_next == ill) {
16365                 /* Only two elements in the list */
16366                 ASSERT(ill->ill_usesrc_ifindex == 0);
16367                 ill->ill_usesrc_grp_next = NULL;
16368         } else {
16369                 ill->ill_usesrc_grp_next = ucill->ill_usesrc_grp_next;
16370         }
16371 
16372         if (ifindex == 0) {
16373                 ucill->ill_usesrc_ifindex = 0;
16374                 ucill->ill_usesrc_grp_next = NULL;
16375                 return (0);
16376         }
16377 
16378         ucill->ill_usesrc_ifindex = ifindex;
16379         tmp_ill = uill->ill_usesrc_grp_next;
16380         uill->ill_usesrc_grp_next = ucill;
16381         ucill->ill_usesrc_grp_next =
16382             (tmp_ill != NULL) ? tmp_ill : uill;
16383         return (0);
16384 }
16385 
16386 /*
16387  * Set the ill_usesrc and ill_usesrc_head fields. See synchronization notes in
16388  * ip.c for locking details.
16389  */
16390 /* ARGSUSED */
16391 int
16392 ip_sioctl_slifusesrc(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
16393     ip_ioctl_cmd_t *ipip, void *ifreq)
16394 {
16395         struct lifreq *lifr = (struct lifreq *)ifreq;
16396         boolean_t isv6 = B_FALSE, reset_flg = B_FALSE;
16397         ill_t *usesrc_ill, *usesrc_cli_ill = ipif->ipif_ill;
16398         int err = 0, ret;
16399         uint_t ifindex;
16400         ipsq_t *ipsq = NULL;
16401         ip_stack_t      *ipst = ipif->ipif_ill->ill_ipst;
16402 
16403         ASSERT(IAM_WRITER_IPIF(ipif));
16404         ASSERT(q->q_next == NULL);
16405         ASSERT(CONN_Q(q));
16406 
16407         isv6 = (Q_TO_CONN(q))->conn_family == AF_INET6;
16408 
16409         ifindex = lifr->lifr_index;
16410         if (ifindex == 0) {
16411                 if (usesrc_cli_ill->ill_usesrc_grp_next == NULL) {
16412                         /* non usesrc group interface, nothing to reset */
16413                         return (0);
16414                 }
16415                 ifindex = usesrc_cli_ill->ill_usesrc_ifindex;
16416                 /* valid reset request */
16417                 reset_flg = B_TRUE;
16418         }
16419 
16420         usesrc_ill = ill_lookup_on_ifindex(ifindex, isv6, ipst);
16421         if (usesrc_ill == NULL)
16422                 return (ENXIO);
16423         if (usesrc_ill == ipif->ipif_ill) {
16424                 ill_refrele(usesrc_ill);
16425                 return (EINVAL);
16426         }
16427 
16428         ipsq = ipsq_try_enter(NULL, usesrc_ill, q, mp, ip_process_ioctl,
16429             NEW_OP, B_TRUE);
16430         if (ipsq == NULL) {
16431                 err = EINPROGRESS;
16432                 /* Operation enqueued on the ipsq of the usesrc ILL */
16433                 goto done;
16434         }
16435 
16436         /* USESRC isn't currently supported with IPMP */
16437         if (IS_IPMP(usesrc_ill) || IS_UNDER_IPMP(usesrc_ill)) {
16438                 err = ENOTSUP;
16439                 goto done;
16440         }
16441 
16442         /*
16443          * USESRC isn't compatible with the STANDBY flag.  (STANDBY is only
16444          * used by IPMP underlying interfaces, but someone might think it's
16445          * more general and try to use it independently with VNI.)
16446          */
16447         if (usesrc_ill->ill_phyint->phyint_flags & PHYI_STANDBY) {
16448                 err = ENOTSUP;
16449                 goto done;
16450         }
16451 
16452         /*
16453          * If the client is already in use as a usesrc_ill or a usesrc_ill is
16454          * already a client then return EINVAL
16455          */
16456         if (IS_USESRC_ILL(usesrc_cli_ill) || IS_USESRC_CLI_ILL(usesrc_ill)) {
16457                 err = EINVAL;
16458                 goto done;
16459         }
16460 
16461         /*
16462          * If the ill_usesrc_ifindex field is already set to what it needs to
16463          * be then this is a duplicate operation.
16464          */
16465         if (!reset_flg && usesrc_cli_ill->ill_usesrc_ifindex == ifindex) {
16466                 err = 0;
16467                 goto done;
16468         }
16469 
16470         ip1dbg(("ip_sioctl_slifusesrc: usesrc_cli_ill %s, usesrc_ill %s,"
16471             " v6 = %d", usesrc_cli_ill->ill_name, usesrc_ill->ill_name,
16472             usesrc_ill->ill_isv6));
16473 
16474         /*
16475          * ill_g_usesrc_lock global lock protects the ill_usesrc_grp_next
16476          * and the ill_usesrc_ifindex fields
16477          */
16478         rw_enter(&ipst->ips_ill_g_usesrc_lock, RW_WRITER);
16479 
16480         if (reset_flg) {
16481                 ret = ill_relink_usesrc_ills(usesrc_cli_ill, usesrc_ill, 0);
16482                 if (ret != 0) {
16483                         err = EINVAL;
16484                 }
16485                 rw_exit(&ipst->ips_ill_g_usesrc_lock);
16486                 goto done;
16487         }
16488 
16489         /*
16490          * Four possibilities to consider:
16491          * 1. Both usesrc_ill and usesrc_cli_ill are not part of any usesrc grp
16492          * 2. usesrc_ill is part of a group but usesrc_cli_ill isn't
16493          * 3. usesrc_cli_ill is part of a group but usesrc_ill isn't
16494          * 4. Both are part of their respective usesrc groups
16495          */
16496         if ((usesrc_ill->ill_usesrc_grp_next == NULL) &&
16497             (usesrc_cli_ill->ill_usesrc_grp_next == NULL)) {
16498                 ASSERT(usesrc_ill->ill_usesrc_ifindex == 0);
16499                 usesrc_cli_ill->ill_usesrc_ifindex = ifindex;
16500                 usesrc_ill->ill_usesrc_grp_next = usesrc_cli_ill;
16501                 usesrc_cli_ill->ill_usesrc_grp_next = usesrc_ill;
16502         } else if ((usesrc_ill->ill_usesrc_grp_next != NULL) &&
16503             (usesrc_cli_ill->ill_usesrc_grp_next == NULL)) {
16504                 usesrc_cli_ill->ill_usesrc_ifindex = ifindex;
16505                 /* Insert at head of list */
16506                 usesrc_cli_ill->ill_usesrc_grp_next =
16507                     usesrc_ill->ill_usesrc_grp_next;
16508                 usesrc_ill->ill_usesrc_grp_next = usesrc_cli_ill;
16509         } else {
16510                 ret = ill_relink_usesrc_ills(usesrc_cli_ill, usesrc_ill,
16511                     ifindex);
16512                 if (ret != 0)
16513                         err = EINVAL;
16514         }
16515         rw_exit(&ipst->ips_ill_g_usesrc_lock);
16516 
16517 done:
16518         if (ipsq != NULL)
16519                 ipsq_exit(ipsq);
16520         /* The refrele on the lifr_name ipif is done by ip_process_ioctl */
16521         ill_refrele(usesrc_ill);
16522 
16523         /* Let conn_ixa caching know that source address selection changed */
16524         ip_update_source_selection(ipst);
16525 
16526         return (err);
16527 }
16528 
16529 /* ARGSUSED */
16530 int
16531 ip_sioctl_get_dadstate(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
16532     ip_ioctl_cmd_t *ipip, void *if_req)
16533 {
16534         struct lifreq   *lifr = (struct lifreq *)if_req;
16535         ill_t           *ill = ipif->ipif_ill;
16536 
16537         /*
16538          * Need a lock since IFF_UP can be set even when there are
16539          * references to the ipif.
16540          */
16541         mutex_enter(&ill->ill_lock);
16542         if ((ipif->ipif_flags & IPIF_UP) && ipif->ipif_addr_ready == 0)
16543                 lifr->lifr_dadstate = DAD_IN_PROGRESS;
16544         else
16545                 lifr->lifr_dadstate = DAD_DONE;
16546         mutex_exit(&ill->ill_lock);
16547         return (0);
16548 }
16549 
16550 /*
16551  * comparison function used by avl.
16552  */
16553 static int
16554 ill_phyint_compare_index(const void *index_ptr, const void *phyip)
16555 {
16556 
16557         uint_t index;
16558 
16559         ASSERT(phyip != NULL && index_ptr != NULL);
16560 
16561         index = *((uint_t *)index_ptr);
16562         /*
16563          * let the phyint with the lowest index be on top.
16564          */
16565         if (((phyint_t *)phyip)->phyint_ifindex < index)
16566                 return (1);
16567         if (((phyint_t *)phyip)->phyint_ifindex > index)
16568                 return (-1);
16569         return (0);
16570 }
16571 
16572 /*
16573  * comparison function used by avl.
16574  */
16575 static int
16576 ill_phyint_compare_name(const void *name_ptr, const void *phyip)
16577 {
16578         ill_t *ill;
16579         int res = 0;
16580 
16581         ASSERT(phyip != NULL && name_ptr != NULL);
16582 
16583         if (((phyint_t *)phyip)->phyint_illv4)
16584                 ill = ((phyint_t *)phyip)->phyint_illv4;
16585         else
16586                 ill = ((phyint_t *)phyip)->phyint_illv6;
16587         ASSERT(ill != NULL);
16588 
16589         res = strcmp(ill->ill_name, (char *)name_ptr);
16590         if (res > 0)
16591                 return (1);
16592         else if (res < 0)
16593                 return (-1);
16594         return (0);
16595 }
16596 
16597 /*
16598  * This function is called on the unplumb path via ill_glist_delete() when
16599  * there are no ills left on the phyint and thus the phyint can be freed.
16600  */
16601 static void
16602 phyint_free(phyint_t *phyi)
16603 {
16604         ip_stack_t *ipst = PHYINT_TO_IPST(phyi);
16605 
16606         ASSERT(phyi->phyint_illv4 == NULL && phyi->phyint_illv6 == NULL);
16607 
16608         /*
16609          * If this phyint was an IPMP meta-interface, blow away the group.
16610          * This is safe to do because all of the illgrps have already been
16611          * removed by I_PUNLINK, and thus SIOCSLIFGROUPNAME cannot find us.
16612          * If we're cleaning up as a result of failed initialization,
16613          * phyint_grp may be NULL.
16614          */
16615         if ((phyi->phyint_flags & PHYI_IPMP) && (phyi->phyint_grp != NULL)) {
16616                 rw_enter(&ipst->ips_ipmp_lock, RW_WRITER);
16617                 ipmp_grp_destroy(phyi->phyint_grp);
16618                 phyi->phyint_grp = NULL;
16619                 rw_exit(&ipst->ips_ipmp_lock);
16620         }
16621 
16622         /*
16623          * If this interface was under IPMP, take it out of the group.
16624          */
16625         if (phyi->phyint_grp != NULL)
16626                 ipmp_phyint_leave_grp(phyi);
16627 
16628         /*
16629          * Delete the phyint and disassociate its ipsq.  The ipsq itself
16630          * will be freed in ipsq_exit().
16631          */
16632         phyi->phyint_ipsq->ipsq_phyint = NULL;
16633         phyi->phyint_name[0] = '\0';
16634 
16635         mi_free(phyi);
16636 }
16637 
16638 /*
16639  * Attach the ill to the phyint structure which can be shared by both
16640  * IPv4 and IPv6 ill. ill_init allocates a phyint to just hold flags. This
16641  * function is called from ipif_set_values and ill_lookup_on_name (for
16642  * loopback) where we know the name of the ill. We lookup the ill and if
16643  * there is one present already with the name use that phyint. Otherwise
16644  * reuse the one allocated by ill_init.
16645  */
16646 static void
16647 ill_phyint_reinit(ill_t *ill)
16648 {
16649         boolean_t isv6 = ill->ill_isv6;
16650         phyint_t *phyi_old;
16651         phyint_t *phyi;
16652         avl_index_t where = 0;
16653         ill_t   *ill_other = NULL;
16654         ip_stack_t      *ipst = ill->ill_ipst;
16655 
16656         ASSERT(RW_WRITE_HELD(&ipst->ips_ill_g_lock));
16657 
16658         phyi_old = ill->ill_phyint;
16659         ASSERT(isv6 || (phyi_old->phyint_illv4 == ill &&
16660             phyi_old->phyint_illv6 == NULL));
16661         ASSERT(!isv6 || (phyi_old->phyint_illv6 == ill &&
16662             phyi_old->phyint_illv4 == NULL));
16663         ASSERT(phyi_old->phyint_ifindex == 0);
16664 
16665         /*
16666          * Now that our ill has a name, set it in the phyint.
16667          */
16668         (void) strlcpy(ill->ill_phyint->phyint_name, ill->ill_name, LIFNAMSIZ);
16669 
16670         phyi = avl_find(&ipst->ips_phyint_g_list->phyint_list_avl_by_name,
16671             ill->ill_name, &where);
16672 
16673         /*
16674          * 1. We grabbed the ill_g_lock before inserting this ill into
16675          *    the global list of ills. So no other thread could have located
16676          *    this ill and hence the ipsq of this ill is guaranteed to be empty.
16677          * 2. Now locate the other protocol instance of this ill.
16678          * 3. Now grab both ill locks in the right order, and the phyint lock of
16679          *    the new ipsq. Holding ill locks + ill_g_lock ensures that the ipsq
16680          *    of neither ill can change.
16681          * 4. Merge the phyint and thus the ipsq as well of this ill onto the
16682          *    other ill.
16683          * 5. Release all locks.
16684          */
16685 
16686         /*
16687          * Look for IPv4 if we are initializing IPv6 or look for IPv6 if
16688          * we are initializing IPv4.
16689          */
16690         if (phyi != NULL) {
16691                 ill_other = (isv6) ? phyi->phyint_illv4 : phyi->phyint_illv6;
16692                 ASSERT(ill_other->ill_phyint != NULL);
16693                 ASSERT((isv6 && !ill_other->ill_isv6) ||
16694                     (!isv6 && ill_other->ill_isv6));
16695                 GRAB_ILL_LOCKS(ill, ill_other);
16696                 /*
16697                  * We are potentially throwing away phyint_flags which
16698                  * could be different from the one that we obtain from
16699                  * ill_other->ill_phyint. But it is okay as we are assuming
16700                  * that the state maintained within IP is correct.
16701                  */
16702                 mutex_enter(&phyi->phyint_lock);
16703                 if (isv6) {
16704                         ASSERT(phyi->phyint_illv6 == NULL);
16705                         phyi->phyint_illv6 = ill;
16706                 } else {
16707                         ASSERT(phyi->phyint_illv4 == NULL);
16708                         phyi->phyint_illv4 = ill;
16709                 }
16710 
16711                 /*
16712                  * Delete the old phyint and make its ipsq eligible
16713                  * to be freed in ipsq_exit().
16714                  */
16715                 phyi_old->phyint_illv4 = NULL;
16716                 phyi_old->phyint_illv6 = NULL;
16717                 phyi_old->phyint_ipsq->ipsq_phyint = NULL;
16718                 phyi_old->phyint_name[0] = '\0';
16719                 mi_free(phyi_old);
16720         } else {
16721                 mutex_enter(&ill->ill_lock);
16722                 /*
16723                  * We don't need to acquire any lock, since
16724                  * the ill is not yet visible globally  and we
16725                  * have not yet released the ill_g_lock.
