xref: /illumos-gate/usr/src/uts/common/inet/ip/ip6.c (revision 47842382d52f28aa3173aa6b511781c322ccb6a2)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 /*
26  * Copyright (c) 1990 Mentat Inc.
27  */
28 
29 #include <sys/types.h>
30 #include <sys/stream.h>
31 #include <sys/dlpi.h>
32 #include <sys/stropts.h>
33 #include <sys/sysmacros.h>
34 #include <sys/strsun.h>
35 #include <sys/strlog.h>
36 #include <sys/strsubr.h>
37 #define	_SUN_TPI_VERSION	2
38 #include <sys/tihdr.h>
39 #include <sys/ddi.h>
40 #include <sys/sunddi.h>
41 #include <sys/cmn_err.h>
42 #include <sys/debug.h>
43 #include <sys/sdt.h>
44 #include <sys/kobj.h>
45 #include <sys/zone.h>
46 #include <sys/neti.h>
47 #include <sys/hook.h>
48 
49 #include <sys/kmem.h>
50 #include <sys/systm.h>
51 #include <sys/param.h>
52 #include <sys/socket.h>
53 #include <sys/vtrace.h>
54 #include <sys/isa_defs.h>
55 #include <sys/atomic.h>
56 #include <sys/iphada.h>
57 #include <sys/policy.h>
58 #include <net/if.h>
59 #include <net/if_types.h>
60 #include <net/route.h>
61 #include <net/if_dl.h>
62 #include <sys/sockio.h>
63 #include <netinet/in.h>
64 #include <netinet/ip6.h>
65 #include <netinet/icmp6.h>
66 #include <netinet/sctp.h>
67 
68 #include <inet/common.h>
69 #include <inet/mi.h>
70 #include <inet/optcom.h>
71 #include <inet/mib2.h>
72 #include <inet/nd.h>
73 #include <inet/arp.h>
74 
75 #include <inet/ip.h>
76 #include <inet/ip_impl.h>
77 #include <inet/ip6.h>
78 #include <inet/ip6_asp.h>
79 #include <inet/tcp.h>
80 #include <inet/tcp_impl.h>
81 #include <inet/udp_impl.h>
82 #include <inet/ipp_common.h>
83 
84 #include <inet/ip_multi.h>
85 #include <inet/ip_if.h>
86 #include <inet/ip_ire.h>
87 #include <inet/ip_rts.h>
88 #include <inet/ip_ndp.h>
89 #include <net/pfkeyv2.h>
90 #include <inet/ipsec_info.h>
91 #include <inet/sadb.h>
92 #include <inet/ipsec_impl.h>
93 #include <inet/tun.h>
94 #include <inet/sctp_ip.h>
95 #include <sys/pattr.h>
96 #include <inet/ipclassifier.h>
97 #include <inet/ipsecah.h>
98 #include <inet/rawip_impl.h>
99 #include <inet/rts_impl.h>
100 #include <sys/squeue_impl.h>
101 #include <sys/squeue.h>
102 
103 #include <sys/tsol/label.h>
104 #include <sys/tsol/tnet.h>
105 
106 #include <rpc/pmap_prot.h>
107 
108 /* Temporary; for CR 6451644 work-around */
109 #include <sys/ethernet.h>
110 
111 extern int ip_squeue_flag;
112 
113 /*
114  * Naming conventions:
115  *      These rules should be judiciously applied
116  *	if there is a need to identify something as IPv6 versus IPv4
117  *	IPv6 funcions will end with _v6 in the ip module.
118  *	IPv6 funcions will end with _ipv6 in the transport modules.
119  *	IPv6 macros:
120  *		Some macros end with _V6; e.g. ILL_FRAG_HASH_V6
121  *		Some macros start with V6_; e.g. V6_OR_V4_INADDR_ANY
122  *		And then there are ..V4_PART_OF_V6.
123  *		The intent is that macros in the ip module end with _V6.
124  *	IPv6 global variables will start with ipv6_
125  *	IPv6 structures will start with ipv6
126  *	IPv6 defined constants should start with IPV6_
127  *		(but then there are NDP_DEFAULT_VERS_PRI_AND_FLOW, etc)
128  */
129 
130 /*
131  * ip6opt_ls is used to enable IPv6 (via /etc/system on TX systems).
132  * We need to do this because we didn't obtain the IP6OPT_LS (0x0a)
133  * from IANA. This mechanism will remain in effect until an official
134  * number is obtained.
135  */
136 uchar_t ip6opt_ls;
137 
138 const in6_addr_t ipv6_all_ones =
139 	{ 0xffffffffU, 0xffffffffU, 0xffffffffU, 0xffffffffU };
140 const in6_addr_t ipv6_all_zeros = { 0, 0, 0, 0 };
141 
142 #ifdef	_BIG_ENDIAN
143 const in6_addr_t ipv6_unspecified_group = { 0xff000000U, 0, 0, 0 };
144 #else	/* _BIG_ENDIAN */
145 const in6_addr_t ipv6_unspecified_group = { 0x000000ffU, 0, 0, 0 };
146 #endif	/* _BIG_ENDIAN */
147 
148 #ifdef	_BIG_ENDIAN
149 const in6_addr_t ipv6_loopback = { 0, 0, 0, 0x00000001U };
150 #else  /* _BIG_ENDIAN */
151 const in6_addr_t ipv6_loopback = { 0, 0, 0, 0x01000000U };
152 #endif /* _BIG_ENDIAN */
153 
154 #ifdef _BIG_ENDIAN
155 const in6_addr_t ipv6_all_hosts_mcast = { 0xff020000U, 0, 0, 0x00000001U };
156 #else  /* _BIG_ENDIAN */
157 const in6_addr_t ipv6_all_hosts_mcast = { 0x000002ffU, 0, 0, 0x01000000U };
158 #endif /* _BIG_ENDIAN */
159 
160 #ifdef _BIG_ENDIAN
161 const in6_addr_t ipv6_all_rtrs_mcast = { 0xff020000U, 0, 0, 0x00000002U };
162 #else  /* _BIG_ENDIAN */
163 const in6_addr_t ipv6_all_rtrs_mcast = { 0x000002ffU, 0, 0, 0x02000000U };
164 #endif /* _BIG_ENDIAN */
165 
166 #ifdef _BIG_ENDIAN
167 const in6_addr_t ipv6_all_v2rtrs_mcast = { 0xff020000U, 0, 0, 0x00000016U };
168 #else  /* _BIG_ENDIAN */
169 const in6_addr_t ipv6_all_v2rtrs_mcast = { 0x000002ffU, 0, 0, 0x16000000U };
170 #endif /* _BIG_ENDIAN */
171 
172 #ifdef _BIG_ENDIAN
173 const in6_addr_t ipv6_solicited_node_mcast =
174 			{ 0xff020000U, 0, 0x00000001U, 0xff000000U };
175 #else  /* _BIG_ENDIAN */
176 const in6_addr_t ipv6_solicited_node_mcast =
177 			{ 0x000002ffU, 0, 0x01000000U, 0x000000ffU };
178 #endif /* _BIG_ENDIAN */
179 
180 /* Leave room for ip_newroute to tack on the src and target addresses */
181 #define	OK_RESOLVER_MP_V6(mp)						\
182 		((mp) && ((mp)->b_wptr - (mp)->b_rptr) >= (2 * IPV6_ADDR_LEN))
183 
184 #define	IP6_MBLK_OK		0
185 #define	IP6_MBLK_HDR_ERR	1
186 #define	IP6_MBLK_LEN_ERR	2
187 
188 static void	icmp_inbound_too_big_v6(queue_t *, mblk_t *, ill_t *, ill_t *,
189     boolean_t, zoneid_t);
190 static void	icmp_pkt_v6(queue_t *, mblk_t *, void *, size_t,
191     const in6_addr_t *, boolean_t, zoneid_t, ip_stack_t *);
192 static void	icmp_redirect_v6(queue_t *, mblk_t *, ill_t *ill);
193 static int	ip_bind_connected_v6(conn_t *, mblk_t **, uint8_t, in6_addr_t *,
194     uint16_t, const in6_addr_t *, ip6_pkt_t *, uint16_t,
195     boolean_t, boolean_t);
196 static boolean_t ip_bind_get_ire_v6(mblk_t **, ire_t *, const in6_addr_t *,
197     iulp_t *, ip_stack_t *);
198 static void	ip_bind_post_handling_v6(conn_t *, mblk_t *, boolean_t,
199     boolean_t, ip_stack_t *);
200 static int	ip_bind_laddr_v6(conn_t *, mblk_t **, uint8_t,
201     const in6_addr_t *, uint16_t, boolean_t);
202 static void	ip_fanout_proto_v6(queue_t *, mblk_t *, ip6_t *, ill_t *,
203     ill_t *, uint8_t, uint_t, uint_t, boolean_t, zoneid_t);
204 static void	ip_fanout_tcp_v6(queue_t *, mblk_t *, ip6_t *, ill_t *,
205     ill_t *, uint_t, uint_t, boolean_t, zoneid_t);
206 static void	ip_fanout_udp_v6(queue_t *, mblk_t *, ip6_t *, uint32_t,
207     ill_t *, ill_t *, uint_t, boolean_t, zoneid_t);
208 static int	ip_process_options_v6(queue_t *, mblk_t *, ip6_t *,
209     uint8_t *, uint_t, uint8_t, ip_stack_t *);
210 static mblk_t	*ip_rput_frag_v6(ill_t *, ill_t *, mblk_t *, ip6_t *,
211     ip6_frag_t *, uint_t, uint_t *, uint32_t *, uint16_t *);
212 static boolean_t	ip_source_routed_v6(ip6_t *, mblk_t *, ip_stack_t *);
213 static void	ip_wput_ire_v6(queue_t *, mblk_t *, ire_t *, int, int,
214     conn_t *, int, int, zoneid_t);
215 static boolean_t ipif_lookup_testaddr_v6(ill_t *, const in6_addr_t *,
216     ipif_t **);
217 
218 /*
219  * A template for an IPv6 AR_ENTRY_QUERY
220  */
221 static areq_t	ipv6_areq_template = {
222 	AR_ENTRY_QUERY,				/* cmd */
223 	sizeof (areq_t)+(2*IPV6_ADDR_LEN),	/* name offset */
224 	sizeof (areq_t),	/* name len (filled by ill_arp_alloc) */
225 	IP6_DL_SAP,		/* protocol, from arps perspective */
226 	sizeof (areq_t),	/* target addr offset */
227 	IPV6_ADDR_LEN,		/* target addr_length */
228 	0,			/* flags */
229 	sizeof (areq_t) + IPV6_ADDR_LEN,	/* sender addr offset */
230 	IPV6_ADDR_LEN,		/* sender addr length */
231 	6,			/* xmit_count */
232 	1000,			/* (re)xmit_interval in milliseconds */
233 	4			/* max # of requests to buffer */
234 	/* anything else filled in by the code */
235 };
236 
237 /*
238  * Handle IPv6 ICMP packets sent to us.  Consume the mblk passed in.
239  * The message has already been checksummed and if needed,
240  * a copy has been made to be sent any interested ICMP client (conn)
241  * Note that this is different than icmp_inbound() which does the fanout
242  * to conn's as well as local processing of the ICMP packets.
243  *
244  * All error messages are passed to the matching transport stream.
245  *
246  * Zones notes:
247  * The packet is only processed in the context of the specified zone: typically
248  * only this zone will reply to an echo request. This means that the caller must
249  * call icmp_inbound_v6() for each relevant zone.
250  */
251 static void
252 icmp_inbound_v6(queue_t *q, mblk_t *mp, ill_t *ill, ill_t *inill,
253     uint_t hdr_length, boolean_t mctl_present, uint_t flags, zoneid_t zoneid,
254     mblk_t *dl_mp)
255 {
256 	icmp6_t		*icmp6;
257 	ip6_t		*ip6h;
258 	boolean_t	interested;
259 	in6_addr_t	origsrc;
260 	mblk_t		*first_mp;
261 	ipsec_in_t	*ii;
262 	ip_stack_t	*ipst = ill->ill_ipst;
263 
264 	ASSERT(ill != NULL);
265 	first_mp = mp;
266 	if (mctl_present) {
267 		mp = first_mp->b_cont;
268 		ASSERT(mp != NULL);
269 
270 		ii = (ipsec_in_t *)first_mp->b_rptr;
271 		ASSERT(ii->ipsec_in_type == IPSEC_IN);
272 	}
273 
274 	ip6h = (ip6_t *)mp->b_rptr;
275 
276 	BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInMsgs);
277 
278 	if ((mp->b_wptr - mp->b_rptr) < (hdr_length + ICMP6_MINLEN)) {
279 		if (!pullupmsg(mp, hdr_length + ICMP6_MINLEN)) {
280 			ip1dbg(("icmp_inbound_v6: pullupmsg failed\n"));
281 			BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInErrors);
282 			freemsg(first_mp);
283 			return;
284 		}
285 		ip6h = (ip6_t *)mp->b_rptr;
286 	}
287 	if (ipst->ips_icmp_accept_clear_messages == 0) {
288 		first_mp = ipsec_check_global_policy(first_mp, NULL,
289 		    NULL, ip6h, mctl_present, ipst->ips_netstack);
290 		if (first_mp == NULL)
291 			return;
292 	}
293 
294 	/*
295 	 * On a labeled system, we have to check whether the zone itself is
296 	 * permitted to receive raw traffic.
297 	 */
298 	if (is_system_labeled()) {
299 		if (zoneid == ALL_ZONES)
300 			zoneid = tsol_packet_to_zoneid(mp);
301 		if (!tsol_can_accept_raw(mp, B_FALSE)) {
302 			ip1dbg(("icmp_inbound_v6: zone %d can't receive raw",
303 			    zoneid));
304 			BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInErrors);
305 			freemsg(first_mp);
306 			return;
307 		}
308 	}
309 
310 	icmp6 = (icmp6_t *)(&mp->b_rptr[hdr_length]);
311 	ip2dbg(("icmp_inbound_v6: type %d code %d\n", icmp6->icmp6_type,
312 	    icmp6->icmp6_code));
313 	interested = !(icmp6->icmp6_type & ICMP6_INFOMSG_MASK);
314 
315 	/* Initiate IPPF processing here */
316 	if (IP6_IN_IPP(flags, ipst)) {
317 
318 		/*
319 		 * If the ifindex changes due to SIOCSLIFINDEX
320 		 * packet may return to IP on the wrong ill.
321 		 */
322 		ip_process(IPP_LOCAL_IN, &mp, ill->ill_phyint->phyint_ifindex);
323 		if (mp == NULL) {
324 			if (mctl_present) {
325 				freeb(first_mp);
326 			}
327 			return;
328 		}
329 	}
330 
331 	switch (icmp6->icmp6_type) {
332 	case ICMP6_DST_UNREACH:
333 		BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInDestUnreachs);
334 		if (icmp6->icmp6_code == ICMP6_DST_UNREACH_ADMIN)
335 			BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInAdminProhibs);
336 		break;
337 
338 	case ICMP6_TIME_EXCEEDED:
339 		BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInTimeExcds);
340 		break;
341 
342 	case ICMP6_PARAM_PROB:
343 		BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInParmProblems);
344 		break;
345 
346 	case ICMP6_PACKET_TOO_BIG:
347 		icmp_inbound_too_big_v6(q, first_mp, ill, inill, mctl_present,
348 		    zoneid);
349 		return;
350 	case ICMP6_ECHO_REQUEST:
351 		BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInEchos);
352 		if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst) &&
353 		    !ipst->ips_ipv6_resp_echo_mcast)
354 			break;
355 
356 		/*
357 		 * We must have exclusive use of the mblk to convert it to
358 		 * a response.
359 		 * If not, we copy it.
360 		 */
361 		if (mp->b_datap->db_ref > 1) {
362 			mblk_t	*mp1;
363 
364 			mp1 = copymsg(mp);
365 			freemsg(mp);
366 			if (mp1 == NULL) {
367 				BUMP_MIB(ill->ill_icmp6_mib,
368 				    ipv6IfIcmpInErrors);
369 				if (mctl_present)
370 					freeb(first_mp);
371 				return;
372 			}
373 			mp = mp1;
374 			ip6h = (ip6_t *)mp->b_rptr;
375 			icmp6 = (icmp6_t *)(&mp->b_rptr[hdr_length]);
376 			if (mctl_present)
377 				first_mp->b_cont = mp;
378 			else
379 				first_mp = mp;
380 		}
381 
382 		/*
383 		 * Turn the echo into an echo reply.
384 		 * Remove any extension headers (do not reverse a source route)
385 		 * and clear the flow id (keep traffic class for now).
386 		 */
387 		if (hdr_length != IPV6_HDR_LEN) {
388 			int	i;
389 
390 			for (i = 0; i < IPV6_HDR_LEN; i++)
391 				mp->b_rptr[hdr_length - i - 1] =
392 				    mp->b_rptr[IPV6_HDR_LEN - i - 1];
393 			mp->b_rptr += (hdr_length - IPV6_HDR_LEN);
394 			ip6h = (ip6_t *)mp->b_rptr;
395 			ip6h->ip6_nxt = IPPROTO_ICMPV6;
396 			hdr_length = IPV6_HDR_LEN;
397 		}
398 		ip6h->ip6_vcf &= ~IPV6_FLOWINFO_FLOWLABEL;
399 		icmp6->icmp6_type = ICMP6_ECHO_REPLY;
400 
401 		ip6h->ip6_plen =
402 		    htons((uint16_t)(msgdsize(mp) - IPV6_HDR_LEN));
403 		origsrc = ip6h->ip6_src;
404 		/*
405 		 * Reverse the source and destination addresses.
406 		 * If the return address is a multicast, zero out the source
407 		 * (ip_wput_v6 will set an address).
408 		 */
409 		if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst)) {
410 			ip6h->ip6_src = ipv6_all_zeros;
411 			ip6h->ip6_dst = origsrc;
412 		} else {
413 			ip6h->ip6_src = ip6h->ip6_dst;
414 			ip6h->ip6_dst = origsrc;
415 		}
416 
417 		/* set the hop limit */
418 		ip6h->ip6_hops = ipst->ips_ipv6_def_hops;
419 
420 		/*
421 		 * Prepare for checksum by putting icmp length in the icmp
422 		 * checksum field. The checksum is calculated in ip_wput_v6.
423 		 */
424 		icmp6->icmp6_cksum = ip6h->ip6_plen;
425 
426 		if (!mctl_present) {
427 			/*
428 			 * This packet should go out the same way as it
429 			 * came in i.e in clear. To make sure that global
430 			 * policy will not be applied to this in ip_wput,
431 			 * we attach a IPSEC_IN mp and clear ipsec_in_secure.
432 			 */
433 			ASSERT(first_mp == mp);
434 			first_mp = ipsec_in_alloc(B_FALSE, ipst->ips_netstack);
435 			if (first_mp == NULL) {
436 				BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
437 				freemsg(mp);
438 				return;
439 			}
440 			ii = (ipsec_in_t *)first_mp->b_rptr;
441 
442 			/* This is not a secure packet */
443 			ii->ipsec_in_secure = B_FALSE;
444 			first_mp->b_cont = mp;
445 		}
446 		ii->ipsec_in_zoneid = zoneid;
447 		ASSERT(zoneid != ALL_ZONES);
448 		if (!ipsec_in_to_out(first_mp, NULL, ip6h)) {
449 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
450 			return;
451 		}
452 		put(WR(q), first_mp);
453 		return;
454 
455 	case ICMP6_ECHO_REPLY:
456 		BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInEchoReplies);
457 		break;
458 
459 	case ND_ROUTER_SOLICIT:
460 		BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInRouterSolicits);
461 		break;
462 
463 	case ND_ROUTER_ADVERT:
464 		BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInRouterAdvertisements);
465 		break;
466 
467 	case ND_NEIGHBOR_SOLICIT:
468 		BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInNeighborSolicits);
469 		if (mctl_present)
470 			freeb(first_mp);
471 		/* XXX may wish to pass first_mp up to ndp_input someday. */
472 		ndp_input(inill, mp, dl_mp);
473 		return;
474 
475 	case ND_NEIGHBOR_ADVERT:
476 		BUMP_MIB(ill->ill_icmp6_mib,
477 		    ipv6IfIcmpInNeighborAdvertisements);
478 		if (mctl_present)
479 			freeb(first_mp);
480 		/* XXX may wish to pass first_mp up to ndp_input someday. */
481 		ndp_input(inill, mp, dl_mp);
482 		return;
483 
484 	case ND_REDIRECT: {
485 		BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInRedirects);
486 
487 		if (ipst->ips_ipv6_ignore_redirect)
488 			break;
489 
490 		/*
491 		 * As there is no upper client to deliver, we don't
492 		 * need the first_mp any more.
493 		 */
494 		if (mctl_present)
495 			freeb(first_mp);
496 		if (!pullupmsg(mp, -1)) {
497 			BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInBadRedirects);
498 			break;
499 		}
500 		icmp_redirect_v6(q, mp, ill);
501 		return;
502 	}
503 
504 	/*
505 	 * The next three icmp messages will be handled by MLD.
506 	 * Pass all valid MLD packets up to any process(es)
507 	 * listening on a raw ICMP socket. MLD messages are
508 	 * freed by mld_input function.
509 	 */
510 	case MLD_LISTENER_QUERY:
511 	case MLD_LISTENER_REPORT:
512 	case MLD_LISTENER_REDUCTION:
513 		if (mctl_present)
514 			freeb(first_mp);
515 		mld_input(q, mp, ill);
516 		return;
517 	default:
518 		break;
519 	}
520 	if (interested) {
521 		icmp_inbound_error_fanout_v6(q, first_mp, ip6h, icmp6, ill,
522 		    inill, mctl_present, zoneid);
523 	} else {
524 		freemsg(first_mp);
525 	}
526 }
527 
528 /*
529  * Process received IPv6 ICMP Packet too big.
530  * After updating any IRE it does the fanout to any matching transport streams.
531  * Assumes the IPv6 plus ICMPv6 headers have been pulled up but nothing else.
532  */
533 /* ARGSUSED */
534 static void
535 icmp_inbound_too_big_v6(queue_t *q, mblk_t *mp, ill_t *ill, ill_t *inill,
536     boolean_t mctl_present, zoneid_t zoneid)
537 {
538 	ip6_t		*ip6h;
539 	ip6_t		*inner_ip6h;
540 	icmp6_t		*icmp6;
541 	uint16_t	hdr_length;
542 	uint32_t	mtu;
543 	ire_t		*ire, *first_ire;
544 	mblk_t		*first_mp;
545 	ip_stack_t	*ipst = ill->ill_ipst;
546 
547 	first_mp = mp;
548 	if (mctl_present)
549 		mp = first_mp->b_cont;
550 	/*
551 	 * We must have exclusive use of the mblk to update the MTU
552 	 * in the packet.
553 	 * If not, we copy it.
554 	 *
555 	 * If there's an M_CTL present, we know that allocated first_mp
556 	 * earlier in this function, so we know first_mp has refcnt of one.
557 	 */
558 	ASSERT(!mctl_present || first_mp->b_datap->db_ref == 1);
559 	if (mp->b_datap->db_ref > 1) {
560 		mblk_t	*mp1;
561 
562 		mp1 = copymsg(mp);
563 		freemsg(mp);
564 		if (mp1 == NULL) {
565 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
566 			if (mctl_present)
567 				freeb(first_mp);
568 			return;
569 		}
570 		mp = mp1;
571 		if (mctl_present)
572 			first_mp->b_cont = mp;
573 		else
574 			first_mp = mp;
575 	}
576 	ip6h = (ip6_t *)mp->b_rptr;
577 	if (ip6h->ip6_nxt != IPPROTO_ICMPV6)
578 		hdr_length = ip_hdr_length_v6(mp, ip6h);
579 	else
580 		hdr_length = IPV6_HDR_LEN;
581 
582 	icmp6 = (icmp6_t *)(&mp->b_rptr[hdr_length]);
583 	ASSERT((size_t)(mp->b_wptr - mp->b_rptr) >= hdr_length + ICMP6_MINLEN);
584 	inner_ip6h = (ip6_t *)&icmp6[1];	/* Packet in error */
585 	if ((uchar_t *)&inner_ip6h[1] > mp->b_wptr) {
586 		if (!pullupmsg(mp, (uchar_t *)&inner_ip6h[1] - mp->b_rptr)) {
587 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
588 			freemsg(first_mp);
589 			return;
590 		}
591 		ip6h = (ip6_t *)mp->b_rptr;
592 		icmp6 = (icmp6_t *)&mp->b_rptr[hdr_length];
593 		inner_ip6h = (ip6_t *)&icmp6[1];
594 	}
595 
596 	/*
597 	 * For link local destinations matching simply on IRE type is not
598 	 * sufficient. Same link local addresses for different ILL's is
599 	 * possible.
600 	 */
601 	if (IN6_IS_ADDR_LINKLOCAL(&inner_ip6h->ip6_dst)) {
602 		first_ire = ire_ctable_lookup_v6(&inner_ip6h->ip6_dst, NULL,
603 		    IRE_CACHE, ill->ill_ipif, ALL_ZONES, NULL,
604 		    MATCH_IRE_TYPE | MATCH_IRE_ILL, ipst);
605 
606 		if (first_ire == NULL) {
607 			if (ip_debug > 2) {
608 				/* ip1dbg */
609 				pr_addr_dbg("icmp_inbound_too_big_v6:"
610 				    "no ire for dst %s\n", AF_INET6,
611 				    &inner_ip6h->ip6_dst);
612 			}
613 			freemsg(first_mp);
614 			return;
615 		}
616 
617 		mtu = ntohl(icmp6->icmp6_mtu);
618 		rw_enter(&first_ire->ire_bucket->irb_lock, RW_READER);
619 		for (ire = first_ire; ire != NULL &&
620 		    IN6_ARE_ADDR_EQUAL(&ire->ire_addr_v6, &inner_ip6h->ip6_dst);
621 		    ire = ire->ire_next) {
622 			mutex_enter(&ire->ire_lock);
623 			if (mtu < IPV6_MIN_MTU) {
624 				ip1dbg(("Received mtu less than IPv6 "
625 				    "min mtu %d: %d\n", IPV6_MIN_MTU, mtu));
626 				mtu = IPV6_MIN_MTU;
627 				/*
628 				 * If an mtu less than IPv6 min mtu is received,
629 				 * we must include a fragment header in
630 				 * subsequent packets.
631 				 */
632 				ire->ire_frag_flag |= IPH_FRAG_HDR;
633 			}
634 			ip1dbg(("Received mtu from router: %d\n", mtu));
635 			ire->ire_max_frag = MIN(ire->ire_max_frag, mtu);
636 			/* Record the new max frag size for the ULP. */
637 			if (ire->ire_frag_flag & IPH_FRAG_HDR) {
638 				/*
639 				 * If we need a fragment header in every packet
640 				 * (above case or multirouting), make sure the
641 				 * ULP takes it into account when computing the
642 				 * payload size.
643 				 */
644 				icmp6->icmp6_mtu = htonl(ire->ire_max_frag -
645 				    sizeof (ip6_frag_t));
646 			} else {
647 				icmp6->icmp6_mtu = htonl(ire->ire_max_frag);
648 			}
649 			mutex_exit(&ire->ire_lock);
650 		}
651 		rw_exit(&first_ire->ire_bucket->irb_lock);
652 		ire_refrele(first_ire);
653 	} else {
654 		irb_t	*irb = NULL;
655 		/*
656 		 * for non-link local destinations we match only on the IRE type
657 		 */
658 		ire = ire_ctable_lookup_v6(&inner_ip6h->ip6_dst, NULL,
659 		    IRE_CACHE, ill->ill_ipif, ALL_ZONES, NULL, MATCH_IRE_TYPE,
660 		    ipst);
661 		if (ire == NULL) {
662 			if (ip_debug > 2) {
663 				/* ip1dbg */
664 				pr_addr_dbg("icmp_inbound_too_big_v6:"
665 				    "no ire for dst %s\n",
666 				    AF_INET6, &inner_ip6h->ip6_dst);
667 			}
668 			freemsg(first_mp);
669 			return;
670 		}
671 		irb = ire->ire_bucket;
672 		ire_refrele(ire);
673 		rw_enter(&irb->irb_lock, RW_READER);
674 		for (ire = irb->irb_ire; ire != NULL; ire = ire->ire_next) {
675 			if (IN6_ARE_ADDR_EQUAL(&ire->ire_addr_v6,
676 			    &inner_ip6h->ip6_dst)) {
677 				mtu = ntohl(icmp6->icmp6_mtu);
678 				mutex_enter(&ire->ire_lock);
679 				if (mtu < IPV6_MIN_MTU) {
680 					ip1dbg(("Received mtu less than IPv6"
681 					    "min mtu %d: %d\n",
682 					    IPV6_MIN_MTU, mtu));
683 					mtu = IPV6_MIN_MTU;
684 					/*
685 					 * If an mtu less than IPv6 min mtu is
686 					 * received, we must include a fragment
687 					 * header in subsequent packets.
688 					 */
689 					ire->ire_frag_flag |= IPH_FRAG_HDR;
690 				}
691 
692 				ip1dbg(("Received mtu from router: %d\n", mtu));
693 				ire->ire_max_frag = MIN(ire->ire_max_frag, mtu);
694 				/* Record the new max frag size for the ULP. */
695 				if (ire->ire_frag_flag & IPH_FRAG_HDR) {
696 					/*
697 					 * If we need a fragment header in
698 					 * every packet (above case or
699 					 * multirouting), make sure the ULP
700 					 * takes it into account when computing
701 					 * the payload size.
702 					 */
703 					icmp6->icmp6_mtu =
704 					    htonl(ire->ire_max_frag -
705 					    sizeof (ip6_frag_t));
706 				} else {
707 					icmp6->icmp6_mtu =
708 					    htonl(ire->ire_max_frag);
709 				}
710 				mutex_exit(&ire->ire_lock);
711 			}
712 		}
713 		rw_exit(&irb->irb_lock);
714 	}
715 	icmp_inbound_error_fanout_v6(q, first_mp, ip6h, icmp6, ill, inill,
716 	    mctl_present, zoneid);
717 }
718 
719 /*
720  * Fanout received ICMPv6 error packets to the transports.
721  * Assumes the IPv6 plus ICMPv6 headers have been pulled up but nothing else.
722  */
723 void
724 icmp_inbound_error_fanout_v6(queue_t *q, mblk_t *mp, ip6_t *ip6h,
725     icmp6_t *icmp6, ill_t *ill, ill_t *inill, boolean_t mctl_present,
726     zoneid_t zoneid)
727 {
728 	uint16_t *up;	/* Pointer to ports in ULP header */
729 	uint32_t ports;	/* reversed ports for fanout */
730 	ip6_t rip6h;	/* With reversed addresses */
731 	uint16_t	hdr_length;
732 	uint8_t		*nexthdrp;
733 	uint8_t		nexthdr;
734 	mblk_t *first_mp;
735 	ipsec_in_t *ii;
736 	tcpha_t	*tcpha;
737 	conn_t	*connp;
738 	ip_stack_t	*ipst = ill->ill_ipst;
739 
740 	first_mp = mp;
741 	if (mctl_present) {
742 		mp = first_mp->b_cont;
743 		ASSERT(mp != NULL);
744 
745 		ii = (ipsec_in_t *)first_mp->b_rptr;
746 		ASSERT(ii->ipsec_in_type == IPSEC_IN);
747 	} else {
748 		ii = NULL;
749 	}
750 
751 	hdr_length = (uint16_t)((uchar_t *)icmp6 - (uchar_t *)ip6h);
752 	ASSERT((size_t)(mp->b_wptr - (uchar_t *)icmp6) >= ICMP6_MINLEN);
753 
754 	/*
755 	 * Need to pullup everything in order to use
756 	 * ip_hdr_length_nexthdr_v6()
757 	 */
758 	if (mp->b_cont != NULL) {
759 		if (!pullupmsg(mp, -1)) {
760 			ip1dbg(("icmp_inbound_error_fanout_v6: "
761 			    "pullupmsg failed\n"));
762 			goto drop_pkt;
763 		}
764 		ip6h = (ip6_t *)mp->b_rptr;
765 		icmp6 = (icmp6_t *)(&mp->b_rptr[hdr_length]);
766 	}
767 
768 	ip6h = (ip6_t *)&icmp6[1];	/* Packet in error */
769 	if ((uchar_t *)&ip6h[1] > mp->b_wptr)
770 		goto drop_pkt;
771 
772 	if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &hdr_length, &nexthdrp))
773 		goto drop_pkt;
774 	nexthdr = *nexthdrp;
775 
776 	/* Set message type, must be done after pullups */
777 	mp->b_datap->db_type = M_CTL;
778 
779 	/* Try to pass the ICMP message to clients who need it */
780 	switch (nexthdr) {
781 	case IPPROTO_UDP: {
782 		/*
783 		 * Verify we have at least ICMP_MIN_TP_HDR_LEN bytes of
784 		 * UDP header to get the port information.
785 		 */
786 		if ((uchar_t *)ip6h + hdr_length + ICMP_MIN_TP_HDR_LEN >
787 		    mp->b_wptr) {
788 			break;
789 		}
790 		/*
791 		 * Attempt to find a client stream based on port.
792 		 * Note that we do a reverse lookup since the header is
793 		 * in the form we sent it out.
794 		 * The rip6h header is only used for the IPCL_UDP_MATCH_V6
795 		 * and we only set the src and dst addresses and nexthdr.
796 		 */
797 		up = (uint16_t *)((uchar_t *)ip6h + hdr_length);
798 		rip6h.ip6_src = ip6h->ip6_dst;
799 		rip6h.ip6_dst = ip6h->ip6_src;
800 		rip6h.ip6_nxt = nexthdr;
801 		((uint16_t *)&ports)[0] = up[1];
802 		((uint16_t *)&ports)[1] = up[0];
803 
804 		ip_fanout_udp_v6(q, first_mp, &rip6h, ports, ill, inill,
805 		    IP6_NO_IPPOLICY, mctl_present, zoneid);
806 		return;
807 	}
808 	case IPPROTO_TCP: {
809 		/*
810 		 * Verify we have at least ICMP_MIN_TP_HDR_LEN bytes of
811 		 * the TCP header to get the port information.
812 		 */
813 		if ((uchar_t *)ip6h + hdr_length + ICMP_MIN_TP_HDR_LEN >
814 		    mp->b_wptr) {
815 			break;
816 		}
817 
818 		/*
819 		 * Attempt to find a client stream based on port.
820 		 * Note that we do a reverse lookup since the header is
821 		 * in the form we sent it out.
822 		 * The rip6h header is only used for the IP_TCP_*MATCH_V6 and
823 		 * we only set the src and dst addresses and nexthdr.
824 		 */
825 
826 		tcpha = (tcpha_t *)((char *)ip6h + hdr_length);
827 		connp = ipcl_tcp_lookup_reversed_ipv6(ip6h, tcpha,
828 		    TCPS_LISTEN, ill->ill_phyint->phyint_ifindex, ipst);
829 		if (connp == NULL) {
830 			goto drop_pkt;
831 		}
832 
833 		SQUEUE_ENTER_ONE(connp->conn_sqp, first_mp, tcp_input, connp,
834 		    SQ_FILL, SQTAG_TCP6_INPUT_ICMP_ERR);
835 		return;
836 
837 	}
838 	case IPPROTO_SCTP:
839 		/*
840 		 * Verify we have at least ICMP_MIN_TP_HDR_LEN bytes of
841 		 * the SCTP header to get the port information.
842 		 */
843 		if ((uchar_t *)ip6h + hdr_length + ICMP_MIN_TP_HDR_LEN >
844 		    mp->b_wptr) {
845 			break;
846 		}
847 
848 		up = (uint16_t *)((uchar_t *)ip6h + hdr_length);
849 		((uint16_t *)&ports)[0] = up[1];
850 		((uint16_t *)&ports)[1] = up[0];
851 		ip_fanout_sctp(first_mp, inill, (ipha_t *)ip6h, ports, 0,
852 		    mctl_present, IP6_NO_IPPOLICY, zoneid);
853 		return;
854 	case IPPROTO_ESP:
855 	case IPPROTO_AH: {
856 		int ipsec_rc;
857 		ipsec_stack_t *ipss = ipst->ips_netstack->netstack_ipsec;
858 
859 		/*
860 		 * We need a IPSEC_IN in the front to fanout to AH/ESP.
861 		 * We will re-use the IPSEC_IN if it is already present as
862 		 * AH/ESP will not affect any fields in the IPSEC_IN for
863 		 * ICMP errors. If there is no IPSEC_IN, allocate a new
864 		 * one and attach it in the front.
865 		 */
866 		if (ii != NULL) {
867 			/*
868 			 * ip_fanout_proto_again converts the ICMP errors
869 			 * that come back from AH/ESP to M_DATA so that
870 			 * if it is non-AH/ESP and we do a pullupmsg in
871 			 * this function, it would work. Convert it back
872 			 * to M_CTL before we send up as this is a ICMP
873 			 * error. This could have been generated locally or
874 			 * by some router. Validate the inner IPSEC
875 			 * headers.
876 			 *
877 			 * NOTE : ill_index is used by ip_fanout_proto_again
878 			 * to locate the ill.
879 			 */
880 			ASSERT(ill != NULL);
881 			ii->ipsec_in_ill_index =
882 			    ill->ill_phyint->phyint_ifindex;
883 			ii->ipsec_in_rill_index =
884 			    inill->ill_phyint->phyint_ifindex;
885 			first_mp->b_cont->b_datap->db_type = M_CTL;
886 		} else {
887 			/*
888 			 * IPSEC_IN is not present. We attach a ipsec_in
889 			 * message and send up to IPSEC for validating
890 			 * and removing the IPSEC headers. Clear
891 			 * ipsec_in_secure so that when we return
892 			 * from IPSEC, we don't mistakenly think that this
893 			 * is a secure packet came from the network.
894 			 *
895 			 * NOTE : ill_index is used by ip_fanout_proto_again
896 			 * to locate the ill.
897 			 */
898 			ASSERT(first_mp == mp);
899 			first_mp = ipsec_in_alloc(B_FALSE, ipst->ips_netstack);
900 			ASSERT(ill != NULL);
901 			if (first_mp == NULL) {
902 				freemsg(mp);
903 				BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
904 				return;
905 			}
906 			ii = (ipsec_in_t *)first_mp->b_rptr;
907 
908 			/* This is not a secure packet */
909 			ii->ipsec_in_secure = B_FALSE;
910 			first_mp->b_cont = mp;
911 			mp->b_datap->db_type = M_CTL;
912 			ii->ipsec_in_ill_index =
913 			    ill->ill_phyint->phyint_ifindex;
914 			ii->ipsec_in_rill_index =
915 			    inill->ill_phyint->phyint_ifindex;
916 		}
917 
918 		if (!ipsec_loaded(ipss)) {
919 			ip_proto_not_sup(q, first_mp, 0, zoneid, ipst);
920 			return;
921 		}
922 
923 		if (nexthdr == IPPROTO_ESP)
924 			ipsec_rc = ipsecesp_icmp_error(first_mp);
925 		else
926 			ipsec_rc = ipsecah_icmp_error(first_mp);
927 		if (ipsec_rc == IPSEC_STATUS_FAILED)
928 			return;
929 
930 		ip_fanout_proto_again(first_mp, ill, inill, NULL);
931 		return;
932 	}
933 	case IPPROTO_ENCAP:
934 	case IPPROTO_IPV6:
935 		if ((uint8_t *)ip6h + hdr_length +
936 		    (nexthdr == IPPROTO_ENCAP ? sizeof (ipha_t) :
937 		    sizeof (ip6_t)) > mp->b_wptr) {
938 			goto drop_pkt;
939 		}
940 
941 		if (nexthdr == IPPROTO_ENCAP ||
942 		    !IN6_ARE_ADDR_EQUAL(
943 		    &((ip6_t *)(((uint8_t *)ip6h) + hdr_length))->ip6_src,
944 		    &ip6h->ip6_src) ||
945 		    !IN6_ARE_ADDR_EQUAL(
946 		    &((ip6_t *)(((uint8_t *)ip6h) + hdr_length))->ip6_dst,
947 		    &ip6h->ip6_dst)) {
948 			/*
949 			 * For tunnels that have used IPsec protection,
950 			 * we need to adjust the MTU to take into account
951 			 * the IPsec overhead.
952 			 */
953 			if (ii != NULL)
954 				icmp6->icmp6_mtu = htonl(
955 				    ntohl(icmp6->icmp6_mtu) -
956 				    ipsec_in_extra_length(first_mp));
957 		} else {
958 			/*
959 			 * Self-encapsulated case. As in the ipv4 case,
960 			 * we need to strip the 2nd IP header. Since mp
961 			 * is already pulled-up, we can simply bcopy
962 			 * the 3rd header + data over the 2nd header.
963 			 */
964 			uint16_t unused_len;
965 			ip6_t *inner_ip6h = (ip6_t *)
966 			    ((uchar_t *)ip6h + hdr_length);
967 
968 			/*
969 			 * Make sure we don't do recursion more than once.
970 			 */
971 			if (!ip_hdr_length_nexthdr_v6(mp, inner_ip6h,
972 			    &unused_len, &nexthdrp) ||
973 			    *nexthdrp == IPPROTO_IPV6) {
974 				goto drop_pkt;
975 			}
976 
977 			/*
978 			 * We are about to modify the packet. Make a copy if
979 			 * someone else has a reference to it.
980 			 */
981 			if (DB_REF(mp) > 1) {
982 				mblk_t	*mp1;
983 				uint16_t icmp6_offset;
984 
985 				mp1 = copymsg(mp);
986 				if (mp1 == NULL) {
987 					goto drop_pkt;
988 				}
989 				icmp6_offset = (uint16_t)
990 				    ((uchar_t *)icmp6 - mp->b_rptr);
991 				freemsg(mp);
992 				mp = mp1;
993 
994 				icmp6 = (icmp6_t *)(mp->b_rptr + icmp6_offset);
995 				ip6h = (ip6_t *)&icmp6[1];
996 				inner_ip6h = (ip6_t *)
997 				    ((uchar_t *)ip6h + hdr_length);
998 
999 				if (mctl_present)
1000 					first_mp->b_cont = mp;
1001 				else
1002 					first_mp = mp;
1003 			}
1004 
1005 			/*
1006 			 * Need to set db_type back to M_DATA before
1007 			 * refeeding mp into this function.
1008 			 */
1009 			DB_TYPE(mp) = M_DATA;
1010 
1011 			/*
1012 			 * Copy the 3rd header + remaining data on top
1013 			 * of the 2nd header.
1014 			 */
1015 			bcopy(inner_ip6h, ip6h,
1016 			    mp->b_wptr - (uchar_t *)inner_ip6h);
1017 
1018 			/*
1019 			 * Subtract length of the 2nd header.
1020 			 */
1021 			mp->b_wptr -= hdr_length;
1022 
1023 			/*
1024 			 * Now recurse, and see what I _really_ should be
1025 			 * doing here.
1026 			 */
1027 			icmp_inbound_error_fanout_v6(q, first_mp,
1028 			    (ip6_t *)mp->b_rptr, icmp6, ill, inill,
1029 			    mctl_present, zoneid);
1030 			return;
1031 		}
1032 		/* FALLTHRU */
1033 	default:
1034 		/*
1035 		 * The rip6h header is only used for the lookup and we
1036 		 * only set the src and dst addresses and nexthdr.
1037 		 */
1038 		rip6h.ip6_src = ip6h->ip6_dst;
1039 		rip6h.ip6_dst = ip6h->ip6_src;
1040 		rip6h.ip6_nxt = nexthdr;
1041 		ip_fanout_proto_v6(q, first_mp, &rip6h, ill, inill, nexthdr, 0,
1042 		    IP6_NO_IPPOLICY, mctl_present, zoneid);
1043 		return;
1044 	}
1045 	/* NOTREACHED */
1046 drop_pkt:
1047 	BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInErrors);
1048 	ip1dbg(("icmp_inbound_error_fanout_v6: drop pkt\n"));
1049 	freemsg(first_mp);
1050 }
1051 
1052 /*
1053  * Process received IPv6 ICMP Redirect messages.
1054  */
1055 /* ARGSUSED */
1056 static void
1057 icmp_redirect_v6(queue_t *q, mblk_t *mp, ill_t *ill)
1058 {
1059 	ip6_t		*ip6h;
1060 	uint16_t	hdr_length;
1061 	nd_redirect_t	*rd;
1062 	ire_t		*ire;
1063 	ire_t		*prev_ire;
1064 	ire_t		*redir_ire;
1065 	in6_addr_t	*src, *dst, *gateway;
1066 	nd_opt_hdr_t	*opt;
1067 	nce_t		*nce;
1068 	int		nce_flags = 0;
1069 	int		err = 0;
1070 	boolean_t	redirect_to_router = B_FALSE;
1071 	int		len;
1072 	int		optlen;
1073 	iulp_t		ulp_info = { 0 };
1074 	ill_t		*prev_ire_ill;
1075 	ipif_t		*ipif;
1076 	ip_stack_t	*ipst = ill->ill_ipst;
1077 
1078 	ip6h = (ip6_t *)mp->b_rptr;
1079 	if (ip6h->ip6_nxt != IPPROTO_ICMPV6)
1080 		hdr_length = ip_hdr_length_v6(mp, ip6h);
1081 	else
1082 		hdr_length = IPV6_HDR_LEN;
1083 
1084 	rd = (nd_redirect_t *)&mp->b_rptr[hdr_length];
1085 	len = mp->b_wptr - mp->b_rptr -  hdr_length;
1086 	src = &ip6h->ip6_src;
1087 	dst = &rd->nd_rd_dst;
1088 	gateway = &rd->nd_rd_target;
1089 
1090 	/* Verify if it is a valid redirect */
1091 	if (!IN6_IS_ADDR_LINKLOCAL(src) ||
1092 	    (ip6h->ip6_hops != IPV6_MAX_HOPS) ||
1093 	    (rd->nd_rd_code != 0) ||
1094 	    (len < sizeof (nd_redirect_t)) ||
1095 	    (IN6_IS_ADDR_V4MAPPED(dst)) ||
1096 	    (IN6_IS_ADDR_MULTICAST(dst))) {
1097 		BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInBadRedirects);
1098 		freemsg(mp);
1099 		return;
1100 	}
1101 
1102 	if (!(IN6_IS_ADDR_LINKLOCAL(gateway) ||
1103 	    IN6_ARE_ADDR_EQUAL(gateway, dst))) {
1104 		BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInBadRedirects);
1105 		freemsg(mp);
1106 		return;
1107 	}
1108 
1109 	if (len > sizeof (nd_redirect_t)) {
1110 		if (!ndp_verify_optlen((nd_opt_hdr_t *)&rd[1],
1111 		    len - sizeof (nd_redirect_t))) {
1112 			BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInBadRedirects);
1113 			freemsg(mp);
1114 			return;
1115 		}
1116 	}
1117 
1118 	if (!IN6_ARE_ADDR_EQUAL(gateway, dst)) {
1119 		redirect_to_router = B_TRUE;
1120 		nce_flags |= NCE_F_ISROUTER;
1121 	}
1122 
1123 	/* ipif will be refreleased afterwards */
1124 	ipif = ipif_get_next_ipif(NULL, ill);
1125 	if (ipif == NULL) {
1126 		freemsg(mp);
1127 		return;
1128 	}
1129 
1130 	/*
1131 	 * Verify that the IP source address of the redirect is
1132 	 * the same as the current first-hop router for the specified
1133 	 * ICMP destination address.
1134 	 * Also, Make sure we had a route for the dest in question and
1135 	 * that route was pointing to the old gateway (the source of the
1136 	 * redirect packet.)
1137 	 */
1138 
1139 	prev_ire = ire_route_lookup_v6(dst, 0, src, 0, ipif, NULL, ALL_ZONES,
1140 	    NULL, MATCH_IRE_GW | MATCH_IRE_ILL | MATCH_IRE_DEFAULT, ipst);
1141 
1142 	/*
1143 	 * Check that
1144 	 *	the redirect was not from ourselves
1145 	 *	old gateway is still directly reachable
1146 	 */
1147 	if (prev_ire == NULL ||
1148 	    prev_ire->ire_type == IRE_LOCAL) {
1149 		BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInBadRedirects);
1150 		ipif_refrele(ipif);
1151 		goto fail_redirect;
1152 	}
1153 	prev_ire_ill = ire_to_ill(prev_ire);
1154 	ASSERT(prev_ire_ill != NULL);
1155 	if (prev_ire_ill->ill_flags & ILLF_NONUD)
1156 		nce_flags |= NCE_F_NONUD;
1157 
1158 	/*
1159 	 * Should we use the old ULP info to create the new gateway?  From
1160 	 * a user's perspective, we should inherit the info so that it
1161 	 * is a "smooth" transition.  If we do not do that, then new
1162 	 * connections going thru the new gateway will have no route metrics,
1163 	 * which is counter-intuitive to user.  From a network point of
1164 	 * view, this may or may not make sense even though the new gateway
1165 	 * is still directly connected to us so the route metrics should not
1166 	 * change much.
1167 	 *
1168 	 * But if the old ire_uinfo is not initialized, we do another
1169 	 * recursive lookup on the dest using the new gateway.  There may
1170 	 * be a route to that.  If so, use it to initialize the redirect
1171 	 * route.
1172 	 */
1173 	if (prev_ire->ire_uinfo.iulp_set) {
1174 		bcopy(&prev_ire->ire_uinfo, &ulp_info, sizeof (iulp_t));
1175 	} else if (redirect_to_router) {
1176 		/*
1177 		 * Only do the following if the redirection is really to
1178 		 * a router.
1179 		 */
1180 		ire_t *tmp_ire;
1181 		ire_t *sire;
1182 
1183 		tmp_ire = ire_ftable_lookup_v6(dst, 0, gateway, 0, NULL, &sire,
1184 		    ALL_ZONES, 0, NULL,
1185 		    (MATCH_IRE_RECURSIVE | MATCH_IRE_GW | MATCH_IRE_DEFAULT),
1186 		    ipst);
1187 		if (sire != NULL) {
1188 			bcopy(&sire->ire_uinfo, &ulp_info, sizeof (iulp_t));
1189 			ASSERT(tmp_ire != NULL);
1190 			ire_refrele(tmp_ire);
1191 			ire_refrele(sire);
1192 		} else if (tmp_ire != NULL) {
1193 			bcopy(&tmp_ire->ire_uinfo, &ulp_info,
1194 			    sizeof (iulp_t));
1195 			ire_refrele(tmp_ire);
1196 		}
1197 	}
1198 
1199 	optlen = mp->b_wptr - mp->b_rptr -  hdr_length - sizeof (nd_redirect_t);
1200 	opt = (nd_opt_hdr_t *)&rd[1];
1201 	opt = ndp_get_option(opt, optlen, ND_OPT_TARGET_LINKADDR);
1202 	if (opt != NULL) {
1203 		err = ndp_lookup_then_add_v6(ill,
1204 		    B_FALSE,			/* don't match across illgrp */
1205 		    (uchar_t *)&opt[1],		/* Link layer address */
1206 		    gateway,
1207 		    &ipv6_all_ones,		/* prefix mask */
1208 		    &ipv6_all_zeros,		/* Mapping mask */
1209 		    0,
1210 		    nce_flags,
1211 		    ND_STALE,
1212 		    &nce);
1213 		switch (err) {
1214 		case 0:
1215 			NCE_REFRELE(nce);
1216 			break;
1217 		case EEXIST:
1218 			/*
1219 			 * Check to see if link layer address has changed and
1220 			 * process the nce_state accordingly.
1221 			 */
1222 			ndp_process(nce, (uchar_t *)&opt[1], 0, B_FALSE);
1223 			NCE_REFRELE(nce);
1224 			break;
1225 		default:
1226 			ip1dbg(("icmp_redirect_v6: NCE create failed %d\n",
1227 			    err));
1228 			ipif_refrele(ipif);
1229 			goto fail_redirect;
1230 		}
1231 	}
1232 	if (redirect_to_router) {
1233 		/* icmp_redirect_ok_v6() must  have already verified this  */
1234 		ASSERT(IN6_IS_ADDR_LINKLOCAL(gateway));
1235 
1236 		/*
1237 		 * Create a Route Association.  This will allow us to remember
1238 		 * a router told us to use the particular gateway.
1239 		 */
1240 		ire = ire_create_v6(
1241 		    dst,
1242 		    &ipv6_all_ones,		/* mask */
1243 		    &prev_ire->ire_src_addr_v6,	/* source addr */
1244 		    gateway,			/* gateway addr */
1245 		    &prev_ire->ire_max_frag,	/* max frag */
1246 		    NULL,			/* no src nce */
1247 		    NULL, 			/* no rfq */
1248 		    NULL,			/* no stq */
1249 		    IRE_HOST,
1250 		    prev_ire->ire_ipif,
1251 		    NULL,
1252 		    0,
1253 		    0,
1254 		    (RTF_DYNAMIC | RTF_GATEWAY | RTF_HOST),
1255 		    &ulp_info,
1256 		    NULL,
1257 		    NULL,
1258 		    ipst);
1259 	} else {
1260 		queue_t *stq;
1261 
1262 		stq = (ipif->ipif_net_type == IRE_IF_RESOLVER)
1263 		    ? ipif->ipif_rq : ipif->ipif_wq;
1264 
1265 		/*
1266 		 * Just create an on link entry, i.e. interface route.
1267 		 */
1268 		ire = ire_create_v6(
1269 		    dst,				/* gateway == dst */
1270 		    &ipv6_all_ones,			/* mask */
1271 		    &prev_ire->ire_src_addr_v6,		/* source addr */
1272 		    &ipv6_all_zeros,			/* gateway addr */
1273 		    &prev_ire->ire_max_frag,		/* max frag */
1274 		    NULL,				/* no src nce */
1275 		    NULL,				/* ire rfq */
1276 		    stq,				/* ire stq */
1277 		    ipif->ipif_net_type,		/* IF_[NO]RESOLVER */
1278 		    prev_ire->ire_ipif,
1279 		    &ipv6_all_ones,
1280 		    0,
1281 		    0,
1282 		    (RTF_DYNAMIC | RTF_HOST),
1283 		    &ulp_info,
1284 		    NULL,
1285 		    NULL,
1286 		    ipst);
1287 	}
1288 
1289 	/* Release reference from earlier ipif_get_next_ipif() */
1290 	ipif_refrele(ipif);
1291 
1292 	if (ire == NULL)
1293 		goto fail_redirect;
1294 
1295 	if (ire_add(&ire, NULL, NULL, NULL, B_FALSE) == 0) {
1296 
1297 		/* tell routing sockets that we received a redirect */
1298 		ip_rts_change_v6(RTM_REDIRECT,
1299 		    &rd->nd_rd_dst,
1300 		    &rd->nd_rd_target,
1301 		    &ipv6_all_ones, 0, &ire->ire_src_addr_v6,
1302 		    (RTF_DYNAMIC | RTF_GATEWAY | RTF_HOST), 0,
1303 		    (RTA_DST | RTA_GATEWAY | RTA_NETMASK | RTA_AUTHOR), ipst);
1304 
1305 		/*
1306 		 * Delete any existing IRE_HOST type ires for this destination.
1307 		 * This together with the added IRE has the effect of
1308 		 * modifying an existing redirect.
1309 		 */
1310 		redir_ire = ire_ftable_lookup_v6(dst, 0, src, IRE_HOST,
1311 		    ire->ire_ipif, NULL, ALL_ZONES, 0, NULL,
1312 		    (MATCH_IRE_GW | MATCH_IRE_TYPE | MATCH_IRE_ILL), ipst);
1313 
1314 		ire_refrele(ire);		/* Held in ire_add_v6 */
1315 
1316 		if (redir_ire != NULL) {
1317 			if (redir_ire->ire_flags & RTF_DYNAMIC)
1318 				ire_delete(redir_ire);
1319 			ire_refrele(redir_ire);
1320 		}
1321 	}
1322 
1323 	if (prev_ire->ire_type == IRE_CACHE)
1324 		ire_delete(prev_ire);
1325 	ire_refrele(prev_ire);
1326 	prev_ire = NULL;
1327 
1328 fail_redirect:
1329 	if (prev_ire != NULL)
1330 		ire_refrele(prev_ire);
1331 	freemsg(mp);
1332 }
1333 
1334 static ill_t *
1335 ip_queue_to_ill_v6(queue_t *q, ip_stack_t *ipst)
1336 {
1337 	ill_t *ill;
1338 
1339 	ASSERT(WR(q) == q);
1340 
1341 	if (q->q_next != NULL) {
1342 		ill = (ill_t *)q->q_ptr;
1343 		if (ILL_CAN_LOOKUP(ill))
1344 			ill_refhold(ill);
1345 		else
1346 			ill = NULL;
1347 	} else {
1348 		ill = ill_lookup_on_name(ipif_loopback_name, B_FALSE, B_TRUE,
1349 		    NULL, NULL, NULL, NULL, NULL, ipst);
1350 	}
1351 	if (ill == NULL)
1352 		ip0dbg(("ip_queue_to_ill_v6: no ill\n"));
1353 	return (ill);
1354 }
1355 
1356 /*
1357  * Assigns an appropriate source address to the packet.
1358  * If origdst is one of our IP addresses that use it as the source.
1359  * If the queue is an ill queue then select a source from that ill.
1360  * Otherwise pick a source based on a route lookup back to the origsrc.
1361  *
1362  * src is the return parameter. Returns a pointer to src or NULL if failure.
1363  */
1364 static in6_addr_t *
1365 icmp_pick_source_v6(queue_t *wq, in6_addr_t *origsrc, in6_addr_t *origdst,
1366     in6_addr_t *src, zoneid_t zoneid, ip_stack_t *ipst)
1367 {
1368 	ill_t	*ill;
1369 	ire_t	*ire;
1370 	ipif_t	*ipif;
1371 
1372 	ASSERT(!(wq->q_flag & QREADR));
1373 	if (wq->q_next != NULL) {
1374 		ill = (ill_t *)wq->q_ptr;
1375 	} else {
1376 		ill = NULL;
1377 	}
1378 
1379 	ire = ire_route_lookup_v6(origdst, 0, 0, (IRE_LOCAL|IRE_LOOPBACK),
1380 	    NULL, NULL, zoneid, NULL, (MATCH_IRE_TYPE|MATCH_IRE_ZONEONLY),
1381 	    ipst);
1382 	if (ire != NULL) {
1383 		/* Destined to one of our addresses */
1384 		*src = *origdst;
1385 		ire_refrele(ire);
1386 		return (src);
1387 	}
1388 	if (ire != NULL) {
1389 		ire_refrele(ire);
1390 		ire = NULL;
1391 	}
1392 	if (ill == NULL) {
1393 		/* What is the route back to the original source? */
1394 		ire = ire_route_lookup_v6(origsrc, 0, 0, 0,
1395 		    NULL, NULL, zoneid, NULL,
1396 		    (MATCH_IRE_DEFAULT|MATCH_IRE_RECURSIVE), ipst);
1397 		if (ire == NULL) {
1398 			BUMP_MIB(&ipst->ips_ip6_mib, ipIfStatsOutNoRoutes);
1399 			return (NULL);
1400 		}
1401 		ASSERT(ire->ire_ipif != NULL);
1402 		ill = ire->ire_ipif->ipif_ill;
1403 		ire_refrele(ire);
1404 	}
1405 	ipif = ipif_select_source_v6(ill, origsrc, B_FALSE,
1406 	    IPV6_PREFER_SRC_DEFAULT, zoneid);
1407 	if (ipif != NULL) {
1408 		*src = ipif->ipif_v6src_addr;
1409 		ipif_refrele(ipif);
1410 		return (src);
1411 	}
1412 	/*
1413 	 * Unusual case - can't find a usable source address to reach the
1414 	 * original source. Use what in the route to the source.
1415 	 */
1416 	ire = ire_route_lookup_v6(origsrc, 0, 0, 0,
1417 	    NULL, NULL, zoneid, NULL,
1418 	    (MATCH_IRE_DEFAULT|MATCH_IRE_RECURSIVE), ipst);
1419 	if (ire == NULL) {
1420 		BUMP_MIB(&ipst->ips_ip6_mib, ipIfStatsOutNoRoutes);
1421 		return (NULL);
1422 	}
1423 	ASSERT(ire != NULL);
1424 	*src = ire->ire_src_addr_v6;
1425 	ire_refrele(ire);
1426 	return (src);
1427 }
1428 
1429 /*
1430  * Build and ship an IPv6 ICMP message using the packet data in mp,
1431  * and the ICMP header pointed to by "stuff".  (May be called as
1432  * writer.)
1433  * Note: assumes that icmp_pkt_err_ok_v6 has been called to
1434  * verify that an icmp error packet can be sent.
1435  *
1436  * If q is an ill write side queue (which is the case when packets
1437  * arrive from ip_rput) then ip_wput code will ensure that packets to
1438  * link-local destinations are sent out that ill.
1439  *
1440  * If v6src_ptr is set use it as a source. Otherwise select a reasonable
1441  * source address (see above function).
1442  */
1443 static void
1444 icmp_pkt_v6(queue_t *q, mblk_t *mp, void *stuff, size_t len,
1445     const in6_addr_t *v6src_ptr, boolean_t mctl_present, zoneid_t zoneid,
1446     ip_stack_t *ipst)
1447 {
1448 	ip6_t		*ip6h;
1449 	in6_addr_t	v6dst;
1450 	size_t		len_needed;
1451 	size_t		msg_len;
1452 	mblk_t		*mp1;
1453 	icmp6_t		*icmp6;
1454 	ill_t		*ill;
1455 	in6_addr_t	v6src;
1456 	mblk_t *ipsec_mp;
1457 	ipsec_out_t *io;
1458 
1459 	ill = ip_queue_to_ill_v6(q, ipst);
1460 	if (ill == NULL) {
1461 		freemsg(mp);
1462 		return;
1463 	}
1464 
1465 	if (mctl_present) {
1466 		/*
1467 		 * If it is :
1468 		 *
1469 		 * 1) a IPSEC_OUT, then this is caused by outbound
1470 		 *    datagram originating on this host. IPSEC processing
1471 		 *    may or may not have been done. Refer to comments above
1472 		 *    icmp_inbound_error_fanout for details.
1473 		 *
1474 		 * 2) a IPSEC_IN if we are generating a icmp_message
1475 		 *    for an incoming datagram destined for us i.e called
1476 		 *    from ip_fanout_send_icmp.
1477 		 */
1478 		ipsec_info_t *in;
1479 
1480 		ipsec_mp = mp;
1481 		mp = ipsec_mp->b_cont;
1482 
1483 		in = (ipsec_info_t *)ipsec_mp->b_rptr;
1484 		ip6h = (ip6_t *)mp->b_rptr;
1485 
1486 		ASSERT(in->ipsec_info_type == IPSEC_OUT ||
1487 		    in->ipsec_info_type == IPSEC_IN);
1488 
1489 		if (in->ipsec_info_type == IPSEC_IN) {
1490 			/*
1491 			 * Convert the IPSEC_IN to IPSEC_OUT.
1492 			 */
1493 			if (!ipsec_in_to_out(ipsec_mp, NULL, ip6h)) {
1494 				BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
1495 				ill_refrele(ill);
1496 				return;
1497 			}
1498 		} else {
1499 			ASSERT(in->ipsec_info_type == IPSEC_OUT);
1500 			io = (ipsec_out_t *)in;
1501 			/*
1502 			 * Clear out ipsec_out_proc_begin, so we do a fresh
1503 			 * ire lookup.
1504 			 */
1505 			io->ipsec_out_proc_begin = B_FALSE;
1506 		}
1507 	} else {
1508 		/*
1509 		 * This is in clear. The icmp message we are building
1510 		 * here should go out in clear.
1511 		 */
1512 		ipsec_in_t *ii;
1513 		ASSERT(mp->b_datap->db_type == M_DATA);
1514 		ipsec_mp = ipsec_in_alloc(B_FALSE, ipst->ips_netstack);
1515 		if (ipsec_mp == NULL) {
1516 			freemsg(mp);
1517 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
1518 			ill_refrele(ill);
1519 			return;
1520 		}
1521 		ii = (ipsec_in_t *)ipsec_mp->b_rptr;
1522 
1523 		/* This is not a secure packet */
1524 		ii->ipsec_in_secure = B_FALSE;
1525 		/*
1526 		 * For trusted extensions using a shared IP address we can
1527 		 * send using any zoneid.
1528 		 */
1529 		if (zoneid == ALL_ZONES)
1530 			ii->ipsec_in_zoneid = GLOBAL_ZONEID;
1531 		else
1532 			ii->ipsec_in_zoneid = zoneid;
1533 		ipsec_mp->b_cont = mp;
1534 		ip6h = (ip6_t *)mp->b_rptr;
1535 		/*
1536 		 * Convert the IPSEC_IN to IPSEC_OUT.
1537 		 */
1538 		if (!ipsec_in_to_out(ipsec_mp, NULL, ip6h)) {
1539 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
1540 			ill_refrele(ill);
1541 			return;
1542 		}
1543 	}
1544 	io = (ipsec_out_t *)ipsec_mp->b_rptr;
1545 
1546 	if (v6src_ptr != NULL) {
1547 		v6src = *v6src_ptr;
1548 	} else {
1549 		if (icmp_pick_source_v6(q, &ip6h->ip6_src, &ip6h->ip6_dst,
1550 		    &v6src, zoneid, ipst) == NULL) {
1551 			freemsg(ipsec_mp);
1552 			ill_refrele(ill);
1553 			return;
1554 		}
1555 	}
1556 	v6dst = ip6h->ip6_src;
1557 	len_needed = ipst->ips_ipv6_icmp_return - IPV6_HDR_LEN - len;
1558 	msg_len = msgdsize(mp);
1559 	if (msg_len > len_needed) {
1560 		if (!adjmsg(mp, len_needed - msg_len)) {
1561 			BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutErrors);
1562 			freemsg(ipsec_mp);
1563 			ill_refrele(ill);
1564 			return;
1565 		}
1566 		msg_len = len_needed;
1567 	}
1568 	mp1 = allocb_cred(IPV6_HDR_LEN + len, DB_CRED(mp));
1569 	if (mp1 == NULL) {
1570 		BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutErrors);
1571 		freemsg(ipsec_mp);
1572 		ill_refrele(ill);
1573 		return;
1574 	}
1575 	ill_refrele(ill);
1576 	mp1->b_cont = mp;
1577 	mp = mp1;
1578 	ASSERT(ipsec_mp->b_datap->db_type == M_CTL &&
1579 	    io->ipsec_out_type == IPSEC_OUT);
1580 	ipsec_mp->b_cont = mp;
1581 
1582 	/*
1583 	 * Set ipsec_out_icmp_loopback so we can let the ICMP messages this
1584 	 * node generates be accepted in peace by all on-host destinations.
1585 	 * If we do NOT assume that all on-host destinations trust
1586 	 * self-generated ICMP messages, then rework here, ip.c, and spd.c.
1587 	 * (Look for ipsec_out_icmp_loopback).
1588 	 */
1589 	io->ipsec_out_icmp_loopback = B_TRUE;
1590 
1591 	ip6h = (ip6_t *)mp->b_rptr;
1592 	mp1->b_wptr = (uchar_t *)ip6h + (IPV6_HDR_LEN + len);
1593 
1594 	ip6h->ip6_vcf = IPV6_DEFAULT_VERS_AND_FLOW;
1595 	ip6h->ip6_nxt = IPPROTO_ICMPV6;
1596 	ip6h->ip6_hops = ipst->ips_ipv6_def_hops;
1597 	ip6h->ip6_dst = v6dst;
1598 	ip6h->ip6_src = v6src;
1599 	msg_len += IPV6_HDR_LEN + len;
1600 	if (msg_len > IP_MAXPACKET + IPV6_HDR_LEN) {
1601 		(void) adjmsg(mp, IP_MAXPACKET + IPV6_HDR_LEN - msg_len);
1602 		msg_len = IP_MAXPACKET + IPV6_HDR_LEN;
1603 	}
1604 	ip6h->ip6_plen = htons((uint16_t)(msgdsize(mp) - IPV6_HDR_LEN));
1605 	icmp6 = (icmp6_t *)&ip6h[1];
1606 	bcopy(stuff, (char *)icmp6, len);
1607 	/*
1608 	 * Prepare for checksum by putting icmp length in the icmp
1609 	 * checksum field. The checksum is calculated in ip_wput_v6.
1610 	 */
1611 	icmp6->icmp6_cksum = ip6h->ip6_plen;
1612 	if (icmp6->icmp6_type == ND_REDIRECT) {
1613 		ip6h->ip6_hops = IPV6_MAX_HOPS;
1614 	}
1615 	/* Send to V6 writeside put routine */
1616 	put(q, ipsec_mp);
1617 }
1618 
1619 /*
1620  * Update the output mib when ICMPv6 packets are sent.
