1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright (c) 1991, 2010, Oracle and/or its affiliates. All rights reserved.
  23  * Copyright (c) 2013 by Delphix. All rights reserved.
  24  * Copyright 2014, OmniTI Computer Consulting, Inc. All rights reserved.
  25  * Copyright (c) 2018, Joyent, Inc.
  26  */
  27 /* Copyright (c) 1990 Mentat Inc. */
  28 
  29 #include <sys/types.h>
  30 #include <sys/stream.h>
  31 #include <sys/stropts.h>
  32 #include <sys/strlog.h>
  33 #include <sys/strsun.h>
  34 #define _SUN_TPI_VERSION 2
  35 #include <sys/tihdr.h>
  36 #include <sys/timod.h>
  37 #include <sys/ddi.h>
  38 #include <sys/sunddi.h>
  39 #include <sys/strsubr.h>
  40 #include <sys/suntpi.h>
  41 #include <sys/xti_inet.h>
  42 #include <sys/cmn_err.h>
  43 #include <sys/kmem.h>
  44 #include <sys/cred.h>
  45 #include <sys/policy.h>
  46 #include <sys/priv.h>
  47 #include <sys/ucred.h>
  48 #include <sys/zone.h>
  49 
  50 #include <sys/sockio.h>
  51 #include <sys/socket.h>
  52 #include <sys/socketvar.h>
  53 #include <sys/vtrace.h>
  54 #include <sys/sdt.h>
  55 #include <sys/debug.h>
  56 #include <sys/isa_defs.h>
  57 #include <sys/random.h>
  58 #include <netinet/in.h>
  59 #include <netinet/ip6.h>
  60 #include <netinet/icmp6.h>
  61 #include <netinet/udp.h>
  62 
  63 #include <inet/common.h>
  64 #include <inet/ip.h>
  65 #include <inet/ip_impl.h>
  66 #include <inet/ipsec_impl.h>
  67 #include <inet/ip6.h>
  68 #include <inet/ip_ire.h>
  69 #include <inet/ip_if.h>
  70 #include <inet/ip_multi.h>
  71 #include <inet/ip_ndp.h>
  72 #include <inet/proto_set.h>
  73 #include <inet/mib2.h>
  74 #include <inet/nd.h>
  75 #include <inet/optcom.h>
  76 #include <inet/snmpcom.h>
  77 #include <inet/kstatcom.h>
  78 #include <inet/ipclassifier.h>
  79 
  80 #include <sys/tsol/label.h>
  81 #include <sys/tsol/tnet.h>
  82 
  83 #include <inet/rawip_impl.h>
  84 
  85 #include <sys/disp.h>
  86 
  87 /*
  88  * Synchronization notes:
  89  *
  90  * RAWIP is MT and uses the usual kernel synchronization primitives. We use
  91  * conn_lock to protect the icmp_t.
  92  *
  93  * Plumbing notes:
  94  * ICMP is always a device driver. For compatibility with mibopen() code
  95  * it is possible to I_PUSH "icmp", but that results in pushing a passthrough
  96  * dummy module.
  97  */
  98 static void     icmp_addr_req(queue_t *q, mblk_t *mp);
  99 static void     icmp_tpi_bind(queue_t *q, mblk_t *mp);
 100 static void     icmp_bind_proto(icmp_t *icmp);
 101 static int      icmp_build_hdr_template(conn_t *, const in6_addr_t *,
 102     const in6_addr_t *, uint32_t);
 103 static void     icmp_capability_req(queue_t *q, mblk_t *mp);
 104 static int      icmp_close(queue_t *q, int flags, cred_t *);
 105 static void     icmp_close_free(conn_t *);
 106 static void     icmp_tpi_connect(queue_t *q, mblk_t *mp);
 107 static void     icmp_tpi_disconnect(queue_t *q, mblk_t *mp);
 108 static void     icmp_err_ack(queue_t *q, mblk_t *mp, t_scalar_t t_error,
 109     int sys_error);
 110 static void     icmp_err_ack_prim(queue_t *q, mblk_t *mp, t_scalar_t primitive,
 111     t_scalar_t tlierr, int sys_error);
 112 static void     icmp_icmp_input(void *arg1, mblk_t *mp, void *arg2,
 113     ip_recv_attr_t *);
 114 static void     icmp_icmp_error_ipv6(conn_t *connp, mblk_t *mp,
 115     ip_recv_attr_t *);
 116 static void     icmp_info_req(queue_t *q, mblk_t *mp);
 117 static void     icmp_input(void *, mblk_t *, void *, ip_recv_attr_t *);
 118 static conn_t   *icmp_open(int family, cred_t *credp, int *err, int flags);
 119 static int      icmp_openv4(queue_t *q, dev_t *devp, int flag, int sflag,
 120                     cred_t *credp);
 121 static int      icmp_openv6(queue_t *q, dev_t *devp, int flag, int sflag,
 122                     cred_t *credp);
 123 static boolean_t icmp_opt_allow_udr_set(t_scalar_t level, t_scalar_t name);
 124 int             icmp_opt_set(conn_t *connp, uint_t optset_context,
 125                     int level, int name, uint_t inlen,
 126                     uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp,
 127                     void *thisdg_attrs, cred_t *cr);
 128 int             icmp_opt_get(conn_t *connp, int level, int name,
 129                     uchar_t *ptr);
 130 static int      icmp_output_newdst(conn_t *connp, mblk_t *data_mp, sin_t *sin,
 131                     sin6_t *sin6, cred_t *cr, pid_t pid, ip_xmit_attr_t *ixa);
 132 static mblk_t   *icmp_prepend_hdr(conn_t *, ip_xmit_attr_t *, const ip_pkt_t *,
 133     const in6_addr_t *, const in6_addr_t *, uint32_t, mblk_t *, int *);
 134 static mblk_t   *icmp_prepend_header_template(conn_t *, ip_xmit_attr_t *,
 135     mblk_t *, const in6_addr_t *, uint32_t, int *);
 136 static int      icmp_snmp_set(queue_t *q, t_scalar_t level, t_scalar_t name,
 137                     uchar_t *ptr, int len);
 138 static void     icmp_ud_err(queue_t *q, mblk_t *mp, t_scalar_t err);
 139 static void     icmp_tpi_unbind(queue_t *q, mblk_t *mp);
 140 static int      icmp_wput(queue_t *q, mblk_t *mp);
 141 static int      icmp_wput_fallback(queue_t *q, mblk_t *mp);
 142 static void     icmp_wput_other(queue_t *q, mblk_t *mp);
 143 static void     icmp_wput_iocdata(queue_t *q, mblk_t *mp);
 144 static void     icmp_wput_restricted(queue_t *q, mblk_t *mp);
 145 static void     icmp_ulp_recv(conn_t *, mblk_t *, uint_t);
 146 
 147 static void     *rawip_stack_init(netstackid_t stackid, netstack_t *ns);
 148 static void     rawip_stack_fini(netstackid_t stackid, void *arg);
 149 
 150 static void     *rawip_kstat_init(netstackid_t stackid);
 151 static void     rawip_kstat_fini(netstackid_t stackid, kstat_t *ksp);
 152 static int      rawip_kstat_update(kstat_t *kp, int rw);
 153 static void     rawip_stack_shutdown(netstackid_t stackid, void *arg);
 154 
 155 /* Common routines for TPI and socket module */
 156 static conn_t   *rawip_do_open(int, cred_t *, int *, int);
 157 static void     rawip_do_close(conn_t *);
 158 static int      rawip_do_bind(conn_t *, struct sockaddr *, socklen_t);
 159 static int      rawip_do_unbind(conn_t *);
 160 static int      rawip_do_connect(conn_t *, const struct sockaddr *, socklen_t,
 161     cred_t *, pid_t);
 162 
 163 int             rawip_getsockname(sock_lower_handle_t, struct sockaddr *,
 164                     socklen_t *, cred_t *);
 165 int             rawip_getpeername(sock_lower_handle_t, struct sockaddr *,
 166                     socklen_t *, cred_t *);
 167 
 168 static struct module_info icmp_mod_info =  {
 169         5707, "icmp", 1, INFPSZ, 512, 128
 170 };
 171 
 172 /*
 173  * Entry points for ICMP as a device.
 174  * We have separate open functions for the /dev/icmp and /dev/icmp6 devices.
 175  */
 176 static struct qinit icmprinitv4 = {
 177         NULL, NULL, icmp_openv4, icmp_close, NULL, &icmp_mod_info
 178 };
 179 
 180 static struct qinit icmprinitv6 = {
 181         NULL, NULL, icmp_openv6, icmp_close, NULL, &icmp_mod_info
 182 };
 183 
 184 static struct qinit icmpwinit = {
 185         icmp_wput, ip_wsrv, NULL, NULL, NULL, &icmp_mod_info
 186 };
 187 
 188 /* ICMP entry point during fallback */
 189 static struct qinit icmp_fallback_sock_winit = {
 190         icmp_wput_fallback, NULL, NULL, NULL, NULL, &icmp_mod_info
 191 };
 192 
 193 /* For AF_INET aka /dev/icmp */
 194 struct streamtab icmpinfov4 = {
 195         &icmprinitv4, &icmpwinit
 196 };
 197 
 198 /* For AF_INET6 aka /dev/icmp6 */
 199 struct streamtab icmpinfov6 = {
 200         &icmprinitv6, &icmpwinit
 201 };
 202 
 203 /* Default structure copied into T_INFO_ACK messages */
 204 static struct T_info_ack icmp_g_t_info_ack = {
 205         T_INFO_ACK,
 206         IP_MAXPACKET,    /* TSDU_size.  icmp allows maximum size messages. */
 207         T_INVALID,      /* ETSDU_size.  icmp does not support expedited data. */
 208         T_INVALID,      /* CDATA_size. icmp does not support connect data. */
 209         T_INVALID,      /* DDATA_size. icmp does not support disconnect data. */
 210         0,              /* ADDR_size - filled in later. */
 211         0,              /* OPT_size - not initialized here */
 212         IP_MAXPACKET,   /* TIDU_size.  icmp allows maximum size messages. */
 213         T_CLTS,         /* SERV_type.  icmp supports connection-less. */
 214         TS_UNBND,       /* CURRENT_state.  This is set from icmp_state. */
 215         (XPG4_1|SENDZERO) /* PROVIDER_flag */
 216 };
 217 
 218 static int
 219 icmp_set_buf_prop(netstack_t *stack, cred_t *cr, mod_prop_info_t *pinfo,
 220     const char *ifname, const void *pval, uint_t flags)
 221 {
 222         return (mod_set_buf_prop(stack->netstack_icmp->is_propinfo_tbl,
 223             stack, cr, pinfo, ifname, pval, flags));
 224 }
 225 
 226 static int
 227 icmp_get_buf_prop(netstack_t *stack, mod_prop_info_t *pinfo, const char *ifname,
 228     void *val, uint_t psize, uint_t flags)
 229 {
 230         return (mod_get_buf_prop(stack->netstack_icmp->is_propinfo_tbl, stack,
 231             pinfo, ifname, val, psize, flags));
 232 }
 233 
 234 /*
 235  * All of these are alterable, within the min/max values given, at run time.
 236  *
 237  * Note: All those tunables which do not start with "icmp_" are Committed and
 238  * therefore are public. See PSARC 2010/080.
 239  */
 240 static mod_prop_info_t icmp_propinfo_tbl[] = {
 241         /* tunable - 0 */
 242         { "_wroff_extra", MOD_PROTO_RAWIP,
 243             mod_set_uint32, mod_get_uint32,
 244             {0, 128, 32}, {32} },
 245 
 246         { "_ipv4_ttl", MOD_PROTO_RAWIP,
 247             mod_set_uint32, mod_get_uint32,
 248             {1, 255, 255}, {255} },
 249 
 250         { "_ipv6_hoplimit", MOD_PROTO_RAWIP,
 251             mod_set_uint32, mod_get_uint32,
 252             {0, IPV6_MAX_HOPS, IPV6_DEFAULT_HOPS},
 253             {IPV6_DEFAULT_HOPS} },
 254 
 255         { "_bsd_compat", MOD_PROTO_RAWIP,
 256             mod_set_boolean, mod_get_boolean,
 257             {B_TRUE}, {B_TRUE} },
 258 
 259         { "send_buf", MOD_PROTO_RAWIP,
 260             icmp_set_buf_prop, icmp_get_buf_prop,
 261             {4096, 65536, 8192}, {8192} },
 262 
 263         { "_xmit_lowat", MOD_PROTO_RAWIP,
 264             mod_set_uint32, mod_get_uint32,
 265             {0, 65536, 1024}, {1024} },
 266 
 267         { "recv_buf", MOD_PROTO_RAWIP,
 268             icmp_set_buf_prop, icmp_get_buf_prop,
 269             {4096, 65536, 8192}, {8192} },
 270 
 271         { "max_buf", MOD_PROTO_RAWIP,
 272             mod_set_uint32, mod_get_uint32,
 273             {65536, ULP_MAX_BUF, 256*1024}, {256*1024} },
 274 
 275         { "_pmtu_discovery", MOD_PROTO_RAWIP,
 276             mod_set_boolean, mod_get_boolean,
 277             {B_FALSE}, {B_FALSE} },
 278 
 279         { "_sendto_ignerr", MOD_PROTO_RAWIP,
 280             mod_set_boolean, mod_get_boolean,
 281             {B_FALSE}, {B_FALSE} },
 282 
 283         { "?", MOD_PROTO_RAWIP, NULL, mod_get_allprop, {0}, {0} },
 284 
 285         { NULL, 0, NULL, NULL, {0}, {0} }
 286 };
 287 
 288 #define is_wroff_extra                  is_propinfo_tbl[0].prop_cur_uval
 289 #define is_ipv4_ttl                     is_propinfo_tbl[1].prop_cur_uval
 290 #define is_ipv6_hoplimit                is_propinfo_tbl[2].prop_cur_uval
 291 #define is_bsd_compat                   is_propinfo_tbl[3].prop_cur_bval
 292 #define is_xmit_hiwat                   is_propinfo_tbl[4].prop_cur_uval
 293 #define is_xmit_lowat                   is_propinfo_tbl[5].prop_cur_uval
 294 #define is_recv_hiwat                   is_propinfo_tbl[6].prop_cur_uval
 295 #define is_max_buf                      is_propinfo_tbl[7].prop_cur_uval
 296 #define is_pmtu_discovery               is_propinfo_tbl[8].prop_cur_bval
 297 #define is_sendto_ignerr                is_propinfo_tbl[9].prop_cur_bval
 298 
 299 typedef union T_primitives *t_primp_t;
 300 
 301 /*
 302  * This routine is called to handle each O_T_BIND_REQ/T_BIND_REQ message
 303  * passed to icmp_wput.
 304  * It calls IP to verify the local IP address, and calls IP to insert
 305  * the conn_t in the fanout table.
 306  * If everything is ok it then sends the T_BIND_ACK back up.
 307  */
 308 static void
 309 icmp_tpi_bind(queue_t *q, mblk_t *mp)
 310 {
 311         int     error;
 312         struct sockaddr *sa;
 313         struct T_bind_req *tbr;
 314         socklen_t       len;
 315         sin_t   *sin;
 316         sin6_t  *sin6;
 317         icmp_t          *icmp;
 318         conn_t  *connp = Q_TO_CONN(q);
 319         mblk_t *mp1;
 320         cred_t *cr;
 321 
 322         /*
 323          * All Solaris components should pass a db_credp
 324          * for this TPI message, hence we ASSERT.
 325          * But in case there is some other M_PROTO that looks
 326          * like a TPI message sent by some other kernel
 327          * component, we check and return an error.
 328          */
 329         cr = msg_getcred(mp, NULL);
 330         ASSERT(cr != NULL);
 331         if (cr == NULL) {
 332                 icmp_err_ack(q, mp, TSYSERR, EINVAL);
 333                 return;
 334         }
 335 
 336         icmp = connp->conn_icmp;
 337         if ((mp->b_wptr - mp->b_rptr) < sizeof (*tbr)) {
 338                 (void) mi_strlog(q, 1, SL_ERROR|SL_TRACE,
 339                     "icmp_bind: bad req, len %u",
 340                     (uint_t)(mp->b_wptr - mp->b_rptr));
 341                 icmp_err_ack(q, mp, TPROTO, 0);
 342                 return;
 343         }
 344 
 345         if (icmp->icmp_state != TS_UNBND) {
 346                 (void) mi_strlog(q, 1, SL_ERROR|SL_TRACE,
 347                     "icmp_bind: bad state, %u", icmp->icmp_state);
 348                 icmp_err_ack(q, mp, TOUTSTATE, 0);
 349                 return;
 350         }
 351 
 352         /*
 353          * Reallocate the message to make sure we have enough room for an
 354          * address.
 355          */
 356         mp1 = reallocb(mp, sizeof (struct T_bind_ack) + sizeof (sin6_t), 1);
 357         if (mp1 == NULL) {
 358                 icmp_err_ack(q, mp, TSYSERR, ENOMEM);
 359                 return;
 360         }
 361         mp = mp1;
 362 
 363         /* Reset the message type in preparation for shipping it back. */
 364         DB_TYPE(mp) = M_PCPROTO;
 365         tbr = (struct T_bind_req *)mp->b_rptr;
 366         len = tbr->ADDR_length;
 367         switch (len) {
 368         case 0: /* request for a generic port */
 369                 tbr->ADDR_offset = sizeof (struct T_bind_req);
 370                 if (connp->conn_family == AF_INET) {
 371                         tbr->ADDR_length = sizeof (sin_t);
 372                         sin = (sin_t *)&tbr[1];
 373                         *sin = sin_null;
 374                         sin->sin_family = AF_INET;
 375                         mp->b_wptr = (uchar_t *)&sin[1];
 376                         sa = (struct sockaddr *)sin;
 377                         len = sizeof (sin_t);
 378                 } else {
 379                         ASSERT(connp->conn_family == AF_INET6);
 380                         tbr->ADDR_length = sizeof (sin6_t);
 381                         sin6 = (sin6_t *)&tbr[1];
 382                         *sin6 = sin6_null;
 383                         sin6->sin6_family = AF_INET6;
 384                         mp->b_wptr = (uchar_t *)&sin6[1];
 385                         sa = (struct sockaddr *)sin6;
 386                         len = sizeof (sin6_t);
 387                 }
 388                 break;
 389 
 390         case sizeof (sin_t):    /* Complete IPv4 address */
 391                 sa = (struct sockaddr *)mi_offset_param(mp, tbr->ADDR_offset,
 392                     sizeof (sin_t));
 393                 break;
 394 
 395         case sizeof (sin6_t):   /* Complete IPv6 address */
 396                 sa = (struct sockaddr *)mi_offset_param(mp,
 397                     tbr->ADDR_offset, sizeof (sin6_t));
 398                 break;
 399 
 400         default:
 401                 (void) mi_strlog(q, 1, SL_ERROR|SL_TRACE,
 402                     "icmp_bind: bad ADDR_length %u", tbr->ADDR_length);
 403                 icmp_err_ack(q, mp, TBADADDR, 0);
 404                 return;
 405         }
 406 
 407         error = rawip_do_bind(connp, sa, len);
 408         if (error != 0) {
 409                 if (error > 0) {
 410                         icmp_err_ack(q, mp, TSYSERR, error);
 411                 } else {
 412                         icmp_err_ack(q, mp, -error, 0);
 413                 }
 414         } else {
 415                 tbr->PRIM_type = T_BIND_ACK;
 416                 qreply(q, mp);
 417         }
 418 }
 419 
 420 static int
 421 rawip_do_bind(conn_t *connp, struct sockaddr *sa, socklen_t len)
 422 {
 423         sin_t           *sin;
 424         sin6_t          *sin6;
 425         icmp_t          *icmp = connp->conn_icmp;
 426         int             error = 0;
 427         ip_laddr_t      laddr_type = IPVL_UNICAST_UP;   /* INADDR_ANY */
 428         in_port_t       lport;          /* Network byte order */
 429         ipaddr_t        v4src;          /* Set if AF_INET */
 430         in6_addr_t      v6src;
 431         uint_t          scopeid = 0;
 432         zoneid_t        zoneid = IPCL_ZONEID(connp);
 433         ip_stack_t      *ipst = connp->conn_netstack->netstack_ip;
 434 
 435         if (sa == NULL || !OK_32PTR((char *)sa)) {
 436                 return (EINVAL);
 437         }
 438 
 439         switch (len) {
 440         case sizeof (sin_t):    /* Complete IPv4 address */
 441                 sin = (sin_t *)sa;
 442                 if (sin->sin_family != AF_INET ||
 443                     connp->conn_family != AF_INET) {
 444                         /* TSYSERR, EAFNOSUPPORT */
 445                         return (EAFNOSUPPORT);
 446                 }
 447                 v4src = sin->sin_addr.s_addr;
 448                 IN6_IPADDR_TO_V4MAPPED(v4src, &v6src);
 449                 if (v4src != INADDR_ANY) {
 450                         laddr_type = ip_laddr_verify_v4(v4src, zoneid, ipst,
 451                             B_TRUE);
 452                 }
 453                 lport = sin->sin_port;
 454                 break;
 455         case sizeof (sin6_t): /* Complete IPv6 address */
 456                 sin6 = (sin6_t *)sa;
 457                 if (sin6->sin6_family != AF_INET6 ||
 458                     connp->conn_family != AF_INET6) {
 459                         /* TSYSERR, EAFNOSUPPORT */
 460                         return (EAFNOSUPPORT);
 461                 }
 462                 /* No support for mapped addresses on raw sockets */
 463                 if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
 464                         /* TSYSERR, EADDRNOTAVAIL */
 465                         return (EADDRNOTAVAIL);
 466                 }
 467                 v6src = sin6->sin6_addr;
 468                 if (!IN6_IS_ADDR_UNSPECIFIED(&v6src)) {
 469                         if (IN6_IS_ADDR_LINKSCOPE(&v6src))
 470                                 scopeid = sin6->sin6_scope_id;
 471                         laddr_type = ip_laddr_verify_v6(&v6src, zoneid, ipst,
 472                             B_TRUE, scopeid);
 473                 }
 474                 lport = sin6->sin6_port;
 475                 break;
 476 
 477         default:
 478                 /* TBADADDR */
 479                 return (EADDRNOTAVAIL);
 480         }
 481 
 482         /* Is the local address a valid unicast, multicast, or broadcast? */
 483         if (laddr_type == IPVL_BAD)
 484                 return (EADDRNOTAVAIL);
 485 
 486         /*
 487          * The state must be TS_UNBND.
 488          */
 489         mutex_enter(&connp->conn_lock);
 490         if (icmp->icmp_state != TS_UNBND) {
 491                 mutex_exit(&connp->conn_lock);
 492                 return (-TOUTSTATE);
 493         }
 494 
 495         /*
 496          * Copy the source address into our icmp structure.  This address
 497          * may still be zero; if so, ip will fill in the correct address
 498          * each time an outbound packet is passed to it.
 499          * If we are binding to a broadcast or multicast address then
 500          * we just set the conn_bound_addr since we don't want to use
 501          * that as the source address when sending.
 502          */
 503         connp->conn_bound_addr_v6 = v6src;
 504         connp->conn_laddr_v6 = v6src;
 505         if (scopeid != 0) {
 506                 connp->conn_ixa->ixa_flags |= IXAF_SCOPEID_SET;
 507                 connp->conn_ixa->ixa_scopeid = scopeid;
 508                 connp->conn_incoming_ifindex = scopeid;
 509         } else {
 510                 connp->conn_ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
 511                 connp->conn_incoming_ifindex = connp->conn_bound_if;
 512         }
 513 
 514         switch (laddr_type) {
 515         case IPVL_UNICAST_UP:
 516         case IPVL_UNICAST_DOWN:
 517                 connp->conn_saddr_v6 = v6src;
 518                 connp->conn_mcbc_bind = B_FALSE;
 519                 break;
 520         case IPVL_MCAST:
 521         case IPVL_BCAST:
 522                 /* ip_set_destination will pick a source address later */
 523                 connp->conn_saddr_v6 = ipv6_all_zeros;
 524                 connp->conn_mcbc_bind = B_TRUE;
 525                 break;
 526         }
 527 
 528         /* Any errors after this point should use late_error */
 529 
 530         /*
 531          * Use sin_port/sin6_port since applications like psh use SOCK_RAW
 532          * with IPPROTO_TCP.
 533          */
 534         connp->conn_lport = lport;
 535         connp->conn_fport = 0;
 536 
 537         if (connp->conn_family == AF_INET) {
 538                 ASSERT(connp->conn_ipversion == IPV4_VERSION);
 539         } else {
 540                 ASSERT(connp->conn_ipversion == IPV6_VERSION);
 541         }
 542 
 543         icmp->icmp_state = TS_IDLE;
 544 
 545         /*
 546          * We create an initial header template here to make a subsequent
 547          * sendto have a starting point. Since conn_last_dst is zero the
 548          * first sendto will always follow the 'dst changed' code path.
 549          * Note that we defer massaging options and the related checksum
 550          * adjustment until we have a destination address.
 551          */
 552         error = icmp_build_hdr_template(connp, &connp->conn_saddr_v6,
 553             &connp->conn_faddr_v6, connp->conn_flowinfo);
 554         if (error != 0) {
 555                 mutex_exit(&connp->conn_lock);
 556                 goto late_error;
 557         }
 558         /* Just in case */
 559         connp->conn_faddr_v6 = ipv6_all_zeros;
 560         connp->conn_v6lastdst = ipv6_all_zeros;
 561         mutex_exit(&connp->conn_lock);
 562 
 563         error = ip_laddr_fanout_insert(connp);
 564         if (error != 0)
 565                 goto late_error;
 566 
 567         /* Bind succeeded */
 568         return (0);
 569 
 570 late_error:
 571         mutex_enter(&connp->conn_lock);
 572         connp->conn_saddr_v6 = ipv6_all_zeros;
 573         connp->conn_bound_addr_v6 = ipv6_all_zeros;
 574         connp->conn_laddr_v6 = ipv6_all_zeros;
 575         if (scopeid != 0) {
 576                 connp->conn_ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
 577                 connp->conn_incoming_ifindex = connp->conn_bound_if;
 578         }
 579         icmp->icmp_state = TS_UNBND;
 580         connp->conn_v6lastdst = ipv6_all_zeros;
 581         connp->conn_lport = 0;
 582 
 583         /* Restore the header that was built above - different source address */
 584         (void) icmp_build_hdr_template(connp, &connp->conn_saddr_v6,
 585             &connp->conn_faddr_v6, connp->conn_flowinfo);
 586         mutex_exit(&connp->conn_lock);
 587         return (error);
 588 }
 589 
 590 /*
 591  * Tell IP to just bind to the protocol.
 592  */
 593 static void
 594 icmp_bind_proto(icmp_t *icmp)
 595 {
 596         conn_t  *connp = icmp->icmp_connp;
 597 
 598         mutex_enter(&connp->conn_lock);
 599         connp->conn_saddr_v6 = ipv6_all_zeros;
 600         connp->conn_laddr_v6 = ipv6_all_zeros;
 601         connp->conn_faddr_v6 = ipv6_all_zeros;
 602         connp->conn_v6lastdst = ipv6_all_zeros;
 603         mutex_exit(&connp->conn_lock);
 604 
 605         (void) ip_laddr_fanout_insert(connp);
 606 }
 607 
 608 /*
 609  * This routine handles each T_CONN_REQ message passed to icmp.  It
 610  * associates a default destination address with the stream.
 611  *
 612  * After various error checks are completed, icmp_connect() lays
 613  * the target address and port into the composite header template.
 614  * Then we ask IP for information, including a source address if we didn't
 615  * already have one. Finally we send up the T_OK_ACK reply message.
 616  */
 617 static void
 618 icmp_tpi_connect(queue_t *q, mblk_t *mp)
 619 {
 620         conn_t  *connp = Q_TO_CONN(q);
 621         struct T_conn_req       *tcr;
 622         struct sockaddr *sa;
 623         socklen_t len;
 624         int error;
 625         cred_t *cr;
 626         pid_t pid;
 627         /*
 628          * All Solaris components should pass a db_credp
 629          * for this TPI message, hence we ASSERT.
 630          * But in case there is some other M_PROTO that looks
 631          * like a TPI message sent by some other kernel
 632          * component, we check and return an error.
 633          */
 634         cr = msg_getcred(mp, &pid);
 635         ASSERT(cr != NULL);
 636         if (cr == NULL) {
 637                 icmp_err_ack(q, mp, TSYSERR, EINVAL);
 638                 return;
 639         }
 640 
 641         tcr = (struct T_conn_req *)mp->b_rptr;
 642         /* Sanity checks */
 643         if ((mp->b_wptr - mp->b_rptr) < sizeof (struct T_conn_req)) {
 644                 icmp_err_ack(q, mp, TPROTO, 0);
 645                 return;
 646         }
 647 
 648         if (tcr->OPT_length != 0) {
 649                 icmp_err_ack(q, mp, TBADOPT, 0);
 650                 return;
 651         }
 652 
 653         len = tcr->DEST_length;
 654 
 655         switch (len) {
 656         default:
 657                 icmp_err_ack(q, mp, TBADADDR, 0);
 658                 return;
 659         case sizeof (sin_t):
 660                 sa = (struct sockaddr *)mi_offset_param(mp, tcr->DEST_offset,
 661                     sizeof (sin_t));
 662                 break;
 663         case sizeof (sin6_t):
 664                 sa = (struct sockaddr *)mi_offset_param(mp,
 665                     tcr->DEST_offset, sizeof (sin6_t));
 666                 break;
 667         }
 668 
 669         error = proto_verify_ip_addr(connp->conn_family, sa, len);
 670         if (error != 0) {
 671                 icmp_err_ack(q, mp, TSYSERR, error);
 672                 return;
 673         }
 674 
 675         error = rawip_do_connect(connp, sa, len, cr, pid);
 676         if (error != 0) {
 677                 if (error < 0) {
 678                         icmp_err_ack(q, mp, -error, 0);
 679                 } else {
 680                         icmp_err_ack(q, mp, 0, error);
 681                 }
 682         } else {
 683                 mblk_t *mp1;
 684 
 685                 /*
 686                  * We have to send a connection confirmation to
 687                  * keep TLI happy.