16726                  */
16727                 phyi = phyi_old;
16728                 mutex_enter(&phyi->phyint_lock);
16729                 /* XXX We need a recovery strategy here. */
16730                 if (!phyint_assign_ifindex(phyi, ipst))
16731                         cmn_err(CE_PANIC, "phyint_assign_ifindex() failed");
16732 
16733                 avl_insert(&ipst->ips_phyint_g_list->phyint_list_avl_by_name,
16734                     (void *)phyi, where);
16735 
16736                 (void) avl_find(&ipst->ips_phyint_g_list->
16737                     phyint_list_avl_by_index,
16738                     &phyi->phyint_ifindex, &where);
16739                 avl_insert(&ipst->ips_phyint_g_list->phyint_list_avl_by_index,
16740                     (void *)phyi, where);
16741         }
16742 
16743         /*
16744          * Reassigning ill_phyint automatically reassigns the ipsq also.
16745          * pending mp is not affected because that is per ill basis.
16746          */
16747         ill->ill_phyint = phyi;
16748 
16749         /*
16750          * Now that the phyint's ifindex has been assigned, complete the
16751          * remaining
16752          */
16753         ill->ill_ip_mib->ipIfStatsIfIndex = ill->ill_phyint->phyint_ifindex;
16754         if (ill->ill_isv6) {
16755                 ill->ill_icmp6_mib->ipv6IfIcmpIfIndex =
16756                     ill->ill_phyint->phyint_ifindex;
16757                 ill->ill_mcast_type = ipst->ips_mld_max_version;
16758         } else {
16759                 ill->ill_mcast_type = ipst->ips_igmp_max_version;
16760         }
16761 
16762         /*
16763          * Generate an event within the hooks framework to indicate that
16764          * a new interface has just been added to IP.  For this event to
16765          * be generated, the network interface must, at least, have an
16766          * ifindex assigned to it.  (We don't generate the event for
16767          * loopback since ill_lookup_on_name() has its own NE_PLUMB event.)
16768          *
16769          * This needs to be run inside the ill_g_lock perimeter to ensure
16770          * that the ordering of delivered events to listeners matches the
16771          * order of them in the kernel.
16772          */
16773         if (!IS_LOOPBACK(ill)) {
16774                 ill_nic_event_dispatch(ill, 0, NE_PLUMB, ill->ill_name,
16775                     ill->ill_name_length);
16776         }
16777         RELEASE_ILL_LOCKS(ill, ill_other);
16778         mutex_exit(&phyi->phyint_lock);
16779 }
16780 
16781 /*
16782  * Notify any downstream modules of the name of this interface.
16783  * An M_IOCTL is used even though we don't expect a successful reply.
16784  * Any reply message from the driver (presumably an M_IOCNAK) will
16785  * eventually get discarded somewhere upstream.  The message format is
16786  * simply an SIOCSLIFNAME ioctl just as might be sent from ifconfig
16787  * to IP.
16788  */
16789 static void
16790 ip_ifname_notify(ill_t *ill, queue_t *q)
16791 {
16792         mblk_t *mp1, *mp2;
16793         struct iocblk *iocp;
16794         struct lifreq *lifr;
16795 
16796         mp1 = mkiocb(SIOCSLIFNAME);
16797         if (mp1 == NULL)
16798                 return;
16799         mp2 = allocb(sizeof (struct lifreq), BPRI_HI);
16800         if (mp2 == NULL) {
16801                 freeb(mp1);
16802                 return;
16803         }
16804 
16805         mp1->b_cont = mp2;
16806         iocp = (struct iocblk *)mp1->b_rptr;
16807         iocp->ioc_count = sizeof (struct lifreq);
16808 
16809         lifr = (struct lifreq *)mp2->b_rptr;
16810         mp2->b_wptr += sizeof (struct lifreq);
16811         bzero(lifr, sizeof (struct lifreq));
16812 
16813         (void) strncpy(lifr->lifr_name, ill->ill_name, LIFNAMSIZ);
16814         lifr->lifr_ppa = ill->ill_ppa;
16815         lifr->lifr_flags = (ill->ill_flags & (ILLF_IPV4|ILLF_IPV6));
16816 
16817         DTRACE_PROBE3(ill__dlpi, char *, "ip_ifname_notify",
16818             char *, "SIOCSLIFNAME", ill_t *, ill);
16819         putnext(q, mp1);
16820 }
16821 
16822 static int
16823 ipif_set_values_tail(ill_t *ill, ipif_t *ipif, mblk_t *mp, queue_t *q)
16824 {
16825         int             err;
16826         ip_stack_t      *ipst = ill->ill_ipst;
16827         phyint_t        *phyi = ill->ill_phyint;
16828 
16829         /*
16830          * Now that ill_name is set, the configuration for the IPMP
16831          * meta-interface can be performed.
16832          */
16833         if (IS_IPMP(ill)) {
16834                 rw_enter(&ipst->ips_ipmp_lock, RW_WRITER);
16835                 /*
16836                  * If phyi->phyint_grp is NULL, then this is the first IPMP
16837                  * meta-interface and we need to create the IPMP group.
16838                  */
16839                 if (phyi->phyint_grp == NULL) {
16840                         /*
16841                          * If someone has renamed another IPMP group to have
16842                          * the same name as our interface, bail.
16843                          */
16844                         if (ipmp_grp_lookup(ill->ill_name, ipst) != NULL) {
16845                                 rw_exit(&ipst->ips_ipmp_lock);
16846                                 return (EEXIST);
16847                         }
16848                         phyi->phyint_grp = ipmp_grp_create(ill->ill_name, phyi);
16849                         if (phyi->phyint_grp == NULL) {
16850                                 rw_exit(&ipst->ips_ipmp_lock);
16851                                 return (ENOMEM);
16852                         }
16853                 }
16854                 rw_exit(&ipst->ips_ipmp_lock);
16855         }
16856 
16857         /* Tell downstream modules where they are. */
16858         ip_ifname_notify(ill, q);
16859 
16860         /*
16861          * ill_dl_phys returns EINPROGRESS in the usual case.
16862          * Error cases are ENOMEM ...
16863          */
16864         err = ill_dl_phys(ill, ipif, mp, q);
16865 
16866         if (ill->ill_isv6) {
16867                 mutex_enter(&ipst->ips_mld_slowtimeout_lock);
16868                 if (ipst->ips_mld_slowtimeout_id == 0) {
16869                         ipst->ips_mld_slowtimeout_id = timeout(mld_slowtimo,
16870                             (void *)ipst,
16871                             MSEC_TO_TICK(MCAST_SLOWTIMO_INTERVAL));
16872                 }
16873                 mutex_exit(&ipst->ips_mld_slowtimeout_lock);
16874         } else {
16875                 mutex_enter(&ipst->ips_igmp_slowtimeout_lock);
16876                 if (ipst->ips_igmp_slowtimeout_id == 0) {
16877                         ipst->ips_igmp_slowtimeout_id = timeout(igmp_slowtimo,
16878                             (void *)ipst,
16879                             MSEC_TO_TICK(MCAST_SLOWTIMO_INTERVAL));
16880                 }
16881                 mutex_exit(&ipst->ips_igmp_slowtimeout_lock);
16882         }
16883 
16884         return (err);
16885 }
16886 
16887 /*
16888  * Common routine for ppa and ifname setting. Should be called exclusive.
16889  *
16890  * Returns EINPROGRESS when mp has been consumed by queueing it on
16891  * ipx_pending_mp and the ioctl will complete in ip_rput.
16892  *
16893  * NOTE : If ppa is UNIT_MAX, we assign the next valid ppa and return
16894  * the new name and new ppa in lifr_name and lifr_ppa respectively.
16895  * For SLIFNAME, we pass these values back to the userland.
16896  */
16897 static int
16898 ipif_set_values(queue_t *q, mblk_t *mp, char *interf_name, uint_t *new_ppa_ptr)
16899 {
16900         ill_t   *ill;
16901         ipif_t  *ipif;
16902         ipsq_t  *ipsq;
16903         char    *ppa_ptr;
16904         char    *old_ptr;
16905         char    old_char;
16906         int     error;
16907         ip_stack_t      *ipst;
16908 
16909         ip1dbg(("ipif_set_values: interface %s\n", interf_name));
16910         ASSERT(q->q_next != NULL);
16911         ASSERT(interf_name != NULL);
16912 
16913         ill = (ill_t *)q->q_ptr;
16914         ipst = ill->ill_ipst;
16915 
16916         ASSERT(ill->ill_ipst != NULL);
16917         ASSERT(ill->ill_name[0] == '\0');
16918         ASSERT(IAM_WRITER_ILL(ill));
16919         ASSERT((mi_strlen(interf_name) + 1) <= LIFNAMSIZ);
16920         ASSERT(ill->ill_ppa == UINT_MAX);
16921 
16922         ill->ill_defend_start = ill->ill_defend_count = 0;
16923         /* The ppa is sent down by ifconfig or is chosen */
16924         if ((ppa_ptr = ill_get_ppa_ptr(interf_name)) == NULL) {
16925                 return (EINVAL);
16926         }
16927 
16928         /*
16929          * make sure ppa passed in is same as ppa in the name.
16930          * This check is not made when ppa == UINT_MAX in that case ppa
16931          * in the name could be anything. System will choose a ppa and
16932          * update new_ppa_ptr and inter_name to contain the choosen ppa.
16933          */
16934         if (*new_ppa_ptr != UINT_MAX) {
16935                 /* stoi changes the pointer */
16936                 old_ptr = ppa_ptr;
16937                 /*
16938                  * ifconfig passed in 0 for the ppa for DLPI 1 style devices
16939                  * (they don't have an externally visible ppa).  We assign one
16940                  * here so that we can manage the interface.  Note that in
16941                  * the past this value was always 0 for DLPI 1 drivers.
16942                  */
16943                 if (*new_ppa_ptr == 0)
16944                         *new_ppa_ptr = stoi(&old_ptr);
16945                 else if (*new_ppa_ptr != (uint_t)stoi(&old_ptr))
16946                         return (EINVAL);
16947         }
16948         /*
16949          * terminate string before ppa
16950          * save char at that location.
16951          */
16952         old_char = ppa_ptr[0];
16953         ppa_ptr[0] = '\0';
16954 
16955         ill->ill_ppa = *new_ppa_ptr;
16956         /*
16957          * Finish as much work now as possible before calling ill_glist_insert
16958          * which makes the ill globally visible and also merges it with the
16959          * other protocol instance of this phyint. The remaining work is
16960          * done after entering the ipsq which may happen sometime later.
16961          */
16962         ipif = ill->ill_ipif;
16963 
16964         /* We didn't do this when we allocated ipif in ip_ll_subnet_defaults */
16965         ipif_assign_seqid(ipif);
16966 
16967         if (!(ill->ill_flags & (ILLF_IPV4|ILLF_IPV6)))
16968                 ill->ill_flags |= ILLF_IPV4;
16969 
16970         ASSERT(ipif->ipif_next == NULL);     /* Only one ipif on ill */
16971         ASSERT((ipif->ipif_flags & IPIF_UP) == 0);
16972 
16973         if (ill->ill_flags & ILLF_IPV6) {
16974 
16975                 ill->ill_isv6 = B_TRUE;
16976                 ill_set_inputfn(ill);
16977                 if (ill->ill_rq != NULL) {
16978                         ill->ill_rq->q_qinfo = &iprinitv6;
16979                 }
16980 
16981                 /* Keep the !IN6_IS_ADDR_V4MAPPED assertions happy */
16982                 ipif->ipif_v6lcl_addr = ipv6_all_zeros;
16983                 ipif->ipif_v6subnet = ipv6_all_zeros;
16984                 ipif->ipif_v6net_mask = ipv6_all_zeros;
16985                 ipif->ipif_v6brd_addr = ipv6_all_zeros;
16986                 ipif->ipif_v6pp_dst_addr = ipv6_all_zeros;
16987                 ill->ill_reachable_retrans_time = ND_RETRANS_TIMER;
16988                 /*
16989                  * point-to-point or Non-mulicast capable
16990                  * interfaces won't do NUD unless explicitly
16991                  * configured to do so.
16992                  */
16993                 if (ipif->ipif_flags & IPIF_POINTOPOINT ||
16994                     !(ill->ill_flags & ILLF_MULTICAST)) {
16995                         ill->ill_flags |= ILLF_NONUD;
16996                 }
16997                 /* Make sure IPv4 specific flag is not set on IPv6 if */
16998                 if (ill->ill_flags & ILLF_NOARP) {
16999                         /*
17000                          * Note: xresolv interfaces will eventually need
17001                          * NOARP set here as well, but that will require
17002                          * those external resolvers to have some
17003                          * knowledge of that flag and act appropriately.
17004                          * Not to be changed at present.
17005                          */
17006                         ill->ill_flags &= ~ILLF_NOARP;
17007                 }
17008                 /*
17009                  * Set the ILLF_ROUTER flag according to the global
17010                  * IPv6 forwarding policy.
17011                  */
17012                 if (ipst->ips_ipv6_forwarding != 0)
17013                         ill->ill_flags |= ILLF_ROUTER;
17014         } else if (ill->ill_flags & ILLF_IPV4) {
17015                 ill->ill_isv6 = B_FALSE;
17016                 ill_set_inputfn(ill);
17017                 ill->ill_reachable_retrans_time = ARP_RETRANS_TIMER;
17018                 IN6_IPADDR_TO_V4MAPPED(INADDR_ANY, &ipif->ipif_v6lcl_addr);
17019                 IN6_IPADDR_TO_V4MAPPED(INADDR_ANY, &ipif->ipif_v6subnet);
17020                 IN6_IPADDR_TO_V4MAPPED(INADDR_ANY, &ipif->ipif_v6net_mask);
17021                 IN6_IPADDR_TO_V4MAPPED(INADDR_ANY, &ipif->ipif_v6brd_addr);
17022                 IN6_IPADDR_TO_V4MAPPED(INADDR_ANY, &ipif->ipif_v6pp_dst_addr);
17023                 /*
17024                  * Set the ILLF_ROUTER flag according to the global
17025                  * IPv4 forwarding policy.
17026                  */
17027                 if (ipst->ips_ip_forwarding != 0)
17028                         ill->ill_flags |= ILLF_ROUTER;
17029         }
17030 
17031         ASSERT(ill->ill_phyint != NULL);
17032 
17033         /*
17034          * The ipIfStatsIfindex and ipv6IfIcmpIfIndex assignments will
17035          * be completed in ill_glist_insert -> ill_phyint_reinit
17036          */
17037         if (!ill_allocate_mibs(ill))
17038                 return (ENOMEM);
17039 
17040         /*
17041          * Pick a default sap until we get the DL_INFO_ACK back from
17042          * the driver.
17043          */
17044         ill->ill_sap = (ill->ill_isv6) ? ill->ill_media->ip_m_ipv6sap :
17045             ill->ill_media->ip_m_ipv4sap;
17046 
17047         ill->ill_ifname_pending = 1;
17048         ill->ill_ifname_pending_err = 0;
17049 
17050         /*
17051          * When the first ipif comes up in ipif_up_done(), multicast groups
17052          * that were joined while this ill was not bound to the DLPI link need
17053          * to be recovered by ill_recover_multicast().
