xref: /illumos-gate/usr/src/uts/common/io/mac/mac_protect.c (revision d9c5840bd764434fd93f85a52eb4cbc24bff03da)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
24  */
25 /*
26  * Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
27  */
28 
29 #include <sys/strsun.h>
30 #include <sys/sdt.h>
31 #include <sys/mac.h>
32 #include <sys/mac_impl.h>
33 #include <sys/mac_client_impl.h>
34 #include <sys/mac_client_priv.h>
35 #include <sys/ethernet.h>
36 #include <sys/vlan.h>
37 #include <sys/dlpi.h>
38 #include <sys/avl.h>
39 #include <inet/ip.h>
40 #include <inet/ip6.h>
41 #include <inet/arp.h>
42 #include <netinet/arp.h>
43 #include <netinet/udp.h>
44 #include <netinet/dhcp.h>
45 #include <netinet/dhcp6.h>
46 
47 /*
48  * Implementation overview for DHCP address detection
49  *
50  * The purpose of DHCP address detection is to relieve the user of having to
51  * manually configure static IP addresses when ip-nospoof protection is turned
52  * on. To achieve this, the mac layer needs to intercept DHCP packets to
53  * determine the assigned IP addresses.
54  *
55  * A DHCP handshake between client and server typically requires at least
56  * 4 messages:
57  *
58  * 1. DISCOVER - client attempts to locate DHCP servers via a
59  *               broadcast message to its subnet.
60  * 2. OFFER    - server responds to client with an IP address and
61  *               other parameters.
62  * 3. REQUEST  - client requests the offered address.
63  * 4. ACK      - server verifies that the requested address matches
64  *               the one it offered.
65  *
66  * DHCPv6 behaves pretty much the same way aside from different message names.
67  *
68  * Address information is embedded in either the OFFER or REQUEST message.
69  * We chose to intercept REQUEST because this is at the last part of the
70  * handshake and it indicates that the client intends to keep the address.
71  * Intercepting OFFERs is unreliable because the client may receive multiple
72  * offers from different servers, and we can't tell which address the client
73  * will keep.
74  *
75  * Each DHCP message has a transaction ID. We use this transaction ID to match
76  * REQUESTs with ACKs received from servers.
77  *
78  * For IPv4, the process to acquire a DHCP-assigned address is as follows:
79  *
80  * 1. Client sends REQUEST. a new dhcpv4_txn_t object is created and inserted
81  *    in the the mci_v4_pending_txn table (keyed by xid). This object represents
82  *    a new transaction. It contains the xid, the client ID and requested IP
83  *    address.
84  *
85  * 2. Server responds with an ACK. The xid from this ACK is used to lookup the
86  *    pending transaction from the mci_v4_pending_txn table. Once the object is
87  *    found, it is removed from the pending table and inserted into the
88  *    completed table (mci_v4_completed_txn, keyed by client ID) and the dynamic
89  *    IP table (mci_v4_dyn_ip, keyed by IP address).
90  *
91  * 3. An outgoing packet that goes through the ip-nospoof path will be checked
92  *    against the dynamic IP table. Packets that have the assigned DHCP address
93  *    as the source IP address will pass the check and be admitted onto the
94  *    network.
95  *
96  * IPv4 notes:
97  *
98  * If the server never responds with an ACK, there is a timer that is set after
99  * the insertion of the transaction into the pending table. When the timer
100  * fires, it will check whether the transaction is old (by comparing current
101  * time and the txn's timestamp), if so the transaction will be freed. along
102  * with this, any transaction in the completed/dyn-ip tables matching the client
103  * ID of this stale transaction will also be freed. If the client fails to
104  * extend a lease, we want to stop the client from using any IP addresses that
105  * were granted previously.
106  *
107  * A RELEASE message from the client will not cause a transaction to be created.
108  * The client ID in the RELEASE message will be used for finding and removing
109  * transactions in the completed and dyn-ip tables.
110  *
111  *
112  * For IPv6, the process to acquire a DHCPv6-assigned address is as follows:
113  *
114  * 1. Client sends REQUEST. The DUID is extracted and stored into a dhcpv6_cid_t
115  *    structure. A new transaction structure (dhcpv6_txn_t) is also created and
116  *    it will point to the dhcpv6_cid_t. If an existing transaction with a
117  *    matching xid is not found, this dhcpv6_txn_t will be inserted into the
118  *    mci_v6_pending_txn table (keyed by xid).