1621  */
1622 static void
1623 icmp_update_out_mib_v6(ill_t *ill, icmp6_t *icmp6)
1624 {
1625 	BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutMsgs);
1626 
1627 	switch (icmp6->icmp6_type) {
1628 	case ICMP6_DST_UNREACH:
1629 		BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutDestUnreachs);
1630 		if (icmp6->icmp6_code == ICMP6_DST_UNREACH_ADMIN)
1631 			BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutAdminProhibs);
1632 		break;
1633 
1634 	case ICMP6_TIME_EXCEEDED:
1635 		BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutTimeExcds);
1636 		break;
1637 
1638 	case ICMP6_PARAM_PROB:
1639 		BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutParmProblems);
1640 		break;
1641 
1642 	case ICMP6_PACKET_TOO_BIG:
1643 		BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutPktTooBigs);
1644 		break;
1645 
1646 	case ICMP6_ECHO_REQUEST:
1647 		BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutEchos);
1648 		break;
1649 
1650 	case ICMP6_ECHO_REPLY:
1651 		BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutEchoReplies);
1652 		break;
1653 
1654 	case ND_ROUTER_SOLICIT:
1655 		BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutRouterSolicits);
1656 		break;
1657 
1658 	case ND_ROUTER_ADVERT:
1659 		BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutRouterAdvertisements);
1660 		break;
1661 
1662 	case ND_NEIGHBOR_SOLICIT:
1663 		BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutNeighborSolicits);
1664 		break;
1665 
1666 	case ND_NEIGHBOR_ADVERT:
1667 		BUMP_MIB(ill->ill_icmp6_mib,
1668 		    ipv6IfIcmpOutNeighborAdvertisements);
1669 		break;
1670 
1671 	case ND_REDIRECT:
1672 		BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutRedirects);
1673 		break;
1674 
1675 	case MLD_LISTENER_QUERY:
1676 		BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutGroupMembQueries);
1677 		break;
1678 
1679 	case MLD_LISTENER_REPORT:
1680 	case MLD_V2_LISTENER_REPORT:
1681 		BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutGroupMembResponses);
1682 		break;
1683 
1684 	case MLD_LISTENER_REDUCTION:
1685 		BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutGroupMembReductions);
1686 		break;
1687 	}
1688 }
1689 
1690 /*
1691  * Check if it is ok to send an ICMPv6 error packet in
1692  * response to the IP packet in mp.
1693  * Free the message and return null if no
1694  * ICMP error packet should be sent.
1695  */
1696 static mblk_t *
1697 icmp_pkt_err_ok_v6(queue_t *q, mblk_t *mp,
1698     boolean_t llbcast, boolean_t mcast_ok, ip_stack_t *ipst)
1699 {
1700 	ip6_t	*ip6h;
1701 
1702 	if (!mp)
1703 		return (NULL);
1704 
1705 	ip6h = (ip6_t *)mp->b_rptr;
1706 
1707 	/* Check if source address uniquely identifies the host */
1708 
1709 	if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_src) ||
1710 	    IN6_IS_ADDR_V4MAPPED(&ip6h->ip6_src) ||
1711 	    IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src)) {
1712 		freemsg(mp);
1713 		return (NULL);
1714 	}
1715 
1716 	if (ip6h->ip6_nxt == IPPROTO_ICMPV6) {
1717 		size_t	len_needed = IPV6_HDR_LEN + ICMP6_MINLEN;
1718 		icmp6_t		*icmp6;
1719 
1720 		if (mp->b_wptr - mp->b_rptr < len_needed) {
1721 			if (!pullupmsg(mp, len_needed)) {
1722 				ill_t	*ill;
1723 
1724 				ill = ip_queue_to_ill_v6(q, ipst);
1725 				if (ill == NULL) {
1726 					BUMP_MIB(&ipst->ips_icmp6_mib,
1727 					    ipv6IfIcmpInErrors);
1728 				} else {
1729 					BUMP_MIB(ill->ill_icmp6_mib,
1730 					    ipv6IfIcmpInErrors);
1731 					ill_refrele(ill);
1732 				}
1733 				freemsg(mp);
1734 				return (NULL);
1735 			}
1736 			ip6h = (ip6_t *)mp->b_rptr;
1737 		}
1738 		icmp6 = (icmp6_t *)&ip6h[1];
1739 		/* Explicitly do not generate errors in response to redirects */
1740 		if (ICMP6_IS_ERROR(icmp6->icmp6_type) ||
1741 		    icmp6->icmp6_type == ND_REDIRECT) {
1742 			freemsg(mp);
1743 			return (NULL);
1744 		}
1745 	}
1746 	/*
1747 	 * Check that the destination is not multicast and that the packet
1748 	 * was not sent on link layer broadcast or multicast.  (Exception
1749 	 * is Packet too big message as per the draft - when mcast_ok is set.)
1750 	 */
1751 	if (!mcast_ok &&
1752 	    (llbcast || IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst))) {
1753 		freemsg(mp);
1754 		return (NULL);
1755 	}
1756 	if (icmp_err_rate_limit(ipst)) {
1757 		/*
1758 		 * Only send ICMP error packets every so often.
1759 		 * This should be done on a per port/source basis,
1760 		 * but for now this will suffice.
1761 		 */
1762 		freemsg(mp);
1763 		return (NULL);
1764 	}
1765 	return (mp);
1766 }
1767 
1768 /*
1769  * Generate an ICMPv6 redirect message.
1770  * Include target link layer address option if it exits.
1771  * Always include redirect header.
1772  */
1773 static void
1774 icmp_send_redirect_v6(queue_t *q, mblk_t *mp, in6_addr_t *targetp,
1775     in6_addr_t *dest, ill_t *ill, boolean_t llbcast)
1776 {
1777 	nd_redirect_t	*rd;
1778 	nd_opt_rd_hdr_t	*rdh;
1779 	uchar_t		*buf;
1780 	nce_t		*nce = NULL;
1781 	nd_opt_hdr_t	*opt;
1782 	int		len;
1783 	int		ll_opt_len = 0;
1784 	int		max_redir_hdr_data_len;
1785 	int		pkt_len;
1786 	in6_addr_t	*srcp;
1787 	ip_stack_t	*ipst = ill->ill_ipst;
1788 
1789 	/*
1790 	 * We are called from ip_rput where we could
1791 	 * not have attached an IPSEC_IN.
1792 	 */
1793 	ASSERT(mp->b_datap->db_type == M_DATA);
1794 
1795 	mp = icmp_pkt_err_ok_v6(q, mp, llbcast, B_FALSE, ipst);
1796 	if (mp == NULL)
1797 		return;
1798 	nce = ndp_lookup_v6(ill, B_TRUE, targetp, B_FALSE);
1799 	if (nce != NULL && nce->nce_state != ND_INCOMPLETE) {
1800 		ll_opt_len = (sizeof (nd_opt_hdr_t) +
1801 		    ill->ill_phys_addr_length + 7)/8 * 8;
1802 	}
1803 	len = sizeof (nd_redirect_t) + sizeof (nd_opt_rd_hdr_t) + ll_opt_len;
1804 	ASSERT(len % 4 == 0);
1805 	buf = kmem_alloc(len, KM_NOSLEEP);
1806 	if (buf == NULL) {
1807 		if (nce != NULL)
1808 			NCE_REFRELE(nce);
1809 		freemsg(mp);
1810 		return;
1811 	}
1812 
1813 	rd = (nd_redirect_t *)buf;
1814 	rd->nd_rd_type = (uint8_t)ND_REDIRECT;
1815 	rd->nd_rd_code = 0;
1816 	rd->nd_rd_reserved = 0;
1817 	rd->nd_rd_target = *targetp;
1818 	rd->nd_rd_dst = *dest;
1819 
1820 	opt = (nd_opt_hdr_t *)(buf + sizeof (nd_redirect_t));
1821 	if (nce != NULL && ll_opt_len != 0) {
1822 		opt->nd_opt_type = ND_OPT_TARGET_LINKADDR;
1823 		opt->nd_opt_len = ll_opt_len/8;
1824 		bcopy((char *)nce->nce_res_mp->b_rptr +
1825 		    NCE_LL_ADDR_OFFSET(ill), &opt[1],
1826 		    ill->ill_phys_addr_length);
1827 	}
1828 	if (nce != NULL)
1829 		NCE_REFRELE(nce);
1830 	rdh = (nd_opt_rd_hdr_t *)(buf + sizeof (nd_redirect_t) + ll_opt_len);
1831 	rdh->nd_opt_rh_type = (uint8_t)ND_OPT_REDIRECTED_HEADER;
1832 	/* max_redir_hdr_data_len and nd_opt_rh_len must be multiple of 8 */
1833 	max_redir_hdr_data_len =
1834 	    (ipst->ips_ipv6_icmp_return - IPV6_HDR_LEN - len)/8*8;
1835 	pkt_len = msgdsize(mp);
1836 	/* Make sure mp is 8 byte aligned */
1837 	if (pkt_len > max_redir_hdr_data_len) {
1838 		rdh->nd_opt_rh_len = (max_redir_hdr_data_len +
1839 		    sizeof (nd_opt_rd_hdr_t))/8;
1840 		(void) adjmsg(mp, max_redir_hdr_data_len - pkt_len);
1841 	} else {
1842 		rdh->nd_opt_rh_len = (pkt_len + sizeof (nd_opt_rd_hdr_t))/8;
1843 		(void) adjmsg(mp, -(pkt_len % 8));
1844 	}
1845 	rdh->nd_opt_rh_reserved1 = 0;
1846 	rdh->nd_opt_rh_reserved2 = 0;
1847 	/* ipif_v6src_addr contains the link-local source address */
1848 	srcp = &ill->ill_ipif->ipif_v6src_addr;
1849 
1850 	/* Redirects sent by router, and router is global zone */
1851 	icmp_pkt_v6(q, mp, buf, len, srcp, B_FALSE, GLOBAL_ZONEID, ipst);
1852 	kmem_free(buf, len);
1853 }
1854 
1855 
1856 /* Generate an ICMP time exceeded message.  (May be called as writer.) */
1857 void
1858 icmp_time_exceeded_v6(queue_t *q, mblk_t *mp, uint8_t code,
1859     boolean_t llbcast, boolean_t mcast_ok, zoneid_t zoneid,
1860     ip_stack_t *ipst)
1861 {
1862 	icmp6_t	icmp6;
1863 	boolean_t mctl_present;
1864 	mblk_t *first_mp;
1865 
1866 	EXTRACT_PKT_MP(mp, first_mp, mctl_present);
1867 
1868 	mp = icmp_pkt_err_ok_v6(q, mp, llbcast, mcast_ok, ipst);
1869 	if (mp == NULL) {
1870 		if (mctl_present)
1871 			freeb(first_mp);
1872 		return;
1873 	}
1874 	bzero(&icmp6, sizeof (icmp6_t));
1875 	icmp6.icmp6_type = ICMP6_TIME_EXCEEDED;
1876 	icmp6.icmp6_code = code;
1877 	icmp_pkt_v6(q, first_mp, &icmp6, sizeof (icmp6_t), NULL, mctl_present,
1878 	    zoneid, ipst);
1879 }
1880 
1881 /*
1882  * Generate an ICMP unreachable message.
1883  */
1884 void
1885 icmp_unreachable_v6(queue_t *q, mblk_t *mp, uint8_t code,
1886     boolean_t llbcast, boolean_t mcast_ok, zoneid_t zoneid,
1887     ip_stack_t *ipst)
1888 {
1889 	icmp6_t	icmp6;
1890 	boolean_t mctl_present;
1891 	mblk_t *first_mp;
1892 
1893 	EXTRACT_PKT_MP(mp, first_mp, mctl_present);
1894 
1895 	mp = icmp_pkt_err_ok_v6(q, mp, llbcast, mcast_ok, ipst);
1896 	if (mp == NULL) {
1897 		if (mctl_present)
1898 			freeb(first_mp);
1899 		return;
1900 	}
1901 	bzero(&icmp6, sizeof (icmp6_t));
1902 	icmp6.icmp6_type = ICMP6_DST_UNREACH;
1903 	icmp6.icmp6_code = code;
1904 	icmp_pkt_v6(q, first_mp, &icmp6, sizeof (icmp6_t), NULL, mctl_present,
1905 	    zoneid, ipst);
1906 }
1907 
1908 /*
1909  * Generate an ICMP pkt too big message.
1910  */
1911 static void
1912 icmp_pkt2big_v6(queue_t *q, mblk_t *mp, uint32_t mtu,
1913     boolean_t llbcast, boolean_t mcast_ok, zoneid_t zoneid, ip_stack_t *ipst)
1914 {
1915 	icmp6_t	icmp6;
1916 	mblk_t *first_mp;
1917 	boolean_t mctl_present;
1918 
1919 	EXTRACT_PKT_MP(mp, first_mp, mctl_present);
1920 
1921 	mp = icmp_pkt_err_ok_v6(q, mp, llbcast, mcast_ok,  ipst);
1922 	if (mp == NULL) {
1923 		if (mctl_present)
1924 			freeb(first_mp);
1925 		return;
1926 	}
1927 	bzero(&icmp6, sizeof (icmp6_t));
1928 	icmp6.icmp6_type = ICMP6_PACKET_TOO_BIG;
1929 	icmp6.icmp6_code = 0;
1930 	icmp6.icmp6_mtu = htonl(mtu);
1931 
1932 	icmp_pkt_v6(q, first_mp, &icmp6, sizeof (icmp6_t), NULL, mctl_present,
1933 	    zoneid, ipst);
1934 }
1935 
1936 /*
1937  * Generate an ICMP parameter problem message. (May be called as writer.)
1938  * 'offset' is the offset from the beginning of the packet in error.
1939  */
1940 static void
1941 icmp_param_problem_v6(queue_t *q, mblk_t *mp, uint8_t code,
1942     uint32_t offset, boolean_t llbcast, boolean_t mcast_ok, zoneid_t zoneid,
1943     ip_stack_t *ipst)
1944 {
1945 	icmp6_t	icmp6;
1946 	boolean_t mctl_present;
1947 	mblk_t *first_mp;
1948 
1949 	EXTRACT_PKT_MP(mp, first_mp, mctl_present);
1950 
1951 	mp = icmp_pkt_err_ok_v6(q, mp, llbcast, mcast_ok, ipst);
1952 	if (mp == NULL) {
1953 		if (mctl_present)
1954 			freeb(first_mp);
1955 		return;
1956 	}
1957 	bzero((char *)&icmp6, sizeof (icmp6_t));
1958 	icmp6.icmp6_type = ICMP6_PARAM_PROB;
1959 	icmp6.icmp6_code = code;
1960 	icmp6.icmp6_pptr = htonl(offset);
1961 	icmp_pkt_v6(q, first_mp, &icmp6, sizeof (icmp6_t), NULL, mctl_present,
1962 	    zoneid, ipst);
1963 }
1964 
1965 /*
1966  * This code will need to take into account the possibility of binding
1967  * to a link local address on a multi-homed host, in which case the
1968  * outgoing interface (from the conn) will need to be used when getting
1969  * an ire for the dst. Going through proper outgoing interface and
1970  * choosing the source address corresponding to the outgoing interface
1971  * is necessary when the destination address is a link-local address and
1972  * IPV6_BOUND_IF or IPV6_PKTINFO or scope_id has been set.
1973  * This can happen when active connection is setup; thus ipp pointer
1974  * is passed here from tcp_connect_*() routines, in non-TCP cases NULL
1975  * pointer is passed as ipp pointer.
1976  */
1977 mblk_t *
1978 ip_bind_v6(queue_t *q, mblk_t *mp, conn_t *connp, ip6_pkt_t *ipp)
1979 {
1980 	ssize_t			len;
1981 	int			protocol;
1982 	struct T_bind_req	*tbr;
1983 	sin6_t			*sin6;
1984 	ipa6_conn_t		*ac6;
1985 	in6_addr_t		*v6srcp;
1986 	in6_addr_t		*v6dstp;
1987 	uint16_t		lport;
1988 	uint16_t		fport;
1989 	uchar_t			*ucp;
1990 	int			error = 0;
1991 	boolean_t		local_bind;
1992 	ipa6_conn_x_t		*acx6;
1993 	boolean_t		verify_dst;
1994 	ip_stack_t		*ipst = connp->conn_netstack->netstack_ip;
1995 
1996 	ASSERT(connp->conn_af_isv6);
1997 	len = mp->b_wptr - mp->b_rptr;
1998 	if (len < (sizeof (*tbr) + 1)) {
1999 		(void) mi_strlog(q, 1, SL_ERROR|SL_TRACE,
2000 		    "ip_bind_v6: bogus msg, len %ld", len);
2001 		goto bad_addr;
2002 	}
2003 	/* Back up and extract the protocol identifier. */
2004 	mp->b_wptr--;
2005 	tbr = (struct T_bind_req *)mp->b_rptr;
2006 	/* Reset the message type in preparation for shipping it back. */
2007 	mp->b_datap->db_type = M_PCPROTO;
2008 
2009 	protocol = *mp->b_wptr & 0xFF;
2010 	connp->conn_ulp = (uint8_t)protocol;
2011 
2012 	/*
2013 	 * Check for a zero length address.  This is from a protocol that
2014 	 * wants to register to receive all packets of its type.
2015 	 */
2016 	if (tbr->ADDR_length == 0) {
2017 		if ((protocol == IPPROTO_TCP || protocol == IPPROTO_SCTP ||
2018 		    protocol == IPPROTO_ESP || protocol == IPPROTO_AH) &&
2019 		    ipst->ips_ipcl_proto_fanout_v6[protocol].connf_head !=
2020 		    NULL) {
2021 			/*
2022 			 * TCP, SCTP, AH, and ESP have single protocol fanouts.
2023 			 * Do not allow others to bind to these.
2024 			 */
2025 			goto bad_addr;
2026 		}
2027 
2028 		/*
2029 		 *
2030 		 * The udp module never sends down a zero-length address,
2031 		 * and allowing this on a labeled system will break MLP
2032 		 * functionality.
2033 		 */
2034 		if (is_system_labeled() && protocol == IPPROTO_UDP)
2035 			goto bad_addr;
2036 
2037 		/* Allow ipsec plumbing */
2038 		if (connp->conn_mac_exempt && protocol != IPPROTO_AH &&
2039 		    protocol != IPPROTO_ESP)
2040 			goto bad_addr;
2041 
2042 		connp->conn_srcv6 = ipv6_all_zeros;
2043 		ipcl_proto_insert_v6(connp, protocol);
2044 
2045 		tbr->PRIM_type = T_BIND_ACK;
2046 		return (mp);
2047 	}
2048 
2049 	/* Extract the address pointer from the message. */
2050 	ucp = (uchar_t *)mi_offset_param(mp, tbr->ADDR_offset,
2051 	    tbr->ADDR_length);
2052 	if (ucp == NULL) {
2053 		ip1dbg(("ip_bind_v6: no address\n"));
2054 		goto bad_addr;
2055 	}
2056 	if (!OK_32PTR(ucp)) {
2057 		ip1dbg(("ip_bind_v6: unaligned address\n"));
2058 		goto bad_addr;
2059 	}
2060 
2061 	switch (tbr->ADDR_length) {
2062 	default:
2063 		ip1dbg(("ip_bind_v6: bad address length %d\n",
2064 		    (int)tbr->ADDR_length));
2065 		goto bad_addr;
2066 
2067 	case IPV6_ADDR_LEN:
2068 		/* Verification of local address only */
2069 		v6srcp = (in6_addr_t *)ucp;
2070 		lport = 0;
2071 		local_bind = B_TRUE;
2072 		break;
2073 
2074 	case sizeof (sin6_t):
2075 		sin6 = (sin6_t *)ucp;
2076 		v6srcp = &sin6->sin6_addr;
2077 		lport = sin6->sin6_port;
2078 		local_bind = B_TRUE;
2079 		break;
2080 
2081 	case sizeof (ipa6_conn_t):
2082 		/*
2083 		 * Verify that both the source and destination addresses
2084 		 * are valid.
2085 		 */
2086 		ac6 = (ipa6_conn_t *)ucp;
2087 		v6srcp = &ac6->ac6_laddr;
2088 		v6dstp = &ac6->ac6_faddr;
2089 		fport = ac6->ac6_fport;
2090 		/* For raw socket, the local port is not set. */
2091 		lport = ac6->ac6_lport != 0 ? ac6->ac6_lport :
2092 		    connp->conn_lport;
2093 		local_bind = B_FALSE;
2094 		/* Always verify destination reachability. */
2095 		verify_dst = B_TRUE;
2096 		break;
2097 
2098 	case sizeof (ipa6_conn_x_t):
2099 		/*
2100 		 * Verify that the source address is valid.
2101 		 */
2102 		acx6 = (ipa6_conn_x_t *)ucp;
2103 		ac6 = &acx6->ac6x_conn;
2104 		v6srcp = &ac6->ac6_laddr;
2105 		v6dstp = &ac6->ac6_faddr;
2106 		fport = ac6->ac6_fport;
2107 		lport = ac6->ac6_lport;
2108 		local_bind = B_FALSE;
2109 		/*
2110 		 * Client that passed ipa6_conn_x_t to us specifies whether to
2111 		 * verify destination reachability.
2112 		 */
2113 		verify_dst = (acx6->ac6x_flags & ACX_VERIFY_DST) != 0;
2114 		break;
2115 	}
2116 	if (local_bind) {
2117 		error = ip_proto_bind_laddr_v6(connp, &mp->b_cont, protocol,
2118 		    v6srcp, lport, tbr->ADDR_length != IPV6_ADDR_LEN);
2119 	} else {
2120 		error = ip_proto_bind_connected_v6(connp, &mp->b_cont, protocol,
2121 		    v6srcp, lport, v6dstp, ipp, fport, B_TRUE, verify_dst);
2122 	}
2123 
2124 	if (error == 0) {
2125 		/* Send it home. */
2126 		mp->b_datap->db_type = M_PCPROTO;
2127 		tbr->PRIM_type = T_BIND_ACK;
2128 		return (mp);
2129 	}
2130 
2131 bad_addr:
2132 	ASSERT(error != EINPROGRESS);
2133 	if (error > 0)
2134 		mp = mi_tpi_err_ack_alloc(mp, TSYSERR, error);
2135 	else
2136 		mp = mi_tpi_err_ack_alloc(mp, TBADADDR, 0);
2137 	return (mp);
2138 }
2139 
2140 static void
2141 ip_bind_post_handling_v6(conn_t *connp, mblk_t *mp,
2142     boolean_t version_changed, boolean_t ire_requested, ip_stack_t *ipst)
2143 {
2144 	/* Update conn_send and pktversion if v4/v6 changed */
2145 	if (version_changed) {
2146 		ip_setpktversion(connp, connp->conn_pkt_isv6, B_TRUE, ipst);
2147 	}
2148 
2149 	/*
2150 	 * Pass the IPSEC headers size in ire_ipsec_overhead.
2151 	 * We can't do this in ip_bind_insert_ire because the policy
2152 	 * may not have been inherited at that point in time and hence
2153 	 * conn_out_enforce_policy may not be set.
2154 	 */
2155 	if (ire_requested && connp->conn_out_enforce_policy &&
2156 	    mp != NULL && DB_TYPE(mp) == IRE_DB_REQ_TYPE) {
2157 		ire_t *ire = (ire_t *)mp->b_rptr;
2158 		ASSERT(MBLKL(mp) >= sizeof (ire_t));
2159 		ire->ire_ipsec_overhead = (conn_ipsec_length(connp));
2160 	}
2161 }
2162 
2163 /*
2164  * Here address is verified to be a valid local address.
2165  * If the IRE_DB_REQ_TYPE mp is present, a multicast
2166  * address is also considered a valid local address.
2167  * In the case of a multicast address, however, the
2168  * upper protocol is expected to reset the src address
2169  * to 0 if it sees an ire with IN6_IS_ADDR_MULTICAST returned so that
2170  * no packets are emitted with multicast address as
2171  * source address.
2172  * The addresses valid for bind are:
2173  *	(1) - in6addr_any
2174  *	(2) - IP address of an UP interface
2175  *	(3) - IP address of a DOWN interface
2176  *	(4) - a multicast address. In this case
2177  *	the conn will only receive packets destined to
2178  *	the specified multicast address. Note: the
2179  *	application still has to issue an
2180  *	IPV6_JOIN_GROUP socket option.
2181  *
2182  * In all the above cases, the bound address must be valid in the current zone.
2183  * When the address is loopback or multicast, there might be many matching IREs
2184  * so bind has to look up based on the zone.
2185  */
2186 /*
2187  * Verify the local IP address. Does not change the conn_t except
2188  * conn_fully_bound and conn_policy_cached.
2189  */
2190 static int
2191 ip_bind_laddr_v6(conn_t *connp, mblk_t **mpp, uint8_t protocol,
2192     const in6_addr_t *v6src, uint16_t lport, boolean_t fanout_insert)
2193 {
2194 	int		error = 0;
2195 	ire_t		*src_ire = NULL;
2196 	zoneid_t	zoneid;
2197 	mblk_t		*mp = NULL;
2198 	boolean_t	ire_requested;
2199 	boolean_t	ipsec_policy_set;
2200 	ip_stack_t	*ipst = connp->conn_netstack->netstack_ip;
2201 
2202 	if (mpp)
2203 		mp = *mpp;
2204 
2205 	ire_requested = (mp != NULL && DB_TYPE(mp) == IRE_DB_REQ_TYPE);
2206 	ipsec_policy_set = (mp != NULL && DB_TYPE(mp) == IPSEC_POLICY_SET);
2207 
2208 	/*
2209 	 * If it was previously connected, conn_fully_bound would have
2210 	 * been set.
2211 	 */
2212 	connp->conn_fully_bound = B_FALSE;
2213 
2214 	zoneid = connp->conn_zoneid;
2215 
2216 	if (!IN6_IS_ADDR_UNSPECIFIED(v6src)) {
2217 		src_ire = ire_route_lookup_v6(v6src, 0, 0,
2218 		    0, NULL, NULL, zoneid, NULL, MATCH_IRE_ZONEONLY, ipst);
2219 		/*
2220 		 * If an address other than in6addr_any is requested,
2221 		 * we verify that it is a valid address for bind
2222 		 * Note: Following code is in if-else-if form for
2223 		 * readability compared to a condition check.
2224 		 */
2225 		ASSERT(src_ire == NULL || !(src_ire->ire_type & IRE_BROADCAST));
2226 		/* LINTED - statement has no consequent */
2227 		if (IRE_IS_LOCAL(src_ire)) {
2228 			/*
2229 			 * (2) Bind to address of local UP interface
2230 			 */
2231 		} else if (IN6_IS_ADDR_MULTICAST(v6src)) {
2232 			ipif_t	*multi_ipif = NULL;
2233 			ire_t	*save_ire;
2234 			/*
2235 			 * (4) bind to multicast address.
2236 			 * Fake out the IRE returned to upper
2237 			 * layer to be a broadcast IRE in
2238 			 * ip_bind_insert_ire_v6().
2239 			 * Pass other information that matches
2240 			 * the ipif (e.g. the source address).
2241 			 * conn_multicast_ill is only used for
2242 			 * IPv6 packets
2243 			 */
2244 			mutex_enter(&connp->conn_lock);
2245 			if (connp->conn_multicast_ill != NULL) {
2246 				(void) ipif_lookup_zoneid(
2247 				    connp->conn_multicast_ill, zoneid, 0,
2248 				    &multi_ipif);
2249 			} else {
2250 				/*
2251 				 * Look for default like
2252 				 * ip_wput_v6
2253 				 */
2254 				multi_ipif = ipif_lookup_group_v6(
2255 				    &ipv6_unspecified_group, zoneid, ipst);
2256 			}
2257 			mutex_exit(&connp->conn_lock);
2258 			save_ire = src_ire;
2259 			src_ire = NULL;
2260 			if (multi_ipif == NULL || !ire_requested ||
2261 			    (src_ire = ipif_to_ire_v6(multi_ipif)) == NULL) {
2262 				src_ire = save_ire;
2263 				error = EADDRNOTAVAIL;
2264 			} else {
2265 				ASSERT(src_ire != NULL);
2266 				if (save_ire != NULL)
2267 					ire_refrele(save_ire);
2268 			}
2269 			if (multi_ipif != NULL)
2270 				ipif_refrele(multi_ipif);
2271 		} else {
2272 			if (!ip_addr_exists_v6(v6src, zoneid, ipst)) {
2273 				/*
2274 				 * Not a valid address for bind
2275 				 */
2276 				error = EADDRNOTAVAIL;
2277 			}
2278 		}
2279 
2280 		if (error != 0) {
2281 			/* Red Alert!  Attempting to be a bogon! */
2282 			if (ip_debug > 2) {
2283 				/* ip1dbg */
2284 				pr_addr_dbg("ip_bind_laddr_v6: bad src"
2285 				    " address %s\n", AF_INET6, v6src);
2286 			}
2287 			goto bad_addr;
2288 		}
2289 	}
2290 
2291 	/*
2292 	 * Allow setting new policies. For example, disconnects come
2293 	 * down as ipa_t bind. As we would have set conn_policy_cached
2294 	 * to B_TRUE before, we should set it to B_FALSE, so that policy
2295 	 * can change after the disconnect.
2296 	 */
2297 	connp->conn_policy_cached = B_FALSE;
2298 
2299 	/* If not fanout_insert this was just an address verification */
2300 	if (fanout_insert) {
2301 		/*
2302 		 * The addresses have been verified. Time to insert in
2303 		 * the correct fanout list.
2304 		 */
2305 		connp->conn_srcv6 = *v6src;
2306 		connp->conn_remv6 = ipv6_all_zeros;
2307 		connp->conn_lport = lport;
2308 		connp->conn_fport = 0;
2309 		error = ipcl_bind_insert_v6(connp, protocol, v6src, lport);
2310 	}
2311 	if (error == 0) {
2312 		if (ire_requested) {
2313 			if (!ip_bind_get_ire_v6(mpp, src_ire, v6src, NULL,
2314 			    ipst)) {
2315 				error = -1;
2316 				goto bad_addr;
2317 			}
2318 			mp = *mpp;
2319 		} else if (ipsec_policy_set) {
2320 			if (!ip_bind_ipsec_policy_set(connp, mp)) {
2321 				error = -1;
2322 				goto bad_addr;
2323 			}
2324 		}
2325 	}
2326 bad_addr:
2327 	if (error != 0) {
2328 		if (connp->conn_anon_port) {
2329 			(void) tsol_mlp_anon(crgetzone(connp->conn_cred),
2330 			    connp->conn_mlp_type, connp->conn_ulp, ntohs(lport),
2331 			    B_FALSE);
2332 		}
2333 		connp->conn_mlp_type = mlptSingle;
2334 	}
2335 
2336 	if (src_ire != NULL)
2337 		ire_refrele(src_ire);
2338 
2339 	if (ipsec_policy_set) {
2340 		ASSERT(mp != NULL);
2341 		freeb(mp);
2342 		/*
2343 		 * As of now assume that nothing else accompanies
2344 		 * IPSEC_POLICY_SET.
2345 		 */
2346 		*mpp = NULL;
2347 	}
2348 
2349 	return (error);
2350 }
2351 int
2352 ip_proto_bind_laddr_v6(conn_t *connp, mblk_t **mpp, uint8_t protocol,
2353     const in6_addr_t *v6srcp, uint16_t lport, boolean_t fanout_insert)
2354 {
2355 	int error;
2356 	boolean_t ire_requested;
2357 	mblk_t *mp = NULL;
2358 	boolean_t orig_pkt_isv6 = connp->conn_pkt_isv6;
2359 	ip_stack_t	*ipst = connp->conn_netstack->netstack_ip;
2360 
2361 	/*
2362 	 * Note that we allow connect to broadcast and multicast
2363 	 * address when ire_requested is set. Thus the ULP
2364 	 * has to check for IRE_BROADCAST and multicast.
2365 	 */
2366 	if (mpp)
2367 		mp = *mpp;
2368 	ire_requested = (mp && DB_TYPE(mp) == IRE_DB_REQ_TYPE);
2369 
2370 	ASSERT(connp->conn_af_isv6);
2371 	connp->conn_ulp = protocol;
2372 
2373 	if (IN6_IS_ADDR_V4MAPPED(v6srcp) && !connp->conn_ipv6_v6only) {
2374 		/* Bind to IPv4 address */
2375 		ipaddr_t v4src;
2376 
2377 		IN6_V4MAPPED_TO_IPADDR(v6srcp, v4src);
2378 
2379 		error = ip_bind_laddr_v4(connp, mpp, protocol, v4src, lport,
2380 		    fanout_insert);
2381 		if (error != 0)
2382 			goto bad_addr;
2383 		connp->conn_pkt_isv6 = B_FALSE;
2384 	} else {
2385 		if (IN6_IS_ADDR_V4MAPPED(v6srcp)) {
2386 			error = 0;
2387 			goto bad_addr;
2388 		}
2389 		error = ip_bind_laddr_v6(connp, mpp, protocol, v6srcp,
2390 		    lport, fanout_insert);
2391 		if (error != 0)
2392 			goto bad_addr;
2393 		connp->conn_pkt_isv6 = B_TRUE;
2394 	}
2395 
2396 	ip_bind_post_handling_v6(connp, mpp ? *mpp : NULL,
2397 	    orig_pkt_isv6 != connp->conn_pkt_isv6, ire_requested, ipst);
2398 	return (0);
2399 
2400 bad_addr:
2401 	if (error < 0)
2402 		error = -TBADADDR;
2403 	return (error);
2404 }
2405 
2406 /*
2407  * Verify that both the source and destination addresses
2408  * are valid.  If verify_dst, then destination address must also be reachable,
2409  * i.e. have a route.  Protocols like TCP want this.  Tunnels do not.
2410  * It takes ip6_pkt_t * as one of the arguments to determine correct
2411  * source address when IPV6_PKTINFO or scope_id is set along with a link-local
2412  * destination address. Note that parameter ipp is only useful for TCP connect
2413  * when scope_id is set or IPV6_PKTINFO option is set with an ifindex. For all
2414  * non-TCP cases, it is NULL and for all other tcp cases it is not useful.
2415  *
2416  */
2417 int
2418 ip_bind_connected_v6(conn_t *connp, mblk_t **mpp, uint8_t protocol,
2419     in6_addr_t *v6src, uint16_t lport, const in6_addr_t *v6dst,
2420     ip6_pkt_t *ipp, uint16_t fport, boolean_t fanout_insert,
2421     boolean_t verify_dst)
2422 {
2423 	ire_t		*src_ire;
2424 	ire_t		*dst_ire;
2425 	int		error = 0;
2426 	ire_t		*sire = NULL;
2427 	ire_t		*md_dst_ire = NULL;
2428 	ill_t		*md_ill = NULL;
2429 	ill_t 		*dst_ill = NULL;
2430 	ipif_t		*src_ipif = NULL;
2431 	zoneid_t	zoneid;
2432 	boolean_t	ill_held = B_FALSE;
2433 	mblk_t		*mp = NULL;
2434 	boolean_t	ire_requested = B_FALSE;
2435 	boolean_t	ipsec_policy_set = B_FALSE;
2436 	ip_stack_t	*ipst = connp->conn_netstack->netstack_ip;
2437 	ts_label_t	*tsl = NULL;
2438 
2439 	if (mpp)
2440 		mp = *mpp;
2441 
2442 	if (mp != NULL) {
2443 		ire_requested = (DB_TYPE(mp) == IRE_DB_REQ_TYPE);
2444 		ipsec_policy_set = (DB_TYPE(mp) == IPSEC_POLICY_SET);
2445 		tsl = MBLK_GETLABEL(mp);
2446 	}
2447 
2448 	src_ire = dst_ire = NULL;
2449 	/*
2450 	 * If we never got a disconnect before, clear it now.
2451 	 */
2452 	connp->conn_fully_bound = B_FALSE;
2453 
2454 	zoneid = connp->conn_zoneid;
2455 
2456 	if (IN6_IS_ADDR_MULTICAST(v6dst)) {
2457 		ipif_t *ipif;
2458 
2459 		/*
2460 		 * Use an "emulated" IRE_BROADCAST to tell the transport it
2461 		 * is a multicast.
2462 		 * Pass other information that matches
2463 		 * the ipif (e.g. the source address).
2464 		 *
2465 		 * conn_multicast_ill is only used for IPv6 packets
2466 		 */
2467 		mutex_enter(&connp->conn_lock);
2468 		if (connp->conn_multicast_ill != NULL) {
2469 			(void) ipif_lookup_zoneid(connp->conn_multicast_ill,
2470 			    zoneid, 0, &ipif);
2471 		} else {
2472 			/* Look for default like ip_wput_v6 */
2473 			ipif = ipif_lookup_group_v6(v6dst, zoneid, ipst);
2474 		}
2475 		mutex_exit(&connp->conn_lock);
2476 		if (ipif == NULL || ire_requested ||
2477 		    (dst_ire = ipif_to_ire_v6(ipif)) == NULL) {
2478 			if (ipif != NULL)
2479 				ipif_refrele(ipif);
2480 			if (ip_debug > 2) {
2481 				/* ip1dbg */
2482 				pr_addr_dbg("ip_bind_connected_v6: bad "
2483 				    "connected multicast %s\n", AF_INET6,
2484 				    v6dst);
2485 			}
2486 			error = ENETUNREACH;
2487 			goto bad_addr;
2488 		}
2489 		if (ipif != NULL)
2490 			ipif_refrele(ipif);
2491 	} else {
2492 		dst_ire = ire_route_lookup_v6(v6dst, NULL, NULL, 0,
2493 		    NULL, &sire, zoneid, tsl,
2494 		    MATCH_IRE_RECURSIVE | MATCH_IRE_DEFAULT |
2495 		    MATCH_IRE_PARENT | MATCH_IRE_RJ_BHOLE | MATCH_IRE_SECATTR,
2496 		    ipst);
2497 		/*
2498 		 * We also prevent ire's with src address INADDR_ANY to
2499 		 * be used, which are created temporarily for
2500 		 * sending out packets from endpoints that have
2501 		 * conn_unspec_src set.
2502 		 */
2503 		if (dst_ire == NULL ||
2504 		    (dst_ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) ||
2505 		    IN6_IS_ADDR_UNSPECIFIED(&dst_ire->ire_src_addr_v6)) {
2506 			/*
2507 			 * When verifying destination reachability, we always
2508 			 * complain.
2509 			 *
2510 			 * When not verifying destination reachability but we
2511 			 * found an IRE, i.e. the destination is reachable,
2512 			 * then the other tests still apply and we complain.
2513 			 */
2514 			if (verify_dst || (dst_ire != NULL)) {
2515 				if (ip_debug > 2) {
2516 					/* ip1dbg */
2517 					pr_addr_dbg("ip_bind_connected_v6: bad"
2518 					    " connected dst %s\n", AF_INET6,
2519 					    v6dst);
2520 				}
2521 				if (dst_ire == NULL ||
2522 				    !(dst_ire->ire_type & IRE_HOST)) {
2523 					error = ENETUNREACH;
2524 				} else {
2525 					error = EHOSTUNREACH;
2526 				}
2527 				goto bad_addr;
2528 			}
2529 		}
2530 	}
2531 
2532 	/*
2533 	 * We now know that routing will allow us to reach the destination.
2534 	 * Check whether Trusted Solaris policy allows communication with this
2535 	 * host, and pretend that the destination is unreachable if not.
2536 	 *
2537 	 * This is never a problem for TCP, since that transport is known to
2538 	 * compute the label properly as part of the tcp_rput_other T_BIND_ACK
2539 	 * handling.  If the remote is unreachable, it will be detected at that
2540 	 * point, so there's no reason to check it here.
2541 	 *
2542 	 * Note that for sendto (and other datagram-oriented friends), this
2543 	 * check is done as part of the data path label computation instead.
2544 	 * The check here is just to make non-TCP connect() report the right
2545 	 * error.
2546 	 */
2547 	if (dst_ire != NULL && is_system_labeled() &&
2548 	    !IPCL_IS_TCP(connp) &&
2549 	    tsol_compute_label_v6(DB_CREDDEF(mp, connp->conn_cred),
2550 	    v6dst, NULL, connp->conn_mac_exempt, ipst) != 0) {
2551 		error = EHOSTUNREACH;
2552 		if (ip_debug > 2) {
2553 			pr_addr_dbg("ip_bind_connected: no label for dst %s\n",
2554 			    AF_INET6, v6dst);
2555 		}
2556 		goto bad_addr;
2557 	}
2558 
2559 	/*
2560 	 * If the app does a connect(), it means that it will most likely
2561 	 * send more than 1 packet to the destination.  It makes sense
2562 	 * to clear the temporary flag.
2563 	 */
2564 	if (dst_ire != NULL && dst_ire->ire_type == IRE_CACHE &&
2565 	    (dst_ire->ire_marks & IRE_MARK_TEMPORARY)) {
2566 		irb_t *irb = dst_ire->ire_bucket;
2567 
2568 		rw_enter(&irb->irb_lock, RW_WRITER);
2569 		/*
2570 		 * We need to recheck for IRE_MARK_TEMPORARY after acquiring
2571 		 * the lock in order to guarantee irb_tmp_ire_cnt.
2572 		 */
2573 		if (dst_ire->ire_marks & IRE_MARK_TEMPORARY) {
2574 			dst_ire->ire_marks &= ~IRE_MARK_TEMPORARY;
2575 			irb->irb_tmp_ire_cnt--;
2576 		}
2577 		rw_exit(&irb->irb_lock);
2578 	}
2579 
2580 	ASSERT(dst_ire == NULL || dst_ire->ire_ipversion == IPV6_VERSION);
2581 
2582 	/*
2583 	 * See if we should notify ULP about MDT; we do this whether or not
2584 	 * ire_requested is TRUE, in order to handle active connects; MDT
2585 	 * eligibility tests for passive connects are handled separately
2586 	 * through tcp_adapt_ire().  We do this before the source address
2587 	 * selection, because dst_ire may change after a call to
2588 	 * ipif_select_source_v6().  This is a best-effort check, as the
2589 	 * packet for this connection may not actually go through
2590 	 * dst_ire->ire_stq, and the exact IRE can only be known after
2591 	 * calling ip_newroute_v6().  This is why we further check on the
2592 	 * IRE during Multidata packet transmission in tcp_multisend().
2593 	 */
2594 	if (ipst->ips_ip_multidata_outbound && !ipsec_policy_set &&
2595 	    dst_ire != NULL &&
2596 	    !(dst_ire->ire_type & (IRE_LOCAL | IRE_LOOPBACK | IRE_BROADCAST)) &&
2597 	    (md_ill = ire_to_ill(dst_ire), md_ill != NULL) &&
2598 	    ILL_MDT_CAPABLE(md_ill)) {
2599 		md_dst_ire = dst_ire;
2600 		IRE_REFHOLD(md_dst_ire);
2601 	}
2602 
2603 	if (dst_ire != NULL &&
2604 	    dst_ire->ire_type == IRE_LOCAL &&
2605 	    dst_ire->ire_zoneid != zoneid &&
2606 	    dst_ire->ire_zoneid != ALL_ZONES) {
2607 		src_ire = ire_ftable_lookup_v6(v6dst, 0, 0, 0, NULL, NULL,
2608 		    zoneid, 0, NULL,
2609 		    MATCH_IRE_RECURSIVE | MATCH_IRE_DEFAULT |
2610 		    MATCH_IRE_RJ_BHOLE, ipst);
2611 		if (src_ire == NULL) {
2612 			error = EHOSTUNREACH;
2613 			goto bad_addr;
2614 		} else if (src_ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
2615 			if (!(src_ire->ire_type & IRE_HOST))
2616 				error = ENETUNREACH;
2617 			else
2618 				error = EHOSTUNREACH;
2619 			goto bad_addr;
2620 		}
2621 		if (IN6_IS_ADDR_UNSPECIFIED(v6src)) {
2622 			src_ipif = src_ire->ire_ipif;
2623 			ipif_refhold(src_ipif);
2624 			*v6src = src_ipif->ipif_v6lcl_addr;
2625 		}
2626 		ire_refrele(src_ire);
2627 		src_ire = NULL;
2628 	} else if (IN6_IS_ADDR_UNSPECIFIED(v6src) && dst_ire != NULL) {
2629 		if ((sire != NULL) && (sire->ire_flags & RTF_SETSRC)) {
2630 			*v6src = sire->ire_src_addr_v6;
2631 			ire_refrele(dst_ire);
2632 			dst_ire = sire;
2633 			sire = NULL;
2634 		} else if (dst_ire->ire_type == IRE_CACHE &&
2635 		    (dst_ire->ire_flags & RTF_SETSRC)) {
2636 			ASSERT(dst_ire->ire_zoneid == zoneid ||
2637 			    dst_ire->ire_zoneid == ALL_ZONES);
2638 			*v6src = dst_ire->ire_src_addr_v6;
2639 		} else {
2640 			/*
2641 			 * Pick a source address so that a proper inbound load
2642 			 * spreading would happen. Use dst_ill specified by the
2643 			 * app. when socket option or scopeid is set.
2644 			 */
2645 			int  err;
2646 
2647 			if (ipp != NULL && ipp->ipp_ifindex != 0) {
2648 				uint_t	if_index;
2649 
2650 				/*
2651 				 * Scope id or IPV6_PKTINFO
2652 				 */
2653 
2654 				if_index = ipp->ipp_ifindex;
2655 				dst_ill = ill_lookup_on_ifindex(
2656 				    if_index, B_TRUE, NULL, NULL, NULL, NULL,
2657 				    ipst);
2658 				if (dst_ill == NULL) {
2659 					ip1dbg(("ip_bind_connected_v6:"
2660 					    " bad ifindex %d\n", if_index));
2661 					error = EADDRNOTAVAIL;
2662 					goto bad_addr;
2663 				}
2664 				ill_held = B_TRUE;
2665 			} else if (connp->conn_outgoing_ill != NULL) {
2666 				/*
2667 				 * For IPV6_BOUND_IF socket option,
2668 				 * conn_outgoing_ill should be set
2669 				 * already in TCP or UDP/ICMP.
2670 				 */
2671 				dst_ill = conn_get_held_ill(connp,
2672 				    &connp->conn_outgoing_ill, &err);
2673 				if (err == ILL_LOOKUP_FAILED) {
2674 					ip1dbg(("ip_bind_connected_v6:"
2675 					    "no ill for bound_if\n"));
2676 					error = EADDRNOTAVAIL;
2677 					goto bad_addr;
2678 				}
2679 				ill_held = B_TRUE;
2680 			} else if (dst_ire->ire_stq != NULL) {
2681 				/* No need to hold ill here */
2682 				dst_ill = (ill_t *)dst_ire->ire_stq->q_ptr;
2683 			} else {
2684 				/* No need to hold ill here */
2685 				dst_ill = dst_ire->ire_ipif->ipif_ill;
2686 			}
2687 			if (ip6_asp_can_lookup(ipst)) {
2688 				src_ipif = ipif_select_source_v6(dst_ill,
2689 				    v6dst, B_FALSE, connp->conn_src_preferences,
2690 				    zoneid);
2691 				ip6_asp_table_refrele(ipst);
2692 				if (src_ipif == NULL) {
2693 					pr_addr_dbg("ip_bind_connected_v6: "
2694 					    "no usable source address for "
2695 					    "connection to %s\n",
2696 					    AF_INET6, v6dst);
2697 					error = EADDRNOTAVAIL;
2698 					goto bad_addr;
2699 				}
2700 				*v6src = src_ipif->ipif_v6lcl_addr;
2701 			} else {
2702 				error = EADDRNOTAVAIL;
2703 				goto bad_addr;
2704 			}
2705 		}
2706 	}
2707 
2708 	/*
2709 	 * We do ire_route_lookup_v6() here (and not an interface lookup)
2710 	 * as we assert that v6src should only come from an
2711 	 * UP interface for hard binding.
2712 	 */
2713 	src_ire = ire_route_lookup_v6(v6src, 0, 0, 0, NULL,
2714 	    NULL, zoneid, NULL, MATCH_IRE_ZONEONLY, ipst);
2715 
2716 	/* src_ire must be a local|loopback */
2717 	if (!IRE_IS_LOCAL(src_ire)) {
2718 		if (ip_debug > 2) {
2719 			/* ip1dbg */
2720 			pr_addr_dbg("ip_bind_connected_v6: bad "
2721 			    "connected src %s\n", AF_INET6, v6src);
2722 		}
2723 		error = EADDRNOTAVAIL;
2724 		goto bad_addr;
2725 	}
2726 
2727 	/*
2728 	 * If the source address is a loopback address, the
2729 	 * destination had best be local or multicast.
2730 	 * The transports that can't handle multicast will reject
2731 	 * those addresses.
2732 	 */
2733 	if (src_ire->ire_type == IRE_LOOPBACK &&
2734 	    !(IRE_IS_LOCAL(dst_ire) || IN6_IS_ADDR_MULTICAST(v6dst) ||
2735 	    IN6_IS_ADDR_V4MAPPED_CLASSD(v6dst))) {
2736 		ip1dbg(("ip_bind_connected_v6: bad connected loopback\n"));
2737 		error = -1;
2738 		goto bad_addr;
2739 	}
2740 	/*
2741 	 * Allow setting new policies. For example, disconnects come
2742 	 * down as ipa_t bind. As we would have set conn_policy_cached
2743 	 * to B_TRUE before, we should set it to B_FALSE, so that policy
2744 	 * can change after the disconnect.
2745 	 */
2746 	connp->conn_policy_cached = B_FALSE;
2747 
2748 	/*
2749 	 * The addresses have been verified. Initialize the conn
2750 	 * before calling the policy as they expect the conns
2751 	 * initialized.
2752 	 */
2753 	connp->conn_srcv6 = *v6src;
2754 	connp->conn_remv6 = *v6dst;
2755 	connp->conn_lport = lport;
2756 	connp->conn_fport = fport;
2757 
2758 	ASSERT(!(ipsec_policy_set && ire_requested));
2759 	if (ire_requested) {
2760 		iulp_t *ulp_info = NULL;
2761 
2762 		/*
2763 		 * Note that sire will not be NULL if this is an off-link
2764 		 * connection and there is not cache for that dest yet.
2765 		 *
2766 		 * XXX Because of an existing bug, if there are multiple
2767 		 * default routes, the IRE returned now may not be the actual
2768 		 * default route used (default routes are chosen in a
2769 		 * round robin fashion).  So if the metrics for different
2770 		 * default routes are different, we may return the wrong
2771 		 * metrics.  This will not be a problem if the existing
2772 		 * bug is fixed.
2773 		 */
2774 		if (sire != NULL)
2775 			ulp_info = &(sire->ire_uinfo);
2776 
2777 		if (!ip_bind_get_ire_v6(mpp, dst_ire, v6dst, ulp_info,
2778 		    ipst)) {
2779 			error = -1;
2780 			goto bad_addr;
2781 		}
2782 	} else if (ipsec_policy_set) {
2783 		if (!ip_bind_ipsec_policy_set(connp, mp)) {
2784 			error = -1;
2785 			goto bad_addr;
2786 		}
2787 	}
2788 
2789 	/*
2790 	 * Cache IPsec policy in this conn.  If we have per-socket policy,
2791 	 * we'll cache that.  If we don't, we'll inherit global policy.
2792 	 *
2793 	 * We can't insert until the conn reflects the policy. Note that
2794 	 * conn_policy_cached is set by ipsec_conn_cache_policy() even for
2795 	 * connections where we don't have a policy. This is to prevent
2796 	 * global policy lookups in the inbound path.
2797 	 *
2798 	 * If we insert before we set conn_policy_cached,
2799 	 * CONN_INBOUND_POLICY_PRESENT_V6() check can still evaluate true
2800 	 * because global policy cound be non-empty. We normally call
2801 	 * ipsec_check_policy() for conn_policy_cached connections only if
2802 	 * conn_in_enforce_policy is set. But in this case,
2803 	 * conn_policy_cached can get set anytime since we made the
2804 	 * CONN_INBOUND_POLICY_PRESENT_V6() check and ipsec_check_policy()
2805 	 * is called, which will make the above assumption false.  Thus, we
2806 	 * need to insert after we set conn_policy_cached.
2807 	 */
2808 	if ((error = ipsec_conn_cache_policy(connp, B_FALSE)) != 0)
2809 		goto bad_addr;
2810 
2811 	/* If not fanout_insert this was just an address verification */
2812 	if (fanout_insert) {
2813 		/*
2814 		 * The addresses have been verified. Time to insert in
2815 		 * the correct fanout list.
2816 		 */
2817 		error = ipcl_conn_insert_v6(connp, protocol, v6src, v6dst,
2818 		    connp->conn_ports,
2819 		    IPCL_IS_TCP(connp) ? connp->conn_tcp->tcp_bound_if : 0);
2820 	}
2821 	if (error == 0) {
2822 		connp->conn_fully_bound = B_TRUE;
2823 		/*
2824 		 * Our initial checks for MDT have passed; the IRE is not
2825 		 * LOCAL/LOOPBACK/BROADCAST, and the link layer seems to
2826 		 * be supporting MDT.  Pass the IRE, IPC and ILL into
2827 		 * ip_mdinfo_return(), which performs further checks
2828 		 * against them and upon success, returns the MDT info
2829 		 * mblk which we will attach to the bind acknowledgment.
2830 		 */
2831 		if (md_dst_ire != NULL) {
2832 			mblk_t *mdinfo_mp;
2833 
2834 			ASSERT(md_ill != NULL);
2835 			ASSERT(md_ill->ill_mdt_capab != NULL);
2836 			if ((mdinfo_mp = ip_mdinfo_return(md_dst_ire, connp,
2837 			    md_ill->ill_name, md_ill->ill_mdt_capab)) != NULL) {
2838 				if (mp == NULL) {
2839 					*mpp = mdinfo_mp;
2840 				} else {
2841 					linkb(mp, mdinfo_mp);
2842 				}
2843 			}
2844 		}
2845 	}
2846 bad_addr:
2847 	if (ipsec_policy_set) {
2848 		ASSERT(mp != NULL);
2849 		freeb(mp);
2850 		/*
2851 		 * As of now assume that nothing else accompanies
2852 		 * IPSEC_POLICY_SET.
2853 		 */
2854 		*mpp = NULL;
2855 	}
2856 refrele_and_quit:
2857 	if (src_ire != NULL)
2858 		IRE_REFRELE(src_ire);
2859 	if (dst_ire != NULL)
2860 		IRE_REFRELE(dst_ire);
2861 	if (sire != NULL)
2862 		IRE_REFRELE(sire);
2863 	if (src_ipif != NULL)
2864 		ipif_refrele(src_ipif);
2865 	if (md_dst_ire != NULL)
2866 		IRE_REFRELE(md_dst_ire);
2867 	if (ill_held && dst_ill != NULL)
2868 		ill_refrele(dst_ill);
2869 	return (error);
2870 }
2871 
2872 /* ARGSUSED */
2873 int
2874 ip_proto_bind_connected_v6(conn_t *connp, mblk_t **mpp, uint8_t protocol,
2875     in6_addr_t *v6srcp, uint16_t lport, const in6_addr_t *v6dstp,
2876     ip6_pkt_t *ipp, uint16_t fport, boolean_t fanout_insert,
2877     boolean_t verify_dst)
2878 {
2879 	int error = 0;
2880 	boolean_t orig_pkt_isv6 = connp->conn_pkt_isv6;
2881 	boolean_t ire_requested;
2882 	ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
2883 
2884 	/*
2885 	 * Note that we allow connect to broadcast and multicast
2886 	 * address when ire_requested is set. Thus the ULP
2887 	 * has to check for IRE_BROADCAST and multicast.
2888 	 */
2889 	ASSERT(mpp != NULL);
2890 	ire_requested = (*mpp != NULL && DB_TYPE(*mpp) == IRE_DB_REQ_TYPE);
2891 
2892 	ASSERT(connp->conn_af_isv6);
2893 	connp->conn_ulp = protocol;
2894 
2895 	/* For raw socket, the local port is not set. */
2896 	lport = lport != 0 ? lport : connp->conn_lport;
2897 
2898 	/*
2899 	 * Bind to local and remote address. Local might be
2900 	 * unspecified in which case it will be extracted from
2901 	 * ire_src_addr_v6
2902 	 */
2903 	if (IN6_IS_ADDR_V4MAPPED(v6dstp) && !connp->conn_ipv6_v6only) {
2904 		/* Connect to IPv4 address */
2905 		ipaddr_t v4src;
2906 		ipaddr_t v4dst;
2907 
2908 		/* Is the source unspecified or mapped? */
2909 		if (!IN6_IS_ADDR_V4MAPPED(v6srcp) &&
2910 		    !IN6_IS_ADDR_UNSPECIFIED(v6srcp)) {
2911 			ip1dbg(("ip_proto_bind_connected_v6: "
2912 			    "dst is mapped, but not the src\n"));
2913 			goto bad_addr;
2914 		}
2915 		IN6_V4MAPPED_TO_IPADDR(v6srcp, v4src);
2916 		IN6_V4MAPPED_TO_IPADDR(v6dstp, v4dst);
2917 
2918 		/* Always verify destination reachability. */
2919 		error = ip_bind_connected_v4(connp, mpp, protocol, &v4src,
2920 		    lport, v4dst, fport, B_TRUE, B_TRUE);
2921 		if (error != 0)
2922 			goto bad_addr;
2923 		IN6_IPADDR_TO_V4MAPPED(v4src, v6srcp);
2924 		connp->conn_pkt_isv6 = B_FALSE;
2925 	} else if (IN6_IS_ADDR_V4MAPPED(v6srcp)) {
2926 		ip1dbg(("ip_proto_bind_connected_v6: "
2927 		    "src is mapped, but not the dst\n"));
2928 		goto bad_addr;
2929 	} else {
2930 		error = ip_bind_connected_v6(connp, mpp, protocol, v6srcp,
2931 		    lport, v6dstp, ipp, fport, B_TRUE, verify_dst);
2932 		if (error != 0)
2933 			goto bad_addr;
2934 		connp->conn_pkt_isv6 = B_TRUE;
2935 	}
2936 
2937 	ip_bind_post_handling_v6(connp, mpp ? *mpp : NULL,
2938 	    orig_pkt_isv6 != connp->conn_pkt_isv6, ire_requested, ipst);
2939 
2940 	/* Send it home. */
2941 	return (0);
2942 
2943 bad_addr:
2944 	if (error == 0)
2945 		error = -TBADADDR;
2946 	return (error);
2947 }
2948 
2949 /*
2950  * Get the ire in *mpp. Returns false if it fails (due to lack of space).
2951  * Makes the IRE be IRE_BROADCAST if dst is a multicast address.
2952  */
2953 /* ARGSUSED4 */
2954 static boolean_t
2955 ip_bind_get_ire_v6(mblk_t **mpp, ire_t *ire, const in6_addr_t *dst,
2956     iulp_t *ulp_info, ip_stack_t *ipst)
2957 {
2958 	mblk_t	*mp = *mpp;
2959 	ire_t	*ret_ire;
2960 
2961 	ASSERT(mp != NULL);
2962 
2963 	if (ire != NULL) {
2964 		/*
2965 		 * mp initialized above to IRE_DB_REQ_TYPE
2966 		 * appended mblk. Its <upper protocol>'s
2967 		 * job to make sure there is room.
2968 		 */
2969 		if ((mp->b_datap->db_lim - mp->b_rptr) < sizeof (ire_t))
2970 			return (B_FALSE);
2971 
2972 		mp->b_datap->db_type = IRE_DB_TYPE;
2973 		mp->b_wptr = mp->b_rptr + sizeof (ire_t);
2974 		bcopy(ire, mp->b_rptr, sizeof (ire_t));
2975 		ret_ire = (ire_t *)mp->b_rptr;
2976 		if (IN6_IS_ADDR_MULTICAST(dst) ||
2977 		    IN6_IS_ADDR_V4MAPPED_CLASSD(dst)) {
2978 			ret_ire->ire_type = IRE_BROADCAST;
2979 			ret_ire->ire_addr_v6 = *dst;
2980 		}
2981 		if (ulp_info != NULL) {
2982 			bcopy(ulp_info, &(ret_ire->ire_uinfo),
2983 			    sizeof (iulp_t));
2984 		}
2985 		ret_ire->ire_mp = mp;
2986 	} else {
2987 		/*
2988 		 * No IRE was found. Remove IRE mblk.
2989 		 */
2990 		*mpp = mp->b_cont;
2991 		freeb(mp);
2992 	}
2993 	return (B_TRUE);
2994 }
2995 
2996 /*
2997  * Add an ip6i_t header to the front of the mblk.
2998  * Inline if possible else allocate a separate mblk containing only the ip6i_t.
2999  * Returns NULL if allocation fails (and frees original message).
3000  * Used in outgoing path when going through ip_newroute_*v6().
3001  * Used in incoming path to pass ifindex to transports.
3002  */
3003 mblk_t *
3004 ip_add_info_v6(mblk_t *mp, ill_t *ill, const in6_addr_t *dst)
3005 {
3006 	mblk_t *mp1;
3007 	ip6i_t *ip6i;
3008 	ip6_t *ip6h;
3009 
3010 	ip6h = (ip6_t *)mp->b_rptr;
3011 	ip6i = (ip6i_t *)(mp->b_rptr - sizeof (ip6i_t));
3012 	if ((uchar_t *)ip6i < mp->b_datap->db_base ||
3013 	    mp->b_datap->db_ref > 1) {
3014 		mp1 = allocb(sizeof (ip6i_t), BPRI_MED);
3015 		if (mp1 == NULL) {
3016 			freemsg(mp);
3017 			return (NULL);
3018 		}
3019 		mp1->b_wptr = mp1->b_rptr = mp1->b_datap->db_lim;
3020 		mp1->b_cont = mp;
3021 		mp = mp1;
3022 		ip6i = (ip6i_t *)(mp->b_rptr - sizeof (ip6i_t));
3023 	}
3024 	mp->b_rptr = (uchar_t *)ip6i;
3025 	ip6i->ip6i_vcf = ip6h->ip6_vcf;
3026 	ip6i->ip6i_nxt = IPPROTO_RAW;
3027 	if (ill != NULL) {
3028 		ip6i->ip6i_flags = IP6I_IFINDEX;
3029 		/*
3030 		 * If `ill' is in an IPMP group, make sure we use the IPMP
3031 		 * interface index so that e.g. IPV6_RECVPKTINFO will get the
3032 		 * IPMP interface index and not an underlying interface index.
3033 		 */
3034 		if (IS_UNDER_IPMP(ill))
3035 			ip6i->ip6i_ifindex = ipmp_ill_get_ipmp_ifindex(ill);
3036 		else
3037 			ip6i->ip6i_ifindex = ill->ill_phyint->phyint_ifindex;
3038 	} else {
3039 		ip6i->ip6i_flags = 0;
3040 	}
3041 	ip6i->ip6i_nexthop = *dst;
3042 	return (mp);
3043 }
3044 
3045 /*
3046  * Handle protocols with which IP is less intimate.  There
3047  * can be more than one stream bound to a particular
3048  * protocol.  When this is the case, normally each one gets a copy
3049  * of any incoming packets.
3050  * However, if the packet was tunneled and not multicast we only send to it
3051  * the first match.
3052  *
3053  * Zones notes:
3054  * Packets will be distributed to streams in all zones. This is really only
3055  * useful for ICMPv6 as only applications in the global zone can create raw
3056  * sockets for other protocols.
3057  */
3058 static void
3059 ip_fanout_proto_v6(queue_t *q, mblk_t *mp, ip6_t *ip6h, ill_t *ill,
3060     ill_t *inill, uint8_t nexthdr, uint_t nexthdr_offset, uint_t flags,
3061     boolean_t mctl_present, zoneid_t zoneid)
3062 {
3063 	queue_t	*rq;
3064 	mblk_t	*mp1, *first_mp1;
3065 	in6_addr_t dst = ip6h->ip6_dst;
3066 	in6_addr_t src = ip6h->ip6_src;
3067 	boolean_t one_only;
3068 	mblk_t *first_mp = mp;
3069 	boolean_t secure, shared_addr;
3070 	conn_t	*connp, *first_connp, *next_connp;
3071 	connf_t *connfp;
3072 	ip_stack_t	*ipst = inill->ill_ipst;
3073 	ipsec_stack_t	*ipss = ipst->ips_netstack->netstack_ipsec;
3074 
3075 	if (mctl_present) {
3076 		mp = first_mp->b_cont;
3077 		secure = ipsec_in_is_secure(first_mp);
3078 		ASSERT(mp != NULL);
3079 	} else {
3080 		secure = B_FALSE;
3081 	}
3082 
3083 	/*
3084 	 * If the packet was tunneled and not multicast we only send to it
3085 	 * the first match.
3086 	 */
3087 	one_only = ((nexthdr == IPPROTO_ENCAP || nexthdr == IPPROTO_IPV6) &&
3088 	    !IN6_IS_ADDR_MULTICAST(&dst));
3089 
3090 	shared_addr = (zoneid == ALL_ZONES);
3091 	if (shared_addr) {
3092 		/*
3093 		 * We don't allow multilevel ports for raw IP, so no need to
3094 		 * check for that here.
3095 		 */
3096 		zoneid = tsol_packet_to_zoneid(mp);
3097 	}
3098 
3099 	connfp = &ipst->ips_ipcl_proto_fanout_v6[nexthdr];
3100 	mutex_enter(&connfp->connf_lock);
3101 	connp = connfp->connf_head;
3102 	for (connp = connfp->connf_head; connp != NULL;
3103 	    connp = connp->conn_next) {
3104 		if (IPCL_PROTO_MATCH_V6(connp, nexthdr, ip6h, ill, flags,
3105 		    zoneid) &&
3106 		    (!is_system_labeled() ||
3107 		    tsol_receive_local(mp, &dst, IPV6_VERSION, shared_addr,
3108 		    connp)))
3109 			break;
3110 	}
3111 
3112 	if (connp == NULL) {
3113 		/*
3114 		 * No one bound to this port.  Is
3115 		 * there a client that wants all
3116 		 * unclaimed datagrams?
3117 		 */
3118 		mutex_exit(&connfp->connf_lock);
3119 		if (ip_fanout_send_icmp_v6(q, first_mp, flags,
3120 		    ICMP6_PARAM_PROB, ICMP6_PARAMPROB_NEXTHEADER,
3121 		    nexthdr_offset, mctl_present, zoneid, ipst)) {
3122 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInUnknownProtos);
3123 		}
3124 
3125 		return;
3126 	}
3127 
3128 	ASSERT(IPCL_IS_NONSTR(connp) || connp->conn_upq != NULL);
3129 
3130 	CONN_INC_REF(connp);
3131 	first_connp = connp;
3132 
3133 	/*
3134 	 * XXX: Fix the multiple protocol listeners case. We should not
3135 	 * be walking the conn->next list here.
3136 	 */
3137 	if (one_only) {
3138 		/*
3139 		 * Only send message to one tunnel driver by immediately
3140 		 * terminating the loop.
3141 		 */
3142 		connp = NULL;
3143 	} else {
3144 		connp = connp->conn_next;
3145 
3146 	}
3147 	for (;;) {
3148 		while (connp != NULL) {
3149 			if (IPCL_PROTO_MATCH_V6(connp, nexthdr, ip6h, ill,
3150 			    flags, zoneid) &&
3151 			    (!is_system_labeled() ||
3152 			    tsol_receive_local(mp, &dst, IPV6_VERSION,
3153 			    shared_addr, connp)))
3154 				break;
3155 			connp = connp->conn_next;
3156 		}
3157 
3158 		/*
3159 		 * Just copy the data part alone. The mctl part is
3160 		 * needed just for verifying policy and it is never
3161 		 * sent up.
3162 		 */
3163 		if (connp == NULL ||
3164 		    (((first_mp1 = dupmsg(first_mp)) == NULL) &&
3165 		    ((first_mp1 = ip_copymsg(first_mp)) == NULL))) {
3166 			/*
3167 			 * No more intested clients or memory
3168 			 * allocation failed
3169 			 */
3170 			connp = first_connp;
3171 			break;
3172 		}
3173 		ASSERT(IPCL_IS_NONSTR(connp) || connp->conn_rq != NULL);
3174 		mp1 = mctl_present ? first_mp1->b_cont : first_mp1;
3175 		CONN_INC_REF(connp);
3176 		mutex_exit(&connfp->connf_lock);
3177 		rq = connp->conn_rq;
3178 		/*
3179 		 * For link-local always add ifindex so that transport can set
3180 		 * sin6_scope_id. Avoid it for ICMP error fanout.
3181 		 */
3182 		if ((connp->conn_ip_recvpktinfo ||
3183 		    IN6_IS_ADDR_LINKLOCAL(&src)) &&
3184 		    (flags & IP_FF_IPINFO)) {
3185 			/* Add header */
3186 			mp1 = ip_add_info_v6(mp1, inill, &dst);
3187 		}
3188 		if (mp1 == NULL) {
3189 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
3190 		} else if (
3191 		    (IPCL_IS_NONSTR(connp) && PROTO_FLOW_CNTRLD(connp)) ||
3192 		    (!IPCL_IS_NONSTR(connp) && !canputnext(rq))) {
3193 			if (flags & IP_FF_RAWIP) {
3194 				BUMP_MIB(ill->ill_ip_mib,
3195 				    rawipIfStatsInOverflows);
3196 			} else {
3197 				BUMP_MIB(ill->ill_icmp6_mib,
3198 				    ipv6IfIcmpInOverflows);
3199 			}
3200 
3201 			freemsg(mp1);
3202 		} else {
3203 			/*
3204 			 * Don't enforce here if we're a tunnel - let "tun" do
3205 			 * it instead.
3206 			 */
3207 			if (!IPCL_IS_IPTUN(connp) &&
3208 			    (CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss) ||
3209 			    secure)) {
3210 				first_mp1 = ipsec_check_inbound_policy(
3211 				    first_mp1, connp, NULL, ip6h, mctl_present);
3212 			}
3213 			if (first_mp1 != NULL) {
3214 				if (mctl_present)
3215 					freeb(first_mp1);
3216 				BUMP_MIB(ill->ill_ip_mib,
3217 				    ipIfStatsHCInDelivers);
3218 				(connp->conn_recv)(connp, mp1, NULL);
3219 			}
3220 		}
3221 		mutex_enter(&connfp->connf_lock);
3222 		/* Follow the next pointer before releasing the conn. */
3223 		next_connp = connp->conn_next;
3224 		CONN_DEC_REF(connp);
3225 		connp = next_connp;
3226 	}
3227 
3228 	/* Last one.  Send it upstream. */
3229 	mutex_exit(&connfp->connf_lock);
3230 
3231 	/* Initiate IPPF processing */
3232 	if (IP6_IN_IPP(flags, ipst)) {
3233 		uint_t ifindex;
3234 
3235 		mutex_enter(&ill->ill_lock);
3236 		ifindex = ill->ill_phyint->phyint_ifindex;
3237 		mutex_exit(&ill->ill_lock);
3238 		ip_process(IPP_LOCAL_IN, &mp, ifindex);
3239 		if (mp == NULL) {
3240 			CONN_DEC_REF(connp);
3241 			if (mctl_present)
3242 				freeb(first_mp);
3243 			return;
3244 		}
3245 	}
3246 
3247 	/*
3248 	 * For link-local always add ifindex so that transport can set
3249 	 * sin6_scope_id. Avoid it for ICMP error fanout.