17054          */
17055         ill->ill_need_recover_multicast = 1;
17056 
17057         ill_refhold(ill);
17058         rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
17059         if ((error = ill_glist_insert(ill, interf_name,
17060             (ill->ill_flags & ILLF_IPV6) == ILLF_IPV6)) > 0) {
17061                 ill->ill_ppa = UINT_MAX;
17062                 ill->ill_name[0] = '\0';
17063                 /*
17064                  * undo null termination done above.
17065                  */
17066                 ppa_ptr[0] = old_char;
17067                 rw_exit(&ipst->ips_ill_g_lock);
17068                 ill_refrele(ill);
17069                 return (error);
17070         }
17071 
17072         ASSERT(ill->ill_name_length <= LIFNAMSIZ);
17073 
17074         /*
17075          * When we return the buffer pointed to by interf_name should contain
17076          * the same name as in ill_name.
17077          * If a ppa was choosen by the system (ppa passed in was UINT_MAX)
17078          * the buffer pointed to by new_ppa_ptr would not contain the right ppa
17079          * so copy full name and update the ppa ptr.
17080          * When ppa passed in != UINT_MAX all values are correct just undo
17081          * null termination, this saves a bcopy.
17082          */
17083         if (*new_ppa_ptr == UINT_MAX) {
17084                 bcopy(ill->ill_name, interf_name, ill->ill_name_length);
17085                 *new_ppa_ptr = ill->ill_ppa;
17086         } else {
17087                 /*
17088                  * undo null termination done above.
17089                  */
17090                 ppa_ptr[0] = old_char;
17091         }
17092 
17093         /* Let SCTP know about this ILL */
17094         sctp_update_ill(ill, SCTP_ILL_INSERT);
17095 
17096         /*
17097          * ill_glist_insert has made the ill visible globally, and
17098          * ill_phyint_reinit could have changed the ipsq. At this point,
17099          * we need to hold the ips_ill_g_lock across the call to enter the
17100          * ipsq to enforce atomicity and prevent reordering. In the event
17101          * the ipsq has changed, and if the new ipsq is currently busy,
17102          * we need to make sure that this half-completed ioctl is ahead of
17103          * any subsequent ioctl. We achieve this by not dropping the
17104          * ips_ill_g_lock which prevents any ill lookup itself thereby
17105          * ensuring that new ioctls can't start.
17106          */
17107         ipsq = ipsq_try_enter_internal(ill, q, mp, ip_reprocess_ioctl, NEW_OP,
17108             B_TRUE);
17109 
17110         rw_exit(&ipst->ips_ill_g_lock);
17111         ill_refrele(ill);
17112         if (ipsq == NULL)
17113                 return (EINPROGRESS);
17114 
17115         /*
17116          * If ill_phyint_reinit() changed our ipsq, then start on the new ipsq.
17117          */
17118         if (ipsq->ipsq_xop->ipx_current_ipif == NULL)
17119                 ipsq_current_start(ipsq, ipif, SIOCSLIFNAME);
17120         else
17121                 ASSERT(ipsq->ipsq_xop->ipx_current_ipif == ipif);
17122 
17123         error = ipif_set_values_tail(ill, ipif, mp, q);
17124         ipsq_exit(ipsq);
17125         if (error != 0 && error != EINPROGRESS) {
17126                 /*
17127                  * restore previous values
17128                  */
17129                 ill->ill_isv6 = B_FALSE;
17130                 ill_set_inputfn(ill);
17131         }
17132         return (error);
17133 }
17134 
17135 void
17136 ipif_init(ip_stack_t *ipst)
17137 {
17138         int i;
17139 
17140         for (i = 0; i < MAX_G_HEADS; i++) {
17141                 ipst->ips_ill_g_heads[i].ill_g_list_head =
17142                     (ill_if_t *)&ipst->ips_ill_g_heads[i];
17143                 ipst->ips_ill_g_heads[i].ill_g_list_tail =
17144                     (ill_if_t *)&ipst->ips_ill_g_heads[i];
17145         }
17146 
17147         avl_create(&ipst->ips_phyint_g_list->phyint_list_avl_by_index,
17148             ill_phyint_compare_index,
17149             sizeof (phyint_t),
17150             offsetof(struct phyint, phyint_avl_by_index));
17151         avl_create(&ipst->ips_phyint_g_list->phyint_list_avl_by_name,
17152             ill_phyint_compare_name,
17153             sizeof (phyint_t),
17154             offsetof(struct phyint, phyint_avl_by_name));
17155 }
17156 
17157 /*
17158  * Save enough information so that we can recreate the IRE if
17159  * the interface goes down and then up.
17160  */
17161 void
17162 ill_save_ire(ill_t *ill, ire_t *ire)
17163 {
17164         mblk_t  *save_mp;
17165 
17166         save_mp = allocb(sizeof (ifrt_t), BPRI_MED);
17167         if (save_mp != NULL) {
17168                 ifrt_t  *ifrt;
17169 
17170                 save_mp->b_wptr += sizeof (ifrt_t);
17171                 ifrt = (ifrt_t *)save_mp->b_rptr;
17172                 bzero(ifrt, sizeof (ifrt_t));
17173                 ifrt->ifrt_type = ire->ire_type;
17174                 if (ire->ire_ipversion == IPV4_VERSION) {
17175                         ASSERT(!ill->ill_isv6);
17176                         ifrt->ifrt_addr = ire->ire_addr;
17177                         ifrt->ifrt_gateway_addr = ire->ire_gateway_addr;
17178                         ifrt->ifrt_setsrc_addr = ire->ire_setsrc_addr;
17179                         ifrt->ifrt_mask = ire->ire_mask;
17180                 } else {
17181                         ASSERT(ill->ill_isv6);
17182                         ifrt->ifrt_v6addr = ire->ire_addr_v6;
17183                         /* ire_gateway_addr_v6 can change due to RTM_CHANGE */
17184                         mutex_enter(&ire->ire_lock);
17185                         ifrt->ifrt_v6gateway_addr = ire->ire_gateway_addr_v6;
17186                         mutex_exit(&ire->ire_lock);
17187                         ifrt->ifrt_v6setsrc_addr = ire->ire_setsrc_addr_v6;
17188                         ifrt->ifrt_v6mask = ire->ire_mask_v6;
17189                 }
17190                 ifrt->ifrt_flags = ire->ire_flags;
17191                 ifrt->ifrt_zoneid = ire->ire_zoneid;
17192                 mutex_enter(&ill->ill_saved_ire_lock);
17193                 save_mp->b_cont = ill->ill_saved_ire_mp;
17194                 ill->ill_saved_ire_mp = save_mp;
17195                 ill->ill_saved_ire_cnt++;
17196                 mutex_exit(&ill->ill_saved_ire_lock);
17197         }
17198 }
17199 
17200 /*
17201  * Remove one entry from ill_saved_ire_mp.
17202  */
17203 void
17204 ill_remove_saved_ire(ill_t *ill, ire_t *ire)
17205 {
17206         mblk_t  **mpp;
17207         mblk_t  *mp;
17208         ifrt_t  *ifrt;
17209 
17210         /* Remove from ill_saved_ire_mp list if it is there */
17211         mutex_enter(&ill->ill_saved_ire_lock);
17212         for (mpp = &ill->ill_saved_ire_mp; *mpp != NULL;
17213             mpp = &(*mpp)->b_cont) {
17214                 in6_addr_t      gw_addr_v6;
17215 
17216                 /*
17217                  * On a given ill, the tuple of address, gateway, mask,
17218                  * ire_type, and zoneid is unique for each saved IRE.
17219                  */
17220                 mp = *mpp;
17221                 ifrt = (ifrt_t *)mp->b_rptr;
17222                 /* ire_gateway_addr_v6 can change - need lock */
17223                 mutex_enter(&ire->ire_lock);
17224                 gw_addr_v6 = ire->ire_gateway_addr_v6;
17225                 mutex_exit(&ire->ire_lock);
17226 
17227                 if (ifrt->ifrt_zoneid != ire->ire_zoneid ||
17228                     ifrt->ifrt_type != ire->ire_type)
17229                         continue;
17230 
17231                 if (ill->ill_isv6 ?
17232                     (IN6_ARE_ADDR_EQUAL(&ifrt->ifrt_v6addr,
17233                     &ire->ire_addr_v6) &&
17234                     IN6_ARE_ADDR_EQUAL(&ifrt->ifrt_v6gateway_addr,
17235                     &gw_addr_v6) &&
17236                     IN6_ARE_ADDR_EQUAL(&ifrt->ifrt_v6mask,
17237                     &ire->ire_mask_v6)) :
17238                     (ifrt->ifrt_addr == ire->ire_addr &&
17239                     ifrt->ifrt_gateway_addr == ire->ire_gateway_addr &&
17240                     ifrt->ifrt_mask == ire->ire_mask)) {
17241                         *mpp = mp->b_cont;
17242                         ill->ill_saved_ire_cnt--;
17243                         freeb(mp);
17244                         break;
17245                 }
17246         }
17247         mutex_exit(&ill->ill_saved_ire_lock);
17248 }
17249 
17250 /*
17251  * IP multirouting broadcast routes handling
17252  * Append CGTP broadcast IREs to regular ones created
17253  * at ifconfig time.
17254  * The usage is a route add <cgtp_bc> <nic_bc> -multirt i.e., both
17255  * the destination and the gateway are broadcast addresses.
17256  * The caller has verified that the destination is an IRE_BROADCAST and that
17257  * RTF_MULTIRT was set. Here if the gateway is a broadcast address, then
17258  * we create a MULTIRT IRE_BROADCAST.
17259  * Note that the IRE_HOST created by ire_rt_add doesn't get found by anything
17260  * since the IRE_BROADCAST takes precedence; ire_add_v4 does head insertion.
17261  */
17262 static void
17263 ip_cgtp_bcast_add(ire_t *ire, ip_stack_t *ipst)
17264 {
17265         ire_t *ire_prim;
17266 
17267         ASSERT(ire != NULL);
17268 
17269         ire_prim = ire_ftable_lookup_v4(ire->ire_gateway_addr, 0, 0,
17270             IRE_BROADCAST, NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE, 0, ipst,
17271             NULL);
17272         if (ire_prim != NULL) {
17273                 /*
17274                  * We are in the special case of broadcasts for
17275                  * CGTP. We add an IRE_BROADCAST that holds
17276                  * the RTF_MULTIRT flag, the destination
17277                  * address and the low level
17278                  * info of ire_prim. In other words, CGTP
17279                  * broadcast is added to the redundant ipif.
17280                  */
17281                 ill_t *ill_prim;
17282                 ire_t  *bcast_ire;
17283 
17284                 ill_prim = ire_prim->ire_ill;
17285 
17286                 ip2dbg(("ip_cgtp_filter_bcast_add: ire_prim %p, ill_prim %p\n",
17287                     (void *)ire_prim, (void *)ill_prim));
17288 
17289                 bcast_ire = ire_create(
17290                     (uchar_t *)&ire->ire_addr,
17291                     (uchar_t *)&ip_g_all_ones,
17292                     (uchar_t *)&ire->ire_gateway_addr,
17293                     IRE_BROADCAST,
17294                     ill_prim,
17295                     GLOBAL_ZONEID,      /* CGTP is only for the global zone */
17296                     ire->ire_flags | RTF_KERNEL,
17297                     NULL,
17298                     ipst);
17299 
17300                 /*
17301                  * Here we assume that ire_add does head insertion so that
17302                  * the added IRE_BROADCAST comes before the existing IRE_HOST.
17303                  */
17304                 if (bcast_ire != NULL) {
17305                         if (ire->ire_flags & RTF_SETSRC) {
17306                                 bcast_ire->ire_setsrc_addr =
17307                                     ire->ire_setsrc_addr;
17308                         }
17309                         bcast_ire = ire_add(bcast_ire);
17310                         if (bcast_ire != NULL) {
17311                                 ip2dbg(("ip_cgtp_filter_bcast_add: "
17312                                     "added bcast_ire %p\n",
17313                                     (void *)bcast_ire));
17314 
17315                                 ill_save_ire(ill_prim, bcast_ire);
17316                                 ire_refrele(bcast_ire);
17317                         }
17318                 }
17319                 ire_refrele(ire_prim);
17320         }
17321 }
17322 
17323 /*
17324  * IP multirouting broadcast routes handling
17325  * Remove the broadcast ire.
17326  * The usage is a route delete <cgtp_bc> <nic_bc> -multirt i.e., both
17327  * the destination and the gateway are broadcast addresses.
17328  * The caller has only verified that RTF_MULTIRT was set. We check
17329  * that the destination is broadcast and that the gateway is a broadcast
17330  * address, and if so delete the IRE added by ip_cgtp_bcast_add().
17331  */
17332 static void
17333 ip_cgtp_bcast_delete(ire_t *ire, ip_stack_t *ipst)
17334 {
17335         ASSERT(ire != NULL);
17336 
17337         if (ip_type_v4(ire->ire_addr, ipst) == IRE_BROADCAST) {
17338                 ire_t *ire_prim;
17339 
17340                 ire_prim = ire_ftable_lookup_v4(ire->ire_gateway_addr, 0, 0,
17341                     IRE_BROADCAST, NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE, 0,
17342                     ipst, NULL);
17343                 if (ire_prim != NULL) {
17344                         ill_t *ill_prim;
17345                         ire_t  *bcast_ire;
17346 
17347                         ill_prim = ire_prim->ire_ill;
17348 
17349                         ip2dbg(("ip_cgtp_filter_bcast_delete: "
17350                             "ire_prim %p, ill_prim %p\n",
17351                             (void *)ire_prim, (void *)ill_prim));
17352 
17353                         bcast_ire = ire_ftable_lookup_v4(ire->ire_addr, 0,
17354                             ire->ire_gateway_addr, IRE_BROADCAST,
17355                             ill_prim, ALL_ZONES, NULL,
17356                             MATCH_IRE_TYPE | MATCH_IRE_GW | MATCH_IRE_ILL |
17357                             MATCH_IRE_MASK, 0, ipst, NULL);
17358 
17359                         if (bcast_ire != NULL) {
17360                                 ip2dbg(("ip_cgtp_filter_bcast_delete: "
17361                                     "looked up bcast_ire %p\n",
17362                                     (void *)bcast_ire));
17363                                 ill_remove_saved_ire(bcast_ire->ire_ill,
17364                                     bcast_ire);
17365                                 ire_delete(bcast_ire);
17366                                 ire_refrele(bcast_ire);
17367                         }
17368                         ire_refrele(ire_prim);
17369                 }
17370         }
17371 }
17372 
17373 /*
17374  * Derive an interface id from the link layer address.
17375  * Knows about IEEE 802 and IEEE EUI-64 mappings.
17376  */
17377 static void
17378 ip_ether_v6intfid(ill_t *ill, in6_addr_t *v6addr)
17379 {
17380         char            *addr;
17381 
17382         /*
17383          * Note that some IPv6 interfaces get plumbed over links that claim to
17384          * be DL_ETHER, but don't actually have Ethernet MAC addresses (e.g.
17385          * PPP links).  The ETHERADDRL check here ensures that we only set the
17386          * interface ID on IPv6 interfaces above links that actually have real
17387          * Ethernet addresses.