 688                  */
 689                 if (connp->conn_family == AF_INET) {
 690                         mp1 = mi_tpi_conn_con(NULL, (char *)sa,
 691                             sizeof (sin_t), NULL, 0);
 692                 } else {
 693                         ASSERT(connp->conn_family == AF_INET6);
 694                         mp1 = mi_tpi_conn_con(NULL, (char *)sa,
 695                             sizeof (sin6_t), NULL, 0);
 696                 }
 697                 if (mp1 == NULL) {
 698                         icmp_err_ack(q, mp, TSYSERR, ENOMEM);
 699                         return;
 700                 }
 701 
 702                 /*
 703                  * Send ok_ack for T_CONN_REQ
 704                  */
 705                 mp = mi_tpi_ok_ack_alloc(mp);
 706                 if (mp == NULL) {
 707                         /* Unable to reuse the T_CONN_REQ for the ack. */
 708                         icmp_err_ack_prim(q, mp1, T_CONN_REQ, TSYSERR, ENOMEM);
 709                         return;
 710                 }
 711                 putnext(connp->conn_rq, mp);
 712                 putnext(connp->conn_rq, mp1);
 713         }
 714 }
 715 
 716 static int
 717 rawip_do_connect(conn_t *connp, const struct sockaddr *sa, socklen_t len,
 718     cred_t *cr, pid_t pid)
 719 {
 720         icmp_t          *icmp;
 721         sin_t           *sin;
 722         sin6_t          *sin6;
 723         int             error;
 724         uint16_t        dstport;
 725         ipaddr_t        v4dst;
 726         in6_addr_t      v6dst;
 727         uint32_t        flowinfo;
 728         ip_xmit_attr_t  *ixa;
 729         ip_xmit_attr_t  *oldixa;
 730         uint_t          scopeid = 0;
 731         uint_t          srcid = 0;
 732         in6_addr_t      v6src = connp->conn_saddr_v6;
 733 
 734         icmp = connp->conn_icmp;
 735 
 736         if (sa == NULL || !OK_32PTR((char *)sa)) {
 737                 return (EINVAL);
 738         }
 739 
 740         ASSERT(sa != NULL && len != 0);
 741 
 742         /*
 743          * Determine packet type based on type of address passed in
 744          * the request should contain an IPv4 or IPv6 address.
 745          * Make sure that address family matches the type of
 746          * family of the address passed down.
 747          */
 748         switch (len) {
 749         case sizeof (sin_t):
 750                 sin = (sin_t *)sa;
 751 
 752                 v4dst = sin->sin_addr.s_addr;
 753                 dstport = sin->sin_port;
 754                 IN6_IPADDR_TO_V4MAPPED(v4dst, &v6dst);
 755                 ASSERT(connp->conn_ipversion == IPV4_VERSION);
 756                 break;
 757 
 758         case sizeof (sin6_t):
 759                 sin6 = (sin6_t *)sa;
 760 
 761                 /* No support for mapped addresses on raw sockets */
 762                 if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
 763                         return (EADDRNOTAVAIL);
 764                 }
 765                 v6dst = sin6->sin6_addr;
 766                 dstport = sin6->sin6_port;
 767                 ASSERT(connp->conn_ipversion == IPV6_VERSION);
 768                 flowinfo = sin6->sin6_flowinfo;
 769                 if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
 770                         scopeid = sin6->sin6_scope_id;
 771                 srcid = sin6->__sin6_src_id;
 772                 if (srcid != 0 && IN6_IS_ADDR_UNSPECIFIED(&v6src)) {
 773                         /* Due to check above, we know sin6_addr is v6-only. */
 774                         if (!ip_srcid_find_id(srcid, &v6src, IPCL_ZONEID(connp),
 775                             B_FALSE, connp->conn_netstack)) {
 776                                 /* Mismatch - v6src would be v4mapped. */
 777                                 return (EADDRNOTAVAIL);
 778                         }
 779                 }
 780                 break;
 781         }
 782 
 783         /*
 784          * If there is a different thread using conn_ixa then we get a new
 785          * copy and cut the old one loose from conn_ixa. Otherwise we use
 786          * conn_ixa and prevent any other thread from using/changing it.
 787          * Once connect() is done other threads can use conn_ixa since the
 788          * refcnt will be back at one.
 789          * We defer updating conn_ixa until later to handle any concurrent
 790          * conn_ixa_cleanup thread.
 791          */
 792         ixa = conn_get_ixa(connp, B_FALSE);
 793         if (ixa == NULL)
 794                 return (ENOMEM);
 795 
 796         mutex_enter(&connp->conn_lock);
 797         /*
 798          * This icmp_t must have bound already before doing a connect.
 799          * Reject if a connect is in progress (we drop conn_lock during
 800          * rawip_do_connect).
 801          */
 802         if (icmp->icmp_state == TS_UNBND || icmp->icmp_state == TS_WCON_CREQ) {
 803                 mutex_exit(&connp->conn_lock);
 804                 ixa_refrele(ixa);
 805                 return (-TOUTSTATE);
 806         }
 807 
 808         if (icmp->icmp_state == TS_DATA_XFER) {
 809                 /* Already connected - clear out state */
 810                 if (connp->conn_mcbc_bind)
 811                         connp->conn_saddr_v6 = ipv6_all_zeros;
 812                 else
 813                         connp->conn_saddr_v6 = connp->conn_bound_addr_v6;
 814                 connp->conn_laddr_v6 = connp->conn_bound_addr_v6;
 815                 connp->conn_faddr_v6 = ipv6_all_zeros;
 816                 icmp->icmp_state = TS_IDLE;
 817         }
 818 
 819         /*
 820          * Use sin_port/sin6_port since applications like psh use SOCK_RAW
 821          * with IPPROTO_TCP.
 822          */
 823         connp->conn_fport = dstport;
 824         if (connp->conn_ipversion == IPV4_VERSION) {
 825                 /*
 826                  * Interpret a zero destination to mean loopback.
 827                  * Update the T_CONN_REQ (sin/sin6) since it is used to
 828                  * generate the T_CONN_CON.
 829                  */
 830                 if (v4dst == INADDR_ANY) {
 831                         v4dst = htonl(INADDR_LOOPBACK);
 832                         IN6_IPADDR_TO_V4MAPPED(v4dst, &v6dst);
 833                         ASSERT(connp->conn_family == AF_INET);
 834                         sin->sin_addr.s_addr = v4dst;
 835                 }
 836                 connp->conn_faddr_v6 = v6dst;
 837                 connp->conn_flowinfo = 0;
 838         } else {
 839                 ASSERT(connp->conn_ipversion == IPV6_VERSION);
 840                 /*
 841                  * Interpret a zero destination to mean loopback.
 842                  * Update the T_CONN_REQ (sin/sin6) since it is used to
 843                  * generate the T_CONN_CON.
 844                  */
 845                 if (IN6_IS_ADDR_UNSPECIFIED(&v6dst)) {
 846                         v6dst = ipv6_loopback;
 847                         sin6->sin6_addr = v6dst;
 848                 }
 849                 connp->conn_faddr_v6 = v6dst;
 850                 connp->conn_flowinfo = flowinfo;
 851         }
 852 
 853         /*
 854          * We update our cred/cpid based on the caller of connect
 855          */
 856         if (connp->conn_cred != cr) {
 857                 crhold(cr);
 858                 crfree(connp->conn_cred);
 859                 connp->conn_cred = cr;
 860         }
 861         connp->conn_cpid = pid;
 862         ASSERT(!(ixa->ixa_free_flags & IXA_FREE_CRED));
 863         ixa->ixa_cred = cr;
 864         ixa->ixa_cpid = pid;
 865         if (is_system_labeled()) {
 866                 /* We need to restart with a label based on the cred */
 867                 ip_xmit_attr_restore_tsl(ixa, ixa->ixa_cred);
 868         }
 869 
 870         if (scopeid != 0) {
 871                 ixa->ixa_flags |= IXAF_SCOPEID_SET;
 872                 ixa->ixa_scopeid = scopeid;
 873                 connp->conn_incoming_ifindex = scopeid;
 874         } else {
 875                 ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
 876                 connp->conn_incoming_ifindex = connp->conn_bound_if;
 877         }
 878 
 879         /*
 880          * conn_connect will drop conn_lock and reacquire it.
 881          * To prevent a send* from messing with this icmp_t while the lock
 882          * is dropped we set icmp_state and clear conn_v6lastdst.
 883          * That will make all send* fail with EISCONN.
 884          */
 885         connp->conn_v6lastdst = ipv6_all_zeros;
 886         icmp->icmp_state = TS_WCON_CREQ;
 887 
 888         error = conn_connect(connp, NULL, IPDF_ALLOW_MCBC);
 889         mutex_exit(&connp->conn_lock);
 890         if (error != 0)
 891                 goto connect_failed;
 892 
 893         /*
 894          * The addresses have been verified. Time to insert in
 895          * the correct fanout list.
 896          */
 897         error = ipcl_conn_insert(connp);
 898         if (error != 0)
 899                 goto connect_failed;
 900 
 901         mutex_enter(&connp->conn_lock);
 902         error = icmp_build_hdr_template(connp, &connp->conn_saddr_v6,
 903             &connp->conn_faddr_v6, connp->conn_flowinfo);
 904         if (error != 0) {
 905                 mutex_exit(&connp->conn_lock);
 906                 goto connect_failed;
 907         }
 908 
 909         icmp->icmp_state = TS_DATA_XFER;
 910         /* Record this as the "last" send even though we haven't sent any */
 911         connp->conn_v6lastdst = connp->conn_faddr_v6;
 912         connp->conn_lastipversion = connp->conn_ipversion;
 913         connp->conn_lastdstport = connp->conn_fport;
 914         connp->conn_lastflowinfo = connp->conn_flowinfo;
 915         connp->conn_lastscopeid = scopeid;
 916         connp->conn_lastsrcid = srcid;
 917         /* Also remember a source to use together with lastdst */
 918         connp->conn_v6lastsrc = v6src;
 919 
 920         oldixa = conn_replace_ixa(connp, ixa);
 921         mutex_exit(&connp->conn_lock);
 922         ixa_refrele(oldixa);
 923 
 924         ixa_refrele(ixa);
 925         return (0);
 926 
 927 connect_failed:
 928         if (ixa != NULL)
 929                 ixa_refrele(ixa);
 930         mutex_enter(&connp->conn_lock);
 931         icmp->icmp_state = TS_IDLE;
 932         /* In case the source address was set above */
 933         if (connp->conn_mcbc_bind)
 934                 connp->conn_saddr_v6 = ipv6_all_zeros;
 935         else
 936                 connp->conn_saddr_v6 = connp->conn_bound_addr_v6;
 937         connp->conn_laddr_v6 = connp->conn_bound_addr_v6;
 938         connp->conn_faddr_v6 = ipv6_all_zeros;
 939         connp->conn_v6lastdst = ipv6_all_zeros;
 940         connp->conn_flowinfo = 0;
 941 
 942         (void) icmp_build_hdr_template(connp, &connp->conn_saddr_v6,
 943             &connp->conn_faddr_v6, connp->conn_flowinfo);
 944         mutex_exit(&connp->conn_lock);
 945         return (error);
 946 }
 947 
 948 static void
 949 rawip_do_close(conn_t *connp)
 950 {
 951         ASSERT(connp != NULL && IPCL_IS_RAWIP(connp));
 952 
 953         ip_quiesce_conn(connp);
 954 
 955         if (!IPCL_IS_NONSTR(connp)) {
 956                 qprocsoff(connp->conn_rq);
 957         }
 958 
 959         icmp_close_free(connp);
 960 
 961         /*
 962          * Now we are truly single threaded on this stream, and can
 963          * delete the things hanging off the connp, and finally the connp.
 964          * We removed this connp from the fanout list, it cannot be
 965          * accessed thru the fanouts, and we already waited for the
 966          * conn_ref to drop to 0. We are already in close, so
 967          * there cannot be any other thread from the top. qprocsoff
 968          * has completed, and service has completed or won't run in
 969          * future.
 970          */
 971         ASSERT(connp->conn_ref == 1);
 972 
 973         if (!IPCL_IS_NONSTR(connp)) {
 974                 inet_minor_free(connp->conn_minor_arena, connp->conn_dev);
 975         } else {
 976                 ip_free_helper_stream(connp);
 977         }
 978 
 979         connp->conn_ref--;
 980         ipcl_conn_destroy(connp);
 981 }
 982 
 983 /* ARGSUSED */
 984 static int
 985 icmp_close(queue_t *q, int flags, cred_t *credp __unused)
 986 {
 987         conn_t  *connp;
 988 
 989         if (flags & SO_FALLBACK) {
 990                 /*
 991                  * stream is being closed while in fallback
 992                  * simply free the resources that were allocated
 993                  */
 994                 inet_minor_free(WR(q)->q_ptr, (dev_t)(RD(q)->q_ptr));
 995                 qprocsoff(q);
 996                 goto done;
 997         }
 998 
 999         connp = Q_TO_CONN(q);
1000         (void) rawip_do_close(connp);
1001 done:
1002         q->q_ptr = WR(q)->q_ptr = NULL;
1003         return (0);
1004 }
1005 
1006 static void
1007 icmp_close_free(conn_t *connp)
1008 {
1009         icmp_t *icmp = connp->conn_icmp;
1010 
1011         if (icmp->icmp_filter != NULL) {
1012                 kmem_free(icmp->icmp_filter, sizeof (icmp6_filter_t));
1013                 icmp->icmp_filter = NULL;
1014         }
1015 
1016         /*
1017          * Clear any fields which the kmem_cache constructor clears.
1018          * Only icmp_connp needs to be preserved.
1019          * TBD: We should make this more efficient to avoid clearing
1020          * everything.
1021          */
1022         ASSERT(icmp->icmp_connp == connp);
1023         bzero(icmp, sizeof (icmp_t));
1024         icmp->icmp_connp = connp;
1025 }
1026 
1027 /*
1028  * This routine handles each T_DISCON_REQ message passed to icmp
1029  * as an indicating that ICMP is no longer connected. This results
1030  * in telling IP to restore the binding to just the local address.
1031  */
1032 static int
1033 icmp_do_disconnect(conn_t *connp)
1034 {
1035         icmp_t  *icmp = connp->conn_icmp;
1036         int     error;
1037 
1038         mutex_enter(&connp->conn_lock);
1039         if (icmp->icmp_state != TS_DATA_XFER) {
1040                 mutex_exit(&connp->conn_lock);
1041                 return (-TOUTSTATE);
1042         }
1043         if (connp->conn_mcbc_bind)
1044                 connp->conn_saddr_v6 = ipv6_all_zeros;
1045         else
1046                 connp->conn_saddr_v6 = connp->conn_bound_addr_v6;
1047         connp->conn_laddr_v6 = connp->conn_bound_addr_v6;
1048         connp->conn_faddr_v6 = ipv6_all_zeros;
1049         icmp->icmp_state = TS_IDLE;
1050 
1051         connp->conn_v6lastdst = ipv6_all_zeros;
1052         error = icmp_build_hdr_template(connp, &connp->conn_saddr_v6,
1053             &connp->conn_faddr_v6, connp->conn_flowinfo);
1054         mutex_exit(&connp->conn_lock);
1055         if (error != 0)
1056                 return (error);
1057 
1058         /*
1059          * Tell IP to remove the full binding and revert
1060          * to the local address binding.
1061          */
1062         return (ip_laddr_fanout_insert(connp));
1063 }
1064 
1065 static void
1066 icmp_tpi_disconnect(queue_t *q, mblk_t *mp)
1067 {
1068         conn_t  *connp = Q_TO_CONN(q);
1069         int     error;
1070 
1071         /*
1072          * Allocate the largest primitive we need to send back
1073          * T_error_ack is > than T_ok_ack
1074          */
1075         mp = reallocb(mp, sizeof (struct T_error_ack), 1);
1076         if (mp == NULL) {
1077                 /* Unable to reuse the T_DISCON_REQ for the ack. */
1078                 icmp_err_ack_prim(q, mp, T_DISCON_REQ, TSYSERR, ENOMEM);
1079                 return;
1080         }
1081 
1082         error = icmp_do_disconnect(connp);
1083 
1084         if (error != 0) {
1085                 if (error > 0) {
1086                         icmp_err_ack(q, mp, 0, error);
1087                 } else {
1088                         icmp_err_ack(q, mp, -error, 0);
1089                 }
1090         } else {
1091                 mp = mi_tpi_ok_ack_alloc(mp);
1092                 ASSERT(mp != NULL);
1093                 qreply(q, mp);
1094         }
1095 }
1096 
1097 static int
1098 icmp_disconnect(conn_t *connp)
1099 {
1100         int     error;
1101 
1102         connp->conn_dgram_errind = B_FALSE;
1103 
1104         error = icmp_do_disconnect(connp);
1105 
1106         if (error < 0)
1107                 error = proto_tlitosyserr(-error);
1108         return (error);
1109 }
1110 
1111 /* This routine creates a T_ERROR_ACK message and passes it upstream. */
1112 static void
1113 icmp_err_ack(queue_t *q, mblk_t *mp, t_scalar_t t_error, int sys_error)
1114 {
1115         if ((mp = mi_tpi_err_ack_alloc(mp, t_error, sys_error)) != NULL)
1116                 qreply(q, mp);
1117 }
1118 
1119 /* Shorthand to generate and send TPI error acks to our client */
1120 static void
1121 icmp_err_ack_prim(queue_t *q, mblk_t *mp, t_scalar_t primitive,
1122     t_scalar_t t_error, int sys_error)
1123 {
1124         struct T_error_ack      *teackp;
1125 
1126         if ((mp = tpi_ack_alloc(mp, sizeof (struct T_error_ack),
1127             M_PCPROTO, T_ERROR_ACK)) != NULL) {
1128                 teackp = (struct T_error_ack *)mp->b_rptr;
1129                 teackp->ERROR_prim = primitive;
1130                 teackp->TLI_error = t_error;
1131                 teackp->UNIX_error = sys_error;
1132                 qreply(q, mp);
1133         }
1134 }
1135 
1136 /*
1137  * icmp_icmp_input is called as conn_recvicmp to process ICMP messages.
1138  * Generates the appropriate T_UDERROR_IND for permanent (non-transient) errors.
1139  * Assumes that IP has pulled up everything up to and including the ICMP header.
1140  */
1141 /* ARGSUSED2 */
1142 static void
1143 icmp_icmp_input(void *arg1, mblk_t *mp, void *arg2, ip_recv_attr_t *ira)
1144 {
1145         conn_t          *connp = (conn_t *)arg1;
1146         icmp_t          *icmp = connp->conn_icmp;
1147         icmph_t         *icmph;
1148         ipha_t          *ipha;
1149         int             iph_hdr_length;
1150         sin_t           sin;
1151         mblk_t          *mp1;
1152         int             error = 0;
1153 
1154         ipha = (ipha_t *)mp->b_rptr;
1155 
1156         ASSERT(OK_32PTR(mp->b_rptr));
1157 
1158         if (IPH_HDR_VERSION(ipha) != IPV4_VERSION) {
1159                 ASSERT(IPH_HDR_VERSION(ipha) == IPV6_VERSION);
1160                 icmp_icmp_error_ipv6(connp, mp, ira);
1161                 return;
1162         }
1163         ASSERT(IPH_HDR_VERSION(ipha) == IPV4_VERSION);
1164 
1165         /* Skip past the outer IP and ICMP headers */
1166         ASSERT(IPH_HDR_LENGTH(ipha) == ira->ira_ip_hdr_length);
1167         iph_hdr_length = ira->ira_ip_hdr_length;
1168         icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
1169         ipha = (ipha_t *)&icmph[1]; /* Inner IP header */
1170 
1171         iph_hdr_length = IPH_HDR_LENGTH(ipha);
1172 
1173         switch (icmph->icmph_type) {
1174         case ICMP_DEST_UNREACHABLE:
1175                 switch (icmph->icmph_code) {
1176                 case ICMP_FRAGMENTATION_NEEDED: {
1177                         ipha_t          *ipha;
1178                         ip_xmit_attr_t  *ixa;
1179                         /*
1180                          * IP has already adjusted the path MTU.
1181                          * But we need to adjust DF for IPv4.
1182                          */
1183                         if (connp->conn_ipversion != IPV4_VERSION)
1184                                 break;
1185 
1186                         ixa = conn_get_ixa(connp, B_FALSE);
1187                         if (ixa == NULL || ixa->ixa_ire == NULL) {
1188                                 /*
1189                                  * Some other thread holds conn_ixa. We will
1190                                  * redo this on the next ICMP too big.
1191                                  */
1192                                 if (ixa != NULL)
1193                                         ixa_refrele(ixa);
1194                                 break;
1195                         }
1196                         (void) ip_get_pmtu(ixa);
1197 
1198                         mutex_enter(&connp->conn_lock);
1199                         ipha = (ipha_t *)connp->conn_ht_iphc;
1200                         if (ixa->ixa_flags & IXAF_PMTU_IPV4_DF) {
1201                                 ipha->ipha_fragment_offset_and_flags |=
1202                                     IPH_DF_HTONS;
1203                         } else {
1204                                 ipha->ipha_fragment_offset_and_flags &=
1205                                     ~IPH_DF_HTONS;
1206                         }
1207                         mutex_exit(&connp->conn_lock);
1208                         ixa_refrele(ixa);
1209                         break;
1210                 }
1211                 case ICMP_PORT_UNREACHABLE:
1212                 case ICMP_PROTOCOL_UNREACHABLE:
1213                         error = ECONNREFUSED;
1214                         break;
1215                 default:
1216                         /* Transient errors */
1217                         break;
1218                 }
1219                 break;
1220         default:
1221                 /* Transient errors */
1222                 break;
1223         }
1224         if (error == 0) {
1225                 freemsg(mp);
1226                 return;
1227         }
1228 
1229         /*
1230          * Deliver T_UDERROR_IND when the application has asked for it.
1231          * The socket layer enables this automatically when connected.
1232          */
1233         if (!connp->conn_dgram_errind) {
1234                 freemsg(mp);
1235                 return;
1236         }
1237 
1238         sin = sin_null;
1239         sin.sin_family = AF_INET;
1240         sin.sin_addr.s_addr = ipha->ipha_dst;
1241 
1242         if (IPCL_IS_NONSTR(connp)) {
1243                 mutex_enter(&connp->conn_lock);
1244                 if (icmp->icmp_state == TS_DATA_XFER) {
1245                         if (sin.sin_addr.s_addr == connp->conn_faddr_v4) {
1246                                 mutex_exit(&connp->conn_lock);
1247                                 (*connp->conn_upcalls->su_set_error)
1248                                     (connp->conn_upper_handle, error);
1249                                 goto done;
1250                         }
1251                 } else {
1252                         icmp->icmp_delayed_error = error;
1253                         *((sin_t *)&icmp->icmp_delayed_addr) = sin;
1254                 }
1255                 mutex_exit(&connp->conn_lock);
1256         } else {
1257                 mp1 = mi_tpi_uderror_ind((char *)&sin, sizeof (sin_t), NULL, 0,
1258                     error);
1259                 if (mp1 != NULL)
1260                         putnext(connp->conn_rq, mp1);
1261         }
1262 done:
1263         freemsg(mp);
1264 }
1265 
1266 /*
1267  * icmp_icmp_error_ipv6 is called by icmp_icmp_error to process ICMP for IPv6.
1268  * Generates the appropriate T_UDERROR_IND for permanent (non-transient) errors.
1269  * Assumes that IP has pulled up all the extension headers as well as the
1270  * ICMPv6 header.
1271  */
1272 static void
1273 icmp_icmp_error_ipv6(conn_t *connp, mblk_t *mp, ip_recv_attr_t *ira)
1274 {
1275         icmp6_t         *icmp6;
1276         ip6_t           *ip6h, *outer_ip6h;
1277         uint16_t        iph_hdr_length;
1278         uint8_t         *nexthdrp;
1279         sin6_t          sin6;
1280         mblk_t          *mp1;
1281         int             error = 0;
1282         icmp_t          *icmp = connp->conn_icmp;
1283 
1284         outer_ip6h = (ip6_t *)mp->b_rptr;
1285 #ifdef DEBUG
1286         if (outer_ip6h->ip6_nxt != IPPROTO_ICMPV6)
1287                 iph_hdr_length = ip_hdr_length_v6(mp, outer_ip6h);
1288         else
1289                 iph_hdr_length = IPV6_HDR_LEN;
1290         ASSERT(iph_hdr_length == ira->ira_ip_hdr_length);
1291 #endif
1292         /* Skip past the outer IP and ICMP headers */
1293         iph_hdr_length = ira->ira_ip_hdr_length;
1294         icmp6 = (icmp6_t *)&mp->b_rptr[iph_hdr_length];
1295 
1296         ip6h = (ip6_t *)&icmp6[1];  /* Inner IP header */
1297         if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &iph_hdr_length, &nexthdrp)) {
1298                 freemsg(mp);
1299                 return;
1300         }
1301 
1302         switch (icmp6->icmp6_type) {
1303         case ICMP6_DST_UNREACH:
1304                 switch (icmp6->icmp6_code) {
1305                 case ICMP6_DST_UNREACH_NOPORT:
1306                         error = ECONNREFUSED;
1307                         break;
1308                 case ICMP6_DST_UNREACH_ADMIN:
1309                 case ICMP6_DST_UNREACH_NOROUTE:
1310                 case ICMP6_DST_UNREACH_BEYONDSCOPE:
1311                 case ICMP6_DST_UNREACH_ADDR:
1312                         /* Transient errors */
1313                         break;
1314                 default:
1315                         break;
1316                 }
1317                 break;
1318         case ICMP6_PACKET_TOO_BIG: {
1319                 struct T_unitdata_ind   *tudi;
1320                 struct T_opthdr         *toh;
1321                 size_t                  udi_size;
1322                 mblk_t                  *newmp;
1323                 t_scalar_t              opt_length = sizeof (struct T_opthdr) +
1324                     sizeof (struct ip6_mtuinfo);
1325                 sin6_t                  *sin6;
1326                 struct ip6_mtuinfo      *mtuinfo;
1327 
1328                 /*
1329                  * If the application has requested to receive path mtu
1330                  * information, send up an empty message containing an
1331                  * IPV6_PATHMTU ancillary data item.
1332                  */
1333                 if (!connp->conn_ipv6_recvpathmtu)
1334                         break;
1335 
1336                 udi_size = sizeof (struct T_unitdata_ind) + sizeof (sin6_t) +
1337                     opt_length;
1338                 if ((newmp = allocb(udi_size, BPRI_MED)) == NULL) {
1339                         BUMP_MIB(&icmp->icmp_is->is_rawip_mib, rawipInErrors);
1340                         break;
1341                 }
1342 
1343                 /*
1344                  * newmp->b_cont is left to NULL on purpose.  This is an
1345                  * empty message containing only ancillary data.
1346                  */
1347                 newmp->b_datap->db_type = M_PROTO;
1348                 tudi = (struct T_unitdata_ind *)newmp->b_rptr;
1349                 newmp->b_wptr = (uchar_t *)tudi + udi_size;
1350                 tudi->PRIM_type = T_UNITDATA_IND;
1351                 tudi->SRC_length = sizeof (sin6_t);
1352                 tudi->SRC_offset = sizeof (struct T_unitdata_ind);
1353                 tudi->OPT_offset = tudi->SRC_offset + sizeof (sin6_t);
1354                 tudi->OPT_length = opt_length;
1355 
1356                 sin6 = (sin6_t *)&tudi[1];
1357                 bzero(sin6, sizeof (sin6_t));
1358                 sin6->sin6_family = AF_INET6;
1359                 sin6->sin6_addr = connp->conn_faddr_v6;
1360 
1361                 toh = (struct T_opthdr *)&sin6[1];
1362                 toh->level = IPPROTO_IPV6;
1363                 toh->name = IPV6_PATHMTU;
1364                 toh->len = opt_length;
1365                 toh->status = 0;
1366 
1367                 mtuinfo = (struct ip6_mtuinfo *)&toh[1];
1368                 bzero(mtuinfo, sizeof (struct ip6_mtuinfo));
1369                 mtuinfo->ip6m_addr.sin6_family = AF_INET6;
1370                 mtuinfo->ip6m_addr.sin6_addr = ip6h->ip6_dst;
1371                 mtuinfo->ip6m_mtu = icmp6->icmp6_mtu;
1372                 /*
1373                  * We've consumed everything we need from the original
1374                  * message.  Free it, then send our empty message.
1375                  */
1376                 freemsg(mp);
1377                 icmp_ulp_recv(connp, newmp, msgdsize(newmp));
1378                 return;
1379         }
1380         case ICMP6_TIME_EXCEEDED:
1381                 /* Transient errors */
1382                 break;
1383         case ICMP6_PARAM_PROB:
1384                 /* If this corresponds to an ICMP_PROTOCOL_UNREACHABLE */
1385                 if (icmp6->icmp6_code == ICMP6_PARAMPROB_NEXTHEADER &&
1386                     (uchar_t *)ip6h + icmp6->icmp6_pptr ==
1387                     (uchar_t *)nexthdrp) {
1388                         error = ECONNREFUSED;
1389                         break;
1390                 }
1391                 break;
1392         }
1393         if (error == 0) {
1394                 freemsg(mp);
1395                 return;
1396         }
1397 
1398         /*
1399          * Deliver T_UDERROR_IND when the application has asked for it.
1400          * The socket layer enables this automatically when connected.