3250 	 */
3251 	if ((connp->conn_ip_recvpktinfo || IN6_IS_ADDR_LINKLOCAL(&src)) &&
3252 	    (flags & IP_FF_IPINFO)) {
3253 		/* Add header */
3254 		mp = ip_add_info_v6(mp, inill, &dst);
3255 		if (mp == NULL) {
3256 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
3257 			CONN_DEC_REF(connp);
3258 			if (mctl_present)
3259 				freeb(first_mp);
3260 			return;
3261 		} else if (mctl_present) {
3262 			first_mp->b_cont = mp;
3263 		} else {
3264 			first_mp = mp;
3265 		}
3266 	}
3267 
3268 	rq = connp->conn_rq;
3269 	if ((IPCL_IS_NONSTR(connp) && PROTO_FLOW_CNTRLD(connp)) ||
3270 	    (!IPCL_IS_NONSTR(connp) && !canputnext(rq))) {
3271 
3272 		if (flags & IP_FF_RAWIP) {
3273 			BUMP_MIB(ill->ill_ip_mib, rawipIfStatsInOverflows);
3274 		} else {
3275 			BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInOverflows);
3276 		}
3277 
3278 		freemsg(first_mp);
3279 	} else {
3280 		if (IPCL_IS_IPTUN(connp)) {
3281 			/*
3282 			 * Tunneled packet.  We enforce policy in the tunnel
3283 			 * module itself.
3284 			 *
3285 			 * Send the WHOLE packet up (incl. IPSEC_IN) without
3286 			 * a policy check.
3287 			 */
3288 			putnext(rq, first_mp);
3289 			CONN_DEC_REF(connp);
3290 			return;
3291 		}
3292 		/*
3293 		 * Don't enforce here if we're a tunnel - let "tun" do
3294 		 * it instead.
3295 		 */
3296 		if (nexthdr != IPPROTO_ENCAP && nexthdr != IPPROTO_IPV6 &&
3297 		    (CONN_INBOUND_POLICY_PRESENT(connp, ipss) || secure)) {
3298 			first_mp = ipsec_check_inbound_policy(first_mp, connp,
3299 			    NULL, ip6h, mctl_present);
3300 			if (first_mp == NULL) {
3301 				CONN_DEC_REF(connp);
3302 				return;
3303 			}
3304 		}
3305 		BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
3306 		(connp->conn_recv)(connp, mp, NULL);
3307 		if (mctl_present)
3308 			freeb(first_mp);
3309 	}
3310 	CONN_DEC_REF(connp);
3311 }
3312 
3313 /*
3314  * Send an ICMP error after patching up the packet appropriately.  Returns
3315  * non-zero if the appropriate MIB should be bumped; zero otherwise.
3316  */
3317 int
3318 ip_fanout_send_icmp_v6(queue_t *q, mblk_t *mp, uint_t flags,
3319     uint_t icmp_type, uint8_t icmp_code, uint_t nexthdr_offset,
3320     boolean_t mctl_present, zoneid_t zoneid, ip_stack_t *ipst)
3321 {
3322 	ip6_t *ip6h;
3323 	mblk_t *first_mp;
3324 	boolean_t secure;
3325 	unsigned char db_type;
3326 	ipsec_stack_t	*ipss = ipst->ips_netstack->netstack_ipsec;
3327 
3328 	first_mp = mp;
3329 	if (mctl_present) {
3330 		mp = mp->b_cont;
3331 		secure = ipsec_in_is_secure(first_mp);
3332 		ASSERT(mp != NULL);
3333 	} else {
3334 		/*
3335 		 * If this is an ICMP error being reported - which goes
3336 		 * up as M_CTLs, we need to convert them to M_DATA till
3337 		 * we finish checking with global policy because
3338 		 * ipsec_check_global_policy() assumes M_DATA as clear
3339 		 * and M_CTL as secure.
3340 		 */
3341 		db_type = mp->b_datap->db_type;
3342 		mp->b_datap->db_type = M_DATA;
3343 		secure = B_FALSE;
3344 	}
3345 	/*
3346 	 * We are generating an icmp error for some inbound packet.
3347 	 * Called from all ip_fanout_(udp, tcp, proto) functions.
3348 	 * Before we generate an error, check with global policy
3349 	 * to see whether this is allowed to enter the system. As
3350 	 * there is no "conn", we are checking with global policy.
3351 	 */
3352 	ip6h = (ip6_t *)mp->b_rptr;
3353 	if (secure || ipss->ipsec_inbound_v6_policy_present) {
3354 		first_mp = ipsec_check_global_policy(first_mp, NULL,
3355 		    NULL, ip6h, mctl_present, ipst->ips_netstack);
3356 		if (first_mp == NULL)
3357 			return (0);
3358 	}
3359 
3360 	if (!mctl_present)
3361 		mp->b_datap->db_type = db_type;
3362 
3363 	if (flags & IP_FF_SEND_ICMP) {
3364 		if (flags & IP_FF_HDR_COMPLETE) {
3365 			if (ip_hdr_complete_v6(ip6h, zoneid, ipst)) {
3366 				freemsg(first_mp);
3367 				return (1);
3368 			}
3369 		}
3370 		switch (icmp_type) {
3371 		case ICMP6_DST_UNREACH:
3372 			icmp_unreachable_v6(WR(q), first_mp, icmp_code,
3373 			    B_FALSE, B_FALSE, zoneid, ipst);
3374 			break;
3375 		case ICMP6_PARAM_PROB:
3376 			icmp_param_problem_v6(WR(q), first_mp, icmp_code,
3377 			    nexthdr_offset, B_FALSE, B_FALSE, zoneid, ipst);
3378 			break;
3379 		default:
3380 #ifdef DEBUG
3381 			panic("ip_fanout_send_icmp_v6: wrong type");
3382 			/*NOTREACHED*/
3383 #else
3384 			freemsg(first_mp);
3385 			break;
3386 #endif
3387 		}
3388 	} else {
3389 		freemsg(first_mp);
3390 		return (0);
3391 	}
3392 
3393 	return (1);
3394 }
3395 
3396 
3397 /*
3398  * Fanout for TCP packets
3399  * The caller puts <fport, lport> in the ports parameter.
3400  */
3401 static void
3402 ip_fanout_tcp_v6(queue_t *q, mblk_t *mp, ip6_t *ip6h, ill_t *ill, ill_t *inill,
3403     uint_t flags, uint_t hdr_len, boolean_t mctl_present, zoneid_t zoneid)
3404 {
3405 	mblk_t  	*first_mp;
3406 	boolean_t 	secure;
3407 	conn_t		*connp;
3408 	tcph_t		*tcph;
3409 	boolean_t	syn_present = B_FALSE;
3410 	ip_stack_t	*ipst = inill->ill_ipst;
3411 	ipsec_stack_t	*ipss = ipst->ips_netstack->netstack_ipsec;
3412 
3413 	first_mp = mp;
3414 	if (mctl_present) {
3415 		mp = first_mp->b_cont;
3416 		secure = ipsec_in_is_secure(first_mp);
3417 		ASSERT(mp != NULL);
3418 	} else {
3419 		secure = B_FALSE;
3420 	}
3421 
3422 	connp = ipcl_classify_v6(mp, IPPROTO_TCP, hdr_len, zoneid, ipst);
3423 
3424 	if (connp == NULL ||
3425 	    !conn_wantpacket_v6(connp, ill, ip6h, flags, zoneid)) {
3426 		/*
3427 		 * No hard-bound match. Send Reset.
3428 		 */
3429 		dblk_t *dp = mp->b_datap;
3430 		uint32_t ill_index;
3431 
3432 		ASSERT((dp->db_struioflag & STRUIO_IP) == 0);
3433 
3434 		/* Initiate IPPf processing, if needed. */
3435 		if (IPP_ENABLED(IPP_LOCAL_IN, ipst) &&
3436 		    (flags & IP6_NO_IPPOLICY)) {
3437 			ill_index = ill->ill_phyint->phyint_ifindex;
3438 			ip_process(IPP_LOCAL_IN, &first_mp, ill_index);
3439 			if (first_mp == NULL) {
3440 				if (connp != NULL)
3441 					CONN_DEC_REF(connp);
3442 				return;
3443 			}
3444 		}
3445 		BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
3446 		tcp_xmit_listeners_reset(first_mp, hdr_len, zoneid,
3447 		    ipst->ips_netstack->netstack_tcp, connp);
3448 		if (connp != NULL)
3449 			CONN_DEC_REF(connp);
3450 		return;
3451 	}
3452 
3453 	tcph = (tcph_t *)&mp->b_rptr[hdr_len];
3454 	if ((tcph->th_flags[0] & (TH_SYN|TH_ACK|TH_RST|TH_URG)) == TH_SYN) {
3455 		if (connp->conn_flags & IPCL_TCP) {
3456 			squeue_t *sqp;
3457 
3458 			/*
3459 			 * For fused tcp loopback, assign the eager's
3460 			 * squeue to be that of the active connect's.
3461 			 */
3462 			if ((flags & IP_FF_LOOPBACK) && do_tcp_fusion &&
3463 			    !CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss) &&
3464 			    !secure &&
3465 			    !IP6_IN_IPP(flags, ipst)) {
3466 				ASSERT(Q_TO_CONN(q) != NULL);
3467 				sqp = Q_TO_CONN(q)->conn_sqp;
3468 			} else {
3469 				sqp = IP_SQUEUE_GET(lbolt);
3470 			}
3471 
3472 			mp->b_datap->db_struioflag |= STRUIO_EAGER;
3473 			DB_CKSUMSTART(mp) = (intptr_t)sqp;
3474 
3475 			/*
3476 			 * db_cksumstuff is unused in the incoming
3477 			 * path; Thus store the ifindex here. It will
3478 			 * be cleared in tcp_conn_create_v6().
3479 			 */
3480 			DB_CKSUMSTUFF(mp) =
3481 			    (intptr_t)ill->ill_phyint->phyint_ifindex;
3482 			syn_present = B_TRUE;
3483 		}
3484 	}
3485 
3486 	if (IPCL_IS_TCP(connp) && IPCL_IS_BOUND(connp) && !syn_present) {
3487 		uint_t	flags = (unsigned int)tcph->th_flags[0] & 0xFF;
3488 		if ((flags & TH_RST) || (flags & TH_URG)) {
3489 			CONN_DEC_REF(connp);
3490 			freemsg(first_mp);
3491 			return;
3492 		}
3493 		if (flags & TH_ACK) {
3494 			tcp_xmit_listeners_reset(first_mp, hdr_len, zoneid,
3495 			    ipst->ips_netstack->netstack_tcp, connp);
3496 			CONN_DEC_REF(connp);
3497 			return;
3498 		}
3499 
3500 		CONN_DEC_REF(connp);
3501 		freemsg(first_mp);
3502 		return;
3503 	}
3504 
3505 	if (CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss) || secure) {
3506 		first_mp = ipsec_check_inbound_policy(first_mp, connp,
3507 		    NULL, ip6h, mctl_present);
3508 		if (first_mp == NULL) {
3509 			CONN_DEC_REF(connp);
3510 			return;
3511 		}
3512 		if (IPCL_IS_TCP(connp) && IPCL_IS_BOUND(connp)) {
3513 			ASSERT(syn_present);
3514 			if (mctl_present) {
3515 				ASSERT(first_mp != mp);
3516 				first_mp->b_datap->db_struioflag |=
3517 				    STRUIO_POLICY;
3518 			} else {
3519 				ASSERT(first_mp == mp);
3520 				mp->b_datap->db_struioflag &=
3521 				    ~STRUIO_EAGER;
3522 				mp->b_datap->db_struioflag |=
3523 				    STRUIO_POLICY;
3524 			}
3525 		} else {
3526 			/*
3527 			 * Discard first_mp early since we're dealing with a
3528 			 * fully-connected conn_t and tcp doesn't do policy in
3529 			 * this case. Also, if someone is bound to IPPROTO_TCP
3530 			 * over raw IP, they don't expect to see a M_CTL.
3531 			 */
3532 			if (mctl_present) {
3533 				freeb(first_mp);
3534 				mctl_present = B_FALSE;
3535 			}
3536 			first_mp = mp;
3537 		}
3538 	}
3539 
3540 	/* Initiate IPPF processing */
3541 	if (IP6_IN_IPP(flags, ipst)) {
3542 		uint_t	ifindex;
3543 
3544 		mutex_enter(&ill->ill_lock);
3545 		ifindex = ill->ill_phyint->phyint_ifindex;
3546 		mutex_exit(&ill->ill_lock);
3547 		ip_process(IPP_LOCAL_IN, &mp, ifindex);
3548 		if (mp == NULL) {
3549 			CONN_DEC_REF(connp);
3550 			if (mctl_present) {
3551 				freeb(first_mp);
3552 			}
3553 			return;
3554 		} else if (mctl_present) {
3555 			/*
3556 			 * ip_add_info_v6 might return a new mp.
3557 			 */
3558 			ASSERT(first_mp != mp);
3559 			first_mp->b_cont = mp;
3560 		} else {
3561 			first_mp = mp;
3562 		}
3563 	}
3564 
3565 	/*
3566 	 * For link-local always add ifindex so that TCP can bind to that
3567 	 * interface. Avoid it for ICMP error fanout.
3568 	 */
3569 	if (!syn_present && ((connp->conn_ip_recvpktinfo ||
3570 	    IN6_IS_ADDR_LINKLOCAL(&ip6h->ip6_src)) &&
3571 	    (flags & IP_FF_IPINFO))) {
3572 		/* Add header */
3573 		mp = ip_add_info_v6(mp, inill, &ip6h->ip6_dst);
3574 		if (mp == NULL) {
3575 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
3576 			CONN_DEC_REF(connp);
3577 			if (mctl_present)
3578 				freeb(first_mp);
3579 			return;
3580 		} else if (mctl_present) {
3581 			ASSERT(first_mp != mp);
3582 			first_mp->b_cont = mp;
3583 		} else {
3584 			first_mp = mp;
3585 		}
3586 	}
3587 
3588 	BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
3589 	if (IPCL_IS_TCP(connp)) {
3590 		SQUEUE_ENTER_ONE(connp->conn_sqp, first_mp, connp->conn_recv,
3591 		    connp, ip_squeue_flag, SQTAG_IP6_TCP_INPUT);
3592 	} else {
3593 		/* SOCK_RAW, IPPROTO_TCP case */
3594 		(connp->conn_recv)(connp, first_mp, NULL);
3595 		CONN_DEC_REF(connp);
3596 	}
3597 }
3598 
3599 /*
3600  * Fanout for UDP packets.
3601  * The caller puts <fport, lport> in the ports parameter.
3602  * ire_type must be IRE_BROADCAST for multicast and broadcast packets.
3603  *
3604  * If SO_REUSEADDR is set all multicast and broadcast packets
3605  * will be delivered to all streams bound to the same port.
3606  *
3607  * Zones notes:
3608  * Multicast packets will be distributed to streams in all zones.
3609  */
3610 static void
3611 ip_fanout_udp_v6(queue_t *q, mblk_t *mp, ip6_t *ip6h, uint32_t ports,
3612     ill_t *ill, ill_t *inill, uint_t flags, boolean_t mctl_present,
3613     zoneid_t zoneid)
3614 {
3615 	uint32_t	dstport, srcport;
3616 	in6_addr_t	dst;
3617 	mblk_t		*first_mp;
3618 	boolean_t	secure;
3619 	conn_t		*connp;
3620 	connf_t		*connfp;
3621 	conn_t		*first_conn;
3622 	conn_t 		*next_conn;
3623 	mblk_t		*mp1, *first_mp1;
3624 	in6_addr_t	src;
3625 	boolean_t	shared_addr;
3626 	ip_stack_t	*ipst = inill->ill_ipst;
3627 	ipsec_stack_t	*ipss = ipst->ips_netstack->netstack_ipsec;
3628 
3629 	first_mp = mp;
3630 	if (mctl_present) {
3631 		mp = first_mp->b_cont;
3632 		secure = ipsec_in_is_secure(first_mp);
3633 		ASSERT(mp != NULL);
3634 	} else {
3635 		secure = B_FALSE;
3636 	}
3637 
3638 	/* Extract ports in net byte order */
3639 	dstport = htons(ntohl(ports) & 0xFFFF);
3640 	srcport = htons(ntohl(ports) >> 16);
3641 	dst = ip6h->ip6_dst;
3642 	src = ip6h->ip6_src;
3643 
3644 	shared_addr = (zoneid == ALL_ZONES);
3645 	if (shared_addr) {
3646 		/*
3647 		 * No need to handle exclusive-stack zones since ALL_ZONES
3648 		 * only applies to the shared stack.
3649 		 */
3650 		zoneid = tsol_mlp_findzone(IPPROTO_UDP, dstport);
3651 		/*
3652 		 * If no shared MLP is found, tsol_mlp_findzone returns
3653 		 * ALL_ZONES.  In that case, we assume it's SLP, and
3654 		 * search for the zone based on the packet label.
3655 		 * That will also return ALL_ZONES on failure, but
3656 		 * we never allow conn_zoneid to be set to ALL_ZONES.
3657 		 */
3658 		if (zoneid == ALL_ZONES)
3659 			zoneid = tsol_packet_to_zoneid(mp);
3660 	}
3661 
3662 	/* Attempt to find a client stream based on destination port. */
3663 	connfp = &ipst->ips_ipcl_udp_fanout[IPCL_UDP_HASH(dstport, ipst)];
3664 	mutex_enter(&connfp->connf_lock);
3665 	connp = connfp->connf_head;
3666 	if (!IN6_IS_ADDR_MULTICAST(&dst)) {
3667 		/*
3668 		 * Not multicast. Send to the one (first) client we find.
3669 		 */
3670 		while (connp != NULL) {
3671 			if (IPCL_UDP_MATCH_V6(connp, dstport, dst, srcport,
3672 			    src) && IPCL_ZONE_MATCH(connp, zoneid) &&
3673 			    conn_wantpacket_v6(connp, ill, ip6h,
3674 			    flags, zoneid)) {
3675 				break;
3676 			}
3677 			connp = connp->conn_next;
3678 		}
3679 		if (connp == NULL || connp->conn_upq == NULL)
3680 			goto notfound;
3681 
3682 		if (is_system_labeled() &&
3683 		    !tsol_receive_local(mp, &dst, IPV6_VERSION, shared_addr,
3684 		    connp))
3685 			goto notfound;
3686 
3687 		/* Found a client */
3688 		CONN_INC_REF(connp);
3689 		mutex_exit(&connfp->connf_lock);
3690 
3691 		if ((IPCL_IS_NONSTR(connp) && PROTO_FLOW_CNTRLD(connp)) ||
3692 		    (!IPCL_IS_NONSTR(connp) && CONN_UDP_FLOWCTLD(connp))) {
3693 			freemsg(first_mp);
3694 			CONN_DEC_REF(connp);
3695 			return;
3696 		}
3697 		if (CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss) || secure) {
3698 			first_mp = ipsec_check_inbound_policy(first_mp,
3699 			    connp, NULL, ip6h, mctl_present);
3700 			if (first_mp == NULL) {
3701 				CONN_DEC_REF(connp);
3702 				return;
3703 			}
3704 		}
3705 		/* Initiate IPPF processing */
3706 		if (IP6_IN_IPP(flags, ipst)) {
3707 			uint_t	ifindex;
3708 
3709 			mutex_enter(&ill->ill_lock);
3710 			ifindex = ill->ill_phyint->phyint_ifindex;
3711 			mutex_exit(&ill->ill_lock);
3712 			ip_process(IPP_LOCAL_IN, &mp, ifindex);
3713 			if (mp == NULL) {
3714 				CONN_DEC_REF(connp);
3715 				if (mctl_present)
3716 					freeb(first_mp);
3717 				return;
3718 			}
3719 		}
3720 		/*
3721 		 * For link-local always add ifindex so that
3722 		 * transport can set sin6_scope_id. Avoid it for
3723 		 * ICMP error fanout.
3724 		 */
3725 		if ((connp->conn_ip_recvpktinfo ||
3726 		    IN6_IS_ADDR_LINKLOCAL(&src)) &&
3727 		    (flags & IP_FF_IPINFO)) {
3728 				/* Add header */
3729 			mp = ip_add_info_v6(mp, inill, &dst);
3730 			if (mp == NULL) {
3731 				BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
3732 				CONN_DEC_REF(connp);
3733 				if (mctl_present)
3734 					freeb(first_mp);
3735 				return;
3736 			} else if (mctl_present) {
3737 				first_mp->b_cont = mp;
3738 			} else {
3739 				first_mp = mp;
3740 			}
3741 		}
3742 		BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
3743 
3744 		/* Send it upstream */
3745 		(connp->conn_recv)(connp, mp, NULL);
3746 
3747 		IP6_STAT(ipst, ip6_udp_fannorm);
3748 		CONN_DEC_REF(connp);
3749 		if (mctl_present)
3750 			freeb(first_mp);
3751 		return;
3752 	}
3753 
3754 	while (connp != NULL) {
3755 		if ((IPCL_UDP_MATCH_V6(connp, dstport, dst, srcport, src)) &&
3756 		    conn_wantpacket_v6(connp, ill, ip6h, flags, zoneid) &&
3757 		    (!is_system_labeled() ||
3758 		    tsol_receive_local(mp, &dst, IPV6_VERSION, shared_addr,
3759 		    connp)))
3760 			break;
3761 		connp = connp->conn_next;
3762 	}
3763 
3764 	if (connp == NULL || connp->conn_upq == NULL)
3765 		goto notfound;
3766 
3767 	first_conn = connp;
3768 
3769 	CONN_INC_REF(connp);
3770 	connp = connp->conn_next;
3771 	for (;;) {
3772 		while (connp != NULL) {
3773 			if (IPCL_UDP_MATCH_V6(connp, dstport, dst, srcport,
3774 			    src) && conn_wantpacket_v6(connp, ill, ip6h,
3775 			    flags, zoneid) &&
3776 			    (!is_system_labeled() ||
3777 			    tsol_receive_local(mp, &dst, IPV6_VERSION,
3778 			    shared_addr, connp)))
3779 				break;
3780 			connp = connp->conn_next;
3781 		}
3782 		/*
3783 		 * Just copy the data part alone. The mctl part is
3784 		 * needed just for verifying policy and it is never
3785 		 * sent up.
3786 		 */
3787 		if (connp == NULL ||
3788 		    (((first_mp1 = dupmsg(first_mp)) == NULL) &&
3789 		    ((first_mp1 = ip_copymsg(first_mp)) == NULL))) {
3790 			/*
3791 			 * No more interested clients or memory
3792 			 * allocation failed
3793 			 */
3794 			connp = first_conn;
3795 			break;
3796 		}
3797 		mp1 = mctl_present ? first_mp1->b_cont : first_mp1;
3798 		CONN_INC_REF(connp);
3799 		mutex_exit(&connfp->connf_lock);
3800 		/*
3801 		 * For link-local always add ifindex so that transport
3802 		 * can set sin6_scope_id. Avoid it for ICMP error
3803 		 * fanout.
3804 		 */
3805 		if ((connp->conn_ip_recvpktinfo ||
3806 		    IN6_IS_ADDR_LINKLOCAL(&src)) &&
3807 		    (flags & IP_FF_IPINFO)) {
3808 			/* Add header */
3809 			mp1 = ip_add_info_v6(mp1, inill, &dst);
3810 		}
3811 		/* mp1 could have changed */
3812 		if (mctl_present)
3813 			first_mp1->b_cont = mp1;
3814 		else
3815 			first_mp1 = mp1;
3816 		if (mp1 == NULL) {
3817 			if (mctl_present)
3818 				freeb(first_mp1);
3819 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
3820 			goto next_one;
3821 		}
3822 		if ((IPCL_IS_NONSTR(connp) && PROTO_FLOW_CNTRLD(connp)) ||
3823 		    (!IPCL_IS_NONSTR(connp) && CONN_UDP_FLOWCTLD(connp))) {
3824 			BUMP_MIB(ill->ill_ip_mib, udpIfStatsInOverflows);
3825 			freemsg(first_mp1);
3826 			goto next_one;
3827 		}
3828 
3829 		if (CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss) || secure) {
3830 			first_mp1 = ipsec_check_inbound_policy
3831 			    (first_mp1, connp, NULL, ip6h,
3832 			    mctl_present);
3833 		}
3834 		if (first_mp1 != NULL) {
3835 			if (mctl_present)
3836 				freeb(first_mp1);
3837 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
3838 
3839 			/* Send it upstream */
3840 			(connp->conn_recv)(connp, mp1, NULL);
3841 		}
3842 next_one:
3843 		mutex_enter(&connfp->connf_lock);
3844 		/* Follow the next pointer before releasing the conn. */
3845 		next_conn = connp->conn_next;
3846 		IP6_STAT(ipst, ip6_udp_fanmb);
3847 		CONN_DEC_REF(connp);
3848 		connp = next_conn;
3849 	}
3850 
3851 	/* Last one.  Send it upstream. */
3852 	mutex_exit(&connfp->connf_lock);
3853 
3854 	/* Initiate IPPF processing */
3855 	if (IP6_IN_IPP(flags, ipst)) {
3856 		uint_t	ifindex;
3857 
3858 		mutex_enter(&ill->ill_lock);
3859 		ifindex = ill->ill_phyint->phyint_ifindex;
3860 		mutex_exit(&ill->ill_lock);
3861 		ip_process(IPP_LOCAL_IN, &mp, ifindex);
3862 		if (mp == NULL) {
3863 			CONN_DEC_REF(connp);
3864 			if (mctl_present) {
3865 				freeb(first_mp);
3866 			}
3867 			return;
3868 		}
3869 	}
3870 
3871 	/*
3872 	 * For link-local always add ifindex so that transport can set
3873 	 * sin6_scope_id. Avoid it for ICMP error fanout.
3874 	 */
3875 	if ((connp->conn_ip_recvpktinfo ||
3876 	    IN6_IS_ADDR_LINKLOCAL(&src)) && (flags & IP_FF_IPINFO)) {
3877 		/* Add header */
3878 		mp = ip_add_info_v6(mp, inill, &dst);
3879 		if (mp == NULL) {
3880 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
3881 			CONN_DEC_REF(connp);
3882 			if (mctl_present)
3883 				freeb(first_mp);
3884 			return;
3885 		} else if (mctl_present) {
3886 			first_mp->b_cont = mp;
3887 		} else {
3888 			first_mp = mp;
3889 		}
3890 	}
3891 	if ((IPCL_IS_NONSTR(connp) && PROTO_FLOW_CNTRLD(connp)) ||
3892 	    (!IPCL_IS_NONSTR(connp) && CONN_UDP_FLOWCTLD(connp))) {
3893 		BUMP_MIB(ill->ill_ip_mib, udpIfStatsInOverflows);
3894 		freemsg(mp);
3895 	} else {
3896 		if (CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss) || secure) {
3897 			first_mp = ipsec_check_inbound_policy(first_mp,
3898 			    connp, NULL, ip6h, mctl_present);
3899 			if (first_mp == NULL) {
3900 				BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
3901 				CONN_DEC_REF(connp);
3902 				return;
3903 			}
3904 		}
3905 		BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
3906 
3907 		/* Send it upstream */
3908 		(connp->conn_recv)(connp, mp, NULL);
3909 	}
3910 	IP6_STAT(ipst, ip6_udp_fanmb);
3911 	CONN_DEC_REF(connp);
3912 	if (mctl_present)
3913 		freeb(first_mp);
3914 	return;
3915 
3916 notfound:
3917 	mutex_exit(&connfp->connf_lock);
3918 	/*
3919 	 * No one bound to this port.  Is
3920 	 * there a client that wants all
3921 	 * unclaimed datagrams?
3922 	 */
3923 	if (ipst->ips_ipcl_proto_fanout_v6[IPPROTO_UDP].connf_head != NULL) {
3924 		ip_fanout_proto_v6(q, first_mp, ip6h, ill, inill, IPPROTO_UDP,
3925 		    0, flags | IP_FF_RAWIP | IP_FF_IPINFO, mctl_present,
3926 		    zoneid);
3927 	} else {
3928 		if (ip_fanout_send_icmp_v6(q, first_mp, flags,
3929 		    ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOPORT, 0,
3930 		    mctl_present, zoneid, ipst)) {
3931 			BUMP_MIB(ill->ill_ip_mib, udpIfStatsNoPorts);
3932 		}
3933 	}
3934 }
3935 
3936 /*
3937  * int ip_find_hdr_v6()
3938  *
3939  * This routine is used by the upper layer protocols and the IP tunnel
3940  * module to:
3941  * - Set extension header pointers to appropriate locations
3942  * - Determine IPv6 header length and return it
3943  * - Return a pointer to the last nexthdr value
3944  *
3945  * The caller must initialize ipp_fields.
3946  *
3947  * NOTE: If multiple extension headers of the same type are present,
3948  * ip_find_hdr_v6() will set the respective extension header pointers
3949  * to the first one that it encounters in the IPv6 header.  It also
3950  * skips fragment headers.  This routine deals with malformed packets
3951  * of various sorts in which case the returned length is up to the
3952  * malformed part.
3953  */
3954 int
3955 ip_find_hdr_v6(mblk_t *mp, ip6_t *ip6h, ip6_pkt_t *ipp, uint8_t *nexthdrp)
3956 {
3957 	uint_t	length, ehdrlen;
3958 	uint8_t nexthdr;
3959 	uint8_t *whereptr, *endptr;
3960 	ip6_dest_t *tmpdstopts;
3961 	ip6_rthdr_t *tmprthdr;
3962 	ip6_hbh_t *tmphopopts;
3963 	ip6_frag_t *tmpfraghdr;
3964 
3965 	length = IPV6_HDR_LEN;
3966 	whereptr = ((uint8_t *)&ip6h[1]); /* point to next hdr */
3967 	endptr = mp->b_wptr;
3968 
3969 	nexthdr = ip6h->ip6_nxt;
3970 	while (whereptr < endptr) {
3971 		/* Is there enough left for len + nexthdr? */
3972 		if (whereptr + MIN_EHDR_LEN > endptr)
3973 			goto done;
3974 
3975 		switch (nexthdr) {
3976 		case IPPROTO_HOPOPTS:
3977 			tmphopopts = (ip6_hbh_t *)whereptr;
3978 			ehdrlen = 8 * (tmphopopts->ip6h_len + 1);
3979 			if ((uchar_t *)tmphopopts +  ehdrlen > endptr)
3980 				goto done;
3981 			nexthdr = tmphopopts->ip6h_nxt;
3982 			/* return only 1st hbh */
3983 			if (!(ipp->ipp_fields & IPPF_HOPOPTS)) {
3984 				ipp->ipp_fields |= IPPF_HOPOPTS;
3985 				ipp->ipp_hopopts = tmphopopts;
3986 				ipp->ipp_hopoptslen = ehdrlen;
3987 			}
3988 			break;
3989 		case IPPROTO_DSTOPTS:
3990 			tmpdstopts = (ip6_dest_t *)whereptr;
3991 			ehdrlen = 8 * (tmpdstopts->ip6d_len + 1);
3992 			if ((uchar_t *)tmpdstopts +  ehdrlen > endptr)
3993 				goto done;
3994 			nexthdr = tmpdstopts->ip6d_nxt;
3995 			/*
3996 			 * ipp_dstopts is set to the destination header after a
3997 			 * routing header.
3998 			 * Assume it is a post-rthdr destination header
3999 			 * and adjust when we find an rthdr.
4000 			 */
4001 			if (!(ipp->ipp_fields & IPPF_DSTOPTS)) {
4002 				ipp->ipp_fields |= IPPF_DSTOPTS;
4003 				ipp->ipp_dstopts = tmpdstopts;
4004 				ipp->ipp_dstoptslen = ehdrlen;
4005 			}
4006 			break;
4007 		case IPPROTO_ROUTING:
4008 			tmprthdr = (ip6_rthdr_t *)whereptr;
4009 			ehdrlen = 8 * (tmprthdr->ip6r_len + 1);
4010 			if ((uchar_t *)tmprthdr +  ehdrlen > endptr)
4011 				goto done;
4012 			nexthdr = tmprthdr->ip6r_nxt;
4013 			/* return only 1st rthdr */
4014 			if (!(ipp->ipp_fields & IPPF_RTHDR)) {
4015 				ipp->ipp_fields |= IPPF_RTHDR;
4016 				ipp->ipp_rthdr = tmprthdr;
4017 				ipp->ipp_rthdrlen = ehdrlen;
4018 			}
4019 			/*
4020 			 * Make any destination header we've seen be a
4021 			 * pre-rthdr destination header.
4022 			 */
4023 			if (ipp->ipp_fields & IPPF_DSTOPTS) {
4024 				ipp->ipp_fields &= ~IPPF_DSTOPTS;
4025 				ipp->ipp_fields |= IPPF_RTDSTOPTS;
4026 				ipp->ipp_rtdstopts = ipp->ipp_dstopts;
4027 				ipp->ipp_dstopts = NULL;
4028 				ipp->ipp_rtdstoptslen = ipp->ipp_dstoptslen;
4029 				ipp->ipp_dstoptslen = 0;
4030 			}
4031 			break;
4032 		case IPPROTO_FRAGMENT:
4033 			tmpfraghdr = (ip6_frag_t *)whereptr;
4034 			ehdrlen = sizeof (ip6_frag_t);
4035 			if ((uchar_t *)tmpfraghdr + ehdrlen > endptr)
4036 				goto done;
4037 			nexthdr = tmpfraghdr->ip6f_nxt;
4038 			if (!(ipp->ipp_fields & IPPF_FRAGHDR)) {
4039 				ipp->ipp_fields |= IPPF_FRAGHDR;
4040 				ipp->ipp_fraghdr = tmpfraghdr;
4041 				ipp->ipp_fraghdrlen = ehdrlen;
4042 			}
4043 			break;
4044 		case IPPROTO_NONE:
4045 		default:
4046 			goto done;
4047 		}
4048 		length += ehdrlen;
4049 		whereptr += ehdrlen;
4050 	}
4051 done:
4052 	if (nexthdrp != NULL)
4053 		*nexthdrp = nexthdr;
4054 	return (length);
4055 }
4056 
4057 int
4058 ip_hdr_complete_v6(ip6_t *ip6h, zoneid_t zoneid, ip_stack_t *ipst)
4059 {
4060 	ire_t *ire;
4061 
4062 	if (IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src)) {
4063 		ire = ire_lookup_local_v6(zoneid, ipst);
4064 		if (ire == NULL) {
4065 			ip1dbg(("ip_hdr_complete_v6: no source IRE\n"));
4066 			return (1);
4067 		}
4068 		ip6h->ip6_src = ire->ire_addr_v6;
4069 		ire_refrele(ire);
4070 	}
4071 	ip6h->ip6_vcf = IPV6_DEFAULT_VERS_AND_FLOW;
4072 	ip6h->ip6_hops = ipst->ips_ipv6_def_hops;
4073 	return (0);
4074 }
4075 
4076 /*
4077  * Try to determine where and what are the IPv6 header length and
4078  * pointer to nexthdr value for the upper layer protocol (or an
4079  * unknown next hdr).
4080  *
4081  * Parameters returns a pointer to the nexthdr value;
4082  * Must handle malformed packets of various sorts.
4083  * Function returns failure for malformed cases.
4084  */
4085 boolean_t
4086 ip_hdr_length_nexthdr_v6(mblk_t *mp, ip6_t *ip6h, uint16_t *hdr_length_ptr,
4087     uint8_t **nexthdrpp)
4088 {
4089 	uint16_t length;
4090 	uint_t	ehdrlen;
4091 	uint8_t	*nexthdrp;
4092 	uint8_t *whereptr;
4093 	uint8_t *endptr;
4094 	ip6_dest_t *desthdr;
4095 	ip6_rthdr_t *rthdr;
4096 	ip6_frag_t *fraghdr;
4097 
4098 	ASSERT((IPH_HDR_VERSION(ip6h) & ~IP_FORWARD_PROG_BIT) == IPV6_VERSION);
4099 	length = IPV6_HDR_LEN;
4100 	whereptr = ((uint8_t *)&ip6h[1]); /* point to next hdr */
4101 	endptr = mp->b_wptr;
4102 
4103 	nexthdrp = &ip6h->ip6_nxt;
4104 	while (whereptr < endptr) {
4105 		/* Is there enough left for len + nexthdr? */
4106 		if (whereptr + MIN_EHDR_LEN > endptr)
4107 			break;
4108 
4109 		switch (*nexthdrp) {
4110 		case IPPROTO_HOPOPTS:
4111 		case IPPROTO_DSTOPTS:
4112 			/* Assumes the headers are identical for hbh and dst */
4113 			desthdr = (ip6_dest_t *)whereptr;
4114 			ehdrlen = 8 * (desthdr->ip6d_len + 1);
4115 			if ((uchar_t *)desthdr +  ehdrlen > endptr)
4116 				return (B_FALSE);
4117 			nexthdrp = &desthdr->ip6d_nxt;
4118 			break;
4119 		case IPPROTO_ROUTING:
4120 			rthdr = (ip6_rthdr_t *)whereptr;
4121 			ehdrlen =  8 * (rthdr->ip6r_len + 1);
4122 			if ((uchar_t *)rthdr +  ehdrlen > endptr)
4123 				return (B_FALSE);
4124 			nexthdrp = &rthdr->ip6r_nxt;
4125 			break;
4126 		case IPPROTO_FRAGMENT:
4127 			fraghdr = (ip6_frag_t *)whereptr;
4128 			ehdrlen = sizeof (ip6_frag_t);
4129 			if ((uchar_t *)&fraghdr[1] > endptr)
4130 				return (B_FALSE);
4131 			nexthdrp = &fraghdr->ip6f_nxt;
4132 			break;
4133 		case IPPROTO_NONE:
4134 			/* No next header means we're finished */
4135 		default:
4136 			*hdr_length_ptr = length;
4137 			*nexthdrpp = nexthdrp;
4138 			return (B_TRUE);
4139 		}
4140 		length += ehdrlen;
4141 		whereptr += ehdrlen;
4142 		*hdr_length_ptr = length;
4143 		*nexthdrpp = nexthdrp;
4144 	}
4145 	switch (*nexthdrp) {
4146 	case IPPROTO_HOPOPTS:
4147 	case IPPROTO_DSTOPTS:
4148 	case IPPROTO_ROUTING:
4149 	case IPPROTO_FRAGMENT:
4150 		/*
4151 		 * If any know extension headers are still to be processed,
4152 		 * the packet's malformed (or at least all the IP header(s) are
4153 		 * not in the same mblk - and that should never happen.
4154 		 */
4155 		return (B_FALSE);
4156 
4157 	default:
4158 		/*
4159 		 * If we get here, we know that all of the IP headers were in
4160 		 * the same mblk, even if the ULP header is in the next mblk.
4161 		 */
4162 		*hdr_length_ptr = length;
4163 		*nexthdrpp = nexthdrp;
4164 		return (B_TRUE);
4165 	}
4166 }
4167 
4168 /*
4169  * Return the length of the IPv6 related headers (including extension headers)
4170  * Returns a length even if the packet is malformed.
4171  */
4172 int
4173 ip_hdr_length_v6(mblk_t *mp, ip6_t *ip6h)
4174 {
4175 	uint16_t hdr_len;
4176 	uint8_t	*nexthdrp;
4177 
4178 	(void) ip_hdr_length_nexthdr_v6(mp, ip6h, &hdr_len, &nexthdrp);
4179 	return (hdr_len);
4180 }
4181 
4182 /*
4183  * IPv6 -
4184  * ip_newroute_v6 is called by ip_rput_data_v6 or ip_wput_v6 whenever we need
4185  * to send out a packet to a destination address for which we do not have
4186  * specific routing information.
4187  *
4188  * Handle non-multicast packets. If ill is non-NULL the match is done
4189  * for that ill.
4190  *
4191  * When a specific ill is specified (using IPV6_PKTINFO,
4192  * IPV6_MULTICAST_IF, or IPV6_BOUND_IF) we will only match
4193  * on routing entries (ftable and ctable) that have a matching
4194  * ire->ire_ipif->ipif_ill. Thus this can only be used
4195  * for destinations that are on-link for the specific ill
4196  * and that can appear on multiple links. Thus it is useful
4197  * for multicast destinations, link-local destinations, and
4198  * at some point perhaps for site-local destinations (if the
4199  * node sits at a site boundary).
4200  * We create the cache entries in the regular ctable since
4201  * it can not "confuse" things for other destinations.
4202  *
4203  * NOTE : These are the scopes of some of the variables that point at IRE,
4204  *	  which needs to be followed while making any future modifications
4205  *	  to avoid memory leaks.
4206  *
4207  *	- ire and sire are the entries looked up initially by
4208  *	  ire_ftable_lookup_v6.
4209  *	- ipif_ire is used to hold the interface ire associated with
4210  *	  the new cache ire. But it's scope is limited, so we always REFRELE
4211  *	  it before branching out to error paths.
4212  *	- save_ire is initialized before ire_create, so that ire returned
4213  *	  by ire_create will not over-write the ire. We REFRELE save_ire
4214  *	  before breaking out of the switch.
4215  *
4216  *	Thus on failures, we have to REFRELE only ire and sire, if they
4217  *	are not NULL.
4218  */
4219 /* ARGSUSED */
4220 void
4221 ip_newroute_v6(queue_t *q, mblk_t *mp, const in6_addr_t *v6dstp,
4222     const in6_addr_t *v6srcp, ill_t *ill, zoneid_t zoneid, ip_stack_t *ipst)
4223 {
4224 	in6_addr_t	v6gw;
4225 	in6_addr_t	dst;
4226 	ire_t		*ire = NULL;
4227 	ipif_t		*src_ipif = NULL;
4228 	ill_t		*dst_ill = NULL;
4229 	ire_t		*sire = NULL;
4230 	ire_t		*save_ire;
4231 	ip6_t		*ip6h;
4232 	int		err = 0;
4233 	mblk_t		*first_mp;
4234 	ipsec_out_t	*io;
4235 	ushort_t	ire_marks = 0;
4236 	int		match_flags;
4237 	ire_t		*first_sire = NULL;
4238 	mblk_t		*copy_mp = NULL;
4239 	mblk_t		*xmit_mp = NULL;
4240 	in6_addr_t	save_dst;
4241 	uint32_t	multirt_flags =
4242 	    MULTIRT_CACHEGW | MULTIRT_USESTAMP | MULTIRT_SETSTAMP;
4243 	boolean_t	multirt_is_resolvable;
4244 	boolean_t	multirt_resolve_next;
4245 	boolean_t	need_rele = B_FALSE;
4246 	boolean_t	ip6_asp_table_held = B_FALSE;
4247 	tsol_ire_gw_secattr_t *attrp = NULL;
4248 	tsol_gcgrp_t	*gcgrp = NULL;
4249 	tsol_gcgrp_addr_t ga;
4250 
4251 	ASSERT(!IN6_IS_ADDR_MULTICAST(v6dstp));
4252 
4253 	first_mp = mp;
4254 	if (mp->b_datap->db_type == M_CTL) {
4255 		mp = mp->b_cont;
4256 		io = (ipsec_out_t *)first_mp->b_rptr;
4257 		ASSERT(io->ipsec_out_type == IPSEC_OUT);
4258 	} else {
4259 		io = NULL;
4260 	}
4261 
4262 	ip6h = (ip6_t *)mp->b_rptr;
4263 
4264 	if (IN6_IS_ADDR_LOOPBACK(v6dstp)) {
4265 		ip1dbg(("ip_newroute_v6: dst with loopback addr\n"));
4266 		goto icmp_err_ret;
4267 	} else if (IN6_IS_ADDR_LOOPBACK(v6srcp)) {
4268 		ip1dbg(("ip_newroute_v6: src with loopback addr\n"));
4269 		goto icmp_err_ret;
4270 	}
4271 
4272 	/*
4273 	 * If this IRE is created for forwarding or it is not for
4274 	 * TCP traffic, mark it as temporary.
4275 	 *
4276 	 * Is it sufficient just to check the next header??
4277 	 */
4278 	if (mp->b_prev != NULL || !IP_FLOW_CONTROLLED_ULP(ip6h->ip6_nxt))
4279 		ire_marks |= IRE_MARK_TEMPORARY;
4280 
4281 	/*
4282 	 * Get what we can from ire_ftable_lookup_v6 which will follow an IRE
4283 	 * chain until it gets the most specific information available.
4284 	 * For example, we know that there is no IRE_CACHE for this dest,
4285 	 * but there may be an IRE_OFFSUBNET which specifies a gateway.
4286 	 * ire_ftable_lookup_v6 will look up the gateway, etc.
4287 	 */
4288 
4289 	if (ill == NULL) {
4290 		match_flags = MATCH_IRE_RECURSIVE | MATCH_IRE_DEFAULT |
4291 		    MATCH_IRE_PARENT | MATCH_IRE_RJ_BHOLE | MATCH_IRE_SECATTR;
4292 		ire = ire_ftable_lookup_v6(v6dstp, 0, 0, 0,
4293 		    NULL, &sire, zoneid, 0, MBLK_GETLABEL(mp),
4294 		    match_flags, ipst);
4295 	} else {
4296 		match_flags = MATCH_IRE_RECURSIVE | MATCH_IRE_DEFAULT |
4297 		    MATCH_IRE_RJ_BHOLE | MATCH_IRE_ILL;
4298 		match_flags |= MATCH_IRE_PARENT | MATCH_IRE_SECATTR;
4299 
4300 		/*
4301 		 * Because nce_xmit() calls ip_output_v6() and NCEs are always
4302 		 * tied to an underlying interface, IS_UNDER_IPMP() may be
4303 		 * true even when building IREs that will be used for data
4304 		 * traffic.  As such, use the packet's source address to
4305 		 * determine whether the traffic is test traffic, and set
4306 		 * MATCH_IRE_MARK_TESTHIDDEN if so.
4307 		 */
4308 		if (IS_UNDER_IPMP(ill) && !IN6_IS_ADDR_UNSPECIFIED(v6srcp)) {
4309 			if (ipif_lookup_testaddr_v6(ill, v6srcp, NULL))
4310 				match_flags |= MATCH_IRE_MARK_TESTHIDDEN;
4311 		}
4312 
4313 		ire = ire_ftable_lookup_v6(v6dstp, NULL, NULL, 0, ill->ill_ipif,
4314 		    &sire, zoneid, 0, MBLK_GETLABEL(mp), match_flags, ipst);
4315 	}
4316 
4317 	ip3dbg(("ip_newroute_v6: ire_ftable_lookup_v6() "
4318 	    "returned ire %p, sire %p\n", (void *)ire, (void *)sire));
4319 
4320 	/*
4321 	 * We enter a loop that will be run only once in most cases.
4322 	 * The loop is re-entered in the case where the destination
4323 	 * can be reached through multiple RTF_MULTIRT-flagged routes.
4324 	 * The intention is to compute multiple routes to a single
4325 	 * destination in a single ip_newroute_v6 call.
4326 	 * The information is contained in sire->ire_flags.
4327 	 */
4328 	do {
4329 		multirt_resolve_next = B_FALSE;
4330 
4331 		if (dst_ill != NULL) {
4332 			ill_refrele(dst_ill);
4333 			dst_ill = NULL;
4334 		}
4335 		if (src_ipif != NULL) {
4336 			ipif_refrele(src_ipif);
4337 			src_ipif = NULL;
4338 		}
4339 		if ((sire != NULL) && sire->ire_flags & RTF_MULTIRT) {
4340 			ip3dbg(("ip_newroute_v6: starting new resolution "
4341 			    "with first_mp %p, tag %d\n",
4342 			    (void *)first_mp, MULTIRT_DEBUG_TAGGED(first_mp)));
4343 
4344 			/*
4345 			 * We check if there are trailing unresolved routes for
4346 			 * the destination contained in sire.
4347 			 */
4348 			multirt_is_resolvable = ire_multirt_lookup_v6(&ire,
4349 			    &sire, multirt_flags, MBLK_GETLABEL(mp), ipst);
4350 
4351 			ip3dbg(("ip_newroute_v6: multirt_is_resolvable %d, "
4352 			    "ire %p, sire %p\n",
4353 			    multirt_is_resolvable, (void *)ire, (void *)sire));
4354 
4355 			if (!multirt_is_resolvable) {
4356 				/*
4357 				 * No more multirt routes to resolve; give up
4358 				 * (all routes resolved or no more resolvable
4359 				 * routes).
4360 				 */
4361 				if (ire != NULL) {
4362 					ire_refrele(ire);
4363 					ire = NULL;
4364 				}
4365 			} else {
4366 				ASSERT(sire != NULL);
4367 				ASSERT(ire != NULL);
4368 				/*
4369 				 * We simply use first_sire as a flag that
4370 				 * indicates if a resolvable multirt route has
4371 				 * already been found during the preceding
4372 				 * loops. If it is not the case, we may have
4373 				 * to send an ICMP error to report that the
4374 				 * destination is unreachable. We do not
4375 				 * IRE_REFHOLD first_sire.
4376 				 */
4377 				if (first_sire == NULL) {
4378 					first_sire = sire;
4379 				}
4380 			}
4381 		}
4382 		if ((ire == NULL) || (ire == sire)) {
4383 			/*
4384 			 * either ire == NULL (the destination cannot be
4385 			 * resolved) or ire == sire (the gateway cannot be
4386 			 * resolved). At this point, there are no more routes
4387 			 * to resolve for the destination, thus we exit.
4388 			 */
4389 			if (ip_debug > 3) {
4390 				/* ip2dbg */
4391 				pr_addr_dbg("ip_newroute_v6: "
4392 				    "can't resolve %s\n", AF_INET6, v6dstp);
4393 			}
4394 			ip3dbg(("ip_newroute_v6: "
4395 			    "ire %p, sire %p, first_sire %p\n",
4396 			    (void *)ire, (void *)sire, (void *)first_sire));
4397 
4398 			if (sire != NULL) {
4399 				ire_refrele(sire);
4400 				sire = NULL;
4401 			}
4402 
4403 			if (first_sire != NULL) {
4404 				/*
4405 				 * At least one multirt route has been found
4406 				 * in the same ip_newroute() call; there is no
4407 				 * need to report an ICMP error.
4408 				 * first_sire was not IRE_REFHOLDed.
4409 				 */
4410 				MULTIRT_DEBUG_UNTAG(first_mp);
4411 				freemsg(first_mp);
4412 				return;
4413 			}
4414 			ip_rts_change_v6(RTM_MISS, v6dstp, 0, 0, 0, 0, 0, 0,
4415 			    RTA_DST, ipst);
4416 			goto icmp_err_ret;
4417 		}
4418 
4419 		ASSERT(ire->ire_ipversion == IPV6_VERSION);
4420 
4421 		/*
4422 		 * Verify that the returned IRE does not have either the
4423 		 * RTF_REJECT or RTF_BLACKHOLE flags set and that the IRE is
4424 		 * either an IRE_CACHE, IRE_IF_NORESOLVER or IRE_IF_RESOLVER.
4425 		 */
4426 		if ((ire->ire_flags & (RTF_REJECT | RTF_BLACKHOLE)) ||
4427 		    (ire->ire_type & (IRE_CACHE | IRE_INTERFACE)) == 0)
4428 			goto icmp_err_ret;
4429 
4430 		/*
4431 		 * Increment the ire_ob_pkt_count field for ire if it is an
4432 		 * INTERFACE (IF_RESOLVER or IF_NORESOLVER) IRE type, and
4433 		 * increment the same for the parent IRE, sire, if it is some
4434 		 * sort of prefix IRE (which includes DEFAULT, PREFIX, and HOST)
4435 		 */
4436 		if ((ire->ire_type & IRE_INTERFACE) != 0) {
4437 			UPDATE_OB_PKT_COUNT(ire);
4438 			ire->ire_last_used_time = lbolt;
4439 		}
4440 
4441 		if (sire != NULL) {
4442 			mutex_enter(&sire->ire_lock);
4443 			v6gw = sire->ire_gateway_addr_v6;
4444 			mutex_exit(&sire->ire_lock);
4445 			ASSERT((sire->ire_type & (IRE_CACHETABLE |
4446 			    IRE_INTERFACE)) == 0);
4447 			UPDATE_OB_PKT_COUNT(sire);
4448 			sire->ire_last_used_time = lbolt;
4449 		} else {
4450 			v6gw = ipv6_all_zeros;
4451 		}
4452 
4453 		/*
4454 		 * We have a route to reach the destination.  Find the
4455 		 * appropriate ill, then get a source address that matches the
4456 		 * right scope via ipif_select_source_v6().
4457 		 *
4458 		 * If we are here trying to create an IRE_CACHE for an offlink
4459 		 * destination and have an IRE_CACHE entry for VNI, then use
4460 		 * ire_stq instead since VNI's queue is a black hole.
4461 		 *
4462 		 * Note: While we pick a dst_ill we are really only interested
4463 		 * in the ill for load spreading.  The source ipif is
4464 		 * determined by source address selection below.
4465 		 */
4466 		if ((ire->ire_type == IRE_CACHE) &&
4467 		    IS_VNI(ire->ire_ipif->ipif_ill)) {
4468 			dst_ill = ire->ire_stq->q_ptr;
4469 			ill_refhold(dst_ill);
4470 		} else {
4471 			ill_t *ill = ire->ire_ipif->ipif_ill;
4472 
4473 			if (IS_IPMP(ill)) {
4474 				dst_ill =
4475 				    ipmp_illgrp_hold_next_ill(ill->ill_grp);
4476 			} else {
4477 				dst_ill = ill;
4478 				ill_refhold(dst_ill);
4479 			}
4480 		}
4481 
4482 		if (dst_ill == NULL) {
4483 			if (ip_debug > 2) {
4484 				pr_addr_dbg("ip_newroute_v6 : no dst "
4485 				    "ill for dst %s\n", AF_INET6, v6dstp);
4486 			}
4487 			goto icmp_err_ret;
4488 		}
4489 
4490 		if (ill != NULL && dst_ill != ill &&
4491 		    !IS_IN_SAME_ILLGRP(dst_ill, ill)) {
4492 			/*
4493 			 * We should have found a route matching "ill"
4494 			 * as we called ire_ftable_lookup_v6 with
4495 			 * MATCH_IRE_ILL.  Rather than asserting when
4496 			 * there is a mismatch, we just drop the packet.
4497 			 */
4498 			ip0dbg(("ip_newroute_v6: BOUND_IF failed: "
4499 			    "dst_ill %s ill %s\n", dst_ill->ill_name,
4500 			    ill->ill_name));
4501 			goto icmp_err_ret;
4502 		}
4503 
4504 		/*
4505 		 * Pick a source address which matches the scope of the
4506 		 * destination address.
4507 		 * For RTF_SETSRC routes, the source address is imposed by the
4508 		 * parent ire (sire).
4509 		 */
4510 		ASSERT(src_ipif == NULL);
4511 
4512 		/*
4513 		 * Because nce_xmit() calls ip_output_v6() and NCEs are always
4514 		 * tied to the underlying interface, IS_UNDER_IPMP() may be
4515 		 * true even when building IREs that will be used for data
4516 		 * traffic.  As such, see if the packet's source address is a
4517 		 * test address, and if so use that test address's ipif for
4518 		 * the IRE so that the logic that sets IRE_MARK_TESTHIDDEN in
4519 		 * ire_add_v6() can work properly.
4520 		 */
4521 		if (ill != NULL && IS_UNDER_IPMP(ill))
4522 			(void) ipif_lookup_testaddr_v6(ill, v6srcp, &src_ipif);
4523 
4524 		if (src_ipif == NULL && ire->ire_type == IRE_IF_RESOLVER &&
4525 		    !IN6_IS_ADDR_UNSPECIFIED(&v6gw) &&
4526 		    ip6_asp_can_lookup(ipst)) {
4527 			/*
4528 			 * The ire cache entry we're adding is for the
4529 			 * gateway itself.  The source address in this case
4530 			 * is relative to the gateway's address.
4531 			 */
4532 			ip6_asp_table_held = B_TRUE;
4533 			src_ipif = ipif_select_source_v6(dst_ill, &v6gw,
4534 			    B_TRUE, IPV6_PREFER_SRC_DEFAULT, zoneid);
4535 			if (src_ipif != NULL)
4536 				ire_marks |= IRE_MARK_USESRC_CHECK;
4537 		} else if (src_ipif == NULL) {
4538 			if ((sire != NULL) && (sire->ire_flags & RTF_SETSRC)) {
4539 				/*
4540 				 * Check that the ipif matching the requested
4541 				 * source address still exists.
4542 				 */
4543 				src_ipif = ipif_lookup_addr_v6(
4544 				    &sire->ire_src_addr_v6, NULL, zoneid,
4545 				    NULL, NULL, NULL, NULL, ipst);
4546 			}
4547 			if (src_ipif == NULL && ip6_asp_can_lookup(ipst)) {
4548 				ip6_asp_table_held = B_TRUE;
4549 				src_ipif = ipif_select_source_v6(dst_ill,
4550 				    v6dstp, B_FALSE,
4551 				    IPV6_PREFER_SRC_DEFAULT, zoneid);
4552 				if (src_ipif != NULL)
4553 					ire_marks |= IRE_MARK_USESRC_CHECK;
4554 			}
4555 		}
4556 
4557 		if (src_ipif == NULL) {
4558 			if (ip_debug > 2) {
4559 				/* ip1dbg */
4560 				pr_addr_dbg("ip_newroute_v6: no src for "
4561 				    "dst %s\n", AF_INET6, v6dstp);
4562 				printf("ip_newroute_v6: interface name %s\n",
4563 				    dst_ill->ill_name);
4564 			}
4565 			goto icmp_err_ret;
4566 		}
4567 
4568 		if (ip_debug > 3) {
4569 			/* ip2dbg */
4570 			pr_addr_dbg("ip_newroute_v6: first hop %s\n",
4571 			    AF_INET6, &v6gw);
4572 		}
4573 		ip2dbg(("\tire type %s (%d)\n",
4574 		    ip_nv_lookup(ire_nv_tbl, ire->ire_type), ire->ire_type));
4575 
4576 		/*
4577 		 * At this point in ip_newroute_v6(), ire is either the
4578 		 * IRE_CACHE of the next-hop gateway for an off-subnet
4579 		 * destination or an IRE_INTERFACE type that should be used
4580 		 * to resolve an on-subnet destination or an on-subnet
4581 		 * next-hop gateway.
4582 		 *
4583 		 * In the IRE_CACHE case, we have the following :
4584 		 *
4585 		 * 1) src_ipif - used for getting a source address.
4586 		 *
4587 		 * 2) dst_ill - from which we derive ire_stq/ire_rfq. This
4588 		 *    means packets using this IRE_CACHE will go out on dst_ill.
4589 		 *
4590 		 * 3) The IRE sire will point to the prefix that is the longest
4591 		 *    matching route for the destination. These prefix types
4592 		 *    include IRE_DEFAULT, IRE_PREFIX, IRE_HOST.
4593 		 *
4594 		 *    The newly created IRE_CACHE entry for the off-subnet
4595 		 *    destination is tied to both the prefix route and the
4596 		 *    interface route used to resolve the next-hop gateway
4597 		 *    via the ire_phandle and ire_ihandle fields, respectively.
4598 		 *
4599 		 * In the IRE_INTERFACE case, we have the following :
4600 		 *
4601 		 * 1) src_ipif - used for getting a source address.
4602 		 *
4603 		 * 2) dst_ill - from which we derive ire_stq/ire_rfq. This
4604 		 *    means packets using the IRE_CACHE that we will build
4605 		 *    here will go out on dst_ill.
4606 		 *
4607 		 * 3) sire may or may not be NULL. But, the IRE_CACHE that is
4608 		 *    to be created will only be tied to the IRE_INTERFACE that
4609 		 *    was derived from the ire_ihandle field.
4610 		 *
4611 		 *    If sire is non-NULL, it means the destination is off-link
4612 		 *    and we will first create the IRE_CACHE for the gateway.
4613 		 *    Next time through ip_newroute_v6, we will create the
4614 		 *    IRE_CACHE for the final destination as described above.
4615 		 */
4616 		save_ire = ire;
4617 		switch (ire->ire_type) {
4618 		case IRE_CACHE: {
4619 			ire_t	*ipif_ire;
4620 
4621 			ASSERT(sire != NULL);
4622 			if (IN6_IS_ADDR_UNSPECIFIED(&v6gw)) {
4623 				mutex_enter(&ire->ire_lock);
4624 				v6gw = ire->ire_gateway_addr_v6;
4625 				mutex_exit(&ire->ire_lock);
4626 			}
4627 			/*
4628 			 * We need 3 ire's to create a new cache ire for an
4629 			 * off-link destination from the cache ire of the
4630 			 * gateway.
4631 			 *
4632 			 *	1. The prefix ire 'sire'
4633 			 *	2. The cache ire of the gateway 'ire'
4634 			 *	3. The interface ire 'ipif_ire'
4635 			 *
4636 			 * We have (1) and (2). We lookup (3) below.
4637 			 *
4638 			 * If there is no interface route to the gateway,
4639 			 * it is a race condition, where we found the cache
4640 			 * but the inteface route has been deleted.
4641 			 */
4642 			ipif_ire = ire_ihandle_lookup_offlink_v6(ire, sire);
4643 			if (ipif_ire == NULL) {
4644 				ip1dbg(("ip_newroute_v6:"
4645 				    "ire_ihandle_lookup_offlink_v6 failed\n"));
4646 				goto icmp_err_ret;
4647 			}
4648 
4649 			/*
4650 			 * Note: the new ire inherits RTF_SETSRC
4651 			 * and RTF_MULTIRT to propagate these flags from prefix
4652 			 * to cache.
4653 			 */
4654 
4655 			/*
4656 			 * Check cached gateway IRE for any security
4657 			 * attributes; if found, associate the gateway
4658 			 * credentials group to the destination IRE.
4659 			 */
4660 			if ((attrp = save_ire->ire_gw_secattr) != NULL) {
4661 				mutex_enter(&attrp->igsa_lock);
4662 				if ((gcgrp = attrp->igsa_gcgrp) != NULL)
4663 					GCGRP_REFHOLD(gcgrp);
4664 				mutex_exit(&attrp->igsa_lock);
4665 			}
4666 
4667 			ire = ire_create_v6(
4668 			    v6dstp,			/* dest address */
4669 			    &ipv6_all_ones,		/* mask */
4670 			    &src_ipif->ipif_v6src_addr, /* source address */
4671 			    &v6gw,			/* gateway address */
4672 			    &save_ire->ire_max_frag,
4673 			    NULL,			/* src nce */
4674 			    dst_ill->ill_rq,		/* recv-from queue */
4675 			    dst_ill->ill_wq,		/* send-to queue */
4676 			    IRE_CACHE,
4677 			    src_ipif,
4678 			    &sire->ire_mask_v6,		/* Parent mask */
4679 			    sire->ire_phandle,		/* Parent handle */
4680 			    ipif_ire->ire_ihandle,	/* Interface handle */
4681 			    sire->ire_flags &		/* flags if any */
4682 			    (RTF_SETSRC | RTF_MULTIRT),
4683 			    &(sire->ire_uinfo),
4684 			    NULL,
4685 			    gcgrp,
4686 			    ipst);
4687 
4688 			if (ire == NULL) {
4689 				if (gcgrp != NULL) {
4690 					GCGRP_REFRELE(gcgrp);
4691 					gcgrp = NULL;
4692 				}
4693 				ire_refrele(save_ire);
4694 				ire_refrele(ipif_ire);
4695 				break;
4696 			}
4697 
4698 			/* reference now held by IRE */
4699 			gcgrp = NULL;
4700 
4701 			ire->ire_marks |= ire_marks;
4702 
4703 			/*
4704 			 * Prevent sire and ipif_ire from getting deleted. The
4705 			 * newly created ire is tied to both of them via the
4706 			 * phandle and ihandle respectively.
4707 			 */
4708 			IRB_REFHOLD(sire->ire_bucket);
4709 			/* Has it been removed already ? */
4710 			if (sire->ire_marks & IRE_MARK_CONDEMNED) {
4711 				IRB_REFRELE(sire->ire_bucket);
4712 				ire_refrele(ipif_ire);
4713 				ire_refrele(save_ire);
4714 				break;
4715 			}
4716 
4717 			IRB_REFHOLD(ipif_ire->ire_bucket);
4718 			/* Has it been removed already ? */
4719 			if (ipif_ire->ire_marks & IRE_MARK_CONDEMNED) {
4720 				IRB_REFRELE(ipif_ire->ire_bucket);
4721 				IRB_REFRELE(sire->ire_bucket);
4722 				ire_refrele(ipif_ire);
4723 				ire_refrele(save_ire);
4724 				break;
4725 			}
4726 
4727 			xmit_mp = first_mp;
4728 			if (ire->ire_flags & RTF_MULTIRT) {
4729 				copy_mp = copymsg(first_mp);
4730 				if (copy_mp != NULL) {
4731 					xmit_mp = copy_mp;
4732 					MULTIRT_DEBUG_TAG(first_mp);
4733 				}
4734 			}
4735 			ire_add_then_send(q, ire, xmit_mp);
4736 			if (ip6_asp_table_held) {
4737 				ip6_asp_table_refrele(ipst);
4738 				ip6_asp_table_held = B_FALSE;
4739 			}
4740 			ire_refrele(save_ire);
4741 
4742 			/* Assert that sire is not deleted yet. */
4743 			ASSERT(sire->ire_ptpn != NULL);
4744 			IRB_REFRELE(sire->ire_bucket);
4745 
4746 			/* Assert that ipif_ire is not deleted yet. */
4747 			ASSERT(ipif_ire->ire_ptpn != NULL);
4748 			IRB_REFRELE(ipif_ire->ire_bucket);
4749 			ire_refrele(ipif_ire);
4750 
4751 			if (copy_mp != NULL) {
4752 				/*
4753 				 * Search for the next unresolved
4754 				 * multirt route.
4755 				 */
4756 				copy_mp = NULL;
4757 				ipif_ire = NULL;
4758 				ire = NULL;
4759 				/* re-enter the loop */
4760 				multirt_resolve_next = B_TRUE;
4761 				continue;
4762 			}
4763 			ire_refrele(sire);
4764 			ill_refrele(dst_ill);
4765 			ipif_refrele(src_ipif);
4766 			return;
4767 		}
4768 		case IRE_IF_NORESOLVER:
4769 			/*
4770 			 * We have what we need to build an IRE_CACHE.
4771 			 *
4772 			 * handle the Gated case, where we create
4773 			 * a NORESOLVER route for loopback.
4774 			 */
4775 			if (dst_ill->ill_net_type != IRE_IF_NORESOLVER)
4776 				break;
4777 			/*
4778 			 * TSol note: We are creating the ire cache for the
4779 			 * destination 'dst'. If 'dst' is offlink, going
4780 			 * through the first hop 'gw', the security attributes
4781 			 * of 'dst' must be set to point to the gateway
4782 			 * credentials of gateway 'gw'. If 'dst' is onlink, it
4783 			 * is possible that 'dst' is a potential gateway that is
4784 			 * referenced by some route that has some security
4785 			 * attributes. Thus in the former case, we need to do a
4786 			 * gcgrp_lookup of 'gw' while in the latter case we
4787 			 * need to do gcgrp_lookup of 'dst' itself.
4788 			 */
4789 			ga.ga_af = AF_INET6;
4790 			if (!IN6_IS_ADDR_UNSPECIFIED(&v6gw))
4791 				ga.ga_addr = v6gw;
4792 			else
4793 				ga.ga_addr = *v6dstp;
4794 			gcgrp = gcgrp_lookup(&ga, B_FALSE);
4795 
4796 			/*
4797 			 * Note: the new ire inherits sire flags RTF_SETSRC
4798 			 * and RTF_MULTIRT to propagate those rules from prefix
4799 			 * to cache.
4800 			 */
4801 			ire = ire_create_v6(
4802 			    v6dstp,			/* dest address */
4803 			    &ipv6_all_ones,		/* mask */
4804 			    &src_ipif->ipif_v6src_addr, /* source address */
4805 			    &v6gw,			/* gateway address */
4806 			    &save_ire->ire_max_frag,
4807 			    NULL,			/* no src nce */
4808 			    dst_ill->ill_rq,		/* recv-from queue */
4809 			    dst_ill->ill_wq,		/* send-to queue */
4810 			    IRE_CACHE,
4811 			    src_ipif,
4812 			    &save_ire->ire_mask_v6,	/* Parent mask */
4813 			    (sire != NULL) ?		/* Parent handle */
4814 			    sire->ire_phandle : 0,
4815 			    save_ire->ire_ihandle,	/* Interface handle */
4816 			    (sire != NULL) ?		/* flags if any */
4817 			    sire->ire_flags &
4818 			    (RTF_SETSRC | RTF_MULTIRT) : 0,
4819 			    &(save_ire->ire_uinfo),
4820 			    NULL,
4821 			    gcgrp,
4822 			    ipst);
4823 
4824 			if (ire == NULL) {
4825 				if (gcgrp != NULL) {
4826 					GCGRP_REFRELE(gcgrp);
4827 					gcgrp = NULL;
4828 				}
4829 				ire_refrele(save_ire);
4830 				break;
4831 			}
4832 
4833 			/* reference now held by IRE */
4834 			gcgrp = NULL;
4835 
4836 			ire->ire_marks |= ire_marks;
4837 
4838 			if (!IN6_IS_ADDR_UNSPECIFIED(&v6gw))
4839 				dst = v6gw;
4840 			else
4841 				dst = *v6dstp;
4842 			err = ndp_noresolver(dst_ill, &dst);
4843 			if (err != 0) {
4844 				ire_refrele(save_ire);
4845 				break;
4846 			}
4847 
4848 			/* Prevent save_ire from getting deleted */
4849 			IRB_REFHOLD(save_ire->ire_bucket);
4850 			/* Has it been removed already ? */
4851 			if (save_ire->ire_marks & IRE_MARK_CONDEMNED) {
4852 				IRB_REFRELE(save_ire->ire_bucket);
4853 				ire_refrele(save_ire);
4854 				break;
4855 			}
4856 
4857 			xmit_mp = first_mp;
4858 			/*
4859 			 * In case of MULTIRT, a copy of the current packet
4860 			 * to send is made to further re-enter the
4861 			 * loop and attempt another route resolution
4862 			 */
4863 			if ((sire != NULL) && sire->ire_flags & RTF_MULTIRT) {
4864 				copy_mp = copymsg(first_mp);
4865 				if (copy_mp != NULL) {
4866 					xmit_mp = copy_mp;
4867 					MULTIRT_DEBUG_TAG(first_mp);
4868 				}
4869 			}
4870 			ire_add_then_send(q, ire, xmit_mp);
4871 			if (ip6_asp_table_held) {
4872 				ip6_asp_table_refrele(ipst);
4873 				ip6_asp_table_held = B_FALSE;
4874 			}
4875 
4876 			/* Assert that it is not deleted yet. */
4877 			ASSERT(save_ire->ire_ptpn != NULL);
4878 			IRB_REFRELE(save_ire->ire_bucket);
4879 			ire_refrele(save_ire);
4880 
4881 			if (copy_mp != NULL) {
4882 				/*
4883 				 * If we found a (no)resolver, we ignore any
4884 				 * trailing top priority IRE_CACHE in
4885 				 * further loops. This ensures that we do not
4886 				 * omit any (no)resolver despite the priority
4887 				 * in this call.