17388          */
17389         if (ill->ill_phys_addr_length == ETHERADDRL) {
17390                 /* Form EUI-64 like address */
17391                 addr = (char *)&v6addr->s6_addr32[2];
17392                 bcopy(ill->ill_phys_addr, addr, 3);
17393                 addr[0] ^= 0x2;         /* Toggle Universal/Local bit */
17394                 addr[3] = (char)0xff;
17395                 addr[4] = (char)0xfe;
17396                 bcopy(ill->ill_phys_addr + 3, addr + 5, 3);
17397         }
17398 }
17399 
17400 /* ARGSUSED */
17401 static void
17402 ip_nodef_v6intfid(ill_t *ill, in6_addr_t *v6addr)
17403 {
17404 }
17405 
17406 typedef struct ipmp_ifcookie {
17407         uint32_t        ic_hostid;
17408         char            ic_ifname[LIFNAMSIZ];
17409         char            ic_zonename[ZONENAME_MAX];
17410 } ipmp_ifcookie_t;
17411 
17412 /*
17413  * Construct a pseudo-random interface ID for the IPMP interface that's both
17414  * predictable and (almost) guaranteed to be unique.
17415  */
17416 static void
17417 ip_ipmp_v6intfid(ill_t *ill, in6_addr_t *v6addr)
17418 {
17419         zone_t          *zp;
17420         uint8_t         *addr;
17421         uchar_t         hash[16];
17422         ulong_t         hostid;
17423         MD5_CTX         ctx;
17424         ipmp_ifcookie_t ic = { 0 };
17425 
17426         ASSERT(IS_IPMP(ill));
17427 
17428         (void) ddi_strtoul(hw_serial, NULL, 10, &hostid);
17429         ic.ic_hostid = htonl((uint32_t)hostid);
17430 
17431         (void) strlcpy(ic.ic_ifname, ill->ill_name, LIFNAMSIZ);
17432 
17433         if ((zp = zone_find_by_id(ill->ill_zoneid)) != NULL) {
17434                 (void) strlcpy(ic.ic_zonename, zp->zone_name, ZONENAME_MAX);
17435                 zone_rele(zp);
17436         }
17437 
17438         MD5Init(&ctx);
17439         MD5Update(&ctx, &ic, sizeof (ic));
17440         MD5Final(hash, &ctx);
17441 
17442         /*
17443          * Map the hash to an interface ID per the basic approach in RFC3041.
17444          */
17445         addr = &v6addr->s6_addr8[8];
17446         bcopy(hash + 8, addr, sizeof (uint64_t));
17447         addr[0] &= ~0x2;                            /* set local bit */
17448 }
17449 
17450 /*
17451  * Map the multicast in6_addr_t in m_ip6addr to the physaddr for ethernet.
17452  */
17453 static void
17454 ip_ether_v6_mapping(ill_t *ill, uchar_t *m_ip6addr, uchar_t *m_physaddr)
17455 {
17456         phyint_t *phyi = ill->ill_phyint;
17457 
17458         /*
17459          * Check PHYI_MULTI_BCAST and length of physical
17460          * address to determine if we use the mapping or the
17461          * broadcast address.
17462          */
17463         if ((phyi->phyint_flags & PHYI_MULTI_BCAST) != 0 ||
17464             ill->ill_phys_addr_length != ETHERADDRL) {
17465                 ip_mbcast_mapping(ill, m_ip6addr, m_physaddr);
17466                 return;
17467         }
17468         m_physaddr[0] = 0x33;
17469         m_physaddr[1] = 0x33;
17470         m_physaddr[2] = m_ip6addr[12];
17471         m_physaddr[3] = m_ip6addr[13];
17472         m_physaddr[4] = m_ip6addr[14];
17473         m_physaddr[5] = m_ip6addr[15];
17474 }
17475 
17476 /*
17477  * Map the multicast ipaddr_t in m_ipaddr to the physaddr for ethernet.
17478  */
17479 static void
17480 ip_ether_v4_mapping(ill_t *ill, uchar_t *m_ipaddr, uchar_t *m_physaddr)
17481 {
17482         phyint_t *phyi = ill->ill_phyint;
17483 
17484         /*
17485          * Check PHYI_MULTI_BCAST and length of physical
17486          * address to determine if we use the mapping or the
17487          * broadcast address.
17488          */
17489         if ((phyi->phyint_flags & PHYI_MULTI_BCAST) != 0 ||
17490             ill->ill_phys_addr_length != ETHERADDRL) {
17491                 ip_mbcast_mapping(ill, m_ipaddr, m_physaddr);
17492                 return;
17493         }
17494         m_physaddr[0] = 0x01;
17495         m_physaddr[1] = 0x00;
17496         m_physaddr[2] = 0x5e;
17497         m_physaddr[3] = m_ipaddr[1] & 0x7f;
17498         m_physaddr[4] = m_ipaddr[2];
17499         m_physaddr[5] = m_ipaddr[3];
17500 }
17501 
17502 /* ARGSUSED */
17503 static void
17504 ip_mbcast_mapping(ill_t *ill, uchar_t *m_ipaddr, uchar_t *m_physaddr)
17505 {
17506         /*
17507          * for the MULTI_BCAST case and other cases when we want to
17508          * use the link-layer broadcast address for multicast.
17509          */
17510         uint8_t *bphys_addr;
17511         dl_unitdata_req_t *dlur;
17512 
17513         dlur = (dl_unitdata_req_t *)ill->ill_bcast_mp->b_rptr;
17514         if (ill->ill_sap_length < 0) {
17515                 bphys_addr = (uchar_t *)dlur +
17516                     dlur->dl_dest_addr_offset;
17517         } else  {
17518                 bphys_addr = (uchar_t *)dlur +
17519                     dlur->dl_dest_addr_offset + ill->ill_sap_length;
17520         }
17521 
17522         bcopy(bphys_addr, m_physaddr, ill->ill_phys_addr_length);
17523 }
17524 
17525 /*
17526  * Derive IPoIB interface id from the link layer address.
17527  */
17528 static void
17529 ip_ib_v6intfid(ill_t *ill, in6_addr_t *v6addr)
17530 {
17531         char            *addr;
17532 
17533         ASSERT(ill->ill_phys_addr_length == 20);
17534         addr = (char *)&v6addr->s6_addr32[2];
17535         bcopy(ill->ill_phys_addr + 12, addr, 8);
17536         /*
17537          * In IBA 1.1 timeframe, some vendors erroneously set the u/l bit
17538          * in the globally assigned EUI-64 GUID to 1, in violation of IEEE
17539          * rules. In these cases, the IBA considers these GUIDs to be in
17540          * "Modified EUI-64" format, and thus toggling the u/l bit is not
17541          * required; vendors are required not to assign global EUI-64's
17542          * that differ only in u/l bit values, thus guaranteeing uniqueness
17543          * of the interface identifier. Whether the GUID is in modified
17544          * or proper EUI-64 format, the ipv6 identifier must have the u/l
17545          * bit set to 1.
17546          */
17547         addr[0] |= 2;                   /* Set Universal/Local bit to 1 */
17548 }
17549 
17550 /*
17551  * Map the multicast ipaddr_t in m_ipaddr to the physaddr for InfiniBand.
17552  * Note on mapping from multicast IP addresses to IPoIB multicast link
17553  * addresses. IPoIB multicast link addresses are based on IBA link addresses.
17554  * The format of an IPoIB multicast address is:
17555  *
17556  *  4 byte QPN      Scope Sign.  Pkey
17557  * +--------------------------------------------+
17558  * | 00FFFFFF | FF | 1X | X01B | Pkey | GroupID |
17559  * +--------------------------------------------+
17560  *
17561  * The Scope and Pkey components are properties of the IBA port and
17562  * network interface. They can be ascertained from the broadcast address.
17563  * The Sign. part is the signature, and is 401B for IPv4 and 601B for IPv6.
17564  */
17565 static void
17566 ip_ib_v4_mapping(ill_t *ill, uchar_t *m_ipaddr, uchar_t *m_physaddr)
17567 {
17568         static uint8_t ipv4_g_phys_ibmulti_addr[] = { 0x00, 0xff, 0xff, 0xff,
17569             0xff, 0x10, 0x40, 0x1b, 0x00, 0x00, 0x00, 0x00,
17570             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
17571         uint8_t *bphys_addr;
17572         dl_unitdata_req_t *dlur;
17573 
17574         bcopy(ipv4_g_phys_ibmulti_addr, m_physaddr, ill->ill_phys_addr_length);
17575 
17576         /*
17577          * RFC 4391: IPv4 MGID is 28-bit long.
17578          */
17579         m_physaddr[16] = m_ipaddr[0] & 0x0f;
17580         m_physaddr[17] = m_ipaddr[1];
17581         m_physaddr[18] = m_ipaddr[2];
17582         m_physaddr[19] = m_ipaddr[3];
17583 
17584 
17585         dlur = (dl_unitdata_req_t *)ill->ill_bcast_mp->b_rptr;
17586         if (ill->ill_sap_length < 0) {
17587                 bphys_addr = (uchar_t *)dlur + dlur->dl_dest_addr_offset;
17588         } else  {
17589                 bphys_addr = (uchar_t *)dlur + dlur->dl_dest_addr_offset +
17590                     ill->ill_sap_length;
17591         }
17592         /*
17593          * Now fill in the IBA scope/Pkey values from the broadcast address.
17594          */
17595         m_physaddr[5] = bphys_addr[5];
17596         m_physaddr[8] = bphys_addr[8];
17597         m_physaddr[9] = bphys_addr[9];
17598 }
17599 
17600 static void
17601 ip_ib_v6_mapping(ill_t *ill, uchar_t *m_ipaddr, uchar_t *m_physaddr)
17602 {
17603         static uint8_t ipv4_g_phys_ibmulti_addr[] = { 0x00, 0xff, 0xff, 0xff,
17604             0xff, 0x10, 0x60, 0x1b, 0x00, 0x00, 0x00, 0x00,
17605             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
17606         uint8_t *bphys_addr;
17607         dl_unitdata_req_t *dlur;
17608 
17609         bcopy(ipv4_g_phys_ibmulti_addr, m_physaddr, ill->ill_phys_addr_length);
17610 
17611         /*
17612          * RFC 4391: IPv4 MGID is 80-bit long.
17613          */
17614         bcopy(&m_ipaddr[6], &m_physaddr[10], 10);
17615 
17616         dlur = (dl_unitdata_req_t *)ill->ill_bcast_mp->b_rptr;
17617         if (ill->ill_sap_length < 0) {
17618                 bphys_addr = (uchar_t *)dlur + dlur->dl_dest_addr_offset;
17619         } else  {
17620                 bphys_addr = (uchar_t *)dlur + dlur->dl_dest_addr_offset +
17621                     ill->ill_sap_length;
17622         }
17623         /*
17624          * Now fill in the IBA scope/Pkey values from the broadcast address.
17625          */
17626         m_physaddr[5] = bphys_addr[5];
17627         m_physaddr[8] = bphys_addr[8];
17628         m_physaddr[9] = bphys_addr[9];
17629 }
17630 
17631 /*
17632  * Derive IPv6 interface id from an IPv4 link-layer address (e.g. from an IPv4
17633  * tunnel).  The IPv4 address simply get placed in the lower 4 bytes of the
17634  * IPv6 interface id.  This is a suggested mechanism described in section 3.7
17635  * of RFC4213.
17636  */
17637 static void
17638 ip_ipv4_genv6intfid(ill_t *ill, uint8_t *physaddr, in6_addr_t *v6addr)
17639 {
17640         ASSERT(ill->ill_phys_addr_length == sizeof (ipaddr_t));
17641         v6addr->s6_addr32[2] = 0;
17642         bcopy(physaddr, &v6addr->s6_addr32[3], sizeof (ipaddr_t));
17643 }
17644 
17645 /*
17646  * Derive IPv6 interface id from an IPv6 link-layer address (e.g. from an IPv6
17647  * tunnel).  The lower 8 bytes of the IPv6 address simply become the interface
17648  * id.
17649  */
17650 static void
17651 ip_ipv6_genv6intfid(ill_t *ill, uint8_t *physaddr, in6_addr_t *v6addr)
17652 {
17653         in6_addr_t *v6lladdr = (in6_addr_t *)physaddr;
17654 
17655         ASSERT(ill->ill_phys_addr_length == sizeof (in6_addr_t));
17656         bcopy(&v6lladdr->s6_addr32[2], &v6addr->s6_addr32[2], 8);
17657 }
17658 
17659 static void
17660 ip_ipv6_v6intfid(ill_t *ill, in6_addr_t *v6addr)
17661 {
17662         ip_ipv6_genv6intfid(ill, ill->ill_phys_addr, v6addr);
17663 }
17664 
17665 static void
17666 ip_ipv6_v6destintfid(ill_t *ill, in6_addr_t *v6addr)
17667 {
17668         ip_ipv6_genv6intfid(ill, ill->ill_dest_addr, v6addr);
17669 }
17670 
17671 static void
17672 ip_ipv4_v6intfid(ill_t *ill, in6_addr_t *v6addr)
17673 {
17674         ip_ipv4_genv6intfid(ill, ill->ill_phys_addr, v6addr);
17675 }
17676 
17677 static void
17678 ip_ipv4_v6destintfid(ill_t *ill, in6_addr_t *v6addr)
17679 {
17680         ip_ipv4_genv6intfid(ill, ill->ill_dest_addr, v6addr);
17681 }
17682 
17683 /*
17684  * Lookup an ill and verify that the zoneid has an ipif on that ill.
17685  * Returns an held ill, or NULL.
17686  */
17687 ill_t *
17688 ill_lookup_on_ifindex_zoneid(uint_t index, zoneid_t zoneid, boolean_t isv6,
17689     ip_stack_t *ipst)
17690 {
17691         ill_t   *ill;
17692         ipif_t  *ipif;
17693 
17694         ill = ill_lookup_on_ifindex(index, isv6, ipst);
17695         if (ill == NULL)
17696                 return (NULL);
17697 
17698         mutex_enter(&ill->ill_lock);
17699         for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
17700                 if (IPIF_IS_CONDEMNED(ipif))
17701                         continue;
17702                 if (zoneid != ALL_ZONES && ipif->ipif_zoneid != zoneid &&
17703                     ipif->ipif_zoneid != ALL_ZONES)
17704                         continue;
17705 
17706                 mutex_exit(&ill->ill_lock);
17707                 return (ill);
17708         }
17709         mutex_exit(&ill->ill_lock);
17710         ill_refrele(ill);
17711         return (NULL);
17712 }
17713 
17714 /*
17715  * Return a pointer to an ipif_t given a combination of (ill_idx,ipif_id)
17716  * If a pointer to an ipif_t is returned then the caller will need to do
17717  * an ill_refrele().
17718  */
17719 ipif_t *
17720 ipif_getby_indexes(uint_t ifindex, uint_t lifidx, boolean_t isv6,
17721     ip_stack_t *ipst)
17722 {
17723         ipif_t *ipif;
17724         ill_t *ill;
17725 
17726         ill = ill_lookup_on_ifindex(ifindex, isv6, ipst);
17727         if (ill == NULL)
17728                 return (NULL);
17729 
17730         mutex_enter(&ill->ill_lock);
17731         if (ill->ill_state_flags & ILL_CONDEMNED) {
17732                 mutex_exit(&ill->ill_lock);
17733                 ill_refrele(ill);
17734                 return (NULL);
17735         }
17736 
17737         for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
17738                 if (!IPIF_CAN_LOOKUP(ipif))
17739                         continue;
17740                 if (lifidx == ipif->ipif_id) {
17741                         ipif_refhold_locked(ipif);
17742                         break;
17743                 }
17744         }
17745 
17746         mutex_exit(&ill->ill_lock);
17747         ill_refrele(ill);
17748         return (ipif);
17749 }
17750 
17751 /*
17752  * Set ill_inputfn based on the current know state.