1401          */
1402         if (!connp->conn_dgram_errind) {
1403                 freemsg(mp);
1404                 return;
1405         }
1406 
1407         sin6 = sin6_null;
1408         sin6.sin6_family = AF_INET6;
1409         sin6.sin6_addr = ip6h->ip6_dst;
1410         sin6.sin6_flowinfo = ip6h->ip6_vcf & ~IPV6_VERS_AND_FLOW_MASK;
1411         if (IPCL_IS_NONSTR(connp)) {
1412                 mutex_enter(&connp->conn_lock);
1413                 if (icmp->icmp_state == TS_DATA_XFER) {
1414                         if (IN6_ARE_ADDR_EQUAL(&sin6.sin6_addr,
1415                             &connp->conn_faddr_v6)) {
1416                                 mutex_exit(&connp->conn_lock);
1417                                 (*connp->conn_upcalls->su_set_error)
1418                                     (connp->conn_upper_handle, error);
1419                                 goto done;
1420                         }
1421                 } else {
1422                         icmp->icmp_delayed_error = error;
1423                         *((sin6_t *)&icmp->icmp_delayed_addr) = sin6;
1424                 }
1425                 mutex_exit(&connp->conn_lock);
1426         } else {
1427                 mp1 = mi_tpi_uderror_ind((char *)&sin6, sizeof (sin6_t),
1428                     NULL, 0, error);
1429                 if (mp1 != NULL)
1430                         putnext(connp->conn_rq, mp1);
1431         }
1432 done:
1433         freemsg(mp);
1434 }
1435 
1436 /*
1437  * This routine responds to T_ADDR_REQ messages.  It is called by icmp_wput.
1438  * The local address is filled in if endpoint is bound. The remote address
1439  * is filled in if remote address has been precified ("connected endpoint")
1440  * (The concept of connected CLTS sockets is alien to published TPI
1441  *  but we support it anyway).
1442  */
1443 static void
1444 icmp_addr_req(queue_t *q, mblk_t *mp)
1445 {
1446         struct sockaddr *sa;
1447         mblk_t  *ackmp;
1448         struct T_addr_ack *taa;
1449         icmp_t  *icmp = Q_TO_ICMP(q);
1450         conn_t  *connp = icmp->icmp_connp;
1451         uint_t  addrlen;
1452 
1453         /* Make it large enough for worst case */
1454         ackmp = reallocb(mp, sizeof (struct T_addr_ack) +
1455             2 * sizeof (sin6_t), 1);
1456         if (ackmp == NULL) {
1457                 icmp_err_ack(q, mp, TSYSERR, ENOMEM);
1458                 return;
1459         }
1460         taa = (struct T_addr_ack *)ackmp->b_rptr;
1461 
1462         bzero(taa, sizeof (struct T_addr_ack));
1463         ackmp->b_wptr = (uchar_t *)&taa[1];
1464 
1465         taa->PRIM_type = T_ADDR_ACK;
1466         ackmp->b_datap->db_type = M_PCPROTO;
1467 
1468         if (connp->conn_family == AF_INET)
1469                 addrlen = sizeof (sin_t);
1470         else
1471                 addrlen = sizeof (sin6_t);
1472 
1473         mutex_enter(&connp->conn_lock);
1474         /*
1475          * Note: Following code assumes 32 bit alignment of basic
1476          * data structures like sin_t and struct T_addr_ack.
1477          */
1478         if (icmp->icmp_state != TS_UNBND) {
1479                 /*
1480                  * Fill in local address first
1481                  */
1482                 taa->LOCADDR_offset = sizeof (*taa);
1483                 taa->LOCADDR_length = addrlen;
1484                 sa = (struct sockaddr *)&taa[1];
1485                 (void) conn_getsockname(connp, sa, &addrlen);
1486                 ackmp->b_wptr += addrlen;
1487         }
1488         if (icmp->icmp_state == TS_DATA_XFER) {
1489                 /*
1490                  * connected, fill remote address too
1491                  */
1492                 taa->REMADDR_length = addrlen;
1493                 /* assumed 32-bit alignment */
1494                 taa->REMADDR_offset = taa->LOCADDR_offset + taa->LOCADDR_length;
1495                 sa = (struct sockaddr *)(ackmp->b_rptr + taa->REMADDR_offset);
1496                 (void) conn_getpeername(connp, sa, &addrlen);
1497                 ackmp->b_wptr += addrlen;
1498         }
1499         mutex_exit(&connp->conn_lock);
1500         ASSERT(ackmp->b_wptr <= ackmp->b_datap->db_lim);
1501         qreply(q, ackmp);
1502 }
1503 
1504 static void
1505 icmp_copy_info(struct T_info_ack *tap, icmp_t *icmp)
1506 {
1507         conn_t          *connp = icmp->icmp_connp;
1508 
1509         *tap = icmp_g_t_info_ack;
1510 
1511         if (connp->conn_family == AF_INET6)
1512                 tap->ADDR_size = sizeof (sin6_t);
1513         else
1514                 tap->ADDR_size = sizeof (sin_t);
1515         tap->CURRENT_state = icmp->icmp_state;
1516         tap->OPT_size = icmp_max_optsize;
1517 }
1518 
1519 static void
1520 icmp_do_capability_ack(icmp_t *icmp, struct T_capability_ack *tcap,
1521     t_uscalar_t cap_bits1)
1522 {
1523         tcap->CAP_bits1 = 0;
1524 
1525         if (cap_bits1 & TC1_INFO) {
1526                 icmp_copy_info(&tcap->INFO_ack, icmp);
1527                 tcap->CAP_bits1 |= TC1_INFO;
1528         }
1529 }
1530 
1531 /*
1532  * This routine responds to T_CAPABILITY_REQ messages.  It is called by
1533  * icmp_wput.  Much of the T_CAPABILITY_ACK information is copied from
1534  * icmp_g_t_info_ack.  The current state of the stream is copied from
1535  * icmp_state.
1536  */
1537 static void
1538 icmp_capability_req(queue_t *q, mblk_t *mp)
1539 {
1540         icmp_t                  *icmp = Q_TO_ICMP(q);
1541         t_uscalar_t             cap_bits1;
1542         struct T_capability_ack *tcap;
1543 
1544         cap_bits1 = ((struct T_capability_req *)mp->b_rptr)->CAP_bits1;
1545 
1546         mp = tpi_ack_alloc(mp, sizeof (struct T_capability_ack),
1547             mp->b_datap->db_type, T_CAPABILITY_ACK);
1548         if (!mp)
1549                 return;
1550 
1551         tcap = (struct T_capability_ack *)mp->b_rptr;
1552 
1553         icmp_do_capability_ack(icmp, tcap, cap_bits1);
1554 
1555         qreply(q, mp);
1556 }
1557 
1558 /*
1559  * This routine responds to T_INFO_REQ messages.  It is called by icmp_wput.
1560  * Most of the T_INFO_ACK information is copied from icmp_g_t_info_ack.
1561  * The current state of the stream is copied from icmp_state.
1562  */
1563 static void
1564 icmp_info_req(queue_t *q, mblk_t *mp)
1565 {
1566         icmp_t  *icmp = Q_TO_ICMP(q);
1567 
1568         /* Create a T_INFO_ACK message. */
1569         mp = tpi_ack_alloc(mp, sizeof (struct T_info_ack), M_PCPROTO,
1570             T_INFO_ACK);
1571         if (!mp)
1572                 return;
1573         icmp_copy_info((struct T_info_ack *)mp->b_rptr, icmp);
1574         qreply(q, mp);
1575 }
1576 
1577 static int
1578 icmp_tpi_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp,
1579     int family)
1580 {
1581         conn_t *connp;
1582         dev_t   conn_dev;
1583         int     error;
1584 
1585         /* If the stream is already open, return immediately. */
1586         if (q->q_ptr != NULL)
1587                 return (0);
1588 
1589         if (sflag == MODOPEN)
1590                 return (EINVAL);
1591 
1592         /*
1593          * Since ICMP is not used so heavily, allocating from the small
1594          * arena should be sufficient.
1595          */
1596         if ((conn_dev = inet_minor_alloc(ip_minor_arena_sa)) == 0) {
1597                 return (EBUSY);
1598         }
1599 
1600         if (flag & SO_FALLBACK) {
1601                 /*
1602                  * Non streams socket needs a stream to fallback to
1603                  */
1604                 RD(q)->q_ptr = (void *)conn_dev;
1605                 WR(q)->q_qinfo = &icmp_fallback_sock_winit;
1606                 WR(q)->q_ptr = (void *)ip_minor_arena_sa;
1607                 qprocson(q);
1608                 return (0);
1609         }
1610 
1611         connp = rawip_do_open(family, credp, &error, KM_SLEEP);
1612         if (connp == NULL) {
1613                 ASSERT(error != 0);
1614                 inet_minor_free(ip_minor_arena_sa, conn_dev);
1615                 return (error);
1616         }
1617 
1618         *devp = makedevice(getemajor(*devp), (minor_t)conn_dev);
1619         connp->conn_dev = conn_dev;
1620         connp->conn_minor_arena = ip_minor_arena_sa;
1621 
1622         /*
1623          * Initialize the icmp_t structure for this stream.
1624          */
1625         q->q_ptr = connp;
1626         WR(q)->q_ptr = connp;
1627         connp->conn_rq = q;
1628         connp->conn_wq = WR(q);
1629 
1630         WR(q)->q_hiwat = connp->conn_sndbuf;
1631         WR(q)->q_lowat = connp->conn_sndlowat;
1632 
1633         qprocson(q);
1634 
1635         /* Set the Stream head write offset. */
1636         (void) proto_set_tx_wroff(q, connp, connp->conn_wroff);
1637         (void) proto_set_rx_hiwat(connp->conn_rq, connp, connp->conn_rcvbuf);
1638 
1639         mutex_enter(&connp->conn_lock);
1640         connp->conn_state_flags &= ~CONN_INCIPIENT;
1641         mutex_exit(&connp->conn_lock);
1642 
1643         icmp_bind_proto(connp->conn_icmp);
1644 
1645         return (0);
1646 }
1647 
1648 /* For /dev/icmp aka AF_INET open */
1649 static int
1650 icmp_openv4(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
1651 {
1652         return (icmp_tpi_open(q, devp, flag, sflag, credp, AF_INET));
1653 }
1654 
1655 /* For /dev/icmp6 aka AF_INET6 open */
1656 static int
1657 icmp_openv6(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
1658 {
1659         return (icmp_tpi_open(q, devp, flag, sflag, credp, AF_INET6));
1660 }
1661 
1662 /*
1663  * This is the open routine for icmp.  It allocates a icmp_t structure for
1664  * the stream and, on the first open of the module, creates an ND table.
1665  */
1666 static conn_t *
1667 rawip_do_open(int family, cred_t *credp, int *err, int flags)
1668 {
1669         icmp_t  *icmp;
1670         conn_t *connp;
1671         zoneid_t zoneid;
1672         netstack_t *ns;
1673         icmp_stack_t *is;
1674         int len;
1675         boolean_t isv6 = B_FALSE;
1676 
1677         *err = secpolicy_net_icmpaccess(credp);
1678         if (*err != 0)
1679                 return (NULL);
1680 
1681         if (family == AF_INET6)
1682                 isv6 = B_TRUE;
1683 
1684         ns = netstack_find_by_cred(credp);
1685         ASSERT(ns != NULL);
1686         is = ns->netstack_icmp;
1687         ASSERT(is != NULL);
1688 
1689         /*
1690          * For exclusive stacks we set the zoneid to zero
1691          * to make ICMP operate as if in the global zone.
1692          */
1693         if (ns->netstack_stackid != GLOBAL_NETSTACKID)
1694                 zoneid = GLOBAL_ZONEID;
1695         else
1696                 zoneid = crgetzoneid(credp);
1697 
1698         ASSERT(flags == KM_SLEEP || flags == KM_NOSLEEP);
1699 
1700         connp = ipcl_conn_create(IPCL_RAWIPCONN, flags, ns);
1701         icmp = connp->conn_icmp;
1702 
1703         /*
1704          * ipcl_conn_create did a netstack_hold. Undo the hold that was
1705          * done by netstack_find_by_cred()
1706          */
1707         netstack_rele(ns);
1708 
1709         /*
1710          * Since this conn_t/icmp_t is not yet visible to anybody else we don't
1711          * need to lock anything.
1712          */
1713         ASSERT(connp->conn_proto == IPPROTO_ICMP);
1714         ASSERT(connp->conn_icmp == icmp);
1715         ASSERT(icmp->icmp_connp == connp);
1716 
1717         /* Set the initial state of the stream and the privilege status. */
1718         icmp->icmp_state = TS_UNBND;
1719         connp->conn_ixa->ixa_flags |= IXAF_VERIFY_SOURCE;
1720         if (isv6) {
1721                 connp->conn_family = AF_INET6;
1722                 connp->conn_ipversion = IPV6_VERSION;
1723                 connp->conn_ixa->ixa_flags &= ~IXAF_IS_IPV4;
1724                 connp->conn_proto = IPPROTO_ICMPV6;
1725                 /* May be changed by a SO_PROTOTYPE socket option. */
1726                 connp->conn_proto = IPPROTO_ICMPV6;
1727                 connp->conn_ixa->ixa_protocol = connp->conn_proto;
1728                 connp->conn_ixa->ixa_raw_cksum_offset = 2;
1729                 connp->conn_default_ttl = is->is_ipv6_hoplimit;
1730                 len = sizeof (ip6_t);
1731         } else {
1732                 connp->conn_family = AF_INET;
1733                 connp->conn_ipversion = IPV4_VERSION;
1734                 connp->conn_ixa->ixa_flags |= IXAF_IS_IPV4;
1735                 /* May be changed by a SO_PROTOTYPE socket option. */
1736                 connp->conn_proto = IPPROTO_ICMP;
1737                 connp->conn_ixa->ixa_protocol = connp->conn_proto;
1738                 connp->conn_default_ttl = is->is_ipv4_ttl;
1739                 len = sizeof (ipha_t);
1740         }
1741         connp->conn_xmit_ipp.ipp_unicast_hops = connp->conn_default_ttl;
1742 
1743         connp->conn_ixa->ixa_multicast_ttl = IP_DEFAULT_MULTICAST_TTL;
1744 
1745         /*
1746          * For the socket of protocol IPPROTO_RAW or when IP_HDRINCL is set,
1747          * the checksum is provided in the pre-built packet. We clear
1748          * IXAF_SET_ULP_CKSUM to tell IP that the application has sent a
1749          * complete IP header and not to compute the transport checksum.
1750          */
1751         connp->conn_ixa->ixa_flags |= IXAF_MULTICAST_LOOP | IXAF_SET_ULP_CKSUM;
1752         /* conn_allzones can not be set this early, hence no IPCL_ZONEID */
1753         connp->conn_ixa->ixa_zoneid = zoneid;
1754 
1755         connp->conn_zoneid = zoneid;
1756 
1757         /*
1758          * If the caller has the process-wide flag set, then default to MAC
1759          * exempt mode.  This allows read-down to unlabeled hosts.
1760          */
1761         if (getpflags(NET_MAC_AWARE, credp) != 0)
1762                 connp->conn_mac_mode = CONN_MAC_AWARE;
1763 
1764         connp->conn_zone_is_global = (crgetzoneid(credp) == GLOBAL_ZONEID);
1765 
1766         icmp->icmp_is = is;
1767 
1768         connp->conn_rcvbuf = is->is_recv_hiwat;
1769         connp->conn_sndbuf = is->is_xmit_hiwat;
1770         connp->conn_sndlowat = is->is_xmit_lowat;
1771         connp->conn_rcvlowat = icmp_mod_info.mi_lowat;
1772 
1773         connp->conn_wroff = len + is->is_wroff_extra;
1774         connp->conn_so_type = SOCK_RAW;
1775 
1776         connp->conn_recv = icmp_input;
1777         connp->conn_recvicmp = icmp_icmp_input;
1778         crhold(credp);
1779         connp->conn_cred = credp;
1780         connp->conn_cpid = curproc->p_pid;
1781         connp->conn_open_time = ddi_get_lbolt64();
1782         /* Cache things in ixa without an extra refhold */
1783         ASSERT(!(connp->conn_ixa->ixa_free_flags & IXA_FREE_CRED));
1784         connp->conn_ixa->ixa_cred = connp->conn_cred;
1785         connp->conn_ixa->ixa_cpid = connp->conn_cpid;
1786         if (is_system_labeled())
1787                 connp->conn_ixa->ixa_tsl = crgetlabel(connp->conn_cred);
1788 
1789         connp->conn_flow_cntrld = B_FALSE;
1790 
1791         if (is->is_pmtu_discovery)
1792                 connp->conn_ixa->ixa_flags |= IXAF_PMTU_DISCOVERY;
1793 
1794         return (connp);
1795 }
1796 
1797 /*
1798  * Which ICMP options OK to set through T_UNITDATA_REQ...
1799  */
1800 /* ARGSUSED */
1801 static boolean_t
1802 icmp_opt_allow_udr_set(t_scalar_t level, t_scalar_t name)
1803 {
1804         return (B_TRUE);
1805 }
1806 
1807 /*
1808  * This routine gets default values of certain options whose default
1809  * values are maintained by protcol specific code
1810  */
1811 int
1812 icmp_opt_default(queue_t *q, t_scalar_t level, t_scalar_t name, uchar_t *ptr)
1813 {
1814         icmp_t *icmp = Q_TO_ICMP(q);
1815         icmp_stack_t *is = icmp->icmp_is;
1816         int *i1 = (int *)ptr;
1817 
1818         switch (level) {
1819         case IPPROTO_IP:
1820                 switch (name) {
1821                 case IP_MULTICAST_TTL:
1822                         *ptr = (uchar_t)IP_DEFAULT_MULTICAST_TTL;
1823                         return (sizeof (uchar_t));
1824                 case IP_MULTICAST_LOOP:
1825                         *ptr = (uchar_t)IP_DEFAULT_MULTICAST_LOOP;
1826                         return (sizeof (uchar_t));
1827                 }
1828                 break;
1829         case IPPROTO_IPV6:
1830                 switch (name) {
1831                 case IPV6_MULTICAST_HOPS:
1832                         *i1 = IP_DEFAULT_MULTICAST_TTL;
1833                         return (sizeof (int));
1834                 case IPV6_MULTICAST_LOOP:
1835                         *i1 = IP_DEFAULT_MULTICAST_LOOP;
1836                         return (sizeof (int));
1837                 case IPV6_UNICAST_HOPS:
1838                         *i1 = is->is_ipv6_hoplimit;
1839                         return (sizeof (int));
1840                 }
1841                 break;
1842         case IPPROTO_ICMPV6:
1843                 switch (name) {
1844                 case ICMP6_FILTER:
1845                         /* Make it look like "pass all" */
1846                         ICMP6_FILTER_SETPASSALL((icmp6_filter_t *)ptr);
1847                         return (sizeof (icmp6_filter_t));
1848                 }
1849                 break;
1850         }
1851         return (-1);
1852 }
1853 
1854 /*
1855  * This routine retrieves the current status of socket options.
1856  * It returns the size of the option retrieved, or -1.
1857  */
1858 int
1859 icmp_opt_get(conn_t *connp, int level, int name, uchar_t *ptr)
1860 {
1861         icmp_t          *icmp = connp->conn_icmp;
1862         int             *i1 = (int *)ptr;
1863         conn_opt_arg_t  coas;
1864         int             retval;
1865 
1866         coas.coa_connp = connp;
1867         coas.coa_ixa = connp->conn_ixa;
1868         coas.coa_ipp = &connp->conn_xmit_ipp;
1869         coas.coa_ancillary = B_FALSE;
1870         coas.coa_changed = 0;
1871 
1872         /*
1873          * We assume that the optcom framework has checked for the set
1874          * of levels and names that are supported, hence we don't worry
1875          * about rejecting based on that.
1876          * First check for ICMP specific handling, then pass to common routine.
1877          */
1878         switch (level) {
1879         case IPPROTO_IP:
1880                 /*
1881                  * Only allow IPv4 option processing on IPv4 sockets.
1882                  */
1883                 if (connp->conn_family != AF_INET)
1884                         return (-1);
1885 
1886                 switch (name) {
1887                 case IP_OPTIONS:
1888                 case T_IP_OPTIONS:
1889                         /* Options are passed up with each packet */
1890                         return (0);
1891                 case IP_HDRINCL:
1892                         mutex_enter(&connp->conn_lock);
1893                         *i1 = (int)icmp->icmp_hdrincl;
1894                         mutex_exit(&connp->conn_lock);
1895                         return (sizeof (int));
1896                 }
1897                 break;
1898 
1899         case IPPROTO_IPV6:
1900                 /*
1901                  * Only allow IPv6 option processing on native IPv6 sockets.
1902                  */
1903                 if (connp->conn_family != AF_INET6)
1904                         return (-1);
1905 
1906                 switch (name) {
1907                 case IPV6_CHECKSUM:
1908                         /*
1909                          * Return offset or -1 if no checksum offset.
1910                          * Does not apply to IPPROTO_ICMPV6
1911                          */
1912                         if (connp->conn_proto == IPPROTO_ICMPV6)
1913                                 return (-1);
1914 
1915                         mutex_enter(&connp->conn_lock);
1916                         if (connp->conn_ixa->ixa_flags & IXAF_SET_RAW_CKSUM)
1917                                 *i1 = connp->conn_ixa->ixa_raw_cksum_offset;
1918                         else
1919                                 *i1 = -1;
1920                         mutex_exit(&connp->conn_lock);
1921                         return (sizeof (int));
1922                 }
1923                 break;
1924 
1925         case IPPROTO_ICMPV6:
1926                 /*
1927                  * Only allow IPv6 option processing on native IPv6 sockets.
1928                  */
1929                 if (connp->conn_family != AF_INET6)
1930                         return (-1);
1931 
1932                 if (connp->conn_proto != IPPROTO_ICMPV6)
1933                         return (-1);
1934 
1935                 switch (name) {
1936                 case ICMP6_FILTER:
1937                         mutex_enter(&connp->conn_lock);
1938                         if (icmp->icmp_filter == NULL) {
1939                                 /* Make it look like "pass all" */
1940                                 ICMP6_FILTER_SETPASSALL((icmp6_filter_t *)ptr);
1941                         } else {
1942                                 (void) bcopy(icmp->icmp_filter, ptr,
1943                                     sizeof (icmp6_filter_t));
1944                         }
1945                         mutex_exit(&connp->conn_lock);
1946                         return (sizeof (icmp6_filter_t));
1947                 }
1948         }
1949         mutex_enter(&connp->conn_lock);
1950         retval = conn_opt_get(&coas, level, name, ptr);
1951         mutex_exit(&connp->conn_lock);
1952         return (retval);
1953 }
1954 
1955 /*
1956  * This routine retrieves the current status of socket options.
1957  * It returns the size of the option retrieved, or -1.
1958  */
1959 int
1960 icmp_tpi_opt_get(queue_t *q, int level, int name, uchar_t *ptr)
1961 {
1962         conn_t          *connp = Q_TO_CONN(q);
1963         int             err;
1964 
1965         err = icmp_opt_get(connp, level, name, ptr);
1966         return (err);
1967 }
1968 
1969 /*
1970  * This routine sets socket options.
1971  */
1972 int
1973 icmp_do_opt_set(conn_opt_arg_t *coa, int level, int name,
1974     uint_t inlen, uchar_t *invalp, cred_t *cr, boolean_t checkonly)
1975 {
1976         conn_t          *connp = coa->coa_connp;
1977         ip_xmit_attr_t  *ixa = coa->coa_ixa;
1978         icmp_t          *icmp = connp->conn_icmp;
1979         icmp_stack_t    *is = icmp->icmp_is;
1980         int             *i1 = (int *)invalp;
1981         boolean_t       onoff = (*i1 == 0) ? 0 : 1;
1982         int             error;
1983 
1984         ASSERT(MUTEX_NOT_HELD(&coa->coa_connp->conn_lock));
1985 
1986         /*
1987          * For fixed length options, no sanity check
1988          * of passed in length is done. It is assumed *_optcom_req()
1989          * routines do the right thing.
1990          */
1991 
1992         switch (level) {
1993         case SOL_SOCKET:
1994                 switch (name) {
1995                 case SO_PROTOTYPE:
1996                         if ((*i1 & 0xFF) != IPPROTO_ICMP &&
1997                             (*i1 & 0xFF) != IPPROTO_ICMPV6 &&
1998                             secpolicy_net_rawaccess(cr) != 0) {
1999                                 return (EACCES);
2000                         }
2001                         if (checkonly)
2002                                 break;
2003 
2004                         mutex_enter(&connp->conn_lock);
2005                         connp->conn_proto = *i1 & 0xFF;
2006                         ixa->ixa_protocol = connp->conn_proto;
2007                         if ((connp->conn_proto == IPPROTO_RAW ||
2008                             connp->conn_proto == IPPROTO_IGMP) &&
2009                             connp->conn_family == AF_INET) {
2010                                 icmp->icmp_hdrincl = 1;
2011                                 ixa->ixa_flags &= ~IXAF_SET_ULP_CKSUM;
2012                         } else if (connp->conn_proto == IPPROTO_UDP ||
2013                             connp->conn_proto == IPPROTO_TCP ||
2014                             connp->conn_proto == IPPROTO_SCTP) {
2015                                 /* Used by test applications like psh */
2016                                 icmp->icmp_hdrincl = 0;
2017                                 ixa->ixa_flags &= ~IXAF_SET_ULP_CKSUM;
2018                         } else {
2019                                 icmp->icmp_hdrincl = 0;
2020                                 ixa->ixa_flags |= IXAF_SET_ULP_CKSUM;
2021                         }
2022 
2023                         if (connp->conn_family == AF_INET6 &&
2024                             connp->conn_proto == IPPROTO_ICMPV6) {
2025                                 /* Set offset for icmp6_cksum */
2026                                 ixa->ixa_flags &= ~IXAF_SET_RAW_CKSUM;
2027                                 ixa->ixa_raw_cksum_offset = 2;
2028                         }
2029                         if (icmp->icmp_filter != NULL &&
2030                             connp->conn_proto != IPPROTO_ICMPV6) {
2031                                 kmem_free(icmp->icmp_filter,
2032                                     sizeof (icmp6_filter_t));
2033                                 icmp->icmp_filter = NULL;
2034                         }
2035                         mutex_exit(&connp->conn_lock);
2036 
2037                         coa->coa_changed |= COA_HEADER_CHANGED;
2038                         /*
2039                          * For SCTP, we don't use icmp_bind_proto() for
2040                          * raw socket binding.
2041                          */
2042                         if (connp->conn_proto == IPPROTO_SCTP)
2043                                 return (0);
2044 
2045                         coa->coa_changed |= COA_ICMP_BIND_NEEDED;
2046                         return (0);
2047 
2048                 case SO_SNDBUF:
2049                         if (*i1 > is->is_max_buf) {
2050                                 return (ENOBUFS);
2051                         }
2052                         break;
2053                 case SO_RCVBUF:
2054                         if (*i1 > is->is_max_buf) {
2055                                 return (ENOBUFS);
2056                         }
2057                         break;
2058                 }
2059                 break;
2060 
2061         case IPPROTO_IP:
2062                 /*
2063                  * Only allow IPv4 option processing on IPv4 sockets.
2064                  */
2065                 if (connp->conn_family != AF_INET)
2066                         return (EINVAL);
2067 
2068                 switch (name) {
2069                 case IP_HDRINCL:
2070                         if (!checkonly) {
2071                                 mutex_enter(&connp->conn_lock);
2072                                 icmp->icmp_hdrincl = onoff;
2073                                 if (onoff)
2074                                         ixa->ixa_flags &= ~IXAF_SET_ULP_CKSUM;
2075                                 else
2076                                         ixa->ixa_flags |= IXAF_SET_ULP_CKSUM;
2077                                 mutex_exit(&connp->conn_lock);
2078                         }
2079                         break;
2080                 }
2081                 break;
2082 
2083         case IPPROTO_IPV6:
2084                 if (connp->conn_family != AF_INET6)
2085                         return (EINVAL);
2086 
2087                 switch (name) {
2088                 case IPV6_CHECKSUM:
2089                         /*
2090                          * Integer offset into the user data of where the
2091                          * checksum is located.
2092                          * Offset of -1 disables option.
2093                          * Does not apply to IPPROTO_ICMPV6.
2094                          */
2095                         if (connp->conn_proto == IPPROTO_ICMPV6 ||
2096                             coa->coa_ancillary) {
2097                                 return (EINVAL);
2098                         }
2099                         if ((*i1 != -1) && ((*i1 < 0) || (*i1 & 0x1) != 0)) {
2100                                 /* Negative or not 16 bit aligned offset */
2101                                 return (EINVAL);
2102                         }
2103                         if (checkonly)
2104                                 break;
2105 
2106                         mutex_enter(&connp->conn_lock);
2107                         if (*i1 == -1) {
2108                                 ixa->ixa_flags &= ~IXAF_SET_RAW_CKSUM;
2109                                 ixa->ixa_raw_cksum_offset = 0;
2110                                 ixa->ixa_flags &= ~IXAF_SET_ULP_CKSUM;
2111                         } else {
2112                                 ixa->ixa_flags |= IXAF_SET_RAW_CKSUM;
2113                                 ixa->ixa_raw_cksum_offset = *i1;
2114                                 ixa->ixa_flags |= IXAF_SET_ULP_CKSUM;
2115                         }
2116                         mutex_exit(&connp->conn_lock);
2117                         break;
2118                 }
2119                 break;
2120 
2121         case IPPROTO_ICMPV6:
2122                 /*
2123                  * Only allow IPv6 option processing on IPv6 sockets.
2124                  */
2125                 if (connp->conn_family != AF_INET6)
2126                         return (EINVAL);
2127                 if (connp->conn_proto != IPPROTO_ICMPV6)
2128                         return (EINVAL);
2129 
2130                 switch (name) {
2131                 case ICMP6_FILTER:
2132                         if (checkonly)
2133                                 break;
2134 
2135                         if ((inlen != 0) &&
2136                             (inlen != sizeof (icmp6_filter_t)))
2137                                 return (EINVAL);
2138 
2139                         mutex_enter(&connp->conn_lock);
2140                         if (inlen == 0) {
2141                                 if (icmp->icmp_filter != NULL) {
2142                                         kmem_free(icmp->icmp_filter,
2143                                             sizeof (icmp6_filter_t));
2144                                         icmp->icmp_filter = NULL;
2145                                 }
2146                         } else {
2147                                 if (icmp->icmp_filter == NULL) {
2148                                         icmp->icmp_filter = kmem_alloc(
2149                                             sizeof (icmp6_filter_t),
2150                                             KM_NOSLEEP);
2151                                         if (icmp->icmp_filter == NULL) {
2152                                                 mutex_exit(&connp->conn_lock);
2153                                                 return (ENOBUFS);
2154                                         }
2155                                 }
2156                                 (void) bcopy(invalp, icmp->icmp_filter, inlen);
2157                         }
2158                         mutex_exit(&connp->conn_lock);
2159                         break;
2160                 }
2161                 break;
2162         }
2163         error = conn_opt_set(coa, level, name, inlen, invalp,
2164             checkonly, cr);
2165         return (error);
2166 }
2167 
2168 /*
2169  * This routine sets socket options.