4888 				 * IRE_CACHE, if any, will be processed
4889 				 * by another thread entering ip_newroute(),
4890 				 * (on resolver response, for example).
4891 				 * We use this to force multiple parallel
4892 				 * resolution as soon as a packet needs to be
4893 				 * sent. The result is, after one packet
4894 				 * emission all reachable routes are generally
4895 				 * resolved.
4896 				 * Otherwise, complete resolution of MULTIRT
4897 				 * routes would require several emissions as
4898 				 * side effect.
4899 				 */
4900 				multirt_flags &= ~MULTIRT_CACHEGW;
4901 
4902 				/*
4903 				 * Search for the next unresolved multirt
4904 				 * route.
4905 				 */
4906 				copy_mp = NULL;
4907 				save_ire = NULL;
4908 				ire = NULL;
4909 				/* re-enter the loop */
4910 				multirt_resolve_next = B_TRUE;
4911 				continue;
4912 			}
4913 
4914 			/* Don't need sire anymore */
4915 			if (sire != NULL)
4916 				ire_refrele(sire);
4917 			ill_refrele(dst_ill);
4918 			ipif_refrele(src_ipif);
4919 			return;
4920 
4921 		case IRE_IF_RESOLVER:
4922 			/*
4923 			 * We can't build an IRE_CACHE yet, but at least we
4924 			 * found a resolver that can help.
4925 			 */
4926 			dst = *v6dstp;
4927 
4928 			/*
4929 			 * To be at this point in the code with a non-zero gw
4930 			 * means that dst is reachable through a gateway that
4931 			 * we have never resolved.  By changing dst to the gw
4932 			 * addr we resolve the gateway first.  When
4933 			 * ire_add_then_send() tries to put the IP dg to dst,
4934 			 * it will reenter ip_newroute() at which time we will
4935 			 * find the IRE_CACHE for the gw and create another
4936 			 * IRE_CACHE above (for dst itself).
4937 			 */
4938 			if (!IN6_IS_ADDR_UNSPECIFIED(&v6gw)) {
4939 				save_dst = dst;
4940 				dst = v6gw;
4941 				v6gw = ipv6_all_zeros;
4942 			}
4943 			if (dst_ill->ill_flags & ILLF_XRESOLV) {
4944 				/*
4945 				 * Ask the external resolver to do its thing.
4946 				 * Make an mblk chain in the following form:
4947 				 * ARQ_REQ_MBLK-->IRE_MBLK-->packet
4948 				 */
4949 				mblk_t		*ire_mp;
4950 				mblk_t		*areq_mp;
4951 				areq_t		*areq;
4952 				in6_addr_t	*addrp;
4953 
4954 				ip1dbg(("ip_newroute_v6:ILLF_XRESOLV\n"));
4955 				if (ip6_asp_table_held) {
4956 					ip6_asp_table_refrele(ipst);
4957 					ip6_asp_table_held = B_FALSE;
4958 				}
4959 				ire = ire_create_mp_v6(
4960 				    &dst,		/* dest address */
4961 				    &ipv6_all_ones,	/* mask */
4962 				    &src_ipif->ipif_v6src_addr,
4963 				    /* source address */
4964 				    &v6gw,		/* gateway address */
4965 				    NULL,		/* no src nce */
4966 				    dst_ill->ill_rq,	/* recv-from queue */
4967 				    dst_ill->ill_wq, 	/* send-to queue */
4968 				    IRE_CACHE,
4969 				    src_ipif,
4970 				    &save_ire->ire_mask_v6, /* Parent mask */
4971 				    0,
4972 				    save_ire->ire_ihandle,
4973 				    /* Interface handle */
4974 				    0,		/* flags if any */
4975 				    &(save_ire->ire_uinfo),
4976 				    NULL,
4977 				    NULL,
4978 				    ipst);
4979 
4980 				ire_refrele(save_ire);
4981 				if (ire == NULL) {
4982 					ip1dbg(("ip_newroute_v6:"
4983 					    "ire is NULL\n"));
4984 					break;
4985 				}
4986 
4987 				if ((sire != NULL) &&
4988 				    (sire->ire_flags & RTF_MULTIRT)) {
4989 					/*
4990 					 * processing a copy of the packet to
4991 					 * send for further resolution loops
4992 					 */
4993 					copy_mp = copymsg(first_mp);
4994 					if (copy_mp != NULL)
4995 						MULTIRT_DEBUG_TAG(copy_mp);
4996 				}
4997 				ire->ire_marks |= ire_marks;
4998 				ire_mp = ire->ire_mp;
4999 				/*
5000 				 * Now create or find an nce for this interface.
5001 				 * The hw addr will need to to be set from
5002 				 * the reply to the AR_ENTRY_QUERY that
5003 				 * we're about to send. This will be done in
5004 				 * ire_add_v6().
5005 				 */
5006 				err = ndp_resolver(dst_ill, &dst, mp, zoneid);
5007 				switch (err) {
5008 				case 0:
5009 					/*
5010 					 * New cache entry created.
5011 					 * Break, then ask the external
5012 					 * resolver.
5013 					 */
5014 					break;
5015 				case EINPROGRESS:
5016 					/*
5017 					 * Resolution in progress;
5018 					 * packet has been queued by
5019 					 * ndp_resolver().
5020 					 */
5021 					ire_delete(ire);
5022 					ire = NULL;
5023 					/*
5024 					 * Check if another multirt
5025 					 * route must be resolved.
5026 					 */
5027 					if (copy_mp != NULL) {
5028 						/*
5029 						 * If we found a resolver, we
5030 						 * ignore any trailing top
5031 						 * priority IRE_CACHE in
5032 						 * further loops. The reason is
5033 						 * the same as for noresolver.
5034 						 */
5035 						multirt_flags &=
5036 						    ~MULTIRT_CACHEGW;
5037 						/*
5038 						 * Search for the next
5039 						 * unresolved multirt route.
5040 						 */
5041 						first_mp = copy_mp;
5042 						copy_mp = NULL;
5043 						mp = first_mp;
5044 						if (mp->b_datap->db_type ==
5045 						    M_CTL) {
5046 							mp = mp->b_cont;
5047 						}
5048 						ASSERT(sire != NULL);
5049 						dst = save_dst;
5050 						/*
5051 						 * re-enter the loop
5052 						 */
5053 						multirt_resolve_next =
5054 						    B_TRUE;
5055 						continue;
5056 					}
5057 
5058 					if (sire != NULL)
5059 						ire_refrele(sire);
5060 					ill_refrele(dst_ill);
5061 					ipif_refrele(src_ipif);
5062 					return;
5063 				default:
5064 					/*
5065 					 * Transient error; packet will be
5066 					 * freed.
5067 					 */
5068 					ire_delete(ire);
5069 					ire = NULL;
5070 					break;
5071 				}
5072 				if (err != 0)
5073 					break;
5074 				/*
5075 				 * Now set up the AR_ENTRY_QUERY and send it.
5076 				 */
5077 				areq_mp = ill_arp_alloc(dst_ill,
5078 				    (uchar_t *)&ipv6_areq_template,
5079 				    (caddr_t)&dst);
5080 				if (areq_mp == NULL) {
5081 					ip1dbg(("ip_newroute_v6:"
5082 					    "areq_mp is NULL\n"));
5083 					freemsg(ire_mp);
5084 					break;
5085 				}
5086 				areq = (areq_t *)areq_mp->b_rptr;
5087 				addrp = (in6_addr_t *)((char *)areq +
5088 				    areq->areq_target_addr_offset);
5089 				*addrp = dst;
5090 				addrp = (in6_addr_t *)((char *)areq +
5091 				    areq->areq_sender_addr_offset);
5092 				*addrp = src_ipif->ipif_v6src_addr;
5093 				/*
5094 				 * link the chain, then send up to the resolver.
5095 				 */
5096 				linkb(areq_mp, ire_mp);
5097 				linkb(areq_mp, mp);
5098 				ip1dbg(("ip_newroute_v6:"
5099 				    "putnext to resolver\n"));
5100 				putnext(dst_ill->ill_rq, areq_mp);
5101 				/*
5102 				 * Check if another multirt route
5103 				 * must be resolved.
5104 				 */
5105 				ire = NULL;
5106 				if (copy_mp != NULL) {
5107 					/*
5108 					 * If we find a resolver, we ignore any
5109 					 * trailing top priority IRE_CACHE in
5110 					 * further loops. The reason is the
5111 					 * same as for noresolver.
5112 					 */
5113 					multirt_flags &= ~MULTIRT_CACHEGW;
5114 					/*
5115 					 * Search for the next unresolved
5116 					 * multirt route.
5117 					 */
5118 					first_mp = copy_mp;
5119 					copy_mp = NULL;
5120 					mp = first_mp;
5121 					if (mp->b_datap->db_type == M_CTL) {
5122 						mp = mp->b_cont;
5123 					}
5124 					ASSERT(sire != NULL);
5125 					dst = save_dst;
5126 					/*
5127 					 * re-enter the loop
5128 					 */
5129 					multirt_resolve_next = B_TRUE;
5130 					continue;
5131 				}
5132 
5133 				if (sire != NULL)
5134 					ire_refrele(sire);
5135 				ill_refrele(dst_ill);
5136 				ipif_refrele(src_ipif);
5137 				return;
5138 			}
5139 			/*
5140 			 * Non-external resolver case.
5141 			 *
5142 			 * TSol note: Please see the note above the
5143 			 * IRE_IF_NORESOLVER case.
5144 			 */
5145 			ga.ga_af = AF_INET6;
5146 			ga.ga_addr = dst;
5147 			gcgrp = gcgrp_lookup(&ga, B_FALSE);
5148 
5149 			ire = ire_create_v6(
5150 			    &dst,			/* dest address */
5151 			    &ipv6_all_ones,		/* mask */
5152 			    &src_ipif->ipif_v6src_addr, /* source address */
5153 			    &v6gw,			/* gateway address */
5154 			    &save_ire->ire_max_frag,
5155 			    NULL,			/* no src nce */
5156 			    dst_ill->ill_rq,		/* recv-from queue */
5157 			    dst_ill->ill_wq,		/* send-to queue */
5158 			    IRE_CACHE,
5159 			    src_ipif,
5160 			    &save_ire->ire_mask_v6,	/* Parent mask */
5161 			    0,
5162 			    save_ire->ire_ihandle,	/* Interface handle */
5163 			    0,				/* flags if any */
5164 			    &(save_ire->ire_uinfo),
5165 			    NULL,
5166 			    gcgrp,
5167 			    ipst);
5168 
5169 			if (ire == NULL) {
5170 				if (gcgrp != NULL) {
5171 					GCGRP_REFRELE(gcgrp);
5172 					gcgrp = NULL;
5173 				}
5174 				ire_refrele(save_ire);
5175 				break;
5176 			}
5177 
5178 			/* reference now held by IRE */
5179 			gcgrp = NULL;
5180 
5181 			if ((sire != NULL) &&
5182 			    (sire->ire_flags & RTF_MULTIRT)) {
5183 				copy_mp = copymsg(first_mp);
5184 				if (copy_mp != NULL)
5185 					MULTIRT_DEBUG_TAG(copy_mp);
5186 			}
5187 
5188 			ire->ire_marks |= ire_marks;
5189 			err = ndp_resolver(dst_ill, &dst, first_mp, zoneid);
5190 			switch (err) {
5191 			case 0:
5192 				/* Prevent save_ire from getting deleted */
5193 				IRB_REFHOLD(save_ire->ire_bucket);
5194 				/* Has it been removed already ? */
5195 				if (save_ire->ire_marks & IRE_MARK_CONDEMNED) {
5196 					IRB_REFRELE(save_ire->ire_bucket);
5197 					ire_refrele(save_ire);
5198 					break;
5199 				}
5200 
5201 				/*
5202 				 * We have a resolved cache entry,
5203 				 * add in the IRE.
5204 				 */
5205 				ire_add_then_send(q, ire, first_mp);
5206 				if (ip6_asp_table_held) {
5207 					ip6_asp_table_refrele(ipst);
5208 					ip6_asp_table_held = B_FALSE;
5209 				}
5210 
5211 				/* Assert that it is not deleted yet. */
5212 				ASSERT(save_ire->ire_ptpn != NULL);
5213 				IRB_REFRELE(save_ire->ire_bucket);
5214 				ire_refrele(save_ire);
5215 				/*
5216 				 * Check if another multirt route
5217 				 * must be resolved.
5218 				 */
5219 				ire = NULL;
5220 				if (copy_mp != NULL) {
5221 					/*
5222 					 * If we find a resolver, we ignore any
5223 					 * trailing top priority IRE_CACHE in
5224 					 * further loops. The reason is the
5225 					 * same as for noresolver.
5226 					 */
5227 					multirt_flags &= ~MULTIRT_CACHEGW;
5228 					/*
5229 					 * Search for the next unresolved
5230 					 * multirt route.
5231 					 */
5232 					first_mp = copy_mp;
5233 					copy_mp = NULL;
5234 					mp = first_mp;
5235 					if (mp->b_datap->db_type == M_CTL) {
5236 						mp = mp->b_cont;
5237 					}
5238 					ASSERT(sire != NULL);
5239 					dst = save_dst;
5240 					/*
5241 					 * re-enter the loop
5242 					 */
5243 					multirt_resolve_next = B_TRUE;
5244 					continue;
5245 				}
5246 
5247 				if (sire != NULL)
5248 					ire_refrele(sire);
5249 				ill_refrele(dst_ill);
5250 				ipif_refrele(src_ipif);
5251 				return;
5252 
5253 			case EINPROGRESS:
5254 				/*
5255 				 * mp was consumed - presumably queued.
5256 				 * No need for ire, presumably resolution is
5257 				 * in progress, and ire will be added when the
5258 				 * address is resolved.
5259 				 */
5260 				if (ip6_asp_table_held) {
5261 					ip6_asp_table_refrele(ipst);
5262 					ip6_asp_table_held = B_FALSE;
5263 				}
5264 				ASSERT(ire->ire_nce == NULL);
5265 				ire_delete(ire);
5266 				ire_refrele(save_ire);
5267 				/*
5268 				 * Check if another multirt route
5269 				 * must be resolved.
5270 				 */
5271 				ire = NULL;
5272 				if (copy_mp != NULL) {
5273 					/*
5274 					 * If we find a resolver, we ignore any
5275 					 * trailing top priority IRE_CACHE in
5276 					 * further loops. The reason is the
5277 					 * same as for noresolver.
5278 					 */
5279 					multirt_flags &= ~MULTIRT_CACHEGW;
5280 					/*
5281 					 * Search for the next unresolved
5282 					 * multirt route.
5283 					 */
5284 					first_mp = copy_mp;
5285 					copy_mp = NULL;
5286 					mp = first_mp;
5287 					if (mp->b_datap->db_type == M_CTL) {
5288 						mp = mp->b_cont;
5289 					}
5290 					ASSERT(sire != NULL);
5291 					dst = save_dst;
5292 					/*
5293 					 * re-enter the loop
5294 					 */
5295 					multirt_resolve_next = B_TRUE;
5296 					continue;
5297 				}
5298 				if (sire != NULL)
5299 					ire_refrele(sire);
5300 				ill_refrele(dst_ill);
5301 				ipif_refrele(src_ipif);
5302 				return;
5303 			default:
5304 				/* Some transient error */
5305 				ASSERT(ire->ire_nce == NULL);
5306 				ire_refrele(save_ire);
5307 				break;
5308 			}
5309 			break;
5310 		default:
5311 			break;
5312 		}
5313 		if (ip6_asp_table_held) {
5314 			ip6_asp_table_refrele(ipst);
5315 			ip6_asp_table_held = B_FALSE;
5316 		}
5317 	} while (multirt_resolve_next);
5318 
5319 err_ret:
5320 	ip1dbg(("ip_newroute_v6: dropped\n"));
5321 	if (src_ipif != NULL)
5322 		ipif_refrele(src_ipif);
5323 	if (dst_ill != NULL) {
5324 		need_rele = B_TRUE;
5325 		ill = dst_ill;
5326 	}
5327 	if (ill != NULL) {
5328 		if (mp->b_prev != NULL) {
5329 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
5330 		} else {
5331 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
5332 		}
5333 
5334 		if (need_rele)
5335 			ill_refrele(ill);
5336 	} else {
5337 		if (mp->b_prev != NULL) {
5338 			BUMP_MIB(&ipst->ips_ip6_mib, ipIfStatsInDiscards);
5339 		} else {
5340 			BUMP_MIB(&ipst->ips_ip6_mib, ipIfStatsOutDiscards);
5341 		}
5342 	}
5343 	/* Did this packet originate externally? */
5344 	if (mp->b_prev) {
5345 		mp->b_next = NULL;
5346 		mp->b_prev = NULL;
5347 	}
5348 	if (copy_mp != NULL) {
5349 		MULTIRT_DEBUG_UNTAG(copy_mp);
5350 		freemsg(copy_mp);
5351 	}
5352 	MULTIRT_DEBUG_UNTAG(first_mp);
5353 	freemsg(first_mp);
5354 	if (ire != NULL)
5355 		ire_refrele(ire);
5356 	if (sire != NULL)
5357 		ire_refrele(sire);
5358 	return;
5359 
5360 icmp_err_ret:
5361 	if (ip6_asp_table_held)
5362 		ip6_asp_table_refrele(ipst);
5363 	if (src_ipif != NULL)
5364 		ipif_refrele(src_ipif);
5365 	if (dst_ill != NULL) {
5366 		need_rele = B_TRUE;
5367 		ill = dst_ill;
5368 	}
5369 	ip1dbg(("ip_newroute_v6: no route\n"));
5370 	if (sire != NULL)
5371 		ire_refrele(sire);
5372 	/*
5373 	 * We need to set sire to NULL to avoid double freeing if we
5374 	 * ever goto err_ret from below.
5375 	 */
5376 	sire = NULL;
5377 	ip6h = (ip6_t *)mp->b_rptr;
5378 	/* Skip ip6i_t header if present */
5379 	if (ip6h->ip6_nxt == IPPROTO_RAW) {
5380 		/* Make sure the IPv6 header is present */
5381 		if ((mp->b_wptr - (uchar_t *)ip6h) <
5382 		    sizeof (ip6i_t) + IPV6_HDR_LEN) {
5383 			if (!pullupmsg(mp, sizeof (ip6i_t) + IPV6_HDR_LEN)) {
5384 				ip1dbg(("ip_newroute_v6: pullupmsg failed\n"));
5385 				goto err_ret;
5386 			}
5387 		}
5388 		mp->b_rptr += sizeof (ip6i_t);
5389 		ip6h = (ip6_t *)mp->b_rptr;
5390 	}
5391 	/* Did this packet originate externally? */
5392 	if (mp->b_prev) {
5393 		if (ill != NULL) {
5394 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInNoRoutes);
5395 		} else {
5396 			BUMP_MIB(&ipst->ips_ip6_mib, ipIfStatsInNoRoutes);
5397 		}
5398 		mp->b_next = NULL;
5399 		mp->b_prev = NULL;
5400 		q = WR(q);
5401 	} else {
5402 		if (ill != NULL) {
5403 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutNoRoutes);
5404 		} else {
5405 			BUMP_MIB(&ipst->ips_ip6_mib, ipIfStatsOutNoRoutes);
5406 		}
5407 		if (ip_hdr_complete_v6(ip6h, zoneid, ipst)) {
5408 			/* Failed */
5409 			if (copy_mp != NULL) {
5410 				MULTIRT_DEBUG_UNTAG(copy_mp);
5411 				freemsg(copy_mp);
5412 			}
5413 			MULTIRT_DEBUG_UNTAG(first_mp);
5414 			freemsg(first_mp);
5415 			if (ire != NULL)
5416 				ire_refrele(ire);
5417 			if (need_rele)
5418 				ill_refrele(ill);
5419 			return;
5420 		}
5421 	}
5422 
5423 	if (need_rele)
5424 		ill_refrele(ill);
5425 
5426 	/*
5427 	 * At this point we will have ire only if RTF_BLACKHOLE
5428 	 * or RTF_REJECT flags are set on the IRE. It will not
5429 	 * generate ICMP6_DST_UNREACH_NOROUTE if RTF_BLACKHOLE is set.
5430 	 */
5431 	if (ire != NULL) {
5432 		if (ire->ire_flags & RTF_BLACKHOLE) {
5433 			ire_refrele(ire);
5434 			if (copy_mp != NULL) {
5435 				MULTIRT_DEBUG_UNTAG(copy_mp);
5436 				freemsg(copy_mp);
5437 			}
5438 			MULTIRT_DEBUG_UNTAG(first_mp);
5439 			freemsg(first_mp);
5440 			return;
5441 		}
5442 		ire_refrele(ire);
5443 	}
5444 	if (ip_debug > 3) {
5445 		/* ip2dbg */
5446 		pr_addr_dbg("ip_newroute_v6: no route to %s\n",
5447 		    AF_INET6, v6dstp);
5448 	}
5449 	icmp_unreachable_v6(WR(q), first_mp, ICMP6_DST_UNREACH_NOROUTE,
5450 	    B_FALSE, B_FALSE, zoneid, ipst);
5451 }
5452 
5453 /*
5454  * ip_newroute_ipif_v6 is called by ip_wput_v6 and ip_wput_ipsec_out_v6 whenever
5455  * we need to send out a packet to a destination address for which we do not
5456  * have specific routing information. It is only used for multicast packets.
5457  *
5458  * If unspec_src we allow creating an IRE with source address zero.
5459  * ire_send_v6() will delete it after the packet is sent.
5460  */
5461 void
5462 ip_newroute_ipif_v6(queue_t *q, mblk_t *mp, ipif_t *ipif,
5463     const in6_addr_t *v6dstp, const in6_addr_t *v6srcp, int unspec_src,
5464     zoneid_t zoneid)
5465 {
5466 	ire_t	*ire = NULL;
5467 	ipif_t	*src_ipif = NULL;
5468 	int	err = 0;
5469 	ill_t	*dst_ill = NULL;
5470 	ire_t	*save_ire;
5471 	ipsec_out_t *io;
5472 	ill_t *ill;
5473 	mblk_t *first_mp;
5474 	ire_t *fire = NULL;
5475 	mblk_t  *copy_mp = NULL;
5476 	const in6_addr_t *ire_v6srcp;
5477 	boolean_t probe = B_FALSE;
5478 	boolean_t multirt_resolve_next;
5479 	boolean_t ipif_held = B_FALSE;
5480 	boolean_t ill_held = B_FALSE;
5481 	boolean_t ip6_asp_table_held = B_FALSE;
5482 	ip_stack_t	*ipst = ipif->ipif_ill->ill_ipst;
5483 
5484 	/*
5485 	 * This loop is run only once in most cases.
5486 	 * We loop to resolve further routes only when the destination
5487 	 * can be reached through multiple RTF_MULTIRT-flagged ires.
5488 	 */
5489 	do {
5490 		multirt_resolve_next = B_FALSE;
5491 		if (dst_ill != NULL) {
5492 			ill_refrele(dst_ill);
5493 			dst_ill = NULL;
5494 		}
5495 
5496 		if (src_ipif != NULL) {
5497 			ipif_refrele(src_ipif);
5498 			src_ipif = NULL;
5499 		}
5500 		ASSERT(ipif != NULL);
5501 		ill = ipif->ipif_ill;
5502 
5503 		ASSERT(!IN6_IS_ADDR_V4MAPPED(v6dstp));
5504 		if (ip_debug > 2) {
5505 			/* ip1dbg */
5506 			pr_addr_dbg("ip_newroute_ipif_v6: v6dst %s\n",
5507 			    AF_INET6, v6dstp);
5508 			printf("ip_newroute_ipif_v6: if %s, v6 %d\n",
5509 			    ill->ill_name, ipif->ipif_isv6);
5510 		}
5511 
5512 		first_mp = mp;
5513 		if (mp->b_datap->db_type == M_CTL) {
5514 			mp = mp->b_cont;
5515 			io = (ipsec_out_t *)first_mp->b_rptr;
5516 			ASSERT(io->ipsec_out_type == IPSEC_OUT);
5517 		} else {
5518 			io = NULL;
5519 		}
5520 
5521 		/*
5522 		 * If the interface is a pt-pt interface we look for an
5523 		 * IRE_IF_RESOLVER or IRE_IF_NORESOLVER that matches both the
5524 		 * local_address and the pt-pt destination address.
5525 		 * Otherwise we just match the local address.
5526 		 */
5527 		if (!(ill->ill_flags & ILLF_MULTICAST)) {
5528 			goto err_ret;
5529 		}
5530 
5531 		/*
5532 		 * We check if an IRE_OFFSUBNET for the addr that goes through
5533 		 * ipif exists. We need it to determine if the RTF_SETSRC and/or
5534 		 * RTF_MULTIRT flags must be honored.
5535 		 */
5536 		fire = ipif_lookup_multi_ire_v6(ipif, v6dstp);
5537 		ip2dbg(("ip_newroute_ipif_v6: "
5538 		    "ipif_lookup_multi_ire_v6("
5539 		    "ipif %p, dst %08x) = fire %p\n",
5540 		    (void *)ipif, ntohl(V4_PART_OF_V6((*v6dstp))),
5541 		    (void *)fire));
5542 
5543 		ASSERT(src_ipif == NULL);
5544 
5545 		/*
5546 		 * Because nce_xmit() calls ip_output_v6() and NCEs are always
5547 		 * tied to the underlying interface, IS_UNDER_IPMP() may be
5548 		 * true even when building IREs that will be used for data
5549 		 * traffic.  As such, see if the packet's source address is a
5550 		 * test address, and if so use that test address's ipif for
5551 		 * the IRE so that the logic that sets IRE_MARK_TESTHIDDEN in
5552 		 * ire_add_v6() can work properly.
5553 		 */
5554 		if (IS_UNDER_IPMP(ill))
5555 			probe = ipif_lookup_testaddr_v6(ill, v6srcp, &src_ipif);
5556 
5557 		/*
5558 		 * Determine the outbound (destination) ill for this route.
5559 		 * If IPMP is not in use, that's the same as our ill.  If IPMP
5560 		 * is in-use and we're on the IPMP interface, or we're on an
5561 		 * underlying ill but sending data traffic, use a suitable
5562 		 * destination ill from the group.  The latter case covers a
5563 		 * subtle edge condition with multicast: when we bring up an
5564 		 * IPv6 data address, we will create an NCE on an underlying
5565 		 * interface, and send solitications to ff02::1, which would
5566 		 * take us through here, and cause us to create an IRE for
5567 		 * ff02::1.  To meet our defined semantics for multicast (and
5568 		 * ensure there aren't unexpected echoes), that IRE needs to
5569 		 * use the IPMP group's nominated multicast interface.
5570 		 *
5571 		 * Note: the source ipif is determined by source address
5572 		 * selection later.
5573 		 */
5574 		if (IS_IPMP(ill) || (IS_UNDER_IPMP(ill) && !probe)) {
5575 			ill_t *ipmp_ill;
5576 			ipmp_illgrp_t *illg;
5577 
5578 			if (IS_UNDER_IPMP(ill)) {
5579 				ipmp_ill = ipmp_ill_hold_ipmp_ill(ill);
5580 			} else {
5581 				ipmp_ill = ill;
5582 				ill_refhold(ipmp_ill);	/* for symmetry */
5583 			}
5584 
5585 			if (ipmp_ill == NULL)
5586 				goto err_ret;
5587 
5588 			illg = ipmp_ill->ill_grp;
5589 			if (IN6_IS_ADDR_MULTICAST(v6dstp))
5590 				dst_ill = ipmp_illgrp_hold_cast_ill(illg);
5591 			else
5592 				dst_ill = ipmp_illgrp_hold_next_ill(illg);
5593 
5594 			ill_refrele(ipmp_ill);
5595 		} else {
5596 			dst_ill = ill;
5597 			ill_refhold(dst_ill); 	/* for symmetry */
5598 		}
5599 
5600 		if (dst_ill == NULL) {
5601 			if (ip_debug > 2) {
5602 				pr_addr_dbg("ip_newroute_ipif_v6: "
5603 				    "no dst ill for dst %s\n",
5604 				    AF_INET6, v6dstp);
5605 			}
5606 			goto err_ret;
5607 		}
5608 
5609 		/*
5610 		 * Pick a source address which matches the scope of the
5611 		 * destination address.
5612 		 * For RTF_SETSRC routes, the source address is imposed by the
5613 		 * parent ire (fire).
5614 		 */
5615 
5616 		if (src_ipif == NULL && fire != NULL &&
5617 		    (fire->ire_flags & RTF_SETSRC)) {
5618 			/*
5619 			 * Check that the ipif matching the requested source
5620 			 * address still exists.
5621 			 */
5622 			src_ipif = ipif_lookup_addr_v6(&fire->ire_src_addr_v6,
5623 			    NULL, zoneid, NULL, NULL, NULL, NULL, ipst);
5624 		}
5625 
5626 		if (src_ipif == NULL && ip6_asp_can_lookup(ipst)) {
5627 			ip6_asp_table_held = B_TRUE;
5628 			src_ipif = ipif_select_source_v6(dst_ill, v6dstp,
5629 			    B_FALSE, IPV6_PREFER_SRC_DEFAULT, zoneid);
5630 		}
5631 
5632 		if (src_ipif == NULL) {
5633 			if (!unspec_src) {
5634 				if (ip_debug > 2) {
5635 					/* ip1dbg */
5636 					pr_addr_dbg("ip_newroute_ipif_v6: "
5637 					    "no src for dst %s\n",
5638 					    AF_INET6, v6dstp);
5639 					printf(" through interface %s\n",
5640 					    dst_ill->ill_name);
5641 				}
5642 				goto err_ret;
5643 			}
5644 			ire_v6srcp = &ipv6_all_zeros;
5645 			src_ipif = ipif;
5646 			ipif_refhold(src_ipif);
5647 		} else {
5648 			ire_v6srcp = &src_ipif->ipif_v6src_addr;
5649 		}
5650 
5651 		ire = ipif_to_ire_v6(ipif);
5652 		if (ire == NULL) {
5653 			if (ip_debug > 2) {
5654 				/* ip1dbg */
5655 				pr_addr_dbg("ip_newroute_ipif_v6: v6src %s\n",
5656 				    AF_INET6, &ipif->ipif_v6lcl_addr);
5657 				printf("ip_newroute_ipif_v6: "
5658 				    "if %s\n", dst_ill->ill_name);
5659 			}
5660 			goto err_ret;
5661 		}
5662 		if (ire->ire_flags & (RTF_REJECT | RTF_BLACKHOLE))
5663 			goto err_ret;
5664 
5665 		ASSERT(ire->ire_ipversion == IPV6_VERSION);
5666 
5667 		ip1dbg(("ip_newroute_ipif_v6: interface type %s (%d),",
5668 		    ip_nv_lookup(ire_nv_tbl, ire->ire_type), ire->ire_type));
5669 		if (ip_debug > 2) {
5670 			/* ip1dbg */
5671 			pr_addr_dbg(" address %s\n",
5672 			    AF_INET6, &ire->ire_src_addr_v6);
5673 		}
5674 		save_ire = ire;
5675 		ip2dbg(("ip_newroute_ipif: ire %p, ipif %p\n",
5676 		    (void *)ire, (void *)ipif));
5677 
5678 		if ((fire != NULL) && (fire->ire_flags & RTF_MULTIRT)) {
5679 			/*
5680 			 * an IRE_OFFSUBET was looked up
5681 			 * on that interface.
5682 			 * this ire has RTF_MULTIRT flag,
5683 			 * so the resolution loop
5684 			 * will be re-entered to resolve
5685 			 * additional routes on other
5686 			 * interfaces. For that purpose,
5687 			 * a copy of the packet is
5688 			 * made at this point.
5689 			 */
5690 			fire->ire_last_used_time = lbolt;
5691 			copy_mp = copymsg(first_mp);
5692 			if (copy_mp) {
5693 				MULTIRT_DEBUG_TAG(copy_mp);
5694 			}
5695 		}
5696 
5697 		switch (ire->ire_type) {
5698 		case IRE_IF_NORESOLVER: {
5699 			/*
5700 			 * We have what we need to build an IRE_CACHE.
5701 			 *
5702 			 * handle the Gated case, where we create
5703 			 * a NORESOLVER route for loopback.
5704 			 */
5705 			if (dst_ill->ill_net_type != IRE_IF_NORESOLVER)
5706 				break;
5707 			/*
5708 			 * The newly created ire will inherit the flags of the
5709 			 * parent ire, if any.
5710 			 */
5711 			ire = ire_create_v6(
5712 			    v6dstp,			/* dest address */
5713 			    &ipv6_all_ones,		/* mask */
5714 			    ire_v6srcp,			/* source address */
5715 			    NULL,			/* gateway address */
5716 			    &save_ire->ire_max_frag,
5717 			    NULL,			/* no src nce */
5718 			    dst_ill->ill_rq,		/* recv-from queue */
5719 			    dst_ill->ill_wq,		/* send-to queue */
5720 			    IRE_CACHE,
5721 			    src_ipif,
5722 			    NULL,
5723 			    (fire != NULL) ?		/* Parent handle */
5724 			    fire->ire_phandle : 0,
5725 			    save_ire->ire_ihandle,	/* Interface handle */
5726 			    (fire != NULL) ?
5727 			    (fire->ire_flags & (RTF_SETSRC | RTF_MULTIRT)) :
5728 			    0,
5729 			    &ire_uinfo_null,
5730 			    NULL,
5731 			    NULL,
5732 			    ipst);
5733 
5734 			if (ire == NULL) {
5735 				ire_refrele(save_ire);
5736 				break;
5737 			}
5738 
5739 			err = ndp_noresolver(dst_ill, v6dstp);
5740 			if (err != 0) {
5741 				ire_refrele(save_ire);
5742 				break;
5743 			}
5744 
5745 			/* Prevent save_ire from getting deleted */
5746 			IRB_REFHOLD(save_ire->ire_bucket);
5747 			/* Has it been removed already ? */
5748 			if (save_ire->ire_marks & IRE_MARK_CONDEMNED) {
5749 				IRB_REFRELE(save_ire->ire_bucket);
5750 				ire_refrele(save_ire);
5751 				break;
5752 			}
5753 
5754 			ire_add_then_send(q, ire, first_mp);
5755 			if (ip6_asp_table_held) {
5756 				ip6_asp_table_refrele(ipst);
5757 				ip6_asp_table_held = B_FALSE;
5758 			}
5759 
5760 			/* Assert that it is not deleted yet. */
5761 			ASSERT(save_ire->ire_ptpn != NULL);
5762 			IRB_REFRELE(save_ire->ire_bucket);
5763 			ire_refrele(save_ire);
5764 			if (fire != NULL) {
5765 				ire_refrele(fire);
5766 				fire = NULL;
5767 			}
5768 
5769 			/*
5770 			 * The resolution loop is re-entered if we
5771 			 * actually are in a multirouting case.
5772 			 */
5773 			if (copy_mp != NULL) {
5774 				boolean_t need_resolve =
5775 				    ire_multirt_need_resolve_v6(v6dstp,
5776 				    MBLK_GETLABEL(copy_mp), ipst);
5777 				if (!need_resolve) {
5778 					MULTIRT_DEBUG_UNTAG(copy_mp);
5779 					freemsg(copy_mp);
5780 					copy_mp = NULL;
5781 				} else {
5782 					/*
5783 					 * ipif_lookup_group_v6() calls
5784 					 * ire_lookup_multi_v6() that uses
5785 					 * ire_ftable_lookup_v6() to find
5786 					 * an IRE_INTERFACE for the group.
5787 					 * In the multirt case,
5788 					 * ire_lookup_multi_v6() then invokes
5789 					 * ire_multirt_lookup_v6() to find
5790 					 * the next resolvable ire.
5791 					 * As a result, we obtain a new
5792 					 * interface, derived from the
5793 					 * next ire.
5794 					 */
5795 					if (ipif_held) {
5796 						ipif_refrele(ipif);
5797 						ipif_held = B_FALSE;
5798 					}
5799 					ipif = ipif_lookup_group_v6(v6dstp,
5800 					    zoneid, ipst);
5801 					ip2dbg(("ip_newroute_ipif: "
5802 					    "multirt dst %08x, ipif %p\n",
5803 					    ntohl(V4_PART_OF_V6((*v6dstp))),
5804 					    (void *)ipif));
5805 					if (ipif != NULL) {
5806 						ipif_held = B_TRUE;
5807 						mp = copy_mp;
5808 						copy_mp = NULL;
5809 						multirt_resolve_next =
5810 						    B_TRUE;
5811 						continue;
5812 					} else {
5813 						freemsg(copy_mp);
5814 					}
5815 				}
5816 			}
5817 			ill_refrele(dst_ill);
5818 			if (ipif_held) {
5819 				ipif_refrele(ipif);
5820 				ipif_held = B_FALSE;
5821 			}
5822 			if (src_ipif != NULL)
5823 				ipif_refrele(src_ipif);
5824 			return;
5825 		}
5826 		case IRE_IF_RESOLVER: {
5827 
5828 			ASSERT(dst_ill->ill_isv6);
5829 
5830 			/*
5831 			 * We obtain a partial IRE_CACHE which we will pass
5832 			 * along with the resolver query.  When the response
5833 			 * comes back it will be there ready for us to add.
5834 			 */
5835 			/*
5836 			 * the newly created ire will inherit the flags of the
5837 			 * parent ire, if any.
5838 			 */
5839 			ire = ire_create_v6(
5840 			    v6dstp,			/* dest address */
5841 			    &ipv6_all_ones,		/* mask */
5842 			    ire_v6srcp,			/* source address */
5843 			    NULL,			/* gateway address */
5844 			    &save_ire->ire_max_frag,
5845 			    NULL,			/* src nce */
5846 			    dst_ill->ill_rq,		/* recv-from queue */
5847 			    dst_ill->ill_wq,		/* send-to queue */
5848 			    IRE_CACHE,
5849 			    src_ipif,
5850 			    NULL,
5851 			    (fire != NULL) ?		/* Parent handle */
5852 			    fire->ire_phandle : 0,
5853 			    save_ire->ire_ihandle,	/* Interface handle */
5854 			    (fire != NULL) ?
5855 			    (fire->ire_flags & (RTF_SETSRC | RTF_MULTIRT)) :
5856 			    0,
5857 			    &ire_uinfo_null,
5858 			    NULL,
5859 			    NULL,
5860 			    ipst);
5861 
5862 			if (ire == NULL) {
5863 				ire_refrele(save_ire);
5864 				break;
5865 			}
5866 
5867 			/* Resolve and add ire to the ctable */
5868 			err = ndp_resolver(dst_ill, v6dstp, first_mp, zoneid);
5869 			switch (err) {
5870 			case 0:
5871 				/* Prevent save_ire from getting deleted */
5872 				IRB_REFHOLD(save_ire->ire_bucket);
5873 				/* Has it been removed already ? */
5874 				if (save_ire->ire_marks & IRE_MARK_CONDEMNED) {
5875 					IRB_REFRELE(save_ire->ire_bucket);
5876 					ire_refrele(save_ire);
5877 					break;
5878 				}
5879 				/*
5880 				 * We have a resolved cache entry,
5881 				 * add in the IRE.
5882 				 */
5883 				ire_add_then_send(q, ire, first_mp);
5884 				if (ip6_asp_table_held) {
5885 					ip6_asp_table_refrele(ipst);
5886 					ip6_asp_table_held = B_FALSE;
5887 				}
5888 
5889 				/* Assert that it is not deleted yet. */
5890 				ASSERT(save_ire->ire_ptpn != NULL);
5891 				IRB_REFRELE(save_ire->ire_bucket);
5892 				ire_refrele(save_ire);
5893 				if (fire != NULL) {
5894 					ire_refrele(fire);
5895 					fire = NULL;
5896 				}
5897 
5898 				/*
5899 				 * The resolution loop is re-entered if we
5900 				 * actually are in a multirouting case.
5901 				 */
5902 				if (copy_mp != NULL) {
5903 					boolean_t need_resolve =
5904 					    ire_multirt_need_resolve_v6(v6dstp,
5905 					    MBLK_GETLABEL(copy_mp), ipst);
5906 					if (!need_resolve) {
5907 						MULTIRT_DEBUG_UNTAG(copy_mp);
5908 						freemsg(copy_mp);
5909 						copy_mp = NULL;
5910 					} else {
5911 						/*
5912 						 * ipif_lookup_group_v6() calls
5913 						 * ire_lookup_multi_v6() that
5914 						 * uses ire_ftable_lookup_v6()
5915 						 * to find an IRE_INTERFACE for
5916 						 * the group. In the multirt
5917 						 * case, ire_lookup_multi_v6()
5918 						 * then invokes
5919 						 * ire_multirt_lookup_v6() to
5920 						 * find the next resolvable ire.
5921 						 * As a result, we obtain a new
5922 						 * interface, derived from the
5923 						 * next ire.
5924 						 */
5925 						if (ipif_held) {
5926 							ipif_refrele(ipif);
5927 							ipif_held = B_FALSE;
5928 						}
5929 						ipif = ipif_lookup_group_v6(
5930 						    v6dstp, zoneid, ipst);
5931 						ip2dbg(("ip_newroute_ipif: "
5932 						    "multirt dst %08x, "
5933 						    "ipif %p\n",
5934 						    ntohl(V4_PART_OF_V6(
5935 						    (*v6dstp))),
5936 						    (void *)ipif));
5937 						if (ipif != NULL) {
5938 							ipif_held = B_TRUE;
5939 							mp = copy_mp;
5940 							copy_mp = NULL;
5941 							multirt_resolve_next =
5942 							    B_TRUE;
5943 							continue;
5944 						} else {
5945 							freemsg(copy_mp);
5946 						}
5947 					}
5948 				}
5949 				ill_refrele(dst_ill);
5950 				if (ipif_held) {
5951 					ipif_refrele(ipif);
5952 					ipif_held = B_FALSE;
5953 				}
5954 				if (src_ipif != NULL)
5955 					ipif_refrele(src_ipif);
5956 				return;
5957 
5958 			case EINPROGRESS:
5959 				/*
5960 				 * mp was consumed - presumably queued.
5961 				 * No need for ire, presumably resolution is
5962 				 * in progress, and ire will be added when the
5963 				 * address is resolved.
5964 				 */
5965 				if (ip6_asp_table_held) {
5966 					ip6_asp_table_refrele(ipst);
5967 					ip6_asp_table_held = B_FALSE;
5968 				}
5969 				ire_delete(ire);
5970 				ire_refrele(save_ire);
5971 				if (fire != NULL) {
5972 					ire_refrele(fire);
5973 					fire = NULL;
5974 				}
5975 
5976 				/*
5977 				 * The resolution loop is re-entered if we
5978 				 * actually are in a multirouting case.
5979 				 */
5980 				if (copy_mp != NULL) {
5981 					boolean_t need_resolve =
5982 					    ire_multirt_need_resolve_v6(v6dstp,
5983 					    MBLK_GETLABEL(copy_mp), ipst);
5984 					if (!need_resolve) {
5985 						MULTIRT_DEBUG_UNTAG(copy_mp);
5986 						freemsg(copy_mp);
5987 						copy_mp = NULL;
5988 					} else {
5989 						/*
5990 						 * ipif_lookup_group_v6() calls
5991 						 * ire_lookup_multi_v6() that
5992 						 * uses ire_ftable_lookup_v6()
5993 						 * to find an IRE_INTERFACE for
5994 						 * the group. In the multirt
5995 						 * case, ire_lookup_multi_v6()
5996 						 * then invokes
5997 						 * ire_multirt_lookup_v6() to
5998 						 * find the next resolvable ire.
5999 						 * As a result, we obtain a new
6000 						 * interface, derived from the
6001 						 * next ire.
6002 						 */
6003 						if (ipif_held) {
6004 							ipif_refrele(ipif);
6005 							ipif_held = B_FALSE;
6006 						}
6007 						ipif = ipif_lookup_group_v6(
6008 						    v6dstp, zoneid, ipst);
6009 						ip2dbg(("ip_newroute_ipif: "
6010 						    "multirt dst %08x, "
6011 						    "ipif %p\n",
6012 						    ntohl(V4_PART_OF_V6(
6013 						    (*v6dstp))),
6014 						    (void *)ipif));
6015 						if (ipif != NULL) {
6016 							ipif_held = B_TRUE;
6017 							mp = copy_mp;
6018 							copy_mp = NULL;
6019 							multirt_resolve_next =
6020 							    B_TRUE;
6021 							continue;
6022 						} else {
6023 							freemsg(copy_mp);
6024 						}
6025 					}
6026 				}
6027 				ill_refrele(dst_ill);
6028 				if (ipif_held) {
6029 					ipif_refrele(ipif);
6030 					ipif_held = B_FALSE;
6031 				}
6032 				if (src_ipif != NULL)
6033 					ipif_refrele(src_ipif);
6034 				return;
6035 			default:
6036 				/* Some transient error */
6037 				ire_refrele(save_ire);
6038 				break;
6039 			}
6040 			break;
6041 		}
6042 		default:
6043 			break;
6044 		}
6045 		if (ip6_asp_table_held) {
6046 			ip6_asp_table_refrele(ipst);
6047 			ip6_asp_table_held = B_FALSE;
6048 		}
6049 	} while (multirt_resolve_next);
6050 
6051 err_ret:
6052 	if (ip6_asp_table_held)
6053 		ip6_asp_table_refrele(ipst);
6054 	if (ire != NULL)
6055 		ire_refrele(ire);
6056 	if (fire != NULL)
6057 		ire_refrele(fire);
6058 	if (ipif != NULL && ipif_held)
6059 		ipif_refrele(ipif);
6060 	if (src_ipif != NULL)
6061 		ipif_refrele(src_ipif);
6062 
6063 	/* Multicast - no point in trying to generate ICMP error */
6064 	if (dst_ill != NULL) {
6065 		ill = dst_ill;
6066 		ill_held = B_TRUE;
6067 	}
6068 	if (mp->b_prev || mp->b_next) {
6069 		BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
6070 	} else {
6071 		BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
6072 	}
6073 	ip1dbg(("ip_newroute_ipif_v6: dropped\n"));
6074 	mp->b_next = NULL;
6075 	mp->b_prev = NULL;
6076 	freemsg(first_mp);
6077 	if (ill_held)
6078 		ill_refrele(ill);
6079 }
6080 
6081 /*
6082  * Parse and process any hop-by-hop or destination options.
6083  *
6084  * Assumes that q is an ill read queue so that ICMP errors for link-local
6085  * destinations are sent out the correct interface.
6086  *
6087  * Returns -1 if there was an error and mp has been consumed.
6088  * Returns 0 if no special action is needed.
6089  * Returns 1 if the packet contained a router alert option for this node
6090  * which is verified to be "interesting/known" for our implementation.
6091  *
6092  * XXX Note: In future as more hbh or dest options are defined,
6093  * it may be better to have different routines for hbh and dest
6094  * options as opt_type fields other than IP6OPT_PAD1 and IP6OPT_PADN
6095  * may have same value in different namespaces. Or is it same namespace ??
6096  * Current code checks for each opt_type (other than pads) if it is in
6097  * the expected  nexthdr (hbh or dest)
6098  */
6099 static int
6100 ip_process_options_v6(queue_t *q, mblk_t *mp, ip6_t *ip6h,
6101     uint8_t *optptr, uint_t optlen, uint8_t hdr_type, ip_stack_t *ipst)
6102 {
6103 	uint8_t opt_type;
6104 	uint_t optused;
6105 	int ret = 0;
6106 	mblk_t *first_mp;
6107 	const char *errtype;
6108 	zoneid_t zoneid;
6109 	ill_t *ill = q->q_ptr;
6110 	ipif_t *ipif;
6111 
6112 	first_mp = mp;
6113 	if (mp->b_datap->db_type == M_CTL) {
6114 		mp = mp->b_cont;
6115 	}
6116 
6117 	while (optlen != 0) {
6118 		opt_type = *optptr;
6119 		if (opt_type == IP6OPT_PAD1) {
6120 			optused = 1;
6121 		} else {
6122 			if (optlen < 2)
6123 				goto bad_opt;
6124 			errtype = "malformed";
6125 			if (opt_type == ip6opt_ls) {
6126 				optused = 2 + optptr[1];
6127 				if (optused > optlen)
6128 					goto bad_opt;
6129 			} else switch (opt_type) {
6130 			case IP6OPT_PADN:
6131 				/*
6132 				 * Note:We don't verify that (N-2) pad octets
6133 				 * are zero as required by spec. Adhere to
6134 				 * "be liberal in what you accept..." part of
6135 				 * implementation philosophy (RFC791,RFC1122)
6136 				 */
6137 				optused = 2 + optptr[1];
6138 				if (optused > optlen)
6139 					goto bad_opt;
6140 				break;
6141 
6142 			case IP6OPT_JUMBO:
6143 				if (hdr_type != IPPROTO_HOPOPTS)
6144 					goto opt_error;
6145 				goto opt_error; /* XXX Not implemented! */
6146 
6147 			case IP6OPT_ROUTER_ALERT: {
6148 				struct ip6_opt_router *or;
6149 
6150 				if (hdr_type != IPPROTO_HOPOPTS)
6151 					goto opt_error;
6152 				optused = 2 + optptr[1];
6153 				if (optused > optlen)
6154 					goto bad_opt;
6155 				or = (struct ip6_opt_router *)optptr;
6156 				/* Check total length and alignment */
6157 				if (optused != sizeof (*or) ||
6158 				    ((uintptr_t)or->ip6or_value & 0x1) != 0)
6159 					goto opt_error;
6160 				/* Check value */
6161 				switch (*((uint16_t *)or->ip6or_value)) {
6162 				case IP6_ALERT_MLD:
6163 				case IP6_ALERT_RSVP:
6164 					ret = 1;
6165 				}
6166 				break;
6167 			}
6168 			case IP6OPT_HOME_ADDRESS: {
6169 				/*
6170 				 * Minimal support for the home address option
6171 				 * (which is required by all IPv6 nodes).
6172 				 * Implement by just swapping the home address
6173 				 * and source address.
6174 				 * XXX Note: this has IPsec implications since
6175 				 * AH needs to take this into account.
6176 				 * Also, when IPsec is used we need to ensure
6177 				 * that this is only processed once
6178 				 * in the received packet (to avoid swapping
6179 				 * back and forth).
6180 				 * NOTE:This option processing is considered
6181 				 * to be unsafe and prone to a denial of
6182 				 * service attack.
6183 				 * The current processing is not safe even with
6184 				 * IPsec secured IP packets. Since the home
6185 				 * address option processing requirement still
6186 				 * is in the IETF draft and in the process of
6187 				 * being redefined for its usage, it has been
6188 				 * decided to turn off the option by default.
6189 				 * If this section of code needs to be executed,
6190 				 * ndd variable ip6_ignore_home_address_opt
6191 				 * should be set to 0 at the user's own risk.
6192 				 */
6193 				struct ip6_opt_home_address *oh;
6194 				in6_addr_t tmp;
6195 
6196 				if (ipst->ips_ipv6_ignore_home_address_opt)
6197 					goto opt_error;
6198 
6199 				if (hdr_type != IPPROTO_DSTOPTS)
6200 					goto opt_error;
6201 				optused = 2 + optptr[1];
6202 				if (optused > optlen)
6203 					goto bad_opt;
6204 
6205 				/*
6206 				 * We did this dest. opt the first time
6207 				 * around (i.e. before AH processing).
6208 				 * If we've done AH... stop now.
6209 				 */
6210 				if (first_mp != mp) {
6211 					ipsec_in_t *ii;
6212 
6213 					ii = (ipsec_in_t *)first_mp->b_rptr;
6214 					if (ii->ipsec_in_ah_sa != NULL)
6215 						break;
6216 				}
6217 
6218 				oh = (struct ip6_opt_home_address *)optptr;
6219 				/* Check total length and alignment */
6220 				if (optused < sizeof (*oh) ||
6221 				    ((uintptr_t)oh->ip6oh_addr & 0x7) != 0)
6222 					goto opt_error;
6223 				/* Swap ip6_src and the home address */
6224 				tmp = ip6h->ip6_src;
6225 				/* XXX Note: only 8 byte alignment option */
6226 				ip6h->ip6_src = *(in6_addr_t *)oh->ip6oh_addr;
6227 				*(in6_addr_t *)oh->ip6oh_addr = tmp;
6228 				break;
6229 			}
6230 
6231 			case IP6OPT_TUNNEL_LIMIT:
6232 				if (hdr_type != IPPROTO_DSTOPTS) {
6233 					goto opt_error;
6234 				}
6235 				optused = 2 + optptr[1];
6236 				if (optused > optlen) {
6237 					goto bad_opt;
6238 				}
6239 				if (optused != 3) {
6240 					goto opt_error;
6241 				}
6242 				break;
6243 
6244 			default:
6245 				errtype = "unknown";
6246 				/* FALLTHROUGH */
6247 			opt_error:
6248 				/* Determine which zone should send error */
6249 				zoneid = ipif_lookup_addr_zoneid_v6(
6250 				    &ip6h->ip6_dst, ill, ipst);
6251 				switch (IP6OPT_TYPE(opt_type)) {
6252 				case IP6OPT_TYPE_SKIP:
6253 					optused = 2 + optptr[1];
6254 					if (optused > optlen)
6255 						goto bad_opt;
6256 					ip1dbg(("ip_process_options_v6: %s "
6257 					    "opt 0x%x skipped\n",
6258 					    errtype, opt_type));
6259 					break;
6260 				case IP6OPT_TYPE_DISCARD:
6261 					ip1dbg(("ip_process_options_v6: %s "
6262 					    "opt 0x%x; packet dropped\n",
6263 					    errtype, opt_type));
6264 					freemsg(first_mp);
6265 					return (-1);
6266 				case IP6OPT_TYPE_ICMP:
6267 					if (zoneid == ALL_ZONES) {
6268 						freemsg(first_mp);
6269 						return (-1);
6270 					}
6271 					icmp_param_problem_v6(WR(q), first_mp,
6272 					    ICMP6_PARAMPROB_OPTION,
6273 					    (uint32_t)(optptr -
6274 					    (uint8_t *)ip6h),
6275 					    B_FALSE, B_FALSE, zoneid, ipst);
6276 					return (-1);
6277 				case IP6OPT_TYPE_FORCEICMP:
6278 					/*
6279 					 * If we don't have a zone and the dst
6280 					 * addr is multicast, then pick a zone
6281 					 * based on the inbound interface.
6282 					 */
6283 					if (zoneid == ALL_ZONES &&
6284 					    IN6_IS_ADDR_MULTICAST(
6285 					    &ip6h->ip6_dst)) {
6286 						ipif = ipif_select_source_v6(
6287 						    ill, &ip6h->ip6_src,
6288 						    B_TRUE,
6289 						    IPV6_PREFER_SRC_DEFAULT,
6290 						    ALL_ZONES);
6291 						if (ipif != NULL) {
6292 							zoneid =
6293 							    ipif->ipif_zoneid;
6294 							ipif_refrele(ipif);
6295 						}
6296 					}
6297 					if (zoneid == ALL_ZONES) {
6298 						freemsg(first_mp);
6299 						return (-1);
6300 					}
6301 					icmp_param_problem_v6(WR(q), first_mp,
6302 					    ICMP6_PARAMPROB_OPTION,
6303 					    (uint32_t)(optptr -
6304 					    (uint8_t *)ip6h),
6305 					    B_FALSE, B_TRUE, zoneid, ipst);
6306 					return (-1);
6307 				default:
6308 					ASSERT(0);
6309 				}
6310 			}
6311 		}
6312 		optlen -= optused;
6313 		optptr += optused;
6314 	}
6315 	return (ret);
6316 
6317 bad_opt:
6318 	/* Determine which zone should send error */
6319 	zoneid = ipif_lookup_addr_zoneid_v6(&ip6h->ip6_dst, ill, ipst);
6320 	if (zoneid == ALL_ZONES) {
6321 		freemsg(first_mp);
6322 	} else {
6323 		icmp_param_problem_v6(WR(q), first_mp, ICMP6_PARAMPROB_OPTION,
6324 		    (uint32_t)(optptr - (uint8_t *)ip6h),
6325 		    B_FALSE, B_FALSE, zoneid, ipst);
6326 	}
6327 	return (-1);
6328 }
6329 
6330 /*
6331  * Process a routing header that is not yet empty.
6332  * Only handles type 0 routing headers.
6333  */
6334 static void
6335 ip_process_rthdr(queue_t *q, mblk_t *mp, ip6_t *ip6h, ip6_rthdr_t *rth,
6336     ill_t *ill, uint_t flags, mblk_t *hada_mp, mblk_t *dl_mp)
6337 {
6338 	ip6_rthdr0_t *rthdr;
6339 	uint_t ehdrlen;
6340 	uint_t numaddr;
6341 	in6_addr_t *addrptr;
6342 	in6_addr_t tmp;
6343 	ip_stack_t	*ipst = ill->ill_ipst;
6344 
6345 	ASSERT(rth->ip6r_segleft != 0);
6346 
6347 	if (!ipst->ips_ipv6_forward_src_routed) {
6348 		/* XXX Check for source routed out same interface? */
6349 		BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
6350 		BUMP_MIB(ill->ill_ip_mib, ipIfStatsInAddrErrors);
6351 		freemsg(hada_mp);
6352 		freemsg(mp);
6353 		return;
6354 	}
6355 
6356 	if (rth->ip6r_type != 0) {
6357 		if (hada_mp != NULL)
6358 			goto hada_drop;
6359 		/* Sent by forwarding path, and router is global zone */
6360 		icmp_param_problem_v6(WR(q), mp,
6361 		    ICMP6_PARAMPROB_HEADER,
6362 		    (uint32_t)((uchar_t *)&rth->ip6r_type - (uchar_t *)ip6h),
6363 		    B_FALSE, B_FALSE, GLOBAL_ZONEID, ipst);
6364 		return;
6365 	}
6366 	rthdr = (ip6_rthdr0_t *)rth;
6367 	ehdrlen = 8 * (rthdr->ip6r0_len + 1);
6368 	ASSERT(mp->b_rptr + ehdrlen <= mp->b_wptr);
6369 	addrptr = (in6_addr_t *)((char *)rthdr + sizeof (*rthdr));
6370 	/* rthdr->ip6r0_len is twice the number of addresses in the header */
6371 	if (rthdr->ip6r0_len & 0x1) {
6372 		/* An odd length is impossible */
6373 		if (hada_mp != NULL)
6374 			goto hada_drop;
6375 		/* Sent by forwarding path, and router is global zone */
6376 		icmp_param_problem_v6(WR(q), mp,
6377 		    ICMP6_PARAMPROB_HEADER,
6378 		    (uint32_t)((uchar_t *)&rthdr->ip6r0_len - (uchar_t *)ip6h),
6379 		    B_FALSE, B_FALSE, GLOBAL_ZONEID, ipst);
6380 		return;
6381 	}
6382 	numaddr = rthdr->ip6r0_len / 2;
6383 	if (rthdr->ip6r0_segleft > numaddr) {
6384 		/* segleft exceeds number of addresses in routing header */
6385 		if (hada_mp != NULL)
6386 			goto hada_drop;
6387 		/* Sent by forwarding path, and router is global zone */
6388 		icmp_param_problem_v6(WR(q), mp,
6389 		    ICMP6_PARAMPROB_HEADER,
6390 		    (uint32_t)((uchar_t *)&rthdr->ip6r0_segleft -
6391 		    (uchar_t *)ip6h),
6392 		    B_FALSE, B_FALSE, GLOBAL_ZONEID, ipst);
6393 		return;
6394 	}
6395 	addrptr += (numaddr - rthdr->ip6r0_segleft);
6396 	if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst) ||
6397 	    IN6_IS_ADDR_MULTICAST(addrptr)) {
6398 		BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
6399 		freemsg(hada_mp);
6400 		freemsg(mp);
6401 		return;
6402 	}
6403 	/* Swap */
6404 	tmp = *addrptr;
6405 	*addrptr = ip6h->ip6_dst;
6406 	ip6h->ip6_dst = tmp;
6407 	rthdr->ip6r0_segleft--;
6408 	/* Don't allow any mapped addresses - ip_wput_v6 can't handle them */
6409 	if (IN6_IS_ADDR_V4MAPPED(&ip6h->ip6_dst)) {
6410 		if (hada_mp != NULL)
6411 			goto hada_drop;
6412 		/* Sent by forwarding path, and router is global zone */
6413 		icmp_unreachable_v6(WR(q), mp, ICMP6_DST_UNREACH_NOROUTE,
6414 		    B_FALSE, B_FALSE, GLOBAL_ZONEID, ipst);
6415 		return;
6416 	}
6417 	if (ip_check_v6_mblk(mp, ill) == IP6_MBLK_OK) {
6418 		ip6h = (ip6_t *)mp->b_rptr;
6419 		ip_rput_data_v6(q, ill, mp, ip6h, flags, hada_mp, dl_mp);
6420 	} else {
6421 		freemsg(mp);
6422 	}
6423 	return;
6424 hada_drop:
6425 	/* IPsec kstats: bean counter? */
6426 	freemsg(hada_mp);
6427 	freemsg(mp);
6428 }
6429 
6430 /*
6431  * Read side put procedure for IPv6 module.
6432  */
6433 void
6434 ip_rput_v6(queue_t *q, mblk_t *mp)
6435 {
6436 	mblk_t		*first_mp;
6437 	mblk_t		*hada_mp = NULL;
6438 	ip6_t		*ip6h;
6439 	boolean_t	ll_multicast = B_FALSE;
6440 	boolean_t	mctl_present = B_FALSE;
6441 	ill_t		*ill;
6442 	struct iocblk	*iocp;
6443 	uint_t 		flags = 0;
6444 	mblk_t		*dl_mp;
6445 	ip_stack_t	*ipst;
6446 	int		check;
6447 
6448 	ill = (ill_t *)q->q_ptr;
6449 	ipst = ill->ill_ipst;
6450 	if (ill->ill_state_flags & ILL_CONDEMNED) {
6451 		union DL_primitives *dl;
6452 
6453 		dl = (union DL_primitives *)mp->b_rptr;
6454 		/*
6455 		 * Things are opening or closing - only accept DLPI
6456 		 * ack messages. If the stream is closing and ip_wsrv
6457 		 * has completed, ip_close is out of the qwait, but has
6458 		 * not yet completed qprocsoff. Don't proceed any further
6459 		 * because the ill has been cleaned up and things hanging
6460 		 * off the ill have been freed.
6461 		 */
6462 		if ((mp->b_datap->db_type != M_PCPROTO) ||
6463 		    (dl->dl_primitive == DL_UNITDATA_IND)) {
6464 			inet_freemsg(mp);
6465 			return;
6466 		}
6467 	}
6468 
6469 	dl_mp = NULL;
6470 	switch (mp->b_datap->db_type) {
6471 	case M_DATA: {
6472 		int hlen;
6473 		uchar_t *ucp;
6474 		struct ether_header *eh;
6475 		dl_unitdata_ind_t *dui;
6476 
6477 		/*
6478 		 * This is a work-around for CR 6451644, a bug in Nemo.  It
6479 		 * should be removed when that problem is fixed.
6480 		 */
6481 		if (ill->ill_mactype == DL_ETHER &&
6482 		    (hlen = MBLKHEAD(mp)) >= sizeof (struct ether_header) &&
6483 		    (ucp = mp->b_rptr)[-1] == (IP6_DL_SAP & 0xFF) &&
6484 		    ucp[-2] == (IP6_DL_SAP >> 8)) {
6485 			if (hlen >= sizeof (struct ether_vlan_header) &&
6486 			    ucp[-5] == 0 && ucp[-6] == 0x81)
6487 				ucp -= sizeof (struct ether_vlan_header);
6488 			else
6489 				ucp -= sizeof (struct ether_header);
6490 			/*
6491 			 * If it's a group address, then fabricate a
6492 			 * DL_UNITDATA_IND message.
6493 			 */
6494 			if ((ll_multicast = (ucp[0] & 1)) != 0 &&
6495 			    (dl_mp = allocb(DL_UNITDATA_IND_SIZE + 16,
6496 			    BPRI_HI)) != NULL) {
6497 				eh = (struct ether_header *)ucp;
6498 				dui = (dl_unitdata_ind_t *)dl_mp->b_rptr;
6499 				DB_TYPE(dl_mp) = M_PROTO;
6500 				dl_mp->b_wptr = (uchar_t *)(dui + 1) + 16;
6501 				dui->dl_primitive = DL_UNITDATA_IND;
6502 				dui->dl_dest_addr_length = 8;
6503 				dui->dl_dest_addr_offset = DL_UNITDATA_IND_SIZE;
6504 				dui->dl_src_addr_length = 8;
6505 				dui->dl_src_addr_offset = DL_UNITDATA_IND_SIZE +
6506 				    8;
6507 				dui->dl_group_address = 1;
6508 				ucp = (uchar_t *)(dui + 1);
6509 				if (ill->ill_sap_length > 0)
6510 					ucp += ill->ill_sap_length;
6511 				bcopy(&eh->ether_dhost, ucp, 6);
6512 				bcopy(&eh->ether_shost, ucp + 8, 6);
6513 				ucp = (uchar_t *)(dui + 1);
6514 				if (ill->ill_sap_length < 0)
6515 					ucp += 8 + ill->ill_sap_length;
6516 				bcopy(&eh->ether_type, ucp, 2);
6517 				bcopy(&eh->ether_type, ucp + 8, 2);
6518 			}
6519 		}
6520 		break;
6521 	}
6522 
6523 	case M_PROTO:
6524 	case M_PCPROTO:
6525 		if (((dl_unitdata_ind_t *)mp->b_rptr)->dl_primitive !=
6526 		    DL_UNITDATA_IND) {
6527 			/* Go handle anything other than data elsewhere. */
6528 			ip_rput_dlpi(q, mp);
6529 			return;
6530 		}
6531 		ll_multicast = ip_get_dlpi_mbcast(ill, mp);
6532 
6533 		/* Save the DLPI header. */
6534 		dl_mp = mp;
6535 		mp = mp->b_cont;
6536 		dl_mp->b_cont = NULL;
6537 		break;
6538 	case M_BREAK:
6539 		panic("ip_rput_v6: got an M_BREAK");
6540 		/*NOTREACHED*/
6541 	case M_IOCACK:
6542 		iocp = (struct iocblk *)mp->b_rptr;
6543 		switch (iocp->ioc_cmd) {
6544 		case DL_IOC_HDR_INFO:
6545 			ill = (ill_t *)q->q_ptr;
6546 			ill_fastpath_ack(ill, mp);
6547 			return;
6548 
6549 		case SIOCGTUNPARAM:
6550 		case OSIOCGTUNPARAM:
6551 			ip_rput_other(NULL, q, mp, NULL);
6552 			return;
6553 
6554 		case SIOCSTUNPARAM:
6555 		case OSIOCSTUNPARAM:
6556 			/* Go through qwriter */
6557 			break;
6558 		default:
6559 			putnext(q, mp);
6560 			return;
6561 		}
6562 		/* FALLTHRU */
6563 	case M_ERROR:
6564 	case M_HANGUP:
6565 		mutex_enter(&ill->ill_lock);
6566 		if (ill->ill_state_flags & ILL_CONDEMNED) {
6567 			mutex_exit(&ill->ill_lock);
6568 			freemsg(mp);
6569 			return;
6570 		}
6571 		ill_refhold_locked(ill);
6572 		mutex_exit(&ill->ill_lock);
6573 		qwriter_ip(ill, q, mp, ip_rput_other, CUR_OP, B_FALSE);
6574 		return;
6575 	case M_CTL:
6576 		if ((MBLKL(mp) > sizeof (int)) &&
6577 		    ((da_ipsec_t *)mp->b_rptr)->da_type == IPHADA_M_CTL) {
6578 			ASSERT(MBLKL(mp) >= sizeof (da_ipsec_t));
6579 			mctl_present = B_TRUE;
6580 			break;
6581 		}
6582 		putnext(q, mp);
6583 		return;
6584 	case M_IOCNAK:
6585 		iocp = (struct iocblk *)mp->b_rptr;
6586 		switch (iocp->ioc_cmd) {
6587 		case DL_IOC_HDR_INFO:
6588 		case SIOCGTUNPARAM:
6589 		case OSIOCGTUNPARAM:
6590 			ip_rput_other(NULL, q, mp, NULL);
6591 			return;
6592 
6593 		case SIOCSTUNPARAM:
6594 		case OSIOCSTUNPARAM:
6595 			mutex_enter(&ill->ill_lock);
6596 			if (ill->ill_state_flags & ILL_CONDEMNED) {
6597 				mutex_exit(&ill->ill_lock);
6598 				freemsg(mp);
6599 				return;
6600 			}
6601 			ill_refhold_locked(ill);
6602 			mutex_exit(&ill->ill_lock);
6603 			qwriter_ip(ill, q, mp, ip_rput_other, CUR_OP, B_FALSE);
6604 			return;
6605 		default:
6606 			break;
6607 		}
6608 		/* FALLTHRU */
6609 	default:
6610 		putnext(q, mp);
6611 		return;
6612 	}
6613 	BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInReceives);
6614 	UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCInOctets,
6615 	    (mp->b_cont == NULL) ? MBLKL(mp) : msgdsize(mp));
6616 	/*
6617 	 * if db_ref > 1 then copymsg and free original. Packet may be
6618 	 * changed and do not want other entity who has a reference to this
6619 	 * message to trip over the changes. This is a blind change because
6620 	 * trying to catch all places that might change packet is too
6621 	 * difficult (since it may be a module above this one).