17753  * This needs to be called when any of the factors taken into
17754  * account changes.
17755  */
17756 void
17757 ill_set_inputfn(ill_t *ill)
17758 {
17759         ip_stack_t      *ipst = ill->ill_ipst;
17760 
17761         if (ill->ill_isv6) {
17762                 if (is_system_labeled())
17763                         ill->ill_inputfn = ill_input_full_v6;
17764                 else
17765                         ill->ill_inputfn = ill_input_short_v6;
17766         } else {
17767                 if (is_system_labeled())
17768                         ill->ill_inputfn = ill_input_full_v4;
17769                 else if (ill->ill_dhcpinit != 0)
17770                         ill->ill_inputfn = ill_input_full_v4;
17771                 else if (ipst->ips_ipcl_proto_fanout_v4[IPPROTO_RSVP].connf_head
17772                     != NULL)
17773                         ill->ill_inputfn = ill_input_full_v4;
17774                 else if (ipst->ips_ip_cgtp_filter &&
17775                     ipst->ips_ip_cgtp_filter_ops != NULL)
17776                         ill->ill_inputfn = ill_input_full_v4;
17777                 else
17778                         ill->ill_inputfn = ill_input_short_v4;
17779         }
17780 }
17781 
17782 /*
17783  * Re-evaluate ill_inputfn for all the IPv4 ills.
17784  * Used when RSVP and CGTP comes and goes.
17785  */
17786 void
17787 ill_set_inputfn_all(ip_stack_t *ipst)
17788 {
17789         ill_walk_context_t      ctx;
17790         ill_t                   *ill;
17791 
17792         rw_enter(&ipst->ips_ill_g_lock, RW_READER);
17793         ill = ILL_START_WALK_V4(&ctx, ipst);
17794         for (; ill != NULL; ill = ill_next(&ctx, ill))
17795                 ill_set_inputfn(ill);
17796 
17797         rw_exit(&ipst->ips_ill_g_lock);
17798 }
17799 
17800 /*
17801  * Set the physical address information for `ill' to the contents of the
17802  * dl_notify_ind_t pointed to by `mp'.  Must be called as writer, and will be
17803  * asynchronous if `ill' cannot immediately be quiesced -- in which case
17804  * EINPROGRESS will be returned.
17805  */
17806 int
17807 ill_set_phys_addr(ill_t *ill, mblk_t *mp)
17808 {
17809         ipsq_t *ipsq = ill->ill_phyint->phyint_ipsq;
17810         dl_notify_ind_t *dlindp = (dl_notify_ind_t *)mp->b_rptr;
17811 
17812         ASSERT(IAM_WRITER_IPSQ(ipsq));
17813 
17814         if (dlindp->dl_data != DL_IPV6_LINK_LAYER_ADDR &&
17815             dlindp->dl_data != DL_CURR_DEST_ADDR &&
17816             dlindp->dl_data != DL_CURR_PHYS_ADDR) {
17817                 /* Changing DL_IPV6_TOKEN is not yet supported */
17818                 return (0);
17819         }
17820 
17821         /*
17822          * We need to store up to two copies of `mp' in `ill'.  Due to the
17823          * design of ipsq_pending_mp_add(), we can't pass them as separate
17824          * arguments to ill_set_phys_addr_tail().  Instead, chain them
17825          * together here, then pull 'em apart in ill_set_phys_addr_tail().
17826          */
17827         if ((mp = copyb(mp)) == NULL || (mp->b_cont = copyb(mp)) == NULL) {
17828                 freemsg(mp);
17829                 return (ENOMEM);
17830         }
17831 
17832         ipsq_current_start(ipsq, ill->ill_ipif, 0);
17833 
17834         /*
17835          * Since we'll only do a logical down, we can't rely on ipif_down
17836          * to turn on ILL_DOWN_IN_PROGRESS, or for the DL_BIND_ACK to reset
17837          * ILL_DOWN_IN_PROGRESS. We instead manage this separately for this
17838          * case, to quiesce ire's and nce's for ill_is_quiescent.
17839          */
17840         mutex_enter(&ill->ill_lock);
17841         ill->ill_state_flags |= ILL_DOWN_IN_PROGRESS;
17842         /* no more ire/nce addition allowed */
17843         mutex_exit(&ill->ill_lock);
17844 
17845         /*
17846          * If we can quiesce the ill, then set the address.  If not, then
17847          * ill_set_phys_addr_tail() will be called from ipif_ill_refrele_tail().
17848          */
17849         ill_down_ipifs(ill, B_TRUE);
17850         mutex_enter(&ill->ill_lock);
17851         if (!ill_is_quiescent(ill)) {
17852                 /* call cannot fail since `conn_t *' argument is NULL */
17853                 (void) ipsq_pending_mp_add(NULL, ill->ill_ipif, ill->ill_rq,
17854                     mp, ILL_DOWN);
17855                 mutex_exit(&ill->ill_lock);
17856                 return (EINPROGRESS);
17857         }
17858         mutex_exit(&ill->ill_lock);
17859 
17860         ill_set_phys_addr_tail(ipsq, ill->ill_rq, mp, NULL);
17861         return (0);
17862 }
17863 
17864 /*
17865  * When the allowed-ips link property is set on the datalink, IP receives a
17866  * DL_NOTE_ALLOWED_IPS notification that is processed in ill_set_allowed_ips()
17867  * to initialize the ill_allowed_ips[] array in the ill_t. This array is then
17868  * used to vet addresses passed to ip_sioctl_addr() and to ensure that the
17869  * only IP addresses configured on the ill_t are those in the ill_allowed_ips[]
17870  * array.
17871  */
17872 void
17873 ill_set_allowed_ips(ill_t *ill, mblk_t *mp)
17874 {
17875         ipsq_t *ipsq = ill->ill_phyint->phyint_ipsq;
17876         dl_notify_ind_t *dlip = (dl_notify_ind_t *)mp->b_rptr;
17877         mac_protect_t *mrp;
17878         int i;
17879 
17880         ASSERT(IAM_WRITER_IPSQ(ipsq));
17881         mrp = (mac_protect_t *)&dlip[1];
17882 
17883         if (mrp->mp_ipaddrcnt == 0) { /* reset allowed-ips */
17884                 kmem_free(ill->ill_allowed_ips,
17885                     ill->ill_allowed_ips_cnt * sizeof (in6_addr_t));
17886                 ill->ill_allowed_ips_cnt = 0;
17887                 ill->ill_allowed_ips = NULL;
17888                 mutex_enter(&ill->ill_phyint->phyint_lock);
17889                 ill->ill_phyint->phyint_flags &= ~PHYI_L3PROTECT;
17890                 mutex_exit(&ill->ill_phyint->phyint_lock);
17891                 return;
17892         }
17893 
17894         if (ill->ill_allowed_ips != NULL) {
17895                 kmem_free(ill->ill_allowed_ips,
17896                     ill->ill_allowed_ips_cnt * sizeof (in6_addr_t));
17897         }
17898         ill->ill_allowed_ips_cnt = mrp->mp_ipaddrcnt;
17899         ill->ill_allowed_ips = kmem_alloc(
17900             ill->ill_allowed_ips_cnt * sizeof (in6_addr_t), KM_SLEEP);
17901         for (i = 0; i < mrp->mp_ipaddrcnt;  i++)
17902                 ill->ill_allowed_ips[i] = mrp->mp_ipaddrs[i].ip_addr;
17903 
17904         mutex_enter(&ill->ill_phyint->phyint_lock);
17905         ill->ill_phyint->phyint_flags |= PHYI_L3PROTECT;
17906         mutex_exit(&ill->ill_phyint->phyint_lock);
17907 }
17908 
17909 /*
17910  * Once the ill associated with `q' has quiesced, set its physical address
17911  * information to the values in `addrmp'.  Note that two copies of `addrmp'
17912  * are passed (linked by b_cont), since we sometimes need to save two distinct
17913  * copies in the ill_t, and our context doesn't permit sleeping or allocation
17914  * failure (we'll free the other copy if it's not needed).  Since the ill_t
17915  * is quiesced, we know any stale nce's with the old address information have
17916  * already been removed, so we don't need to call nce_flush().
17917  */
17918 /* ARGSUSED */
17919 static void
17920 ill_set_phys_addr_tail(ipsq_t *ipsq, queue_t *q, mblk_t *addrmp, void *dummy)
17921 {
17922         ill_t           *ill = q->q_ptr;
17923         mblk_t          *addrmp2 = unlinkb(addrmp);
17924         dl_notify_ind_t *dlindp = (dl_notify_ind_t *)addrmp->b_rptr;
17925         uint_t          addrlen, addroff;
17926         int             status;
17927 
17928         ASSERT(IAM_WRITER_IPSQ(ipsq));
17929 
17930         addroff = dlindp->dl_addr_offset;
17931         addrlen = dlindp->dl_addr_length - ABS(ill->ill_sap_length);
17932 
17933         switch (dlindp->dl_data) {
17934         case DL_IPV6_LINK_LAYER_ADDR:
17935                 ill_set_ndmp(ill, addrmp, addroff, addrlen);
17936                 freemsg(addrmp2);
17937                 break;
17938 
17939         case DL_CURR_DEST_ADDR:
17940                 freemsg(ill->ill_dest_addr_mp);
17941                 ill->ill_dest_addr = addrmp->b_rptr + addroff;
17942                 ill->ill_dest_addr_mp = addrmp;
17943                 if (ill->ill_isv6) {
17944                         ill_setdesttoken(ill);
17945                         ipif_setdestlinklocal(ill->ill_ipif);
17946                 }
17947                 freemsg(addrmp2);
17948                 break;
17949 
17950         case DL_CURR_PHYS_ADDR:
17951                 freemsg(ill->ill_phys_addr_mp);
17952                 ill->ill_phys_addr = addrmp->b_rptr + addroff;
17953                 ill->ill_phys_addr_mp = addrmp;
17954                 ill->ill_phys_addr_length = addrlen;
17955                 if (ill->ill_isv6)
17956                         ill_set_ndmp(ill, addrmp2, addroff, addrlen);
17957                 else
17958                         freemsg(addrmp2);
17959                 if (ill->ill_isv6) {
17960                         ill_setdefaulttoken(ill);
17961                         ipif_setlinklocal(ill->ill_ipif);
17962                 }
17963                 break;
17964         default:
17965                 ASSERT(0);
17966         }
17967 
17968         /*
17969          * reset ILL_DOWN_IN_PROGRESS so that we can successfully add ires
17970          * as we bring the ipifs up again.
17971          */
17972         mutex_enter(&ill->ill_lock);
17973         ill->ill_state_flags &= ~ILL_DOWN_IN_PROGRESS;
17974         mutex_exit(&ill->ill_lock);
17975         /*
17976          * If there are ipifs to bring up, ill_up_ipifs() will return
17977          * EINPROGRESS, and ipsq_current_finish() will be called by
17978          * ip_rput_dlpi_writer() or arp_bringup_done() when the last ipif is
17979          * brought up.
17980          */
17981         status = ill_up_ipifs(ill, q, addrmp);
17982         if (status != EINPROGRESS)
17983                 ipsq_current_finish(ipsq);
17984 }
17985 
17986 /*
17987  * Helper routine for setting the ill_nd_lla fields.
17988  */
17989 void
17990 ill_set_ndmp(ill_t *ill, mblk_t *ndmp, uint_t addroff, uint_t addrlen)
17991 {
17992         freemsg(ill->ill_nd_lla_mp);
17993         ill->ill_nd_lla = ndmp->b_rptr + addroff;
17994         ill->ill_nd_lla_mp = ndmp;
17995         ill->ill_nd_lla_len = addrlen;
17996 }
17997 
17998 /*
17999  * Replumb the ill.
18000  */
18001 int
18002 ill_replumb(ill_t *ill, mblk_t *mp)
18003 {
18004         ipsq_t *ipsq = ill->ill_phyint->phyint_ipsq;
18005 
18006         ASSERT(IAM_WRITER_IPSQ(ipsq));
18007 
18008         ipsq_current_start(ipsq, ill->ill_ipif, 0);
18009 
18010         /*
18011          * If we can quiesce the ill, then continue.  If not, then
18012          * ill_replumb_tail() will be called from ipif_ill_refrele_tail().
18013          */
18014         ill_down_ipifs(ill, B_FALSE);
18015 
18016         mutex_enter(&ill->ill_lock);
18017         if (!ill_is_quiescent(ill)) {
18018                 /* call cannot fail since `conn_t *' argument is NULL */
18019                 (void) ipsq_pending_mp_add(NULL, ill->ill_ipif, ill->ill_rq,
18020                     mp, ILL_DOWN);
18021                 mutex_exit(&ill->ill_lock);
18022                 return (EINPROGRESS);
18023         }
18024         mutex_exit(&ill->ill_lock);
18025 
18026         ill_replumb_tail(ipsq, ill->ill_rq, mp, NULL);
18027         return (0);
18028 }
18029 
18030 /* ARGSUSED */
18031 static void
18032 ill_replumb_tail(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy)
18033 {
18034         ill_t *ill = q->q_ptr;
18035         int err;
18036         conn_t *connp = NULL;
18037 
18038         ASSERT(IAM_WRITER_IPSQ(ipsq));
18039         freemsg(ill->ill_replumb_mp);
18040         ill->ill_replumb_mp = copyb(mp);
18041 
18042         if (ill->ill_replumb_mp == NULL) {
18043                 /* out of memory */
18044                 ipsq_current_finish(ipsq);
18045                 return;
18046         }
18047 
18048         mutex_enter(&ill->ill_lock);
18049         ill->ill_up_ipifs = ipsq_pending_mp_add(NULL, ill->ill_ipif,
18050             ill->ill_rq, ill->ill_replumb_mp, 0);
18051         mutex_exit(&ill->ill_lock);
18052 
18053         if (!ill->ill_up_ipifs) {
18054                 /* already closing */
18055                 ipsq_current_finish(ipsq);
18056                 return;
18057         }
18058         ill->ill_replumbing = 1;
18059         err = ill_down_ipifs_tail(ill);
18060 
18061         /*
18062          * Successfully quiesced and brought down the interface, now we send
18063          * the DL_NOTE_REPLUMB_DONE message down to the driver. Reuse the
18064          * DL_NOTE_REPLUMB message.
18065          */
18066         mp = mexchange(NULL, mp, sizeof (dl_notify_conf_t), M_PROTO,
18067             DL_NOTIFY_CONF);
18068         ASSERT(mp != NULL);
18069         ((dl_notify_conf_t *)mp->b_rptr)->dl_notification =
18070             DL_NOTE_REPLUMB_DONE;
18071         ill_dlpi_send(ill, mp);
18072 
18073         /*
18074          * For IPv4, we would usually get EINPROGRESS because the ETHERTYPE_ARP
18075          * streams have to be unbound. When all the DLPI exchanges are done,
18076          * ipsq_current_finish() will be called by arp_bringup_done(). The
18077          * remainder of ipif bringup via ill_up_ipifs() will also be done in
18078          * arp_bringup_done().
18079          */
18080         ASSERT(ill->ill_replumb_mp != NULL);
18081         if (err == EINPROGRESS)
18082                 return;
18083         else
18084                 ill->ill_replumb_mp = ipsq_pending_mp_get(ipsq, &connp);
18085         ASSERT(connp == NULL);
18086         if (err == 0 && ill->ill_replumb_mp != NULL &&
18087             ill_up_ipifs(ill, q, ill->ill_replumb_mp) == EINPROGRESS) {
18088                 return;
18089         }
18090         ipsq_current_finish(ipsq);
18091 }
18092 
18093 /*
18094  * Issue ioctl `cmd' on `lh'; caller provides the initial payload in `buf'
18095  * which is `bufsize' bytes.  On success, zero is returned and `buf' updated
18096  * as per the ioctl.  On failure, an errno is returned.