2170  */
2171 int
2172 icmp_opt_set(conn_t *connp, uint_t optset_context, int level, int name,
2173     uint_t inlen, uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp,
2174     void *thisdg_attrs, cred_t *cr)
2175 {
2176         icmp_t          *icmp = connp->conn_icmp;
2177         int             err;
2178         conn_opt_arg_t  coas, *coa;
2179         boolean_t       checkonly;
2180         icmp_stack_t    *is = icmp->icmp_is;
2181 
2182         switch (optset_context) {
2183         case SETFN_OPTCOM_CHECKONLY:
2184                 checkonly = B_TRUE;
2185                 /*
2186                  * Note: Implies T_CHECK semantics for T_OPTCOM_REQ
2187                  * inlen != 0 implies value supplied and
2188                  *      we have to "pretend" to set it.
2189                  * inlen == 0 implies that there is no
2190                  *      value part in T_CHECK request and just validation
2191                  * done elsewhere should be enough, we just return here.
2192                  */
2193                 if (inlen == 0) {
2194                         *outlenp = 0;
2195                         return (0);
2196                 }
2197                 break;
2198         case SETFN_OPTCOM_NEGOTIATE:
2199                 checkonly = B_FALSE;
2200                 break;
2201         case SETFN_UD_NEGOTIATE:
2202         case SETFN_CONN_NEGOTIATE:
2203                 checkonly = B_FALSE;
2204                 /*
2205                  * Negotiating local and "association-related" options
2206                  * through T_UNITDATA_REQ.
2207                  *
2208                  * Following routine can filter out ones we do not
2209                  * want to be "set" this way.
2210                  */
2211                 if (!icmp_opt_allow_udr_set(level, name)) {
2212                         *outlenp = 0;
2213                         return (EINVAL);
2214                 }
2215                 break;
2216         default:
2217                 /*
2218                  * We should never get here
2219                  */
2220                 *outlenp = 0;
2221                 return (EINVAL);
2222         }
2223 
2224         ASSERT((optset_context != SETFN_OPTCOM_CHECKONLY) ||
2225             (optset_context == SETFN_OPTCOM_CHECKONLY && inlen != 0));
2226 
2227         if (thisdg_attrs != NULL) {
2228                 /* Options from T_UNITDATA_REQ */
2229                 coa = (conn_opt_arg_t *)thisdg_attrs;
2230                 ASSERT(coa->coa_connp == connp);
2231                 ASSERT(coa->coa_ixa != NULL);
2232                 ASSERT(coa->coa_ipp != NULL);
2233                 ASSERT(coa->coa_ancillary);
2234         } else {
2235                 coa = &coas;
2236                 coas.coa_connp = connp;
2237                 /* Get a reference on conn_ixa to prevent concurrent mods */
2238                 coas.coa_ixa = conn_get_ixa(connp, B_TRUE);
2239                 if (coas.coa_ixa == NULL) {
2240                         *outlenp = 0;
2241                         return (ENOMEM);
2242                 }
2243                 coas.coa_ipp = &connp->conn_xmit_ipp;
2244                 coas.coa_ancillary = B_FALSE;
2245                 coas.coa_changed = 0;
2246         }
2247 
2248         err = icmp_do_opt_set(coa, level, name, inlen, invalp,
2249             cr, checkonly);
2250         if (err != 0) {
2251 errout:
2252                 if (!coa->coa_ancillary)
2253                         ixa_refrele(coa->coa_ixa);
2254                 *outlenp = 0;
2255                 return (err);
2256         }
2257 
2258         /*
2259          * Common case of OK return with outval same as inval.
2260          */
2261         if (invalp != outvalp) {
2262                 /* don't trust bcopy for identical src/dst */
2263                 (void) bcopy(invalp, outvalp, inlen);
2264         }
2265         *outlenp = inlen;
2266 
2267         /*
2268          * If this was not ancillary data, then we rebuild the headers,
2269          * update the IRE/NCE, and IPsec as needed.
2270          * Since the label depends on the destination we go through
2271          * ip_set_destination first.
2272          */
2273         if (coa->coa_ancillary) {
2274                 return (0);
2275         }
2276 
2277         if (coa->coa_changed & COA_ROUTE_CHANGED) {
2278                 in6_addr_t saddr, faddr, nexthop;
2279                 in_port_t fport;
2280 
2281                 /*
2282                  * We clear lastdst to make sure we pick up the change
2283                  * next time sending.
2284                  * If we are connected we re-cache the information.
2285                  * We ignore errors to preserve BSD behavior.
2286                  * Note that we don't redo IPsec policy lookup here
2287                  * since the final destination (or source) didn't change.
2288                  */
2289                 mutex_enter(&connp->conn_lock);
2290                 connp->conn_v6lastdst = ipv6_all_zeros;
2291 
2292                 ip_attr_nexthop(coa->coa_ipp, coa->coa_ixa,
2293                     &connp->conn_faddr_v6, &nexthop);
2294                 saddr = connp->conn_saddr_v6;
2295                 faddr = connp->conn_faddr_v6;
2296                 fport = connp->conn_fport;
2297                 mutex_exit(&connp->conn_lock);
2298 
2299                 if (!IN6_IS_ADDR_UNSPECIFIED(&faddr) &&
2300                     !IN6_IS_ADDR_V4MAPPED_ANY(&faddr)) {
2301                         (void) ip_attr_connect(connp, coa->coa_ixa,
2302                             &saddr, &faddr, &nexthop, fport, NULL, NULL,
2303                             IPDF_ALLOW_MCBC | IPDF_VERIFY_DST);
2304                 }
2305         }
2306 
2307         ixa_refrele(coa->coa_ixa);
2308 
2309         if (coa->coa_changed & COA_HEADER_CHANGED) {
2310                 /*
2311                  * Rebuild the header template if we are connected.
2312                  * Otherwise clear conn_v6lastdst so we rebuild the header
2313                  * in the data path.
2314                  */
2315                 mutex_enter(&connp->conn_lock);
2316                 if (!IN6_IS_ADDR_UNSPECIFIED(&connp->conn_faddr_v6) &&
2317                     !IN6_IS_ADDR_V4MAPPED_ANY(&connp->conn_faddr_v6)) {
2318                         err = icmp_build_hdr_template(connp,
2319                             &connp->conn_saddr_v6, &connp->conn_faddr_v6,
2320                             connp->conn_flowinfo);
2321                         if (err != 0) {
2322                                 mutex_exit(&connp->conn_lock);
2323                                 return (err);
2324                         }
2325                 } else {
2326                         connp->conn_v6lastdst = ipv6_all_zeros;
2327                 }
2328                 mutex_exit(&connp->conn_lock);
2329         }
2330         if (coa->coa_changed & COA_RCVBUF_CHANGED) {
2331                 (void) proto_set_rx_hiwat(connp->conn_rq, connp,
2332                     connp->conn_rcvbuf);
2333         }
2334         if ((coa->coa_changed & COA_SNDBUF_CHANGED) && !IPCL_IS_NONSTR(connp)) {
2335                 connp->conn_wq->q_hiwat = connp->conn_sndbuf;
2336         }
2337         if (coa->coa_changed & COA_WROFF_CHANGED) {
2338                 /* Increase wroff if needed */
2339                 uint_t wroff;
2340 
2341                 mutex_enter(&connp->conn_lock);
2342                 wroff = connp->conn_ht_iphc_allocated + is->is_wroff_extra;
2343                 if (wroff > connp->conn_wroff) {
2344                         connp->conn_wroff = wroff;
2345                         mutex_exit(&connp->conn_lock);
2346                         (void) proto_set_tx_wroff(connp->conn_rq, connp, wroff);
2347                 } else {
2348                         mutex_exit(&connp->conn_lock);
2349                 }
2350         }
2351         if (coa->coa_changed & COA_ICMP_BIND_NEEDED) {
2352                 icmp_bind_proto(icmp);
2353         }
2354         return (err);
2355 }
2356 
2357 /* This routine sets socket options. */
2358 int
2359 icmp_tpi_opt_set(queue_t *q, uint_t optset_context, int level, int name,
2360     uint_t inlen, uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp,
2361     void *thisdg_attrs, cred_t *cr)
2362 {
2363         conn_t  *connp = Q_TO_CONN(q);
2364         int error;
2365 
2366         error = icmp_opt_set(connp, optset_context, level, name, inlen, invalp,
2367             outlenp, outvalp, thisdg_attrs, cr);
2368         return (error);
2369 }
2370 
2371 /*
2372  * Setup IP headers.
2373  *
2374  * Note that IP_HDRINCL has ipha_protocol that is different than conn_proto,
2375  * but icmp_output_hdrincl restores ipha_protocol once we return.
2376  */
2377 mblk_t *
2378 icmp_prepend_hdr(conn_t *connp, ip_xmit_attr_t *ixa, const ip_pkt_t *ipp,
2379     const in6_addr_t *v6src, const in6_addr_t *v6dst, uint32_t flowinfo,
2380     mblk_t *data_mp, int *errorp)
2381 {
2382         mblk_t          *mp;
2383         icmp_stack_t    *is = connp->conn_netstack->netstack_icmp;
2384         uint_t          data_len;
2385         uint32_t        cksum;
2386 
2387         data_len = msgdsize(data_mp);
2388         mp = conn_prepend_hdr(ixa, ipp, v6src, v6dst, connp->conn_proto,
2389             flowinfo, 0, data_mp, data_len, is->is_wroff_extra, &cksum, errorp);
2390         if (mp == NULL) {
2391                 ASSERT(*errorp != 0);
2392                 return (NULL);
2393         }
2394 
2395         ixa->ixa_pktlen = data_len + ixa->ixa_ip_hdr_length;
2396 
2397         /*
2398          * If there was a routing option/header then conn_prepend_hdr
2399          * has massaged it and placed the pseudo-header checksum difference
2400          * in the cksum argument.
2401          *
2402          * Prepare for ICMPv6 checksum done in IP.
2403          *
2404          * We make it easy for IP to include our pseudo header
2405          * by putting our length (and any routing header adjustment)
2406          * in the ICMPv6 checksum field.
2407          * The IP source, destination, and length have already been set by
2408          * conn_prepend_hdr.
2409          */
2410         cksum += data_len;
2411         cksum = (cksum >> 16) + (cksum & 0xFFFF);
2412         ASSERT(cksum < 0x10000);
2413 
2414         if (ixa->ixa_flags & IXAF_IS_IPV4) {
2415                 ipha_t  *ipha = (ipha_t *)mp->b_rptr;
2416 
2417                 ASSERT(ntohs(ipha->ipha_length) == ixa->ixa_pktlen);
2418         } else {
2419                 ip6_t   *ip6h = (ip6_t *)mp->b_rptr;
2420                 uint_t  cksum_offset = 0;
2421 
2422                 ASSERT(ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN == ixa->ixa_pktlen);
2423 
2424                 if (ixa->ixa_flags & IXAF_SET_ULP_CKSUM) {
2425                         if (connp->conn_proto == IPPROTO_ICMPV6) {
2426                                 cksum_offset = ixa->ixa_ip_hdr_length +
2427                                     offsetof(icmp6_t, icmp6_cksum);
2428                         } else if (ixa->ixa_flags & IXAF_SET_RAW_CKSUM) {
2429                                 cksum_offset = ixa->ixa_ip_hdr_length +
2430                                     ixa->ixa_raw_cksum_offset;
2431                         }
2432                 }
2433                 if (cksum_offset != 0) {
2434                         uint16_t *ptr;
2435 
2436                         /* Make sure the checksum fits in the first mblk */
2437                         if (cksum_offset + sizeof (short) > MBLKL(mp)) {
2438                                 mblk_t *mp1;
2439 
2440                                 mp1 = msgpullup(mp,
2441                                     cksum_offset + sizeof (short));
2442                                 freemsg(mp);
2443                                 if (mp1 == NULL) {
2444                                         *errorp = ENOMEM;
2445                                         return (NULL);
2446                                 }
2447                                 mp = mp1;
2448                                 ip6h = (ip6_t *)mp->b_rptr;
2449                         }
2450                         ptr = (uint16_t *)(mp->b_rptr + cksum_offset);
2451                         *ptr = htons(cksum);
2452                 }
2453         }
2454 
2455         /* Note that we don't try to update wroff due to ancillary data */
2456         return (mp);
2457 }
2458 
2459 static int
2460 icmp_build_hdr_template(conn_t *connp, const in6_addr_t *v6src,
2461     const in6_addr_t *v6dst, uint32_t flowinfo)
2462 {
2463         int             error;
2464 
2465         ASSERT(MUTEX_HELD(&connp->conn_lock));
2466         /*
2467          * We clear lastdst to make sure we don't use the lastdst path
2468          * next time sending since we might not have set v6dst yet.
2469          */
2470         connp->conn_v6lastdst = ipv6_all_zeros;
2471 
2472         error = conn_build_hdr_template(connp, 0, 0, v6src, v6dst, flowinfo);
2473         if (error != 0)
2474                 return (error);
2475 
2476         /*
2477          * Any routing header/option has been massaged. The checksum difference
2478          * is stored in conn_sum.
2479          */
2480         return (0);
2481 }
2482 
2483 static mblk_t *
2484 icmp_queue_fallback(icmp_t *icmp, mblk_t *mp)
2485 {
2486         ASSERT(MUTEX_HELD(&icmp->icmp_recv_lock));
2487         if (IPCL_IS_NONSTR(icmp->icmp_connp)) {
2488                 /*
2489                  * fallback has started but messages have not been moved yet
2490                  */
2491                 if (icmp->icmp_fallback_queue_head == NULL) {
2492                         ASSERT(icmp->icmp_fallback_queue_tail == NULL);
2493                         icmp->icmp_fallback_queue_head = mp;
2494                         icmp->icmp_fallback_queue_tail = mp;
2495                 } else {
2496                         ASSERT(icmp->icmp_fallback_queue_tail != NULL);
2497                         icmp->icmp_fallback_queue_tail->b_next = mp;
2498                         icmp->icmp_fallback_queue_tail = mp;
2499                 }
2500                 return (NULL);
2501         } else {
2502                 /*
2503                  * Fallback completed, let the caller putnext() the mblk.
2504                  */
2505                 return (mp);
2506         }
2507 }
2508 
2509 /*
2510  * Deliver data to ULP. In case we have a socket, and it's falling back to
2511  * TPI, then we'll queue the mp for later processing.
2512  */
2513 static void
2514 icmp_ulp_recv(conn_t *connp, mblk_t *mp, uint_t len)
2515 {
2516         if (IPCL_IS_NONSTR(connp)) {
2517                 icmp_t *icmp = connp->conn_icmp;
2518                 int error;
2519 
2520                 ASSERT(len == msgdsize(mp));
2521                 if ((*connp->conn_upcalls->su_recv)
2522                     (connp->conn_upper_handle, mp, len, 0, &error, NULL) < 0) {
2523                         mutex_enter(&icmp->icmp_recv_lock);
2524                         if (error == ENOSPC) {
2525                                 /*
2526                                  * let's confirm while holding the lock
2527                                  */
2528                                 if ((*connp->conn_upcalls->su_recv)
2529                                     (connp->conn_upper_handle, NULL, 0, 0,
2530                                     &error, NULL) < 0) {
2531                                         ASSERT(error == ENOSPC);
2532                                         if (error == ENOSPC) {
2533                                                 connp->conn_flow_cntrld =
2534                                                     B_TRUE;
2535                                         }
2536                                 }
2537                                 mutex_exit(&icmp->icmp_recv_lock);
2538                         } else {
2539                                 ASSERT(error == EOPNOTSUPP);
2540                                 mp = icmp_queue_fallback(icmp, mp);
2541                                 mutex_exit(&icmp->icmp_recv_lock);
2542                                 if (mp != NULL)
2543                                         putnext(connp->conn_rq, mp);
2544                         }
2545                 }
2546                 ASSERT(MUTEX_NOT_HELD(&icmp->icmp_recv_lock));
2547         } else {
2548                 putnext(connp->conn_rq, mp);
2549         }
2550 }
2551 
2552 /*
2553  * This is the inbound data path.
2554  * IP has already pulled up the IP headers and verified alignment
2555  * etc.
2556  */
2557 /* ARGSUSED2 */
2558 static void
2559 icmp_input(void *arg1, mblk_t *mp, void *arg2, ip_recv_attr_t *ira)
2560 {
2561         conn_t                  *connp = (conn_t *)arg1;
2562         struct T_unitdata_ind   *tudi;
2563         uchar_t                 *rptr;          /* Pointer to IP header */
2564         int                     ip_hdr_length;
2565         int                     udi_size;       /* Size of T_unitdata_ind */
2566         int                     pkt_len;
2567         icmp_t                  *icmp;
2568         ip_pkt_t                ipps;
2569         ip6_t                   *ip6h;
2570         mblk_t                  *mp1;
2571         crb_t                   recv_ancillary;
2572         icmp_stack_t            *is;
2573         sin_t                   *sin;
2574         sin6_t                  *sin6;
2575         ipha_t                  *ipha;
2576 
2577         ASSERT(connp->conn_flags & IPCL_RAWIPCONN);
2578 
2579         icmp = connp->conn_icmp;
2580         is = icmp->icmp_is;
2581         rptr = mp->b_rptr;
2582 
2583         ASSERT(DB_TYPE(mp) == M_DATA);
2584         ASSERT(OK_32PTR(rptr));
2585         ASSERT(ira->ira_pktlen == msgdsize(mp));
2586         pkt_len = ira->ira_pktlen;
2587 
2588         /*
2589          * Get a snapshot of these and allow other threads to change
2590          * them after that. We need the same recv_ancillary when determining
2591          * the size as when adding the ancillary data items.
2592          */
2593         mutex_enter(&connp->conn_lock);
2594         recv_ancillary = connp->conn_recv_ancillary;
2595         mutex_exit(&connp->conn_lock);
2596 
2597         ip_hdr_length = ira->ira_ip_hdr_length;
2598         ASSERT(MBLKL(mp) >= ip_hdr_length);  /* IP did a pullup */
2599 
2600         /* Initialize regardless of IP version */
2601         ipps.ipp_fields = 0;
2602 
2603         if (ira->ira_flags & IRAF_IS_IPV4) {
2604                 ASSERT(IPH_HDR_VERSION(rptr) == IPV4_VERSION);
2605                 ASSERT(MBLKL(mp) >= sizeof (ipha_t));
2606                 ASSERT(ira->ira_ip_hdr_length == IPH_HDR_LENGTH(rptr));
2607 
2608                 ipha = (ipha_t *)mp->b_rptr;
2609                 if (recv_ancillary.crb_all != 0)
2610                         (void) ip_find_hdr_v4(ipha, &ipps, B_FALSE);
2611 
2612                 /*
2613                  * BSD for some reason adjusts ipha_length to exclude the
2614                  * IP header length. We do the same.
2615                  */
2616                 if (is->is_bsd_compat) {
2617                         ushort_t len;
2618 
2619                         len = ntohs(ipha->ipha_length);
2620                         if (mp->b_datap->db_ref > 1) {
2621                                 /*
2622                                  * Allocate a new IP header so that we can
2623                                  * modify ipha_length.
2624                                  */
2625                                 mblk_t  *mp1;
2626 
2627                                 mp1 = allocb(ip_hdr_length, BPRI_MED);
2628                                 if (mp1 == NULL) {
2629                                         freemsg(mp);
2630                                         BUMP_MIB(&is->is_rawip_mib,
2631                                             rawipInErrors);
2632                                         return;
2633                                 }
2634                                 bcopy(rptr, mp1->b_rptr, ip_hdr_length);
2635                                 mp->b_rptr = rptr + ip_hdr_length;
2636                                 rptr = mp1->b_rptr;
2637                                 ipha = (ipha_t *)rptr;
2638                                 mp1->b_cont = mp;
2639                                 mp1->b_wptr = rptr + ip_hdr_length;
2640                                 mp = mp1;
2641                         }
2642                         len -= ip_hdr_length;
2643                         ipha->ipha_length = htons(len);
2644                 }
2645 
2646                 /*
2647                  * For RAW sockets we not pass ICMP/IPv4 packets to AF_INET6
2648                  * sockets. This is ensured by icmp_bind and the IP fanout code.
2649                  */
2650                 ASSERT(connp->conn_family == AF_INET);
2651 
2652                 /*
2653                  * This is the inbound data path.  Packets are passed upstream
2654                  * as T_UNITDATA_IND messages with full IPv4 headers still
2655                  * attached.
2656                  */
2657 
2658                 /*
2659                  * Normally only send up the source address.
2660                  * If any ancillary data items are wanted we add those.
2661                  */
2662                 udi_size = sizeof (struct T_unitdata_ind) + sizeof (sin_t);
2663                 if (recv_ancillary.crb_all != 0) {
2664                         udi_size += conn_recvancillary_size(connp,
2665                             recv_ancillary, ira, mp, &ipps);
2666                 }
2667 
2668                 /* Allocate a message block for the T_UNITDATA_IND structure. */
2669                 mp1 = allocb(udi_size, BPRI_MED);
2670                 if (mp1 == NULL) {
2671                         freemsg(mp);
2672                         BUMP_MIB(&is->is_rawip_mib, rawipInErrors);
2673                         return;
2674                 }
2675                 mp1->b_cont = mp;
2676                 tudi = (struct T_unitdata_ind *)mp1->b_rptr;
2677                 mp1->b_datap->db_type = M_PROTO;
2678                 mp1->b_wptr = (uchar_t *)tudi + udi_size;
2679                 tudi->PRIM_type = T_UNITDATA_IND;
2680                 tudi->SRC_length = sizeof (sin_t);
2681                 tudi->SRC_offset = sizeof (struct T_unitdata_ind);
2682                 sin = (sin_t *)&tudi[1];
2683                 *sin = sin_null;
2684                 sin->sin_family = AF_INET;
2685                 sin->sin_addr.s_addr = ipha->ipha_src;
2686                 *(uint32_t *)&sin->sin_zero[0] = 0;
2687                 *(uint32_t *)&sin->sin_zero[4] = 0;
2688                 tudi->OPT_offset =  sizeof (struct T_unitdata_ind) +
2689                     sizeof (sin_t);
2690                 udi_size -= (sizeof (struct T_unitdata_ind) + sizeof (sin_t));
2691                 tudi->OPT_length = udi_size;
2692 
2693                 /*
2694                  * Add options if IP_RECVIF etc is set
2695                  */
2696                 if (udi_size != 0) {
2697                         conn_recvancillary_add(connp, recv_ancillary, ira,
2698                             &ipps, (uchar_t *)&sin[1], udi_size);
2699                 }
2700                 goto deliver;
2701         }
2702 
2703         ASSERT(IPH_HDR_VERSION(rptr) == IPV6_VERSION);
2704         /*
2705          * IPv6 packets can only be received by applications
2706          * that are prepared to receive IPv6 addresses.
2707          * The IP fanout must ensure this.
2708          */
2709         ASSERT(connp->conn_family == AF_INET6);
2710 
2711         /*
2712          * Handle IPv6 packets. We don't pass up the IP headers with the
2713          * payload for IPv6.
2714          */
2715 
2716         ip6h = (ip6_t *)rptr;
2717         if (recv_ancillary.crb_all != 0) {
2718                 /*
2719                  * Call on ip_find_hdr_v6 which gets individual lenghts of
2720                  * extension headers (and pointers to them).
2721                  */
2722                 uint8_t         nexthdr;
2723 
2724                 /* We don't care about the length or nextheader. */
2725                 (void) ip_find_hdr_v6(mp, ip6h, B_TRUE, &ipps, &nexthdr);
2726 
2727                 /*
2728                  * We do not pass up hop-by-hop options or any other
2729                  * extension header as part of the packet. Applications
2730                  * that want to see them have to specify IPV6_RECV* socket
2731                  * options. And conn_recvancillary_size/add explicitly
2732                  * drops the TX option from IPV6_HOPOPTS as it does for UDP.
2733                  *
2734                  * If we had multilevel ICMP sockets, then we'd want to
2735                  * modify conn_recvancillary_size/add to
2736                  * allow the user to see the label.
2737                  */
2738         }
2739 
2740         /*
2741          * Check a filter for ICMPv6 types if needed.
2742          * Verify raw checksums if needed.
2743          */
2744         mutex_enter(&connp->conn_lock);
2745         if (icmp->icmp_filter != NULL) {
2746                 int type;
2747 
2748                 /* Assumes that IP has done the pullupmsg */
2749                 type = mp->b_rptr[ip_hdr_length];
2750 
2751                 ASSERT(mp->b_rptr + ip_hdr_length <= mp->b_wptr);
2752                 if (ICMP6_FILTER_WILLBLOCK(type, icmp->icmp_filter)) {
2753                         mutex_exit(&connp->conn_lock);
2754                         freemsg(mp);
2755                         return;
2756                 }
2757         }
2758         if (connp->conn_ixa->ixa_flags & IXAF_SET_RAW_CKSUM) {
2759                 /* Checksum */
2760                 uint16_t        *up;
2761                 uint32_t        sum;
2762                 int             remlen;
2763 
2764                 up = (uint16_t *)&ip6h->ip6_src;
2765 
2766                 remlen = msgdsize(mp) - ip_hdr_length;
2767                 sum = htons(connp->conn_proto + remlen)
2768                     + up[0] + up[1] + up[2] + up[3]
2769                     + up[4] + up[5] + up[6] + up[7]
2770                     + up[8] + up[9] + up[10] + up[11]
2771                     + up[12] + up[13] + up[14] + up[15];
2772                 sum = (sum & 0xffff) + (sum >> 16);
2773                 sum = IP_CSUM(mp, ip_hdr_length, sum);
2774                 if (sum != 0) {
2775                         /* IPv6 RAW checksum failed */
2776                         ip0dbg(("icmp_rput: RAW checksum failed %x\n", sum));
2777                         mutex_exit(&connp->conn_lock);
2778                         freemsg(mp);
2779                         BUMP_MIB(&is->is_rawip_mib, rawipInCksumErrs);
2780                         return;
2781                 }
2782         }
2783         mutex_exit(&connp->conn_lock);
2784 
2785         udi_size = sizeof (struct T_unitdata_ind) + sizeof (sin6_t);
2786 
2787         if (recv_ancillary.crb_all != 0) {
2788                 udi_size += conn_recvancillary_size(connp,
2789                     recv_ancillary, ira, mp, &ipps);
2790         }
2791 
2792         mp1 = allocb(udi_size, BPRI_MED);
2793         if (mp1 == NULL) {
2794                 freemsg(mp);
2795                 BUMP_MIB(&is->is_rawip_mib, rawipInErrors);
2796                 return;
2797         }
2798         mp1->b_cont = mp;
2799         mp1->b_datap->db_type = M_PROTO;
2800         tudi = (struct T_unitdata_ind *)mp1->b_rptr;
2801         mp1->b_wptr = (uchar_t *)tudi + udi_size;
2802         tudi->PRIM_type = T_UNITDATA_IND;
2803         tudi->SRC_length = sizeof (sin6_t);
2804         tudi->SRC_offset = sizeof (struct T_unitdata_ind);
2805         tudi->OPT_offset = sizeof (struct T_unitdata_ind) + sizeof (sin6_t);
2806         udi_size -= (sizeof (struct T_unitdata_ind) + sizeof (sin6_t));
2807         tudi->OPT_length = udi_size;
2808         sin6 = (sin6_t *)&tudi[1];
2809         *sin6 = sin6_null;
2810         sin6->sin6_port = 0;
2811         sin6->sin6_family = AF_INET6;
2812 
2813         sin6->sin6_addr = ip6h->ip6_src;
2814         /* No sin6_flowinfo per API */
2815         sin6->sin6_flowinfo = 0;
2816         /* For link-scope pass up scope id */
2817         if (IN6_IS_ADDR_LINKSCOPE(&ip6h->ip6_src))
2818                 sin6->sin6_scope_id = ira->ira_ruifindex;
2819         else
2820                 sin6->sin6_scope_id = 0;
2821         sin6->__sin6_src_id = ip_srcid_find_addr(&ip6h->ip6_dst,
2822             IPCL_ZONEID(connp), is->is_netstack);
2823 
2824         if (udi_size != 0) {
2825                 conn_recvancillary_add(connp, recv_ancillary, ira,
2826                     &ipps, (uchar_t *)&sin6[1], udi_size);
2827         }
2828 
2829         /* Skip all the IPv6 headers per API */
2830         mp->b_rptr += ip_hdr_length;
2831         pkt_len -= ip_hdr_length;
2832 
2833 deliver:
2834         BUMP_MIB(&is->is_rawip_mib, rawipInDatagrams);
2835         icmp_ulp_recv(connp, mp1, pkt_len);
2836 }
2837 
2838 /*
2839  * return SNMP stuff in buffer in mpdata. We don't hold any lock and report
2840  * information that can be changing beneath us.