6622 	 */
6623 	if (mp->b_datap->db_ref > 1) {
6624 		mblk_t  *mp1;
6625 
6626 		mp1 = copymsg(mp);
6627 		freemsg(mp);
6628 		if (mp1 == NULL) {
6629 			first_mp = NULL;
6630 			goto discard;
6631 		}
6632 		mp = mp1;
6633 	}
6634 	first_mp = mp;
6635 	if (mctl_present) {
6636 		hada_mp = first_mp;
6637 		mp = first_mp->b_cont;
6638 	}
6639 
6640 	if ((check = ip_check_v6_mblk(mp, ill)) == IP6_MBLK_HDR_ERR) {
6641 		freemsg(mp);
6642 		return;
6643 	}
6644 
6645 	ip6h = (ip6_t *)mp->b_rptr;
6646 
6647 	/*
6648 	 * ip:::receive must see ipv6 packets with a full header,
6649 	 * and so is placed after the IP6_MBLK_HDR_ERR check.
6650 	 */
6651 	DTRACE_IP7(receive, mblk_t *, first_mp, conn_t *, NULL, void_ip_t *,
6652 	    ip6h, __dtrace_ipsr_ill_t *, ill, ipha_t *, NULL, ip6_t *, ip6h,
6653 	    int, 0);
6654 
6655 	if (check != IP6_MBLK_OK) {
6656 		freemsg(mp);
6657 		return;
6658 	}
6659 
6660 	DTRACE_PROBE4(ip6__physical__in__start,
6661 	    ill_t *, ill, ill_t *, NULL,
6662 	    ip6_t *, ip6h, mblk_t *, first_mp);
6663 
6664 	FW_HOOKS6(ipst->ips_ip6_physical_in_event,
6665 	    ipst->ips_ipv6firewall_physical_in,
6666 	    ill, NULL, ip6h, first_mp, mp, ll_multicast, ipst);
6667 
6668 	DTRACE_PROBE1(ip6__physical__in__end, mblk_t *, first_mp);
6669 
6670 	if (first_mp == NULL)
6671 		return;
6672 
6673 	/*
6674 	 * Attach any necessary label information to this packet.
6675 	 */
6676 	if (is_system_labeled() && !tsol_get_pkt_label(mp, IPV6_VERSION)) {
6677 		if (ip6opt_ls != 0)
6678 			ip0dbg(("tsol_get_pkt_label v6 failed\n"));
6679 		BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
6680 		goto discard;
6681 	}
6682 
6683 	/* IP observability hook. */
6684 	if (ipst->ips_ipobs_enabled) {
6685 		zoneid_t dzone;
6686 
6687 		dzone = ip_get_zoneid_v6(&ip6h->ip6_dst, mp, ill, ipst,
6688 		    ALL_ZONES);
6689 		ipobs_hook(mp, IPOBS_HOOK_INBOUND, ALL_ZONES, dzone, ill,
6690 		    IPV6_VERSION, 0, ipst);
6691 	}
6692 
6693 	if ((ip6h->ip6_vcf & IPV6_VERS_AND_FLOW_MASK) ==
6694 	    IPV6_DEFAULT_VERS_AND_FLOW) {
6695 		/*
6696 		 * It may be a bit too expensive to do this mapped address
6697 		 * check here, but in the interest of robustness, it seems
6698 		 * like the correct place.
6699 		 * TODO: Avoid this check for e.g. connected TCP sockets
6700 		 */
6701 		if (IN6_IS_ADDR_V4MAPPED(&ip6h->ip6_src)) {
6702 			ip1dbg(("ip_rput_v6: pkt with mapped src addr\n"));
6703 			goto discard;
6704 		}
6705 
6706 		if (IN6_IS_ADDR_LOOPBACK(&ip6h->ip6_src)) {
6707 			ip1dbg(("ip_rput_v6: pkt with loopback src"));
6708 			goto discard;
6709 		} else if (IN6_IS_ADDR_LOOPBACK(&ip6h->ip6_dst)) {
6710 			ip1dbg(("ip_rput_v6: pkt with loopback dst"));
6711 			goto discard;
6712 		}
6713 
6714 		flags |= (ll_multicast ? IP6_IN_LLMCAST : 0);
6715 		ip_rput_data_v6(q, ill, mp, ip6h, flags, hada_mp, dl_mp);
6716 	} else {
6717 		BUMP_MIB(ill->ill_ip_mib, ipIfStatsInWrongIPVersion);
6718 		goto discard;
6719 	}
6720 	freemsg(dl_mp);
6721 	return;
6722 
6723 discard:
6724 	if (dl_mp != NULL)
6725 		freeb(dl_mp);
6726 	freemsg(first_mp);
6727 	BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
6728 }
6729 
6730 /*
6731  * Walk through the IPv6 packet in mp and see if there's an AH header
6732  * in it.  See if the AH header needs to get done before other headers in
6733  * the packet.  (Worker function for ipsec_early_ah_v6().)
6734  */
6735 #define	IPSEC_HDR_DONT_PROCESS	0
6736 #define	IPSEC_HDR_PROCESS	1
6737 #define	IPSEC_MEMORY_ERROR	2 /* or malformed packet */
6738 static int
6739 ipsec_needs_processing_v6(mblk_t *mp, uint8_t *nexthdr)
6740 {
6741 	uint_t	length;
6742 	uint_t	ehdrlen;
6743 	uint8_t *whereptr;
6744 	uint8_t *endptr;
6745 	uint8_t *nexthdrp;
6746 	ip6_dest_t *desthdr;
6747 	ip6_rthdr_t *rthdr;
6748 	ip6_t	*ip6h;
6749 
6750 	/*
6751 	 * For now just pullup everything.  In general, the less pullups,
6752 	 * the better, but there's so much squirrelling through anyway,
6753 	 * it's just easier this way.
6754 	 */
6755 	if (!pullupmsg(mp, -1)) {
6756 		return (IPSEC_MEMORY_ERROR);
6757 	}
6758 
6759 	ip6h = (ip6_t *)mp->b_rptr;
6760 	length = IPV6_HDR_LEN;
6761 	whereptr = ((uint8_t *)&ip6h[1]); /* point to next hdr */
6762 	endptr = mp->b_wptr;
6763 
6764 	/*
6765 	 * We can't just use the argument nexthdr in the place
6766 	 * of nexthdrp becaue we don't dereference nexthdrp
6767 	 * till we confirm whether it is a valid address.
6768 	 */
6769 	nexthdrp = &ip6h->ip6_nxt;
6770 	while (whereptr < endptr) {
6771 		/* Is there enough left for len + nexthdr? */
6772 		if (whereptr + MIN_EHDR_LEN > endptr)
6773 			return (IPSEC_MEMORY_ERROR);
6774 
6775 		switch (*nexthdrp) {
6776 		case IPPROTO_HOPOPTS:
6777 		case IPPROTO_DSTOPTS:
6778 			/* Assumes the headers are identical for hbh and dst */
6779 			desthdr = (ip6_dest_t *)whereptr;
6780 			ehdrlen = 8 * (desthdr->ip6d_len + 1);
6781 			if ((uchar_t *)desthdr +  ehdrlen > endptr)
6782 				return (IPSEC_MEMORY_ERROR);
6783 			/*
6784 			 * Return DONT_PROCESS because the destination
6785 			 * options header may be for each hop in a
6786 			 * routing-header, and we only want AH if we're
6787 			 * finished with routing headers.
6788 			 */
6789 			if (*nexthdrp == IPPROTO_DSTOPTS)
6790 				return (IPSEC_HDR_DONT_PROCESS);
6791 			nexthdrp = &desthdr->ip6d_nxt;
6792 			break;
6793 		case IPPROTO_ROUTING:
6794 			rthdr = (ip6_rthdr_t *)whereptr;
6795 
6796 			/*
6797 			 * If there's more hops left on the routing header,
6798 			 * return now with DON'T PROCESS.
6799 			 */
6800 			if (rthdr->ip6r_segleft > 0)
6801 				return (IPSEC_HDR_DONT_PROCESS);
6802 
6803 			ehdrlen =  8 * (rthdr->ip6r_len + 1);
6804 			if ((uchar_t *)rthdr +  ehdrlen > endptr)
6805 				return (IPSEC_MEMORY_ERROR);
6806 			nexthdrp = &rthdr->ip6r_nxt;
6807 			break;
6808 		case IPPROTO_FRAGMENT:
6809 			/* Wait for reassembly */
6810 			return (IPSEC_HDR_DONT_PROCESS);
6811 		case IPPROTO_AH:
6812 			*nexthdr = IPPROTO_AH;
6813 			return (IPSEC_HDR_PROCESS);
6814 		case IPPROTO_NONE:
6815 			/* No next header means we're finished */
6816 		default:
6817 			return (IPSEC_HDR_DONT_PROCESS);
6818 		}
6819 		length += ehdrlen;
6820 		whereptr += ehdrlen;
6821 	}
6822 	/*
6823 	 * Malformed/truncated packet.
6824 	 */
6825 	return (IPSEC_MEMORY_ERROR);
6826 }
6827 
6828 /*
6829  * Path for AH if options are present. If this is the first time we are
6830  * sending a datagram to AH, allocate a IPSEC_IN message and prepend it.
6831  * Otherwise, just fanout.  Return value answers the boolean question:
6832  * "Did I consume the mblk you sent me?"
6833  *
6834  * Sometimes AH needs to be done before other IPv6 headers for security
6835  * reasons.  This function (and its ipsec_needs_processing_v6() above)
6836  * indicates if that is so, and fans out to the appropriate IPsec protocol
6837  * for the datagram passed in.
6838  */
6839 static boolean_t
6840 ipsec_early_ah_v6(queue_t *q, mblk_t *first_mp, boolean_t mctl_present,
6841     ill_t *ill, ill_t *inill, mblk_t *hada_mp, zoneid_t zoneid)
6842 {
6843 	mblk_t *mp;
6844 	uint8_t nexthdr;
6845 	ipsec_in_t *ii = NULL;
6846 	ah_t *ah;
6847 	ipsec_status_t ipsec_rc;
6848 	ip_stack_t	*ipst = ill->ill_ipst;
6849 	netstack_t	*ns = ipst->ips_netstack;
6850 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
6851 
6852 	ASSERT((hada_mp == NULL) || (!mctl_present));
6853 
6854 	switch (ipsec_needs_processing_v6(
6855 	    (mctl_present ? first_mp->b_cont : first_mp), &nexthdr)) {
6856 	case IPSEC_MEMORY_ERROR:
6857 		BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
6858 		freemsg(hada_mp);
6859 		freemsg(first_mp);
6860 		return (B_TRUE);
6861 	case IPSEC_HDR_DONT_PROCESS:
6862 		return (B_FALSE);
6863 	}
6864 
6865 	/* Default means send it to AH! */
6866 	ASSERT(nexthdr == IPPROTO_AH);
6867 	if (!mctl_present) {
6868 		mp = first_mp;
6869 		first_mp = ipsec_in_alloc(B_FALSE, ipst->ips_netstack);
6870 		if (first_mp == NULL) {
6871 			ip1dbg(("ipsec_early_ah_v6: IPSEC_IN "
6872 			    "allocation failure.\n"));
6873 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
6874 			freemsg(hada_mp);
6875 			freemsg(mp);
6876 			return (B_TRUE);
6877 		}
6878 		/*
6879 		 * Store the ill_index so that when we come back
6880 		 * from IPSEC we ride on the same queue.
6881 		 */
6882 		ii = (ipsec_in_t *)first_mp->b_rptr;
6883 		ii->ipsec_in_ill_index = ill->ill_phyint->phyint_ifindex;
6884 		ii->ipsec_in_rill_index = inill->ill_phyint->phyint_ifindex;
6885 		first_mp->b_cont = mp;
6886 	}
6887 	/*
6888 	 * Cache hardware acceleration info.
6889 	 */
6890 	if (hada_mp != NULL) {
6891 		ASSERT(ii != NULL);
6892 		IPSECHW_DEBUG(IPSECHW_PKT, ("ipsec_early_ah_v6: "
6893 		    "caching data attr.\n"));
6894 		ii->ipsec_in_accelerated = B_TRUE;
6895 		ii->ipsec_in_da = hada_mp;
6896 	}
6897 
6898 	if (!ipsec_loaded(ipss)) {
6899 		ip_proto_not_sup(q, first_mp, IP_FF_SEND_ICMP, zoneid, ipst);
6900 		return (B_TRUE);
6901 	}
6902 
6903 	ah = ipsec_inbound_ah_sa(first_mp, ns);
6904 	if (ah == NULL)
6905 		return (B_TRUE);
6906 	ASSERT(ii->ipsec_in_ah_sa != NULL);
6907 	ASSERT(ii->ipsec_in_ah_sa->ipsa_input_func != NULL);
6908 	ipsec_rc = ii->ipsec_in_ah_sa->ipsa_input_func(first_mp, ah);
6909 
6910 	switch (ipsec_rc) {
6911 	case IPSEC_STATUS_SUCCESS:
6912 		/* we're done with IPsec processing, send it up */
6913 		ip_fanout_proto_again(first_mp, ill, inill, NULL);
6914 		break;
6915 	case IPSEC_STATUS_FAILED:
6916 		BUMP_MIB(&ipst->ips_ip6_mib, ipIfStatsInDiscards);
6917 		break;
6918 	case IPSEC_STATUS_PENDING:
6919 		/* no action needed */
6920 		break;
6921 	}
6922 	return (B_TRUE);
6923 }
6924 
6925 /*
6926  * Validate the IPv6 mblk for alignment.
6927  */
6928 int
6929 ip_check_v6_mblk(mblk_t *mp, ill_t *ill)
6930 {
6931 	int pkt_len, ip6_len;
6932 	ip6_t *ip6h = (ip6_t *)mp->b_rptr;
6933 
6934 	/* check for alignment and full IPv6 header */
6935 	if (!OK_32PTR((uchar_t *)ip6h) ||
6936 	    (mp->b_wptr - (uchar_t *)ip6h) < IPV6_HDR_LEN) {
6937 		if (!pullupmsg(mp, IPV6_HDR_LEN)) {
6938 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
6939 			ip1dbg(("ip_rput_v6: pullupmsg failed\n"));
6940 			return (IP6_MBLK_HDR_ERR);
6941 		}
6942 		ip6h = (ip6_t *)mp->b_rptr;
6943 	}
6944 
6945 	ASSERT(OK_32PTR((uchar_t *)ip6h) &&
6946 	    (mp->b_wptr - (uchar_t *)ip6h) >= IPV6_HDR_LEN);
6947 
6948 	if (mp->b_cont == NULL)
6949 		pkt_len = mp->b_wptr - mp->b_rptr;
6950 	else
6951 		pkt_len = msgdsize(mp);
6952 	ip6_len = ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN;
6953 
6954 	/*
6955 	 * Check for bogus (too short packet) and packet which
6956 	 * was padded by the link layer.
6957 	 */
6958 	if (ip6_len != pkt_len) {
6959 		ssize_t diff;
6960 
6961 		if (ip6_len > pkt_len) {
6962 			ip1dbg(("ip_rput_data_v6: packet too short %d %d\n",
6963 			    ip6_len, pkt_len));
6964 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInTruncatedPkts);
6965 			return (IP6_MBLK_LEN_ERR);
6966 		}
6967 		diff = (ssize_t)(pkt_len - ip6_len);
6968 
6969 		if (!adjmsg(mp, -diff)) {
6970 			ip1dbg(("ip_rput_data_v6: adjmsg failed\n"));
6971 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
6972 			return (IP6_MBLK_LEN_ERR);
6973 		}
6974 	}
6975 	return (IP6_MBLK_OK);
6976 }
6977 
6978 /*
6979  * ip_rput_data_v6 -- received IPv6 packets in M_DATA messages show up here.
6980  * ip_rput_v6 has already verified alignment, the min length, the version,
6981  * and db_ref = 1.
6982  *
6983  * The ill passed in (the arg named inill) is the ill that the packet
6984  * actually arrived on.  We need to remember this when saving the
6985  * input interface index into potential IPV6_PKTINFO data in
6986  * ip_add_info_v6().
6987  *
6988  * This routine doesn't free dl_mp; that's the caller's responsibility on
6989  * return.  (Note that the callers are complex enough that there's no tail
6990  * recursion here anyway.)
6991  */
6992 void
6993 ip_rput_data_v6(queue_t *q, ill_t *inill, mblk_t *mp, ip6_t *ip6h,
6994     uint_t flags, mblk_t *hada_mp, mblk_t *dl_mp)
6995 {
6996 	ire_t		*ire = NULL;
6997 	ill_t		*ill = inill;
6998 	ill_t		*outill;
6999 	ipif_t		*ipif;
7000 	uint8_t		*whereptr;
7001 	uint8_t		nexthdr;
7002 	uint16_t	remlen;
7003 	uint_t		prev_nexthdr_offset;
7004 	uint_t		used;
7005 	size_t		old_pkt_len;
7006 	size_t		pkt_len;
7007 	uint16_t	ip6_len;
7008 	uint_t		hdr_len;
7009 	boolean_t	mctl_present;
7010 	mblk_t		*first_mp;
7011 	mblk_t		*first_mp1;
7012 	boolean_t	no_forward;
7013 	ip6_hbh_t	*hbhhdr;
7014 	boolean_t	ll_multicast = (flags & IP6_IN_LLMCAST);
7015 	conn_t		*connp;
7016 	uint32_t	ports;
7017 	zoneid_t	zoneid = GLOBAL_ZONEID;
7018 	uint16_t	hck_flags, reass_hck_flags;
7019 	uint32_t	reass_sum;
7020 	boolean_t	cksum_err;
7021 	mblk_t		*mp1;
7022 	ip_stack_t	*ipst = inill->ill_ipst;
7023 
7024 	EXTRACT_PKT_MP(mp, first_mp, mctl_present);
7025 
7026 	if (hada_mp != NULL) {
7027 		/*
7028 		 * It's an IPsec accelerated packet.
7029 		 * Keep a pointer to the data attributes around until
7030 		 * we allocate the ipsecinfo structure.
7031 		 */
7032 		IPSECHW_DEBUG(IPSECHW_PKT,
7033 		    ("ip_rput_data_v6: inbound HW accelerated IPsec pkt\n"));
7034 		hada_mp->b_cont = NULL;
7035 		/*
7036 		 * Since it is accelerated, it came directly from
7037 		 * the ill.
7038 		 */
7039 		ASSERT(mctl_present == B_FALSE);
7040 		ASSERT(mp->b_datap->db_type != M_CTL);
7041 	}
7042 
7043 	ip6h = (ip6_t *)mp->b_rptr;
7044 	ip6_len = ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN;
7045 	old_pkt_len = pkt_len = ip6_len;
7046 
7047 	if (ILL_HCKSUM_CAPABLE(ill) && !mctl_present && dohwcksum)
7048 		hck_flags = DB_CKSUMFLAGS(mp);
7049 	else
7050 		hck_flags = 0;
7051 
7052 	/* Clear checksum flags in case we need to forward */
7053 	DB_CKSUMFLAGS(mp) = 0;
7054 	reass_sum = reass_hck_flags = 0;
7055 
7056 	nexthdr = ip6h->ip6_nxt;
7057 
7058 	prev_nexthdr_offset = (uint_t)((uchar_t *)&ip6h->ip6_nxt -
7059 	    (uchar_t *)ip6h);
7060 	whereptr = (uint8_t *)&ip6h[1];
7061 	remlen = pkt_len - IPV6_HDR_LEN;	/* Track how much is left */
7062 
7063 	/* Process hop by hop header options */
7064 	if (nexthdr == IPPROTO_HOPOPTS) {
7065 		uint_t ehdrlen;
7066 		uint8_t *optptr;
7067 
7068 		if (remlen < MIN_EHDR_LEN)
7069 			goto pkt_too_short;
7070 		if (mp->b_cont != NULL &&
7071 		    whereptr + MIN_EHDR_LEN > mp->b_wptr) {
7072 			if (!pullupmsg(mp, IPV6_HDR_LEN + MIN_EHDR_LEN)) {
7073 				BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
7074 				freemsg(hada_mp);
7075 				freemsg(first_mp);
7076 				return;
7077 			}
7078 			ip6h = (ip6_t *)mp->b_rptr;
7079 			whereptr = (uint8_t *)ip6h + pkt_len - remlen;
7080 		}
7081 		hbhhdr = (ip6_hbh_t *)whereptr;
7082 		nexthdr = hbhhdr->ip6h_nxt;
7083 		prev_nexthdr_offset = (uint_t)(whereptr - (uint8_t *)ip6h);
7084 		ehdrlen = 8 * (hbhhdr->ip6h_len + 1);
7085 
7086 		if (remlen < ehdrlen)
7087 			goto pkt_too_short;
7088 		if (mp->b_cont != NULL &&
7089 		    whereptr + ehdrlen > mp->b_wptr) {
7090 			if (!pullupmsg(mp, IPV6_HDR_LEN + ehdrlen)) {
7091 				BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
7092 				freemsg(hada_mp);
7093 				freemsg(first_mp);
7094 				return;
7095 			}
7096 			ip6h = (ip6_t *)mp->b_rptr;
7097 			whereptr = (uint8_t *)ip6h + pkt_len - remlen;
7098 			hbhhdr = (ip6_hbh_t *)whereptr;
7099 		}
7100 
7101 		optptr = whereptr + 2;
7102 		whereptr += ehdrlen;
7103 		remlen -= ehdrlen;
7104 		switch (ip_process_options_v6(q, first_mp, ip6h, optptr,
7105 		    ehdrlen - 2, IPPROTO_HOPOPTS, ipst)) {
7106 		case -1:
7107 			/*
7108 			 * Packet has been consumed and any
7109 			 * needed ICMP messages sent.
7110 			 */
7111 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
7112 			freemsg(hada_mp);
7113 			return;
7114 		case 0:
7115 			/* no action needed */
7116 			break;
7117 		case 1:
7118 			/* Known router alert */
7119 			goto ipv6forus;
7120 		}
7121 	}
7122 
7123 	/*
7124 	 * On incoming v6 multicast packets we will bypass the ire table,
7125 	 * and assume that the read queue corresponds to the targetted
7126 	 * interface.
7127 	 *
7128 	 * The effect of this is the same as the IPv4 original code, but is
7129 	 * much cleaner I think.  See ip_rput for how that was done.
7130 	 */
7131 	if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst)) {
7132 		BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInMcastPkts);
7133 		UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCInMcastOctets, pkt_len);
7134 
7135 		/*
7136 		 * So that we don't end up with dups, only one ill in an IPMP
7137 		 * group is nominated to receive multicast data traffic.
7138 		 * However, link-locals on any underlying interfaces will have
7139 		 * joined their solicited-node multicast addresses and we must
7140 		 * accept those packets.  (We don't attempt to precisely
7141 		 * filter out duplicate solicited-node multicast packets since
7142 		 * e.g. an IPMP interface and underlying interface may have
7143 		 * the same solicited-node multicast address.)  Note that we
7144 		 * won't generally have duplicates because we only issue a
7145 		 * DL_ENABMULTI_REQ on one interface in a group; the exception
7146 		 * is when PHYI_MULTI_BCAST is set.
7147 		 */
7148 		if (IS_UNDER_IPMP(ill) && !ill->ill_nom_cast &&
7149 		    !IN6_IS_ADDR_MC_SOLICITEDNODE(&ip6h->ip6_dst)) {
7150 			goto drop_pkt;
7151 		}
7152 
7153 		/*
7154 		 * XXX TODO Give to mrouted to for multicast forwarding.
7155 		 */
7156 		if (ilm_lookup_ill_v6(ill, &ip6h->ip6_dst, B_FALSE,
7157 		    ALL_ZONES) == NULL) {
7158 			if (ip_debug > 3) {
7159 				/* ip2dbg */
7160 				pr_addr_dbg("ip_rput_data_v6: got mcast packet"
7161 				    "  which is not for us: %s\n", AF_INET6,
7162 				    &ip6h->ip6_dst);
7163 			}
7164 drop_pkt:		BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
7165 			freemsg(hada_mp);
7166 			freemsg(first_mp);
7167 			return;
7168 		}
7169 		if (ip_debug > 3) {
7170 			/* ip2dbg */
7171 			pr_addr_dbg("ip_rput_data_v6: multicast for us: %s\n",
7172 			    AF_INET6, &ip6h->ip6_dst);
7173 		}
7174 		zoneid = GLOBAL_ZONEID;
7175 		goto ipv6forus;
7176 	}
7177 
7178 	ipif = ill->ill_ipif;
7179 
7180 	/*
7181 	 * If a packet was received on an interface that is a 6to4 tunnel,
7182 	 * incoming IPv6 packets, with a 6to4 addressed IPv6 destination, must
7183 	 * be checked to have a 6to4 prefix (2002:V4ADDR::/48) that is equal to
7184 	 * the 6to4 prefix of the address configured on the receiving interface.
7185 	 * Otherwise, the packet was delivered to this interface in error and
7186 	 * the packet must be dropped.
7187 	 */
7188 	if ((ill->ill_is_6to4tun) && IN6_IS_ADDR_6TO4(&ip6h->ip6_dst)) {
7189 
7190 		if (!IN6_ARE_6TO4_PREFIX_EQUAL(&ipif->ipif_v6lcl_addr,
7191 		    &ip6h->ip6_dst)) {
7192 			if (ip_debug > 2) {
7193 				/* ip1dbg */
7194 				pr_addr_dbg("ip_rput_data_v6: received 6to4 "
7195 				    "addressed packet which is not for us: "
7196 				    "%s\n", AF_INET6, &ip6h->ip6_dst);
7197 			}
7198 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
7199 			freemsg(first_mp);
7200 			return;
7201 		}
7202 	}
7203 
7204 	/*
7205 	 * Find an ire that matches destination. For link-local addresses
7206 	 * we have to match the ill.
7207 	 * TBD for site local addresses.
7208 	 */
7209 	if (IN6_IS_ADDR_LINKLOCAL(&ip6h->ip6_dst)) {
7210 		ire = ire_ctable_lookup_v6(&ip6h->ip6_dst, NULL,
7211 		    IRE_CACHE|IRE_LOCAL, ill->ill_ipif, ALL_ZONES, NULL,
7212 		    MATCH_IRE_TYPE | MATCH_IRE_ILL, ipst);
7213 	} else {
7214 		ire = ire_cache_lookup_v6(&ip6h->ip6_dst, ALL_ZONES,
7215 		    MBLK_GETLABEL(mp), ipst);
7216 
7217 		if (ire != NULL && ire->ire_stq != NULL &&
7218 		    ire->ire_zoneid != GLOBAL_ZONEID &&
7219 		    ire->ire_zoneid != ALL_ZONES) {
7220 			/*
7221 			 * Should only use IREs that are visible from the
7222 			 * global zone for forwarding.
7223 			 */
7224 			ire_refrele(ire);
7225 			ire = ire_cache_lookup_v6(&ip6h->ip6_dst,
7226 			    GLOBAL_ZONEID, MBLK_GETLABEL(mp), ipst);
7227 		}
7228 	}
7229 
7230 	if (ire == NULL) {
7231 		/*
7232 		 * No matching IRE found.  Mark this packet as having
7233 		 * originated externally.
7234 		 */
7235 		if (!(ill->ill_flags & ILLF_ROUTER) || ll_multicast) {
7236 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
7237 			if (!(ill->ill_flags & ILLF_ROUTER)) {
7238 				BUMP_MIB(ill->ill_ip_mib,
7239 				    ipIfStatsInAddrErrors);
7240 			}
7241 			freemsg(hada_mp);
7242 			freemsg(first_mp);
7243 			return;
7244 		}
7245 		if (ip6h->ip6_hops <= 1) {
7246 			if (hada_mp != NULL)
7247 				goto hada_drop;
7248 			/* Sent by forwarding path, and router is global zone */
7249 			icmp_time_exceeded_v6(WR(q), first_mp,
7250 			    ICMP6_TIME_EXCEED_TRANSIT, ll_multicast, B_FALSE,
7251 			    GLOBAL_ZONEID, ipst);
7252 			return;
7253 		}
7254 		/*
7255 		 * Per RFC 3513 section 2.5.2, we must not forward packets with
7256 		 * an unspecified source address.
7257 		 */
7258 		if (IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src)) {
7259 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
7260 			freemsg(hada_mp);
7261 			freemsg(first_mp);
7262 			return;
7263 		}
7264 		mp->b_prev = (mblk_t *)(uintptr_t)
7265 		    ill->ill_phyint->phyint_ifindex;
7266 		ip_newroute_v6(q, mp, &ip6h->ip6_dst, &ip6h->ip6_src,
7267 		    IN6_IS_ADDR_LINKLOCAL(&ip6h->ip6_dst) ? ill : NULL,
7268 		    GLOBAL_ZONEID, ipst);
7269 		return;
7270 	}
7271 	/* we have a matching IRE */
7272 	if (ire->ire_stq != NULL) {
7273 		/*
7274 		 * To be quicker, we may wish not to chase pointers
7275 		 * (ire->ire_ipif->ipif_ill...) and instead store the
7276 		 * forwarding policy in the ire.  An unfortunate side-
7277 		 * effect of this would be requiring an ire flush whenever
7278 		 * the ILLF_ROUTER flag changes.  For now, chase pointers
7279 		 * once and store in the boolean no_forward.
7280 		 *
7281 		 * This appears twice to keep it out of the non-forwarding,
7282 		 * yes-it's-for-us-on-the-right-interface case.
7283 		 */
7284 		no_forward = ((ill->ill_flags &
7285 		    ire->ire_ipif->ipif_ill->ill_flags & ILLF_ROUTER) == 0);
7286 
7287 		ASSERT(first_mp == mp);
7288 		/*
7289 		 * This ire has a send-to queue - forward the packet.
7290 		 */
7291 		if (no_forward || ll_multicast || (hada_mp != NULL)) {
7292 			freemsg(hada_mp);
7293 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
7294 			if (no_forward) {
7295 				BUMP_MIB(ill->ill_ip_mib,
7296 				    ipIfStatsInAddrErrors);
7297 			}
7298 			freemsg(mp);
7299 			ire_refrele(ire);
7300 			return;
7301 		}
7302 		/*
7303 		 * ipIfStatsHCInForwDatagrams should only be increment if there
7304 		 * will be an attempt to forward the packet, which is why we
7305 		 * increment after the above condition has been checked.
7306 		 */
7307 		BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInForwDatagrams);
7308 		if (ip6h->ip6_hops <= 1) {
7309 			ip1dbg(("ip_rput_data_v6: hop limit expired.\n"));
7310 			/* Sent by forwarding path, and router is global zone */
7311 			icmp_time_exceeded_v6(WR(q), mp,
7312 			    ICMP6_TIME_EXCEED_TRANSIT, ll_multicast, B_FALSE,
7313 			    GLOBAL_ZONEID, ipst);
7314 			ire_refrele(ire);
7315 			return;
7316 		}
7317 		/*
7318 		 * Per RFC 3513 section 2.5.2, we must not forward packets with
7319 		 * an unspecified source address.
7320 		 */
7321 		if (IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src)) {
7322 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
7323 			freemsg(mp);
7324 			ire_refrele(ire);
7325 			return;
7326 		}
7327 
7328 		if (is_system_labeled()) {
7329 			mblk_t *mp1;
7330 
7331 			if ((mp1 = tsol_ip_forward(ire, mp)) == NULL) {
7332 				BUMP_MIB(ill->ill_ip_mib,
7333 				    ipIfStatsForwProhibits);
7334 				freemsg(mp);
7335 				ire_refrele(ire);
7336 				return;
7337 			}
7338 			/* Size may have changed */
7339 			mp = mp1;
7340 			ip6h = (ip6_t *)mp->b_rptr;
7341 			pkt_len = msgdsize(mp);
7342 		}
7343 
7344 		if (pkt_len > ire->ire_max_frag) {
7345 			int max_frag = ire->ire_max_frag;
7346 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInTooBigErrors);
7347 			/*
7348 			 * Handle labeled packet resizing.
7349 			 */
7350 			if (is_system_labeled()) {
7351 				max_frag = tsol_pmtu_adjust(mp, max_frag,
7352 				    pkt_len - old_pkt_len, AF_INET6);
7353 			}
7354 
7355 			/* Sent by forwarding path, and router is global zone */
7356 			icmp_pkt2big_v6(WR(q), mp, max_frag,
7357 			    ll_multicast, B_TRUE, GLOBAL_ZONEID, ipst);
7358 			ire_refrele(ire);
7359 			return;
7360 		}
7361 
7362 		/*
7363 		 * Check to see if we're forwarding the packet to a
7364 		 * different link from which it came.  If so, check the
7365 		 * source and destination addresses since routers must not
7366 		 * forward any packets with link-local source or
7367 		 * destination addresses to other links.  Otherwise (if
7368 		 * we're forwarding onto the same link), conditionally send
7369 		 * a redirect message.
7370 		 */
7371 		if (ire->ire_rfq != q &&
7372 		    !IS_IN_SAME_ILLGRP(ill, (ill_t *)ire->ire_rfq->q_ptr)) {
7373 			if (IN6_IS_ADDR_LINKLOCAL(&ip6h->ip6_dst) ||
7374 			    IN6_IS_ADDR_LINKLOCAL(&ip6h->ip6_src)) {
7375 				BUMP_MIB(ill->ill_ip_mib,
7376 				    ipIfStatsInAddrErrors);
7377 				freemsg(mp);
7378 				ire_refrele(ire);
7379 				return;
7380 			}
7381 			/* TBD add site-local check at site boundary? */
7382 		} else if (ipst->ips_ipv6_send_redirects) {
7383 			in6_addr_t	*v6targ;
7384 			in6_addr_t	gw_addr_v6;
7385 			ire_t		*src_ire_v6 = NULL;
7386 
7387 			/*
7388 			 * Don't send a redirect when forwarding a source
7389 			 * routed packet.
7390 			 */
7391 			if (ip_source_routed_v6(ip6h, mp, ipst))
7392 				goto forward;
7393 
7394 			mutex_enter(&ire->ire_lock);
7395 			gw_addr_v6 = ire->ire_gateway_addr_v6;
7396 			mutex_exit(&ire->ire_lock);
7397 			if (!IN6_IS_ADDR_UNSPECIFIED(&gw_addr_v6)) {
7398 				v6targ = &gw_addr_v6;
7399 				/*
7400 				 * We won't send redirects to a router
7401 				 * that doesn't have a link local
7402 				 * address, but will forward.
7403 				 */
7404 				if (!IN6_IS_ADDR_LINKLOCAL(v6targ)) {
7405 					BUMP_MIB(ill->ill_ip_mib,
7406 					    ipIfStatsInAddrErrors);
7407 					goto forward;
7408 				}
7409 			} else {
7410 				v6targ = &ip6h->ip6_dst;
7411 			}
7412 
7413 			src_ire_v6 = ire_ftable_lookup_v6(&ip6h->ip6_src,
7414 			    NULL, NULL, IRE_INTERFACE, ire->ire_ipif, NULL,
7415 			    GLOBAL_ZONEID, 0, NULL,
7416 			    MATCH_IRE_IPIF | MATCH_IRE_TYPE,
7417 			    ipst);
7418 
7419 			if (src_ire_v6 != NULL) {
7420 				/*
7421 				 * The source is directly connected.
7422 				 */
7423 				mp1 = copymsg(mp);
7424 				if (mp1 != NULL) {
7425 					icmp_send_redirect_v6(WR(q),
7426 					    mp1, v6targ, &ip6h->ip6_dst,
7427 					    ill, B_FALSE);
7428 				}
7429 				ire_refrele(src_ire_v6);
7430 			}
7431 		}
7432 
7433 forward:
7434 		/* Hoplimit verified above */
7435 		ip6h->ip6_hops--;
7436 
7437 		outill = ire->ire_ipif->ipif_ill;
7438 
7439 		DTRACE_PROBE4(ip6__forwarding__start,
7440 		    ill_t *, inill, ill_t *, outill,
7441 		    ip6_t *, ip6h, mblk_t *, mp);
7442 
7443 		FW_HOOKS6(ipst->ips_ip6_forwarding_event,
7444 		    ipst->ips_ipv6firewall_forwarding,
7445 		    inill, outill, ip6h, mp, mp, 0, ipst);
7446 
7447 		DTRACE_PROBE1(ip6__forwarding__end, mblk_t *, mp);
7448 
7449 		if (mp != NULL) {
7450 			UPDATE_IB_PKT_COUNT(ire);
7451 			ire->ire_last_used_time = lbolt;
7452 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCOutForwDatagrams);
7453 			ip_xmit_v6(mp, ire, 0, NULL, B_FALSE, NULL);
7454 		}
7455 		IRE_REFRELE(ire);
7456 		return;
7457 	}
7458 
7459 	/*
7460 	 * Need to put on correct queue for reassembly to find it.
7461 	 * No need to use put() since reassembly has its own locks.
7462 	 * Note: multicast packets and packets destined to addresses
7463 	 * assigned to loopback (ire_rfq is NULL) will be reassembled on
7464 	 * the arriving ill. Unlike the IPv4 case, enabling strict
7465 	 * destination multihoming will prevent accepting packets
7466 	 * addressed to an IRE_LOCAL on lo0.
7467 	 */
7468 	if (ire->ire_rfq != q) {
7469 		if ((ire = ip_check_multihome(&ip6h->ip6_dst, ire, ill))
7470 		    == NULL) {
7471 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
7472 			freemsg(hada_mp);
7473 			freemsg(first_mp);
7474 			return;
7475 		}
7476 		if (ire->ire_rfq != NULL) {
7477 			q = ire->ire_rfq;
7478 			ill = (ill_t *)q->q_ptr;
7479 			ASSERT(ill != NULL);
7480 		}
7481 	}
7482 
7483 	zoneid = ire->ire_zoneid;
7484 	UPDATE_IB_PKT_COUNT(ire);
7485 	ire->ire_last_used_time = lbolt;
7486 	/* Don't use the ire after this point, we'll NULL it out to be sure. */
7487 	ire_refrele(ire);
7488 	ire = NULL;
7489 ipv6forus:
7490 	/*
7491 	 * Looks like this packet is for us one way or another.
7492 	 * This is where we'll process destination headers etc.
7493 	 */
7494 	for (; ; ) {
7495 		switch (nexthdr) {
7496 		case IPPROTO_TCP: {
7497 			uint16_t	*up;
7498 			uint32_t	sum;
7499 			int		offset;
7500 
7501 			hdr_len = pkt_len - remlen;
7502 
7503 			if (hada_mp != NULL) {
7504 				ip0dbg(("tcp hada drop\n"));
7505 				goto hada_drop;
7506 			}
7507 
7508 
7509 			/* TCP needs all of the TCP header */
7510 			if (remlen < TCP_MIN_HEADER_LENGTH)
7511 				goto pkt_too_short;
7512 			if (mp->b_cont != NULL &&
7513 			    whereptr + TCP_MIN_HEADER_LENGTH > mp->b_wptr) {
7514 				if (!pullupmsg(mp,
7515 				    hdr_len + TCP_MIN_HEADER_LENGTH)) {
7516 					BUMP_MIB(ill->ill_ip_mib,
7517 					    ipIfStatsInDiscards);
7518 					freemsg(first_mp);
7519 					return;
7520 				}
7521 				hck_flags = 0;
7522 				ip6h = (ip6_t *)mp->b_rptr;
7523 				whereptr = (uint8_t *)ip6h + hdr_len;
7524 			}
7525 			/*
7526 			 * Extract the offset field from the TCP header.
7527 			 */
7528 			offset = ((uchar_t *)ip6h)[hdr_len + 12] >> 4;
7529 			if (offset != 5) {
7530 				if (offset < 5) {
7531 					ip1dbg(("ip_rput_data_v6: short "
7532 					    "TCP data offset"));
7533 					BUMP_MIB(ill->ill_ip_mib,
7534 					    ipIfStatsInDiscards);
7535 					freemsg(first_mp);
7536 					return;
7537 				}
7538 				/*
7539 				 * There must be TCP options.
7540 				 * Make sure we can grab them.
7541 				 */
7542 				offset <<= 2;
7543 				if (remlen < offset)
7544 					goto pkt_too_short;
7545 				if (mp->b_cont != NULL &&
7546 				    whereptr + offset > mp->b_wptr) {
7547 					if (!pullupmsg(mp,
7548 					    hdr_len + offset)) {
7549 						BUMP_MIB(ill->ill_ip_mib,
7550 						    ipIfStatsInDiscards);
7551 						freemsg(first_mp);
7552 						return;
7553 					}
7554 					hck_flags = 0;
7555 					ip6h = (ip6_t *)mp->b_rptr;
7556 					whereptr = (uint8_t *)ip6h + hdr_len;
7557 				}
7558 			}
7559 
7560 			up = (uint16_t *)&ip6h->ip6_src;
7561 			/*
7562 			 * TCP checksum calculation.  First sum up the
7563 			 * pseudo-header fields:
7564 			 *  -	Source IPv6 address
7565 			 *  -	Destination IPv6 address
7566 			 *  -	TCP payload length
7567 			 *  -	TCP protocol ID
7568 			 */
7569 			sum = htons(IPPROTO_TCP + remlen) +
7570 			    up[0] + up[1] + up[2] + up[3] +
7571 			    up[4] + up[5] + up[6] + up[7] +
7572 			    up[8] + up[9] + up[10] + up[11] +
7573 			    up[12] + up[13] + up[14] + up[15];
7574 
7575 			/* Fold initial sum */
7576 			sum = (sum & 0xffff) + (sum >> 16);
7577 
7578 			mp1 = mp->b_cont;
7579 
7580 			if ((hck_flags & (HCK_FULLCKSUM|HCK_PARTIALCKSUM)) == 0)
7581 				IP6_STAT(ipst, ip6_in_sw_cksum);
7582 
7583 			IP_CKSUM_RECV(hck_flags, sum, (uchar_t *)
7584 			    ((uchar_t *)mp->b_rptr + DB_CKSUMSTART(mp)),
7585 			    (int32_t)(whereptr - (uchar_t *)mp->b_rptr),
7586 			    mp, mp1, cksum_err);
7587 
7588 			if (cksum_err) {
7589 				BUMP_MIB(ill->ill_ip_mib, tcpIfStatsInErrs);
7590 
7591 				if (hck_flags & HCK_FULLCKSUM) {
7592 					IP6_STAT(ipst,
7593 					    ip6_tcp_in_full_hw_cksum_err);
7594 				} else if (hck_flags & HCK_PARTIALCKSUM) {
7595 					IP6_STAT(ipst,
7596 					    ip6_tcp_in_part_hw_cksum_err);
7597 				} else {
7598 					IP6_STAT(ipst, ip6_tcp_in_sw_cksum_err);
7599 				}
7600 				freemsg(first_mp);
7601 				return;
7602 			}
7603 tcp_fanout:
7604 			ip_fanout_tcp_v6(q, first_mp, ip6h, ill, inill,
7605 			    (flags|IP_FF_SEND_ICMP|IP_FF_SYN_ADDIRE|
7606 			    IP_FF_IPINFO), hdr_len, mctl_present, zoneid);
7607 			return;
7608 		}
7609 		case IPPROTO_SCTP:
7610 		{
7611 			sctp_hdr_t *sctph;
7612 			uint32_t calcsum, pktsum;
7613 			uint_t hdr_len = pkt_len - remlen;
7614 			sctp_stack_t *sctps;
7615 
7616 			sctps = inill->ill_ipst->ips_netstack->netstack_sctp;
7617 
7618 			/* SCTP needs all of the SCTP header */
7619 			if (remlen < sizeof (*sctph)) {
7620 				goto pkt_too_short;
7621 			}
7622 			if (whereptr + sizeof (*sctph) > mp->b_wptr) {
7623 				ASSERT(mp->b_cont != NULL);
7624 				if (!pullupmsg(mp, hdr_len + sizeof (*sctph))) {
7625 					BUMP_MIB(ill->ill_ip_mib,
7626 					    ipIfStatsInDiscards);
7627 					freemsg(mp);
7628 					return;
7629 				}
7630 				ip6h = (ip6_t *)mp->b_rptr;
7631 				whereptr = (uint8_t *)ip6h + hdr_len;
7632 			}
7633 
7634 			sctph = (sctp_hdr_t *)(mp->b_rptr + hdr_len);
7635 			/* checksum */
7636 			pktsum = sctph->sh_chksum;
7637 			sctph->sh_chksum = 0;
7638 			calcsum = sctp_cksum(mp, hdr_len);
7639 			if (calcsum != pktsum) {
7640 				BUMP_MIB(&sctps->sctps_mib, sctpChecksumError);
7641 				freemsg(mp);
7642 				return;
7643 			}
7644 			sctph->sh_chksum = pktsum;
7645 			ports = *(uint32_t *)(mp->b_rptr + hdr_len);
7646 			if ((connp = sctp_fanout(&ip6h->ip6_src, &ip6h->ip6_dst,
7647 			    ports, zoneid, mp, sctps)) == NULL) {
7648 				ip_fanout_sctp_raw(first_mp, ill,
7649 				    (ipha_t *)ip6h, B_FALSE, ports,
7650 				    mctl_present,
7651 				    (flags|IP_FF_SEND_ICMP|IP_FF_IPINFO),
7652 				    B_TRUE, zoneid);
7653 				return;
7654 			}
7655 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
7656 			sctp_input(connp, (ipha_t *)ip6h, mp, first_mp, ill,
7657 			    B_FALSE, mctl_present);
7658 			return;
7659 		}
7660 		case IPPROTO_UDP: {
7661 			uint16_t	*up;
7662 			uint32_t	sum;
7663 
7664 			hdr_len = pkt_len - remlen;
7665 
7666 			if (hada_mp != NULL) {
7667 				ip0dbg(("udp hada drop\n"));
7668 				goto hada_drop;
7669 			}
7670 
7671 			/* Verify that at least the ports are present */
7672 			if (remlen < UDPH_SIZE)
7673 				goto pkt_too_short;
7674 			if (mp->b_cont != NULL &&
7675 			    whereptr + UDPH_SIZE > mp->b_wptr) {
7676 				if (!pullupmsg(mp, hdr_len + UDPH_SIZE)) {
7677 					BUMP_MIB(ill->ill_ip_mib,
7678 					    ipIfStatsInDiscards);
7679 					freemsg(first_mp);
7680 					return;
7681 				}
7682 				hck_flags = 0;
7683 				ip6h = (ip6_t *)mp->b_rptr;
7684 				whereptr = (uint8_t *)ip6h + hdr_len;
7685 			}
7686 
7687 			/*
7688 			 *  Before going through the regular checksum
7689 			 *  calculation, make sure the received checksum
7690 			 *  is non-zero. RFC 2460 says, a 0x0000 checksum
7691 			 *  in a UDP packet (within IPv6 packet) is invalid
7692 			 *  and should be replaced by 0xffff. This makes
7693 			 *  sense as regular checksum calculation will
7694 			 *  pass for both the cases i.e. 0x0000 and 0xffff.
7695 			 *  Removing one of the case makes error detection
7696 			 *  stronger.
7697 			 */
7698 
7699 			if (((udpha_t *)whereptr)->uha_checksum == 0) {
7700 				/* 0x0000 checksum is invalid */
7701 				ip1dbg(("ip_rput_data_v6: Invalid UDP "
7702 				    "checksum value 0x0000\n"));
7703 				BUMP_MIB(ill->ill_ip_mib,
7704 				    udpIfStatsInCksumErrs);
7705 				freemsg(first_mp);
7706 				return;
7707 			}
7708 
7709 			up = (uint16_t *)&ip6h->ip6_src;
7710 
7711 			/*
7712 			 * UDP checksum calculation.  First sum up the
7713 			 * pseudo-header fields:
7714 			 *  -	Source IPv6 address
7715 			 *  -	Destination IPv6 address
7716 			 *  -	UDP payload length
7717 			 *  -	UDP protocol ID
7718 			 */
7719 
7720 			sum = htons(IPPROTO_UDP + remlen) +
7721 			    up[0] + up[1] + up[2] + up[3] +
7722 			    up[4] + up[5] + up[6] + up[7] +
7723 			    up[8] + up[9] + up[10] + up[11] +
7724 			    up[12] + up[13] + up[14] + up[15];
7725 
7726 			/* Fold initial sum */
7727 			sum = (sum & 0xffff) + (sum >> 16);
7728 
7729 			if (reass_hck_flags != 0) {
7730 				hck_flags = reass_hck_flags;
7731 
7732 				IP_CKSUM_RECV_REASS(hck_flags,
7733 				    (int32_t)(whereptr - (uchar_t *)mp->b_rptr),
7734 				    sum, reass_sum, cksum_err);
7735 			} else {
7736 				mp1 = mp->b_cont;
7737 
7738 				IP_CKSUM_RECV(hck_flags, sum, (uchar_t *)
7739 				    ((uchar_t *)mp->b_rptr + DB_CKSUMSTART(mp)),
7740 				    (int32_t)(whereptr - (uchar_t *)mp->b_rptr),
7741 				    mp, mp1, cksum_err);
7742 			}
7743 
7744 			if ((hck_flags & (HCK_FULLCKSUM|HCK_PARTIALCKSUM)) == 0)
7745 				IP6_STAT(ipst, ip6_in_sw_cksum);
7746 
7747 			if (cksum_err) {
7748 				BUMP_MIB(ill->ill_ip_mib,
7749 				    udpIfStatsInCksumErrs);
7750 
7751 				if (hck_flags & HCK_FULLCKSUM)
7752 					IP6_STAT(ipst,
7753 					    ip6_udp_in_full_hw_cksum_err);
7754 				else if (hck_flags & HCK_PARTIALCKSUM)
7755 					IP6_STAT(ipst,
7756 					    ip6_udp_in_part_hw_cksum_err);
7757 				else
7758 					IP6_STAT(ipst, ip6_udp_in_sw_cksum_err);
7759 
7760 				freemsg(first_mp);
7761 				return;
7762 			}
7763 			goto udp_fanout;
7764 		}
7765 		case IPPROTO_ICMPV6: {
7766 			uint16_t	*up;
7767 			uint32_t	sum;
7768 			uint_t		hdr_len = pkt_len - remlen;
7769 
7770 			if (hada_mp != NULL) {
7771 				ip0dbg(("icmp hada drop\n"));
7772 				goto hada_drop;
7773 			}
7774 
7775 			up = (uint16_t *)&ip6h->ip6_src;
7776 			sum = htons(IPPROTO_ICMPV6 + remlen) +
7777 			    up[0] + up[1] + up[2] + up[3] +
7778 			    up[4] + up[5] + up[6] + up[7] +
7779 			    up[8] + up[9] + up[10] + up[11] +
7780 			    up[12] + up[13] + up[14] + up[15];
7781 			sum = (sum & 0xffff) + (sum >> 16);
7782 			sum = IP_CSUM(mp, hdr_len, sum);
7783 			if (sum != 0) {
7784 				/* IPv6 ICMP checksum failed */
7785 				ip1dbg(("ip_rput_data_v6: ICMPv6 checksum "
7786 				    "failed %x\n",
7787 				    sum));
7788 				BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInMsgs);
7789 				BUMP_MIB(ill->ill_icmp6_mib,
7790 				    ipv6IfIcmpInErrors);
7791 				freemsg(first_mp);
7792 				return;
7793 			}
7794 
7795 		icmp_fanout:
7796 			/* Check variable for testing applications */
7797 			if (ipst->ips_ipv6_drop_inbound_icmpv6) {
7798 				freemsg(first_mp);
7799 				return;
7800 			}
7801 			/*
7802 			 * Assume that there is always at least one conn for
7803 			 * ICMPv6 (in.ndpd) i.e. don't optimize the case
7804 			 * where there is no conn.
7805 			 */
7806 			if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst)) {
7807 				ilm_t *ilm;
7808 				ilm_walker_t ilw;
7809 
7810 				ASSERT(!IS_LOOPBACK(ill));
7811 				/*
7812 				 * In the multicast case, applications may have
7813 				 * joined the group from different zones, so we
7814 				 * need to deliver the packet to each of them.
7815 				 * Loop through the multicast memberships
7816 				 * structures (ilm) on the receive ill and send
7817 				 * a copy of the packet up each matching one.
7818 				 */
7819 				ilm = ilm_walker_start(&ilw, inill);
7820 				for (; ilm != NULL;
7821 				    ilm = ilm_walker_step(&ilw, ilm)) {
7822 					if (!IN6_ARE_ADDR_EQUAL(
7823 					    &ilm->ilm_v6addr, &ip6h->ip6_dst))
7824 						continue;
7825 					if (!ipif_lookup_zoneid(
7826 					    ilw.ilw_walk_ill, ilm->ilm_zoneid,
7827 					    IPIF_UP, NULL))
7828 						continue;
7829 
7830 					first_mp1 = ip_copymsg(first_mp);
7831 					if (first_mp1 == NULL)
7832 						continue;
7833 					icmp_inbound_v6(q, first_mp1,
7834 					    ilw.ilw_walk_ill, inill,
7835 					    hdr_len, mctl_present, 0,
7836 					    ilm->ilm_zoneid, dl_mp);
7837 				}
7838 				ilm_walker_finish(&ilw);
7839 			} else {
7840 				first_mp1 = ip_copymsg(first_mp);
7841 				if (first_mp1 != NULL)
7842 					icmp_inbound_v6(q, first_mp1, ill,
7843 					    inill, hdr_len, mctl_present, 0,
7844 					    zoneid, dl_mp);
7845 			}
7846 		}
7847 			/* FALLTHRU */
7848 		default: {
7849 			/*
7850 			 * Handle protocols with which IPv6 is less intimate.
7851 			 */
7852 			uint_t proto_flags = IP_FF_RAWIP|IP_FF_IPINFO;
7853 
7854 			if (hada_mp != NULL) {
7855 				ip0dbg(("default hada drop\n"));
7856 				goto hada_drop;
7857 			}
7858 
7859 			/*
7860 			 * Enable sending ICMP for "Unknown" nexthdr
7861 			 * case. i.e. where we did not FALLTHRU from
7862 			 * IPPROTO_ICMPV6 processing case above.
7863 			 * If we did FALLTHRU, then the packet has already been
7864 			 * processed for IPPF, don't process it again in
7865 			 * ip_fanout_proto_v6; set IP6_NO_IPPOLICY in the
7866 			 * flags
7867 			 */
7868 			if (nexthdr != IPPROTO_ICMPV6)
7869 				proto_flags |= IP_FF_SEND_ICMP;
7870 			else
7871 				proto_flags |= IP6_NO_IPPOLICY;
7872 
7873 			ip_fanout_proto_v6(q, first_mp, ip6h, ill, inill,
7874 			    nexthdr, prev_nexthdr_offset, (flags|proto_flags),
7875 			    mctl_present, zoneid);
7876 			return;
7877 		}
7878 
7879 		case IPPROTO_DSTOPTS: {
7880 			uint_t ehdrlen;
7881 			uint8_t *optptr;
7882 			ip6_dest_t *desthdr;
7883 
7884 			/* If packet is too short, look no further */
7885 			if (remlen < MIN_EHDR_LEN)
7886 				goto pkt_too_short;
7887 
7888 			/* Check if AH is present. */
7889 			if (ipsec_early_ah_v6(q, first_mp, mctl_present, ill,
7890 			    inill, hada_mp, zoneid)) {
7891 				return;
7892 			}
7893 
7894 			/*
7895 			 * Reinitialize pointers, as ipsec_early_ah_v6() does
7896 			 * complete pullups.  We don't have to do more pullups
7897 			 * as a result.
7898 			 */
7899 			whereptr = (uint8_t *)((uintptr_t)mp->b_rptr +
7900 			    (uintptr_t)(whereptr - ((uint8_t *)ip6h)));
7901 			ip6h = (ip6_t *)mp->b_rptr;
7902 
7903 			desthdr = (ip6_dest_t *)whereptr;
7904 			nexthdr = desthdr->ip6d_nxt;
7905 			prev_nexthdr_offset = (uint_t)(whereptr -
7906 			    (uint8_t *)ip6h);
7907 			ehdrlen = 8 * (desthdr->ip6d_len + 1);
7908 			if (remlen < ehdrlen)
7909 				goto pkt_too_short;
7910 			optptr = whereptr + 2;
7911 			/*
7912 			 * Note: XXX This code does not seem to make
7913 			 * distinction between Destination Options Header
7914 			 * being before/after Routing Header which can
7915 			 * happen if we are at the end of source route.
7916 			 * This may become significant in future.
7917 			 * (No real significant Destination Options are
7918 			 * defined/implemented yet ).
7919 			 */
7920 			switch (ip_process_options_v6(q, first_mp, ip6h, optptr,
7921 			    ehdrlen - 2, IPPROTO_DSTOPTS, ipst)) {
7922 			case -1:
7923 				/*
7924 				 * Packet has been consumed and any needed
7925 				 * ICMP errors sent.
7926 				 */
7927 				BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
7928 				freemsg(hada_mp);
7929 				return;
7930 			case 0:
7931 				/* No action needed  continue */
7932 				break;
7933 			case 1:
7934 				/*
7935 				 * Unnexpected return value
7936 				 * (Router alert is a Hop-by-Hop option)
7937 				 */
7938 #ifdef DEBUG
7939 				panic("ip_rput_data_v6: router "
7940 				    "alert hbh opt indication in dest opt");
7941 				/*NOTREACHED*/
7942 #else
7943 				freemsg(hada_mp);
7944 				freemsg(first_mp);
7945 				BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
7946 				return;
7947 #endif
7948 			}
7949 			used = ehdrlen;
7950 			break;
7951 		}
7952 		case IPPROTO_FRAGMENT: {
7953 			ip6_frag_t *fraghdr;
7954 			size_t no_frag_hdr_len;
7955 
7956 			if (hada_mp != NULL) {
7957 				ip0dbg(("frag hada drop\n"));
7958 				goto hada_drop;
7959 			}
7960 
7961 			ASSERT(first_mp == mp);
7962 			if (remlen < sizeof (ip6_frag_t))
7963 				goto pkt_too_short;
7964 
7965 			if (mp->b_cont != NULL &&
7966 			    whereptr + sizeof (ip6_frag_t) > mp->b_wptr) {
7967 				if (!pullupmsg(mp,
7968 				    pkt_len - remlen + sizeof (ip6_frag_t))) {
7969 					BUMP_MIB(ill->ill_ip_mib,
7970 					    ipIfStatsInDiscards);
7971 					freemsg(mp);
7972 					return;
7973 				}
7974 				hck_flags = 0;
7975 				ip6h = (ip6_t *)mp->b_rptr;
7976 				whereptr = (uint8_t *)ip6h + pkt_len - remlen;
7977 			}
7978 
7979 			fraghdr = (ip6_frag_t *)whereptr;
7980 			used = (uint_t)sizeof (ip6_frag_t);
7981 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsReasmReqds);
7982 
7983 			/*
7984 			 * Invoke the CGTP (multirouting) filtering module to
7985 			 * process the incoming packet. Packets identified as
7986 			 * duplicates must be discarded. Filtering is active
7987 			 * only if the the ip_cgtp_filter ndd variable is
7988 			 * non-zero.
7989 			 */
7990 			if (ipst->ips_ip_cgtp_filter &&
7991 			    ipst->ips_ip_cgtp_filter_ops != NULL) {
7992 				int cgtp_flt_pkt;
7993 				netstackid_t stackid;
7994 
7995 				stackid = ipst->ips_netstack->netstack_stackid;
7996 
7997 				cgtp_flt_pkt =
7998 				    ipst->ips_ip_cgtp_filter_ops->cfo_filter_v6(
7999 				    stackid, inill->ill_phyint->phyint_ifindex,
8000 				    ip6h, fraghdr);
8001 				if (cgtp_flt_pkt == CGTP_IP_PKT_DUPLICATE) {
8002 					freemsg(mp);
8003 					return;
8004 				}
8005 			}
8006 
8007 			/* Restore the flags */
8008 			DB_CKSUMFLAGS(mp) = hck_flags;
8009 
8010 			mp = ip_rput_frag_v6(ill, inill, mp, ip6h, fraghdr,
8011 			    remlen - used, &prev_nexthdr_offset,
8012 			    &reass_sum, &reass_hck_flags);
8013 			if (mp == NULL) {
8014 				/* Reassembly is still pending */
8015 				return;
8016 			}
8017 			/* The first mblk are the headers before the frag hdr */
8018 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsReasmOKs);
8019 
8020 			first_mp = mp;	/* mp has most likely changed! */
8021 			no_frag_hdr_len = mp->b_wptr - mp->b_rptr;
8022 			ip6h = (ip6_t *)mp->b_rptr;
8023 			nexthdr = ((char *)ip6h)[prev_nexthdr_offset];
8024 			whereptr = mp->b_rptr + no_frag_hdr_len;
8025 			remlen = ntohs(ip6h->ip6_plen)  +
8026 			    (uint16_t)(IPV6_HDR_LEN - no_frag_hdr_len);
8027 			pkt_len = msgdsize(mp);
8028 			used = 0;
8029 			break;
8030 		}
8031 		case IPPROTO_HOPOPTS: {
8032 			if (hada_mp != NULL) {
8033 				ip0dbg(("hop hada drop\n"));
8034 				goto hada_drop;
8035 			}
8036 			/*
8037 			 * Illegal header sequence.
8038 			 * (Hop-by-hop headers are processed above
8039 			 *  and required to immediately follow IPv6 header)
8040 			 */
8041 			icmp_param_problem_v6(WR(q), first_mp,
8042 			    ICMP6_PARAMPROB_NEXTHEADER,
8043 			    prev_nexthdr_offset,
8044 			    B_FALSE, B_FALSE, zoneid, ipst);
8045 			return;
8046 		}
8047 		case IPPROTO_ROUTING: {
8048 			uint_t ehdrlen;
8049 			ip6_rthdr_t *rthdr;
8050 
8051 			/* If packet is too short, look no further */
8052 			if (remlen < MIN_EHDR_LEN)
8053 				goto pkt_too_short;
8054 
8055 			/* Check if AH is present. */
8056 			if (ipsec_early_ah_v6(q, first_mp, mctl_present, ill,
8057 			    inill, hada_mp, zoneid)) {
8058 				return;
8059 			}
8060 
8061 			/*
8062 			 * Reinitialize pointers, as ipsec_early_ah_v6() does
8063 			 * complete pullups.  We don't have to do more pullups
8064 			 * as a result.
8065 			 */
8066 			whereptr = (uint8_t *)((uintptr_t)mp->b_rptr +
8067 			    (uintptr_t)(whereptr - ((uint8_t *)ip6h)));
8068 			ip6h = (ip6_t *)mp->b_rptr;
8069 
8070 			rthdr = (ip6_rthdr_t *)whereptr;
8071 			nexthdr = rthdr->ip6r_nxt;
8072 			prev_nexthdr_offset = (uint_t)(whereptr -
8073 			    (uint8_t *)ip6h);
8074 			ehdrlen = 8 * (rthdr->ip6r_len + 1);
8075 			if (remlen < ehdrlen)
8076 				goto pkt_too_short;
8077 			if (rthdr->ip6r_segleft != 0) {
8078 				/* Not end of source route */
8079 				if (ll_multicast) {
8080 					BUMP_MIB(ill->ill_ip_mib,
8081 					    ipIfStatsForwProhibits);
8082 					freemsg(hada_mp);
8083 					freemsg(mp);
8084 					return;
8085 				}
8086 				ip_process_rthdr(q, mp, ip6h, rthdr, ill,
8087 				    flags, hada_mp, dl_mp);
8088 				return;
8089 			}
8090 			used = ehdrlen;
8091 			break;
8092 		}
8093 		case IPPROTO_AH:
8094 		case IPPROTO_ESP: {
8095 			/*
8096 			 * Fast path for AH/ESP. If this is the first time
8097 			 * we are sending a datagram to AH/ESP, allocate
8098 			 * a IPSEC_IN message and prepend it. Otherwise,
8099 			 * just fanout.
8100 			 */
8101 
8102 			ipsec_in_t *ii;
8103 			int ipsec_rc;
8104 			ipsec_stack_t *ipss;
8105 
8106 			ipss = ipst->ips_netstack->netstack_ipsec;
8107 			if (!mctl_present) {
8108 				ASSERT(first_mp == mp);
8109 				first_mp = ipsec_in_alloc(B_FALSE,
8110 				    ipst->ips_netstack);
8111 				if (first_mp == NULL) {
8112 					ip1dbg(("ip_rput_data_v6: IPSEC_IN "
8113 					    "allocation failure.\n"));
8114 					BUMP_MIB(ill->ill_ip_mib,
8115 					    ipIfStatsInDiscards);
8116 					freemsg(mp);
8117 					return;
8118 				}
8119 				/*
8120 				 * Store the ill_index so that when we come back
8121 				 * from IPSEC we ride on the same queue.
8122 				 */
8123 				ii = (ipsec_in_t *)first_mp->b_rptr;
8124 				ii->ipsec_in_ill_index =
8125 				    ill->ill_phyint->phyint_ifindex;
8126 				ii->ipsec_in_rill_index =
8127 				    inill->ill_phyint->phyint_ifindex;
8128 				first_mp->b_cont = mp;
8129 				/*
8130 				 * Cache hardware acceleration info.
8131 				 */
8132 				if (hada_mp != NULL) {
8133 					IPSECHW_DEBUG(IPSECHW_PKT,
8134 					    ("ip_rput_data_v6: "
8135 					    "caching data attr.\n"));
8136 					ii->ipsec_in_accelerated = B_TRUE;
8137 					ii->ipsec_in_da = hada_mp;
8138 					hada_mp = NULL;
8139 				}
8140 			} else {
8141 				ii = (ipsec_in_t *)first_mp->b_rptr;
8142 			}
8143 
8144 			if (!ipsec_loaded(ipss)) {
8145 				ip_proto_not_sup(q, first_mp, IP_FF_SEND_ICMP,
8146 				    zoneid, ipst);
8147 				return;
8148 			}
8149 
8150 			/* select inbound SA and have IPsec process the pkt */
8151 			if (nexthdr == IPPROTO_ESP) {
8152 				esph_t *esph = ipsec_inbound_esp_sa(first_mp,
8153 				    ipst->ips_netstack);
8154 				if (esph == NULL)
8155 					return;
8156 				ASSERT(ii->ipsec_in_esp_sa != NULL);
8157 				ASSERT(ii->ipsec_in_esp_sa->ipsa_input_func !=
8158 				    NULL);
8159 				ipsec_rc = ii->ipsec_in_esp_sa->ipsa_input_func(
8160 				    first_mp, esph);
8161 			} else {
8162 				ah_t *ah = ipsec_inbound_ah_sa(first_mp,
8163 				    ipst->ips_netstack);
8164 				if (ah == NULL)
8165 					return;
8166 				ASSERT(ii->ipsec_in_ah_sa != NULL);
8167 				ASSERT(ii->ipsec_in_ah_sa->ipsa_input_func !=
8168 				    NULL);
8169 				ipsec_rc = ii->ipsec_in_ah_sa->ipsa_input_func(
8170 				    first_mp, ah);
8171 			}
8172 
8173 			switch (ipsec_rc) {
8174 			case IPSEC_STATUS_SUCCESS:
8175 				break;
8176 			case IPSEC_STATUS_FAILED:
8177 				BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
8178 				/* FALLTHRU */
8179 			case IPSEC_STATUS_PENDING:
8180 				return;
8181 			}
8182 			/* we're done with IPsec processing, send it up */
8183 			ip_fanout_proto_again(first_mp, ill, inill, NULL);
8184 			return;
8185 		}
8186 		case IPPROTO_NONE:
8187 			/* All processing is done. Count as "delivered". */
8188 			freemsg(hada_mp);
8189 			freemsg(first_mp);
8190 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
8191 			return;
8192 		}
8193 		whereptr += used;
8194 		ASSERT(remlen >= used);
8195 		remlen -= used;
8196 	}
8197 	/* NOTREACHED */
8198 
8199 pkt_too_short:
8200 	ip1dbg(("ip_rput_data_v6: packet too short %d %lu %d\n",
8201 	    ip6_len, pkt_len, remlen));
8202 	BUMP_MIB(ill->ill_ip_mib, ipIfStatsInTruncatedPkts);
8203 	freemsg(hada_mp);
8204 	freemsg(first_mp);
8205 	return;
8206 udp_fanout:
8207 	if (mctl_present || IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst)) {
8208 		connp = NULL;
8209 	} else {
8210 		connp = ipcl_classify_v6(mp, IPPROTO_UDP, hdr_len, zoneid,
8211 		    ipst);
8212 		if ((connp != NULL) && (connp->conn_upq == NULL)) {
8213 			CONN_DEC_REF(connp);
8214 			connp = NULL;
8215 		}
8216 	}
8217 
8218 	if (connp == NULL) {
8219 		uint32_t	ports;
8220 
8221 		ports = *(uint32_t *)(mp->b_rptr + hdr_len +
8222 		    UDP_PORTS_OFFSET);
8223 		IP6_STAT(ipst, ip6_udp_slow_path);
8224 		ip_fanout_udp_v6(q, first_mp, ip6h, ports, ill, inill,
8225 		    (flags|IP_FF_SEND_ICMP|IP_FF_IPINFO), mctl_present,
8226 		    zoneid);
8227 		return;
8228 	}
8229 
8230 	if ((IPCL_IS_NONSTR(connp) && PROTO_FLOW_CNTRLD(connp)) ||
8231 	    (!IPCL_IS_NONSTR(connp) && CONN_UDP_FLOWCTLD(connp))) {
8232 		freemsg(first_mp);
8233 		BUMP_MIB(ill->ill_ip_mib, udpIfStatsInOverflows);
8234 		CONN_DEC_REF(connp);
8235 		return;
8236 	}
8237 
8238 	/* Initiate IPPF processing */
8239 	if (IP6_IN_IPP(flags, ipst)) {
8240 		ip_process(IPP_LOCAL_IN, &mp, ill->ill_phyint->phyint_ifindex);
8241 		if (mp == NULL) {
8242 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
8243 			CONN_DEC_REF(connp);
8244 			return;
8245 		}
8246 	}
8247 
8248 	if (connp->conn_ip_recvpktinfo ||
8249 	    IN6_IS_ADDR_LINKLOCAL(&ip6h->ip6_src)) {
8250 		mp = ip_add_info_v6(mp, inill, &ip6h->ip6_dst);
8251 		if (mp == NULL) {
8252 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
8253 			CONN_DEC_REF(connp);
8254 			return;
8255 		}
8256 	}
8257 
8258 	IP6_STAT(ipst, ip6_udp_fast_path);
8259 	BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
8260 
8261 	/* Send it upstream */
8262 	(connp->conn_recv)(connp, mp, NULL);
8263 
8264 	CONN_DEC_REF(connp);
8265 	freemsg(hada_mp);
8266 	return;
8267 
8268 hada_drop:
8269 	ip1dbg(("ip_rput_data_v6: malformed accelerated packet\n"));
8270 	/* IPsec kstats: bump counter here */
8271 	freemsg(hada_mp);
8272 	freemsg(first_mp);
8273 }
8274 
8275 /*
8276  * Reassemble fragment.