18097  */
18098 static int
18099 ip_ioctl(ldi_handle_t lh, int cmd, void *buf, uint_t bufsize, cred_t *cr)
18100 {
18101         int rval;
18102         struct strioctl iocb;
18103 
18104         iocb.ic_cmd = cmd;
18105         iocb.ic_timout = 15;
18106         iocb.ic_len = bufsize;
18107         iocb.ic_dp = buf;
18108 
18109         return (ldi_ioctl(lh, I_STR, (intptr_t)&iocb, FKIOCTL, cr, &rval));
18110 }
18111 
18112 /*
18113  * Issue an SIOCGLIFCONF for address family `af' and store the result into a
18114  * dynamically-allocated `lifcp' that will be `bufsizep' bytes on success.
18115  */
18116 static int
18117 ip_lifconf_ioctl(ldi_handle_t lh, int af, struct lifconf *lifcp,
18118     uint_t *bufsizep, cred_t *cr)
18119 {
18120         int err;
18121         struct lifnum lifn;
18122 
18123         bzero(&lifn, sizeof (lifn));
18124         lifn.lifn_family = af;
18125         lifn.lifn_flags = LIFC_UNDER_IPMP;
18126 
18127         if ((err = ip_ioctl(lh, SIOCGLIFNUM, &lifn, sizeof (lifn), cr)) != 0)
18128                 return (err);
18129 
18130         /*
18131          * Pad the interface count to account for additional interfaces that
18132          * may have been configured between the SIOCGLIFNUM and SIOCGLIFCONF.
18133          */
18134         lifn.lifn_count += 4;
18135         bzero(lifcp, sizeof (*lifcp));
18136         lifcp->lifc_flags = LIFC_UNDER_IPMP;
18137         lifcp->lifc_family = af;
18138         lifcp->lifc_len = *bufsizep = lifn.lifn_count * sizeof (struct lifreq);
18139         lifcp->lifc_buf = kmem_zalloc(*bufsizep, KM_SLEEP);
18140 
18141         err = ip_ioctl(lh, SIOCGLIFCONF, lifcp, sizeof (*lifcp), cr);
18142         if (err != 0) {
18143                 kmem_free(lifcp->lifc_buf, *bufsizep);
18144                 return (err);
18145         }
18146 
18147         return (0);
18148 }
18149 
18150 /*
18151  * Helper for ip_interface_cleanup() that removes the loopback interface.
18152  */
18153 static void
18154 ip_loopback_removeif(ldi_handle_t lh, boolean_t isv6, cred_t *cr)
18155 {
18156         int err;
18157         struct lifreq lifr;
18158 
18159         bzero(&lifr, sizeof (lifr));
18160         (void) strcpy(lifr.lifr_name, ipif_loopback_name);
18161 
18162         /*
18163          * Attempt to remove the interface.  It may legitimately not exist
18164          * (e.g. the zone administrator unplumbed it), so ignore ENXIO.
18165          */
18166         err = ip_ioctl(lh, SIOCLIFREMOVEIF, &lifr, sizeof (lifr), cr);
18167         if (err != 0 && err != ENXIO) {
18168                 ip0dbg(("ip_loopback_removeif: IP%s SIOCLIFREMOVEIF failed: "
18169                     "error %d\n", isv6 ? "v6" : "v4", err));
18170         }
18171 }
18172 
18173 /*
18174  * Helper for ip_interface_cleanup() that ensures no IP interfaces are in IPMP
18175  * groups and that IPMP data addresses are down.  These conditions must be met
18176  * so that IPMP interfaces can be I_PUNLINK'd, as per ip_sioctl_plink_ipmp().
18177  */
18178 static void
18179 ip_ipmp_cleanup(ldi_handle_t lh, boolean_t isv6, cred_t *cr)
18180 {
18181         int af = isv6 ? AF_INET6 : AF_INET;
18182         int i, nifs;
18183         int err;
18184         uint_t bufsize;
18185         uint_t lifrsize = sizeof (struct lifreq);
18186         struct lifconf lifc;
18187         struct lifreq *lifrp;
18188 
18189         if ((err = ip_lifconf_ioctl(lh, af, &lifc, &bufsize, cr)) != 0) {
18190                 cmn_err(CE_WARN, "ip_ipmp_cleanup: cannot get interface list "
18191                     "(error %d); any IPMP interfaces cannot be shutdown", err);
18192                 return;
18193         }
18194 
18195         nifs = lifc.lifc_len / lifrsize;
18196         for (lifrp = lifc.lifc_req, i = 0; i < nifs; i++, lifrp++) {
18197                 err = ip_ioctl(lh, SIOCGLIFFLAGS, lifrp, lifrsize, cr);
18198                 if (err != 0) {
18199                         cmn_err(CE_WARN, "ip_ipmp_cleanup: %s: cannot get "
18200                             "flags: error %d", lifrp->lifr_name, err);
18201                         continue;
18202                 }
18203 
18204                 if (lifrp->lifr_flags & IFF_IPMP) {
18205                         if ((lifrp->lifr_flags & (IFF_UP|IFF_DUPLICATE)) == 0)
18206                                 continue;
18207 
18208                         lifrp->lifr_flags &= ~IFF_UP;
18209                         err = ip_ioctl(lh, SIOCSLIFFLAGS, lifrp, lifrsize, cr);
18210                         if (err != 0) {
18211                                 cmn_err(CE_WARN, "ip_ipmp_cleanup: %s: cannot "
18212                                     "bring down (error %d); IPMP interface may "
18213                                     "not be shutdown", lifrp->lifr_name, err);
18214                         }
18215 
18216                         /*
18217                          * Check if IFF_DUPLICATE is still set -- and if so,
18218                          * reset the address to clear it.
18219                          */
18220                         err = ip_ioctl(lh, SIOCGLIFFLAGS, lifrp, lifrsize, cr);
18221                         if (err != 0 || !(lifrp->lifr_flags & IFF_DUPLICATE))
18222                                 continue;
18223 
18224                         err = ip_ioctl(lh, SIOCGLIFADDR, lifrp, lifrsize, cr);
18225                         if (err != 0 || (err = ip_ioctl(lh, SIOCGLIFADDR,
18226                             lifrp, lifrsize, cr)) != 0) {
18227                                 cmn_err(CE_WARN, "ip_ipmp_cleanup: %s: cannot "
18228                                     "reset DAD (error %d); IPMP interface may "
18229                                     "not be shutdown", lifrp->lifr_name, err);
18230                         }
18231                         continue;
18232                 }
18233 
18234                 if (strchr(lifrp->lifr_name, IPIF_SEPARATOR_CHAR) == 0) {
18235                         lifrp->lifr_groupname[0] = '\0';
18236                         if ((err = ip_ioctl(lh, SIOCSLIFGROUPNAME, lifrp,
18237                             lifrsize, cr)) != 0) {
18238                                 cmn_err(CE_WARN, "ip_ipmp_cleanup: %s: cannot "
18239                                     "leave IPMP group (error %d); associated "
18240                                     "IPMP interface may not be shutdown",
18241                                     lifrp->lifr_name, err);
18242                                 continue;
18243                         }
18244                 }
18245         }
18246 
18247         kmem_free(lifc.lifc_buf, bufsize);
18248 }
18249 
18250 #define UDPDEV          "/devices/pseudo/udp@0:udp"
18251 #define UDP6DEV         "/devices/pseudo/udp6@0:udp6"
18252 
18253 /*
18254  * Remove the loopback interfaces and prep the IPMP interfaces to be torn down.
18255  * Non-loopback interfaces are either I_LINK'd or I_PLINK'd; the former go away
18256  * when the user-level processes in the zone are killed and the latter are
18257  * cleaned up by str_stack_shutdown().
18258  */
18259 void
18260 ip_interface_cleanup(ip_stack_t *ipst)
18261 {
18262         ldi_handle_t    lh;
18263         ldi_ident_t     li;
18264         cred_t          *cr;
18265         int             err;
18266         int             i;
18267         char            *devs[] = { UDP6DEV, UDPDEV };
18268         netstackid_t    stackid = ipst->ips_netstack->netstack_stackid;
18269 
18270         if ((err = ldi_ident_from_major(ddi_name_to_major("ip"), &li)) != 0) {
18271                 cmn_err(CE_WARN, "ip_interface_cleanup: cannot get ldi ident:"
18272                     " error %d", err);
18273                 return;
18274         }
18275 
18276         cr = zone_get_kcred(netstackid_to_zoneid(stackid));
18277         ASSERT(cr != NULL);
18278 
18279         /*
18280          * NOTE: loop executes exactly twice and is hardcoded to know that the
18281          * first iteration is IPv6.  (Unrolling yields repetitious code, hence
18282          * the loop.)
18283          */
18284         for (i = 0; i < 2; i++) {
18285                 err = ldi_open_by_name(devs[i], FREAD|FWRITE, cr, &lh, li);
18286                 if (err != 0) {
18287                         cmn_err(CE_WARN, "ip_interface_cleanup: cannot open %s:"
18288                             " error %d", devs[i], err);
18289                         continue;
18290                 }
18291 
18292                 ip_loopback_removeif(lh, i == 0, cr);
18293                 ip_ipmp_cleanup(lh, i == 0, cr);
18294 
18295                 (void) ldi_close(lh, FREAD|FWRITE, cr);
18296         }
18297 
18298         ldi_ident_release(li);
18299         crfree(cr);
18300 }
18301 
18302 /*
18303  * This needs to be in-sync with nic_event_t definition
18304  */
18305 static const char *
18306 ill_hook_event2str(nic_event_t event)
18307 {
18308         switch (event) {
18309         case NE_PLUMB:
18310                 return ("PLUMB");
18311         case NE_UNPLUMB:
18312                 return ("UNPLUMB");
18313         case NE_UP:
18314                 return ("UP");
18315         case NE_DOWN:
18316                 return ("DOWN");
18317         case NE_ADDRESS_CHANGE:
18318                 return ("ADDRESS_CHANGE");
18319         case NE_LIF_UP:
18320                 return ("LIF_UP");
18321         case NE_LIF_DOWN:
18322                 return ("LIF_DOWN");
18323         case NE_IFINDEX_CHANGE:
18324                 return ("IFINDEX_CHANGE");
18325         default:
18326                 return ("UNKNOWN");
18327         }
18328 }
18329 
18330 void
18331 ill_nic_event_dispatch(ill_t *ill, lif_if_t lif, nic_event_t event,
18332     nic_event_data_t data, size_t datalen)
18333 {
18334         ip_stack_t              *ipst = ill->ill_ipst;
18335         hook_nic_event_int_t    *info;
18336         const char              *str = NULL;
18337 
18338         /* create a new nic event info */
18339         if ((info = kmem_alloc(sizeof (*info), KM_NOSLEEP)) == NULL)
18340                 goto fail;
18341 
18342         info->hnei_event.hne_nic = ill->ill_phyint->phyint_ifindex;
18343         info->hnei_event.hne_lif = lif;
18344         info->hnei_event.hne_event = event;
18345         info->hnei_event.hne_protocol = ill->ill_isv6 ?
18346             ipst->ips_ipv6_net_data : ipst->ips_ipv4_net_data;
18347         info->hnei_event.hne_data = NULL;
18348         info->hnei_event.hne_datalen = 0;
18349         info->hnei_stackid = ipst->ips_netstack->netstack_stackid;
18350 
18351         if (data != NULL && datalen != 0) {
18352                 info->hnei_event.hne_data = kmem_alloc(datalen, KM_NOSLEEP);
18353                 if (info->hnei_event.hne_data == NULL)
18354                         goto fail;
18355                 bcopy(data, info->hnei_event.hne_data, datalen);
18356                 info->hnei_event.hne_datalen = datalen;
18357         }
18358 
18359         if (ddi_taskq_dispatch(eventq_queue_nic, ip_ne_queue_func, info,
18360             DDI_NOSLEEP) == DDI_SUCCESS)
18361                 return;
18362 
18363 fail:
18364         if (info != NULL) {
18365                 if (info->hnei_event.hne_data != NULL) {
18366                         kmem_free(info->hnei_event.hne_data,
18367                             info->hnei_event.hne_datalen);
18368                 }
18369                 kmem_free(info, sizeof (hook_nic_event_t));
18370         }
18371         str = ill_hook_event2str(event);
18372         ip2dbg(("ill_nic_event_dispatch: could not dispatch %s nic event "
18373             "information for %s (ENOMEM)\n", str, ill->ill_name));
18374 }
18375 
18376 static int
18377 ipif_arp_up_done_tail(ipif_t *ipif, enum ip_resolver_action res_act)
18378 {
18379         int             err = 0;
18380         const in_addr_t *addr = NULL;
18381         nce_t           *nce = NULL;
18382         ill_t           *ill = ipif->ipif_ill;
18383         ill_t           *bound_ill;
18384         boolean_t       added_ipif = B_FALSE;
18385         uint16_t        state;
18386         uint16_t        flags;
18387 
18388         DTRACE_PROBE3(ipif__downup, char *, "ipif_arp_up_done_tail",
18389             ill_t *, ill, ipif_t *, ipif);
18390         if (ipif->ipif_lcl_addr != INADDR_ANY) {
18391                 addr = &ipif->ipif_lcl_addr;
18392         }
18393 
18394         if ((ipif->ipif_flags & IPIF_UNNUMBERED) || addr == NULL) {
18395                 if (res_act != Res_act_initial)
18396                         return (EINVAL);
18397         }
18398 
18399         if (addr != NULL) {
18400                 ipmp_illgrp_t   *illg = ill->ill_grp;
18401 
18402                 /* add unicast nce for the local addr */
18403 
18404                 if (IS_IPMP(ill)) {
18405                         /*
18406                          * If we're here via ipif_up(), then the ipif
18407                          * won't be bound yet -- add it to the group,
18408                          * which will bind it if possible. (We would
18409                          * add it in ipif_up(), but deleting on failure
18410                          * there is gruesome.)  If we're here via
18411                          * ipmp_ill_bind_ipif(), then the ipif has
18412                          * already been added to the group and we
18413                          * just need to use the binding.
18414                          */
18415                         if ((bound_ill = ipmp_ipif_bound_ill(ipif)) == NULL) {
18416                                 bound_ill  = ipmp_illgrp_add_ipif(illg, ipif);
18417                                 if (bound_ill == NULL) {
18418                                         /*
18419                                          * We couldn't bind the ipif to an ill
18420                                          * yet, so we have nothing to publish.
18421                                          * Mark the address as ready and return.
18422                                          */
18423                                         ipif->ipif_addr_ready = 1;
18424                                         return (0);
18425                                 }
18426                                 added_ipif = B_TRUE;
18427                         }
18428                 } else {
18429                         bound_ill = ill;
18430                 }
18431 
18432                 flags = (NCE_F_MYADDR | NCE_F_PUBLISH | NCE_F_AUTHORITY |
18433                     NCE_F_NONUD);
18434                 /*
18435                  * If this is an initial bring-up (or the ipif was never
18436                  * completely brought up), do DAD.  Otherwise, we're here
18437                  * because IPMP has rebound an address to this ill: send
18438                  * unsolicited advertisements (ARP announcements) to
18439                  * inform others.