2841  */
2842 mblk_t *
2843 icmp_snmp_get(queue_t *q, mblk_t *mpctl)
2844 {
2845         mblk_t                  *mpdata;
2846         struct opthdr           *optp;
2847         conn_t                  *connp = Q_TO_CONN(q);
2848         icmp_stack_t            *is = connp->conn_netstack->netstack_icmp;
2849         mblk_t                  *mp2ctl;
2850 
2851         /*
2852          * make a copy of the original message
2853          */
2854         mp2ctl = copymsg(mpctl);
2855 
2856         if (mpctl == NULL ||
2857             (mpdata = mpctl->b_cont) == NULL) {
2858                 freemsg(mpctl);
2859                 freemsg(mp2ctl);
2860                 return (0);
2861         }
2862 
2863         /* fixed length structure for IPv4 and IPv6 counters */
2864         optp = (struct opthdr *)&mpctl->b_rptr[sizeof (struct T_optmgmt_ack)];
2865         optp->level = EXPER_RAWIP;
2866         optp->name = 0;
2867         (void) snmp_append_data(mpdata, (char *)&is->is_rawip_mib,
2868             sizeof (is->is_rawip_mib));
2869         optp->len = msgdsize(mpdata);
2870         qreply(q, mpctl);
2871 
2872         return (mp2ctl);
2873 }
2874 
2875 /*
2876  * Return 0 if invalid set request, 1 otherwise, including non-rawip requests.
2877  * TODO:  If this ever actually tries to set anything, it needs to be
2878  * to do the appropriate locking.
2879  */
2880 /* ARGSUSED */
2881 int
2882 icmp_snmp_set(queue_t *q, t_scalar_t level, t_scalar_t name,
2883     uchar_t *ptr, int len)
2884 {
2885         switch (level) {
2886         case EXPER_RAWIP:
2887                 return (0);
2888         default:
2889                 return (1);
2890         }
2891 }
2892 
2893 /*
2894  * This routine creates a T_UDERROR_IND message and passes it upstream.
2895  * The address and options are copied from the T_UNITDATA_REQ message
2896  * passed in mp.  This message is freed.
2897  */
2898 static void
2899 icmp_ud_err(queue_t *q, mblk_t *mp, t_scalar_t err)
2900 {
2901         struct T_unitdata_req *tudr;
2902         mblk_t  *mp1;
2903         uchar_t *destaddr;
2904         t_scalar_t destlen;
2905         uchar_t *optaddr;
2906         t_scalar_t optlen;
2907 
2908         if ((mp->b_wptr < mp->b_rptr) ||
2909             (MBLKL(mp)) < sizeof (struct T_unitdata_req)) {
2910                 goto done;
2911         }
2912         tudr = (struct T_unitdata_req *)mp->b_rptr;
2913         destaddr = mp->b_rptr + tudr->DEST_offset;
2914         if (destaddr < mp->b_rptr || destaddr >= mp->b_wptr ||
2915             destaddr + tudr->DEST_length < mp->b_rptr ||
2916             destaddr + tudr->DEST_length > mp->b_wptr) {
2917                 goto done;
2918         }
2919         optaddr = mp->b_rptr + tudr->OPT_offset;
2920         if (optaddr < mp->b_rptr || optaddr >= mp->b_wptr ||
2921             optaddr + tudr->OPT_length < mp->b_rptr ||
2922             optaddr + tudr->OPT_length > mp->b_wptr) {
2923                 goto done;
2924         }
2925         destlen = tudr->DEST_length;
2926         optlen = tudr->OPT_length;
2927 
2928         mp1 = mi_tpi_uderror_ind((char *)destaddr, destlen,
2929             (char *)optaddr, optlen, err);
2930         if (mp1 != NULL)
2931                 qreply(q, mp1);
2932 
2933 done:
2934         freemsg(mp);
2935 }
2936 
2937 static int
2938 rawip_do_unbind(conn_t *connp)
2939 {
2940         icmp_t  *icmp = connp->conn_icmp;
2941 
2942         mutex_enter(&connp->conn_lock);
2943         /* If a bind has not been done, we can't unbind. */
2944         if (icmp->icmp_state == TS_UNBND) {
2945                 mutex_exit(&connp->conn_lock);
2946                 return (-TOUTSTATE);
2947         }
2948         connp->conn_saddr_v6 = ipv6_all_zeros;
2949         connp->conn_bound_addr_v6 = ipv6_all_zeros;
2950         connp->conn_laddr_v6 = ipv6_all_zeros;
2951         connp->conn_mcbc_bind = B_FALSE;
2952         connp->conn_lport = 0;
2953         connp->conn_fport = 0;
2954         /* In case we were also connected */
2955         connp->conn_faddr_v6 = ipv6_all_zeros;
2956         connp->conn_v6lastdst = ipv6_all_zeros;
2957 
2958         icmp->icmp_state = TS_UNBND;
2959 
2960         (void) icmp_build_hdr_template(connp, &connp->conn_saddr_v6,
2961             &connp->conn_faddr_v6, connp->conn_flowinfo);
2962         mutex_exit(&connp->conn_lock);
2963 
2964         ip_unbind(connp);
2965         return (0);
2966 }
2967 
2968 /*
2969  * This routine is called by icmp_wput to handle T_UNBIND_REQ messages.
2970  * After some error checking, the message is passed downstream to ip.
2971  */
2972 static void
2973 icmp_tpi_unbind(queue_t *q, mblk_t *mp)
2974 {
2975         conn_t  *connp = Q_TO_CONN(q);
2976         int     error;
2977 
2978         ASSERT(mp->b_cont == NULL);
2979         error = rawip_do_unbind(connp);
2980         if (error) {
2981                 if (error < 0) {
2982                         icmp_err_ack(q, mp, -error, 0);
2983                 } else {
2984                         icmp_err_ack(q, mp, 0, error);
2985                 }
2986                 return;
2987         }
2988 
2989         /*
2990          * Convert mp into a T_OK_ACK
2991          */
2992 
2993         mp = mi_tpi_ok_ack_alloc(mp);
2994 
2995         /*
2996          * should not happen in practice... T_OK_ACK is smaller than the
2997          * original message.
2998          */
2999         ASSERT(mp != NULL);
3000         ASSERT(((struct T_ok_ack *)mp->b_rptr)->PRIM_type == T_OK_ACK);
3001         qreply(q, mp);
3002 }
3003 
3004 /*
3005  * Process IPv4 packets that already include an IP header.
3006  * Used when IP_HDRINCL has been set (implicit for IPPROTO_RAW and
3007  * IPPROTO_IGMP).
3008  * In this case we ignore the address and any options in the T_UNITDATA_REQ.
3009  *
3010  * The packet is assumed to have a base (20 byte) IP header followed
3011  * by the upper-layer protocol. We include any IP_OPTIONS including a
3012  * CIPSO label but otherwise preserve the base IP header.
3013  */
3014 static int
3015 icmp_output_hdrincl(conn_t *connp, mblk_t *mp, cred_t *cr, pid_t pid)
3016 {
3017         icmp_t          *icmp = connp->conn_icmp;
3018         icmp_stack_t    *is = icmp->icmp_is;
3019         ipha_t          iphas;
3020         ipha_t          *ipha;
3021         int             ip_hdr_length;
3022         int             tp_hdr_len;
3023         ip_xmit_attr_t  *ixa;
3024         ip_pkt_t        *ipp;
3025         in6_addr_t      v6src;
3026         in6_addr_t      v6dst;
3027         in6_addr_t      v6nexthop;
3028         int             error;
3029         boolean_t       do_ipsec;
3030 
3031         /*
3032          * We need an exclusive copy of conn_ixa since the included IP
3033          * header could have any destination.
3034          * That copy has no pointers hence we
3035          * need to set them up once we've parsed the ancillary data.
3036          */
3037         ixa = conn_get_ixa_exclusive(connp);
3038         if (ixa == NULL) {
3039                 BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3040                 freemsg(mp);
3041                 return (ENOMEM);
3042         }
3043         ASSERT(cr != NULL);
3044         /*
3045          * Caller has a reference on cr; from db_credp or because we
3046          * are running in process context.
3047          */
3048         ASSERT(!(ixa->ixa_free_flags & IXA_FREE_CRED));
3049         ixa->ixa_cred = cr;
3050         ixa->ixa_cpid = pid;
3051         if (is_system_labeled()) {
3052                 /* We need to restart with a label based on the cred */
3053                 ip_xmit_attr_restore_tsl(ixa, ixa->ixa_cred);
3054         }
3055 
3056         /* In case previous destination was multicast or multirt */
3057         ip_attr_newdst(ixa);
3058 
3059         /* Get a copy of conn_xmit_ipp since the TX label might change it */
3060         ipp = kmem_zalloc(sizeof (*ipp), KM_NOSLEEP);
3061         if (ipp == NULL) {
3062                 ASSERT(!(ixa->ixa_free_flags & IXA_FREE_CRED));
3063                 ixa->ixa_cred = connp->conn_cred; /* Restore */
3064                 ixa->ixa_cpid = connp->conn_cpid;
3065                 ixa_refrele(ixa);
3066                 BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3067                 freemsg(mp);
3068                 return (ENOMEM);
3069         }
3070         mutex_enter(&connp->conn_lock);
3071         error = ip_pkt_copy(&connp->conn_xmit_ipp, ipp, KM_NOSLEEP);
3072         mutex_exit(&connp->conn_lock);
3073         if (error != 0) {
3074                 BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3075                 freemsg(mp);
3076                 goto done;
3077         }
3078 
3079         /* Sanity check length of packet */
3080         ipha = (ipha_t *)mp->b_rptr;
3081 
3082         ip_hdr_length = IP_SIMPLE_HDR_LENGTH;
3083         if ((mp->b_wptr - mp->b_rptr) < IP_SIMPLE_HDR_LENGTH) {
3084                 if (!pullupmsg(mp, IP_SIMPLE_HDR_LENGTH)) {
3085                         BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3086                         freemsg(mp);
3087                         goto done;
3088                 }
3089                 ipha = (ipha_t *)mp->b_rptr;
3090         }
3091         ipha->ipha_version_and_hdr_length =
3092             (IP_VERSION<<4) | (ip_hdr_length>>2);
3093 
3094         /*
3095          * We set IXAF_DONTFRAG if the application set DF which makes
3096          * IP not fragment.
3097          */
3098         ipha->ipha_fragment_offset_and_flags &= htons(IPH_DF);
3099         if (ipha->ipha_fragment_offset_and_flags & htons(IPH_DF))
3100                 ixa->ixa_flags |= (IXAF_DONTFRAG | IXAF_PMTU_IPV4_DF);
3101         else
3102                 ixa->ixa_flags &= ~(IXAF_DONTFRAG | IXAF_PMTU_IPV4_DF);
3103 
3104         /* Even for multicast and broadcast we honor the apps ttl */
3105         ixa->ixa_flags |= IXAF_NO_TTL_CHANGE;
3106 
3107         /*
3108          * No source verification for non-local addresses
3109          */
3110         if (ipha->ipha_src != INADDR_ANY &&
3111             ip_laddr_verify_v4(ipha->ipha_src, ixa->ixa_zoneid,
3112             is->is_netstack->netstack_ip, B_FALSE)
3113             != IPVL_UNICAST_UP) {
3114                 ixa->ixa_flags &= ~IXAF_VERIFY_SOURCE;
3115         }
3116 
3117         if (ipha->ipha_dst == INADDR_ANY)
3118                 ipha->ipha_dst = htonl(INADDR_LOOPBACK);
3119 
3120         IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &v6src);
3121         IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &v6dst);
3122 
3123         /* Defer IPsec if it might need to look at ICMP type/code */
3124         do_ipsec = ipha->ipha_protocol != IPPROTO_ICMP;
3125         ixa->ixa_flags |= IXAF_IS_IPV4;
3126 
3127         ip_attr_nexthop(ipp, ixa, &v6dst, &v6nexthop);
3128         error = ip_attr_connect(connp, ixa, &v6src, &v6dst, &v6nexthop,
3129             connp->conn_fport, &v6src, NULL, IPDF_ALLOW_MCBC | IPDF_VERIFY_DST |
3130             (do_ipsec ? IPDF_IPSEC : 0));
3131         switch (error) {
3132         case 0:
3133                 break;
3134         case EADDRNOTAVAIL:
3135                 /*
3136                  * IXAF_VERIFY_SOURCE tells us to pick a better source.
3137                  * Don't have the application see that errno
3138                  */
3139                 error = ENETUNREACH;
3140                 goto failed;
3141         case ENETDOWN:
3142                 /*
3143                  * Have !ipif_addr_ready address; drop packet silently
3144                  * until we can get applications to not send until we
3145                  * are ready.
3146                  */
3147                 error = 0;
3148                 goto failed;
3149         case EHOSTUNREACH:
3150         case ENETUNREACH:
3151                 if (ixa->ixa_ire != NULL) {
3152                         /*
3153                          * Let conn_ip_output/ire_send_noroute return
3154                          * the error and send any local ICMP error.
3155                          */
3156                         error = 0;
3157                         break;
3158                 }
3159                 /* FALLTHRU */
3160         default:
3161         failed:
3162                 freemsg(mp);
3163                 BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3164                 goto done;
3165         }
3166         if (ipha->ipha_src == INADDR_ANY)
3167                 IN6_V4MAPPED_TO_IPADDR(&v6src, ipha->ipha_src);
3168 
3169         /*
3170          * We might be going to a different destination than last time,
3171          * thus check that TX allows the communication and compute any
3172          * needed label.
3173          *
3174          * TSOL Note: We have an exclusive ipp and ixa for this thread so we
3175          * don't have to worry about concurrent threads.
3176          */
3177         if (is_system_labeled()) {
3178                 /*
3179                  * Check whether Trusted Solaris policy allows communication
3180                  * with this host, and pretend that the destination is
3181                  * unreachable if not.
3182                  * Compute any needed label and place it in ipp_label_v4/v6.
3183                  *
3184                  * Later conn_build_hdr_template/conn_prepend_hdr takes
3185                  * ipp_label_v4/v6 to form the packet.
3186                  *
3187                  * Tsol note: We have ipp structure local to this thread so
3188                  * no locking is needed.
3189                  */
3190                 error = conn_update_label(connp, ixa, &v6dst, ipp);
3191                 if (error != 0) {
3192                         freemsg(mp);
3193                         BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3194                         goto done;
3195                 }
3196         }
3197 
3198         /*
3199          * Save away a copy of the IPv4 header the application passed down
3200          * and then prepend an IPv4 header complete with any IP options
3201          * including label.
3202          * We need a struct copy since icmp_prepend_hdr will reuse the available
3203          * space in the mblk.
3204          */
3205         iphas = *ipha;
3206         mp->b_rptr += IP_SIMPLE_HDR_LENGTH;
3207 
3208         mp = icmp_prepend_hdr(connp, ixa, ipp, &v6src, &v6dst, 0, mp, &error);
3209         if (mp == NULL) {
3210                 BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3211                 ASSERT(error != 0);
3212                 goto done;
3213         }
3214         if (ixa->ixa_pktlen > IP_MAXPACKET) {
3215                 error = EMSGSIZE;
3216                 BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3217                 freemsg(mp);
3218                 goto done;
3219         }
3220         /* Restore key parts of the header that the application passed down */
3221         ipha = (ipha_t *)mp->b_rptr;
3222         ipha->ipha_type_of_service = iphas.ipha_type_of_service;
3223         ipha->ipha_ident = iphas.ipha_ident;
3224         ipha->ipha_fragment_offset_and_flags =
3225             iphas.ipha_fragment_offset_and_flags;
3226         ipha->ipha_ttl = iphas.ipha_ttl;
3227         ipha->ipha_protocol = iphas.ipha_protocol;
3228         ipha->ipha_src = iphas.ipha_src;
3229         ipha->ipha_dst = iphas.ipha_dst;
3230 
3231         ixa->ixa_protocol = ipha->ipha_protocol;
3232 
3233         /*
3234          * Make sure that the IP header plus any transport header that is
3235          * checksumed by ip_output is in the first mblk. (ip_output assumes
3236          * that at least the checksum field is in the first mblk.)
3237          */
3238         switch (ipha->ipha_protocol) {
3239         case IPPROTO_UDP:
3240                 tp_hdr_len = 8;
3241                 break;
3242         case IPPROTO_TCP:
3243                 tp_hdr_len = 20;
3244                 break;
3245         default:
3246                 tp_hdr_len = 0;
3247                 break;
3248         }
3249         ip_hdr_length = IPH_HDR_LENGTH(ipha);
3250         if (mp->b_wptr - mp->b_rptr < ip_hdr_length + tp_hdr_len) {
3251                 if (!pullupmsg(mp, ip_hdr_length + tp_hdr_len)) {
3252                         BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3253                         if (mp->b_cont == NULL)
3254                                 error = EINVAL;
3255                         else
3256                                 error = ENOMEM;
3257                         freemsg(mp);
3258                         goto done;
3259                 }
3260         }
3261 
3262         if (!do_ipsec) {
3263                 /* Policy might differ for different ICMP type/code */
3264                 if (ixa->ixa_ipsec_policy != NULL) {
3265                         IPPOL_REFRELE(ixa->ixa_ipsec_policy);
3266                         ixa->ixa_ipsec_policy = NULL;
3267                         ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
3268                 }
3269                 mp = ip_output_attach_policy(mp, ipha, NULL, connp, ixa);
3270                 if (mp == NULL) {
3271                         BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3272                         error = EHOSTUNREACH;   /* IPsec policy failure */
3273                         goto done;
3274                 }
3275         }
3276 
3277         /* We're done.  Pass the packet to ip. */
3278         BUMP_MIB(&is->is_rawip_mib, rawipOutDatagrams);
3279 
3280         error = conn_ip_output(mp, ixa);
3281         /* No rawipOutErrors if an error since IP increases its error counter */
3282         switch (error) {
3283         case 0:
3284                 break;
3285         case EWOULDBLOCK:
3286                 (void) ixa_check_drain_insert(connp, ixa);
3287                 error = 0;
3288                 break;
3289         case EADDRNOTAVAIL:
3290                 /*
3291                  * IXAF_VERIFY_SOURCE tells us to pick a better source.
3292                  * Don't have the application see that errno
3293                  */
3294                 error = ENETUNREACH;
3295                 break;
3296         }
3297 done:
3298         ASSERT(!(ixa->ixa_free_flags & IXA_FREE_CRED));
3299         ixa->ixa_cred = connp->conn_cred; /* Restore */
3300         ixa->ixa_cpid = connp->conn_cpid;
3301         ixa_refrele(ixa);
3302         ip_pkt_free(ipp);
3303         kmem_free(ipp, sizeof (*ipp));
3304         return (error);
3305 }
3306 
3307 static mblk_t *
3308 icmp_output_attach_policy(mblk_t *mp, conn_t *connp, ip_xmit_attr_t *ixa)
3309 {
3310         ipha_t  *ipha = NULL;
3311         ip6_t   *ip6h = NULL;
3312 
3313         if (ixa->ixa_flags & IXAF_IS_IPV4)
3314                 ipha = (ipha_t *)mp->b_rptr;
3315         else
3316                 ip6h = (ip6_t *)mp->b_rptr;
3317 
3318         if (ixa->ixa_ipsec_policy != NULL) {
3319                 IPPOL_REFRELE(ixa->ixa_ipsec_policy);
3320                 ixa->ixa_ipsec_policy = NULL;
3321                 ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
3322         }
3323         return (ip_output_attach_policy(mp, ipha, ip6h, connp, ixa));
3324 }
3325 
3326 /*
3327  * Handle T_UNITDATA_REQ with options. Both IPv4 and IPv6
3328  * Either tudr_mp or msg is set. If tudr_mp we take ancillary data from
3329  * the TPI options, otherwise we take them from msg_control.
3330  * If both sin and sin6 is set it is a connected socket and we use conn_faddr.
3331  * Always consumes mp; never consumes tudr_mp.
3332  */
3333 static int
3334 icmp_output_ancillary(conn_t *connp, sin_t *sin, sin6_t *sin6, mblk_t *mp,
3335     mblk_t *tudr_mp, struct nmsghdr *msg, cred_t *cr, pid_t pid)
3336 {
3337         icmp_t          *icmp = connp->conn_icmp;
3338         icmp_stack_t    *is = icmp->icmp_is;
3339         int             error;
3340         ip_xmit_attr_t  *ixa;
3341         ip_pkt_t        *ipp;
3342         in6_addr_t      v6src;
3343         in6_addr_t      v6dst;
3344         in6_addr_t      v6nexthop;
3345         in_port_t       dstport;
3346         uint32_t        flowinfo;
3347         int             is_absreq_failure = 0;
3348         conn_opt_arg_t  coas, *coa;
3349 
3350         ASSERT(tudr_mp != NULL || msg != NULL);
3351 
3352         /*
3353          * Get ixa before checking state to handle a disconnect race.
3354          *
3355          * We need an exclusive copy of conn_ixa since the ancillary data
3356          * options might modify it. That copy has no pointers hence we
3357          * need to set them up once we've parsed the ancillary data.
3358          */
3359         ixa = conn_get_ixa_exclusive(connp);
3360         if (ixa == NULL) {
3361                 BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3362                 freemsg(mp);
3363                 return (ENOMEM);
3364         }
3365         ASSERT(cr != NULL);
3366         ASSERT(!(ixa->ixa_free_flags & IXA_FREE_CRED));
3367         ixa->ixa_cred = cr;
3368         ixa->ixa_cpid = pid;
3369         if (is_system_labeled()) {
3370                 /* We need to restart with a label based on the cred */
3371                 ip_xmit_attr_restore_tsl(ixa, ixa->ixa_cred);
3372         }
3373 
3374         /* In case previous destination was multicast or multirt */
3375         ip_attr_newdst(ixa);
3376 
3377         /* Get a copy of conn_xmit_ipp since the options might change it */
3378         ipp = kmem_zalloc(sizeof (*ipp), KM_NOSLEEP);
3379         if (ipp == NULL) {
3380                 ASSERT(!(ixa->ixa_free_flags & IXA_FREE_CRED));
3381                 ixa->ixa_cred = connp->conn_cred; /* Restore */
3382                 ixa->ixa_cpid = connp->conn_cpid;
3383                 ixa_refrele(ixa);
3384                 BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3385                 freemsg(mp);
3386                 return (ENOMEM);
3387         }
3388         mutex_enter(&connp->conn_lock);
3389         error = ip_pkt_copy(&connp->conn_xmit_ipp, ipp, KM_NOSLEEP);
3390         mutex_exit(&connp->conn_lock);
3391         if (error != 0) {
3392                 BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3393                 freemsg(mp);
3394                 goto done;
3395         }
3396 
3397         /*
3398          * Parse the options and update ixa and ipp as a result.
3399          */
3400 
3401         coa = &coas;
3402         coa->coa_connp = connp;
3403         coa->coa_ixa = ixa;
3404         coa->coa_ipp = ipp;
3405         coa->coa_ancillary = B_TRUE;
3406         coa->coa_changed = 0;
3407 
3408         if (msg != NULL) {
3409                 error = process_auxiliary_options(connp, msg->msg_control,
3410                     msg->msg_controllen, coa, &icmp_opt_obj, icmp_opt_set, cr);
3411         } else {
3412                 struct T_unitdata_req *tudr;
3413 
3414                 tudr = (struct T_unitdata_req *)tudr_mp->b_rptr;
3415                 ASSERT(tudr->PRIM_type == T_UNITDATA_REQ);
3416                 error = tpi_optcom_buf(connp->conn_wq, tudr_mp,
3417                     &tudr->OPT_length, tudr->OPT_offset, cr, &icmp_opt_obj,
3418                     coa, &is_absreq_failure);
3419         }
3420         if (error != 0) {
3421                 /*
3422                  * Note: No special action needed in this
3423                  * module for "is_absreq_failure"
3424                  */
3425                 freemsg(mp);
3426                 BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3427                 goto done;
3428         }
3429         ASSERT(is_absreq_failure == 0);
3430 
3431         mutex_enter(&connp->conn_lock);
3432         /*
3433          * If laddr is unspecified then we look at sin6_src_id.
3434          * We will give precedence to a source address set with IPV6_PKTINFO
3435          * (aka IPPF_ADDR) but that is handled in build_hdrs. However, we don't
3436          * want ip_attr_connect to select a source (since it can fail) when
3437          * IPV6_PKTINFO is specified.
3438          * If this doesn't result in a source address then we get a source
3439          * from ip_attr_connect() below.
3440          */
3441         v6src = connp->conn_saddr_v6;
3442         if (sin != NULL) {
3443                 IN6_IPADDR_TO_V4MAPPED(sin->sin_addr.s_addr, &v6dst);
3444                 dstport = sin->sin_port;
3445                 flowinfo = 0;
3446                 ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
3447                 ixa->ixa_flags |= IXAF_IS_IPV4;
3448         } else if (sin6 != NULL) {
3449                 boolean_t v4mapped;
3450                 uint_t srcid;
3451 
3452                 v6dst = sin6->sin6_addr;
3453                 dstport = sin6->sin6_port;
3454                 flowinfo = sin6->sin6_flowinfo;
3455                 srcid = sin6->__sin6_src_id;
3456                 if (IN6_IS_ADDR_LINKSCOPE(&v6dst) && sin6->sin6_scope_id != 0) {
3457                         ixa->ixa_scopeid = sin6->sin6_scope_id;
3458                         ixa->ixa_flags |= IXAF_SCOPEID_SET;
3459                 } else {
3460                         ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
3461                 }
3462                 v4mapped = IN6_IS_ADDR_V4MAPPED(&v6dst);
3463                 if (v4mapped)
3464                         ixa->ixa_flags |= IXAF_IS_IPV4;
3465                 else
3466                         ixa->ixa_flags &= ~IXAF_IS_IPV4;
3467                 if (srcid != 0 && IN6_IS_ADDR_UNSPECIFIED(&v6src)) {
3468                         if (!ip_srcid_find_id(srcid, &v6src, IPCL_ZONEID(connp),
3469                             v4mapped, connp->conn_netstack)) {
3470                                 /* Mismatched v4mapped/v6 specified by srcid. */
3471                                 mutex_exit(&connp->conn_lock);
3472                                 error = EADDRNOTAVAIL;
3473                                 goto failed;    /* Does freemsg() and mib. */
3474                         }
3475                 }
3476         } else {
3477                 /* Connected case */
3478                 v6dst = connp->conn_faddr_v6;
3479                 flowinfo = connp->conn_flowinfo;
3480         }
3481         mutex_exit(&connp->conn_lock);
3482         /* Handle IP_PKTINFO/IPV6_PKTINFO setting source address. */
3483         if (ipp->ipp_fields & IPPF_ADDR) {
3484                 if (ixa->ixa_flags & IXAF_IS_IPV4) {
3485                         if (IN6_IS_ADDR_V4MAPPED(&ipp->ipp_addr))
3486                                 v6src = ipp->ipp_addr;
3487                 } else {
3488                         if (!IN6_IS_ADDR_V4MAPPED(&ipp->ipp_addr))
3489                                 v6src = ipp->ipp_addr;
3490                 }
3491         }
3492         /*
3493          * Allow source not assigned to the system
3494          * only if it is not a local addresses
3495          */
3496         if (!V6_OR_V4_INADDR_ANY(v6src)) {
3497                 ip_laddr_t laddr_type;
3498 
3499                 if (ixa->ixa_flags & IXAF_IS_IPV4) {
3500                         ipaddr_t v4src;
3501 
3502                         IN6_V4MAPPED_TO_IPADDR(&v6src, v4src);
3503                         laddr_type = ip_laddr_verify_v4(v4src, ixa->ixa_zoneid,
3504                             is->is_netstack->netstack_ip, B_FALSE);
3505                 } else {
3506                         laddr_type = ip_laddr_verify_v6(&v6src, ixa->ixa_zoneid,
3507                             is->is_netstack->netstack_ip, B_FALSE, B_FALSE);
3508                 }
3509                 if (laddr_type != IPVL_UNICAST_UP)
3510                         ixa->ixa_flags &= ~IXAF_VERIFY_SOURCE;
3511         }
3512 
3513         ip_attr_nexthop(ipp, ixa, &v6dst, &v6nexthop);
3514         error = ip_attr_connect(connp, ixa, &v6src, &v6dst, &v6nexthop, dstport,
3515             &v6src, NULL, IPDF_ALLOW_MCBC | IPDF_VERIFY_DST);
3516 
3517         switch (error) {
3518         case 0:
3519                 break;
3520         case EADDRNOTAVAIL:
3521                 /*
3522                  * IXAF_VERIFY_SOURCE tells us to pick a better source.
3523                  * Don't have the application see that errno
3524                  */
3525                 error = ENETUNREACH;
3526                 goto failed;
3527         case ENETDOWN:
3528                 /*
3529                  * Have !ipif_addr_ready address; drop packet silently
3530                  * until we can get applications to not send until we
3531                  * are ready.
3532                  */
3533                 error = 0;
3534                 goto failed;
3535         case EHOSTUNREACH:
3536         case ENETUNREACH:
3537                 if (ixa->ixa_ire != NULL) {
3538                         /*
3539                          * Let conn_ip_output/ire_send_noroute return
3540                          * the error and send any local ICMP error.
3541                          */
3542                         error = 0;
3543                         break;
3544                 }
3545                 /* FALLTHRU */
3546         default:
3547         failed:
3548                 freemsg(mp);
3549                 BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3550                 goto done;
3551         }
3552 
3553         /*
3554          * We might be going to a different destination than last time,
3555          * thus check that TX allows the communication and compute any
3556          * needed label.
3557          *
3558          * TSOL Note: We have an exclusive ipp and ixa for this thread so we
3559          * don't have to worry about concurrent threads.
3560          */
3561         if (is_system_labeled()) {
3562                 /*
3563                  * Check whether Trusted Solaris policy allows communication
3564                  * with this host, and pretend that the destination is
3565                  * unreachable if not.
3566                  * Compute any needed label and place it in ipp_label_v4/v6.
3567                  *
3568                  * Later conn_build_hdr_template/conn_prepend_hdr takes
3569                  * ipp_label_v4/v6 to form the packet.
3570                  *
3571                  * Tsol note: We have ipp structure local to this thread so
3572                  * no locking is needed.