8277  * When it returns a completed message the first mblk will only contain
8278  * the headers prior to the fragment header.
8279  *
8280  * prev_nexthdr_offset is an offset indication of where the nexthdr field is
8281  * of the preceding header.  This is needed to patch the previous header's
8282  * nexthdr field when reassembly completes.
8283  */
8284 static mblk_t *
8285 ip_rput_frag_v6(ill_t *ill, ill_t *inill, mblk_t *mp, ip6_t *ip6h,
8286     ip6_frag_t *fraghdr, uint_t remlen, uint_t *prev_nexthdr_offset,
8287     uint32_t *cksum_val, uint16_t *cksum_flags)
8288 {
8289 	uint32_t	ident = ntohl(fraghdr->ip6f_ident);
8290 	uint16_t	offset;
8291 	boolean_t	more_frags;
8292 	uint8_t		nexthdr = fraghdr->ip6f_nxt;
8293 	in6_addr_t	*v6dst_ptr;
8294 	in6_addr_t	*v6src_ptr;
8295 	uint_t		end;
8296 	uint_t		hdr_length;
8297 	size_t		count;
8298 	ipf_t		*ipf;
8299 	ipf_t		**ipfp;
8300 	ipfb_t		*ipfb;
8301 	mblk_t		*mp1;
8302 	uint8_t		ecn_info = 0;
8303 	size_t		msg_len;
8304 	mblk_t		*tail_mp;
8305 	mblk_t		*t_mp;
8306 	boolean_t	pruned = B_FALSE;
8307 	uint32_t	sum_val;
8308 	uint16_t	sum_flags;
8309 	ip_stack_t	*ipst = ill->ill_ipst;
8310 
8311 	if (cksum_val != NULL)
8312 		*cksum_val = 0;
8313 	if (cksum_flags != NULL)
8314 		*cksum_flags = 0;
8315 
8316 	/*
8317 	 * We utilize hardware computed checksum info only for UDP since
8318 	 * IP fragmentation is a normal occurence for the protocol.  In
8319 	 * addition, checksum offload support for IP fragments carrying
8320 	 * UDP payload is commonly implemented across network adapters.
8321 	 */
8322 	ASSERT(inill != NULL);
8323 	if (nexthdr == IPPROTO_UDP && dohwcksum && ILL_HCKSUM_CAPABLE(inill) &&
8324 	    (DB_CKSUMFLAGS(mp) & (HCK_FULLCKSUM | HCK_PARTIALCKSUM))) {
8325 		mblk_t *mp1 = mp->b_cont;
8326 		int32_t len;
8327 
8328 		/* Record checksum information from the packet */
8329 		sum_val = (uint32_t)DB_CKSUM16(mp);
8330 		sum_flags = DB_CKSUMFLAGS(mp);
8331 
8332 		/* fragmented payload offset from beginning of mblk */
8333 		offset = (uint16_t)((uchar_t *)&fraghdr[1] - mp->b_rptr);
8334 
8335 		if ((sum_flags & HCK_PARTIALCKSUM) &&
8336 		    (mp1 == NULL || mp1->b_cont == NULL) &&
8337 		    offset >= (uint16_t)DB_CKSUMSTART(mp) &&
8338 		    ((len = offset - (uint16_t)DB_CKSUMSTART(mp)) & 1) == 0) {
8339 			uint32_t adj;
8340 			/*
8341 			 * Partial checksum has been calculated by hardware
8342 			 * and attached to the packet; in addition, any
8343 			 * prepended extraneous data is even byte aligned.
8344 			 * If any such data exists, we adjust the checksum;
8345 			 * this would also handle any postpended data.
8346 			 */
8347 			IP_ADJCKSUM_PARTIAL(mp->b_rptr + DB_CKSUMSTART(mp),
8348 			    mp, mp1, len, adj);
8349 
8350 			/* One's complement subtract extraneous checksum */
8351 			if (adj >= sum_val)
8352 				sum_val = ~(adj - sum_val) & 0xFFFF;
8353 			else
8354 				sum_val -= adj;
8355 		}
8356 	} else {
8357 		sum_val = 0;
8358 		sum_flags = 0;
8359 	}
8360 
8361 	/* Clear hardware checksumming flag */
8362 	DB_CKSUMFLAGS(mp) = 0;
8363 
8364 	/*
8365 	 * Note: Fragment offset in header is in 8-octet units.
8366 	 * Clearing least significant 3 bits not only extracts
8367 	 * it but also gets it in units of octets.
8368 	 */
8369 	offset = ntohs(fraghdr->ip6f_offlg) & ~7;
8370 	more_frags = (fraghdr->ip6f_offlg & IP6F_MORE_FRAG);
8371 
8372 	/*
8373 	 * Is the more frags flag on and the payload length not a multiple
8374 	 * of eight?
8375 	 */
8376 	if (more_frags && (ntohs(ip6h->ip6_plen) & 7)) {
8377 		zoneid_t zoneid;
8378 
8379 		BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
8380 		zoneid = ipif_lookup_addr_zoneid_v6(&ip6h->ip6_dst, ill, ipst);
8381 		if (zoneid == ALL_ZONES) {
8382 			freemsg(mp);
8383 			return (NULL);
8384 		}
8385 		icmp_param_problem_v6(ill->ill_wq, mp, ICMP6_PARAMPROB_HEADER,
8386 		    (uint32_t)((char *)&ip6h->ip6_plen -
8387 		    (char *)ip6h), B_FALSE, B_FALSE, zoneid, ipst);
8388 		return (NULL);
8389 	}
8390 
8391 	v6src_ptr = &ip6h->ip6_src;
8392 	v6dst_ptr = &ip6h->ip6_dst;
8393 	end = remlen;
8394 
8395 	hdr_length = (uint_t)((char *)&fraghdr[1] - (char *)ip6h);
8396 	end += offset;
8397 
8398 	/*
8399 	 * Would fragment cause reassembled packet to have a payload length
8400 	 * greater than IP_MAXPACKET - the max payload size?
8401 	 */
8402 	if (end > IP_MAXPACKET) {
8403 		zoneid_t	zoneid;
8404 
8405 		BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
8406 		zoneid = ipif_lookup_addr_zoneid_v6(&ip6h->ip6_dst, ill, ipst);
8407 		if (zoneid == ALL_ZONES) {
8408 			freemsg(mp);
8409 			return (NULL);
8410 		}
8411 		icmp_param_problem_v6(ill->ill_wq, mp, ICMP6_PARAMPROB_HEADER,
8412 		    (uint32_t)((char *)&fraghdr->ip6f_offlg -
8413 		    (char *)ip6h), B_FALSE, B_FALSE, zoneid, ipst);
8414 		return (NULL);
8415 	}
8416 
8417 	/*
8418 	 * This packet just has one fragment. Reassembly not
8419 	 * needed.
8420 	 */
8421 	if (!more_frags && offset == 0) {
8422 		goto reass_done;
8423 	}
8424 
8425 	/*
8426 	 * Drop the fragmented as early as possible, if
8427 	 * we don't have resource(s) to re-assemble.
8428 	 */
8429 	if (ipst->ips_ip_reass_queue_bytes == 0) {
8430 		freemsg(mp);
8431 		return (NULL);
8432 	}
8433 
8434 	/* Record the ECN field info. */
8435 	ecn_info = (uint8_t)(ntohl(ip6h->ip6_vcf & htonl(~0xFFCFFFFF)) >> 20);
8436 	/*
8437 	 * If this is not the first fragment, dump the unfragmentable
8438 	 * portion of the packet.
8439 	 */
8440 	if (offset)
8441 		mp->b_rptr = (uchar_t *)&fraghdr[1];
8442 
8443 	/*
8444 	 * Fragmentation reassembly.  Each ILL has a hash table for
8445 	 * queueing packets undergoing reassembly for all IPIFs
8446 	 * associated with the ILL.  The hash is based on the packet
8447 	 * IP ident field.  The ILL frag hash table was allocated
8448 	 * as a timer block at the time the ILL was created.  Whenever
8449 	 * there is anything on the reassembly queue, the timer will
8450 	 * be running.
8451 	 */
8452 	msg_len = MBLKSIZE(mp);
8453 	tail_mp = mp;
8454 	while (tail_mp->b_cont != NULL) {
8455 		tail_mp = tail_mp->b_cont;
8456 		msg_len += MBLKSIZE(tail_mp);
8457 	}
8458 	/*
8459 	 * If the reassembly list for this ILL will get too big
8460 	 * prune it.
8461 	 */
8462 
8463 	if ((msg_len + sizeof (*ipf) + ill->ill_frag_count) >=
8464 	    ipst->ips_ip_reass_queue_bytes) {
8465 		ill_frag_prune(ill,
8466 		    (ipst->ips_ip_reass_queue_bytes < msg_len) ? 0 :
8467 		    (ipst->ips_ip_reass_queue_bytes - msg_len));
8468 		pruned = B_TRUE;
8469 	}
8470 
8471 	ipfb = &ill->ill_frag_hash_tbl[ILL_FRAG_HASH_V6(*v6src_ptr, ident)];
8472 	mutex_enter(&ipfb->ipfb_lock);
8473 
8474 	ipfp = &ipfb->ipfb_ipf;
8475 	/* Try to find an existing fragment queue for this packet. */
8476 	for (;;) {
8477 		ipf = ipfp[0];
8478 		if (ipf) {
8479 			/*
8480 			 * It has to match on ident, source address, and
8481 			 * dest address.
8482 			 */
8483 			if (ipf->ipf_ident == ident &&
8484 			    IN6_ARE_ADDR_EQUAL(&ipf->ipf_v6src, v6src_ptr) &&
8485 			    IN6_ARE_ADDR_EQUAL(&ipf->ipf_v6dst, v6dst_ptr)) {
8486 
8487 				/*
8488 				 * If we have received too many
8489 				 * duplicate fragments for this packet
8490 				 * free it.
8491 				 */
8492 				if (ipf->ipf_num_dups > ip_max_frag_dups) {
8493 					ill_frag_free_pkts(ill, ipfb, ipf, 1);
8494 					freemsg(mp);
8495 					mutex_exit(&ipfb->ipfb_lock);
8496 					return (NULL);
8497 				}
8498 
8499 				break;
8500 			}
8501 			ipfp = &ipf->ipf_hash_next;
8502 			continue;
8503 		}
8504 
8505 
8506 		/*
8507 		 * If we pruned the list, do we want to store this new
8508 		 * fragment?. We apply an optimization here based on the
8509 		 * fact that most fragments will be received in order.
8510 		 * So if the offset of this incoming fragment is zero,
8511 		 * it is the first fragment of a new packet. We will
8512 		 * keep it.  Otherwise drop the fragment, as we have
8513 		 * probably pruned the packet already (since the
8514 		 * packet cannot be found).
8515 		 */
8516 
8517 		if (pruned && offset != 0) {
8518 			mutex_exit(&ipfb->ipfb_lock);
8519 			freemsg(mp);
8520 			return (NULL);
8521 		}
8522 
8523 		/* New guy.  Allocate a frag message. */
8524 		mp1 = allocb(sizeof (*ipf), BPRI_MED);
8525 		if (!mp1) {
8526 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
8527 			freemsg(mp);
8528 	partial_reass_done:
8529 			mutex_exit(&ipfb->ipfb_lock);
8530 			return (NULL);
8531 		}
8532 
8533 		if (ipfb->ipfb_frag_pkts >= MAX_FRAG_PKTS(ipst))  {
8534 			/*
8535 			 * Too many fragmented packets in this hash bucket.
8536 			 * Free the oldest.
8537 			 */
8538 			ill_frag_free_pkts(ill, ipfb, ipfb->ipfb_ipf, 1);
8539 		}
8540 
8541 		mp1->b_cont = mp;
8542 
8543 		/* Initialize the fragment header. */
8544 		ipf = (ipf_t *)mp1->b_rptr;
8545 		ipf->ipf_mp = mp1;
8546 		ipf->ipf_ptphn = ipfp;
8547 		ipfp[0] = ipf;
8548 		ipf->ipf_hash_next = NULL;
8549 		ipf->ipf_ident = ident;
8550 		ipf->ipf_v6src = *v6src_ptr;
8551 		ipf->ipf_v6dst = *v6dst_ptr;
8552 		/* Record reassembly start time. */
8553 		ipf->ipf_timestamp = gethrestime_sec();
8554 		/* Record ipf generation and account for frag header */
8555 		ipf->ipf_gen = ill->ill_ipf_gen++;
8556 		ipf->ipf_count = MBLKSIZE(mp1);
8557 		ipf->ipf_protocol = nexthdr;
8558 		ipf->ipf_nf_hdr_len = 0;
8559 		ipf->ipf_prev_nexthdr_offset = 0;
8560 		ipf->ipf_last_frag_seen = B_FALSE;
8561 		ipf->ipf_ecn = ecn_info;
8562 		ipf->ipf_num_dups = 0;
8563 		ipfb->ipfb_frag_pkts++;
8564 		ipf->ipf_checksum = 0;
8565 		ipf->ipf_checksum_flags = 0;
8566 
8567 		/* Store checksum value in fragment header */
8568 		if (sum_flags != 0) {
8569 			sum_val = (sum_val & 0xFFFF) + (sum_val >> 16);
8570 			sum_val = (sum_val & 0xFFFF) + (sum_val >> 16);
8571 			ipf->ipf_checksum = sum_val;
8572 			ipf->ipf_checksum_flags = sum_flags;
8573 		}
8574 
8575 		/*
8576 		 * We handle reassembly two ways.  In the easy case,
8577 		 * where all the fragments show up in order, we do
8578 		 * minimal bookkeeping, and just clip new pieces on
8579 		 * the end.  If we ever see a hole, then we go off
8580 		 * to ip_reassemble which has to mark the pieces and
8581 		 * keep track of the number of holes, etc.  Obviously,
8582 		 * the point of having both mechanisms is so we can
8583 		 * handle the easy case as efficiently as possible.
8584 		 */
8585 		if (offset == 0) {
8586 			/* Easy case, in-order reassembly so far. */
8587 			/* Update the byte count */
8588 			ipf->ipf_count += msg_len;
8589 			ipf->ipf_tail_mp = tail_mp;
8590 			/*
8591 			 * Keep track of next expected offset in
8592 			 * ipf_end.
8593 			 */
8594 			ipf->ipf_end = end;
8595 			ipf->ipf_nf_hdr_len = hdr_length;
8596 			ipf->ipf_prev_nexthdr_offset = *prev_nexthdr_offset;
8597 		} else {
8598 			/* Hard case, hole at the beginning. */
8599 			ipf->ipf_tail_mp = NULL;
8600 			/*
8601 			 * ipf_end == 0 means that we have given up
8602 			 * on easy reassembly.
8603 			 */
8604 			ipf->ipf_end = 0;
8605 
8606 			/* Forget checksum offload from now on */
8607 			ipf->ipf_checksum_flags = 0;
8608 
8609 			/*
8610 			 * ipf_hole_cnt is set by ip_reassemble.
8611 			 * ipf_count is updated by ip_reassemble.
8612 			 * No need to check for return value here
8613 			 * as we don't expect reassembly to complete or
8614 			 * fail for the first fragment itself.
8615 			 */
8616 			(void) ip_reassemble(mp, ipf, offset, more_frags, ill,
8617 			    msg_len);
8618 		}
8619 		/* Update per ipfb and ill byte counts */
8620 		ipfb->ipfb_count += ipf->ipf_count;
8621 		ASSERT(ipfb->ipfb_count > 0);	/* Wraparound */
8622 		atomic_add_32(&ill->ill_frag_count, ipf->ipf_count);
8623 		/* If the frag timer wasn't already going, start it. */
8624 		mutex_enter(&ill->ill_lock);
8625 		ill_frag_timer_start(ill);
8626 		mutex_exit(&ill->ill_lock);
8627 		goto partial_reass_done;
8628 	}
8629 
8630 	/*
8631 	 * If the packet's flag has changed (it could be coming up
8632 	 * from an interface different than the previous, therefore
8633 	 * possibly different checksum capability), then forget about
8634 	 * any stored checksum states.  Otherwise add the value to
8635 	 * the existing one stored in the fragment header.
8636 	 */
8637 	if (sum_flags != 0 && sum_flags == ipf->ipf_checksum_flags) {
8638 		sum_val += ipf->ipf_checksum;
8639 		sum_val = (sum_val & 0xFFFF) + (sum_val >> 16);
8640 		sum_val = (sum_val & 0xFFFF) + (sum_val >> 16);
8641 		ipf->ipf_checksum = sum_val;
8642 	} else if (ipf->ipf_checksum_flags != 0) {
8643 		/* Forget checksum offload from now on */
8644 		ipf->ipf_checksum_flags = 0;
8645 	}
8646 
8647 	/*
8648 	 * We have a new piece of a datagram which is already being
8649 	 * reassembled.  Update the ECN info if all IP fragments
8650 	 * are ECN capable.  If there is one which is not, clear
8651 	 * all the info.  If there is at least one which has CE
8652 	 * code point, IP needs to report that up to transport.
8653 	 */
8654 	if (ecn_info != IPH_ECN_NECT && ipf->ipf_ecn != IPH_ECN_NECT) {
8655 		if (ecn_info == IPH_ECN_CE)
8656 			ipf->ipf_ecn = IPH_ECN_CE;
8657 	} else {
8658 		ipf->ipf_ecn = IPH_ECN_NECT;
8659 	}
8660 
8661 	if (offset && ipf->ipf_end == offset) {
8662 		/* The new fragment fits at the end */
8663 		ipf->ipf_tail_mp->b_cont = mp;
8664 		/* Update the byte count */
8665 		ipf->ipf_count += msg_len;
8666 		/* Update per ipfb and ill byte counts */
8667 		ipfb->ipfb_count += msg_len;
8668 		ASSERT(ipfb->ipfb_count > 0);	/* Wraparound */
8669 		atomic_add_32(&ill->ill_frag_count, msg_len);
8670 		if (more_frags) {
8671 			/* More to come. */
8672 			ipf->ipf_end = end;
8673 			ipf->ipf_tail_mp = tail_mp;
8674 			goto partial_reass_done;
8675 		}
8676 	} else {
8677 		/*
8678 		 * Go do the hard cases.
8679 		 * Call ip_reassemble().
8680 		 */
8681 		int ret;
8682 
8683 		if (offset == 0) {
8684 			if (ipf->ipf_prev_nexthdr_offset == 0) {
8685 				ipf->ipf_nf_hdr_len = hdr_length;
8686 				ipf->ipf_prev_nexthdr_offset =
8687 				    *prev_nexthdr_offset;
8688 			}
8689 		}
8690 		/* Save current byte count */
8691 		count = ipf->ipf_count;
8692 		ret = ip_reassemble(mp, ipf, offset, more_frags, ill, msg_len);
8693 
8694 		/* Count of bytes added and subtracted (freeb()ed) */
8695 		count = ipf->ipf_count - count;
8696 		if (count) {
8697 			/* Update per ipfb and ill byte counts */
8698 			ipfb->ipfb_count += count;
8699 			ASSERT(ipfb->ipfb_count > 0);	/* Wraparound */
8700 			atomic_add_32(&ill->ill_frag_count, count);
8701 		}
8702 		if (ret == IP_REASS_PARTIAL) {
8703 			goto partial_reass_done;
8704 		} else if (ret == IP_REASS_FAILED) {
8705 			/* Reassembly failed. Free up all resources */
8706 			ill_frag_free_pkts(ill, ipfb, ipf, 1);
8707 			for (t_mp = mp; t_mp != NULL; t_mp = t_mp->b_cont) {
8708 				IP_REASS_SET_START(t_mp, 0);
8709 				IP_REASS_SET_END(t_mp, 0);
8710 			}
8711 			freemsg(mp);
8712 			goto partial_reass_done;
8713 		}
8714 
8715 		/* We will reach here iff 'ret' is IP_REASS_COMPLETE */
8716 	}
8717 	/*
8718 	 * We have completed reassembly.  Unhook the frag header from
8719 	 * the reassembly list.
8720 	 *
8721 	 * Grab the unfragmentable header length next header value out
8722 	 * of the first fragment
8723 	 */
8724 	ASSERT(ipf->ipf_nf_hdr_len != 0);
8725 	hdr_length = ipf->ipf_nf_hdr_len;
8726 
8727 	/*
8728 	 * Before we free the frag header, record the ECN info
8729 	 * to report back to the transport.
8730 	 */
8731 	ecn_info = ipf->ipf_ecn;
8732 
8733 	/*
8734 	 * Store the nextheader field in the header preceding the fragment
8735 	 * header
8736 	 */
8737 	nexthdr = ipf->ipf_protocol;
8738 	*prev_nexthdr_offset = ipf->ipf_prev_nexthdr_offset;
8739 	ipfp = ipf->ipf_ptphn;
8740 
8741 	/* We need to supply these to caller */
8742 	if ((sum_flags = ipf->ipf_checksum_flags) != 0)
8743 		sum_val = ipf->ipf_checksum;
8744 	else
8745 		sum_val = 0;
8746 
8747 	mp1 = ipf->ipf_mp;
8748 	count = ipf->ipf_count;
8749 	ipf = ipf->ipf_hash_next;
8750 	if (ipf)
8751 		ipf->ipf_ptphn = ipfp;
8752 	ipfp[0] = ipf;
8753 	atomic_add_32(&ill->ill_frag_count, -count);
8754 	ASSERT(ipfb->ipfb_count >= count);
8755 	ipfb->ipfb_count -= count;
8756 	ipfb->ipfb_frag_pkts--;
8757 	mutex_exit(&ipfb->ipfb_lock);
8758 	/* Ditch the frag header. */
8759 	mp = mp1->b_cont;
8760 	freeb(mp1);
8761 
8762 	/*
8763 	 * Make sure the packet is good by doing some sanity
8764 	 * check. If bad we can silentely drop the packet.
8765 	 */
8766 reass_done:
8767 	if (hdr_length < sizeof (ip6_frag_t)) {
8768 		BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
8769 		ip1dbg(("ip_rput_frag_v6: bad packet\n"));
8770 		freemsg(mp);
8771 		return (NULL);
8772 	}
8773 
8774 	/*
8775 	 * Remove the fragment header from the initial header by
8776 	 * splitting the mblk into the non-fragmentable header and
8777 	 * everthing after the fragment extension header.  This has the
8778 	 * side effect of putting all the headers that need destination
8779 	 * processing into the b_cont block-- on return this fact is
8780 	 * used in order to avoid having to look at the extensions
8781 	 * already processed.
8782 	 *
8783 	 * Note that this code assumes that the unfragmentable portion
8784 	 * of the header is in the first mblk and increments
8785 	 * the read pointer past it.  If this assumption is broken
8786 	 * this code fails badly.
8787 	 */
8788 	if (mp->b_rptr + hdr_length != mp->b_wptr) {
8789 		mblk_t *nmp;
8790 
8791 		if (!(nmp = dupb(mp))) {
8792 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
8793 			ip1dbg(("ip_rput_frag_v6: dupb failed\n"));
8794 			freemsg(mp);
8795 			return (NULL);
8796 		}
8797 		nmp->b_cont = mp->b_cont;
8798 		mp->b_cont = nmp;
8799 		nmp->b_rptr += hdr_length;
8800 	}
8801 	mp->b_wptr = mp->b_rptr + hdr_length - sizeof (ip6_frag_t);
8802 
8803 	ip6h = (ip6_t *)mp->b_rptr;
8804 	((char *)ip6h)[*prev_nexthdr_offset] = nexthdr;
8805 
8806 	/* Restore original IP length in header. */
8807 	ip6h->ip6_plen = htons((uint16_t)(msgdsize(mp) - IPV6_HDR_LEN));
8808 	/* Record the ECN info. */
8809 	ip6h->ip6_vcf &= htonl(0xFFCFFFFF);
8810 	ip6h->ip6_vcf |= htonl(ecn_info << 20);
8811 
8812 	/* Reassembly is successful; return checksum information if needed */
8813 	if (cksum_val != NULL)
8814 		*cksum_val = sum_val;
8815 	if (cksum_flags != NULL)
8816 		*cksum_flags = sum_flags;
8817 
8818 	return (mp);
8819 }
8820 
8821 /*
8822  * Walk through the options to see if there is a routing header.
8823  * If present get the destination which is the last address of
8824  * the option.
8825  */
8826 in6_addr_t
8827 ip_get_dst_v6(ip6_t *ip6h, mblk_t *mp, boolean_t *is_fragment)
8828 {
8829 	mblk_t *current_mp = mp;
8830 	uint8_t nexthdr;
8831 	uint8_t *whereptr;
8832 	ip6_hbh_t *hbhhdr;
8833 	ip6_dest_t *dsthdr;
8834 	ip6_rthdr0_t *rthdr;
8835 	ip6_frag_t *fraghdr;
8836 	int ehdrlen;
8837 	int left;
8838 	in6_addr_t *ap, rv;
8839 
8840 	rv = ip6h->ip6_dst;
8841 
8842 	if (is_fragment != NULL)
8843 		*is_fragment = B_FALSE;
8844 
8845 	if ((uint8_t *)ip6h >= current_mp->b_wptr ||
8846 	    (uint8_t *)ip6h < current_mp->b_rptr) {
8847 		/* Bad packet.  Return what we can. */
8848 		DTRACE_PROBE2(ip_get_dst_v6_badpkt1, mblk_t *, mp, ip6_t *,
8849 		    ip6h);
8850 		goto done;
8851 	}
8852 
8853 	nexthdr = ip6h->ip6_nxt;
8854 
8855 	whereptr = (uint8_t *)ip6h;
8856 	ehdrlen = sizeof (ip6_t);
8857 
8858 	for (;;) {
8859 		while (whereptr + ehdrlen >= current_mp->b_wptr) {
8860 			ehdrlen -= (current_mp->b_wptr - whereptr);
8861 			current_mp = current_mp->b_cont;
8862 			if (current_mp == NULL) {
8863 				/* Bad packet.  Return what we can. */
8864 				DTRACE_PROBE3(ip_get_dst_v6_badpkt2,
8865 				    mblk_t *, mp, mblk_t *, current_mp, ip6_t *,
8866 				    ip6h);
8867 				goto done;
8868 			}
8869 			whereptr = current_mp->b_rptr;
8870 		}
8871 		whereptr += ehdrlen;
8872 
8873 		/* Enough room for next-header and length (2 bytes)? */
8874 		if (whereptr + 2 > current_mp->b_wptr) {
8875 			whereptr -= (uintptr_t)current_mp->b_rptr;
8876 			/* Grumble -- eat the pullup. */
8877 			if (!pullupmsg(current_mp, -1)) {
8878 				DTRACE_PROBE3(ip_get_dst_v6_pullup_failed,
8879 				    mblk_t *, mp, mblk_t *, current_mp, ip6_t *,
8880 				    ip6h);
8881 				goto done;
8882 			}
8883 			whereptr += (uintptr_t)current_mp->b_rptr;
8884 			if (whereptr + 2 > current_mp->b_wptr) {
8885 				/* Bad packet.  Return what we can. */
8886 				DTRACE_PROBE3(ip_get_dst_v6_badpkt3,
8887 				    mblk_t *, mp, mblk_t *, current_mp, ip6_t *,
8888 				    ip6h);
8889 				goto done;
8890 			}
8891 		}
8892 
8893 		ASSERT(nexthdr != IPPROTO_RAW);
8894 		switch (nexthdr) {
8895 		case IPPROTO_HOPOPTS:
8896 			hbhhdr = (ip6_hbh_t *)whereptr;
8897 			nexthdr = hbhhdr->ip6h_nxt;
8898 			ehdrlen = 8 * (hbhhdr->ip6h_len + 1);
8899 			break;
8900 		case IPPROTO_DSTOPTS:
8901 			dsthdr = (ip6_dest_t *)whereptr;
8902 			nexthdr = dsthdr->ip6d_nxt;
8903 			ehdrlen = 8 * (dsthdr->ip6d_len + 1);
8904 			break;
8905 		case IPPROTO_ROUTING:
8906 			rthdr = (ip6_rthdr0_t *)whereptr;
8907 			nexthdr = rthdr->ip6r0_nxt;
8908 			ehdrlen = 8 * (rthdr->ip6r0_len + 1);
8909 			if (nexthdr + ehdrlen > (uintptr_t)current_mp->b_wptr) {
8910 				/* Bad packet.  Return what we can. */
8911 				DTRACE_PROBE3(ip_get_dst_v6_badpkt4,
8912 				    mblk_t *, mp, mblk_t *, current_mp, ip6_t *,
8913 				    ip6h);
8914 				goto done;
8915 			}
8916 
8917 			left = rthdr->ip6r0_segleft;
8918 			ap = (in6_addr_t *)((char *)rthdr + sizeof (*rthdr));
8919 			rv = *(ap + left - 1);
8920 			/*
8921 			 * If the caller doesn't care whether the packet
8922 			 * is a fragment or not, we can stop here since
8923 			 * we have our destination.
8924 			 */
8925 			if (is_fragment == NULL)
8926 				goto done;
8927 			break;
8928 		case IPPROTO_FRAGMENT:
8929 			fraghdr = (ip6_frag_t *)whereptr;
8930 			nexthdr = fraghdr->ip6f_nxt;
8931 			ehdrlen = sizeof (ip6_frag_t);
8932 			if (is_fragment != NULL)
8933 				*is_fragment = B_TRUE;
8934 			/* FALLTHRU */
8935 		default:
8936 			goto done;
8937 		}
8938 	}
8939 
8940 done:
8941 	return (rv);
8942 }
8943 
8944 /*
8945  * ip_source_routed_v6:
8946  * This function is called by redirect code in ip_rput_data_v6 to
8947  * know whether this packet is source routed through this node i.e
8948  * whether this node (router) is part of the journey. This
8949  * function is called under two cases :
8950  *
8951  * case 1 : Routing header was processed by this node and
8952  *	    ip_process_rthdr replaced ip6_dst with the next hop
8953  *	    and we are forwarding the packet to the next hop.
8954  *
8955  * case 2 : Routing header was not processed by this node and we
8956  *	    are just forwarding the packet.
8957  *
8958  * For case (1) we don't want to send redirects. For case(2) we
8959  * want to send redirects.
8960  */
8961 static boolean_t
8962 ip_source_routed_v6(ip6_t *ip6h, mblk_t *mp, ip_stack_t *ipst)
8963 {
8964 	uint8_t		nexthdr;
8965 	in6_addr_t	*addrptr;
8966 	ip6_rthdr0_t	*rthdr;
8967 	uint8_t		numaddr;
8968 	ip6_hbh_t	*hbhhdr;
8969 	uint_t		ehdrlen;
8970 	uint8_t		*byteptr;
8971 
8972 	ip2dbg(("ip_source_routed_v6\n"));
8973 	nexthdr = ip6h->ip6_nxt;
8974 	ehdrlen = IPV6_HDR_LEN;
8975 
8976 	/* if a routing hdr is preceeded by HOPOPT or DSTOPT */
8977 	while (nexthdr == IPPROTO_HOPOPTS ||
8978 	    nexthdr == IPPROTO_DSTOPTS) {
8979 		byteptr = (uint8_t *)ip6h + ehdrlen;
8980 		/*
8981 		 * Check if we have already processed
8982 		 * packets or we are just a forwarding
8983 		 * router which only pulled up msgs up
8984 		 * to IPV6HDR and  one HBH ext header
8985 		 */
8986 		if (byteptr + MIN_EHDR_LEN > mp->b_wptr) {
8987 			ip2dbg(("ip_source_routed_v6: Extension"
8988 			    " headers not processed\n"));
8989 			return (B_FALSE);
8990 		}
8991 		hbhhdr = (ip6_hbh_t *)byteptr;
8992 		nexthdr = hbhhdr->ip6h_nxt;
8993 		ehdrlen = ehdrlen + 8 * (hbhhdr->ip6h_len + 1);
8994 	}
8995 	switch (nexthdr) {
8996 	case IPPROTO_ROUTING:
8997 		byteptr = (uint8_t *)ip6h + ehdrlen;
8998 		/*
8999 		 * If for some reason, we haven't pulled up
9000 		 * the routing hdr data mblk, then we must
9001 		 * not have processed it at all. So for sure
9002 		 * we are not part of the source routed journey.
9003 		 */
9004 		if (byteptr + MIN_EHDR_LEN > mp->b_wptr) {
9005 			ip2dbg(("ip_source_routed_v6: Routing"
9006 			    " header not processed\n"));
9007 			return (B_FALSE);
9008 		}
9009 		rthdr = (ip6_rthdr0_t *)byteptr;
9010 		/*
9011 		 * Either we are an intermediate router or the
9012 		 * last hop before destination and we have
9013 		 * already processed the routing header.
9014 		 * If segment_left is greater than or equal to zero,
9015 		 * then we must be the (numaddr - segleft) entry
9016 		 * of the routing header. Although ip6r0_segleft
9017 		 * is a unit8_t variable, we still check for zero
9018 		 * or greater value, if in case the data type
9019 		 * is changed someday in future.
9020 		 */
9021 		if (rthdr->ip6r0_segleft > 0 ||
9022 		    rthdr->ip6r0_segleft == 0) {
9023 			ire_t 	*ire = NULL;
9024 
9025 			numaddr = rthdr->ip6r0_len / 2;
9026 			addrptr = (in6_addr_t *)((char *)rthdr +
9027 			    sizeof (*rthdr));
9028 			addrptr += (numaddr - (rthdr->ip6r0_segleft + 1));
9029 			if (addrptr != NULL) {
9030 				ire = ire_ctable_lookup_v6(addrptr, NULL,
9031 				    IRE_LOCAL, NULL, ALL_ZONES, NULL,
9032 				    MATCH_IRE_TYPE,
9033 				    ipst);
9034 				if (ire != NULL) {
9035 					ire_refrele(ire);
9036 					return (B_TRUE);
9037 				}
9038 				ip1dbg(("ip_source_routed_v6: No ire found\n"));
9039 			}
9040 		}
9041 	/* FALLTHRU */
9042 	default:
9043 		ip2dbg(("ip_source_routed_v6: Not source routed here\n"));
9044 		return (B_FALSE);
9045 	}
9046 }
9047 
9048 /*
9049  * ip_wput_v6 -- Packets sent down from transport modules show up here.
9050  * Assumes that the following set of headers appear in the first
9051  * mblk:
9052  *	ip6i_t (if present) CAN also appear as a separate mblk.
9053  *	ip6_t
9054  *	Any extension headers
9055  *	TCP/UDP/SCTP header (if present)
9056  * The routine can handle an ICMPv6 header that is not in the first mblk.
9057  *
9058  * The order to determine the outgoing interface is as follows:
9059  * 1. If an ip6i_t with IP6I_IFINDEX set then use that ill.
9060  * 2. If q is an ill queue and (link local or multicast destination) then
9061  *    use that ill.
9062  * 3. If IPV6_BOUND_IF has been set use that ill.
9063  * 4. For multicast: if IPV6_MULTICAST_IF has been set use it. Otherwise
9064  *    look for the best IRE match for the unspecified group to determine
9065  *    the ill.
9066  * 5. For unicast: Just do an IRE lookup for the best match.
9067  *
9068  * arg2 is always a queue_t *.
9069  * When that queue is an ill_t (i.e. q_next != NULL), then arg must be
9070  * the zoneid.
9071  * When that queue is not an ill_t, then arg must be a conn_t pointer.
9072  */
9073 void
9074 ip_output_v6(void *arg, mblk_t *mp, void *arg2, int caller)
9075 {
9076 	conn_t		*connp = NULL;
9077 	queue_t		*q = (queue_t *)arg2;
9078 	ire_t		*ire = NULL;
9079 	ire_t		*sctp_ire = NULL;
9080 	ip6_t		*ip6h;
9081 	in6_addr_t	*v6dstp;
9082 	ill_t		*ill = NULL;
9083 	ipif_t		*ipif;
9084 	ip6i_t		*ip6i;
9085 	int		cksum_request;	/* -1 => normal. */
9086 			/* 1 => Skip TCP/UDP/SCTP checksum */
9087 			/* Otherwise contains insert offset for checksum */
9088 	int		unspec_src;
9089 	boolean_t	do_outrequests;	/* Increment OutRequests? */
9090 	mib2_ipIfStatsEntry_t	*mibptr;
9091 	int 		match_flags = MATCH_IRE_ILL;
9092 	mblk_t		*first_mp;
9093 	boolean_t	mctl_present;
9094 	ipsec_out_t	*io;
9095 	boolean_t	multirt_need_resolve = B_FALSE;
9096 	mblk_t		*copy_mp = NULL;
9097 	int		err = 0;
9098 	int		ip6i_flags = 0;
9099 	zoneid_t	zoneid;
9100 	ill_t		*saved_ill = NULL;
9101 	boolean_t	conn_lock_held;
9102 	boolean_t	need_decref = B_FALSE;
9103 	ip_stack_t	*ipst;
9104 
9105 	if (q->q_next != NULL) {
9106 		ill = (ill_t *)q->q_ptr;
9107 		ipst = ill->ill_ipst;
9108 	} else {
9109 		connp = (conn_t *)arg;
9110 		ASSERT(connp != NULL);
9111 		ipst = connp->conn_netstack->netstack_ip;
9112 	}
9113 
9114 	/*
9115 	 * Highest bit in version field is Reachability Confirmation bit
9116 	 * used by NUD in ip_xmit_v6().
9117 	 */
9118 #ifdef	_BIG_ENDIAN
9119 #define	IPVER(ip6h)	((((uint32_t *)ip6h)[0] >> 28) & 0x7)
9120 #else
9121 #define	IPVER(ip6h)	((((uint32_t *)ip6h)[0] >> 4) & 0x7)
9122 #endif
9123 
9124 	/*
9125 	 * M_CTL comes from 6 places
9126 	 *
9127 	 * 1) TCP sends down IPSEC_OUT(M_CTL) for detached connections
9128 	 *    both V4 and V6 datagrams.
9129 	 *
9130 	 * 2) AH/ESP sends down M_CTL after doing their job with both
9131 	 *    V4 and V6 datagrams.
9132 	 *
9133 	 * 3) NDP callbacks when nce is resolved and IPSEC_OUT has been
9134 	 *    attached.
9135 	 *
9136 	 * 4) Notifications from an external resolver (for XRESOLV ifs)
9137 	 *
9138 	 * 5) AH/ESP send down IPSEC_CTL(M_CTL) to be relayed to hardware for
9139 	 *    IPsec hardware acceleration support.
9140 	 *
9141 	 * 6) TUN_HELLO.
9142 	 *
9143 	 * We need to handle (1)'s IPv6 case and (3) here.  For the
9144 	 * IPv4 case in (1), and (2), IPSEC processing has already
9145 	 * started. The code in ip_wput() already knows how to handle
9146 	 * continuing IPSEC processing (for IPv4 and IPv6).  All other
9147 	 * M_CTLs (including case (4)) are passed on to ip_wput_nondata()
9148 	 * for handling.
9149 	 */
9150 	first_mp = mp;
9151 	mctl_present = B_FALSE;
9152 	io = NULL;
9153 
9154 	/* Multidata transmit? */
9155 	if (DB_TYPE(mp) == M_MULTIDATA) {
9156 		/*
9157 		 * We should never get here, since all Multidata messages
9158 		 * originating from tcp should have been directed over to
9159 		 * tcp_multisend() in the first place.
9160 		 */
9161 		BUMP_MIB(&ipst->ips_ip6_mib, ipIfStatsOutDiscards);
9162 		freemsg(mp);
9163 		return;
9164 	} else if (DB_TYPE(mp) == M_CTL) {
9165 		uint32_t mctltype = 0;
9166 		uint32_t mlen = MBLKL(first_mp);
9167 
9168 		mp = mp->b_cont;
9169 		mctl_present = B_TRUE;
9170 		io = (ipsec_out_t *)first_mp->b_rptr;
9171 
9172 		/*
9173 		 * Validate this M_CTL message.  The only three types of
9174 		 * M_CTL messages we expect to see in this code path are
9175 		 * ipsec_out_t or ipsec_in_t structures (allocated as
9176 		 * ipsec_info_t unions), or ipsec_ctl_t structures.
9177 		 * The ipsec_out_type and ipsec_in_type overlap in the two
9178 		 * data structures, and they are either set to IPSEC_OUT
9179 		 * or IPSEC_IN depending on which data structure it is.
9180 		 * ipsec_ctl_t is an IPSEC_CTL.
9181 		 *
9182 		 * All other M_CTL messages are sent to ip_wput_nondata()
9183 		 * for handling.
9184 		 */
9185 		if (mlen >= sizeof (io->ipsec_out_type))
9186 			mctltype = io->ipsec_out_type;
9187 
9188 		if ((mlen == sizeof (ipsec_ctl_t)) &&
9189 		    (mctltype == IPSEC_CTL)) {
9190 			ip_output(arg, first_mp, arg2, caller);
9191 			return;
9192 		}
9193 
9194 		if ((mlen < sizeof (ipsec_info_t)) ||
9195 		    (mctltype != IPSEC_OUT && mctltype != IPSEC_IN) ||
9196 		    mp == NULL) {
9197 			ip_wput_nondata(NULL, q, first_mp, NULL);
9198 			return;
9199 		}
9200 		/* NDP callbacks have q_next non-NULL.  That's case #3. */
9201 		if (q->q_next == NULL) {
9202 			ip6h = (ip6_t *)mp->b_rptr;
9203 			/*
9204 			 * For a freshly-generated TCP dgram that needs IPV6
9205 			 * processing, don't call ip_wput immediately. We can
9206 			 * tell this by the ipsec_out_proc_begin. In-progress
9207 			 * IPSEC_OUT messages have proc_begin set to TRUE,
9208 			 * and we want to send all IPSEC_IN messages to
9209 			 * ip_wput() for IPsec processing or finishing.
9210 			 */
9211 			if (mctltype == IPSEC_IN ||
9212 			    IPVER(ip6h) != IPV6_VERSION ||
9213 			    io->ipsec_out_proc_begin) {
9214 				mibptr = &ipst->ips_ip6_mib;
9215 				goto notv6;
9216 			}
9217 		}
9218 	} else if (DB_TYPE(mp) != M_DATA) {
9219 		ip_wput_nondata(NULL, q, mp, NULL);
9220 		return;
9221 	}
9222 
9223 	ip6h = (ip6_t *)mp->b_rptr;
9224 
9225 	if (IPVER(ip6h) != IPV6_VERSION) {
9226 		mibptr = &ipst->ips_ip6_mib;
9227 		goto notv6;
9228 	}
9229 
9230 	if (is_system_labeled() && DB_TYPE(mp) == M_DATA &&
9231 	    (connp == NULL || !connp->conn_ulp_labeled)) {
9232 		if (connp != NULL) {
9233 			ASSERT(CONN_CRED(connp) != NULL);
9234 			err = tsol_check_label_v6(BEST_CRED(mp, connp),
9235 			    &mp, connp->conn_mac_exempt, ipst);
9236 		} else if (DB_CRED(mp) != NULL) {
9237 			err = tsol_check_label_v6(DB_CRED(mp),
9238 			    &mp, B_FALSE, ipst);
9239 		}
9240 		if (mctl_present)
9241 			first_mp->b_cont = mp;
9242 		else
9243 			first_mp = mp;
9244 		if (err != 0) {
9245 			DTRACE_PROBE3(
9246 			    tsol_ip_log_drop_checklabel_ip6, char *,
9247 			    "conn(1), failed to check/update mp(2)",
9248 			    conn_t, connp, mblk_t, mp);
9249 			freemsg(first_mp);
9250 			return;
9251 		}
9252 		ip6h = (ip6_t *)mp->b_rptr;
9253 	}
9254 	if (q->q_next != NULL) {
9255 		/*
9256 		 * We don't know if this ill will be used for IPv6
9257 		 * until the ILLF_IPV6 flag is set via SIOCSLIFNAME.
9258 		 * ipif_set_values() sets the ill_isv6 flag to true if
9259 		 * ILLF_IPV6 is set.  If the ill_isv6 flag isn't true,
9260 		 * just drop the packet.
9261 		 */
9262 		if (!ill->ill_isv6) {
9263 			ip1dbg(("ip_wput_v6: Received an IPv6 packet before "
9264 			    "ILLF_IPV6 was set\n"));
9265 			freemsg(first_mp);
9266 			return;
9267 		}
9268 		/* For uniformity do a refhold */
9269 		mutex_enter(&ill->ill_lock);
9270 		if (!ILL_CAN_LOOKUP(ill)) {
9271 			mutex_exit(&ill->ill_lock);
9272 			freemsg(first_mp);
9273 			return;
9274 		}
9275 		ill_refhold_locked(ill);
9276 		mutex_exit(&ill->ill_lock);
9277 		mibptr = ill->ill_ip_mib;
9278 
9279 		ASSERT(mibptr != NULL);
9280 		unspec_src = 0;
9281 		BUMP_MIB(mibptr, ipIfStatsHCOutRequests);
9282 		do_outrequests = B_FALSE;
9283 		zoneid = (zoneid_t)(uintptr_t)arg;
9284 	} else {
9285 		ASSERT(connp != NULL);
9286 		zoneid = connp->conn_zoneid;
9287 
9288 		/* is queue flow controlled? */
9289 		if ((q->q_first || connp->conn_draining) &&
9290 		    (caller == IP_WPUT)) {
9291 			/*
9292 			 * 1) TCP sends down M_CTL for detached connections.
9293 			 * 2) AH/ESP sends down M_CTL.
9294 			 *
9295 			 * We don't flow control either of the above. Only
9296 			 * UDP and others are flow controlled for which we
9297 			 * can't have a M_CTL.
9298 			 */
9299 			ASSERT(first_mp == mp);
9300 			(void) putq(q, mp);
9301 			return;
9302 		}
9303 		mibptr = &ipst->ips_ip6_mib;
9304 		unspec_src = connp->conn_unspec_src;
9305 		do_outrequests = B_TRUE;
9306 		if (mp->b_flag & MSGHASREF) {
9307 			mp->b_flag &= ~MSGHASREF;
9308 			ASSERT(connp->conn_ulp == IPPROTO_SCTP);
9309 			SCTP_EXTRACT_IPINFO(mp, sctp_ire);
9310 			need_decref = B_TRUE;
9311 		}
9312 
9313 		/*
9314 		 * If there is a policy, try to attach an ipsec_out in
9315 		 * the front. At the end, first_mp either points to a
9316 		 * M_DATA message or IPSEC_OUT message linked to a
9317 		 * M_DATA message. We have to do it now as we might
9318 		 * lose the "conn" if we go through ip_newroute.
9319 		 */
9320 		if (!mctl_present &&
9321 		    (connp->conn_out_enforce_policy ||
9322 		    connp->conn_latch != NULL)) {
9323 			ASSERT(first_mp == mp);
9324 			/* XXX Any better way to get the protocol fast ? */
9325 			if (((mp = ipsec_attach_ipsec_out(&mp, connp, NULL,
9326 			    connp->conn_ulp, ipst->ips_netstack)) == NULL)) {
9327 				BUMP_MIB(mibptr, ipIfStatsOutDiscards);
9328 				if (need_decref)
9329 					CONN_DEC_REF(connp);
9330 				return;
9331 			} else {
9332 				ASSERT(mp->b_datap->db_type == M_CTL);
9333 				first_mp = mp;
9334 				mp = mp->b_cont;
9335 				mctl_present = B_TRUE;
9336 				io = (ipsec_out_t *)first_mp->b_rptr;
9337 			}
9338 		}
9339 	}
9340 
9341 	/* check for alignment and full IPv6 header */
9342 	if (!OK_32PTR((uchar_t *)ip6h) ||
9343 	    (mp->b_wptr - (uchar_t *)ip6h) < IPV6_HDR_LEN) {
9344 		ip0dbg(("ip_wput_v6: bad alignment or length\n"));
9345 		if (do_outrequests)
9346 			BUMP_MIB(mibptr, ipIfStatsHCOutRequests);
9347 		BUMP_MIB(mibptr, ipIfStatsOutDiscards);
9348 		freemsg(first_mp);
9349 		if (ill != NULL)
9350 			ill_refrele(ill);
9351 		if (need_decref)
9352 			CONN_DEC_REF(connp);
9353 		return;
9354 	}
9355 	v6dstp = &ip6h->ip6_dst;
9356 	cksum_request = -1;
9357 	ip6i = NULL;
9358 
9359 	/*
9360 	 * Once neighbor discovery has completed, ndp_process() will provide
9361 	 * locally generated packets for which processing can be reattempted.
9362 	 * In these cases, connp is NULL and the original zone is part of a
9363 	 * prepended ipsec_out_t.
9364 	 */
9365 	if (io != NULL) {
9366 		/*
9367 		 * When coming from icmp_input_v6, the zoneid might not match
9368 		 * for the loopback case, because inside icmp_input_v6 the
9369 		 * queue_t is a conn queue from the sending side.
9370 		 */
9371 		zoneid = io->ipsec_out_zoneid;
9372 		ASSERT(zoneid != ALL_ZONES);
9373 	}
9374 
9375 	if (ip6h->ip6_nxt == IPPROTO_RAW) {
9376 		/*
9377 		 * This is an ip6i_t header followed by an ip6_hdr.
9378 		 * Check which fields are set.
9379 		 *
9380 		 * When the packet comes from a transport we should have
9381 		 * all needed headers in the first mblk. However, when
9382 		 * going through ip_newroute*_v6 the ip6i might be in
9383 		 * a separate mblk when we return here. In that case
9384 		 * we pullup everything to ensure that extension and transport
9385 		 * headers "stay" in the first mblk.
9386 		 */
9387 		ip6i = (ip6i_t *)ip6h;
9388 		ip6i_flags = ip6i->ip6i_flags;
9389 
9390 		ASSERT((mp->b_wptr - (uchar_t *)ip6i) == sizeof (ip6i_t) ||
9391 		    ((mp->b_wptr - (uchar_t *)ip6i) >=
9392 		    sizeof (ip6i_t) + IPV6_HDR_LEN));
9393 
9394 		if ((mp->b_wptr - (uchar_t *)ip6i) == sizeof (ip6i_t)) {
9395 			if (!pullupmsg(mp, -1)) {
9396 				ip1dbg(("ip_wput_v6: pullupmsg failed\n"));
9397 				if (do_outrequests) {
9398 					BUMP_MIB(mibptr,
9399 					    ipIfStatsHCOutRequests);
9400 				}
9401 				BUMP_MIB(mibptr, ipIfStatsOutDiscards);
9402 				freemsg(first_mp);
9403 				if (ill != NULL)
9404 					ill_refrele(ill);
9405 				if (need_decref)
9406 					CONN_DEC_REF(connp);
9407 				return;
9408 			}
9409 			ip6h = (ip6_t *)mp->b_rptr;
9410 			v6dstp = &ip6h->ip6_dst;
9411 			ip6i = (ip6i_t *)ip6h;
9412 		}
9413 		ip6h = (ip6_t *)&ip6i[1];
9414 
9415 		/*
9416 		 * Advance rptr past the ip6i_t to get ready for
9417 		 * transmitting the packet. However, if the packet gets
9418 		 * passed to ip_newroute*_v6 then rptr is moved back so
9419 		 * that the ip6i_t header can be inspected when the
9420 		 * packet comes back here after passing through
9421 		 * ire_add_then_send.
9422 		 */
9423 		mp->b_rptr = (uchar_t *)ip6h;
9424 
9425 		if (ip6i->ip6i_flags & IP6I_IFINDEX) {
9426 			ASSERT(ip6i->ip6i_ifindex != 0);
9427 			if (ill != NULL)
9428 				ill_refrele(ill);
9429 			ill = ill_lookup_on_ifindex(ip6i->ip6i_ifindex, 1,
9430 			    NULL, NULL, NULL, NULL, ipst);
9431 			if (ill == NULL) {
9432 				if (do_outrequests) {
9433 					BUMP_MIB(mibptr,
9434 					    ipIfStatsHCOutRequests);
9435 				}
9436 				BUMP_MIB(mibptr, ipIfStatsOutDiscards);
9437 				ip1dbg(("ip_wput_v6: bad ifindex %d\n",
9438 				    ip6i->ip6i_ifindex));
9439 				if (need_decref)
9440 					CONN_DEC_REF(connp);
9441 				freemsg(first_mp);
9442 				return;
9443 			}
9444 			mibptr = ill->ill_ip_mib;
9445 			/*
9446 			 * Preserve the index so that when we return from
9447 			 * IPSEC processing, we know where to send the packet.
9448 			 */
9449 			if (mctl_present) {
9450 				ASSERT(io != NULL);
9451 				io->ipsec_out_ill_index = ip6i->ip6i_ifindex;
9452 			}
9453 		}
9454 		if (ip6i->ip6i_flags & IP6I_VERIFY_SRC) {
9455 			cred_t *cr = DB_CREDDEF(mp, GET_QUEUE_CRED(q));
9456 
9457 			ASSERT(!IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src));
9458 			if (secpolicy_net_rawaccess(cr) != 0) {
9459 				/*
9460 				 * Use IPCL_ZONEID to honor SO_ALLZONES.
9461 				 */
9462 				ire = ire_route_lookup_v6(&ip6h->ip6_src,
9463 				    0, 0, (IRE_LOCAL|IRE_LOOPBACK), NULL,
9464 				    NULL, connp != NULL ?
9465 				    IPCL_ZONEID(connp) : zoneid, NULL,
9466 				    MATCH_IRE_TYPE | MATCH_IRE_ZONEONLY, ipst);
9467 				if (ire == NULL) {
9468 					if (do_outrequests)
9469 						BUMP_MIB(mibptr,
9470 						    ipIfStatsHCOutRequests);
9471 					BUMP_MIB(mibptr, ipIfStatsOutDiscards);
9472 					ip1dbg(("ip_wput_v6: bad source "
9473 					    "addr\n"));
9474 					freemsg(first_mp);
9475 					if (ill != NULL)
9476 						ill_refrele(ill);
9477 					if (need_decref)
9478 						CONN_DEC_REF(connp);
9479 					return;
9480 				}
9481 				ire_refrele(ire);
9482 			}
9483 			/* No need to verify again when using ip_newroute */
9484 			ip6i->ip6i_flags &= ~IP6I_VERIFY_SRC;
9485 		}
9486 		if (!(ip6i->ip6i_flags & IP6I_NEXTHOP)) {
9487 			/*
9488 			 * Make sure they match since ip_newroute*_v6 etc might
9489 			 * (unknown to them) inspect ip6i_nexthop when
9490 			 * they think they access ip6_dst.
9491 			 */
9492 			ip6i->ip6i_nexthop = ip6h->ip6_dst;
9493 		}
9494 		if (ip6i->ip6i_flags & IP6I_NO_ULP_CKSUM)
9495 			cksum_request = 1;
9496 		if (ip6i->ip6i_flags & IP6I_RAW_CHECKSUM)
9497 			cksum_request = ip6i->ip6i_checksum_off;
9498 		if (ip6i->ip6i_flags & IP6I_UNSPEC_SRC)
9499 			unspec_src = 1;
9500 
9501 		if (do_outrequests && ill != NULL) {
9502 			BUMP_MIB(mibptr, ipIfStatsHCOutRequests);
9503 			do_outrequests = B_FALSE;
9504 		}
9505 		/*
9506 		 * Store ip6i_t info that we need after we come back
9507 		 * from IPSEC processing.
9508 		 */
9509 		if (mctl_present) {
9510 			ASSERT(io != NULL);
9511 			io->ipsec_out_unspec_src = unspec_src;
9512 		}
9513 	}
9514 	if (connp != NULL && connp->conn_dontroute)
9515 		ip6h->ip6_hops = 1;
9516 
9517 	if (IN6_IS_ADDR_MULTICAST(v6dstp))
9518 		goto ipv6multicast;
9519 
9520 	/* 1. If an ip6i_t with IP6I_IFINDEX set then use that ill. */
9521 	if (ip6i != NULL && (ip6i->ip6i_flags & IP6I_IFINDEX)) {
9522 		ASSERT(ill != NULL);
9523 		goto send_from_ill;
9524 	}
9525 
9526 	/*
9527 	 * 2. If q is an ill queue and there's a link-local destination
9528 	 *    then use that ill.
9529 	 */
9530 	if (ill != NULL && IN6_IS_ADDR_LINKLOCAL(v6dstp))
9531 		goto send_from_ill;
9532 
9533 	/* 3. If IPV6_BOUND_IF has been set use that ill. */
9534 	if (connp != NULL && connp->conn_outgoing_ill != NULL) {
9535 		ill_t	*conn_outgoing_ill;
9536 
9537 		conn_outgoing_ill = conn_get_held_ill(connp,
9538 		    &connp->conn_outgoing_ill, &err);
9539 		if (err == ILL_LOOKUP_FAILED) {
9540 			if (ill != NULL)
9541 				ill_refrele(ill);
9542 			if (need_decref)
9543 				CONN_DEC_REF(connp);
9544 			freemsg(first_mp);
9545 			return;
9546 		}
9547 		if (ill != NULL)
9548 			ill_refrele(ill);
9549 		ill = conn_outgoing_ill;
9550 		mibptr = ill->ill_ip_mib;
9551 		goto send_from_ill;
9552 	}
9553 
9554 	/*
9555 	 * 4. For unicast: Just do an IRE lookup for the best match.
9556 	 * If we get here for a link-local address it is rather random
9557 	 * what interface we pick on a multihomed host.
9558 	 * *If* there is an IRE_CACHE (and the link-local address
9559 	 * isn't duplicated on multi links) this will find the IRE_CACHE.
9560 	 * Otherwise it will use one of the matching IRE_INTERFACE routes
9561 	 * for the link-local prefix. Hence, applications
9562 	 * *should* be encouraged to specify an outgoing interface when sending
9563 	 * to a link local address.
9564 	 */
9565 	if (connp == NULL || (IP_FLOW_CONTROLLED_ULP(connp->conn_ulp) &&
9566 	    !connp->conn_fully_bound)) {
9567 		/*
9568 		 * We cache IRE_CACHEs to avoid lookups. We don't do
9569 		 * this for the tcp global queue and listen end point
9570 		 * as it does not really have a real destination to
9571 		 * talk to.
9572 		 */
9573 		ire = ire_cache_lookup_v6(v6dstp, zoneid, MBLK_GETLABEL(mp),
9574 		    ipst);
9575 	} else {
9576 		/*
9577 		 * IRE_MARK_CONDEMNED is marked in ire_delete. We don't
9578 		 * grab a lock here to check for CONDEMNED as it is okay
9579 		 * to send a packet or two with the IRE_CACHE that is going
9580 		 * away.
9581 		 */
9582 		mutex_enter(&connp->conn_lock);
9583 		ire = sctp_ire != NULL ? sctp_ire : connp->conn_ire_cache;
9584 		if (ire != NULL &&
9585 		    IN6_ARE_ADDR_EQUAL(&ire->ire_addr_v6, v6dstp) &&
9586 		    !(ire->ire_marks & IRE_MARK_CONDEMNED)) {
9587 
9588 			IRE_REFHOLD(ire);
9589 			mutex_exit(&connp->conn_lock);
9590 
9591 		} else {
9592 			boolean_t cached = B_FALSE;
9593 
9594 			connp->conn_ire_cache = NULL;
9595 			mutex_exit(&connp->conn_lock);
9596 			/* Release the old ire */
9597 			if (ire != NULL && sctp_ire == NULL)
9598 				IRE_REFRELE_NOTR(ire);
9599 
9600 			ire = ire_cache_lookup_v6(v6dstp, zoneid,
9601 			    MBLK_GETLABEL(mp), ipst);
9602 			if (ire != NULL) {
9603 				IRE_REFHOLD_NOTR(ire);
9604 
9605 				mutex_enter(&connp->conn_lock);
9606 				if (CONN_CACHE_IRE(connp) &&
9607 				    (connp->conn_ire_cache == NULL)) {
9608 					rw_enter(&ire->ire_bucket->irb_lock,
9609 					    RW_READER);
9610 					if (!(ire->ire_marks &
9611 					    IRE_MARK_CONDEMNED)) {
9612 						connp->conn_ire_cache = ire;
9613 						cached = B_TRUE;
9614 					}
9615 					rw_exit(&ire->ire_bucket->irb_lock);
9616 				}
9617 				mutex_exit(&connp->conn_lock);
9618 
9619 				/*
9620 				 * We can continue to use the ire but since it
9621 				 * was not cached, we should drop the extra
9622 				 * reference.
9623 				 */
9624 				if (!cached)
9625 					IRE_REFRELE_NOTR(ire);
9626 			}
9627 		}
9628 	}
9629 
9630 	if (ire != NULL) {
9631 		if (do_outrequests) {
9632 			/* Handle IRE_LOCAL's that might appear here */
9633 			if (ire->ire_type == IRE_CACHE) {
9634 				mibptr = ((ill_t *)ire->ire_stq->q_ptr)->
9635 				    ill_ip_mib;
9636 			} else {
9637 				mibptr = ire->ire_ipif->ipif_ill->ill_ip_mib;
9638 			}
9639 			BUMP_MIB(mibptr, ipIfStatsHCOutRequests);
9640 		}
9641 
9642 		/*
9643 		 * Check if the ire has the RTF_MULTIRT flag, inherited
9644 		 * from an IRE_OFFSUBNET ire entry in ip_newroute().
9645 		 */
9646 		if (ire->ire_flags & RTF_MULTIRT) {
9647 			/*
9648 			 * Force hop limit of multirouted packets if required.
9649 			 * The hop limit of such packets is bounded by the
9650 			 * ip_multirt_ttl ndd variable.
9651 			 * NDP packets must have a hop limit of 255; don't
9652 			 * change the hop limit in that case.
9653 			 */
9654 			if ((ipst->ips_ip_multirt_ttl > 0) &&
9655 			    (ip6h->ip6_hops > ipst->ips_ip_multirt_ttl) &&
9656 			    (ip6h->ip6_hops != IPV6_MAX_HOPS)) {
9657 				if (ip_debug > 3) {
9658 					ip2dbg(("ip_wput_v6: forcing multirt "
9659 					    "hop limit to %d (was %d) ",
9660 					    ipst->ips_ip_multirt_ttl,
9661 					    ip6h->ip6_hops));
9662 					pr_addr_dbg("v6dst %s\n", AF_INET6,
9663 					    &ire->ire_addr_v6);
9664 				}
9665 				ip6h->ip6_hops = ipst->ips_ip_multirt_ttl;
9666 			}
9667 
9668 			/*
9669 			 * We look at this point if there are pending
9670 			 * unresolved routes. ire_multirt_need_resolve_v6()
9671 			 * checks in O(n) that all IRE_OFFSUBNET ire
9672 			 * entries for the packet's destination and
9673 			 * flagged RTF_MULTIRT are currently resolved.
9674 			 * If some remain unresolved, we do a copy
9675 			 * of the current message. It will be used
9676 			 * to initiate additional route resolutions.
9677 			 */
9678 			multirt_need_resolve =
9679 			    ire_multirt_need_resolve_v6(&ire->ire_addr_v6,
9680 			    MBLK_GETLABEL(first_mp), ipst);
9681 			ip2dbg(("ip_wput_v6: ire %p, "
9682 			    "multirt_need_resolve %d, first_mp %p\n",
9683 			    (void *)ire, multirt_need_resolve,
9684 			    (void *)first_mp));
9685 			if (multirt_need_resolve) {
9686 				copy_mp = copymsg(first_mp);
9687 				if (copy_mp != NULL) {
9688 					MULTIRT_DEBUG_TAG(copy_mp);
9689 				}
9690 			}
9691 		}
9692 		ip_wput_ire_v6(q, first_mp, ire, unspec_src, cksum_request,
9693 		    connp, caller, ip6i_flags, zoneid);
9694 		if (need_decref) {
9695 			CONN_DEC_REF(connp);
9696 			connp = NULL;
9697 		}
9698 		IRE_REFRELE(ire);
9699 
9700 		/*
9701 		 * Try to resolve another multiroute if
9702 		 * ire_multirt_need_resolve_v6() deemed it necessary.
9703 		 * copy_mp will be consumed (sent or freed) by
9704 		 * ip_newroute_v6().
9705 		 */
9706 		if (copy_mp != NULL) {
9707 			if (mctl_present) {
9708 				ip6h = (ip6_t *)copy_mp->b_cont->b_rptr;
9709 			} else {
9710 				ip6h = (ip6_t *)copy_mp->b_rptr;
9711 			}
9712 			ip_newroute_v6(q, copy_mp, &ip6h->ip6_dst,
9713 			    &ip6h->ip6_src, NULL, zoneid, ipst);
9714 		}
9715 		if (ill != NULL)
9716 			ill_refrele(ill);
9717 		return;
9718 	}
9719 
9720 	/*
9721 	 * No full IRE for this destination.  Send it to
9722 	 * ip_newroute_v6 to see if anything else matches.
9723 	 * Mark this packet as having originated on this
9724 	 * machine.
9725 	 * Update rptr if there was an ip6i_t header.
9726 	 */
9727 	mp->b_prev = NULL;
9728 	mp->b_next = NULL;
9729 	if (ip6i != NULL)
9730 		mp->b_rptr -= sizeof (ip6i_t);
9731 
9732 	if (unspec_src) {
9733 		if (ip6i == NULL) {
9734 			/*
9735 			 * Add ip6i_t header to carry unspec_src
9736 			 * until the packet comes back in ip_wput_v6.
9737 			 */
9738 			mp = ip_add_info_v6(mp, NULL, v6dstp);
9739 			if (mp == NULL) {
9740 				if (do_outrequests)
9741 					BUMP_MIB(mibptr,
9742 					    ipIfStatsHCOutRequests);
9743 				BUMP_MIB(mibptr, ipIfStatsOutDiscards);
9744 				if (mctl_present)
9745 					freeb(first_mp);
9746 				if (ill != NULL)
9747 					ill_refrele(ill);
9748 				if (need_decref)
9749 					CONN_DEC_REF(connp);
9750 				return;
9751 			}
9752 			ip6i = (ip6i_t *)mp->b_rptr;
9753 
9754 			if (mctl_present) {
9755 				ASSERT(first_mp != mp);
9756 				first_mp->b_cont = mp;
9757 			} else {
9758 				first_mp = mp;
9759 			}
9760 
9761 			if ((mp->b_wptr - (uchar_t *)ip6i) ==
9762 			    sizeof (ip6i_t)) {
9763 				/*
9764 				 * ndp_resolver called from ip_newroute_v6
9765 				 * expects pulled up message.
9766 				 */
9767 				if (!pullupmsg(mp, -1)) {
9768 					ip1dbg(("ip_wput_v6: pullupmsg"
9769 					    " failed\n"));
9770 					if (do_outrequests) {
9771 						BUMP_MIB(mibptr,
9772 						    ipIfStatsHCOutRequests);
9773 					}
9774 					BUMP_MIB(mibptr, ipIfStatsOutDiscards);
9775 					freemsg(first_mp);
9776 					if (ill != NULL)
9777 						ill_refrele(ill);
9778 					if (need_decref)
9779 						CONN_DEC_REF(connp);
9780 					return;
9781 				}
9782 				ip6i = (ip6i_t *)mp->b_rptr;
9783 			}
9784 			ip6h = (ip6_t *)&ip6i[1];
9785 			v6dstp = &ip6h->ip6_dst;
9786 		}
9787 		ip6i->ip6i_flags |= IP6I_UNSPEC_SRC;
9788 		if (mctl_present) {
9789 			ASSERT(io != NULL);
9790 			io->ipsec_out_unspec_src = unspec_src;
9791 		}
9792 	}
9793 	if (do_outrequests)
9794 		BUMP_MIB(mibptr, ipIfStatsHCOutRequests);
9795 	if (need_decref)
9796 		CONN_DEC_REF(connp);
9797 	ip_newroute_v6(q, first_mp, v6dstp, &ip6h->ip6_src, NULL, zoneid, ipst);
9798 	if (ill != NULL)
9799 		ill_refrele(ill);
9800 	return;
9801 
9802 
9803 	/*
9804 	 * Handle multicast packets with or without an conn.
9805 	 * Assumes that the transports set ip6_hops taking
9806 	 * IPV6_MULTICAST_HOPS (and the other ways to set the hoplimit)
9807 	 * into account.