18440                  */
18441                 if (res_act == Res_act_initial || !ipif->ipif_addr_ready) {
18442                         state = ND_UNCHANGED; /* compute in nce_add_common() */
18443                 } else {
18444                         state = ND_REACHABLE;
18445                         flags |= NCE_F_UNSOL_ADV;
18446                 }
18447 
18448 retry:
18449                 err = nce_lookup_then_add_v4(ill,
18450                     bound_ill->ill_phys_addr, bound_ill->ill_phys_addr_length,
18451                     addr, flags, state, &nce);
18452 
18453                 /*
18454                  * note that we may encounter EEXIST if we are moving
18455                  * the nce as a result of a rebind operation.
18456                  */
18457                 switch (err) {
18458                 case 0:
18459                         ipif->ipif_added_nce = 1;
18460                         nce->nce_ipif_cnt++;
18461                         break;
18462                 case EEXIST:
18463                         ip1dbg(("ipif_arp_up: NCE already exists for %s\n",
18464                             ill->ill_name));
18465                         if (!NCE_MYADDR(nce->nce_common)) {
18466                                 /*
18467                                  * A leftover nce from before this address
18468                                  * existed
18469                                  */
18470                                 ncec_delete(nce->nce_common);
18471                                 nce_refrele(nce);
18472                                 nce = NULL;
18473                                 goto retry;
18474                         }
18475                         if ((ipif->ipif_flags & IPIF_POINTOPOINT) == 0) {
18476                                 nce_refrele(nce);
18477                                 nce = NULL;
18478                                 ip1dbg(("ipif_arp_up: NCE already exists "
18479                                     "for %s:%u\n", ill->ill_name,
18480                                     ipif->ipif_id));
18481                                 goto arp_up_done;
18482                         }
18483                         /*
18484                          * Duplicate local addresses are permissible for
18485                          * IPIF_POINTOPOINT interfaces which will get marked
18486                          * IPIF_UNNUMBERED later in
18487                          * ip_addr_availability_check().
18488                          *
18489                          * The nce_ipif_cnt field tracks the number of
18490                          * ipifs that have nce_addr as their local address.
18491                          */
18492                         ipif->ipif_addr_ready = 1;
18493                         ipif->ipif_added_nce = 1;
18494                         nce->nce_ipif_cnt++;
18495                         err = 0;
18496                         break;
18497                 default:
18498                         ASSERT(nce == NULL);
18499                         goto arp_up_done;
18500                 }
18501                 if (arp_no_defense) {
18502                         if ((ipif->ipif_flags & IPIF_UP) &&
18503                             !ipif->ipif_addr_ready)
18504                                 ipif_up_notify(ipif);
18505                         ipif->ipif_addr_ready = 1;
18506                 }
18507         } else {
18508                 /* zero address. nothing to publish */
18509                 ipif->ipif_addr_ready = 1;
18510         }
18511         if (nce != NULL)
18512                 nce_refrele(nce);
18513 arp_up_done:
18514         if (added_ipif && err != 0)
18515                 ipmp_illgrp_del_ipif(ill->ill_grp, ipif);
18516         return (err);
18517 }
18518 
18519 int
18520 ipif_arp_up(ipif_t *ipif, enum ip_resolver_action res_act, boolean_t was_dup)
18521 {
18522         int             err = 0;
18523         ill_t           *ill = ipif->ipif_ill;
18524         boolean_t       first_interface, wait_for_dlpi = B_FALSE;
18525 
18526         DTRACE_PROBE3(ipif__downup, char *, "ipif_arp_up",
18527             ill_t *, ill, ipif_t *, ipif);
18528 
18529         /*
18530          * need to bring up ARP or setup mcast mapping only
18531          * when the first interface is coming UP.
18532          */
18533         first_interface = (ill->ill_ipif_up_count == 0 &&
18534             ill->ill_ipif_dup_count == 0 && !was_dup);
18535 
18536         if (res_act == Res_act_initial && first_interface) {
18537                 /*
18538                  * Send ATTACH + BIND
18539                  */
18540                 err = arp_ll_up(ill);
18541                 if (err != EINPROGRESS && err != 0)
18542                         return (err);
18543 
18544                 /*
18545                  * Add NCE for local address. Start DAD.
18546                  * we'll wait to hear that DAD has finished
18547                  * before using the interface.
18548                  */
18549                 if (err == EINPROGRESS)
18550                         wait_for_dlpi = B_TRUE;
18551         }
18552 
18553         if (!wait_for_dlpi)
18554                 (void) ipif_arp_up_done_tail(ipif, res_act);
18555 
18556         return (!wait_for_dlpi ? 0 : EINPROGRESS);
18557 }
18558 
18559 /*
18560  * Finish processing of "arp_up" after all the DLPI message
18561  * exchanges have completed between arp and the driver.
18562  */
18563 void
18564 arp_bringup_done(ill_t *ill, int err)
18565 {
18566         mblk_t  *mp1;
18567         ipif_t  *ipif;
18568         conn_t *connp = NULL;
18569         ipsq_t  *ipsq;
18570         queue_t *q;
18571 
18572         ip1dbg(("arp_bringup_done(%s)\n", ill->ill_name));
18573 
18574         ASSERT(IAM_WRITER_ILL(ill));
18575 
18576         ipsq = ill->ill_phyint->phyint_ipsq;
18577         ipif = ipsq->ipsq_xop->ipx_pending_ipif;
18578         mp1 = ipsq_pending_mp_get(ipsq, &connp);
18579         ASSERT(!((mp1 != NULL) ^ (ipif != NULL)));
18580         if (mp1 == NULL) /* bringup was aborted by the user */
18581                 return;
18582 
18583         /*
18584          * If an IOCTL is waiting on this (ipsq_current_ioctl != 0), then we
18585          * must have an associated conn_t.  Otherwise, we're bringing this
18586          * interface back up as part of handling an asynchronous event (e.g.,
18587          * physical address change).
18588          */
18589         if (ipsq->ipsq_xop->ipx_current_ioctl != 0) {
18590                 ASSERT(connp != NULL);
18591                 q = CONNP_TO_WQ(connp);
18592         } else {
18593                 ASSERT(connp == NULL);
18594                 q = ill->ill_rq;
18595         }
18596         if (err == 0) {
18597                 if (ipif->ipif_isv6) {
18598                         if ((err = ipif_up_done_v6(ipif)) != 0)
18599                                 ip0dbg(("arp_bringup_done: init failed\n"));
18600                 } else {
18601                         err = ipif_arp_up_done_tail(ipif, Res_act_initial);
18602                         if (err != 0 ||
18603                             (err = ipif_up_done(ipif)) != 0) {
18604                                 ip0dbg(("arp_bringup_done: "
18605                                     "init failed err %x\n", err));
18606                                 (void) ipif_arp_down(ipif);
18607                         }
18608 
18609                 }
18610         } else {
18611                 ip0dbg(("arp_bringup_done: DL_BIND_REQ failed\n"));
18612         }
18613 
18614         if ((err == 0) && (ill->ill_up_ipifs)) {
18615                 err = ill_up_ipifs(ill, q, mp1);
18616                 if (err == EINPROGRESS)
18617                         return;
18618         }
18619 
18620         /*
18621          * If we have a moved ipif to bring up, and everything has succeeded
18622          * to this point, bring it up on the IPMP ill.  Otherwise, leave it
18623          * down -- the admin can try to bring it up by hand if need be.
18624          */
18625         if (ill->ill_move_ipif != NULL) {
18626                 ipif = ill->ill_move_ipif;
18627                 ip1dbg(("bringing up ipif %p on ill %s\n", (void *)ipif,
18628                     ipif->ipif_ill->ill_name));
18629                 ill->ill_move_ipif = NULL;
18630                 if (err == 0) {
18631                         err = ipif_up(ipif, q, mp1);
18632                         if (err == EINPROGRESS)
18633                                 return;
18634                 }
18635         }
18636 
18637         /*
18638          * The operation must complete without EINPROGRESS since
18639          * ipsq_pending_mp_get() has removed the mblk from ipsq_pending_mp.
18640          * Otherwise, the operation will be stuck forever in the ipsq.
18641          */
18642         ASSERT(err != EINPROGRESS);
18643         if (ipsq->ipsq_xop->ipx_current_ioctl != 0) {
18644                 DTRACE_PROBE4(ipif__ioctl, char *, "arp_bringup_done finish",
18645                     int, ipsq->ipsq_xop->ipx_current_ioctl,
18646                     ill_t *, ill, ipif_t *, ipif);
18647                 ip_ioctl_finish(q, mp1, err, NO_COPYOUT, ipsq);
18648         } else {
18649                 ipsq_current_finish(ipsq);
18650         }
18651 }
18652 
18653 /*
18654  * Finish processing of arp replumb after all the DLPI message
18655  * exchanges have completed between arp and the driver.
18656  */
18657 void
18658 arp_replumb_done(ill_t *ill, int err)
18659 {
18660         mblk_t  *mp1;
18661         ipif_t  *ipif;
18662         conn_t *connp = NULL;
18663         ipsq_t  *ipsq;
18664         queue_t *q;
18665 
18666         ASSERT(IAM_WRITER_ILL(ill));
18667 
18668         ipsq = ill->ill_phyint->phyint_ipsq;
18669         ipif = ipsq->ipsq_xop->ipx_pending_ipif;
18670         mp1 = ipsq_pending_mp_get(ipsq, &connp);
18671         ASSERT(!((mp1 != NULL) ^ (ipif != NULL)));
18672         if (mp1 == NULL) {
18673                 ip0dbg(("arp_replumb_done: bringup aborted ioctl %x\n",
18674                     ipsq->ipsq_xop->ipx_current_ioctl));
18675                 /* bringup was aborted by the user */
18676                 return;
18677         }
18678         /*
18679          * If an IOCTL is waiting on this (ipsq_current_ioctl != 0), then we
18680          * must have an associated conn_t.  Otherwise, we're bringing this
18681          * interface back up as part of handling an asynchronous event (e.g.,
18682          * physical address change).
18683          */
18684         if (ipsq->ipsq_xop->ipx_current_ioctl != 0) {
18685                 ASSERT(connp != NULL);
18686                 q = CONNP_TO_WQ(connp);
18687         } else {
18688                 ASSERT(connp == NULL);
18689                 q = ill->ill_rq;
18690         }
18691         if ((err == 0) && (ill->ill_up_ipifs)) {
18692                 err = ill_up_ipifs(ill, q, mp1);
18693                 if (err == EINPROGRESS)
18694                         return;
18695         }
18696         /*
18697          * The operation must complete without EINPROGRESS since
18698          * ipsq_pending_mp_get() has removed the mblk from ipsq_pending_mp.
18699          * Otherwise, the operation will be stuck forever in the ipsq.
18700          */
18701         ASSERT(err != EINPROGRESS);
18702         if (ipsq->ipsq_xop->ipx_current_ioctl != 0) {
18703                 DTRACE_PROBE4(ipif__ioctl, char *,
18704                     "arp_replumb_done finish",
18705                     int, ipsq->ipsq_xop->ipx_current_ioctl,
18706                     ill_t *, ill, ipif_t *, ipif);
18707                 ip_ioctl_finish(q, mp1, err, NO_COPYOUT, ipsq);
18708         } else {
18709                 ipsq_current_finish(ipsq);
18710         }
18711 }
18712 
18713 void
18714 ipif_up_notify(ipif_t *ipif)
18715 {
18716         ip_rts_ifmsg(ipif, RTSQ_DEFAULT);
18717         ip_rts_newaddrmsg(RTM_ADD, 0, ipif, RTSQ_DEFAULT);
18718         sctp_update_ipif(ipif, SCTP_IPIF_UP);
18719         ill_nic_event_dispatch(ipif->ipif_ill, MAP_IPIF_ID(ipif->ipif_id),
18720             NE_LIF_UP, NULL, 0);
18721 }
18722 
18723 /*
18724  * ILB ioctl uses cv_wait (such as deleting a rule or adding a server) and
18725  * this assumes the context is cv_wait'able.  Hence it shouldnt' be used on
18726  * TPI end points with STREAMS modules pushed above.  This is assured by not
18727  * having the IPI_MODOK flag for the ioctl.  And IP ensures the ILB ioctl
18728  * never ends up on an ipsq, otherwise we may end up processing the ioctl
18729  * while unwinding from the ispq and that could be a thread from the bottom.