3573                  */
3574                 error = conn_update_label(connp, ixa, &v6dst, ipp);
3575                 if (error != 0) {
3576                         freemsg(mp);
3577                         BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3578                         goto done;
3579                 }
3580         }
3581         mp = icmp_prepend_hdr(connp, ixa, ipp, &v6src, &v6dst, flowinfo, mp,
3582             &error);
3583         if (mp == NULL) {
3584                 BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3585                 ASSERT(error != 0);
3586                 goto done;
3587         }
3588         if (ixa->ixa_pktlen > IP_MAXPACKET) {
3589                 error = EMSGSIZE;
3590                 BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3591                 freemsg(mp);
3592                 goto done;
3593         }
3594 
3595         /* Policy might differ for different ICMP type/code */
3596         mp = icmp_output_attach_policy(mp, connp, ixa);
3597         if (mp == NULL) {
3598                 BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3599                 error = EHOSTUNREACH;   /* IPsec policy failure */
3600                 goto done;
3601         }
3602 
3603         /* We're done.  Pass the packet to ip. */
3604         BUMP_MIB(&is->is_rawip_mib, rawipOutDatagrams);
3605 
3606         error = conn_ip_output(mp, ixa);
3607         if (!connp->conn_unspec_src)
3608                 ixa->ixa_flags |= IXAF_VERIFY_SOURCE;
3609         /* No rawipOutErrors if an error since IP increases its error counter */
3610         switch (error) {
3611         case 0:
3612                 break;
3613         case EWOULDBLOCK:
3614                 (void) ixa_check_drain_insert(connp, ixa);
3615                 error = 0;
3616                 break;
3617         case EADDRNOTAVAIL:
3618                 /*
3619                  * IXAF_VERIFY_SOURCE tells us to pick a better source.
3620                  * Don't have the application see that errno
3621                  */
3622                 error = ENETUNREACH;
3623                 /* FALLTHRU */
3624         default:
3625                 mutex_enter(&connp->conn_lock);
3626                 /*
3627                  * Clear the source and v6lastdst so we call ip_attr_connect
3628                  * for the next packet and try to pick a better source.
3629                  */
3630                 if (connp->conn_mcbc_bind)
3631                         connp->conn_saddr_v6 = ipv6_all_zeros;
3632                 else
3633                         connp->conn_saddr_v6 = connp->conn_bound_addr_v6;
3634                 connp->conn_v6lastdst = ipv6_all_zeros;
3635                 mutex_exit(&connp->conn_lock);
3636                 break;
3637         }
3638 done:
3639         ASSERT(!(ixa->ixa_free_flags & IXA_FREE_CRED));
3640         ixa->ixa_cred = connp->conn_cred; /* Restore */
3641         ixa->ixa_cpid = connp->conn_cpid;
3642         ixa_refrele(ixa);
3643         ip_pkt_free(ipp);
3644         kmem_free(ipp, sizeof (*ipp));
3645         return (error);
3646 }
3647 
3648 /*
3649  * Handle sending an M_DATA for a connected socket.
3650  * Handles both IPv4 and IPv6.
3651  */
3652 int
3653 icmp_output_connected(conn_t *connp, mblk_t *mp, cred_t *cr, pid_t pid)
3654 {
3655         icmp_t          *icmp = connp->conn_icmp;
3656         icmp_stack_t    *is = icmp->icmp_is;
3657         int             error;
3658         ip_xmit_attr_t  *ixa;
3659         boolean_t       do_ipsec;
3660 
3661         /*
3662          * If no other thread is using conn_ixa this just gets a reference to
3663          * conn_ixa. Otherwise we get a safe copy of conn_ixa.
3664          */
3665         ixa = conn_get_ixa(connp, B_FALSE);
3666         if (ixa == NULL) {
3667                 BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3668                 freemsg(mp);
3669                 return (ENOMEM);
3670         }
3671 
3672         ASSERT(cr != NULL);
3673         ASSERT(!(ixa->ixa_free_flags & IXA_FREE_CRED));
3674         ixa->ixa_cred = cr;
3675         ixa->ixa_cpid = pid;
3676 
3677         /* Defer IPsec if it might need to look at ICMP type/code */
3678         switch (ixa->ixa_protocol) {
3679         case IPPROTO_ICMP:
3680         case IPPROTO_ICMPV6:
3681                 do_ipsec = B_FALSE;
3682                 break;
3683         default:
3684                 do_ipsec = B_TRUE;
3685         }
3686 
3687         mutex_enter(&connp->conn_lock);
3688         mp = icmp_prepend_header_template(connp, ixa, mp,
3689             &connp->conn_saddr_v6, connp->conn_flowinfo, &error);
3690 
3691         if (mp == NULL) {
3692                 ASSERT(error != 0);
3693                 mutex_exit(&connp->conn_lock);
3694                 ASSERT(!(ixa->ixa_free_flags & IXA_FREE_CRED));
3695                 ixa->ixa_cred = connp->conn_cred; /* Restore */
3696                 ixa->ixa_cpid = connp->conn_cpid;
3697                 ixa_refrele(ixa);
3698                 BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3699                 freemsg(mp);
3700                 return (error);
3701         }
3702 
3703         if (!do_ipsec) {
3704                 /* Policy might differ for different ICMP type/code */
3705                 mp = icmp_output_attach_policy(mp, connp, ixa);
3706                 if (mp == NULL) {
3707                         mutex_exit(&connp->conn_lock);
3708                         BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3709                         ASSERT(!(ixa->ixa_free_flags & IXA_FREE_CRED));
3710                         ixa->ixa_cred = connp->conn_cred; /* Restore */
3711                         ixa->ixa_cpid = connp->conn_cpid;
3712                         ixa_refrele(ixa);
3713                         return (EHOSTUNREACH);  /* IPsec policy failure */
3714                 }
3715         }
3716 
3717         /*
3718          * In case we got a safe copy of conn_ixa, or if opt_set made us a new
3719          * safe copy, then we need to fill in any pointers in it.
3720          */
3721         if (ixa->ixa_ire == NULL) {
3722                 in6_addr_t      faddr, saddr;
3723                 in6_addr_t      nexthop;
3724                 in_port_t       fport;
3725 
3726                 saddr = connp->conn_saddr_v6;
3727                 faddr = connp->conn_faddr_v6;
3728                 fport = connp->conn_fport;
3729                 ip_attr_nexthop(&connp->conn_xmit_ipp, ixa, &faddr, &nexthop);
3730                 mutex_exit(&connp->conn_lock);
3731 
3732                 error = ip_attr_connect(connp, ixa, &saddr, &faddr, &nexthop,
3733                     fport, NULL, NULL, IPDF_ALLOW_MCBC | IPDF_VERIFY_DST |
3734                     (do_ipsec ? IPDF_IPSEC : 0));
3735                 switch (error) {
3736                 case 0:
3737                         break;
3738                 case EADDRNOTAVAIL:
3739                         /*
3740                          * IXAF_VERIFY_SOURCE tells us to pick a better source.
3741                          * Don't have the application see that errno
3742                          */
3743                         error = ENETUNREACH;
3744                         goto failed;
3745                 case ENETDOWN:
3746                         /*
3747                          * Have !ipif_addr_ready address; drop packet silently
3748                          * until we can get applications to not send until we
3749                          * are ready.
3750                          */
3751                         error = 0;
3752                         goto failed;
3753                 case EHOSTUNREACH:
3754                 case ENETUNREACH:
3755                         if (ixa->ixa_ire != NULL) {
3756                                 /*
3757                                  * Let conn_ip_output/ire_send_noroute return
3758                                  * the error and send any local ICMP error.
3759                                  */
3760                                 error = 0;
3761                                 break;
3762                         }
3763                         /* FALLTHRU */
3764                 default:
3765                 failed:
3766                         ASSERT(!(ixa->ixa_free_flags & IXA_FREE_CRED));
3767                         ixa->ixa_cred = connp->conn_cred; /* Restore */
3768                         ixa->ixa_cpid = connp->conn_cpid;
3769                         ixa_refrele(ixa);
3770                         BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3771                         freemsg(mp);
3772                         return (error);
3773                 }
3774         } else {
3775                 /* Done with conn_t */
3776                 mutex_exit(&connp->conn_lock);
3777         }
3778 
3779         /* We're done.  Pass the packet to ip. */
3780         BUMP_MIB(&is->is_rawip_mib, rawipOutDatagrams);
3781 
3782         error = conn_ip_output(mp, ixa);
3783         /* No rawipOutErrors if an error since IP increases its error counter */
3784         switch (error) {
3785         case 0:
3786                 break;
3787         case EWOULDBLOCK:
3788                 (void) ixa_check_drain_insert(connp, ixa);
3789                 error = 0;
3790                 break;
3791         case EADDRNOTAVAIL:
3792                 /*
3793                  * IXAF_VERIFY_SOURCE tells us to pick a better source.
3794                  * Don't have the application see that errno
3795                  */
3796                 error = ENETUNREACH;
3797                 break;
3798         }
3799         ASSERT(!(ixa->ixa_free_flags & IXA_FREE_CRED));
3800         ixa->ixa_cred = connp->conn_cred; /* Restore */
3801         ixa->ixa_cpid = connp->conn_cpid;
3802         ixa_refrele(ixa);
3803         return (error);
3804 }
3805 
3806 /*
3807  * Handle sending an M_DATA to the last destination.
3808  * Handles both IPv4 and IPv6.
3809  *
3810  * NOTE: The caller must hold conn_lock and we drop it here.
3811  */
3812 int
3813 icmp_output_lastdst(conn_t *connp, mblk_t *mp, cred_t *cr, pid_t pid,
3814     ip_xmit_attr_t *ixa)
3815 {
3816         icmp_t          *icmp = connp->conn_icmp;
3817         icmp_stack_t    *is = icmp->icmp_is;
3818         int             error;
3819         boolean_t       do_ipsec;
3820 
3821         ASSERT(MUTEX_HELD(&connp->conn_lock));
3822         ASSERT(ixa != NULL);
3823 
3824         ASSERT(cr != NULL);
3825         ASSERT(!(ixa->ixa_free_flags & IXA_FREE_CRED));
3826         ixa->ixa_cred = cr;
3827         ixa->ixa_cpid = pid;
3828 
3829         /* Defer IPsec if it might need to look at ICMP type/code */
3830         switch (ixa->ixa_protocol) {
3831         case IPPROTO_ICMP:
3832         case IPPROTO_ICMPV6:
3833                 do_ipsec = B_FALSE;
3834                 break;
3835         default:
3836                 do_ipsec = B_TRUE;
3837         }
3838 
3839 
3840         mp = icmp_prepend_header_template(connp, ixa, mp,
3841             &connp->conn_v6lastsrc, connp->conn_lastflowinfo, &error);
3842 
3843         if (mp == NULL) {
3844                 ASSERT(error != 0);
3845                 mutex_exit(&connp->conn_lock);
3846                 ASSERT(!(ixa->ixa_free_flags & IXA_FREE_CRED));
3847                 ixa->ixa_cred = connp->conn_cred; /* Restore */
3848                 ixa->ixa_cpid = connp->conn_cpid;
3849                 ixa_refrele(ixa);
3850                 BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3851                 freemsg(mp);
3852                 return (error);
3853         }
3854 
3855         if (!do_ipsec) {
3856                 /* Policy might differ for different ICMP type/code */
3857                 mp = icmp_output_attach_policy(mp, connp, ixa);
3858                 if (mp == NULL) {
3859                         mutex_exit(&connp->conn_lock);
3860                         BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3861                         ASSERT(!(ixa->ixa_free_flags & IXA_FREE_CRED));
3862                         ixa->ixa_cred = connp->conn_cred; /* Restore */
3863                         ixa->ixa_cpid = connp->conn_cpid;
3864                         ixa_refrele(ixa);
3865                         return (EHOSTUNREACH);  /* IPsec policy failure */
3866                 }
3867         }
3868 
3869         /*
3870          * In case we got a safe copy of conn_ixa, or if opt_set made us a new
3871          * safe copy, then we need to fill in any pointers in it.
3872          */
3873         if (ixa->ixa_ire == NULL) {
3874                 in6_addr_t      lastdst, lastsrc;
3875                 in6_addr_t      nexthop;
3876                 in_port_t       lastport;
3877 
3878                 lastsrc = connp->conn_v6lastsrc;
3879                 lastdst = connp->conn_v6lastdst;
3880                 lastport = connp->conn_lastdstport;
3881                 ip_attr_nexthop(&connp->conn_xmit_ipp, ixa, &lastdst, &nexthop);
3882                 mutex_exit(&connp->conn_lock);
3883 
3884                 error = ip_attr_connect(connp, ixa, &lastsrc, &lastdst,
3885                     &nexthop, lastport, NULL, NULL, IPDF_ALLOW_MCBC |
3886                     IPDF_VERIFY_DST | (do_ipsec ? IPDF_IPSEC : 0));
3887                 switch (error) {
3888                 case 0:
3889                         break;
3890                 case EADDRNOTAVAIL:
3891                         /*
3892                          * IXAF_VERIFY_SOURCE tells us to pick a better source.
3893                          * Don't have the application see that errno
3894                          */
3895                         error = ENETUNREACH;
3896                         goto failed;
3897                 case ENETDOWN:
3898                         /*
3899                          * Have !ipif_addr_ready address; drop packet silently
3900                          * until we can get applications to not send until we
3901                          * are ready.
3902                          */
3903                         error = 0;
3904                         goto failed;
3905                 case EHOSTUNREACH:
3906                 case ENETUNREACH:
3907                         if (ixa->ixa_ire != NULL) {
3908                                 /*
3909                                  * Let conn_ip_output/ire_send_noroute return
3910                                  * the error and send any local ICMP error.
3911                                  */
3912                                 error = 0;
3913                                 break;
3914                         }
3915                         /* FALLTHRU */
3916                 default:
3917                 failed:
3918                         ASSERT(!(ixa->ixa_free_flags & IXA_FREE_CRED));
3919                         ixa->ixa_cred = connp->conn_cred; /* Restore */
3920                         ixa->ixa_cpid = connp->conn_cpid;
3921                         ixa_refrele(ixa);
3922                         BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3923                         freemsg(mp);
3924                         return (error);
3925                 }
3926         } else {
3927                 /* Done with conn_t */
3928                 mutex_exit(&connp->conn_lock);
3929         }
3930 
3931         /* We're done.  Pass the packet to ip. */
3932         BUMP_MIB(&is->is_rawip_mib, rawipOutDatagrams);
3933         error = conn_ip_output(mp, ixa);
3934         /* No rawipOutErrors if an error since IP increases its error counter */
3935         switch (error) {
3936         case 0:
3937                 break;
3938         case EWOULDBLOCK:
3939                 (void) ixa_check_drain_insert(connp, ixa);
3940                 error = 0;
3941                 break;
3942         case EADDRNOTAVAIL:
3943                 /*
3944                  * IXAF_VERIFY_SOURCE tells us to pick a better source.
3945                  * Don't have the application see that errno
3946                  */
3947                 error = ENETUNREACH;
3948                 /* FALLTHRU */
3949         default:
3950                 mutex_enter(&connp->conn_lock);
3951                 /*
3952                  * Clear the source and v6lastdst so we call ip_attr_connect
3953                  * for the next packet and try to pick a better source.
3954                  */
3955                 if (connp->conn_mcbc_bind)
3956                         connp->conn_saddr_v6 = ipv6_all_zeros;
3957                 else
3958                         connp->conn_saddr_v6 = connp->conn_bound_addr_v6;
3959                 connp->conn_v6lastdst = ipv6_all_zeros;
3960                 mutex_exit(&connp->conn_lock);
3961                 break;
3962         }
3963         ASSERT(!(ixa->ixa_free_flags & IXA_FREE_CRED));
3964         ixa->ixa_cred = connp->conn_cred; /* Restore */
3965         ixa->ixa_cpid = connp->conn_cpid;
3966         ixa_refrele(ixa);
3967         return (error);
3968 }
3969 
3970 
3971 /*
3972  * Prepend the header template and then fill in the source and
3973  * flowinfo. The caller needs to handle the destination address since
3974  * it's setting is different if rthdr or source route.
3975  *
3976  * Returns NULL is allocation failed or if the packet would exceed IP_MAXPACKET.
3977  * When it returns NULL it sets errorp.
3978  */
3979 static mblk_t *
3980 icmp_prepend_header_template(conn_t *connp, ip_xmit_attr_t *ixa, mblk_t *mp,
3981     const in6_addr_t *v6src, uint32_t flowinfo, int *errorp)
3982 {
3983         icmp_t          *icmp = connp->conn_icmp;
3984         icmp_stack_t    *is = icmp->icmp_is;
3985         uint_t          pktlen;
3986         uint_t          copylen;
3987         uint8_t         *iph;
3988         uint_t          ip_hdr_length;
3989         uint32_t        cksum;
3990         ip_pkt_t        *ipp;
3991 
3992         ASSERT(MUTEX_HELD(&connp->conn_lock));
3993 
3994         /*
3995          * Copy the header template.
3996          */
3997         copylen = connp->conn_ht_iphc_len;
3998         pktlen = copylen + msgdsize(mp);
3999         if (pktlen > IP_MAXPACKET) {
4000                 freemsg(mp);
4001                 *errorp = EMSGSIZE;
4002                 return (NULL);
4003         }
4004         ixa->ixa_pktlen = pktlen;
4005 
4006         /* check/fix buffer config, setup pointers into it */
4007         iph = mp->b_rptr - copylen;
4008         if (DB_REF(mp) != 1 || iph < DB_BASE(mp) || !OK_32PTR(iph)) {
4009                 mblk_t *mp1;
4010 
4011                 mp1 = allocb(copylen + is->is_wroff_extra, BPRI_MED);
4012                 if (mp1 == NULL) {
4013                         freemsg(mp);
4014                         *errorp = ENOMEM;
4015                         return (NULL);
4016                 }
4017                 mp1->b_wptr = DB_LIM(mp1);
4018                 mp1->b_cont = mp;
4019                 mp = mp1;
4020                 iph = (mp->b_wptr - copylen);
4021         }
4022         mp->b_rptr = iph;
4023         bcopy(connp->conn_ht_iphc, iph, copylen);
4024         ip_hdr_length = (uint_t)(connp->conn_ht_ulp - connp->conn_ht_iphc);
4025 
4026         ixa->ixa_ip_hdr_length = ip_hdr_length;
4027 
4028         /*
4029          * Prepare for ICMPv6 checksum done in IP.
4030          *
4031          * icmp_build_hdr_template has already massaged any routing header
4032          * and placed the result in conn_sum.
4033          *
4034          * We make it easy for IP to include our pseudo header
4035          * by putting our length (and any routing header adjustment)
4036          * in the ICMPv6 checksum field.
4037          */
4038         cksum = pktlen - ip_hdr_length;
4039 
4040         cksum += connp->conn_sum;
4041         cksum = (cksum >> 16) + (cksum & 0xFFFF);
4042         ASSERT(cksum < 0x10000);
4043 
4044         ipp = &connp->conn_xmit_ipp;
4045         if (ixa->ixa_flags & IXAF_IS_IPV4) {
4046                 ipha_t  *ipha = (ipha_t *)iph;
4047 
4048                 ipha->ipha_length = htons((uint16_t)pktlen);
4049 
4050                 /* if IP_PKTINFO specified an addres it wins over bind() */
4051                 if ((ipp->ipp_fields & IPPF_ADDR) &&
4052                     IN6_IS_ADDR_V4MAPPED(&ipp->ipp_addr)) {
4053                         ASSERT(ipp->ipp_addr_v4 != INADDR_ANY);
4054                         ipha->ipha_src = ipp->ipp_addr_v4;
4055                 } else {
4056                         IN6_V4MAPPED_TO_IPADDR(v6src, ipha->ipha_src);
4057                 }
4058         } else {
4059                 ip6_t *ip6h = (ip6_t *)iph;
4060                 uint_t  cksum_offset = 0;
4061 
4062                 ip6h->ip6_plen =  htons((uint16_t)(pktlen - IPV6_HDR_LEN));
4063 
4064                 /* if IP_PKTINFO specified an addres it wins over bind() */
4065                 if ((ipp->ipp_fields & IPPF_ADDR) &&
4066                     !IN6_IS_ADDR_V4MAPPED(&ipp->ipp_addr)) {
4067                         ASSERT(!IN6_IS_ADDR_UNSPECIFIED(&ipp->ipp_addr));
4068                         ip6h->ip6_src = ipp->ipp_addr;
4069                 } else {
4070                         ip6h->ip6_src = *v6src;
4071                 }
4072                 ip6h->ip6_vcf =
4073                     (IPV6_DEFAULT_VERS_AND_FLOW & IPV6_VERS_AND_FLOW_MASK) |
4074                     (flowinfo & ~IPV6_VERS_AND_FLOW_MASK);
4075                 if (ipp->ipp_fields & IPPF_TCLASS) {
4076                         /* Overrides the class part of flowinfo */
4077                         ip6h->ip6_vcf = IPV6_TCLASS_FLOW(ip6h->ip6_vcf,
4078                             ipp->ipp_tclass);
4079                 }
4080 
4081                 if (ixa->ixa_flags & IXAF_SET_ULP_CKSUM) {
4082                         if (connp->conn_proto == IPPROTO_ICMPV6) {
4083                                 cksum_offset = ixa->ixa_ip_hdr_length +
4084                                     offsetof(icmp6_t, icmp6_cksum);
4085                         } else if (ixa->ixa_flags & IXAF_SET_RAW_CKSUM) {
4086                                 cksum_offset = ixa->ixa_ip_hdr_length +
4087                                     ixa->ixa_raw_cksum_offset;
4088                         }
4089                 }
4090                 if (cksum_offset != 0) {
4091                         uint16_t *ptr;
4092 
4093                         /* Make sure the checksum fits in the first mblk */
4094                         if (cksum_offset + sizeof (short) > MBLKL(mp)) {
4095                                 mblk_t *mp1;
4096 
4097                                 mp1 = msgpullup(mp,
4098                                     cksum_offset + sizeof (short));
4099                                 freemsg(mp);
4100                                 if (mp1 == NULL) {
4101                                         *errorp = ENOMEM;
4102                                         return (NULL);
4103                                 }
4104                                 mp = mp1;
4105                                 iph = mp->b_rptr;
4106                                 ip6h = (ip6_t *)iph;
4107                         }
4108                         ptr = (uint16_t *)(mp->b_rptr + cksum_offset);
4109                         *ptr = htons(cksum);
4110                 }
4111         }
4112 
4113         return (mp);
4114 }
4115 
4116 /*
4117  * This routine handles all messages passed downstream.  It either
4118  * consumes the message or passes it downstream; it never queues a
4119  * a message.
4120  */
4121 int
4122 icmp_wput(queue_t *q, mblk_t *mp)
4123 {
4124         sin6_t          *sin6;
4125         sin_t           *sin = NULL;
4126         uint_t          srcid;
4127         conn_t          *connp = Q_TO_CONN(q);
4128         icmp_t          *icmp = connp->conn_icmp;
4129         int             error = 0;
4130         struct sockaddr *addr = NULL;
4131         socklen_t       addrlen;
4132         icmp_stack_t    *is = icmp->icmp_is;
4133         struct T_unitdata_req *tudr;
4134         mblk_t          *data_mp;
4135         cred_t          *cr;
4136         pid_t           pid;
4137 
4138         /*
4139          * We directly handle several cases here: T_UNITDATA_REQ message
4140          * coming down as M_PROTO/M_PCPROTO and M_DATA messages for connected
4141          * socket.
4142          */
4143         switch (DB_TYPE(mp)) {
4144         case M_DATA:
4145                 /* sockfs never sends down M_DATA */
4146                 BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
4147                 freemsg(mp);
4148                 return (0);
4149 
4150         case M_PROTO:
4151         case M_PCPROTO:
4152                 tudr = (struct T_unitdata_req *)mp->b_rptr;
4153                 if (MBLKL(mp) < sizeof (*tudr) ||
4154                     ((t_primp_t)mp->b_rptr)->type != T_UNITDATA_REQ) {
4155                         icmp_wput_other(q, mp);
4156                         return (0);
4157                 }
4158                 break;
4159 
4160         default:
4161                 icmp_wput_other(q, mp);
4162                 return (0);
4163         }
4164 
4165         /* Handle valid T_UNITDATA_REQ here */
4166         data_mp = mp->b_cont;
4167         if (data_mp == NULL) {
4168                 error = EPROTO;
4169                 goto ud_error2;
4170         }
4171         mp->b_cont = NULL;
4172 
4173         if (!MBLKIN(mp, 0, tudr->DEST_offset + tudr->DEST_length)) {
4174                 error = EADDRNOTAVAIL;
4175                 goto ud_error2;
4176         }
4177 
4178         /*
4179          * All Solaris components should pass a db_credp
4180          * for this message, hence we ASSERT.
4181          * On production kernels we return an error to be robust against
4182          * random streams modules sitting on top of us.
4183          */
4184         cr = msg_getcred(mp, &pid);
4185         ASSERT(cr != NULL);
4186         if (cr == NULL) {
4187                 error = EINVAL;
4188                 goto ud_error2;
4189         }
4190 
4191         /*
4192          * If a port has not been bound to the stream, fail.
4193          * This is not a problem when sockfs is directly
4194          * above us, because it will ensure that the socket
4195          * is first bound before allowing data to be sent.
4196          */
4197         if (icmp->icmp_state == TS_UNBND) {
4198                 error = EPROTO;
4199                 goto ud_error2;
4200         }
4201         addr = (struct sockaddr *)&mp->b_rptr[tudr->DEST_offset];
4202         addrlen = tudr->DEST_length;
4203 
4204         switch (connp->conn_family) {
4205         case AF_INET6:
4206                 sin6 = (sin6_t *)addr;
4207                 if (!OK_32PTR((char *)sin6) || (addrlen != sizeof (sin6_t)) ||
4208                     (sin6->sin6_family != AF_INET6)) {
4209                         error = EADDRNOTAVAIL;
4210                         goto ud_error2;
4211                 }
4212 
4213                 /* No support for mapped addresses on raw sockets */
4214                 if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
4215                         error = EADDRNOTAVAIL;
4216                         goto ud_error2;
4217                 }
4218                 srcid = sin6->__sin6_src_id;
4219 
4220                 /*
4221                  * If the local address is a mapped address return
4222                  * an error.
4223                  * It would be possible to send an IPv6 packet but the
4224                  * response would never make it back to the application
4225                  * since it is bound to a mapped address.
4226                  */
4227                 if (IN6_IS_ADDR_V4MAPPED(&connp->conn_saddr_v6)) {
4228                         error = EADDRNOTAVAIL;
4229                         goto ud_error2;
4230                 }
4231 
4232                 if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr))
4233                         sin6->sin6_addr = ipv6_loopback;
4234 
4235                 if (tudr->OPT_length != 0) {
4236                         /*
4237                          * If we are connected then the destination needs to be
4238                          * the same as the connected one.
4239                          */
4240                         if (icmp->icmp_state == TS_DATA_XFER &&
4241                             !conn_same_as_last_v6(connp, sin6)) {
4242                                 error = EISCONN;
4243                                 goto ud_error2;
4244                         }
4245                         error = icmp_output_ancillary(connp, NULL, sin6,
4246                             data_mp, mp, NULL, cr, pid);
4247                 } else {
4248                         ip_xmit_attr_t *ixa;
4249 
4250                         /*
4251                          * We have to allocate an ip_xmit_attr_t before we grab
4252                          * conn_lock and we need to hold conn_lock once we've
4253                          * checked conn_same_as_last_v6 to handle concurrent
4254                          * send* calls on a socket.
4255                          */
4256                         ixa = conn_get_ixa(connp, B_FALSE);
4257                         if (ixa == NULL) {
4258                                 error = ENOMEM;
4259                                 goto ud_error2;
4260                         }
4261                         mutex_enter(&connp->conn_lock);
4262 
4263                         if (conn_same_as_last_v6(connp, sin6) &&
4264                             connp->conn_lastsrcid == srcid &&
4265                             ipsec_outbound_policy_current(ixa)) {
4266                                 /* icmp_output_lastdst drops conn_lock */
4267                                 error = icmp_output_lastdst(connp, data_mp, cr,
4268                                     pid, ixa);
4269                         } else {
4270                                 /* icmp_output_newdst drops conn_lock */
4271                                 error = icmp_output_newdst(connp, data_mp, NULL,
4272                                     sin6, cr, pid, ixa);
4273                         }
4274                         ASSERT(MUTEX_NOT_HELD(&connp->conn_lock));
4275                 }
4276                 if (error == 0) {
4277                         freeb(mp);
4278                         return (0);
4279                 }
4280                 break;
4281 
4282         case AF_INET:
4283                 sin = (sin_t *)addr;
4284                 if ((!OK_32PTR((char *)sin) || addrlen != sizeof (sin_t)) ||
4285                     (sin->sin_family != AF_INET)) {
4286                         error = EADDRNOTAVAIL;
4287                         goto ud_error2;
4288                 }
4289                 if (sin->sin_addr.s_addr == INADDR_ANY)
4290                         sin->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
4291 
4292                 /* Protocol 255 contains full IP headers */
4293                 /* Read without holding lock */
4294                 if (icmp->icmp_hdrincl) {
4295                         if (MBLKL(data_mp) < IP_SIMPLE_HDR_LENGTH) {
4296                                 if (!pullupmsg(data_mp, IP_SIMPLE_HDR_LENGTH)) {
4297                                         error = EINVAL;
4298                                         goto ud_error2;
4299                                 }
4300                         }
4301                         error = icmp_output_hdrincl(connp, data_mp, cr, pid);
4302                         if (error == 0) {
4303                                 freeb(mp);
4304                                 return (0);
4305                         }
4306                         /* data_mp consumed above */
4307                         data_mp = NULL;
4308                         goto ud_error2;
4309                 }
4310 
4311                 if (tudr->OPT_length != 0) {
4312                         /*
4313                          * If we are connected then the destination needs to be
4314                          * the same as the connected one.
4315                          */
4316                         if (icmp->icmp_state == TS_DATA_XFER &&
4317                             !conn_same_as_last_v4(connp, sin)) {
4318                                 error = EISCONN;
4319                                 goto ud_error2;
4320                         }
4321                         error = icmp_output_ancillary(connp, sin, NULL,
4322                             data_mp, mp, NULL, cr, pid);
4323                 } else {
4324                         ip_xmit_attr_t *ixa;
4325 
4326                         /*
4327                          * We have to allocate an ip_xmit_attr_t before we grab
4328                          * conn_lock and we need to hold conn_lock once we've
4329                          * checked conn_same_as_last_v4 to handle concurrent
4330                          * send* calls on a socket.