9808 	 */
9809 ipv6multicast:
9810 	ip2dbg(("ip_wput_v6: multicast\n"));
9811 
9812 	/*
9813 	 * Hold the conn_lock till we refhold the ill of interest that is
9814 	 * pointed to from the conn. Since we cannot do an ill/ipif_refrele
9815 	 * while holding any locks, postpone the refrele until after the
9816 	 * conn_lock is dropped.
9817 	 */
9818 	if (connp != NULL) {
9819 		mutex_enter(&connp->conn_lock);
9820 		conn_lock_held = B_TRUE;
9821 	} else {
9822 		conn_lock_held = B_FALSE;
9823 	}
9824 	if (ip6i != NULL && (ip6i->ip6i_flags & IP6I_IFINDEX)) {
9825 		/* 1. If an ip6i_t with IP6I_IFINDEX set then use that ill. */
9826 		ASSERT(ill != NULL);
9827 	} else if (ill != NULL) {
9828 		/*
9829 		 * 2. If q is an ill queue and (link local or multicast
9830 		 * destination) then use that ill.
9831 		 * We don't need the ipif initialization here.
9832 		 * This useless assert below is just to prevent lint from
9833 		 * reporting a null body if statement.
9834 		 */
9835 		ASSERT(ill != NULL);
9836 	} else if (connp != NULL) {
9837 		/*
9838 		 * 3. If IPV6_BOUND_IF has been set use that ill.
9839 		 *
9840 		 * 4. For multicast: if IPV6_MULTICAST_IF has been set use it.
9841 		 * Otherwise look for the best IRE match for the unspecified
9842 		 * group to determine the ill.
9843 		 *
9844 		 * conn_multicast_ill is used for only IPv6 packets.
9845 		 * conn_multicast_ipif is used for only IPv4 packets.
9846 		 * Thus a PF_INET6 socket send both IPv4 and IPv6
9847 		 * multicast packets using different IP*_MULTICAST_IF
9848 		 * interfaces.
9849 		 */
9850 		if (connp->conn_outgoing_ill != NULL) {
9851 			err = ill_check_and_refhold(connp->conn_outgoing_ill);
9852 			if (err == ILL_LOOKUP_FAILED) {
9853 				ip1dbg(("ip_output_v6: multicast"
9854 				    " conn_outgoing_ill no ipif\n"));
9855 multicast_discard:
9856 				ASSERT(saved_ill == NULL);
9857 				if (conn_lock_held)
9858 					mutex_exit(&connp->conn_lock);
9859 				if (ill != NULL)
9860 					ill_refrele(ill);
9861 				freemsg(first_mp);
9862 				if (do_outrequests)
9863 					BUMP_MIB(mibptr, ipIfStatsOutDiscards);
9864 				if (need_decref)
9865 					CONN_DEC_REF(connp);
9866 				return;
9867 			}
9868 			ill = connp->conn_outgoing_ill;
9869 		} else if (connp->conn_multicast_ill != NULL) {
9870 			err = ill_check_and_refhold(connp->conn_multicast_ill);
9871 			if (err == ILL_LOOKUP_FAILED) {
9872 				ip1dbg(("ip_output_v6: multicast"
9873 				    " conn_multicast_ill no ipif\n"));
9874 				goto multicast_discard;
9875 			}
9876 			ill = connp->conn_multicast_ill;
9877 		} else {
9878 			mutex_exit(&connp->conn_lock);
9879 			conn_lock_held = B_FALSE;
9880 			ipif = ipif_lookup_group_v6(v6dstp, zoneid, ipst);
9881 			if (ipif == NULL) {
9882 				ip1dbg(("ip_output_v6: multicast no ipif\n"));
9883 				goto multicast_discard;
9884 			}
9885 			/*
9886 			 * We have a ref to this ipif, so we can safely
9887 			 * access ipif_ill.
9888 			 */
9889 			ill = ipif->ipif_ill;
9890 			mutex_enter(&ill->ill_lock);
9891 			if (!ILL_CAN_LOOKUP(ill)) {
9892 				mutex_exit(&ill->ill_lock);
9893 				ipif_refrele(ipif);
9894 				ill = NULL;
9895 				ip1dbg(("ip_output_v6: multicast no ipif\n"));
9896 				goto multicast_discard;
9897 			}
9898 			ill_refhold_locked(ill);
9899 			mutex_exit(&ill->ill_lock);
9900 			ipif_refrele(ipif);
9901 			/*
9902 			 * Save binding until IPV6_MULTICAST_IF
9903 			 * changes it
9904 			 */
9905 			mutex_enter(&connp->conn_lock);
9906 			connp->conn_multicast_ill = ill;
9907 			mutex_exit(&connp->conn_lock);
9908 		}
9909 	}
9910 	if (conn_lock_held)
9911 		mutex_exit(&connp->conn_lock);
9912 
9913 	if (saved_ill != NULL)
9914 		ill_refrele(saved_ill);
9915 
9916 	ASSERT(ill != NULL);
9917 	/*
9918 	 * For multicast loopback interfaces replace the multicast address
9919 	 * with a unicast address for the ire lookup.
9920 	 */
9921 	if (IS_LOOPBACK(ill))
9922 		v6dstp = &ill->ill_ipif->ipif_v6lcl_addr;
9923 
9924 	mibptr = ill->ill_ip_mib;
9925 	if (do_outrequests) {
9926 		BUMP_MIB(mibptr, ipIfStatsHCOutRequests);
9927 		do_outrequests = B_FALSE;
9928 	}
9929 	BUMP_MIB(mibptr, ipIfStatsHCOutMcastPkts);
9930 	UPDATE_MIB(mibptr, ipIfStatsHCOutMcastOctets,
9931 	    ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN);
9932 
9933 	/*
9934 	 * As we may lose the conn by the time we reach ip_wput_ire_v6
9935 	 * we copy conn_multicast_loop and conn_dontroute on to an
9936 	 * ipsec_out. In case if this datagram goes out secure,
9937 	 * we need the ill_index also. Copy that also into the
9938 	 * ipsec_out.
9939 	 */
9940 	if (mctl_present) {
9941 		io = (ipsec_out_t *)first_mp->b_rptr;
9942 		ASSERT(first_mp->b_datap->db_type == M_CTL);
9943 		ASSERT(io->ipsec_out_type == IPSEC_OUT);
9944 	} else {
9945 		ASSERT(mp == first_mp);
9946 		if ((first_mp = ipsec_alloc_ipsec_out(ipst->ips_netstack)) ==
9947 		    NULL) {
9948 			BUMP_MIB(mibptr, ipIfStatsOutDiscards);
9949 			freemsg(mp);
9950 			if (ill != NULL)
9951 				ill_refrele(ill);
9952 			if (need_decref)
9953 				CONN_DEC_REF(connp);
9954 			return;
9955 		}
9956 		io = (ipsec_out_t *)first_mp->b_rptr;
9957 		/* This is not a secure packet */
9958 		io->ipsec_out_secure = B_FALSE;
9959 		io->ipsec_out_use_global_policy = B_TRUE;
9960 		io->ipsec_out_zoneid =
9961 		    (zoneid != ALL_ZONES ? zoneid : GLOBAL_ZONEID);
9962 		first_mp->b_cont = mp;
9963 		mctl_present = B_TRUE;
9964 	}
9965 	io->ipsec_out_ill_index = ill->ill_phyint->phyint_ifindex;
9966 	io->ipsec_out_unspec_src = unspec_src;
9967 	if (connp != NULL)
9968 		io->ipsec_out_dontroute = connp->conn_dontroute;
9969 
9970 send_from_ill:
9971 	ASSERT(ill != NULL);
9972 	ASSERT(mibptr == ill->ill_ip_mib);
9973 
9974 	if (do_outrequests) {
9975 		BUMP_MIB(mibptr, ipIfStatsHCOutRequests);
9976 		do_outrequests = B_FALSE;
9977 	}
9978 
9979 	/*
9980 	 * Because nce_xmit() calls ip_output_v6() and NCEs are always tied to
9981 	 * an underlying interface, IS_UNDER_IPMP() may be true even when
9982 	 * building IREs that will be used for data traffic.  As such, use the
9983 	 * packet's source address to determine whether the traffic is test
9984 	 * traffic, and set MATCH_IRE_MARK_TESTHIDDEN if so.
9985 	 *
9986 	 * Separately, we also need to mark probe packets so that ND can
9987 	 * process them specially; see the comments in nce_queue_mp_common().
9988 	 */
9989 	if (IS_UNDER_IPMP(ill) && !IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src) &&
9990 	    ipif_lookup_testaddr_v6(ill, &ip6h->ip6_src, NULL)) {
9991 		if (ip6i == NULL) {
9992 			if ((mp = ip_add_info_v6(mp, NULL, v6dstp)) == NULL) {
9993 				if (mctl_present)
9994 					freeb(first_mp);
9995 				goto discard;
9996 			}
9997 
9998 			if (mctl_present)
9999 				first_mp->b_cont = mp;
10000 			else
10001 				first_mp = mp;
10002 
10003 			/* ndp_resolver() expects a pulled-up message */
10004 			if (MBLKL(mp) == sizeof (ip6i_t) &&
10005 			    pullupmsg(mp, -1) == 0) {
10006 				ip1dbg(("ip_output_v6: pullupmsg failed\n"));
10007 discard:			BUMP_MIB(mibptr, ipIfStatsOutDiscards);
10008 				ill_refrele(ill);
10009 				if (need_decref)
10010 					CONN_DEC_REF(connp);
10011 				return;
10012 			}
10013 			ip6i = (ip6i_t *)mp->b_rptr;
10014 			ip6h = (ip6_t *)&ip6i[1];
10015 			v6dstp = &ip6h->ip6_dst;
10016 			mp->b_rptr = (uchar_t *)ip6h;	/* rewound below */
10017 		}
10018 		ip6i->ip6i_flags |= IP6I_IPMP_PROBE;
10019 		match_flags |= MATCH_IRE_MARK_TESTHIDDEN;
10020 	}
10021 
10022 	if (io != NULL)
10023 		io->ipsec_out_ill_index = ill->ill_phyint->phyint_ifindex;
10024 
10025 	/*
10026 	 * When a specific ill is specified (using IPV6_PKTINFO,
10027 	 * IPV6_MULTICAST_IF, or IPV6_BOUND_IF) we will only match
10028 	 * on routing entries (ftable and ctable) that have a matching
10029 	 * ire->ire_ipif->ipif_ill. Thus this can only be used
10030 	 * for destinations that are on-link for the specific ill
10031 	 * and that can appear on multiple links. Thus it is useful
10032 	 * for multicast destinations, link-local destinations, and
10033 	 * at some point perhaps for site-local destinations (if the
10034 	 * node sits at a site boundary).
10035 	 * We create the cache entries in the regular ctable since
10036 	 * it can not "confuse" things for other destinations.
10037 	 * table.
10038 	 *
10039 	 * NOTE : conn_ire_cache is not used for caching ire_ctable_lookups.
10040 	 *	  It is used only when ire_cache_lookup is used above.
10041 	 */
10042 	ire = ire_ctable_lookup_v6(v6dstp, 0, 0, ill->ill_ipif,
10043 	    zoneid, MBLK_GETLABEL(mp), match_flags, ipst);
10044 	if (ire != NULL) {
10045 		/*
10046 		 * Check if the ire has the RTF_MULTIRT flag, inherited
10047 		 * from an IRE_OFFSUBNET ire entry in ip_newroute().
10048 		 */
10049 		if (ire->ire_flags & RTF_MULTIRT) {
10050 			/*
10051 			 * Force hop limit of multirouted packets if required.
10052 			 * The hop limit of such packets is bounded by the
10053 			 * ip_multirt_ttl ndd variable.
10054 			 * NDP packets must have a hop limit of 255; don't
10055 			 * change the hop limit in that case.
10056 			 */
10057 			if ((ipst->ips_ip_multirt_ttl > 0) &&
10058 			    (ip6h->ip6_hops > ipst->ips_ip_multirt_ttl) &&
10059 			    (ip6h->ip6_hops != IPV6_MAX_HOPS)) {
10060 				if (ip_debug > 3) {
10061 					ip2dbg(("ip_wput_v6: forcing multirt "
10062 					    "hop limit to %d (was %d) ",
10063 					    ipst->ips_ip_multirt_ttl,
10064 					    ip6h->ip6_hops));
10065 					pr_addr_dbg("v6dst %s\n", AF_INET6,
10066 					    &ire->ire_addr_v6);
10067 				}
10068 				ip6h->ip6_hops = ipst->ips_ip_multirt_ttl;
10069 			}
10070 
10071 			/*
10072 			 * We look at this point if there are pending
10073 			 * unresolved routes. ire_multirt_need_resolve_v6()
10074 			 * checks in O(n) that all IRE_OFFSUBNET ire
10075 			 * entries for the packet's destination and
10076 			 * flagged RTF_MULTIRT are currently resolved.
10077 			 * If some remain unresolved, we make a copy
10078 			 * of the current message. It will be used
10079 			 * to initiate additional route resolutions.
10080 			 */
10081 			multirt_need_resolve =
10082 			    ire_multirt_need_resolve_v6(&ire->ire_addr_v6,
10083 			    MBLK_GETLABEL(first_mp), ipst);
10084 			ip2dbg(("ip_wput_v6[send_from_ill]: ire %p, "
10085 			    "multirt_need_resolve %d, first_mp %p\n",
10086 			    (void *)ire, multirt_need_resolve,
10087 			    (void *)first_mp));
10088 			if (multirt_need_resolve) {
10089 				copy_mp = copymsg(first_mp);
10090 				if (copy_mp != NULL) {
10091 					MULTIRT_DEBUG_TAG(copy_mp);
10092 				}
10093 			}
10094 		}
10095 
10096 		ip1dbg(("ip_wput_v6: send on %s, ire = %p, ill index = %d\n",
10097 		    ill->ill_name, (void *)ire,
10098 		    ill->ill_phyint->phyint_ifindex));
10099 		ip_wput_ire_v6(q, first_mp, ire, unspec_src, cksum_request,
10100 		    connp, caller, ip6i_flags, zoneid);
10101 		ire_refrele(ire);
10102 		if (need_decref) {
10103 			CONN_DEC_REF(connp);
10104 			connp = NULL;
10105 		}
10106 
10107 		/*
10108 		 * Try to resolve another multiroute if
10109 		 * ire_multirt_need_resolve_v6() deemed it necessary.
10110 		 * copy_mp will be consumed (sent or freed) by
10111 		 * ip_newroute_[ipif_]v6().
10112 		 */
10113 		if (copy_mp != NULL) {
10114 			if (mctl_present) {
10115 				ip6h = (ip6_t *)copy_mp->b_cont->b_rptr;
10116 			} else {
10117 				ip6h = (ip6_t *)copy_mp->b_rptr;
10118 			}
10119 			if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst)) {
10120 				ipif = ipif_lookup_group_v6(&ip6h->ip6_dst,
10121 				    zoneid, ipst);
10122 				if (ipif == NULL) {
10123 					ip1dbg(("ip_wput_v6: No ipif for "
10124 					    "multicast\n"));
10125 					MULTIRT_DEBUG_UNTAG(copy_mp);
10126 					freemsg(copy_mp);
10127 					return;
10128 				}
10129 				ip_newroute_ipif_v6(q, copy_mp, ipif,
10130 				    &ip6h->ip6_dst, &ip6h->ip6_src, unspec_src,
10131 				    zoneid);
10132 				ipif_refrele(ipif);
10133 			} else {
10134 				ip_newroute_v6(q, copy_mp, &ip6h->ip6_dst,
10135 				    &ip6h->ip6_src, ill, zoneid, ipst);
10136 			}
10137 		}
10138 		ill_refrele(ill);
10139 		return;
10140 	}
10141 	if (need_decref) {
10142 		CONN_DEC_REF(connp);
10143 		connp = NULL;
10144 	}
10145 
10146 	/* Update rptr if there was an ip6i_t header. */
10147 	if (ip6i != NULL)
10148 		mp->b_rptr -= sizeof (ip6i_t);
10149 	if (unspec_src) {
10150 		if (ip6i == NULL) {
10151 			/*
10152 			 * Add ip6i_t header to carry unspec_src
10153 			 * until the packet comes back in ip_wput_v6.
10154 			 */
10155 			if (mctl_present) {
10156 				first_mp->b_cont =
10157 				    ip_add_info_v6(mp, NULL, v6dstp);
10158 				mp = first_mp->b_cont;
10159 				if (mp == NULL)
10160 					freeb(first_mp);
10161 			} else {
10162 				first_mp = mp = ip_add_info_v6(mp, NULL,
10163 				    v6dstp);
10164 			}
10165 			if (mp == NULL) {
10166 				BUMP_MIB(mibptr, ipIfStatsOutDiscards);
10167 				ill_refrele(ill);
10168 				return;
10169 			}
10170 			ip6i = (ip6i_t *)mp->b_rptr;
10171 			if ((mp->b_wptr - (uchar_t *)ip6i) ==
10172 			    sizeof (ip6i_t)) {
10173 				/*
10174 				 * ndp_resolver called from ip_newroute_v6
10175 				 * expects a pulled up message.
10176 				 */
10177 				if (!pullupmsg(mp, -1)) {
10178 					ip1dbg(("ip_wput_v6: pullupmsg"
10179 					    " failed\n"));
10180 					BUMP_MIB(mibptr, ipIfStatsOutDiscards);
10181 					freemsg(first_mp);
10182 					return;
10183 				}
10184 				ip6i = (ip6i_t *)mp->b_rptr;
10185 			}
10186 			ip6h = (ip6_t *)&ip6i[1];
10187 			v6dstp = &ip6h->ip6_dst;
10188 		}
10189 		ip6i->ip6i_flags |= IP6I_UNSPEC_SRC;
10190 		if (mctl_present) {
10191 			ASSERT(io != NULL);
10192 			io->ipsec_out_unspec_src = unspec_src;
10193 		}
10194 	}
10195 	if (IN6_IS_ADDR_MULTICAST(v6dstp)) {
10196 		ip_newroute_ipif_v6(q, first_mp, ill->ill_ipif, v6dstp,
10197 		    &ip6h->ip6_src, unspec_src, zoneid);
10198 	} else {
10199 		ip_newroute_v6(q, first_mp, v6dstp, &ip6h->ip6_src, ill,
10200 		    zoneid, ipst);
10201 	}
10202 	ill_refrele(ill);
10203 	return;
10204 
10205 notv6:
10206 	/* FIXME?: assume the caller calls the right version of ip_output? */
10207 	if (q->q_next == NULL) {
10208 		connp = Q_TO_CONN(q);
10209 
10210 		/*
10211 		 * We can change conn_send for all types of conn, even
10212 		 * though only TCP uses it right now.
10213 		 * FIXME: sctp could use conn_send but doesn't currently.
10214 		 */
10215 		ip_setpktversion(connp, B_FALSE, B_TRUE, ipst);
10216 	}
10217 	BUMP_MIB(mibptr, ipIfStatsOutWrongIPVersion);
10218 	(void) ip_output(arg, first_mp, arg2, caller);
10219 	if (ill != NULL)
10220 		ill_refrele(ill);
10221 }
10222 
10223 /*
10224  * If this is a conn_t queue, then we pass in the conn. This includes the
10225  * zoneid.
10226  * Otherwise, this is a message for an ill_t queue,
10227  * in which case we use the global zoneid since those are all part of
10228  * the global zone.
10229  */
10230 void
10231 ip_wput_v6(queue_t *q, mblk_t *mp)
10232 {
10233 	if (CONN_Q(q))
10234 		ip_output_v6(Q_TO_CONN(q), mp, q, IP_WPUT);
10235 	else
10236 		ip_output_v6(GLOBAL_ZONEID, mp, q, IP_WPUT);
10237 }
10238 
10239 /*
10240  * NULL send-to queue - packet is to be delivered locally.
10241  */
10242 void
10243 ip_wput_local_v6(queue_t *q, ill_t *ill, ip6_t *ip6h, mblk_t *first_mp,
10244     ire_t *ire, int fanout_flags, zoneid_t zoneid)
10245 {
10246 	uint32_t	ports;
10247 	mblk_t		*mp = first_mp, *first_mp1;
10248 	boolean_t	mctl_present;
10249 	uint8_t		nexthdr;
10250 	uint16_t	hdr_length;
10251 	ipsec_out_t	*io;
10252 	mib2_ipIfStatsEntry_t	*mibptr;
10253 	ilm_t		*ilm;
10254 	uint_t	nexthdr_offset;
10255 	ip_stack_t	*ipst = ill->ill_ipst;
10256 
10257 	if (DB_TYPE(mp) == M_CTL) {
10258 		io = (ipsec_out_t *)mp->b_rptr;
10259 		if (!io->ipsec_out_secure) {
10260 			mp = mp->b_cont;
10261 			freeb(first_mp);
10262 			first_mp = mp;
10263 			mctl_present = B_FALSE;
10264 		} else {
10265 			mctl_present = B_TRUE;
10266 			mp = first_mp->b_cont;
10267 			ipsec_out_to_in(first_mp);
10268 		}
10269 	} else {
10270 		mctl_present = B_FALSE;
10271 	}
10272 
10273 	/*
10274 	 * Remove reachability confirmation bit from version field
10275 	 * before passing the packet on to any firewall hooks or
10276 	 * looping back the packet.
10277 	 */
10278 	if (ip6h->ip6_vcf & IP_FORWARD_PROG)
10279 		ip6h->ip6_vcf &= ~IP_FORWARD_PROG;
10280 
10281 	DTRACE_PROBE4(ip6__loopback__in__start,
10282 	    ill_t *, ill, ill_t *, NULL,
10283 	    ip6_t *, ip6h, mblk_t *, first_mp);
10284 
10285 	FW_HOOKS6(ipst->ips_ip6_loopback_in_event,
10286 	    ipst->ips_ipv6firewall_loopback_in,
10287 	    ill, NULL, ip6h, first_mp, mp, 0, ipst);
10288 
10289 	DTRACE_PROBE1(ip6__loopback__in__end, mblk_t *, first_mp);
10290 
10291 	if (first_mp == NULL)
10292 		return;
10293 
10294 	if (ipst->ips_ipobs_enabled) {
10295 		zoneid_t szone, dzone, lookup_zoneid = ALL_ZONES;
10296 		zoneid_t stackzoneid = netstackid_to_zoneid(
10297 		    ipst->ips_netstack->netstack_stackid);
10298 
10299 		szone = (stackzoneid == GLOBAL_ZONEID) ? zoneid : stackzoneid;
10300 		/*
10301 		 * ::1 is special, as we cannot lookup its zoneid by
10302 		 * address.  For this case, restrict the lookup to the
10303 		 * source zone.
10304 		 */
10305 		if (IN6_IS_ADDR_LOOPBACK(&ip6h->ip6_dst))
10306 			lookup_zoneid = zoneid;
10307 		dzone = ip_get_zoneid_v6(&ip6h->ip6_dst, mp, ill, ipst,
10308 		    lookup_zoneid);
10309 		ipobs_hook(mp, IPOBS_HOOK_LOCAL, szone, dzone, ill,
10310 		    IPV6_VERSION, 0, ipst);
10311 	}
10312 
10313 	DTRACE_IP7(receive, mblk_t *, first_mp, conn_t *, NULL, void_ip_t *,
10314 	    ip6h, __dtrace_ipsr_ill_t *, ill, ipha_t *, NULL, ip6_t *, ip6h,
10315 	    int, 1);
10316 
10317 	nexthdr = ip6h->ip6_nxt;
10318 	mibptr = ill->ill_ip_mib;
10319 
10320 	/* Fastpath */
10321 	switch (nexthdr) {
10322 	case IPPROTO_TCP:
10323 	case IPPROTO_UDP:
10324 	case IPPROTO_ICMPV6:
10325 	case IPPROTO_SCTP:
10326 		hdr_length = IPV6_HDR_LEN;
10327 		nexthdr_offset = (uint_t)((uchar_t *)&ip6h->ip6_nxt -
10328 		    (uchar_t *)ip6h);
10329 		break;
10330 	default: {
10331 		uint8_t	*nexthdrp;
10332 
10333 		if (!ip_hdr_length_nexthdr_v6(mp, ip6h,
10334 		    &hdr_length, &nexthdrp)) {
10335 			/* Malformed packet */
10336 			BUMP_MIB(mibptr, ipIfStatsOutDiscards);
10337 			freemsg(first_mp);
10338 			return;
10339 		}
10340 		nexthdr = *nexthdrp;
10341 		nexthdr_offset = nexthdrp - (uint8_t *)ip6h;
10342 		break;
10343 	}
10344 	}
10345 
10346 	UPDATE_OB_PKT_COUNT(ire);
10347 	ire->ire_last_used_time = lbolt;
10348 
10349 	switch (nexthdr) {
10350 		case IPPROTO_TCP:
10351 			if (DB_TYPE(mp) == M_DATA) {
10352 				/*
10353 				 * M_DATA mblk, so init mblk (chain) for
10354 				 * no struio().
10355 				 */
10356 				mblk_t  *mp1 = mp;
10357 
10358 				do {
10359 					mp1->b_datap->db_struioflag = 0;
10360 				} while ((mp1 = mp1->b_cont) != NULL);
10361 			}
10362 			ports = *(uint32_t *)(mp->b_rptr + hdr_length +
10363 			    TCP_PORTS_OFFSET);
10364 			ip_fanout_tcp_v6(q, first_mp, ip6h, ill, ill,
10365 			    fanout_flags|IP_FF_SEND_ICMP|IP_FF_SYN_ADDIRE|
10366 			    IP_FF_IPINFO|IP6_NO_IPPOLICY|IP_FF_LOOPBACK,
10367 			    hdr_length, mctl_present, ire->ire_zoneid);
10368 			return;
10369 
10370 		case IPPROTO_UDP:
10371 			ports = *(uint32_t *)(mp->b_rptr + hdr_length +
10372 			    UDP_PORTS_OFFSET);
10373 			ip_fanout_udp_v6(q, first_mp, ip6h, ports, ill, ill,
10374 			    fanout_flags|IP_FF_SEND_ICMP|IP_FF_IPINFO|
10375 			    IP6_NO_IPPOLICY, mctl_present, ire->ire_zoneid);
10376 			return;
10377 
10378 		case IPPROTO_SCTP:
10379 		{
10380 			ports = *(uint32_t *)(mp->b_rptr + hdr_length);
10381 			ip_fanout_sctp(first_mp, ill, (ipha_t *)ip6h, ports,
10382 			    fanout_flags|IP_FF_SEND_ICMP|IP_FF_IPINFO,
10383 			    mctl_present, IP6_NO_IPPOLICY, ire->ire_zoneid);
10384 			return;
10385 		}
10386 		case IPPROTO_ICMPV6: {
10387 			icmp6_t *icmp6;
10388 
10389 			/* check for full IPv6+ICMPv6 header */
10390 			if ((mp->b_wptr - mp->b_rptr) <
10391 			    (hdr_length + ICMP6_MINLEN)) {
10392 				if (!pullupmsg(mp, hdr_length + ICMP6_MINLEN)) {
10393 					ip1dbg(("ip_wput_v6: ICMP hdr pullupmsg"
10394 					    " failed\n"));
10395 					BUMP_MIB(mibptr, ipIfStatsOutDiscards);
10396 					freemsg(first_mp);
10397 					return;
10398 				}
10399 				ip6h = (ip6_t *)mp->b_rptr;
10400 			}
10401 			icmp6 = (icmp6_t *)((uchar_t *)ip6h + hdr_length);
10402 
10403 			/* Update output mib stats */
10404 			icmp_update_out_mib_v6(ill, icmp6);
10405 
10406 			/* Check variable for testing applications */
10407 			if (ipst->ips_ipv6_drop_inbound_icmpv6) {
10408 				freemsg(first_mp);
10409 				return;
10410 			}
10411 			/*
10412 			 * Assume that there is always at least one conn for
10413 			 * ICMPv6 (in.ndpd) i.e. don't optimize the case
10414 			 * where there is no conn.
10415 			 */
10416 			if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst) &&
10417 			    !IS_LOOPBACK(ill)) {
10418 				ilm_walker_t ilw;
10419 
10420 				/*
10421 				 * In the multicast case, applications may have
10422 				 * joined the group from different zones, so we
10423 				 * need to deliver the packet to each of them.
10424 				 * Loop through the multicast memberships
10425 				 * structures (ilm) on the receive ill and send
10426 				 * a copy of the packet up each matching one.
10427 				 * However, we don't do this for multicasts sent
10428 				 * on the loopback interface (PHYI_LOOPBACK flag
10429 				 * set) as they must stay in the sender's zone.
10430 				 */
10431 				ilm = ilm_walker_start(&ilw, ill);
10432 				for (; ilm != NULL;
10433 				    ilm = ilm_walker_step(&ilw, ilm)) {
10434 					if (!IN6_ARE_ADDR_EQUAL(
10435 					    &ilm->ilm_v6addr, &ip6h->ip6_dst))
10436 						continue;
10437 					if ((fanout_flags &
10438 					    IP_FF_NO_MCAST_LOOP) &&
10439 					    ilm->ilm_zoneid == ire->ire_zoneid)
10440 						continue;
10441 					if (!ipif_lookup_zoneid(
10442 					    ilw.ilw_walk_ill, ilm->ilm_zoneid,
10443 					    IPIF_UP, NULL))
10444 						continue;
10445 
10446 					first_mp1 = ip_copymsg(first_mp);
10447 					if (first_mp1 == NULL)
10448 						continue;
10449 					icmp_inbound_v6(q, first_mp1,
10450 					    ilw.ilw_walk_ill, ill, hdr_length,
10451 					    mctl_present, IP6_NO_IPPOLICY,
10452 					    ilm->ilm_zoneid, NULL);
10453 				}
10454 				ilm_walker_finish(&ilw);
10455 			} else {
10456 				first_mp1 = ip_copymsg(first_mp);
10457 				if (first_mp1 != NULL)
10458 					icmp_inbound_v6(q, first_mp1, ill, ill,
10459 					    hdr_length, mctl_present,
10460 					    IP6_NO_IPPOLICY, ire->ire_zoneid,
10461 					    NULL);
10462 			}
10463 		}
10464 		/* FALLTHRU */
10465 		default: {
10466 			/*
10467 			 * Handle protocols with which IPv6 is less intimate.
10468 			 */
10469 			fanout_flags |= IP_FF_RAWIP|IP_FF_IPINFO;
10470 
10471 			/*
10472 			 * Enable sending ICMP for "Unknown" nexthdr
10473 			 * case. i.e. where we did not FALLTHRU from
10474 			 * IPPROTO_ICMPV6 processing case above.
10475 			 */
10476 			if (nexthdr != IPPROTO_ICMPV6)
10477 				fanout_flags |= IP_FF_SEND_ICMP;
10478 			/*
10479 			 * Note: There can be more than one stream bound
10480 			 * to a particular protocol. When this is the case,
10481 			 * each one gets a copy of any incoming packets.
10482 			 */
10483 			ip_fanout_proto_v6(q, first_mp, ip6h, ill, ill, nexthdr,
10484 			    nexthdr_offset, fanout_flags|IP6_NO_IPPOLICY,
10485 			    mctl_present, ire->ire_zoneid);
10486 			return;
10487 		}
10488 	}
10489 }
10490 
10491 /*
10492  * Send packet using IRE.
10493  * Checksumming is controlled by cksum_request:
10494  *	-1 => normal i.e. TCP/UDP/SCTP/ICMPv6 are checksummed and nothing else.
10495  *	1 => Skip TCP/UDP/SCTP checksum
10496  * 	Otherwise => checksum_request contains insert offset for checksum
10497  *
10498  * Assumes that the following set of headers appear in the first
10499  * mblk:
10500  *	ip6_t
10501  *	Any extension headers
10502  *	TCP/UDP/SCTP header (if present)
10503  * The routine can handle an ICMPv6 header that is not in the first mblk.
10504  *
10505  * NOTE : This function does not ire_refrele the ire passed in as the
10506  *	  argument unlike ip_wput_ire where the REFRELE is done.
10507  *	  Refer to ip_wput_ire for more on this.
10508  */
10509 static void
10510 ip_wput_ire_v6(queue_t *q, mblk_t *mp, ire_t *ire, int unspec_src,
10511     int cksum_request, conn_t *connp, int caller, int flags, zoneid_t zoneid)
10512 {
10513 	ip6_t		*ip6h;
10514 	uint8_t		nexthdr;
10515 	uint16_t	hdr_length;
10516 	uint_t		reachable = 0x0;
10517 	ill_t		*ill;
10518 	mib2_ipIfStatsEntry_t	*mibptr;
10519 	mblk_t		*first_mp;
10520 	boolean_t	mctl_present;
10521 	ipsec_out_t	*io;
10522 	boolean_t	conn_dontroute;	/* conn value for multicast */
10523 	boolean_t	conn_multicast_loop;	/* conn value for multicast */
10524 	boolean_t 	multicast_forward;	/* Should we forward ? */
10525 	int		max_frag;
10526 	ip_stack_t	*ipst = ire->ire_ipst;
10527 	ipsec_stack_t	*ipss = ipst->ips_netstack->netstack_ipsec;
10528 
10529 	ill = ire_to_ill(ire);
10530 	first_mp = mp;
10531 	multicast_forward = B_FALSE;
10532 
10533 	if (mp->b_datap->db_type != M_CTL) {
10534 		ip6h = (ip6_t *)first_mp->b_rptr;
10535 	} else {
10536 		io = (ipsec_out_t *)first_mp->b_rptr;
10537 		ASSERT(io->ipsec_out_type == IPSEC_OUT);
10538 		/*
10539 		 * Grab the zone id now because the M_CTL can be discarded by
10540 		 * ip_wput_ire_parse_ipsec_out() below.
10541 		 */
10542 		ASSERT(zoneid == io->ipsec_out_zoneid);
10543 		ASSERT(zoneid != ALL_ZONES);
10544 		ip6h = (ip6_t *)first_mp->b_cont->b_rptr;
10545 		/*
10546 		 * For the multicast case, ipsec_out carries conn_dontroute and
10547 		 * conn_multicast_loop as conn may not be available here. We
10548 		 * need this for multicast loopback and forwarding which is done
10549 		 * later in the code.
10550 		 */
10551 		if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst)) {
10552 			conn_dontroute = io->ipsec_out_dontroute;
10553 			conn_multicast_loop = io->ipsec_out_multicast_loop;
10554 			/*
10555 			 * If conn_dontroute is not set or conn_multicast_loop
10556 			 * is set, we need to do forwarding/loopback. For
10557 			 * datagrams from ip_wput_multicast, conn_dontroute is
10558 			 * set to B_TRUE and conn_multicast_loop is set to
10559 			 * B_FALSE so that we neither do forwarding nor
10560 			 * loopback.
10561 			 */
10562 			if (!conn_dontroute || conn_multicast_loop)
10563 				multicast_forward = B_TRUE;
10564 		}
10565 	}
10566 
10567 	/*
10568 	 * If the sender didn't supply the hop limit and there is a default
10569 	 * unicast hop limit associated with the output interface, we use
10570 	 * that if the packet is unicast.  Interface specific unicast hop
10571 	 * limits as set via the SIOCSLIFLNKINFO ioctl.
10572 	 */
10573 	if (ill->ill_max_hops != 0 && !(flags & IP6I_HOPLIMIT) &&
10574 	    !(IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst))) {
10575 		ip6h->ip6_hops = ill->ill_max_hops;
10576 	}
10577 
10578 	if (ire->ire_type == IRE_LOCAL && ire->ire_zoneid != zoneid &&
10579 	    ire->ire_zoneid != ALL_ZONES) {
10580 		/*
10581 		 * When a zone sends a packet to another zone, we try to deliver
10582 		 * the packet under the same conditions as if the destination
10583 		 * was a real node on the network. To do so, we look for a
10584 		 * matching route in the forwarding table.
10585 		 * RTF_REJECT and RTF_BLACKHOLE are handled just like
10586 		 * ip_newroute_v6() does.
10587 		 * Note that IRE_LOCAL are special, since they are used
10588 		 * when the zoneid doesn't match in some cases. This means that
10589 		 * we need to handle ipha_src differently since ire_src_addr
10590 		 * belongs to the receiving zone instead of the sending zone.
10591 		 * When ip_restrict_interzone_loopback is set, then
10592 		 * ire_cache_lookup_v6() ensures that IRE_LOCAL are only used
10593 		 * for loopback between zones when the logical "Ethernet" would
10594 		 * have looped them back.
10595 		 */
10596 		ire_t *src_ire;
10597 
10598 		src_ire = ire_ftable_lookup_v6(&ip6h->ip6_dst, 0, 0, 0,
10599 		    NULL, NULL, zoneid, 0, NULL, (MATCH_IRE_RECURSIVE |
10600 		    MATCH_IRE_DEFAULT | MATCH_IRE_RJ_BHOLE), ipst);
10601 		if (src_ire != NULL &&
10602 		    !(src_ire->ire_flags & (RTF_REJECT | RTF_BLACKHOLE)) &&
10603 		    (!ipst->ips_ip_restrict_interzone_loopback ||
10604 		    ire_local_same_lan(ire, src_ire))) {
10605 			if (IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src) &&
10606 			    !unspec_src) {
10607 				ip6h->ip6_src = src_ire->ire_src_addr_v6;
10608 			}
10609 			ire_refrele(src_ire);
10610 		} else {
10611 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutNoRoutes);
10612 			if (src_ire != NULL) {
10613 				if (src_ire->ire_flags & RTF_BLACKHOLE) {
10614 					ire_refrele(src_ire);
10615 					freemsg(first_mp);
10616 					return;
10617 				}
10618 				ire_refrele(src_ire);
10619 			}
10620 			if (ip_hdr_complete_v6(ip6h, zoneid, ipst)) {
10621 				/* Failed */
10622 				freemsg(first_mp);
10623 				return;
10624 			}
10625 			icmp_unreachable_v6(q, first_mp,
10626 			    ICMP6_DST_UNREACH_NOROUTE, B_FALSE, B_FALSE,
10627 			    zoneid, ipst);
10628 			return;
10629 		}
10630 	}
10631 
10632 	if (mp->b_datap->db_type == M_CTL ||
10633 	    ipss->ipsec_outbound_v6_policy_present) {
10634 		mp = ip_wput_ire_parse_ipsec_out(first_mp, NULL, ip6h, ire,
10635 		    connp, unspec_src, zoneid);
10636 		if (mp == NULL) {
10637 			return;
10638 		}
10639 	}
10640 
10641 	first_mp = mp;
10642 	if (mp->b_datap->db_type == M_CTL) {
10643 		io = (ipsec_out_t *)mp->b_rptr;
10644 		ASSERT(io->ipsec_out_type == IPSEC_OUT);
10645 		mp = mp->b_cont;
10646 		mctl_present = B_TRUE;
10647 	} else {
10648 		mctl_present = B_FALSE;
10649 	}
10650 
10651 	ip6h = (ip6_t *)mp->b_rptr;
10652 	nexthdr = ip6h->ip6_nxt;
10653 	mibptr = ill->ill_ip_mib;
10654 
10655 	if (IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src) && !unspec_src) {
10656 		ipif_t *ipif;
10657 
10658 		/*
10659 		 * Select the source address using ipif_select_source_v6.
10660 		 */
10661 		ipif = ipif_select_source_v6(ill, &ip6h->ip6_dst, B_FALSE,
10662 		    IPV6_PREFER_SRC_DEFAULT, zoneid);
10663 		if (ipif == NULL) {
10664 			if (ip_debug > 2) {
10665 				/* ip1dbg */
10666 				pr_addr_dbg("ip_wput_ire_v6: no src for "
10667 				    "dst %s\n", AF_INET6, &ip6h->ip6_dst);
10668 				printf("through interface %s\n", ill->ill_name);
10669 			}
10670 			freemsg(first_mp);
10671 			return;
10672 		}
10673 		ip6h->ip6_src = ipif->ipif_v6src_addr;
10674 		ipif_refrele(ipif);
10675 	}
10676 	if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst)) {
10677 		if ((connp != NULL && connp->conn_multicast_loop) ||
10678 		    !IS_LOOPBACK(ill)) {
10679 			if (ilm_lookup_ill_v6(ill, &ip6h->ip6_dst, B_FALSE,
10680 			    ALL_ZONES) != NULL) {
10681 				mblk_t *nmp;
10682 				int fanout_flags = 0;
10683 
10684 				if (connp != NULL &&
10685 				    !connp->conn_multicast_loop) {
10686 					fanout_flags |= IP_FF_NO_MCAST_LOOP;
10687 				}
10688 				ip1dbg(("ip_wput_ire_v6: "
10689 				    "Loopback multicast\n"));
10690 				nmp = ip_copymsg(first_mp);
10691 				if (nmp != NULL) {
10692 					ip6_t	*nip6h;
10693 					mblk_t	*mp_ip6h;
10694 
10695 					if (mctl_present) {
10696 						nip6h = (ip6_t *)
10697 						    nmp->b_cont->b_rptr;
10698 						mp_ip6h = nmp->b_cont;
10699 					} else {
10700 						nip6h = (ip6_t *)nmp->b_rptr;
10701 						mp_ip6h = nmp;
10702 					}
10703 
10704 					DTRACE_PROBE4(
10705 					    ip6__loopback__out__start,
10706 					    ill_t *, NULL,
10707 					    ill_t *, ill,
10708 					    ip6_t *, nip6h,
10709 					    mblk_t *, nmp);
10710 
10711 					FW_HOOKS6(
10712 					    ipst->ips_ip6_loopback_out_event,
10713 					    ipst->ips_ipv6firewall_loopback_out,
10714 					    NULL, ill, nip6h, nmp, mp_ip6h,
10715 					    0, ipst);
10716 
10717 					DTRACE_PROBE1(
10718 					    ip6__loopback__out__end,
10719 					    mblk_t *, nmp);
10720 
10721 					/*
10722 					 * DTrace this as ip:::send.  A blocked
10723 					 * packet will fire the send probe, but
10724 					 * not the receive probe.
10725 					 */
10726 					DTRACE_IP7(send, mblk_t *, nmp,
10727 					    conn_t *, NULL, void_ip_t *, nip6h,
10728 					    __dtrace_ipsr_ill_t *, ill,
10729 					    ipha_t *, NULL, ip6_t *, nip6h,
10730 					    int, 1);
10731 
10732 					if (nmp != NULL) {
10733 						/*
10734 						 * Deliver locally and to
10735 						 * every local zone, except
10736 						 * the sending zone when
10737 						 * IPV6_MULTICAST_LOOP is
10738 						 * disabled.
10739 						 */
10740 						ip_wput_local_v6(RD(q), ill,
10741 						    nip6h, nmp, ire,
10742 						    fanout_flags, zoneid);
10743 					}
10744 				} else {
10745 					BUMP_MIB(mibptr, ipIfStatsOutDiscards);
10746 					ip1dbg(("ip_wput_ire_v6: "
10747 					    "copymsg failed\n"));
10748 				}
10749 			}
10750 		}
10751 		if (ip6h->ip6_hops == 0 ||
10752 		    IN6_IS_ADDR_MC_NODELOCAL(&ip6h->ip6_dst) ||
10753 		    IS_LOOPBACK(ill)) {
10754 			/*
10755 			 * Local multicast or just loopback on loopback
10756 			 * interface.
10757 			 */
10758 			BUMP_MIB(mibptr, ipIfStatsHCOutMcastPkts);
10759 			UPDATE_MIB(mibptr, ipIfStatsHCOutMcastOctets,
10760 			    ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN);
10761 			ip1dbg(("ip_wput_ire_v6: local multicast only\n"));
10762 			freemsg(first_mp);
10763 			return;
10764 		}
10765 	}
10766 
10767 	if (ire->ire_stq != NULL) {
10768 		uint32_t	sum;
10769 		uint_t		ill_index =  ((ill_t *)ire->ire_stq->q_ptr)->
10770 		    ill_phyint->phyint_ifindex;
10771 		queue_t		*dev_q = ire->ire_stq->q_next;
10772 
10773 		/*
10774 		 * non-NULL send-to queue - packet is to be sent
10775 		 * out an interface.
10776 		 */
10777 
10778 		/* Driver is flow-controlling? */
10779 		if (!IP_FLOW_CONTROLLED_ULP(nexthdr) &&
10780 		    DEV_Q_FLOW_BLOCKED(dev_q)) {
10781 			/*
10782 			 * Queue packet if we have an conn to give back
10783 			 * pressure.  We can't queue packets intended for
10784 			 * hardware acceleration since we've tossed that
10785 			 * state already.  If the packet is being fed back
10786 			 * from ire_send_v6, we don't know the position in
10787 			 * the queue to enqueue the packet and we discard
10788 			 * the packet.
10789 			 */
10790 			if (ipst->ips_ip_output_queue && connp != NULL &&
10791 			    !mctl_present && caller != IRE_SEND) {
10792 				if (caller == IP_WSRV) {
10793 					connp->conn_did_putbq = 1;
10794 					(void) putbq(connp->conn_wq, mp);
10795 					conn_drain_insert(connp);
10796 					/*
10797 					 * caller == IP_WSRV implies we are
10798 					 * the service thread, and the
10799 					 * queue is already noenabled.
10800 					 * The check for canput and
10801 					 * the putbq is not atomic.
10802 					 * So we need to check again.
10803 					 */
10804 					if (canput(dev_q))
10805 						connp->conn_did_putbq = 0;
10806 				} else {
10807 					(void) putq(connp->conn_wq, mp);
10808 				}
10809 				return;
10810 			}
10811 			BUMP_MIB(mibptr, ipIfStatsOutDiscards);
10812 			freemsg(first_mp);
10813 			return;
10814 		}
10815 
10816 		/*
10817 		 * Look for reachability confirmations from the transport.
10818 		 */
10819 		if (ip6h->ip6_vcf & IP_FORWARD_PROG) {
10820 			reachable |= IPV6_REACHABILITY_CONFIRMATION;
10821 			ip6h->ip6_vcf &= ~IP_FORWARD_PROG;
10822 			if (mctl_present)
10823 				io->ipsec_out_reachable = B_TRUE;
10824 		}
10825 		/* Fastpath */
10826 		switch (nexthdr) {
10827 		case IPPROTO_TCP:
10828 		case IPPROTO_UDP:
10829 		case IPPROTO_ICMPV6:
10830 		case IPPROTO_SCTP:
10831 			hdr_length = IPV6_HDR_LEN;
10832 			break;
10833 		default: {
10834 			uint8_t	*nexthdrp;
10835 
10836 			if (!ip_hdr_length_nexthdr_v6(mp, ip6h,
10837 			    &hdr_length, &nexthdrp)) {
10838 				/* Malformed packet */
10839 				BUMP_MIB(mibptr, ipIfStatsOutDiscards);
10840 				freemsg(first_mp);
10841 				return;
10842 			}
10843 			nexthdr = *nexthdrp;
10844 			break;
10845 		}
10846 		}
10847 
10848 		if (cksum_request != -1 && nexthdr != IPPROTO_ICMPV6) {
10849 			uint16_t	*up;
10850 			uint16_t	*insp;
10851 
10852 			/*
10853 			 * The packet header is processed once for all, even
10854 			 * in the multirouting case. We disable hardware
10855 			 * checksum if the packet is multirouted, as it will be
10856 			 * replicated via several interfaces, and not all of
10857 			 * them may have this capability.
10858 			 */
10859 			if (cksum_request == 1 &&
10860 			    !(ire->ire_flags & RTF_MULTIRT)) {
10861 				/* Skip the transport checksum */
10862 				goto cksum_done;
10863 			}
10864 			/*
10865 			 * Do user-configured raw checksum.
10866 			 * Compute checksum and insert at offset "cksum_request"
10867 			 */
10868 
10869 			/* check for enough headers for checksum */
10870 			cksum_request += hdr_length;	/* offset from rptr */
10871 			if ((mp->b_wptr - mp->b_rptr) <
10872 			    (cksum_request + sizeof (int16_t))) {
10873 				if (!pullupmsg(mp,
10874 				    cksum_request + sizeof (int16_t))) {
10875 					ip1dbg(("ip_wput_v6: ICMP hdr pullupmsg"
10876 					    " failed\n"));
10877 					BUMP_MIB(mibptr, ipIfStatsOutDiscards);
10878 					freemsg(first_mp);
10879 					return;
10880 				}
10881 				ip6h = (ip6_t *)mp->b_rptr;
10882 			}
10883 			insp = (uint16_t *)((uchar_t *)ip6h + cksum_request);
10884 			ASSERT(((uintptr_t)insp & 0x1) == 0);
10885 			up = (uint16_t *)&ip6h->ip6_src;
10886 			/*
10887 			 * icmp has placed length and routing
10888 			 * header adjustment in *insp.
10889 			 */
10890 			sum = htons(nexthdr) +
10891 			    up[0] + up[1] + up[2] + up[3] +
10892 			    up[4] + up[5] + up[6] + up[7] +
10893 			    up[8] + up[9] + up[10] + up[11] +
10894 			    up[12] + up[13] + up[14] + up[15];
10895 			sum = (sum & 0xffff) + (sum >> 16);
10896 			*insp = IP_CSUM(mp, hdr_length, sum);
10897 		} else if (nexthdr == IPPROTO_TCP) {
10898 			uint16_t	*up;
10899 
10900 			/*
10901 			 * Check for full IPv6 header + enough TCP header
10902 			 * to get at the checksum field.
10903 			 */
10904 			if ((mp->b_wptr - mp->b_rptr) <
10905 			    (hdr_length + TCP_CHECKSUM_OFFSET +
10906 			    TCP_CHECKSUM_SIZE)) {
10907 				if (!pullupmsg(mp, hdr_length +
10908 				    TCP_CHECKSUM_OFFSET + TCP_CHECKSUM_SIZE)) {
10909 					ip1dbg(("ip_wput_v6: TCP hdr pullupmsg"
10910 					    " failed\n"));
10911 					BUMP_MIB(mibptr, ipIfStatsOutDiscards);
10912 					freemsg(first_mp);
10913 					return;
10914 				}
10915 				ip6h = (ip6_t *)mp->b_rptr;
10916 			}
10917 
10918 			up = (uint16_t *)&ip6h->ip6_src;
10919 			/*
10920 			 * Note: The TCP module has stored the length value
10921 			 * into the tcp checksum field, so we don't
10922 			 * need to explicitly sum it in here.
10923 			 */
10924 			sum = up[0] + up[1] + up[2] + up[3] +
10925 			    up[4] + up[5] + up[6] + up[7] +
10926 			    up[8] + up[9] + up[10] + up[11] +
10927 			    up[12] + up[13] + up[14] + up[15];
10928 
10929 			/* Fold the initial sum */
10930 			sum = (sum & 0xffff) + (sum >> 16);
10931 
10932 			up = (uint16_t *)(((uchar_t *)ip6h) +
10933 			    hdr_length + TCP_CHECKSUM_OFFSET);
10934 
10935 			IP_CKSUM_XMIT(ill, ire, mp, ip6h, up, IPPROTO_TCP,
10936 			    hdr_length, ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN,
10937 			    ire->ire_max_frag, mctl_present, sum);
10938 
10939 			/* Software checksum? */
10940 			if (DB_CKSUMFLAGS(mp) == 0) {
10941 				IP6_STAT(ipst, ip6_out_sw_cksum);
10942 				IP6_STAT_UPDATE(ipst,
10943 				    ip6_tcp_out_sw_cksum_bytes,
10944 				    (ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN) -
10945 				    hdr_length);
10946 			}
10947 		} else if (nexthdr == IPPROTO_UDP) {
10948 			uint16_t	*up;
10949 
10950 			/*
10951 			 * check for full IPv6 header + enough UDP header
10952 			 * to get at the UDP checksum field
10953 			 */
10954 			if ((mp->b_wptr - mp->b_rptr) < (hdr_length +
10955 			    UDP_CHECKSUM_OFFSET + UDP_CHECKSUM_SIZE)) {
10956 				if (!pullupmsg(mp, hdr_length +
10957 				    UDP_CHECKSUM_OFFSET + UDP_CHECKSUM_SIZE)) {
10958 					ip1dbg(("ip_wput_v6: UDP hdr pullupmsg"
10959 					    " failed\n"));
10960 					BUMP_MIB(mibptr, ipIfStatsOutDiscards);
10961 					freemsg(first_mp);
10962 					return;
10963 				}
10964 				ip6h = (ip6_t *)mp->b_rptr;
10965 			}
10966 			up = (uint16_t *)&ip6h->ip6_src;
10967 			/*
10968 			 * Note: The UDP module has stored the length value
10969 			 * into the udp checksum field, so we don't
10970 			 * need to explicitly sum it in here.
10971 			 */
10972 			sum = up[0] + up[1] + up[2] + up[3] +
10973 			    up[4] + up[5] + up[6] + up[7] +
10974 			    up[8] + up[9] + up[10] + up[11] +
10975 			    up[12] + up[13] + up[14] + up[15];
10976 
10977 			/* Fold the initial sum */
10978 			sum = (sum & 0xffff) + (sum >> 16);
10979 
10980 			up = (uint16_t *)(((uchar_t *)ip6h) +
10981 			    hdr_length + UDP_CHECKSUM_OFFSET);
10982 
10983 			IP_CKSUM_XMIT(ill, ire, mp, ip6h, up, IPPROTO_UDP,
10984 			    hdr_length, ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN,
10985 			    ire->ire_max_frag, mctl_present, sum);
10986 
10987 			/* Software checksum? */
10988 			if (DB_CKSUMFLAGS(mp) == 0) {
10989 				IP6_STAT(ipst, ip6_out_sw_cksum);
10990 				IP6_STAT_UPDATE(ipst,
10991 				    ip6_udp_out_sw_cksum_bytes,
10992 				    (ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN) -
10993 				    hdr_length);
10994 			}
10995 		} else if (nexthdr == IPPROTO_ICMPV6) {
10996 			uint16_t	*up;
10997 			icmp6_t *icmp6;
10998 
10999 			/* check for full IPv6+ICMPv6 header */
11000 			if ((mp->b_wptr - mp->b_rptr) <
11001 			    (hdr_length + ICMP6_MINLEN)) {
11002 				if (!pullupmsg(mp, hdr_length + ICMP6_MINLEN)) {
11003 					ip1dbg(("ip_wput_v6: ICMP hdr pullupmsg"
11004 					    " failed\n"));
11005 					BUMP_MIB(mibptr, ipIfStatsOutDiscards);
11006 					freemsg(first_mp);
11007 					return;
11008 				}
11009 				ip6h = (ip6_t *)mp->b_rptr;
11010 			}
11011 			icmp6 = (icmp6_t *)((uchar_t *)ip6h + hdr_length);
11012 			up = (uint16_t *)&ip6h->ip6_src;
11013 			/*
11014 			 * icmp has placed length and routing
11015 			 * header adjustment in icmp6_cksum.
11016 			 */
11017 			sum = htons(IPPROTO_ICMPV6) +
11018 			    up[0] + up[1] + up[2] + up[3] +
11019 			    up[4] + up[5] + up[6] + up[7] +
11020 			    up[8] + up[9] + up[10] + up[11] +
11021 			    up[12] + up[13] + up[14] + up[15];
11022 			sum = (sum & 0xffff) + (sum >> 16);
11023 			icmp6->icmp6_cksum = IP_CSUM(mp, hdr_length, sum);
11024 
11025 			/* Update output mib stats */
11026 			icmp_update_out_mib_v6(ill, icmp6);
11027 		} else if (nexthdr == IPPROTO_SCTP) {
11028 			sctp_hdr_t *sctph;
11029 
11030 			if (MBLKL(mp) < (hdr_length + sizeof (*sctph))) {
11031 				if (!pullupmsg(mp, hdr_length +
11032 				    sizeof (*sctph))) {
11033 					ip1dbg(("ip_wput_v6: SCTP hdr pullupmsg"
11034 					    " failed\n"));
11035 					BUMP_MIB(ill->ill_ip_mib,
11036 					    ipIfStatsOutDiscards);
11037 					freemsg(mp);
11038 					return;
11039 				}
11040 				ip6h = (ip6_t *)mp->b_rptr;
11041 			}
11042 			sctph = (sctp_hdr_t *)(mp->b_rptr + hdr_length);
11043 			sctph->sh_chksum = 0;
11044 			sctph->sh_chksum = sctp_cksum(mp, hdr_length);
11045 		}
11046 
11047 	cksum_done:
11048 		/*
11049 		 * We force the insertion of a fragment header using the
11050 		 * IPH_FRAG_HDR flag in two cases:
11051 		 * - after reception of an ICMPv6 "packet too big" message
11052 		 *   with a MTU < 1280 (cf. RFC 2460 section 5)
11053 		 * - for multirouted IPv6 packets, so that the receiver can
11054 		 *   discard duplicates according to their fragment identifier
11055 		 *
11056 		 * Two flags modifed from the API can modify this behavior.
11057 		 * The first is IPV6_USE_MIN_MTU.  With this API the user
11058 		 * can specify how to manage PMTUD for unicast and multicast.
11059 		 *
11060 		 * IPV6_DONTFRAG disallows fragmentation.
11061 		 */
11062 		max_frag = ire->ire_max_frag;
11063 		switch (IP6I_USE_MIN_MTU_API(flags)) {
11064 		case IPV6_USE_MIN_MTU_DEFAULT:
11065 		case IPV6_USE_MIN_MTU_UNICAST:
11066 			if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst)) {
11067 				max_frag = IPV6_MIN_MTU;
11068 			}
11069 			break;
11070 
11071 		case IPV6_USE_MIN_MTU_NEVER:
11072 			max_frag = IPV6_MIN_MTU;
11073 			break;
11074 		}
11075 		if (ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN > max_frag ||
11076 		    (ire->ire_frag_flag & IPH_FRAG_HDR)) {
11077 			if (connp != NULL && (flags & IP6I_DONTFRAG)) {
11078 				icmp_pkt2big_v6(ire->ire_stq, first_mp,
11079 				    max_frag, B_FALSE, B_TRUE, zoneid, ipst);
11080 				return;
11081 			}
11082 
11083 			if (ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN !=
11084 			    (mp->b_cont ? msgdsize(mp) :
11085 			    mp->b_wptr - (uchar_t *)ip6h)) {
11086 				ip0dbg(("Packet length mismatch: %d, %ld\n",
11087 				    ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN,
11088 				    msgdsize(mp)));
11089 				freemsg(first_mp);
11090 				return;
11091 			}
11092 			/* Do IPSEC processing first */
11093 			if (mctl_present) {
11094 				ipsec_out_process(q, first_mp, ire, ill_index);
11095 				return;
11096 			}
11097 			ASSERT(mp->b_prev == NULL);
11098 			ip2dbg(("Fragmenting Size = %d, mtu = %d\n",
11099 			    ntohs(ip6h->ip6_plen) +
11100 			    IPV6_HDR_LEN, max_frag));
11101 			ASSERT(mp == first_mp);
11102 			/* Initiate IPPF processing */
11103 			if (IPP_ENABLED(IPP_LOCAL_OUT, ipst)) {
11104 				ip_process(IPP_LOCAL_OUT, &mp, ill_index);
11105 				if (mp == NULL) {
11106 					return;
11107 				}
11108 			}
11109 			ip_wput_frag_v6(mp, ire, reachable, connp,
11110 			    caller, max_frag);
11111 			return;
11112 		}
11113 		/* Do IPSEC processing first */
11114 		if (mctl_present) {
11115 			int extra_len = ipsec_out_extra_length(first_mp);
11116 
11117 			if (ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN + extra_len >
11118 			    max_frag) {
11119 				/*
11120 				 * IPsec headers will push the packet over the
11121 				 * MTU limit.  Issue an ICMPv6 Packet Too Big
11122 				 * message for this packet if the upper-layer
11123 				 * that issued this packet will be able to
11124 				 * react to the icmp_pkt2big_v6() that we'll
11125 				 * generate.
11126 				 */
11127 				icmp_pkt2big_v6(ire->ire_stq, first_mp,
11128 				    max_frag, B_FALSE, B_TRUE, zoneid, ipst);
11129 				return;
11130 			}
11131 			ipsec_out_process(q, first_mp, ire, ill_index);
11132 			return;
11133 		}
11134 		/*
11135 		 * XXX multicast: add ip_mforward_v6() here.
11136 		 * Check conn_dontroute
11137 		 */
11138 #ifdef lint
11139 		/*
11140 		 * XXX The only purpose of this statement is to avoid lint
11141 		 * errors.  See the above "XXX multicast".  When that gets
11142 		 * fixed, remove this whole #ifdef lint section.
11143 		 */
11144 		ip3dbg(("multicast forward is %s.\n",
11145 		    (multicast_forward ? "TRUE" : "FALSE")));
11146 #endif
11147 
11148 		UPDATE_OB_PKT_COUNT(ire);
11149 		ire->ire_last_used_time = lbolt;
11150 		ASSERT(mp == first_mp);
11151 		ip_xmit_v6(mp, ire, reachable, connp, caller, NULL);
11152 	} else {
11153 		/*
11154 		 * DTrace this as ip:::send.  A blocked packet will fire the
11155 		 * send probe, but not the receive probe.
11156 		 */
11157 		DTRACE_IP7(send, mblk_t *, first_mp, conn_t *, NULL,
11158 		    void_ip_t *, ip6h, __dtrace_ipsr_ill_t *, ill, ipha_t *,
11159 		    NULL, ip6_t *, ip6h, int, 1);
11160 		DTRACE_PROBE4(ip6__loopback__out__start,
11161 		    ill_t *, NULL, ill_t *, ill,
11162 		    ip6_t *, ip6h, mblk_t *, first_mp);
11163 		FW_HOOKS6(ipst->ips_ip6_loopback_out_event,
11164 		    ipst->ips_ipv6firewall_loopback_out,
11165 		    NULL, ill, ip6h, first_mp, mp, 0, ipst);
11166 		DTRACE_PROBE1(ip6__loopback__out__end, mblk_t *, first_mp);
11167 		if (first_mp != NULL) {
11168 			ip_wput_local_v6(RD(q), ill, ip6h, first_mp, ire, 0,
11169 			    zoneid);
11170 		}
11171 	}
11172 }
11173 
11174 /*
11175  * Outbound IPv6 fragmentation routine using MDT.
11176  */
11177 static void
11178 ip_wput_frag_mdt_v6(mblk_t *mp, ire_t *ire, size_t max_chunk,
11179     size_t unfragmentable_len, uint8_t nexthdr, uint_t prev_nexthdr_offset)
11180 {
11181 	ip6_t		*ip6h = (ip6_t *)mp->b_rptr;
11182 	uint_t		pkts, wroff, hdr_chunk_len, pbuf_idx;
11183 	mblk_t		*hdr_mp, *md_mp = NULL;
11184 	int		i1;
11185 	multidata_t	*mmd;
11186 	unsigned char	*hdr_ptr, *pld_ptr;
11187 	ip_pdescinfo_t	pdi;
11188 	uint32_t	ident;
11189 	size_t		len;
11190 	uint16_t	offset;
11191 	queue_t		*stq = ire->ire_stq;
11192 	ill_t		*ill = (ill_t *)stq->q_ptr;
11193 	ip_stack_t	*ipst = ill->ill_ipst;
11194 
11195 	ASSERT(DB_TYPE(mp) == M_DATA);
11196 	ASSERT(MBLKL(mp) > unfragmentable_len);
11197 
11198 	/*
11199 	 * Move read ptr past unfragmentable portion, we don't want this part
11200 	 * of the data in our fragments.
11201 	 */
11202 	mp->b_rptr += unfragmentable_len;
11203 
11204 	/* Calculate how many packets we will send out  */
11205 	i1 = (mp->b_cont == NULL) ? MBLKL(mp) : msgsize(mp);
11206 	pkts = (i1 + max_chunk - 1) / max_chunk;
11207 	ASSERT(pkts > 1);
11208 
11209 	/* Allocate a message block which will hold all the IP Headers. */
11210 	wroff = ipst->ips_ip_wroff_extra;
11211 	hdr_chunk_len = wroff + unfragmentable_len + sizeof (ip6_frag_t);
11212 
11213 	i1 = pkts * hdr_chunk_len;
11214 	/*
11215 	 * Create the header buffer, Multidata and destination address
11216 	 * and SAP attribute that should be associated with it.
11217 	 */
11218 	if ((hdr_mp = allocb(i1, BPRI_HI)) == NULL ||
11219 	    ((hdr_mp->b_wptr += i1),
11220 	    (mmd = mmd_alloc(hdr_mp, &md_mp, KM_NOSLEEP)) == NULL) ||
11221 	    !ip_md_addr_attr(mmd, NULL, ire->ire_nce->nce_res_mp)) {
11222 		freemsg(mp);
11223 		if (md_mp == NULL) {
11224 			freemsg(hdr_mp);
11225 		} else {
11226 free_mmd:		IP6_STAT(ipst, ip6_frag_mdt_discarded);
11227 			freemsg(md_mp);
11228 		}
11229 		IP6_STAT(ipst, ip6_frag_mdt_allocfail);
11230 		BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragFails);
11231 		return;
11232 	}
11233 	IP6_STAT(ipst, ip6_frag_mdt_allocd);
11234 
11235 	/*
11236 	 * Add a payload buffer to the Multidata; this operation must not
11237 	 * fail, or otherwise our logic in this routine is broken.  There
11238 	 * is no memory allocation done by the routine, so any returned
11239 	 * failure simply tells us that we've done something wrong.
11240 	 *
11241 	 * A failure tells us that either we're adding the same payload
11242 	 * buffer more than once, or we're trying to add more buffers than
11243 	 * allowed.  None of the above cases should happen, and we panic
11244 	 * because either there's horrible heap corruption, and/or
11245 	 * programming mistake.
11246 	 */
11247 	if ((pbuf_idx = mmd_addpldbuf(mmd, mp)) < 0) {
11248 		goto pbuf_panic;
11249 	}
11250 
11251 	hdr_ptr = hdr_mp->b_rptr;
11252 	pld_ptr = mp->b_rptr;
11253 
11254 	pdi.flags = PDESC_HBUF_REF | PDESC_PBUF_REF;
11255 
11256 	ident = htonl(atomic_add_32_nv(&ire->ire_ident, 1));
11257 
11258 	/*
11259 	 * len is the total length of the fragmentable data in this
11260 	 * datagram.  For each fragment sent, we will decrement len
11261 	 * by the amount of fragmentable data sent in that fragment
11262 	 * until len reaches zero.
11263 	 */
11264 	len = ntohs(ip6h->ip6_plen) - (unfragmentable_len - IPV6_HDR_LEN);
11265 
11266 	offset = 0;
11267 	prev_nexthdr_offset += wroff;
11268 
11269 	while (len != 0) {
11270 		size_t		mlen;
11271 		ip6_t		*fip6h;
11272 		ip6_frag_t	*fraghdr;
11273 		int		error;
11274 
11275 		ASSERT((hdr_ptr + hdr_chunk_len) <= hdr_mp->b_wptr);
11276 		mlen = MIN(len, max_chunk);
11277 		len -= mlen;
11278 
11279 		fip6h = (ip6_t *)(hdr_ptr + wroff);
11280 		ASSERT(OK_32PTR(fip6h));
11281 		bcopy(ip6h, fip6h, unfragmentable_len);
11282 		hdr_ptr[prev_nexthdr_offset] = IPPROTO_FRAGMENT;
11283 
11284 		fip6h->ip6_plen = htons((uint16_t)(mlen +
11285 		    unfragmentable_len - IPV6_HDR_LEN + sizeof (ip6_frag_t)));
11286 
11287 		fraghdr = (ip6_frag_t *)((unsigned char *)fip6h +
11288 		    unfragmentable_len);
11289 		fraghdr->ip6f_nxt = nexthdr;
11290 		fraghdr->ip6f_reserved = 0;
11291 		fraghdr->ip6f_offlg = htons(offset) |
11292 		    ((len != 0) ? IP6F_MORE_FRAG : 0);
11293 		fraghdr->ip6f_ident = ident;
11294 
11295 		/*
11296 		 * Record offset and size of header and data of the next packet
11297 		 * in the multidata message.
11298 		 */
11299 		PDESC_HDR_ADD(&pdi, hdr_ptr, wroff,
11300 		    unfragmentable_len + sizeof (ip6_frag_t), 0);
11301 		PDESC_PLD_INIT(&pdi);
11302 		i1 = MIN(mp->b_wptr - pld_ptr, mlen);
11303 		ASSERT(i1 > 0);
11304 		PDESC_PLD_SPAN_ADD(&pdi, pbuf_idx, pld_ptr, i1);
11305 		if (i1 == mlen) {
11306 			pld_ptr += mlen;
11307 		} else {
11308 			i1 = mlen - i1;
11309 			mp = mp->b_cont;
11310 			ASSERT(mp != NULL);
11311 			ASSERT(MBLKL(mp) >= i1);
11312 			/*
11313 			 * Attach the next payload message block to the
11314 			 * multidata message.
11315 			 */
11316 			if ((pbuf_idx = mmd_addpldbuf(mmd, mp)) < 0)
11317 				goto pbuf_panic;
11318 			PDESC_PLD_SPAN_ADD(&pdi, pbuf_idx, mp->b_rptr, i1);
11319 			pld_ptr = mp->b_rptr + i1;
11320 		}
11321 
11322 		if ((mmd_addpdesc(mmd, (pdescinfo_t *)&pdi, &error,
11323 		    KM_NOSLEEP)) == NULL) {
11324 			/*
11325 			 * Any failure other than ENOMEM indicates that we
11326 			 * have passed in invalid pdesc info or parameters
11327 			 * to mmd_addpdesc, which must not happen.
11328 			 *
11329 			 * EINVAL is a result of failure on boundary checks
11330 			 * against the pdesc info contents.  It should not
11331 			 * happen, and we panic because either there's
11332 			 * horrible heap corruption, and/or programming
11333 			 * mistake.