18730  */
18731 /* ARGSUSED */
18732 int
18733 ip_sioctl_ilb_cmd(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
18734     ip_ioctl_cmd_t *ipip, void *arg)
18735 {
18736         mblk_t *cmd_mp = mp->b_cont->b_cont;
18737         ilb_cmd_t command = *((ilb_cmd_t *)cmd_mp->b_rptr);
18738         int ret = 0;
18739         int i;
18740         size_t size;
18741         ip_stack_t *ipst;
18742         zoneid_t zoneid;
18743         ilb_stack_t *ilbs;
18744 
18745         ipst = CONNQ_TO_IPST(q);
18746         ilbs = ipst->ips_netstack->netstack_ilb;
18747         zoneid = Q_TO_CONN(q)->conn_zoneid;
18748 
18749         switch (command) {
18750         case ILB_CREATE_RULE: {
18751                 ilb_rule_cmd_t *cmd = (ilb_rule_cmd_t *)cmd_mp->b_rptr;
18752 
18753                 if (MBLKL(cmd_mp) != sizeof (ilb_rule_cmd_t)) {
18754                         ret = EINVAL;
18755                         break;
18756                 }
18757 
18758                 ret = ilb_rule_add(ilbs, zoneid, cmd);
18759                 break;
18760         }
18761         case ILB_DESTROY_RULE:
18762         case ILB_ENABLE_RULE:
18763         case ILB_DISABLE_RULE: {
18764                 ilb_name_cmd_t *cmd = (ilb_name_cmd_t *)cmd_mp->b_rptr;
18765 
18766                 if (MBLKL(cmd_mp) != sizeof (ilb_name_cmd_t)) {
18767                         ret = EINVAL;
18768                         break;
18769                 }
18770 
18771                 if (cmd->flags & ILB_RULE_ALLRULES) {
18772                         if (command == ILB_DESTROY_RULE) {
18773                                 ilb_rule_del_all(ilbs, zoneid);
18774                                 break;
18775                         } else if (command == ILB_ENABLE_RULE) {
18776                                 ilb_rule_enable_all(ilbs, zoneid);
18777                                 break;
18778                         } else if (command == ILB_DISABLE_RULE) {
18779                                 ilb_rule_disable_all(ilbs, zoneid);
18780                                 break;
18781                         }
18782                 } else {
18783                         if (command == ILB_DESTROY_RULE) {
18784                                 ret = ilb_rule_del(ilbs, zoneid, cmd->name);
18785                         } else if (command == ILB_ENABLE_RULE) {
18786                                 ret = ilb_rule_enable(ilbs, zoneid, cmd->name,
18787                                     NULL);
18788                         } else if (command == ILB_DISABLE_RULE) {
18789                                 ret = ilb_rule_disable(ilbs, zoneid, cmd->name,
18790                                     NULL);
18791                         }
18792                 }
18793                 break;
18794         }
18795         case ILB_NUM_RULES: {
18796                 ilb_num_rules_cmd_t *cmd;
18797 
18798                 if (MBLKL(cmd_mp) != sizeof (ilb_num_rules_cmd_t)) {
18799                         ret = EINVAL;
18800                         break;
18801                 }
18802                 cmd = (ilb_num_rules_cmd_t *)cmd_mp->b_rptr;
18803                 ilb_get_num_rules(ilbs, zoneid, &(cmd->num));
18804                 break;
18805         }
18806         case ILB_RULE_NAMES: {
18807                 ilb_rule_names_cmd_t *cmd;
18808 
18809                 cmd = (ilb_rule_names_cmd_t *)cmd_mp->b_rptr;
18810                 if (MBLKL(cmd_mp) < sizeof (ilb_rule_names_cmd_t) ||
18811                     cmd->num_names == 0) {
18812                         ret = EINVAL;
18813                         break;
18814                 }
18815                 size = cmd->num_names * ILB_RULE_NAMESZ;
18816                 if (cmd_mp->b_rptr + offsetof(ilb_rule_names_cmd_t, buf) +
18817                     size != cmd_mp->b_wptr) {
18818                         ret = EINVAL;
18819                         break;
18820                 }
18821                 ilb_get_rulenames(ilbs, zoneid, &cmd->num_names, cmd->buf);
18822                 break;
18823         }
18824         case ILB_NUM_SERVERS: {
18825                 ilb_num_servers_cmd_t *cmd;
18826 
18827                 if (MBLKL(cmd_mp) != sizeof (ilb_num_servers_cmd_t)) {
18828                         ret = EINVAL;
18829                         break;
18830                 }
18831                 cmd = (ilb_num_servers_cmd_t *)cmd_mp->b_rptr;
18832                 ret = ilb_get_num_servers(ilbs, zoneid, cmd->name,
18833                     &(cmd->num));
18834                 break;
18835         }
18836         case ILB_LIST_RULE: {
18837                 ilb_rule_cmd_t *cmd = (ilb_rule_cmd_t *)cmd_mp->b_rptr;
18838 
18839                 if (MBLKL(cmd_mp) != sizeof (ilb_rule_cmd_t)) {
18840                         ret = EINVAL;
18841                         break;
18842                 }
18843                 ret = ilb_rule_list(ilbs, zoneid, cmd);
18844                 break;
18845         }
18846         case ILB_LIST_SERVERS: {
18847                 ilb_servers_info_cmd_t *cmd;
18848 
18849                 cmd = (ilb_servers_info_cmd_t *)cmd_mp->b_rptr;
18850                 if (MBLKL(cmd_mp) < sizeof (ilb_servers_info_cmd_t) ||
18851                     cmd->num_servers == 0) {
18852                         ret = EINVAL;
18853                         break;
18854                 }
18855                 size = cmd->num_servers * sizeof (ilb_server_info_t);
18856                 if (cmd_mp->b_rptr + offsetof(ilb_servers_info_cmd_t, servers) +
18857                     size != cmd_mp->b_wptr) {
18858                         ret = EINVAL;
18859                         break;
18860                 }
18861 
18862                 ret = ilb_get_servers(ilbs, zoneid, cmd->name, cmd->servers,
18863                     &cmd->num_servers);
18864                 break;
18865         }
18866         case ILB_ADD_SERVERS: {
18867                 ilb_servers_info_cmd_t *cmd;
18868                 ilb_rule_t *rule;
18869 
18870                 cmd = (ilb_servers_info_cmd_t *)cmd_mp->b_rptr;
18871                 if (MBLKL(cmd_mp) < sizeof (ilb_servers_info_cmd_t)) {
18872                         ret = EINVAL;
18873                         break;
18874                 }
18875                 size = cmd->num_servers * sizeof (ilb_server_info_t);
18876                 if (cmd_mp->b_rptr + offsetof(ilb_servers_info_cmd_t, servers) +
18877                     size != cmd_mp->b_wptr) {
18878                         ret = EINVAL;
18879                         break;
18880                 }
18881                 rule = ilb_find_rule(ilbs, zoneid, cmd->name, &ret);
18882                 if (rule == NULL) {
18883                         ASSERT(ret != 0);
18884                         break;
18885                 }
18886                 for (i = 0; i < cmd->num_servers; i++) {
18887                         ilb_server_info_t *s;
18888 
18889                         s = &cmd->servers[i];
18890                         s->err = ilb_server_add(ilbs, rule, s);
18891                 }
18892                 ILB_RULE_REFRELE(rule);
18893                 break;
18894         }
18895         case ILB_DEL_SERVERS:
18896         case ILB_ENABLE_SERVERS:
18897         case ILB_DISABLE_SERVERS: {
18898                 ilb_servers_cmd_t *cmd;
18899                 ilb_rule_t *rule;
18900                 int (*f)();
18901 
18902                 cmd = (ilb_servers_cmd_t *)cmd_mp->b_rptr;
18903                 if (MBLKL(cmd_mp) < sizeof (ilb_servers_cmd_t)) {
18904                         ret = EINVAL;
18905                         break;
18906                 }
18907                 size = cmd->num_servers * sizeof (ilb_server_arg_t);
18908                 if (cmd_mp->b_rptr + offsetof(ilb_servers_cmd_t, servers) +
18909                     size != cmd_mp->b_wptr) {
18910                         ret = EINVAL;
18911                         break;
18912                 }
18913 
18914                 if (command == ILB_DEL_SERVERS)
18915                         f = ilb_server_del;
18916                 else if (command == ILB_ENABLE_SERVERS)
18917                         f = ilb_server_enable;
18918                 else if (command == ILB_DISABLE_SERVERS)
18919                         f = ilb_server_disable;
18920 
18921                 rule = ilb_find_rule(ilbs, zoneid, cmd->name, &ret);
18922                 if (rule == NULL) {
18923                         ASSERT(ret != 0);
18924                         break;
18925                 }
18926 
18927                 for (i = 0; i < cmd->num_servers; i++) {
18928                         ilb_server_arg_t *s;
18929 
18930                         s = &cmd->servers[i];
18931                         s->err = f(ilbs, zoneid, NULL, rule, &s->addr);
18932                 }
18933                 ILB_RULE_REFRELE(rule);
18934                 break;
18935         }
18936         case ILB_LIST_NAT_TABLE: {
18937                 ilb_list_nat_cmd_t *cmd;
18938 
18939                 cmd = (ilb_list_nat_cmd_t *)cmd_mp->b_rptr;
18940                 if (MBLKL(cmd_mp) < sizeof (ilb_list_nat_cmd_t)) {
18941                         ret = EINVAL;
18942                         break;
18943                 }
18944                 size = cmd->num_nat * sizeof (ilb_nat_entry_t);
18945                 if (cmd_mp->b_rptr + offsetof(ilb_list_nat_cmd_t, entries) +
18946                     size != cmd_mp->b_wptr) {
18947                         ret = EINVAL;
18948                         break;
18949                 }
18950 
18951                 ret = ilb_list_nat(ilbs, zoneid, cmd->entries, &cmd->num_nat,
18952                     &cmd->flags);
18953                 break;
18954         }
18955         case ILB_LIST_STICKY_TABLE: {
18956                 ilb_list_sticky_cmd_t *cmd;
18957 
18958                 cmd = (ilb_list_sticky_cmd_t *)cmd_mp->b_rptr;
18959                 if (MBLKL(cmd_mp) < sizeof (ilb_list_sticky_cmd_t)) {
18960                         ret = EINVAL;
18961                         break;
18962                 }
18963                 size = cmd->num_sticky * sizeof (ilb_sticky_entry_t);
18964                 if (cmd_mp->b_rptr + offsetof(ilb_list_sticky_cmd_t, entries) +
18965                     size != cmd_mp->b_wptr) {
18966                         ret = EINVAL;
18967                         break;
18968                 }
18969 
18970                 ret = ilb_list_sticky(ilbs, zoneid, cmd->entries,
18971                     &cmd->num_sticky, &cmd->flags);
18972                 break;
18973         }
18974         default:
18975                 ret = EINVAL;
18976                 break;
18977         }
18978 done:
18979         return (ret);
18980 }
18981 
18982 /* Remove all cache entries for this logical interface */
18983 void
18984 ipif_nce_down(ipif_t *ipif)
18985 {
18986         ill_t *ill = ipif->ipif_ill;
18987         nce_t *nce;
18988 
18989         DTRACE_PROBE3(ipif__downup, char *, "ipif_nce_down",
18990             ill_t *, ill, ipif_t *, ipif);
18991         if (ipif->ipif_added_nce) {
18992                 if (ipif->ipif_isv6)
18993                         nce = nce_lookup_v6(ill, &ipif->ipif_v6lcl_addr);
18994                 else
18995                         nce = nce_lookup_v4(ill, &ipif->ipif_lcl_addr);
18996                 if (nce != NULL) {
18997                         if (--nce->nce_ipif_cnt == 0)
18998                                 ncec_delete(nce->nce_common);
18999                         ipif->ipif_added_nce = 0;
19000                         nce_refrele(nce);
19001                 } else {
19002                         /*
19003                          * nce may already be NULL because it was already
19004                          * flushed, e.g., due to a call to nce_flush
19005                          */
19006                         ipif->ipif_added_nce = 0;
19007                 }
19008         }
19009         /*
19010          * Make IPMP aware of the deleted data address.
19011          */
19012         if (IS_IPMP(ill))
19013                 ipmp_illgrp_del_ipif(ill->ill_grp, ipif);
19014 
19015         /*
19016          * Remove all other nces dependent on this ill when the last ipif
19017          * is going away.
19018          */
19019         if (ill->ill_ipif_up_count == 0) {
19020                 ncec_walk(ill, (pfi_t)ncec_delete_per_ill,
19021                     (uchar_t *)ill, ill->ill_ipst);
19022                 if (IS_UNDER_IPMP(ill))
19023                         nce_flush(ill, B_TRUE);
19024         }
19025 }
19026 
19027 /*
19028  * find the first interface that uses usill for its source address.
19029  */
19030 ill_t *
19031 ill_lookup_usesrc(ill_t *usill)
19032 {
19033         ip_stack_t *ipst = usill->ill_ipst;
19034         ill_t *ill;
19035 
19036         ASSERT(usill != NULL);
19037 
19038         /* ill_g_usesrc_lock protects ill_usesrc_grp_next */
19039         rw_enter(&ipst->ips_ill_g_usesrc_lock, RW_WRITER);
19040         rw_enter(&ipst->ips_ill_g_lock, RW_READER);
19041         for (ill = usill->ill_usesrc_grp_next; ill != NULL && ill != usill;
19042             ill = ill->ill_usesrc_grp_next) {
19043                 if (!IS_UNDER_IPMP(ill) && (ill->ill_flags & ILLF_MULTICAST) &&
19044                     !ILL_IS_CONDEMNED(ill)) {
19045                         ill_refhold(ill);
19046                         break;
19047                 }
19048         }
19049         rw_exit(&ipst->ips_ill_g_lock);
19050         rw_exit(&ipst->ips_ill_g_usesrc_lock);
19051         return (ill);
19052 }
19053 
19054 /*
19055  * This comment applies to both ip_sioctl_get_ifhwaddr and
19056  * ip_sioctl_get_lifhwaddr as the basic function of these two functions
19057  * is the same.
19058  *
19059  * The goal here is to find an IP interface that corresponds to the name
19060  * provided by the caller in the ifreq/lifreq structure held in the mblk_t
19061  * chain and to fill out a sockaddr/sockaddr_storage structure with the
19062  * mac address.
19063  *
19064  * The SIOCGIFHWADDR/SIOCGLIFHWADDR ioctl may return an error for a number
19065  * of different reasons:
19066  * ENXIO - the device name is not known to IP.
19067  * EADDRNOTAVAIL - the device has no hardware address. This is indicated
19068  * by ill_phys_addr not pointing to an actual address.
19069  * EPFNOSUPPORT - this will indicate that a request is being made for a
19070  * mac address that will not fit in the data structure supplier (struct
19071  * sockaddr).
19072  *
19073  */
19074 /* ARGSUSED */
19075 int
19076 ip_sioctl_get_ifhwaddr(ipif_t *ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
19077     ip_ioctl_cmd_t *ipip, void *if_req)
19078 {
19079         struct sockaddr *sock;
19080         struct ifreq *ifr;
19081         mblk_t *mp1;
19082         ill_t *ill;
19083 
19084         ASSERT(ipif != NULL);
19085         ill = ipif->ipif_ill;
19086 
19087         if (ill->ill_phys_addr == NULL) {
19088                 return (EADDRNOTAVAIL);
19089         }
19090         if (ill->ill_phys_addr_length > sizeof (sock->sa_data)) {
19091                 return (EPFNOSUPPORT);
19092         }
19093 
19094         ip1dbg(("ip_sioctl_get_hwaddr(%s)\n", ill->ill_name));
19095 
19096         /* Existence of mp1 has been checked in ip_wput_nondata */
19097         mp1 = mp->b_cont->b_cont;
19098         ifr = (struct ifreq *)mp1->b_rptr;
19099 
19100         sock = &ifr->ifr_addr;
19101         /*
19102          * The "family" field in the returned structure is set to a value
19103          * that represents the type of device to which the address belongs.
19104          * The value returned may differ to that on Linux but it will still
19105          * represent the correct symbol on Solaris.
19106          */
19107         sock->sa_family = arp_hw_type(ill->ill_mactype);
19108         bcopy(ill->ill_phys_addr, &sock->sa_data, ill->ill_phys_addr_length);
19109 
19110         return (0);
19111 }
19112 
19113 /*
19114  * The expection of applications using SIOCGIFHWADDR is that data will
19115  * be returned in the sa_data field of the sockaddr structure. With
19116  * SIOCGLIFHWADDR, we're breaking new ground as there is no Linux
19117  * equivalent. In light of this, struct sockaddr_dl is used as it
19118  * offers more space for address storage in sll_data.
19119  */
19120 /* ARGSUSED */
19121 int
19122 ip_sioctl_get_lifhwaddr(ipif_t *ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
19123     ip_ioctl_cmd_t *ipip, void *if_req)
19124 {
19125         struct sockaddr_dl *sock;
19126         struct lifreq *lifr;
19127         mblk_t *mp1;
19128         ill_t *ill;
19129 
19130         ASSERT(ipif != NULL);
19131         ill = ipif->ipif_ill;
19132 
19133         if (ill->ill_phys_addr == NULL) {
19134                 return (EADDRNOTAVAIL);
19135         }
19136         if (ill->ill_phys_addr_length > sizeof (sock->sdl_data)) {
19137                 return (EPFNOSUPPORT);
19138         }
19139 
19140         ip1dbg(("ip_sioctl_get_lifhwaddr(%s)\n", ill->ill_name));
19141 
19142         /* Existence of mp1 has been checked in ip_wput_nondata */
19143         mp1 = mp->b_cont->b_cont;
19144         lifr = (struct lifreq *)mp1->b_rptr;
19145 
19146         /*
19147          * sockaddr_ll is used here because it is also the structure used in
19148          * responding to the same ioctl in sockpfp. The only other choice is
19149          * sockaddr_dl which contains fields that are not required here
19150          * because its purpose is different.
19151          */
19152         lifr->lifr_type = ill->ill_type;
19153         sock = (struct sockaddr_dl *)&lifr->lifr_addr;
19154         sock->sdl_family = AF_LINK;
19155         sock->sdl_index = ill->ill_phyint->phyint_ifindex;
19156         sock->sdl_type = ill->ill_mactype;
19157         sock->sdl_nlen = 0;
19158         sock->sdl_slen = 0;
19159         sock->sdl_alen = ill->ill_phys_addr_length;
19160         bcopy(ill->ill_phys_addr, sock->sdl_data, ill->ill_phys_addr_length);
19161 
19162         return (0);
19163 }