4331                          */
4332                         ixa = conn_get_ixa(connp, B_FALSE);
4333                         if (ixa == NULL) {
4334                                 error = ENOMEM;
4335                                 goto ud_error2;
4336                         }
4337                         mutex_enter(&connp->conn_lock);
4338 
4339                         if (conn_same_as_last_v4(connp, sin) &&
4340                             ipsec_outbound_policy_current(ixa)) {
4341                                 /* icmp_output_lastdst drops conn_lock */
4342                                 error = icmp_output_lastdst(connp, data_mp, cr,
4343                                     pid, ixa);
4344                         } else {
4345                                 /* icmp_output_newdst drops conn_lock */
4346                                 error = icmp_output_newdst(connp, data_mp, sin,
4347                                     NULL, cr, pid, ixa);
4348                         }
4349                         ASSERT(MUTEX_NOT_HELD(&connp->conn_lock));
4350                 }
4351                 if (error == 0) {
4352                         freeb(mp);
4353                         return (0);
4354                 }
4355                 break;
4356         }
4357         ASSERT(mp != NULL);
4358         /* mp is freed by the following routine */
4359         icmp_ud_err(q, mp, (t_scalar_t)error);
4360         return (0);
4361 
4362 ud_error2:
4363         BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
4364         freemsg(data_mp);
4365         ASSERT(mp != NULL);
4366         /* mp is freed by the following routine */
4367         icmp_ud_err(q, mp, (t_scalar_t)error);
4368         return (0);
4369 }
4370 
4371 /*
4372  * Handle the case of the IP address or flow label being different
4373  * for both IPv4 and IPv6.
4374  *
4375  * NOTE: The caller must hold conn_lock and we drop it here.
4376  */
4377 static int
4378 icmp_output_newdst(conn_t *connp, mblk_t *data_mp, sin_t *sin, sin6_t *sin6,
4379     cred_t *cr, pid_t pid, ip_xmit_attr_t *ixa)
4380 {
4381         icmp_t          *icmp = connp->conn_icmp;
4382         icmp_stack_t    *is = icmp->icmp_is;
4383         int             error;
4384         ip_xmit_attr_t  *oldixa;
4385         boolean_t       do_ipsec;
4386         uint_t          srcid;
4387         uint32_t        flowinfo;
4388         in6_addr_t      v6src;
4389         in6_addr_t      v6dst;
4390         in6_addr_t      v6nexthop;
4391         in_port_t       dstport;
4392 
4393         ASSERT(MUTEX_HELD(&connp->conn_lock));
4394         ASSERT(ixa != NULL);
4395 
4396         /*
4397          * We hold conn_lock across all the use and modifications of
4398          * the conn_lastdst, conn_ixa, and conn_xmit_ipp to ensure that they
4399          * stay consistent.
4400          */
4401 
4402         ASSERT(cr != NULL);
4403         ASSERT(!(ixa->ixa_free_flags & IXA_FREE_CRED));
4404         ixa->ixa_cred = cr;
4405         ixa->ixa_cpid = pid;
4406         if (is_system_labeled()) {
4407                 /* We need to restart with a label based on the cred */
4408                 ip_xmit_attr_restore_tsl(ixa, ixa->ixa_cred);
4409         }
4410         /*
4411          * If we are connected then the destination needs to be the
4412          * same as the connected one, which is not the case here since we
4413          * checked for that above.
4414          */
4415         if (icmp->icmp_state == TS_DATA_XFER) {
4416                 mutex_exit(&connp->conn_lock);
4417                 error = EISCONN;
4418                 goto ud_error;
4419         }
4420 
4421         /* In case previous destination was multicast or multirt */
4422         ip_attr_newdst(ixa);
4423 
4424         /*
4425          * If laddr is unspecified then we look at sin6_src_id.
4426          * We will give precedence to a source address set with IPV6_PKTINFO
4427          * (aka IPPF_ADDR) but that is handled in build_hdrs. However, we don't
4428          * want ip_attr_connect to select a source (since it can fail) when
4429          * IPV6_PKTINFO is specified.
4430          * If this doesn't result in a source address then we get a source
4431          * from ip_attr_connect() below.
4432          */
4433         v6src = connp->conn_saddr_v6;
4434         if (sin != NULL) {
4435                 IN6_IPADDR_TO_V4MAPPED(sin->sin_addr.s_addr, &v6dst);
4436                 dstport = sin->sin_port;
4437                 flowinfo = 0;
4438                 /* Don't bother with ip_srcid_find_id(), but indicate anyway. */
4439                 srcid = 0;
4440                 ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
4441                 ixa->ixa_flags |= IXAF_IS_IPV4;
4442         } else {
4443                 boolean_t v4mapped;
4444 
4445                 v6dst = sin6->sin6_addr;
4446                 dstport = sin6->sin6_port;
4447                 flowinfo = sin6->sin6_flowinfo;
4448                 srcid = sin6->__sin6_src_id;
4449                 if (IN6_IS_ADDR_LINKSCOPE(&v6dst) && sin6->sin6_scope_id != 0) {
4450                         ixa->ixa_scopeid = sin6->sin6_scope_id;
4451                         ixa->ixa_flags |= IXAF_SCOPEID_SET;
4452                 } else {
4453                         ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
4454                 }
4455                 v4mapped = IN6_IS_ADDR_V4MAPPED(&v6dst);
4456                 if (v4mapped)
4457                         ixa->ixa_flags |= IXAF_IS_IPV4;
4458                 else
4459                         ixa->ixa_flags &= ~IXAF_IS_IPV4;
4460                 if (srcid != 0 && IN6_IS_ADDR_UNSPECIFIED(&v6src)) {
4461                         if (!ip_srcid_find_id(srcid, &v6src, IPCL_ZONEID(connp),
4462                             v4mapped, connp->conn_netstack)) {
4463                                 /* Mismatched v4mapped/v6 specified by srcid. */
4464                                 mutex_exit(&connp->conn_lock);
4465                                 error = EADDRNOTAVAIL;
4466                                 goto ud_error;
4467                         }
4468                 }
4469         }
4470         /* Handle IP_PKTINFO/IPV6_PKTINFO setting source address. */
4471         if (connp->conn_xmit_ipp.ipp_fields & IPPF_ADDR) {
4472                 ip_pkt_t *ipp = &connp->conn_xmit_ipp;
4473 
4474                 if (ixa->ixa_flags & IXAF_IS_IPV4) {
4475                         if (IN6_IS_ADDR_V4MAPPED(&ipp->ipp_addr))
4476                                 v6src = ipp->ipp_addr;
4477                 } else {
4478                         if (!IN6_IS_ADDR_V4MAPPED(&ipp->ipp_addr))
4479                                 v6src = ipp->ipp_addr;
4480                 }
4481         }
4482 
4483         /* Defer IPsec if it might need to look at ICMP type/code */
4484         switch (ixa->ixa_protocol) {
4485         case IPPROTO_ICMP:
4486         case IPPROTO_ICMPV6:
4487                 do_ipsec = B_FALSE;
4488                 break;
4489         default:
4490                 do_ipsec = B_TRUE;
4491         }
4492 
4493         ip_attr_nexthop(&connp->conn_xmit_ipp, ixa, &v6dst, &v6nexthop);
4494         mutex_exit(&connp->conn_lock);
4495 
4496         error = ip_attr_connect(connp, ixa, &v6src, &v6dst, &v6nexthop, dstport,
4497             &v6src, NULL, IPDF_ALLOW_MCBC | IPDF_VERIFY_DST |
4498             (do_ipsec ? IPDF_IPSEC : 0));
4499         switch (error) {
4500         case 0:
4501                 break;
4502         case EADDRNOTAVAIL:
4503                 /*
4504                  * IXAF_VERIFY_SOURCE tells us to pick a better source.
4505                  * Don't have the application see that errno
4506                  */
4507                 error = ENETUNREACH;
4508                 goto failed;
4509         case ENETDOWN:
4510                 /*
4511                  * Have !ipif_addr_ready address; drop packet silently
4512                  * until we can get applications to not send until we
4513                  * are ready.
4514                  */
4515                 error = 0;
4516                 goto failed;
4517         case EHOSTUNREACH:
4518         case ENETUNREACH:
4519                 if (ixa->ixa_ire != NULL) {
4520                         /*
4521                          * Let conn_ip_output/ire_send_noroute return
4522                          * the error and send any local ICMP error.
4523                          */
4524                         error = 0;
4525                         break;
4526                 }
4527                 /* FALLTHRU */
4528         default:
4529         failed:
4530                 goto ud_error;
4531         }
4532 
4533         mutex_enter(&connp->conn_lock);
4534         /*
4535          * While we dropped the lock some other thread might have connected
4536          * this socket. If so we bail out with EISCONN to ensure that the
4537          * connecting thread is the one that updates conn_ixa, conn_ht_*
4538          * and conn_*last*.
4539          */
4540         if (icmp->icmp_state == TS_DATA_XFER) {
4541                 mutex_exit(&connp->conn_lock);
4542                 error = EISCONN;
4543                 goto ud_error;
4544         }
4545 
4546         /*
4547          * We need to rebuild the headers if
4548          *  - we are labeling packets (could be different for different
4549          *    destinations)
4550          *  - we have a source route (or routing header) since we need to
4551          *    massage that to get the pseudo-header checksum
4552          *  - a socket option with COA_HEADER_CHANGED has been set which
4553          *    set conn_v6lastdst to zero.
4554          *
4555          * Otherwise the prepend function will just update the src, dst,
4556          * and flow label.
4557          */
4558         if (is_system_labeled()) {
4559                 /* TX MLP requires SCM_UCRED and don't have that here */
4560                 if (connp->conn_mlp_type != mlptSingle) {
4561                         mutex_exit(&connp->conn_lock);
4562                         error = ECONNREFUSED;
4563                         goto ud_error;
4564                 }
4565                 /*
4566                  * Check whether Trusted Solaris policy allows communication
4567                  * with this host, and pretend that the destination is
4568                  * unreachable if not.
4569                  * Compute any needed label and place it in ipp_label_v4/v6.
4570                  *
4571                  * Later conn_build_hdr_template/conn_prepend_hdr takes
4572                  * ipp_label_v4/v6 to form the packet.
4573                  *
4574                  * Tsol note: Since we hold conn_lock we know no other
4575                  * thread manipulates conn_xmit_ipp.
4576                  */
4577                 error = conn_update_label(connp, ixa, &v6dst,
4578                     &connp->conn_xmit_ipp);
4579                 if (error != 0) {
4580                         mutex_exit(&connp->conn_lock);
4581                         goto ud_error;
4582                 }
4583                 /* Rebuild the header template */
4584                 error = icmp_build_hdr_template(connp, &v6src, &v6dst,
4585                     flowinfo);
4586                 if (error != 0) {
4587                         mutex_exit(&connp->conn_lock);
4588                         goto ud_error;
4589                 }
4590         } else if (connp->conn_xmit_ipp.ipp_fields &
4591             (IPPF_IPV4_OPTIONS|IPPF_RTHDR) ||
4592             IN6_IS_ADDR_UNSPECIFIED(&connp->conn_v6lastdst)) {
4593                 /* Rebuild the header template */
4594                 error = icmp_build_hdr_template(connp, &v6src, &v6dst,
4595                     flowinfo);
4596                 if (error != 0) {
4597                         mutex_exit(&connp->conn_lock);
4598                         goto ud_error;
4599                 }
4600         } else {
4601                 /* Simply update the destination address if no source route */
4602                 if (ixa->ixa_flags & IXAF_IS_IPV4) {
4603                         ipha_t  *ipha = (ipha_t *)connp->conn_ht_iphc;
4604 
4605                         IN6_V4MAPPED_TO_IPADDR(&v6dst, ipha->ipha_dst);
4606                         if (ixa->ixa_flags & IXAF_PMTU_IPV4_DF) {
4607                                 ipha->ipha_fragment_offset_and_flags |=
4608                                     IPH_DF_HTONS;
4609                         } else {
4610                                 ipha->ipha_fragment_offset_and_flags &=
4611                                     ~IPH_DF_HTONS;
4612                         }
4613                 } else {
4614                         ip6_t *ip6h = (ip6_t *)connp->conn_ht_iphc;
4615                         ip6h->ip6_dst = v6dst;
4616                 }
4617         }
4618 
4619         /*
4620          * Remember the dst etc which corresponds to the built header
4621          * template and conn_ixa.
4622          */
4623         oldixa = conn_replace_ixa(connp, ixa);
4624         connp->conn_v6lastdst = v6dst;
4625         connp->conn_lastflowinfo = flowinfo;
4626         connp->conn_lastscopeid = ixa->ixa_scopeid;
4627         connp->conn_lastsrcid = srcid;
4628         /* Also remember a source to use together with lastdst */
4629         connp->conn_v6lastsrc = v6src;
4630 
4631         data_mp = icmp_prepend_header_template(connp, ixa, data_mp, &v6src,
4632             flowinfo, &error);
4633 
4634         /* Done with conn_t */
4635         mutex_exit(&connp->conn_lock);
4636         ixa_refrele(oldixa);
4637 
4638         if (data_mp == NULL) {
4639                 ASSERT(error != 0);
4640                 goto ud_error;
4641         }
4642 
4643         if (!do_ipsec) {
4644                 /* Policy might differ for different ICMP type/code */
4645                 data_mp = icmp_output_attach_policy(data_mp, connp, ixa);
4646                 if (data_mp == NULL) {
4647                         BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
4648                         error = EHOSTUNREACH;   /* IPsec policy failure */
4649                         goto done;
4650                 }
4651         }
4652 
4653         /* We're done.  Pass the packet to ip. */
4654         BUMP_MIB(&is->is_rawip_mib, rawipOutDatagrams);
4655 
4656         error = conn_ip_output(data_mp, ixa);
4657         /* No rawipOutErrors if an error since IP increases its error counter */
4658         switch (error) {
4659         case 0:
4660                 break;
4661         case EWOULDBLOCK:
4662                 (void) ixa_check_drain_insert(connp, ixa);
4663                 error = 0;
4664                 break;
4665         case EADDRNOTAVAIL:
4666                 /*
4667                  * IXAF_VERIFY_SOURCE tells us to pick a better source.
4668                  * Don't have the application see that errno
4669                  */
4670                 error = ENETUNREACH;
4671                 /* FALLTHRU */
4672         default:
4673                 mutex_enter(&connp->conn_lock);
4674                 /*
4675                  * Clear the source and v6lastdst so we call ip_attr_connect
4676                  * for the next packet and try to pick a better source.
4677                  */
4678                 if (connp->conn_mcbc_bind)
4679                         connp->conn_saddr_v6 = ipv6_all_zeros;
4680                 else
4681                         connp->conn_saddr_v6 = connp->conn_bound_addr_v6;
4682                 connp->conn_v6lastdst = ipv6_all_zeros;
4683                 mutex_exit(&connp->conn_lock);
4684                 break;
4685         }
4686 done:
4687         ASSERT(!(ixa->ixa_free_flags & IXA_FREE_CRED));
4688         ixa->ixa_cred = connp->conn_cred; /* Restore */
4689         ixa->ixa_cpid = connp->conn_cpid;
4690         ixa_refrele(ixa);
4691         return (error);
4692 
4693 ud_error:
4694         ASSERT(!(ixa->ixa_free_flags & IXA_FREE_CRED));
4695         ixa->ixa_cred = connp->conn_cred; /* Restore */
4696         ixa->ixa_cpid = connp->conn_cpid;
4697         ixa_refrele(ixa);
4698 
4699         BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
4700         freemsg(data_mp);
4701         return (error);
4702 }
4703 
4704 /* ARGSUSED */
4705 static int
4706 icmp_wput_fallback(queue_t *q, mblk_t *mp)
4707 {
4708 #ifdef DEBUG
4709         cmn_err(CE_CONT, "icmp_wput_fallback: Message during fallback \n");
4710 #endif
4711         freemsg(mp);
4712         return (0);
4713 }
4714 
4715 static void
4716 icmp_wput_other(queue_t *q, mblk_t *mp)
4717 {
4718         uchar_t *rptr = mp->b_rptr;
4719         struct iocblk *iocp;
4720         conn_t  *connp = Q_TO_CONN(q);
4721         icmp_t  *icmp = connp->conn_icmp;
4722         cred_t *cr;
4723 
4724         switch (mp->b_datap->db_type) {
4725         case M_PROTO:
4726         case M_PCPROTO:
4727                 if (mp->b_wptr - rptr < sizeof (t_scalar_t)) {
4728                         /*
4729                          * If the message does not contain a PRIM_type,
4730                          * throw it away.
4731                          */
4732                         freemsg(mp);
4733                         return;
4734                 }
4735                 switch (((t_primp_t)rptr)->type) {
4736                 case T_ADDR_REQ:
4737                         icmp_addr_req(q, mp);
4738                         return;
4739                 case O_T_BIND_REQ:
4740                 case T_BIND_REQ:
4741                         icmp_tpi_bind(q, mp);
4742                         return;
4743                 case T_CONN_REQ:
4744                         icmp_tpi_connect(q, mp);
4745                         return;
4746                 case T_CAPABILITY_REQ:
4747                         icmp_capability_req(q, mp);
4748                         return;
4749                 case T_INFO_REQ:
4750                         icmp_info_req(q, mp);
4751                         return;
4752                 case T_UNITDATA_REQ:
4753                         /*
4754                          * If a T_UNITDATA_REQ gets here, the address must
4755                          * be bad.  Valid T_UNITDATA_REQs are handled
4756                          * in icmp_wput.
4757                          */
4758                         icmp_ud_err(q, mp, EADDRNOTAVAIL);
4759                         return;
4760                 case T_UNBIND_REQ:
4761                         icmp_tpi_unbind(q, mp);
4762                         return;
4763                 case T_SVR4_OPTMGMT_REQ:
4764                         /*
4765                          * All Solaris components should pass a db_credp
4766                          * for this TPI message, hence we ASSERT.
4767                          * But in case there is some other M_PROTO that looks
4768                          * like a TPI message sent by some other kernel
4769                          * component, we check and return an error.
4770                          */
4771                         cr = msg_getcred(mp, NULL);
4772                         ASSERT(cr != NULL);
4773                         if (cr == NULL) {
4774                                 icmp_err_ack(q, mp, TSYSERR, EINVAL);
4775                                 return;
4776                         }
4777 
4778                         if (!snmpcom_req(q, mp, icmp_snmp_set, ip_snmp_get,
4779                             cr)) {
4780                                 svr4_optcom_req(q, mp, cr, &icmp_opt_obj);
4781                         }
4782                         return;
4783 
4784                 case T_OPTMGMT_REQ:
4785                         /*
4786                          * All Solaris components should pass a db_credp
4787                          * for this TPI message, hence we ASSERT.
4788                          * But in case there is some other M_PROTO that looks
4789                          * like a TPI message sent by some other kernel
4790                          * component, we check and return an error.
4791                          */
4792                         cr = msg_getcred(mp, NULL);
4793                         ASSERT(cr != NULL);
4794                         if (cr == NULL) {
4795                                 icmp_err_ack(q, mp, TSYSERR, EINVAL);
4796                                 return;
4797                         }
4798                         tpi_optcom_req(q, mp, cr, &icmp_opt_obj);
4799                         return;
4800 
4801                 case T_DISCON_REQ:
4802                         icmp_tpi_disconnect(q, mp);
4803                         return;
4804 
4805                 /* The following TPI message is not supported by icmp. */
4806                 case O_T_CONN_RES:
4807                 case T_CONN_RES:
4808                         icmp_err_ack(q, mp, TNOTSUPPORT, 0);
4809                         return;
4810 
4811                 /* The following 3 TPI requests are illegal for icmp. */
4812                 case T_DATA_REQ:
4813                 case T_EXDATA_REQ:
4814                 case T_ORDREL_REQ:
4815                         icmp_err_ack(q, mp, TNOTSUPPORT, 0);
4816                         return;
4817                 default:
4818                         break;
4819                 }
4820                 break;
4821         case M_FLUSH:
4822                 if (*rptr & FLUSHW)
4823                         flushq(q, FLUSHDATA);
4824                 break;
4825         case M_IOCTL:
4826                 iocp = (struct iocblk *)mp->b_rptr;
4827                 switch (iocp->ioc_cmd) {
4828                 case TI_GETPEERNAME:
4829                         if (icmp->icmp_state != TS_DATA_XFER) {
4830                                 /*
4831                                  * If a default destination address has not
4832                                  * been associated with the stream, then we
4833                                  * don't know the peer's name.
4834                                  */
4835                                 iocp->ioc_error = ENOTCONN;
4836                                 iocp->ioc_count = 0;
4837                                 mp->b_datap->db_type = M_IOCACK;
4838                                 qreply(q, mp);
4839                                 return;
4840                         }
4841                         /* FALLTHRU */
4842                 case TI_GETMYNAME:
4843                         /*
4844                          * For TI_GETPEERNAME and TI_GETMYNAME, we first
4845                          * need to copyin the user's strbuf structure.
4846                          * Processing will continue in the M_IOCDATA case
4847                          * below.
4848                          */
4849                         mi_copyin(q, mp, NULL,
4850                             SIZEOF_STRUCT(strbuf, iocp->ioc_flag));
4851                         return;
4852                 default:
4853                         break;
4854                 }
4855                 break;
4856         case M_IOCDATA:
4857                 icmp_wput_iocdata(q, mp);
4858                 return;
4859         default:
4860                 /* Unrecognized messages are passed through without change. */
4861                 break;
4862         }
4863         ip_wput_nondata(q, mp);
4864 }
4865 
4866 /*
4867  * icmp_wput_iocdata is called by icmp_wput_other to handle all M_IOCDATA
4868  * messages.
4869  */
4870 static void
4871 icmp_wput_iocdata(queue_t *q, mblk_t *mp)
4872 {
4873         mblk_t          *mp1;
4874         STRUCT_HANDLE(strbuf, sb);
4875         uint_t          addrlen;
4876         conn_t          *connp = Q_TO_CONN(q);
4877         icmp_t          *icmp = connp->conn_icmp;
4878 
4879         /* Make sure it is one of ours. */
4880         switch (((struct iocblk *)mp->b_rptr)->ioc_cmd) {
4881         case TI_GETMYNAME:
4882         case TI_GETPEERNAME:
4883                 break;
4884         default:
4885                 ip_wput_nondata(q, mp);
4886                 return;
4887         }
4888 
4889         switch (mi_copy_state(q, mp, &mp1)) {
4890         case -1:
4891                 return;
4892         case MI_COPY_CASE(MI_COPY_IN, 1):
4893                 break;
4894         case MI_COPY_CASE(MI_COPY_OUT, 1):
4895                 /*
4896                  * The address has been copied out, so now
4897                  * copyout the strbuf.
4898                  */
4899                 mi_copyout(q, mp);
4900                 return;
4901         case MI_COPY_CASE(MI_COPY_OUT, 2):
4902                 /*
4903                  * The address and strbuf have been copied out.
4904                  * We're done, so just acknowledge the original
4905                  * M_IOCTL.
4906                  */
4907                 mi_copy_done(q, mp, 0);
4908                 return;
4909         default:
4910                 /*
4911                  * Something strange has happened, so acknowledge
4912                  * the original M_IOCTL with an EPROTO error.
4913                  */
4914                 mi_copy_done(q, mp, EPROTO);
4915                 return;
4916         }
4917 
4918         /*
4919          * Now we have the strbuf structure for TI_GETMYNAME
4920          * and TI_GETPEERNAME.  Next we copyout the requested
4921          * address and then we'll copyout the strbuf.
4922          */
4923         STRUCT_SET_HANDLE(sb, ((struct iocblk *)mp->b_rptr)->ioc_flag,
4924             (void *)mp1->b_rptr);
4925 
4926         if (connp->conn_family == AF_INET)
4927                 addrlen = sizeof (sin_t);
4928         else
4929                 addrlen = sizeof (sin6_t);
4930 
4931         if (STRUCT_FGET(sb, maxlen) < addrlen) {
4932                 mi_copy_done(q, mp, EINVAL);
4933                 return;
4934         }
4935         switch (((struct iocblk *)mp->b_rptr)->ioc_cmd) {
4936         case TI_GETMYNAME:
4937                 break;
4938         case TI_GETPEERNAME:
4939                 if (icmp->icmp_state != TS_DATA_XFER) {
4940                         mi_copy_done(q, mp, ENOTCONN);
4941                         return;
4942                 }
4943                 break;
4944         default:
4945                 mi_copy_done(q, mp, EPROTO);
4946                 return;
4947         }
4948         mp1 = mi_copyout_alloc(q, mp, STRUCT_FGETP(sb, buf), addrlen, B_TRUE);
4949         if (!mp1)
4950                 return;
4951 
4952         STRUCT_FSET(sb, len, addrlen);
4953         switch (((struct iocblk *)mp->b_rptr)->ioc_cmd) {
4954         case TI_GETMYNAME:
4955                 (void) conn_getsockname(connp, (struct sockaddr *)mp1->b_wptr,
4956                     &addrlen);
4957                 break;
4958         case TI_GETPEERNAME:
4959                 (void) conn_getpeername(connp, (struct sockaddr *)mp1->b_wptr,
4960                     &addrlen);
4961                 break;
4962         }
4963         mp1->b_wptr += addrlen;
4964         /* Copy out the address */
4965         mi_copyout(q, mp);
4966 }
4967 
4968 void
4969 icmp_ddi_g_init(void)
4970 {
4971         icmp_max_optsize = optcom_max_optsize(icmp_opt_obj.odb_opt_des_arr,
4972             icmp_opt_obj.odb_opt_arr_cnt);
4973 
4974         /*
4975          * We want to be informed each time a stack is created or
4976          * destroyed in the kernel, so we can maintain the
4977          * set of icmp_stack_t's.
4978          */
4979         netstack_register(NS_ICMP, rawip_stack_init, NULL, rawip_stack_fini);
4980 }
4981 
4982 void
4983 icmp_ddi_g_destroy(void)
4984 {
4985         netstack_unregister(NS_ICMP);
4986 }
4987 
4988 #define INET_NAME       "ip"
4989 
4990 /*
4991  * Initialize the ICMP stack instance.
4992  */
4993 static void *
4994 rawip_stack_init(netstackid_t stackid, netstack_t *ns)
4995 {
4996         icmp_stack_t    *is;
4997         int             error = 0;
4998         size_t          arrsz;
4999         major_t         major;
5000 
5001         is = (icmp_stack_t *)kmem_zalloc(sizeof (*is), KM_SLEEP);
5002         is->is_netstack = ns;
5003 
5004         arrsz = sizeof (icmp_propinfo_tbl);
5005         is->is_propinfo_tbl = (mod_prop_info_t *)kmem_alloc(arrsz, KM_SLEEP);
5006         bcopy(icmp_propinfo_tbl, is->is_propinfo_tbl, arrsz);
5007 
5008         is->is_ksp = rawip_kstat_init(stackid);
5009 
5010         major = mod_name_to_major(INET_NAME);
5011         error = ldi_ident_from_major(major, &is->is_ldi_ident);
5012         ASSERT(error == 0);
5013         return (is);
5014 }
5015 
5016 /*
5017  * Free the ICMP stack instance.