11334 			 */
11335 			if (error != ENOMEM) {
11336 				cmn_err(CE_PANIC, "ip_wput_frag_mdt_v6: "
11337 				    "pdesc logic error detected for "
11338 				    "mmd %p pinfo %p (%d)\n",
11339 				    (void *)mmd, (void *)&pdi, error);
11340 				/* NOTREACHED */
11341 			}
11342 			IP6_STAT(ipst, ip6_frag_mdt_addpdescfail);
11343 			/* Free unattached payload message blocks as well */
11344 			md_mp->b_cont = mp->b_cont;
11345 			goto free_mmd;
11346 		}
11347 
11348 		/* Advance fragment offset. */
11349 		offset += mlen;
11350 
11351 		/* Advance to location for next header in the buffer. */
11352 		hdr_ptr += hdr_chunk_len;
11353 
11354 		/* Did we reach the next payload message block? */
11355 		if (pld_ptr == mp->b_wptr && mp->b_cont != NULL) {
11356 			mp = mp->b_cont;
11357 			/*
11358 			 * Attach the next message block with payload
11359 			 * data to the multidata message.
11360 			 */
11361 			if ((pbuf_idx = mmd_addpldbuf(mmd, mp)) < 0)
11362 				goto pbuf_panic;
11363 			pld_ptr = mp->b_rptr;
11364 		}
11365 	}
11366 
11367 	ASSERT(hdr_mp->b_wptr == hdr_ptr);
11368 	ASSERT(mp->b_wptr == pld_ptr);
11369 
11370 	/* Update IP statistics */
11371 	UPDATE_MIB(ill->ill_ip_mib, ipIfStatsOutFragCreates, pkts);
11372 	BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragOKs);
11373 	UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCOutTransmits, pkts);
11374 	/*
11375 	 * The ipv6 header len is accounted for in unfragmentable_len so
11376 	 * when calculating the fragmentation overhead just add the frag
11377 	 * header len.
11378 	 */
11379 	UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCOutOctets,
11380 	    (ntohs(ip6h->ip6_plen) - (unfragmentable_len - IPV6_HDR_LEN)) +
11381 	    pkts * (unfragmentable_len + sizeof (ip6_frag_t)));
11382 	IP6_STAT_UPDATE(ipst, ip6_frag_mdt_pkt_out, pkts);
11383 
11384 	ire->ire_ob_pkt_count += pkts;
11385 	if (ire->ire_ipif != NULL)
11386 		atomic_add_32(&ire->ire_ipif->ipif_ob_pkt_count, pkts);
11387 
11388 	ire->ire_last_used_time = lbolt;
11389 	/* Send it down */
11390 	putnext(stq, md_mp);
11391 	return;
11392 
11393 pbuf_panic:
11394 	cmn_err(CE_PANIC, "ip_wput_frag_mdt_v6: payload buffer logic "
11395 	    "error for mmd %p pbuf %p (%d)", (void *)mmd, (void *)mp,
11396 	    pbuf_idx);
11397 	/* NOTREACHED */
11398 }
11399 
11400 /*
11401  * IPv6 fragmentation.  Essentially the same as IPv4 fragmentation.
11402  * We have not optimized this in terms of number of mblks
11403  * allocated. For instance, for each fragment sent we always allocate a
11404  * mblk to hold the IPv6 header and fragment header.
11405  *
11406  * Assumes that all the extension headers are contained in the first mblk.
11407  *
11408  * The fragment header is inserted after an hop-by-hop options header
11409  * and after [an optional destinations header followed by] a routing header.
11410  *
11411  * NOTE : This function does not ire_refrele the ire passed in as
11412  * the argument.
11413  */
11414 void
11415 ip_wput_frag_v6(mblk_t *mp, ire_t *ire, uint_t reachable, conn_t *connp,
11416     int caller, int max_frag)
11417 {
11418 	ip6_t		*ip6h = (ip6_t *)mp->b_rptr;
11419 	ip6_t		*fip6h;
11420 	mblk_t		*hmp;
11421 	mblk_t		*hmp0;
11422 	mblk_t		*dmp;
11423 	ip6_frag_t	*fraghdr;
11424 	size_t		unfragmentable_len;
11425 	size_t		len;
11426 	size_t		mlen;
11427 	size_t		max_chunk;
11428 	uint32_t	ident;
11429 	uint16_t	off_flags;
11430 	uint16_t	offset = 0;
11431 	ill_t		*ill;
11432 	uint8_t		nexthdr;
11433 	uint_t		prev_nexthdr_offset;
11434 	uint8_t		*ptr;
11435 	ip_stack_t	*ipst = ire->ire_ipst;
11436 
11437 	ASSERT(ire->ire_type == IRE_CACHE);
11438 	ill = (ill_t *)ire->ire_stq->q_ptr;
11439 
11440 	if (max_frag <= 0) {
11441 		BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragFails);
11442 		freemsg(mp);
11443 		return;
11444 	}
11445 	BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragReqds);
11446 
11447 	/*
11448 	 * Determine the length of the unfragmentable portion of this
11449 	 * datagram.  This consists of the IPv6 header, a potential
11450 	 * hop-by-hop options header, a potential pre-routing-header
11451 	 * destination options header, and a potential routing header.
11452 	 */
11453 	nexthdr = ip6h->ip6_nxt;
11454 	prev_nexthdr_offset = (uint8_t *)&ip6h->ip6_nxt - (uint8_t *)ip6h;
11455 	ptr = (uint8_t *)&ip6h[1];
11456 
11457 	if (nexthdr == IPPROTO_HOPOPTS) {
11458 		ip6_hbh_t	*hbh_hdr;
11459 		uint_t		hdr_len;
11460 
11461 		hbh_hdr = (ip6_hbh_t *)ptr;
11462 		hdr_len = 8 * (hbh_hdr->ip6h_len + 1);
11463 		nexthdr = hbh_hdr->ip6h_nxt;
11464 		prev_nexthdr_offset = (uint8_t *)&hbh_hdr->ip6h_nxt
11465 		    - (uint8_t *)ip6h;
11466 		ptr += hdr_len;
11467 	}
11468 	if (nexthdr == IPPROTO_DSTOPTS) {
11469 		ip6_dest_t	*dest_hdr;
11470 		uint_t		hdr_len;
11471 
11472 		dest_hdr = (ip6_dest_t *)ptr;
11473 		if (dest_hdr->ip6d_nxt == IPPROTO_ROUTING) {
11474 			hdr_len = 8 * (dest_hdr->ip6d_len + 1);
11475 			nexthdr = dest_hdr->ip6d_nxt;
11476 			prev_nexthdr_offset = (uint8_t *)&dest_hdr->ip6d_nxt
11477 			    - (uint8_t *)ip6h;
11478 			ptr += hdr_len;
11479 		}
11480 	}
11481 	if (nexthdr == IPPROTO_ROUTING) {
11482 		ip6_rthdr_t	*rthdr;
11483 		uint_t		hdr_len;
11484 
11485 		rthdr = (ip6_rthdr_t *)ptr;
11486 		nexthdr = rthdr->ip6r_nxt;
11487 		prev_nexthdr_offset = (uint8_t *)&rthdr->ip6r_nxt
11488 		    - (uint8_t *)ip6h;
11489 		hdr_len = 8 * (rthdr->ip6r_len + 1);
11490 		ptr += hdr_len;
11491 	}
11492 	unfragmentable_len = (uint_t)(ptr - (uint8_t *)ip6h);
11493 
11494 	max_chunk = (min(max_frag, ire->ire_max_frag) - unfragmentable_len -
11495 	    sizeof (ip6_frag_t)) & ~7;
11496 
11497 	/* Check if we can use MDT to send out the frags. */
11498 	ASSERT(!IRE_IS_LOCAL(ire));
11499 	if (ipst->ips_ip_multidata_outbound && reachable == 0 &&
11500 	    !(ire->ire_flags & RTF_MULTIRT) && ILL_MDT_CAPABLE(ill) &&
11501 	    IP_CAN_FRAG_MDT(mp, unfragmentable_len, max_chunk)) {
11502 		ip_wput_frag_mdt_v6(mp, ire, max_chunk, unfragmentable_len,
11503 		    nexthdr, prev_nexthdr_offset);
11504 		return;
11505 	}
11506 
11507 	/*
11508 	 * Allocate an mblk with enough room for the link-layer
11509 	 * header, the unfragmentable part of the datagram, and the
11510 	 * fragment header.  This (or a copy) will be used as the
11511 	 * first mblk for each fragment we send.
11512 	 */
11513 	hmp = allocb(unfragmentable_len + sizeof (ip6_frag_t) +
11514 	    ipst->ips_ip_wroff_extra, BPRI_HI);
11515 	if (hmp == NULL) {
11516 		BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragFails);
11517 		freemsg(mp);
11518 		return;
11519 	}
11520 	hmp->b_rptr += ipst->ips_ip_wroff_extra;
11521 	hmp->b_wptr = hmp->b_rptr + unfragmentable_len + sizeof (ip6_frag_t);
11522 
11523 	fip6h = (ip6_t *)hmp->b_rptr;
11524 	fraghdr = (ip6_frag_t *)(hmp->b_rptr + unfragmentable_len);
11525 
11526 	bcopy(ip6h, fip6h, unfragmentable_len);
11527 	hmp->b_rptr[prev_nexthdr_offset] = IPPROTO_FRAGMENT;
11528 
11529 	ident = atomic_add_32_nv(&ire->ire_ident, 1);
11530 
11531 	fraghdr->ip6f_nxt = nexthdr;
11532 	fraghdr->ip6f_reserved = 0;
11533 	fraghdr->ip6f_offlg = 0;
11534 	fraghdr->ip6f_ident = htonl(ident);
11535 
11536 	/*
11537 	 * len is the total length of the fragmentable data in this
11538 	 * datagram.  For each fragment sent, we will decrement len
11539 	 * by the amount of fragmentable data sent in that fragment
11540 	 * until len reaches zero.
11541 	 */
11542 	len = ntohs(ip6h->ip6_plen) - (unfragmentable_len - IPV6_HDR_LEN);
11543 
11544 	/*
11545 	 * Move read ptr past unfragmentable portion, we don't want this part
11546 	 * of the data in our fragments.
11547 	 */
11548 	mp->b_rptr += unfragmentable_len;
11549 
11550 	while (len != 0) {
11551 		mlen = MIN(len, max_chunk);
11552 		len -= mlen;
11553 		if (len != 0) {
11554 			/* Not last */
11555 			hmp0 = copyb(hmp);
11556 			if (hmp0 == NULL) {
11557 				freeb(hmp);
11558 				freemsg(mp);
11559 				BUMP_MIB(ill->ill_ip_mib,
11560 				    ipIfStatsOutFragFails);
11561 				ip1dbg(("ip_wput_frag_v6: copyb failed\n"));
11562 				return;
11563 			}
11564 			off_flags = IP6F_MORE_FRAG;
11565 		} else {
11566 			/* Last fragment */
11567 			hmp0 = hmp;
11568 			hmp = NULL;
11569 			off_flags = 0;
11570 		}
11571 		fip6h = (ip6_t *)(hmp0->b_rptr);
11572 		fraghdr = (ip6_frag_t *)(hmp0->b_rptr + unfragmentable_len);
11573 
11574 		fip6h->ip6_plen = htons((uint16_t)(mlen +
11575 		    unfragmentable_len - IPV6_HDR_LEN + sizeof (ip6_frag_t)));
11576 		/*
11577 		 * Note: Optimization alert.
11578 		 * In IPv6 (and IPv4) protocol header, Fragment Offset
11579 		 * ("offset") is 13 bits wide and in 8-octet units.
11580 		 * In IPv6 protocol header (unlike IPv4) in a 16 bit field,
11581 		 * it occupies the most significant 13 bits.
11582 		 * (least significant 13 bits in IPv4).
11583 		 * We do not do any shifts here. Not shifting is same effect
11584 		 * as taking offset value in octet units, dividing by 8 and
11585 		 * then shifting 3 bits left to line it up in place in proper
11586 		 * place protocol header.
11587 		 */
11588 		fraghdr->ip6f_offlg = htons(offset) | off_flags;
11589 
11590 		if (!(dmp = ip_carve_mp(&mp, mlen))) {
11591 			/* mp has already been freed by ip_carve_mp() */
11592 			if (hmp != NULL)
11593 				freeb(hmp);
11594 			freeb(hmp0);
11595 			ip1dbg(("ip_carve_mp: failed\n"));
11596 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragFails);
11597 			return;
11598 		}
11599 		hmp0->b_cont = dmp;
11600 		/* Get the priority marking, if any */
11601 		hmp0->b_band = dmp->b_band;
11602 		UPDATE_OB_PKT_COUNT(ire);
11603 		ire->ire_last_used_time = lbolt;
11604 		ip_xmit_v6(hmp0, ire, reachable | IP6_NO_IPPOLICY, connp,
11605 		    caller, NULL);
11606 		reachable = 0;	/* No need to redo state machine in loop */
11607 		BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragCreates);
11608 		offset += mlen;
11609 	}
11610 	BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragOKs);
11611 }
11612 
11613 /*
11614  * Determine if the ill and multicast aspects of that packets
11615  * "matches" the conn.
11616  */
11617 boolean_t
11618 conn_wantpacket_v6(conn_t *connp, ill_t *ill, ip6_t *ip6h, int fanout_flags,
11619     zoneid_t zoneid)
11620 {
11621 	ill_t *bound_ill;
11622 	boolean_t wantpacket;
11623 	in6_addr_t *v6dst_ptr = &ip6h->ip6_dst;
11624 	in6_addr_t *v6src_ptr = &ip6h->ip6_src;
11625 
11626 	/*
11627 	 * conn_incoming_ill is set by IPV6_BOUND_IF which limits
11628 	 * unicast and multicast reception to conn_incoming_ill.
11629 	 * conn_wantpacket_v6 is called both for unicast and
11630 	 * multicast.
11631 	 */
11632 	bound_ill = connp->conn_incoming_ill;
11633 	if (bound_ill != NULL) {
11634 		if (IS_IPMP(bound_ill)) {
11635 			if (bound_ill->ill_grp != ill->ill_grp)
11636 				return (B_FALSE);
11637 		} else {
11638 			if (bound_ill != ill)
11639 				return (B_FALSE);
11640 		}
11641 	}
11642 
11643 	if (connp->conn_multi_router)
11644 		return (B_TRUE);
11645 
11646 	if (!IN6_IS_ADDR_MULTICAST(v6dst_ptr) &&
11647 	    !IN6_IS_ADDR_V4MAPPED_CLASSD(v6dst_ptr)) {
11648 		/*
11649 		 * Unicast case: we match the conn only if it's in the specified
11650 		 * zone.
11651 		 */
11652 		return (IPCL_ZONE_MATCH(connp, zoneid));
11653 	}
11654 
11655 	if ((fanout_flags & IP_FF_NO_MCAST_LOOP) &&
11656 	    (connp->conn_zoneid == zoneid || zoneid == ALL_ZONES)) {
11657 		/*
11658 		 * Loopback case: the sending endpoint has IP_MULTICAST_LOOP
11659 		 * disabled, therefore we don't dispatch the multicast packet to
11660 		 * the sending zone.
11661 		 */
11662 		return (B_FALSE);
11663 	}
11664 
11665 	if (IS_LOOPBACK(ill) && connp->conn_zoneid != zoneid &&
11666 	    zoneid != ALL_ZONES) {
11667 		/*
11668 		 * Multicast packet on the loopback interface: we only match
11669 		 * conns who joined the group in the specified zone.
11670 		 */
11671 		return (B_FALSE);
11672 	}
11673 
11674 	mutex_enter(&connp->conn_lock);
11675 	wantpacket =
11676 	    ilg_lookup_ill_withsrc_v6(connp, v6dst_ptr, v6src_ptr, ill) != NULL;
11677 	mutex_exit(&connp->conn_lock);
11678 
11679 	return (wantpacket);
11680 }
11681 
11682 
11683 /*
11684  * Transmit a packet and update any NUD state based on the flags
11685  * XXX need to "recover" any ip6i_t when doing putq!
11686  *
11687  * NOTE : This function does not ire_refrele the ire passed in as the
11688  * argument.
11689  */
11690 void
11691 ip_xmit_v6(mblk_t *mp, ire_t *ire, uint_t flags, conn_t *connp,
11692     int caller, ipsec_out_t *io)
11693 {
11694 	mblk_t		*mp1;
11695 	nce_t		*nce = ire->ire_nce;
11696 	ill_t		*ill;
11697 	ill_t		*out_ill;
11698 	uint64_t	delta;
11699 	ip6_t		*ip6h;
11700 	queue_t		*stq = ire->ire_stq;
11701 	ire_t		*ire1 = NULL;
11702 	ire_t		*save_ire = ire;
11703 	boolean_t	multirt_send = B_FALSE;
11704 	mblk_t		*next_mp = NULL;
11705 	ip_stack_t	*ipst = ire->ire_ipst;
11706 	boolean_t	fp_prepend = B_FALSE;
11707 	uint32_t	hlen;
11708 
11709 	ip6h = (ip6_t *)mp->b_rptr;
11710 	ASSERT(!IN6_IS_ADDR_V4MAPPED(&ire->ire_addr_v6));
11711 	ASSERT(ire->ire_ipversion == IPV6_VERSION);
11712 	ASSERT(nce != NULL);
11713 	ASSERT(mp->b_datap->db_type == M_DATA);
11714 	ASSERT(stq != NULL);
11715 
11716 	ill = ire_to_ill(ire);
11717 	if (!ill) {
11718 		ip0dbg(("ip_xmit_v6: ire_to_ill failed\n"));
11719 		freemsg(mp);
11720 		return;
11721 	}
11722 
11723 	/*
11724 	 * If a packet is to be sent out an interface that is a 6to4
11725 	 * tunnel, outgoing IPv6 packets, with a 6to4 addressed IPv6
11726 	 * destination, must be checked to have a 6to4 prefix
11727 	 * (2002:V4ADDR::/48) that is NOT equal to the 6to4 prefix of
11728 	 * address configured on the sending interface.  Otherwise,
11729 	 * the packet was delivered to this interface in error and the
11730 	 * packet must be dropped.
11731 	 */
11732 	if ((ill->ill_is_6to4tun) && IN6_IS_ADDR_6TO4(&ip6h->ip6_dst)) {
11733 		ipif_t *ipif = ill->ill_ipif;
11734 
11735 		if (IN6_ARE_6TO4_PREFIX_EQUAL(&ipif->ipif_v6lcl_addr,
11736 		    &ip6h->ip6_dst)) {
11737 			if (ip_debug > 2) {
11738 				/* ip1dbg */
11739 				pr_addr_dbg("ip_xmit_v6: attempting to "
11740 				    "send 6to4 addressed IPv6 "
11741 				    "destination (%s) out the wrong "
11742 				    "interface.\n", AF_INET6,
11743 				    &ip6h->ip6_dst);
11744 			}
11745 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
11746 			freemsg(mp);
11747 			return;
11748 		}
11749 	}
11750 
11751 	/* Flow-control check has been done in ip_wput_ire_v6 */
11752 	if (IP_FLOW_CONTROLLED_ULP(ip6h->ip6_nxt) || caller == IP_WPUT ||
11753 	    caller == IP_WSRV || canput(stq->q_next)) {
11754 		uint32_t ill_index;
11755 
11756 		/*
11757 		 * In most cases, the emission loop below is entered only
11758 		 * once. Only in the case where the ire holds the
11759 		 * RTF_MULTIRT flag, do we loop to process all RTF_MULTIRT
11760 		 * flagged ires in the bucket, and send the packet
11761 		 * through all crossed RTF_MULTIRT routes.
11762 		 */
11763 		if (ire->ire_flags & RTF_MULTIRT) {
11764 			/*
11765 			 * Multirouting case. The bucket where ire is stored
11766 			 * probably holds other RTF_MULTIRT flagged ires
11767 			 * to the destination. In this call to ip_xmit_v6,
11768 			 * we attempt to send the packet through all
11769 			 * those ires. Thus, we first ensure that ire is the
11770 			 * first RTF_MULTIRT ire in the bucket,
11771 			 * before walking the ire list.
11772 			 */
11773 			ire_t *first_ire;
11774 			irb_t *irb = ire->ire_bucket;
11775 			ASSERT(irb != NULL);
11776 			multirt_send = B_TRUE;
11777 
11778 			/* Make sure we do not omit any multiroute ire. */
11779 			IRB_REFHOLD(irb);
11780 			for (first_ire = irb->irb_ire;
11781 			    first_ire != NULL;
11782 			    first_ire = first_ire->ire_next) {
11783 				if ((first_ire->ire_flags & RTF_MULTIRT) &&
11784 				    (IN6_ARE_ADDR_EQUAL(&first_ire->ire_addr_v6,
11785 				    &ire->ire_addr_v6)) &&
11786 				    !(first_ire->ire_marks &
11787 				    (IRE_MARK_CONDEMNED | IRE_MARK_TESTHIDDEN)))
11788 					break;
11789 			}
11790 
11791 			if ((first_ire != NULL) && (first_ire != ire)) {
11792 				IRE_REFHOLD(first_ire);
11793 				/* ire will be released by the caller */
11794 				ire = first_ire;
11795 				nce = ire->ire_nce;
11796 				stq = ire->ire_stq;
11797 				ill = ire_to_ill(ire);
11798 			}
11799 			IRB_REFRELE(irb);
11800 		} else if (connp != NULL && IPCL_IS_TCP(connp) &&
11801 		    connp->conn_mdt_ok && !connp->conn_tcp->tcp_mdt &&
11802 		    ILL_MDT_USABLE(ill)) {
11803 			/*
11804 			 * This tcp connection was marked as MDT-capable, but
11805 			 * it has been turned off due changes in the interface.
11806 			 * Now that the interface support is back, turn it on
11807 			 * by notifying tcp.  We don't directly modify tcp_mdt,
11808 			 * since we leave all the details to the tcp code that
11809 			 * knows better.
11810 			 */
11811 			mblk_t *mdimp = ip_mdinfo_alloc(ill->ill_mdt_capab);
11812 
11813 			if (mdimp == NULL) {
11814 				ip0dbg(("ip_xmit_v6: can't re-enable MDT for "
11815 				    "connp %p (ENOMEM)\n", (void *)connp));
11816 			} else {
11817 				CONN_INC_REF(connp);
11818 				SQUEUE_ENTER_ONE(connp->conn_sqp, mdimp,
11819 				    tcp_input, connp, SQ_FILL,
11820 				    SQTAG_TCP_INPUT_MCTL);
11821 			}
11822 		}
11823 
11824 		do {
11825 			mblk_t *mp_ip6h;
11826 
11827 			if (multirt_send) {
11828 				irb_t *irb;
11829 				/*
11830 				 * We are in a multiple send case, need to get
11831 				 * the next ire and make a duplicate of the
11832 				 * packet. ire1 holds here the next ire to
11833 				 * process in the bucket. If multirouting is
11834 				 * expected, any non-RTF_MULTIRT ire that has
11835 				 * the right destination address is ignored.
11836 				 */
11837 				irb = ire->ire_bucket;
11838 				ASSERT(irb != NULL);
11839 
11840 				IRB_REFHOLD(irb);
11841 				for (ire1 = ire->ire_next;
11842 				    ire1 != NULL;
11843 				    ire1 = ire1->ire_next) {
11844 					if (!(ire1->ire_flags & RTF_MULTIRT))
11845 						continue;
11846 					if (!IN6_ARE_ADDR_EQUAL(
11847 					    &ire1->ire_addr_v6,
11848 					    &ire->ire_addr_v6))
11849 						continue;
11850 					if (ire1->ire_marks &
11851 					    IRE_MARK_CONDEMNED)
11852 						continue;
11853 
11854 					/* Got one */
11855 					if (ire1 != save_ire) {
11856 						IRE_REFHOLD(ire1);
11857 					}
11858 					break;
11859 				}
11860 				IRB_REFRELE(irb);
11861 
11862 				if (ire1 != NULL) {
11863 					next_mp = copyb(mp);
11864 					if ((next_mp == NULL) ||
11865 					    ((mp->b_cont != NULL) &&
11866 					    ((next_mp->b_cont =
11867 					    dupmsg(mp->b_cont)) == NULL))) {
11868 						freemsg(next_mp);
11869 						next_mp = NULL;
11870 						ire_refrele(ire1);
11871 						ire1 = NULL;
11872 					}
11873 				}
11874 
11875 				/* Last multiroute ire; don't loop anymore. */
11876 				if (ire1 == NULL) {
11877 					multirt_send = B_FALSE;
11878 				}
11879 			}
11880 
11881 			ill_index =
11882 			    ((ill_t *)stq->q_ptr)->ill_phyint->phyint_ifindex;
11883 
11884 			/* Initiate IPPF processing */
11885 			if (IP6_OUT_IPP(flags, ipst)) {
11886 				ip_process(IPP_LOCAL_OUT, &mp, ill_index);
11887 				if (mp == NULL) {
11888 					BUMP_MIB(ill->ill_ip_mib,
11889 					    ipIfStatsOutDiscards);
11890 					if (next_mp != NULL)
11891 						freemsg(next_mp);
11892 					if (ire != save_ire) {
11893 						ire_refrele(ire);
11894 					}
11895 					return;
11896 				}
11897 				ip6h = (ip6_t *)mp->b_rptr;
11898 			}
11899 			mp_ip6h = mp;
11900 
11901 			/*
11902 			 * Check for fastpath, we need to hold nce_lock to
11903 			 * prevent fastpath update from chaining nce_fp_mp.
11904 			 */
11905 
11906 			ASSERT(nce->nce_ipversion != IPV4_VERSION);
11907 			mutex_enter(&nce->nce_lock);
11908 			if ((mp1 = nce->nce_fp_mp) != NULL) {
11909 				uchar_t	*rptr;
11910 
11911 				hlen = MBLKL(mp1);
11912 				rptr = mp->b_rptr - hlen;
11913 				/*
11914 				 * make sure there is room for the fastpath
11915 				 * datalink header
11916 				 */
11917 				if (rptr < mp->b_datap->db_base) {
11918 					mp1 = copyb(mp1);
11919 					mutex_exit(&nce->nce_lock);
11920 					if (mp1 == NULL) {
11921 						BUMP_MIB(ill->ill_ip_mib,
11922 						    ipIfStatsOutDiscards);
11923 						freemsg(mp);
11924 						if (next_mp != NULL)
11925 							freemsg(next_mp);
11926 						if (ire != save_ire) {
11927 							ire_refrele(ire);
11928 						}
11929 						return;
11930 					}
11931 					mp1->b_cont = mp;
11932 
11933 					/* Get the priority marking, if any */
11934 					mp1->b_band = mp->b_band;
11935 					mp = mp1;
11936 				} else {
11937 					mp->b_rptr = rptr;
11938 					/*
11939 					 * fastpath -  pre-pend datalink
11940 					 * header
11941 					 */
11942 					bcopy(mp1->b_rptr, rptr, hlen);
11943 					mutex_exit(&nce->nce_lock);
11944 					fp_prepend = B_TRUE;
11945 				}
11946 			} else {
11947 				/*
11948 				 * Get the DL_UNITDATA_REQ.
11949 				 */
11950 				mp1 = nce->nce_res_mp;
11951 				if (mp1 == NULL) {
11952 					mutex_exit(&nce->nce_lock);
11953 					ip1dbg(("ip_xmit_v6: No resolution "
11954 					    "block ire = %p\n", (void *)ire));
11955 					freemsg(mp);
11956 					if (next_mp != NULL)
11957 						freemsg(next_mp);
11958 					if (ire != save_ire) {
11959 						ire_refrele(ire);
11960 					}
11961 					return;
11962 				}
11963 				/*
11964 				 * Prepend the DL_UNITDATA_REQ.
11965 				 */
11966 				mp1 = copyb(mp1);
11967 				mutex_exit(&nce->nce_lock);
11968 				if (mp1 == NULL) {
11969 					BUMP_MIB(ill->ill_ip_mib,
11970 					    ipIfStatsOutDiscards);
11971 					freemsg(mp);
11972 					if (next_mp != NULL)
11973 						freemsg(next_mp);
11974 					if (ire != save_ire) {
11975 						ire_refrele(ire);
11976 					}
11977 					return;
11978 				}
11979 				mp1->b_cont = mp;
11980 
11981 				/* Get the priority marking, if any */
11982 				mp1->b_band = mp->b_band;
11983 				mp = mp1;
11984 			}
11985 
11986 			out_ill = (ill_t *)stq->q_ptr;
11987 
11988 			DTRACE_PROBE4(ip6__physical__out__start,
11989 			    ill_t *, NULL, ill_t *, out_ill,
11990 			    ip6_t *, ip6h, mblk_t *, mp);
11991 
11992 			FW_HOOKS6(ipst->ips_ip6_physical_out_event,
11993 			    ipst->ips_ipv6firewall_physical_out,
11994 			    NULL, out_ill, ip6h, mp, mp_ip6h, 0, ipst);
11995 
11996 			DTRACE_PROBE1(ip6__physical__out__end, mblk_t *, mp);
11997 
11998 			if (mp == NULL) {
11999 				if (multirt_send) {
12000 					ASSERT(ire1 != NULL);
12001 					if (ire != save_ire) {
12002 						ire_refrele(ire);
12003 					}
12004 					/*
12005 					 * Proceed with the next RTF_MULTIRT
12006 					 * ire, also set up the send-to queue
12007 					 * accordingly.
12008 					 */
12009 					ire = ire1;
12010 					ire1 = NULL;
12011 					stq = ire->ire_stq;
12012 					nce = ire->ire_nce;
12013 					ill = ire_to_ill(ire);
12014 					mp = next_mp;
12015 					next_mp = NULL;
12016 					continue;
12017 				} else {
12018 					ASSERT(next_mp == NULL);
12019 					ASSERT(ire1 == NULL);
12020 					break;
12021 				}
12022 			}
12023 
12024 			if (ipst->ips_ipobs_enabled) {
12025 				zoneid_t	szone;
12026 
12027 				szone = ip_get_zoneid_v6(&ip6h->ip6_src,
12028 				    mp_ip6h, out_ill, ipst, ALL_ZONES);
12029 				ipobs_hook(mp_ip6h, IPOBS_HOOK_OUTBOUND, szone,
12030 				    ALL_ZONES, out_ill, IPV6_VERSION,
12031 				    fp_prepend ? hlen : 0, ipst);
12032 			}
12033 
12034 			/*
12035 			 * Update ire and MIB counters; for save_ire, this has
12036 			 * been done by the caller.
12037 			 */
12038 			if (ire != save_ire) {
12039 				UPDATE_OB_PKT_COUNT(ire);
12040 				ire->ire_last_used_time = lbolt;
12041 
12042 				if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst)) {
12043 					BUMP_MIB(ill->ill_ip_mib,
12044 					    ipIfStatsHCOutMcastPkts);
12045 					UPDATE_MIB(ill->ill_ip_mib,
12046 					    ipIfStatsHCOutMcastOctets,
12047 					    ntohs(ip6h->ip6_plen) +
12048 					    IPV6_HDR_LEN);
12049 				}
12050 			}
12051 
12052 			/*
12053 			 * Send it down.  XXX Do we want to flow control AH/ESP
12054 			 * packets that carry TCP payloads?  We don't flow
12055 			 * control TCP packets, but we should also not
12056 			 * flow-control TCP packets that have been protected.
12057 			 * We don't have an easy way to find out if an AH/ESP
12058 			 * packet was originally TCP or not currently.
12059 			 */
12060 			if (io == NULL) {
12061 				BUMP_MIB(ill->ill_ip_mib,
12062 				    ipIfStatsHCOutTransmits);
12063 				UPDATE_MIB(ill->ill_ip_mib,
12064 				    ipIfStatsHCOutOctets,
12065 				    ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN);
12066 				DTRACE_IP7(send, mblk_t *, mp, conn_t *, NULL,
12067 				    void_ip_t *, ip6h, __dtrace_ipsr_ill_t *,
12068 				    out_ill, ipha_t *, NULL, ip6_t *, ip6h,
12069 				    int, 0);
12070 
12071 				putnext(stq, mp);
12072 			} else {
12073 				/*
12074 				 * Safety Pup says: make sure this is
12075 				 * going to the right interface!
12076 				 */
12077 				if (io->ipsec_out_capab_ill_index !=
12078 				    ill_index) {
12079 					/* IPsec kstats: bump lose counter */
12080 					freemsg(mp1);
12081 				} else {
12082 					BUMP_MIB(ill->ill_ip_mib,
12083 					    ipIfStatsHCOutTransmits);
12084 					UPDATE_MIB(ill->ill_ip_mib,
12085 					    ipIfStatsHCOutOctets,
12086 					    ntohs(ip6h->ip6_plen) +
12087 					    IPV6_HDR_LEN);
12088 					DTRACE_IP7(send, mblk_t *, mp,
12089 					    conn_t *, NULL, void_ip_t *, ip6h,
12090 					    __dtrace_ipsr_ill_t *, out_ill,
12091 					    ipha_t *, NULL, ip6_t *, ip6h, int,
12092 					    0);
12093 					ipsec_hw_putnext(stq, mp);
12094 				}
12095 			}
12096 
12097 			if (nce->nce_flags & (NCE_F_NONUD|NCE_F_PERMANENT)) {
12098 				if (ire != save_ire) {
12099 					ire_refrele(ire);
12100 				}
12101 				if (multirt_send) {
12102 					ASSERT(ire1 != NULL);
12103 					/*
12104 					 * Proceed with the next RTF_MULTIRT
12105 					 * ire, also set up the send-to queue
12106 					 * accordingly.
12107 					 */
12108 					ire = ire1;
12109 					ire1 = NULL;
12110 					stq = ire->ire_stq;
12111 					nce = ire->ire_nce;
12112 					ill = ire_to_ill(ire);
12113 					mp = next_mp;
12114 					next_mp = NULL;
12115 					continue;
12116 				}
12117 				ASSERT(next_mp == NULL);
12118 				ASSERT(ire1 == NULL);
12119 				return;
12120 			}
12121 
12122 			ASSERT(nce->nce_state != ND_INCOMPLETE);
12123 
12124 			/*
12125 			 * Check for upper layer advice
12126 			 */
12127 			if (flags & IPV6_REACHABILITY_CONFIRMATION) {
12128 				/*
12129 				 * It should be o.k. to check the state without
12130 				 * a lock here, at most we lose an advice.
12131 				 */
12132 				nce->nce_last = TICK_TO_MSEC(lbolt64);
12133 				if (nce->nce_state != ND_REACHABLE) {
12134 
12135 					mutex_enter(&nce->nce_lock);
12136 					nce->nce_state = ND_REACHABLE;
12137 					nce->nce_pcnt = ND_MAX_UNICAST_SOLICIT;
12138 					mutex_exit(&nce->nce_lock);
12139 					(void) untimeout(nce->nce_timeout_id);
12140 					if (ip_debug > 2) {
12141 						/* ip1dbg */
12142 						pr_addr_dbg("ip_xmit_v6: state"
12143 						    " for %s changed to"
12144 						    " REACHABLE\n", AF_INET6,
12145 						    &ire->ire_addr_v6);
12146 					}
12147 				}
12148 				if (ire != save_ire) {
12149 					ire_refrele(ire);
12150 				}
12151 				if (multirt_send) {
12152 					ASSERT(ire1 != NULL);
12153 					/*
12154 					 * Proceed with the next RTF_MULTIRT
12155 					 * ire, also set up the send-to queue
12156 					 * accordingly.
12157 					 */
12158 					ire = ire1;
12159 					ire1 = NULL;
12160 					stq = ire->ire_stq;
12161 					nce = ire->ire_nce;
12162 					ill = ire_to_ill(ire);
12163 					mp = next_mp;
12164 					next_mp = NULL;
12165 					continue;
12166 				}
12167 				ASSERT(next_mp == NULL);
12168 				ASSERT(ire1 == NULL);
12169 				return;
12170 			}
12171 
12172 			delta =  TICK_TO_MSEC(lbolt64) - nce->nce_last;
12173 			ip1dbg(("ip_xmit_v6: delta = %" PRId64
12174 			    " ill_reachable_time = %d \n", delta,
12175 			    ill->ill_reachable_time));
12176 			if (delta > (uint64_t)ill->ill_reachable_time) {
12177 				nce = ire->ire_nce;
12178 				mutex_enter(&nce->nce_lock);
12179 				switch (nce->nce_state) {
12180 				case ND_REACHABLE:
12181 				case ND_STALE:
12182 					/*
12183 					 * ND_REACHABLE is identical to
12184 					 * ND_STALE in this specific case. If
12185 					 * reachable time has expired for this
12186 					 * neighbor (delta is greater than
12187 					 * reachable time), conceptually, the
12188 					 * neighbor cache is no longer in
12189 					 * REACHABLE state, but already in
12190 					 * STALE state.  So the correct
12191 					 * transition here is to ND_DELAY.
12192 					 */
12193 					nce->nce_state = ND_DELAY;
12194 					mutex_exit(&nce->nce_lock);
12195 					NDP_RESTART_TIMER(nce,
12196 					    ipst->ips_delay_first_probe_time);
12197 					if (ip_debug > 3) {
12198 						/* ip2dbg */
12199 						pr_addr_dbg("ip_xmit_v6: state"
12200 						    " for %s changed to"
12201 						    " DELAY\n", AF_INET6,
12202 						    &ire->ire_addr_v6);
12203 					}
12204 					break;
12205 				case ND_DELAY:
12206 				case ND_PROBE:
12207 					mutex_exit(&nce->nce_lock);
12208 					/* Timers have already started */
12209 					break;
12210 				case ND_UNREACHABLE:
12211 					/*
12212 					 * ndp timer has detected that this nce
12213 					 * is unreachable and initiated deleting
12214 					 * this nce and all its associated IREs.
12215 					 * This is a race where we found the
12216 					 * ire before it was deleted and have
12217 					 * just sent out a packet using this
12218 					 * unreachable nce.
12219 					 */
12220 					mutex_exit(&nce->nce_lock);
12221 					break;
12222 				default:
12223 					ASSERT(0);
12224 				}
12225 			}
12226 
12227 			if (multirt_send) {
12228 				ASSERT(ire1 != NULL);
12229 				/*
12230 				 * Proceed with the next RTF_MULTIRT ire,
12231 				 * Also set up the send-to queue accordingly.
12232 				 */
12233 				if (ire != save_ire) {
12234 					ire_refrele(ire);
12235 				}
12236 				ire = ire1;
12237 				ire1 = NULL;
12238 				stq = ire->ire_stq;
12239 				nce = ire->ire_nce;
12240 				ill = ire_to_ill(ire);
12241 				mp = next_mp;
12242 				next_mp = NULL;
12243 			}
12244 		} while (multirt_send);
12245 		/*
12246 		 * In the multirouting case, release the last ire used for
12247 		 * emission. save_ire will be released by the caller.
12248 		 */
12249 		if (ire != save_ire) {
12250 			ire_refrele(ire);
12251 		}
12252 	} else {
12253 		/*
12254 		 * Can't apply backpressure, just discard the packet.
12255 		 */
12256 		BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
12257 		freemsg(mp);
12258 		return;
12259 	}
12260 }
12261 
12262 /*
12263  * pr_addr_dbg function provides the needed buffer space to call
12264  * inet_ntop() function's 3rd argument. This function should be
12265  * used by any kernel routine which wants to save INET6_ADDRSTRLEN
12266  * stack buffer space in it's own stack frame. This function uses
12267  * a buffer from it's own stack and prints the information.
12268  * Example: pr_addr_dbg("func: no route for %s\n ", AF_INET, addr)
12269  *
12270  * Note:    This function can call inet_ntop() once.
12271  */
12272 void
12273 pr_addr_dbg(char *fmt1, int af, const void *addr)
12274 {
12275 	char	buf[INET6_ADDRSTRLEN];
12276 
12277 	if (fmt1 == NULL) {
12278 		ip0dbg(("pr_addr_dbg: Wrong arguments\n"));
12279 		return;
12280 	}
12281 
12282 	/*
12283 	 * This does not compare debug level and just prints
12284 	 * out. Thus it is the responsibility of the caller
12285 	 * to check the appropriate debug-level before calling
12286 	 * this function.
12287 	 */
12288 	if (ip_debug > 0) {
12289 		printf(fmt1, inet_ntop(af, addr, buf, sizeof (buf)));
12290 	}
12291 
12292 
12293 }
12294 
12295 
12296 /*
12297  * Return the length in bytes of the IPv6 headers (base header, ip6i_t
12298  * if needed and extension headers) that will be needed based on the
12299  * ip6_pkt_t structure passed by the caller.
12300  *
12301  * The returned length does not include the length of the upper level
12302  * protocol (ULP) header.
12303  */
12304 int
12305 ip_total_hdrs_len_v6(ip6_pkt_t *ipp)
12306 {
12307 	int len;
12308 
12309 	len = IPV6_HDR_LEN;
12310 	if (ipp->ipp_fields & IPPF_HAS_IP6I)
12311 		len += sizeof (ip6i_t);
12312 	if (ipp->ipp_fields & IPPF_HOPOPTS) {
12313 		ASSERT(ipp->ipp_hopoptslen != 0);
12314 		len += ipp->ipp_hopoptslen;
12315 	}
12316 	if (ipp->ipp_fields & IPPF_RTHDR) {
12317 		ASSERT(ipp->ipp_rthdrlen != 0);
12318 		len += ipp->ipp_rthdrlen;
12319 	}
12320 	/*
12321 	 * En-route destination options
12322 	 * Only do them if there's a routing header as well
12323 	 */
12324 	if ((ipp->ipp_fields & (IPPF_RTDSTOPTS|IPPF_RTHDR)) ==
12325 	    (IPPF_RTDSTOPTS|IPPF_RTHDR)) {
12326 		ASSERT(ipp->ipp_rtdstoptslen != 0);
12327 		len += ipp->ipp_rtdstoptslen;
12328 	}
12329 	if (ipp->ipp_fields & IPPF_DSTOPTS) {
12330 		ASSERT(ipp->ipp_dstoptslen != 0);
12331 		len += ipp->ipp_dstoptslen;
12332 	}
12333 	return (len);
12334 }
12335 
12336 /*
12337  * All-purpose routine to build a header chain of an IPv6 header
12338  * followed by any required extension headers and a proto header,
12339  * preceeded (where necessary) by an ip6i_t private header.
12340  *
12341  * The fields of the IPv6 header that are derived from the ip6_pkt_t
12342  * will be filled in appropriately.
12343  * Thus the caller must fill in the rest of the IPv6 header, such as
12344  * traffic class/flowid, source address (if not set here), hoplimit (if not
12345  * set here) and destination address.
12346  *
12347  * The extension headers and ip6i_t header will all be fully filled in.
12348  */
12349 void
12350 ip_build_hdrs_v6(uchar_t *ext_hdrs, uint_t ext_hdrs_len,
12351     ip6_pkt_t *ipp, uint8_t protocol)
12352 {
12353 	uint8_t *nxthdr_ptr;
12354 	uint8_t *cp;
12355 	ip6i_t	*ip6i;
12356 	ip6_t	*ip6h = (ip6_t *)ext_hdrs;
12357 
12358 	/*
12359 	 * If sending private ip6i_t header down (checksum info, nexthop,
12360 	 * or ifindex), adjust ip header pointer and set ip6i_t header pointer,
12361 	 * then fill it in. (The checksum info will be filled in by icmp).
12362 	 */
12363 	if (ipp->ipp_fields & IPPF_HAS_IP6I) {
12364 		ip6i = (ip6i_t *)ip6h;
12365 		ip6h = (ip6_t *)&ip6i[1];
12366 
12367 		ip6i->ip6i_flags = 0;
12368 		ip6i->ip6i_vcf = IPV6_DEFAULT_VERS_AND_FLOW;
12369 		if (ipp->ipp_fields & IPPF_IFINDEX ||
12370 		    ipp->ipp_fields & IPPF_SCOPE_ID) {
12371 			ASSERT(ipp->ipp_ifindex != 0);
12372 			ip6i->ip6i_flags |= IP6I_IFINDEX;
12373 			ip6i->ip6i_ifindex = ipp->ipp_ifindex;
12374 		}
12375 		if (ipp->ipp_fields & IPPF_ADDR) {
12376 			/*
12377 			 * Enable per-packet source address verification if
12378 			 * IPV6_PKTINFO specified the source address.
12379 			 * ip6_src is set in the transport's _wput function.
12380 			 */
12381 			ASSERT(!IN6_IS_ADDR_UNSPECIFIED(
12382 			    &ipp->ipp_addr));
12383 			ip6i->ip6i_flags |= IP6I_VERIFY_SRC;
12384 		}
12385 		if (ipp->ipp_fields & IPPF_UNICAST_HOPS) {
12386 			ip6h->ip6_hops = ipp->ipp_unicast_hops;
12387 			/*
12388 			 * We need to set this flag so that IP doesn't
12389 			 * rewrite the IPv6 header's hoplimit with the
12390 			 * current default value.
12391 			 */
12392 			ip6i->ip6i_flags |= IP6I_HOPLIMIT;
12393 		}
12394 		if (ipp->ipp_fields & IPPF_NEXTHOP) {
12395 			ASSERT(!IN6_IS_ADDR_UNSPECIFIED(
12396 			    &ipp->ipp_nexthop));
12397 			ip6i->ip6i_flags |= IP6I_NEXTHOP;
12398 			ip6i->ip6i_nexthop = ipp->ipp_nexthop;
12399 		}
12400 		/*
12401 		 * tell IP this is an ip6i_t private header
12402 		 */
12403 		ip6i->ip6i_nxt = IPPROTO_RAW;
12404 	}
12405 	/* Initialize IPv6 header */
12406 	ip6h->ip6_vcf = IPV6_DEFAULT_VERS_AND_FLOW;
12407 	if (ipp->ipp_fields & IPPF_TCLASS) {
12408 		ip6h->ip6_vcf = (ip6h->ip6_vcf & ~IPV6_FLOWINFO_TCLASS) |
12409 		    (ipp->ipp_tclass << 20);
12410 	}
12411 	if (ipp->ipp_fields & IPPF_ADDR)
12412 		ip6h->ip6_src = ipp->ipp_addr;
12413 
12414 	nxthdr_ptr = (uint8_t *)&ip6h->ip6_nxt;
12415 	cp = (uint8_t *)&ip6h[1];
12416 	/*
12417 	 * Here's where we have to start stringing together
12418 	 * any extension headers in the right order:
12419 	 * Hop-by-hop, destination, routing, and final destination opts.
12420 	 */
12421 	if (ipp->ipp_fields & IPPF_HOPOPTS) {
12422 		/* Hop-by-hop options */
12423 		ip6_hbh_t *hbh = (ip6_hbh_t *)cp;
12424 
12425 		*nxthdr_ptr = IPPROTO_HOPOPTS;
12426 		nxthdr_ptr = &hbh->ip6h_nxt;
12427 
12428 		bcopy(ipp->ipp_hopopts, cp, ipp->ipp_hopoptslen);
12429 		cp += ipp->ipp_hopoptslen;
12430 	}
12431 	/*
12432 	 * En-route destination options
12433 	 * Only do them if there's a routing header as well
12434 	 */
12435 	if ((ipp->ipp_fields & (IPPF_RTDSTOPTS|IPPF_RTHDR)) ==
12436 	    (IPPF_RTDSTOPTS|IPPF_RTHDR)) {
12437 		ip6_dest_t *dst = (ip6_dest_t *)cp;
12438 
12439 		*nxthdr_ptr = IPPROTO_DSTOPTS;
12440 		nxthdr_ptr = &dst->ip6d_nxt;
12441 
12442 		bcopy(ipp->ipp_rtdstopts, cp, ipp->ipp_rtdstoptslen);
12443 		cp += ipp->ipp_rtdstoptslen;
12444 	}
12445 	/*
12446 	 * Routing header next
12447 	 */
12448 	if (ipp->ipp_fields & IPPF_RTHDR) {
12449 		ip6_rthdr_t *rt = (ip6_rthdr_t *)cp;
12450 
12451 		*nxthdr_ptr = IPPROTO_ROUTING;
12452 		nxthdr_ptr = &rt->ip6r_nxt;
12453 
12454 		bcopy(ipp->ipp_rthdr, cp, ipp->ipp_rthdrlen);
12455 		cp += ipp->ipp_rthdrlen;
12456 	}
12457 	/*
12458 	 * Do ultimate destination options
12459 	 */
12460 	if (ipp->ipp_fields & IPPF_DSTOPTS) {
12461 		ip6_dest_t *dest = (ip6_dest_t *)cp;
12462 
12463 		*nxthdr_ptr = IPPROTO_DSTOPTS;
12464 		nxthdr_ptr = &dest->ip6d_nxt;
12465 
12466 		bcopy(ipp->ipp_dstopts, cp, ipp->ipp_dstoptslen);
12467 		cp += ipp->ipp_dstoptslen;
12468 	}
12469 	/*
12470 	 * Now set the last header pointer to the proto passed in
12471 	 */
12472 	*nxthdr_ptr = protocol;
12473 	ASSERT((int)(cp - ext_hdrs) == ext_hdrs_len);
12474 }
12475 
12476 /*
12477  * Return a pointer to the routing header extension header
12478  * in the IPv6 header(s) chain passed in.
12479  * If none found, return NULL
12480  * Assumes that all extension headers are in same mblk as the v6 header
12481  */
12482 ip6_rthdr_t *
12483 ip_find_rthdr_v6(ip6_t *ip6h, uint8_t *endptr)
12484 {
12485 	ip6_dest_t	*desthdr;
12486 	ip6_frag_t	*fraghdr;
12487 	uint_t		hdrlen;
12488 	uint8_t		nexthdr;
12489 	uint8_t		*ptr = (uint8_t *)&ip6h[1];
12490 
12491 	if (ip6h->ip6_nxt == IPPROTO_ROUTING)
12492 		return ((ip6_rthdr_t *)ptr);
12493 
12494 	/*
12495 	 * The routing header will precede all extension headers
12496 	 * other than the hop-by-hop and destination options
12497 	 * extension headers, so if we see anything other than those,
12498 	 * we're done and didn't find it.
12499 	 * We could see a destination options header alone but no
12500 	 * routing header, in which case we'll return NULL as soon as
12501 	 * we see anything after that.
12502 	 * Hop-by-hop and destination option headers are identical,
12503 	 * so we can use either one we want as a template.
12504 	 */
12505 	nexthdr = ip6h->ip6_nxt;
12506 	while (ptr < endptr) {
12507 		/* Is there enough left for len + nexthdr? */
12508 		if (ptr + MIN_EHDR_LEN > endptr)
12509 			return (NULL);
12510 
12511 		switch (nexthdr) {
12512 		case IPPROTO_HOPOPTS:
12513 		case IPPROTO_DSTOPTS:
12514 			/* Assumes the headers are identical for hbh and dst */
12515 			desthdr = (ip6_dest_t *)ptr;
12516 			hdrlen = 8 * (desthdr->ip6d_len + 1);
12517 			nexthdr = desthdr->ip6d_nxt;
12518 			break;
12519 
12520 		case IPPROTO_ROUTING:
12521 			return ((ip6_rthdr_t *)ptr);
12522 
12523 		case IPPROTO_FRAGMENT:
12524 			fraghdr = (ip6_frag_t *)ptr;
12525 			hdrlen = sizeof (ip6_frag_t);
12526 			nexthdr = fraghdr->ip6f_nxt;
12527 			break;
12528 
12529 		default:
12530 			return (NULL);
12531 		}
12532 		ptr += hdrlen;
12533 	}
12534 	return (NULL);
12535 }
12536 
12537 /*
12538  * Called for source-routed packets originating on this node.
12539  * Manipulates the original routing header by moving every entry up
12540  * one slot, placing the first entry in the v6 header's v6_dst field,
12541  * and placing the ultimate destination in the routing header's last
12542  * slot.
12543  *
12544  * Returns the checksum diference between the ultimate destination
12545  * (last hop in the routing header when the packet is sent) and
12546  * the first hop (ip6_dst when the packet is sent)
12547  */
12548 /* ARGSUSED2 */
12549 uint32_t
12550 ip_massage_options_v6(ip6_t *ip6h, ip6_rthdr_t *rth, netstack_t *ns)
12551 {
12552 	uint_t		numaddr;
12553 	uint_t		i;
12554 	in6_addr_t	*addrptr;
12555 	in6_addr_t	tmp;
12556 	ip6_rthdr0_t	*rthdr = (ip6_rthdr0_t *)rth;
12557 	uint32_t	cksm;
12558 	uint32_t	addrsum = 0;
12559 	uint16_t	*ptr;
12560 
12561 	/*
12562 	 * Perform any processing needed for source routing.
12563 	 * We know that all extension headers will be in the same mblk
12564 	 * as the IPv6 header.
12565 	 */
12566 
12567 	/*
12568 	 * If no segments left in header, or the header length field is zero,
12569 	 * don't move hop addresses around;
12570 	 * Checksum difference is zero.
12571 	 */
12572 	if ((rthdr->ip6r0_segleft == 0) || (rthdr->ip6r0_len == 0))
12573 		return (0);
12574 
12575 	ptr = (uint16_t *)&ip6h->ip6_dst;
12576 	cksm = 0;
12577 	for (i = 0; i < (sizeof (in6_addr_t) / sizeof (uint16_t)); i++) {
12578 		cksm += ptr[i];
12579 	}
12580 	cksm = (cksm & 0xFFFF) + (cksm >> 16);
12581 
12582 	/*
12583 	 * Here's where the fun begins - we have to
12584 	 * move all addresses up one spot, take the
12585 	 * first hop and make it our first ip6_dst,
12586 	 * and place the ultimate destination in the
12587 	 * newly-opened last slot.
12588 	 */
12589 	addrptr = (in6_addr_t *)((char *)rthdr + sizeof (*rthdr));
12590 	numaddr = rthdr->ip6r0_len / 2;
12591 	tmp = *addrptr;
12592 	for (i = 0; i < (numaddr - 1); addrptr++, i++) {
12593 		*addrptr = addrptr[1];
12594 	}
12595 	*addrptr = ip6h->ip6_dst;
12596 	ip6h->ip6_dst = tmp;
12597 
12598 	/*
12599 	 * From the checksummed ultimate destination subtract the checksummed
12600 	 * current ip6_dst (the first hop address). Return that number.
12601 	 * (In the v4 case, the second part of this is done in each routine
12602 	 *  that calls ip_massage_options(). We do it all in this one place
12603 	 *  for v6).
12604 	 */
12605 	ptr = (uint16_t *)&ip6h->ip6_dst;
12606 	for (i = 0; i < (sizeof (in6_addr_t) / sizeof (uint16_t)); i++) {
12607 		addrsum += ptr[i];
12608 	}
12609 	cksm -= ((addrsum >> 16) + (addrsum & 0xFFFF));
12610 	if ((int)cksm < 0)
12611 		cksm--;
12612 	cksm = (cksm & 0xFFFF) + (cksm >> 16);
12613 
12614 	return (cksm);
12615 }
12616 
12617 /*
12618  * Propagate a multicast group membership operation (join/leave) (*fn) on
12619  * all interfaces crossed by the related multirt routes.
12620  * The call is considered successful if the operation succeeds
12621  * on at least one interface.
12622  * The function is called if the destination address in the packet to send
12623  * is multirouted.
12624  */
12625 int
12626 ip_multirt_apply_membership_v6(int (*fn)(conn_t *, boolean_t,
12627     const in6_addr_t *, int, mcast_record_t, const in6_addr_t *, mblk_t *),
12628     ire_t *ire, conn_t *connp, boolean_t checkonly, const in6_addr_t *v6grp,
12629     mcast_record_t fmode, const in6_addr_t *v6src, mblk_t *first_mp)
12630 {
12631 	ire_t		*ire_gw;
12632 	irb_t		*irb;
12633 	int		index, error = 0;
12634 	opt_restart_t	*or;
12635 	ip_stack_t	*ipst = ire->ire_ipst;
12636 
12637 	irb = ire->ire_bucket;
12638 	ASSERT(irb != NULL);
12639 
12640 	ASSERT(DB_TYPE(first_mp) == M_CTL);
12641 	or = (opt_restart_t *)first_mp->b_rptr;
12642 
12643 	IRB_REFHOLD(irb);
12644 	for (; ire != NULL; ire = ire->ire_next) {
12645 		if ((ire->ire_flags & RTF_MULTIRT) == 0)
12646 			continue;
12647 		if (!IN6_ARE_ADDR_EQUAL(&ire->ire_addr_v6, v6grp))
12648 			continue;
12649 
12650 		ire_gw = ire_ftable_lookup_v6(&ire->ire_gateway_addr_v6, 0, 0,
12651 		    IRE_INTERFACE, NULL, NULL, ALL_ZONES, 0, NULL,
12652 		    MATCH_IRE_RECURSIVE | MATCH_IRE_TYPE, ipst);
12653 		/* No resolver exists for the gateway; skip this ire. */
12654 		if (ire_gw == NULL)
12655 			continue;
12656 		index = ire_gw->ire_ipif->ipif_ill->ill_phyint->phyint_ifindex;
12657 		/*
12658 		 * A resolver exists: we can get the interface on which we have
12659 		 * to apply the operation.
12660 		 */
12661 		error = fn(connp, checkonly, v6grp, index, fmode, v6src,
12662 		    first_mp);
12663 		if (error == 0)
12664 			or->or_private = CGTP_MCAST_SUCCESS;
12665 
12666 		if (ip_debug > 0) {
12667 			ulong_t	off;
12668 			char	*ksym;
12669 
12670 			ksym = kobj_getsymname((uintptr_t)fn, &off);
12671 			ip2dbg(("ip_multirt_apply_membership_v6: "
12672 			    "called %s, multirt group 0x%08x via itf 0x%08x, "
12673 			    "error %d [success %u]\n",
12674 			    ksym ? ksym : "?",
12675 			    ntohl(V4_PART_OF_V6((*v6grp))),
12676 			    ntohl(V4_PART_OF_V6(ire_gw->ire_src_addr_v6)),
12677 			    error, or->or_private));
12678 		}
12679 
12680 		ire_refrele(ire_gw);
12681 		if (error == EINPROGRESS) {
12682 			IRB_REFRELE(irb);
12683 			return (error);
12684 		}
12685 	}
12686 	IRB_REFRELE(irb);
12687 	/*
12688 	 * Consider the call as successful if we succeeded on at least
12689 	 * one interface. Otherwise, return the last encountered error.
12690 	 */
12691 	return (or->or_private == CGTP_MCAST_SUCCESS ? 0 : error);
12692 }
12693 
12694 void
12695 *ip6_kstat_init(netstackid_t stackid, ip6_stat_t *ip6_statisticsp)
12696 {
12697 	kstat_t *ksp;
12698 
12699 	ip6_stat_t template = {
12700 		{ "ip6_udp_fast_path", 	KSTAT_DATA_UINT64 },
12701 		{ "ip6_udp_slow_path", 	KSTAT_DATA_UINT64 },
12702 		{ "ip6_udp_fannorm", 	KSTAT_DATA_UINT64 },
12703 		{ "ip6_udp_fanmb", 	KSTAT_DATA_UINT64 },
12704 		{ "ip6_out_sw_cksum",			KSTAT_DATA_UINT64 },
12705 		{ "ip6_in_sw_cksum",			KSTAT_DATA_UINT64 },
12706 		{ "ip6_tcp_in_full_hw_cksum_err",	KSTAT_DATA_UINT64 },
12707 		{ "ip6_tcp_in_part_hw_cksum_err",	KSTAT_DATA_UINT64 },
12708 		{ "ip6_tcp_in_sw_cksum_err",		KSTAT_DATA_UINT64 },
12709 		{ "ip6_tcp_out_sw_cksum_bytes",		KSTAT_DATA_UINT64 },
12710 		{ "ip6_udp_in_full_hw_cksum_err",	KSTAT_DATA_UINT64 },
12711 		{ "ip6_udp_in_part_hw_cksum_err",	KSTAT_DATA_UINT64 },
12712 		{ "ip6_udp_in_sw_cksum_err",		KSTAT_DATA_UINT64 },
12713 		{ "ip6_udp_out_sw_cksum_bytes",		KSTAT_DATA_UINT64 },
12714 		{ "ip6_frag_mdt_pkt_out",		KSTAT_DATA_UINT64 },
12715 		{ "ip6_frag_mdt_discarded",		KSTAT_DATA_UINT64 },
12716 		{ "ip6_frag_mdt_allocfail",		KSTAT_DATA_UINT64 },
12717 		{ "ip6_frag_mdt_addpdescfail",		KSTAT_DATA_UINT64 },
12718 		{ "ip6_frag_mdt_allocd",		KSTAT_DATA_UINT64 },
12719 	};
12720 	ksp = kstat_create_netstack("ip", 0, "ip6stat", "net",
12721 	    KSTAT_TYPE_NAMED, sizeof (template) / sizeof (kstat_named_t),
12722 	    KSTAT_FLAG_VIRTUAL, stackid);
12723 
12724 	if (ksp == NULL)
12725 		return (NULL);
12726 
12727 	bcopy(&template, ip6_statisticsp, sizeof (template));
12728 	ksp->ks_data = (void *)ip6_statisticsp;
12729 	ksp->ks_private = (void *)(uintptr_t)stackid;
12730 
12731 	kstat_install(ksp);
12732 	return (ksp);
12733 }
12734 
12735 void
12736 ip6_kstat_fini(netstackid_t stackid, kstat_t *ksp)
12737 {
12738 	if (ksp != NULL) {
12739 		ASSERT(stackid == (netstackid_t)(uintptr_t)ksp->ks_private);
12740 		kstat_delete_netstack(ksp, stackid);
12741 	}
12742 }
12743 
12744 /*
12745  * The following two functions set and get the value for the
12746  * IPV6_SRC_PREFERENCES socket option.
12747  */
12748 int
12749 ip6_set_src_preferences(conn_t *connp, uint32_t prefs)
12750 {
12751 	/*
12752 	 * We only support preferences that are covered by
12753 	 * IPV6_PREFER_SRC_MASK.
12754 	 */
12755 	if (prefs & ~IPV6_PREFER_SRC_MASK)
12756 		return (EINVAL);
12757 
12758 	/*
12759 	 * Look for conflicting preferences or default preferences.  If
12760 	 * both bits of a related pair are clear, the application wants the
12761 	 * system's default value for that pair.  Both bits in a pair can't
12762 	 * be set.
12763 	 */
12764 	if ((prefs & IPV6_PREFER_SRC_MIPMASK) == 0) {
12765 		prefs |= IPV6_PREFER_SRC_MIPDEFAULT;
12766 	} else if ((prefs & IPV6_PREFER_SRC_MIPMASK) ==
12767 	    IPV6_PREFER_SRC_MIPMASK) {
12768 		return (EINVAL);
12769 	}
12770 	if ((prefs & IPV6_PREFER_SRC_TMPMASK) == 0) {
12771 		prefs |= IPV6_PREFER_SRC_TMPDEFAULT;
12772 	} else if ((prefs & IPV6_PREFER_SRC_TMPMASK) ==
12773 	    IPV6_PREFER_SRC_TMPMASK) {
12774 		return (EINVAL);
12775 	}
12776 	if ((prefs & IPV6_PREFER_SRC_CGAMASK) == 0) {
12777 		prefs |= IPV6_PREFER_SRC_CGADEFAULT;
12778 	} else if ((prefs & IPV6_PREFER_SRC_CGAMASK) ==
12779 	    IPV6_PREFER_SRC_CGAMASK) {
12780 		return (EINVAL);
12781 	}
12782 
12783 	connp->conn_src_preferences = prefs;
12784 	return (0);
12785 }
12786 
12787 size_t
12788 ip6_get_src_preferences(conn_t *connp, uint32_t *val)
12789 {
12790 	*val = connp->conn_src_preferences;
12791 	return (sizeof (connp->conn_src_preferences));
12792 }
12793 
12794 int
12795 ip6_set_pktinfo(cred_t *cr, conn_t *connp, struct in6_pktinfo *pkti)
12796 {
12797 	ire_t	*ire;
12798 	ip_stack_t	*ipst = connp->conn_netstack->netstack_ip;
12799 
12800 	/*
12801 	 * Verify the source address and ifindex. Privileged users can use
12802 	 * any source address.  For ancillary data the source address is
12803 	 * checked in ip_wput_v6.
12804 	 */
12805 	if (pkti->ipi6_ifindex != 0) {
12806 		rw_enter(&ipst->ips_ill_g_lock, RW_READER);
12807 		if (!phyint_exists(pkti->ipi6_ifindex, ipst)) {
12808 			rw_exit(&ipst->ips_ill_g_lock);
12809 			return (ENXIO);
12810 		}
12811 		rw_exit(&ipst->ips_ill_g_lock);
12812 	}
12813 	if (!IN6_IS_ADDR_UNSPECIFIED(&pkti->ipi6_addr) &&
12814 	    secpolicy_net_rawaccess(cr) != 0) {
12815 		ire = ire_route_lookup_v6(&pkti->ipi6_addr, 0, 0,
12816 		    (IRE_LOCAL|IRE_LOOPBACK), NULL, NULL,
12817 		    connp->conn_zoneid, NULL, MATCH_IRE_TYPE, ipst);
12818 		if (ire != NULL)
12819 			ire_refrele(ire);
12820 		else
12821 			return (ENXIO);
12822 	}
12823 	return (0);
12824 }
12825 
12826 /*
12827  * Get the size of the IP options (including the IP headers size)
12828  * without including the AH header's size. If till_ah is B_FALSE,
12829  * and if AH header is present, dest options beyond AH header will
12830  * also be included in the returned size.
12831  */
12832 int
12833 ipsec_ah_get_hdr_size_v6(mblk_t *mp, boolean_t till_ah)
12834 {
12835 	ip6_t *ip6h;
12836 	uint8_t nexthdr;
12837 	uint8_t *whereptr;
12838 	ip6_hbh_t *hbhhdr;
12839 	ip6_dest_t *dsthdr;
12840 	ip6_rthdr_t *rthdr;
12841 	int ehdrlen;
12842 	int size;
12843 	ah_t *ah;
12844 
12845 	ip6h = (ip6_t *)mp->b_rptr;
12846 	size = IPV6_HDR_LEN;
12847 	nexthdr = ip6h->ip6_nxt;
12848 	whereptr = (uint8_t *)&ip6h[1];
12849 	for (;;) {
12850 		/* Assume IP has already stripped it */
12851 		ASSERT(nexthdr != IPPROTO_FRAGMENT && nexthdr != IPPROTO_RAW);
12852 		switch (nexthdr) {
12853 		case IPPROTO_HOPOPTS:
12854 			hbhhdr = (ip6_hbh_t *)whereptr;
12855 			nexthdr = hbhhdr->ip6h_nxt;
12856 			ehdrlen = 8 * (hbhhdr->ip6h_len + 1);
12857 			break;
12858 		case IPPROTO_DSTOPTS:
12859 			dsthdr = (ip6_dest_t *)whereptr;
12860 			nexthdr = dsthdr->ip6d_nxt;
12861 			ehdrlen = 8 * (dsthdr->ip6d_len + 1);
12862 			break;
12863 		case IPPROTO_ROUTING:
12864 			rthdr = (ip6_rthdr_t *)whereptr;
12865 			nexthdr = rthdr->ip6r_nxt;
12866 			ehdrlen = 8 * (rthdr->ip6r_len + 1);
12867 			break;
12868 		default :
12869 			if (till_ah) {
12870 				ASSERT(nexthdr == IPPROTO_AH);
12871 				return (size);
12872 			}
12873 			/*
12874 			 * If we don't have a AH header to traverse,
12875 			 * return now. This happens normally for
12876 			 * outbound datagrams where we have not inserted
12877 			 * the AH header.
12878 			 */
12879 			if (nexthdr != IPPROTO_AH) {
12880 				return (size);
12881 			}
12882 
12883 			/*
12884 			 * We don't include the AH header's size
12885 			 * to be symmetrical with other cases where
12886 			 * we either don't have a AH header (outbound)
12887 			 * or peek into the AH header yet (inbound and
12888 			 * not pulled up yet).
12889 			 */
12890 			ah = (ah_t *)whereptr;
12891 			nexthdr = ah->ah_nexthdr;
12892 			ehdrlen = (ah->ah_length << 2) + 8;
12893 
12894 			if (nexthdr == IPPROTO_DSTOPTS) {
12895 				if (whereptr + ehdrlen >= mp->b_wptr) {
12896 					/*
12897 					 * The destination options header
12898 					 * is not part of the first mblk.
12899 					 */
12900 					whereptr = mp->b_cont->b_rptr;
12901 				} else {
12902 					whereptr += ehdrlen;
12903 				}
12904 
12905 				dsthdr = (ip6_dest_t *)whereptr;
12906 				ehdrlen = 8 * (dsthdr->ip6d_len + 1);
12907 				size += ehdrlen;
12908 			}
12909 			return (size);
12910 		}
12911 		whereptr += ehdrlen;
12912 		size += ehdrlen;
12913 	}
12914 }
12915 
12916 /*
12917  * Utility routine that checks if `v6srcp' is a valid address on underlying
12918  * interface `ill'.  If `ipifp' is non-NULL, it's set to a held ipif
12919  * associated with `v6srcp' on success.  NOTE: if this is not called from
12920  * inside the IPSQ (ill_g_lock is not held), `ill' may be removed from the
12921  * group during or after this lookup.
12922  */
12923 static boolean_t
12924 ipif_lookup_testaddr_v6(ill_t *ill, const in6_addr_t *v6srcp, ipif_t **ipifp)
12925 {
12926 	ipif_t *ipif;
12927 
12928 	ipif = ipif_lookup_addr_exact_v6(v6srcp, ill, ill->ill_ipst);
12929 	if (ipif != NULL) {
12930 		if (ipifp != NULL)
12931 			*ipifp = ipif;
12932 		else
12933 			ipif_refrele(ipif);
12934 		return (B_TRUE);
12935 	}
12936 
12937 	if (ip_debug > 2) {
12938 		pr_addr_dbg("ipif_lookup_testaddr_v6: cannot find ipif for "
12939 		    "src %s\n", AF_INET6, v6srcp);
12940 	}
12941 	return (B_FALSE);
12942 }
12943