5018  */
5019 static void
5020 rawip_stack_fini(netstackid_t stackid, void *arg)
5021 {
5022         icmp_stack_t *is = (icmp_stack_t *)arg;
5023 
5024         kmem_free(is->is_propinfo_tbl, sizeof (icmp_propinfo_tbl));
5025         is->is_propinfo_tbl = NULL;
5026 
5027         rawip_kstat_fini(stackid, is->is_ksp);
5028         is->is_ksp = NULL;
5029         ldi_ident_release(is->is_ldi_ident);
5030         kmem_free(is, sizeof (*is));
5031 }
5032 
5033 static void *
5034 rawip_kstat_init(netstackid_t stackid)
5035 {
5036         kstat_t *ksp;
5037 
5038         rawip_named_kstat_t template = {
5039                 { "inDatagrams",        KSTAT_DATA_UINT32, 0 },
5040                 { "inCksumErrs",        KSTAT_DATA_UINT32, 0 },
5041                 { "inErrors",           KSTAT_DATA_UINT32, 0 },
5042                 { "outDatagrams",       KSTAT_DATA_UINT32, 0 },
5043                 { "outErrors",          KSTAT_DATA_UINT32, 0 },
5044         };
5045 
5046         ksp = kstat_create_netstack("icmp", 0, "rawip", "mib2",
5047             KSTAT_TYPE_NAMED, NUM_OF_FIELDS(rawip_named_kstat_t), 0, stackid);
5048         if (ksp == NULL || ksp->ks_data == NULL)
5049                 return (NULL);
5050 
5051         bcopy(&template, ksp->ks_data, sizeof (template));
5052         ksp->ks_update = rawip_kstat_update;
5053         ksp->ks_private = (void *)(uintptr_t)stackid;
5054 
5055         kstat_install(ksp);
5056         return (ksp);
5057 }
5058 
5059 static void
5060 rawip_kstat_fini(netstackid_t stackid, kstat_t *ksp)
5061 {
5062         if (ksp != NULL) {
5063                 ASSERT(stackid == (netstackid_t)(uintptr_t)ksp->ks_private);
5064                 kstat_delete_netstack(ksp, stackid);
5065         }
5066 }
5067 
5068 static int
5069 rawip_kstat_update(kstat_t *ksp, int rw)
5070 {
5071         rawip_named_kstat_t *rawipkp;
5072         netstackid_t    stackid = (netstackid_t)(uintptr_t)ksp->ks_private;
5073         netstack_t      *ns;
5074         icmp_stack_t    *is;
5075 
5076         if (ksp->ks_data == NULL)
5077                 return (EIO);
5078 
5079         if (rw == KSTAT_WRITE)
5080                 return (EACCES);
5081 
5082         rawipkp = (rawip_named_kstat_t *)ksp->ks_data;
5083 
5084         ns = netstack_find_by_stackid(stackid);
5085         if (ns == NULL)
5086                 return (-1);
5087         is = ns->netstack_icmp;
5088         if (is == NULL) {
5089                 netstack_rele(ns);
5090                 return (-1);
5091         }
5092         rawipkp->inDatagrams.value.ui32 =  is->is_rawip_mib.rawipInDatagrams;
5093         rawipkp->inCksumErrs.value.ui32 =  is->is_rawip_mib.rawipInCksumErrs;
5094         rawipkp->inErrors.value.ui32 =          is->is_rawip_mib.rawipInErrors;
5095         rawipkp->outDatagrams.value.ui32 = is->is_rawip_mib.rawipOutDatagrams;
5096         rawipkp->outErrors.value.ui32 =         is->is_rawip_mib.rawipOutErrors;
5097         netstack_rele(ns);
5098         return (0);
5099 }
5100 
5101 /* ARGSUSED */
5102 int
5103 rawip_accept(sock_lower_handle_t lproto_handle,
5104     sock_lower_handle_t eproto_handle, sock_upper_handle_t sock_handle,
5105     cred_t *cr)
5106 {
5107         return (EOPNOTSUPP);
5108 }
5109 
5110 /* ARGSUSED */
5111 int
5112 rawip_bind(sock_lower_handle_t proto_handle, struct sockaddr *sa,
5113     socklen_t len, cred_t *cr)
5114 {
5115         conn_t  *connp = (conn_t *)proto_handle;
5116         int     error;
5117 
5118         /* All Solaris components should pass a cred for this operation. */
5119         ASSERT(cr != NULL);
5120 
5121         /* Binding to a NULL address really means unbind */
5122         if (sa == NULL)
5123                 error = rawip_do_unbind(connp);
5124         else
5125                 error = rawip_do_bind(connp, sa, len);
5126 
5127         if (error < 0) {
5128                 if (error == -TOUTSTATE)
5129                         error = EINVAL;
5130                 else
5131                         error = proto_tlitosyserr(-error);
5132         }
5133         return (error);
5134 }
5135 
5136 static int
5137 rawip_implicit_bind(conn_t *connp)
5138 {
5139         sin6_t sin6addr;
5140         sin_t *sin;
5141         sin6_t *sin6;
5142         socklen_t len;
5143         int error;
5144 
5145         if (connp->conn_family == AF_INET) {
5146                 len = sizeof (struct sockaddr_in);
5147                 sin = (sin_t *)&sin6addr;
5148                 *sin = sin_null;
5149                 sin->sin_family = AF_INET;
5150                 sin->sin_addr.s_addr = INADDR_ANY;
5151         } else {
5152                 ASSERT(connp->conn_family == AF_INET6);
5153                 len = sizeof (sin6_t);
5154                 sin6 = (sin6_t *)&sin6addr;
5155                 *sin6 = sin6_null;
5156                 sin6->sin6_family = AF_INET6;
5157                 V6_SET_ZERO(sin6->sin6_addr);
5158         }
5159 
5160         error = rawip_do_bind(connp, (struct sockaddr *)&sin6addr, len);
5161 
5162         return ((error < 0) ? proto_tlitosyserr(-error) : error);
5163 }
5164 
5165 static int
5166 rawip_unbind(conn_t *connp)
5167 {
5168         int error;
5169 
5170         error = rawip_do_unbind(connp);
5171         if (error < 0) {
5172                 error = proto_tlitosyserr(-error);
5173         }
5174         return (error);
5175 }
5176 
5177 /* ARGSUSED */
5178 int
5179 rawip_listen(sock_lower_handle_t proto_handle, int backlog, cred_t *cr)
5180 {
5181         return (EOPNOTSUPP);
5182 }
5183 
5184 int
5185 rawip_connect(sock_lower_handle_t proto_handle, const struct sockaddr *sa,
5186     socklen_t len, sock_connid_t *id, cred_t *cr)
5187 {
5188         conn_t  *connp = (conn_t *)proto_handle;
5189         icmp_t *icmp = connp->conn_icmp;
5190         int     error;
5191         boolean_t did_bind = B_FALSE;
5192         pid_t   pid = curproc->p_pid;
5193 
5194         /* All Solaris components should pass a cred for this operation. */
5195         ASSERT(cr != NULL);
5196 
5197         if (sa == NULL) {
5198                 /*
5199                  * Disconnect
5200                  * Make sure we are connected
5201                  */
5202                 if (icmp->icmp_state != TS_DATA_XFER)
5203                         return (EINVAL);
5204 
5205                 error = icmp_disconnect(connp);
5206                 return (error);
5207         }
5208 
5209         error = proto_verify_ip_addr(connp->conn_family, sa, len);
5210         if (error != 0)
5211                 return (error);
5212 
5213         /* do an implicit bind if necessary */
5214         if (icmp->icmp_state == TS_UNBND) {
5215                 error = rawip_implicit_bind(connp);
5216                 /*
5217                  * We could be racing with an actual bind, in which case
5218                  * we would see EPROTO. We cross our fingers and try
5219                  * to connect.
5220                  */
5221                 if (!(error == 0 || error == EPROTO))
5222                         return (error);
5223                 did_bind = B_TRUE;
5224         }
5225 
5226         /*
5227          * set SO_DGRAM_ERRIND
5228          */
5229         connp->conn_dgram_errind = B_TRUE;
5230 
5231         error = rawip_do_connect(connp, sa, len, cr, pid);
5232         if (error != 0 && did_bind) {
5233                 int unbind_err;
5234 
5235                 unbind_err = rawip_unbind(connp);
5236                 ASSERT(unbind_err == 0);
5237         }
5238 
5239         if (error == 0) {
5240                 *id = 0;
5241                 (*connp->conn_upcalls->su_connected)(connp->conn_upper_handle,
5242                     0, NULL, -1);
5243         } else if (error < 0) {
5244                 error = proto_tlitosyserr(-error);
5245         }
5246         return (error);
5247 }
5248 
5249 /* ARGSUSED2 */
5250 int
5251 rawip_fallback(sock_lower_handle_t proto_handle, queue_t *q,
5252     boolean_t direct_sockfs, so_proto_quiesced_cb_t quiesced_cb,
5253     sock_quiesce_arg_t *arg)
5254 {
5255         conn_t  *connp = (conn_t *)proto_handle;
5256         icmp_t  *icmp;
5257         struct T_capability_ack tca;
5258         struct sockaddr_in6 laddr, faddr;
5259         socklen_t laddrlen, faddrlen;
5260         short opts;
5261         struct stroptions *stropt;
5262         mblk_t *mp, *stropt_mp;
5263         int error;
5264 
5265         icmp = connp->conn_icmp;
5266 
5267         stropt_mp = allocb_wait(sizeof (*stropt), BPRI_HI, STR_NOSIG, NULL);
5268 
5269         /*
5270          * setup the fallback stream that was allocated
5271          */
5272         connp->conn_dev = (dev_t)RD(q)->q_ptr;
5273         connp->conn_minor_arena = WR(q)->q_ptr;
5274 
5275         RD(q)->q_ptr = WR(q)->q_ptr = connp;
5276 
5277         WR(q)->q_qinfo = &icmpwinit;
5278 
5279         connp->conn_rq = RD(q);
5280         connp->conn_wq = WR(q);
5281 
5282         /* Notify stream head about options before sending up data */
5283         stropt_mp->b_datap->db_type = M_SETOPTS;
5284         stropt_mp->b_wptr += sizeof (*stropt);
5285         stropt = (struct stroptions *)stropt_mp->b_rptr;
5286         stropt->so_flags = SO_WROFF | SO_HIWAT;
5287         stropt->so_wroff = connp->conn_wroff;
5288         stropt->so_hiwat = connp->conn_rcvbuf;
5289         putnext(RD(q), stropt_mp);
5290 
5291         /*
5292          * free helper stream
5293          */
5294         ip_free_helper_stream(connp);
5295 
5296         /*
5297          * Collect the information needed to sync with the sonode
5298          */
5299         icmp_do_capability_ack(icmp, &tca, TC1_INFO);
5300 
5301         laddrlen = faddrlen = sizeof (sin6_t);
5302         (void) rawip_getsockname((sock_lower_handle_t)connp,
5303             (struct sockaddr *)&laddr, &laddrlen, CRED());
5304         error = rawip_getpeername((sock_lower_handle_t)connp,
5305             (struct sockaddr *)&faddr, &faddrlen, CRED());
5306         if (error != 0)
5307                 faddrlen = 0;
5308         opts = 0;
5309         if (connp->conn_dgram_errind)
5310                 opts |= SO_DGRAM_ERRIND;
5311         if (connp->conn_ixa->ixa_flags & IXAF_DONTROUTE)
5312                 opts |= SO_DONTROUTE;
5313 
5314         mp = (*quiesced_cb)(connp->conn_upper_handle, arg, &tca,
5315             (struct sockaddr *)&laddr, laddrlen,
5316             (struct sockaddr *)&faddr, faddrlen, opts);
5317 
5318         /*
5319          * Attempts to send data up during fallback will result in it being
5320          * queued in icmp_t. Now we push up any queued packets.
5321          */
5322         mutex_enter(&icmp->icmp_recv_lock);
5323         if (mp != NULL) {
5324                 mp->b_next = icmp->icmp_fallback_queue_head;
5325                 icmp->icmp_fallback_queue_head = mp;
5326         }
5327         while (icmp->icmp_fallback_queue_head != NULL) {
5328                 mp = icmp->icmp_fallback_queue_head;
5329                 icmp->icmp_fallback_queue_head = mp->b_next;
5330                 mp->b_next = NULL;
5331                 mutex_exit(&icmp->icmp_recv_lock);
5332                 putnext(RD(q), mp);
5333                 mutex_enter(&icmp->icmp_recv_lock);
5334         }
5335         icmp->icmp_fallback_queue_tail = icmp->icmp_fallback_queue_head;
5336 
5337         /*
5338          * No longer a streams less socket
5339          */
5340         mutex_enter(&connp->conn_lock);
5341         connp->conn_flags &= ~IPCL_NONSTR;
5342         mutex_exit(&connp->conn_lock);
5343 
5344         mutex_exit(&icmp->icmp_recv_lock);
5345 
5346         ASSERT(icmp->icmp_fallback_queue_head == NULL &&
5347             icmp->icmp_fallback_queue_tail == NULL);
5348 
5349         ASSERT(connp->conn_ref >= 1);
5350 
5351         return (0);
5352 }
5353 
5354 /* ARGSUSED2 */
5355 sock_lower_handle_t
5356 rawip_create(int family, int type, int proto, sock_downcalls_t **sock_downcalls,
5357     uint_t *smodep, int *errorp, int flags, cred_t *credp)
5358 {
5359         conn_t *connp;
5360 
5361         if (type != SOCK_RAW || (family != AF_INET && family != AF_INET6)) {
5362                 *errorp = EPROTONOSUPPORT;
5363                 return (NULL);
5364         }
5365 
5366         connp = rawip_do_open(family, credp, errorp, flags);
5367         if (connp != NULL) {
5368                 connp->conn_flags |= IPCL_NONSTR;
5369 
5370                 mutex_enter(&connp->conn_lock);
5371                 connp->conn_state_flags &= ~CONN_INCIPIENT;
5372                 mutex_exit(&connp->conn_lock);
5373                 *sock_downcalls = &sock_rawip_downcalls;
5374                 *smodep = SM_ATOMIC;
5375         } else {
5376                 ASSERT(*errorp != 0);
5377         }
5378 
5379         return ((sock_lower_handle_t)connp);
5380 }
5381 
5382 /* ARGSUSED3 */
5383 void
5384 rawip_activate(sock_lower_handle_t proto_handle,
5385     sock_upper_handle_t sock_handle, sock_upcalls_t *sock_upcalls, int flags,
5386     cred_t *cr)
5387 {
5388         conn_t *connp = (conn_t *)proto_handle;
5389         struct sock_proto_props sopp;
5390 
5391         /* All Solaris components should pass a cred for this operation. */
5392         ASSERT(cr != NULL);
5393 
5394         connp->conn_upcalls = sock_upcalls;
5395         connp->conn_upper_handle = sock_handle;
5396 
5397         sopp.sopp_flags = SOCKOPT_WROFF | SOCKOPT_RCVHIWAT | SOCKOPT_RCVLOWAT |
5398             SOCKOPT_MAXBLK | SOCKOPT_MAXPSZ | SOCKOPT_MINPSZ;
5399         sopp.sopp_wroff = connp->conn_wroff;
5400         sopp.sopp_rxhiwat = connp->conn_rcvbuf;
5401         sopp.sopp_rxlowat = connp->conn_rcvlowat;
5402         sopp.sopp_maxblk = INFPSZ;
5403         sopp.sopp_maxpsz = IP_MAXPACKET;
5404         sopp.sopp_minpsz = (icmp_mod_info.mi_minpsz == 1) ? 0 :
5405             icmp_mod_info.mi_minpsz;
5406 
5407         (*connp->conn_upcalls->su_set_proto_props)
5408             (connp->conn_upper_handle, &sopp);
5409 
5410         icmp_bind_proto(connp->conn_icmp);
5411 }
5412 
5413 /* ARGSUSED3 */
5414 int
5415 rawip_getpeername(sock_lower_handle_t proto_handle, struct sockaddr *sa,
5416     socklen_t *salenp, cred_t *cr)
5417 {
5418         conn_t  *connp = (conn_t *)proto_handle;
5419         icmp_t  *icmp = connp->conn_icmp;
5420         int     error;
5421 
5422         /* All Solaris components should pass a cred for this operation. */
5423         ASSERT(cr != NULL);
5424 
5425         mutex_enter(&connp->conn_lock);
5426         if (icmp->icmp_state != TS_DATA_XFER)
5427                 error = ENOTCONN;
5428         else
5429                 error = conn_getpeername(connp, sa, salenp);
5430         mutex_exit(&connp->conn_lock);
5431         return (error);
5432 }
5433 
5434 /* ARGSUSED3 */
5435 int
5436 rawip_getsockname(sock_lower_handle_t proto_handle, struct sockaddr *sa,
5437     socklen_t *salenp, cred_t *cr)
5438 {
5439         conn_t  *connp = (conn_t *)proto_handle;
5440         int     error;
5441 
5442         /* All Solaris components should pass a cred for this operation. */
5443         ASSERT(cr != NULL);
5444 
5445         mutex_enter(&connp->conn_lock);
5446         error = conn_getsockname(connp, sa, salenp);
5447         mutex_exit(&connp->conn_lock);
5448         return (error);
5449 }
5450 
5451 int
5452 rawip_setsockopt(sock_lower_handle_t proto_handle, int level, int option_name,
5453     const void *optvalp, socklen_t optlen, cred_t *cr)
5454 {
5455         conn_t  *connp = (conn_t *)proto_handle;
5456         int error;
5457 
5458         /* All Solaris components should pass a cred for this operation. */
5459         ASSERT(cr != NULL);
5460 
5461         error = proto_opt_check(level, option_name, optlen, NULL,
5462             icmp_opt_obj.odb_opt_des_arr,
5463             icmp_opt_obj.odb_opt_arr_cnt,
5464             B_TRUE, B_FALSE, cr);
5465 
5466         if (error != 0) {
5467                 /*
5468                  * option not recognized
5469                  */
5470                 if (error < 0) {
5471                         error = proto_tlitosyserr(-error);
5472                 }
5473                 return (error);
5474         }
5475 
5476         error = icmp_opt_set(connp, SETFN_OPTCOM_NEGOTIATE, level,
5477             option_name, optlen, (uchar_t *)optvalp, (uint_t *)&optlen,
5478             (uchar_t *)optvalp, NULL, cr);
5479 
5480         ASSERT(error >= 0);
5481 
5482         return (error);
5483 }
5484 
5485 int
5486 rawip_getsockopt(sock_lower_handle_t proto_handle, int level, int option_name,
5487     void *optvalp, socklen_t *optlen, cred_t *cr)
5488 {
5489         int             error;
5490         conn_t          *connp = (conn_t *)proto_handle;
5491         t_uscalar_t     max_optbuf_len;
5492         void            *optvalp_buf;
5493         int             len;
5494 
5495         /* All Solaris components should pass a cred for this operation. */
5496         ASSERT(cr != NULL);
5497 
5498         error = proto_opt_check(level, option_name, *optlen, &max_optbuf_len,
5499             icmp_opt_obj.odb_opt_des_arr,
5500             icmp_opt_obj.odb_opt_arr_cnt,
5501             B_FALSE, B_TRUE, cr);
5502 
5503         if (error != 0) {
5504                 if (error < 0) {
5505                         error = proto_tlitosyserr(-error);
5506                 }
5507                 return (error);
5508         }
5509 
5510         optvalp_buf = kmem_alloc(max_optbuf_len, KM_SLEEP);
5511         len = icmp_opt_get(connp, level, option_name, optvalp_buf);
5512         if (len == -1) {
5513                 kmem_free(optvalp_buf, max_optbuf_len);
5514                 return (EINVAL);
5515         }
5516 
5517         /*
5518          * update optlen and copy option value
5519          */
5520         t_uscalar_t size = MIN(len, *optlen);
5521 
5522         bcopy(optvalp_buf, optvalp, size);
5523         bcopy(&size, optlen, sizeof (size));
5524 
5525         kmem_free(optvalp_buf, max_optbuf_len);
5526         return (0);
5527 }
5528 
5529 /* ARGSUSED1 */
5530 int
5531 rawip_close(sock_lower_handle_t proto_handle, int flags, cred_t *cr)
5532 {
5533         conn_t  *connp = (conn_t *)proto_handle;
5534 
5535         /* All Solaris components should pass a cred for this operation. */
5536         ASSERT(cr != NULL);
5537 
5538         (void) rawip_do_close(connp);
5539         return (0);
5540 }
5541 
5542 /* ARGSUSED2 */
5543 int
5544 rawip_shutdown(sock_lower_handle_t proto_handle, int how, cred_t *cr)
5545 {
5546         conn_t  *connp = (conn_t *)proto_handle;
5547 
5548         /* All Solaris components should pass a cred for this operation. */
5549         ASSERT(cr != NULL);
5550 
5551         /* shut down the send side */
5552         if (how != SHUT_RD)
5553                 (*connp->conn_upcalls->su_opctl)(connp->conn_upper_handle,
5554                     SOCK_OPCTL_SHUT_SEND, 0);
5555         /* shut down the recv side */
5556         if (how != SHUT_WR)
5557                 (*connp->conn_upcalls->su_opctl)(connp->conn_upper_handle,
5558                     SOCK_OPCTL_SHUT_RECV, 0);
5559         return (0);
5560 }
5561 
5562 void
5563 rawip_clr_flowctrl(sock_lower_handle_t proto_handle)
5564 {
5565         conn_t  *connp = (conn_t *)proto_handle;
5566         icmp_t  *icmp = connp->conn_icmp;
5567 
5568         mutex_enter(&icmp->icmp_recv_lock);
5569         connp->conn_flow_cntrld = B_FALSE;
5570         mutex_exit(&icmp->icmp_recv_lock);
5571 }
5572 
5573 int
5574 rawip_ioctl(sock_lower_handle_t proto_handle, int cmd, intptr_t arg,
5575     int mode, int32_t *rvalp, cred_t *cr)
5576 {
5577         conn_t          *connp = (conn_t *)proto_handle;
5578         int             error;
5579 
5580         /* All Solaris components should pass a cred for this operation. */
5581         ASSERT(cr != NULL);
5582 
5583         /*
5584          * If we don't have a helper stream then create one.
5585          * ip_create_helper_stream takes care of locking the conn_t,
5586          * so this check for NULL is just a performance optimization.
5587          */
5588         if (connp->conn_helper_info == NULL) {
5589                 icmp_stack_t *is = connp->conn_icmp->icmp_is;
5590 
5591                 ASSERT(is->is_ldi_ident != NULL);
5592 
5593                 /*
5594                  * Create a helper stream for non-STREAMS socket.
5595                  */
5596                 error = ip_create_helper_stream(connp, is->is_ldi_ident);
5597                 if (error != 0) {
5598                         ip0dbg(("rawip_ioctl: create of IP helper stream "
5599                             "failed %d\n", error));
5600                         return (error);
5601                 }
5602         }
5603 
5604         switch (cmd) {
5605         case _SIOCSOCKFALLBACK:
5606         case TI_GETPEERNAME:
5607         case TI_GETMYNAME:
5608 #ifdef DEBUG
5609                 cmn_err(CE_CONT, "icmp_ioctl cmd 0x%x on non streams"
5610                     " socket", cmd);
5611 #endif
5612                 error = EINVAL;
5613                 break;
5614         default:
5615                 /*
5616                  * Pass on to IP using helper stream
5617                  */
5618                 error = ldi_ioctl(connp->conn_helper_info->iphs_handle,
5619                     cmd, arg, mode, cr, rvalp);
5620                 break;
5621         }
5622         return (error);
5623 }
5624 
5625 int
5626 rawip_send(sock_lower_handle_t proto_handle, mblk_t *mp, struct nmsghdr *msg,
5627     cred_t *cr)
5628 {
5629         sin6_t          *sin6;
5630         sin_t           *sin = NULL;
5631         uint_t          srcid;
5632         conn_t          *connp = (conn_t *)proto_handle;
5633         icmp_t          *icmp = connp->conn_icmp;
5634         int             error = 0;
5635         icmp_stack_t    *is = icmp->icmp_is;
5636         pid_t           pid = curproc->p_pid;
5637         ip_xmit_attr_t  *ixa;
5638 
5639         ASSERT(DB_TYPE(mp) == M_DATA);
5640 
5641         /* All Solaris components should pass a cred for this operation. */
5642         ASSERT(cr != NULL);
5643 
5644         /* do an implicit bind if necessary */
5645         if (icmp->icmp_state == TS_UNBND) {
5646                 error = rawip_implicit_bind(connp);
5647                 /*
5648                  * We could be racing with an actual bind, in which case
5649                  * we would see EPROTO. We cross our fingers and try
5650                  * to connect.
5651                  */
5652                 if (!(error == 0 || error == EPROTO)) {
5653                         freemsg(mp);
5654                         return (error);
5655                 }
5656         }
5657 
5658         /* Protocol 255 contains full IP headers */
5659         /* Read without holding lock */
5660         if (icmp->icmp_hdrincl) {
5661                 ASSERT(connp->conn_ipversion == IPV4_VERSION);
5662                 if (mp->b_wptr - mp->b_rptr < IP_SIMPLE_HDR_LENGTH) {
5663                         if (!pullupmsg(mp, IP_SIMPLE_HDR_LENGTH)) {
5664                                 BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
5665                                 freemsg(mp);
5666                                 return (EINVAL);
5667                         }
5668                 }
5669                 error = icmp_output_hdrincl(connp, mp, cr, pid);
5670                 if (is->is_sendto_ignerr)
5671                         return (0);
5672                 else
5673                         return (error);
5674         }
5675 
5676         /* Connected? */
5677         if (msg->msg_name == NULL) {
5678                 if (icmp->icmp_state != TS_DATA_XFER) {
5679                         BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
5680                         return (EDESTADDRREQ);
5681                 }
5682                 if (msg->msg_controllen != 0) {
5683                         error = icmp_output_ancillary(connp, NULL, NULL, mp,
5684                             NULL, msg, cr, pid);
5685                 } else {
5686                         error = icmp_output_connected(connp, mp, cr, pid);
5687                 }
5688                 if (is->is_sendto_ignerr)
5689                         return (0);
5690                 else
5691                         return (error);
5692         }
5693         if (icmp->icmp_state == TS_DATA_XFER) {
5694                 BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
5695                 return (EISCONN);
5696         }
5697         error = proto_verify_ip_addr(connp->conn_family,
5698             (struct sockaddr *)msg->msg_name, msg->msg_namelen);
5699         if (error != 0) {
5700                 BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
5701                 return (error);
5702         }
5703         switch (connp->conn_family) {
5704         case AF_INET6:
5705                 sin6 = (sin6_t *)msg->msg_name;
5706 
5707                 /* No support for mapped addresses on raw sockets */
5708                 if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
5709                         BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
5710                         return (EADDRNOTAVAIL);
5711                 }
5712                 srcid = sin6->__sin6_src_id;
5713 
5714                 /*
5715                  * If the local address is a mapped address return
5716                  * an error.
5717                  * It would be possible to send an IPv6 packet but the
5718                  * response would never make it back to the application
5719                  * since it is bound to a mapped address.
5720                  */
5721                 if (IN6_IS_ADDR_V4MAPPED(&connp->conn_saddr_v6)) {
5722                         BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
5723                         return (EADDRNOTAVAIL);
5724                 }
5725 
5726                 if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr))
5727                         sin6->sin6_addr = ipv6_loopback;
5728 
5729                 /*
5730                  * We have to allocate an ip_xmit_attr_t before we grab
5731                  * conn_lock and we need to hold conn_lock once we've check
5732                  * conn_same_as_last_v6 to handle concurrent send* calls on a
5733                  * socket.
5734                  */
5735                 if (msg->msg_controllen == 0) {
5736                         ixa = conn_get_ixa(connp, B_FALSE);
5737                         if (ixa == NULL) {
5738                                 BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
5739                                 return (ENOMEM);
5740                         }
5741                 } else {
5742                         ixa = NULL;
5743                 }
5744                 mutex_enter(&connp->conn_lock);
5745                 if (icmp->icmp_delayed_error != 0) {
5746                         sin6_t  *sin2 = (sin6_t *)&icmp->icmp_delayed_addr;
5747 
5748                         error = icmp->icmp_delayed_error;
5749                         icmp->icmp_delayed_error = 0;
5750 
5751                         /* Compare IP address and family */
5752 
5753                         if (IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr,
5754                             &sin2->sin6_addr) &&
5755                             sin6->sin6_family == sin2->sin6_family) {
5756                                 mutex_exit(&connp->conn_lock);
5757                                 BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
5758                                 if (ixa != NULL)
5759                                         ixa_refrele(ixa);
5760                                 return (error);
5761                         }
5762                 }
5763                 if (msg->msg_controllen != 0) {
5764                         mutex_exit(&connp->conn_lock);
5765                         ASSERT(ixa == NULL);
5766                         error = icmp_output_ancillary(connp, NULL, sin6, mp,
5767                             NULL, msg, cr, pid);
5768                 } else if (conn_same_as_last_v6(connp, sin6) &&
5769                     connp->conn_lastsrcid == srcid &&
5770                     ipsec_outbound_policy_current(ixa)) {
5771                         /* icmp_output_lastdst drops conn_lock */
5772                         error = icmp_output_lastdst(connp, mp, cr, pid, ixa);
5773                 } else {
5774                         /* icmp_output_newdst drops conn_lock */
5775                         error = icmp_output_newdst(connp, mp, NULL, sin6, cr,
5776                             pid, ixa);
5777                 }
5778                 ASSERT(MUTEX_NOT_HELD(&connp->conn_lock));
5779                 if (is->is_sendto_ignerr)
5780                         return (0);
5781                 else
5782                         return (error);
5783         case AF_INET:
5784                 sin = (sin_t *)msg->msg_name;
5785 
5786                 if (sin->sin_addr.s_addr == INADDR_ANY)
5787                         sin->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
5788 
5789                 /*
5790                  * We have to allocate an ip_xmit_attr_t before we grab
5791                  * conn_lock and we need to hold conn_lock once we've check
5792                  * conn_same_as_last_v6 to handle concurrent send* on a socket.
5793                  */
5794                 if (msg->msg_controllen == 0) {
5795                         ixa = conn_get_ixa(connp, B_FALSE);
5796                         if (ixa == NULL) {
5797                                 BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
5798                                 return (ENOMEM);
5799                         }
5800                 } else {
5801                         ixa = NULL;
5802                 }
5803                 mutex_enter(&connp->conn_lock);
5804                 if (icmp->icmp_delayed_error != 0) {
5805                         sin_t  *sin2 = (sin_t *)&icmp->icmp_delayed_addr;
5806 
5807                         error = icmp->icmp_delayed_error;
5808                         icmp->icmp_delayed_error = 0;
5809 
5810                         /* Compare IP address */
5811 
5812                         if (sin->sin_addr.s_addr == sin2->sin_addr.s_addr) {
5813                                 mutex_exit(&connp->conn_lock);
5814                                 BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
5815                                 if (ixa != NULL)
5816                                         ixa_refrele(ixa);
5817                                 return (error);
5818                         }
5819                 }
5820 
5821                 if (msg->msg_controllen != 0) {
5822                         mutex_exit(&connp->conn_lock);
5823                         ASSERT(ixa == NULL);
5824                         error = icmp_output_ancillary(connp, sin, NULL, mp,
5825                             NULL, msg, cr, pid);
5826                 } else if (conn_same_as_last_v4(connp, sin) &&
5827                     ipsec_outbound_policy_current(ixa)) {
5828                         /* icmp_output_lastdst drops conn_lock */
5829                         error = icmp_output_lastdst(connp, mp, cr, pid, ixa);
5830                 } else {
5831                         /* icmp_output_newdst drops conn_lock */
5832                         error = icmp_output_newdst(connp, mp, sin, NULL, cr,
5833                             pid, ixa);
5834                 }
5835                 ASSERT(MUTEX_NOT_HELD(&connp->conn_lock));
5836                 if (is->is_sendto_ignerr)
5837                         return (0);
5838                 else
5839                         return (error);
5840         default:
5841                 return (EINVAL);
5842         }
5843 }
5844 
5845 sock_downcalls_t sock_rawip_downcalls = {
5846         rawip_activate,
5847         rawip_accept,
5848         rawip_bind,
5849         rawip_listen,
5850         rawip_connect,
5851         rawip_getpeername,
5852         rawip_getsockname,
5853         rawip_getsockopt,
5854         rawip_setsockopt,
5855         rawip_send,
5856         NULL,
5857         NULL,
5858         NULL,
5859         rawip_shutdown,
5860         rawip_clr_flowctrl,
5861         rawip_ioctl,
5862         rawip_close
5863 };