119  *
120  * 2. Server responds with a REPLY. If a pending transaction is found, the
121  *    addresses in the reply will be placed into the dhcpv6_cid_t pointed to by
122  *    the transaction. The dhcpv6_cid_t will then be moved to the mci_v6_cid
123  *    table (keyed by cid). The associated addresses will be added to the
124  *    mci_v6_dyn_ip table (while still being pointed to by the dhcpv6_cid_t).
125  *
126  * 3. IPv6 ip-nospoof will now check mci_v6_dyn_ip for matching packets.
127  *    Packets with a source address matching one of the DHCPv6-assigned
128  *    addresses will be allowed through.
129  *
130  * IPv6 notes:
131  *
132  * The v6 code shares the same timer as v4 for scrubbing stale transactions.
133  * Just like v4, as part of removing an expired transaction, a RELEASE will be
134  * be triggered on the cid associated with the expired transaction.
135  *
136  * The data structures used for v6 are slightly different because a v6 client
137  * may have multiple addresses associated with it.
138  */
139 
140 /*
141  * These are just arbitrary limits meant for preventing abuse (e.g. a user
142  * flooding the network with bogus transactions). They are not meant to be
143  * user-modifiable so they are not exposed as linkprops.
144  */
145 static ulong_t	dhcp_max_pending_txn = 512;
146 static ulong_t	dhcp_max_completed_txn = 512;
147 static hrtime_t	txn_cleanup_interval = 60 * NANOSEC;
148 
149 /*
150  * DHCPv4 transaction. It may be added to three different tables
151  * (keyed by different fields).
152  */
153 typedef struct dhcpv4_txn {
154 	uint32_t		dt_xid;
155 	hrtime_t		dt_timestamp;
156 	uint8_t			dt_cid[DHCP_MAX_OPT_SIZE];
157 	uint8_t			dt_cid_len;
158 	ipaddr_t		dt_ipaddr;
159 	avl_node_t		dt_node;
160 	avl_node_t		dt_ipnode;
161 	struct dhcpv4_txn	*dt_next;
162 } dhcpv4_txn_t;
163 
164 /*
165  * DHCPv6 address. May be added to mci_v6_dyn_ip.
166  * It is always pointed to by its parent dhcpv6_cid_t structure.
167  */
168 typedef struct dhcpv6_addr {
169 	in6_addr_t		da_addr;
170 	avl_node_t		da_node;
171 	struct dhcpv6_addr	*da_next;
172 } dhcpv6_addr_t;
173 
174 /*
175  * DHCPv6 client ID. May be added to mci_v6_cid.
176  * No dhcpv6_txn_t should be pointing to it after it is added to mci_v6_cid.
177  */
178 typedef struct dhcpv6_cid {
179 	uchar_t			*dc_cid;
180 	uint_t			dc_cid_len;
181 	dhcpv6_addr_t		*dc_addr;
182 	uint_t			dc_addrcnt;
183 	avl_node_t		dc_node;
184 } dhcpv6_cid_t;
185 
186 /*
187  * DHCPv6 transaction. Unlike its v4 counterpart, this object gets freed up
188  * as soon as the transaction completes or expires.
189  */
190 typedef struct dhcpv6_txn {
191 	uint32_t		dt_xid;
192 	hrtime_t		dt_timestamp;
193 	dhcpv6_cid_t		*dt_cid;
194 	avl_node_t		dt_node;
195 	struct dhcpv6_txn	*dt_next;
196 } dhcpv6_txn_t;
197 
198 static void	start_txn_cleanup_timer(mac_client_impl_t *);
199 static boolean_t allowed_ips_set(mac_resource_props_t *, uint32_t);
200 
201 #define	BUMP_STAT(m, s)	(m)->mci_misc_stat.mms_##s++
202 
203 /*
204  * Comparison functions for the 3 AVL trees used:
205  * mci_v4_pending_txn, mci_v4_completed_txn, mci_v4_dyn_ip
206  */
207 static int
208 compare_dhcpv4_xid(const void *arg1, const void *arg2)
209 {
210 	const dhcpv4_txn_t	*txn1 = arg1, *txn2 = arg2;
211 
212 	if (txn1->dt_xid < txn2->dt_xid)
213 		return (-1);
214 	else if (txn1->dt_xid > txn2->dt_xid)
215 		return (1);
216 	else
217 		return (0);
218 }
219 
220 static int
221 compare_dhcpv4_cid(const void *arg1, const void *arg2)
222 {
223 	const dhcpv4_txn_t	*txn1 = arg1, *txn2 = arg2;
224 	int			ret;
225 
226 	if (txn1->dt_cid_len < txn2->dt_cid_len)
227 		return (-1);
228 	else if (txn1->dt_cid_len > txn2->dt_cid_len)
229 		return (1);
230 
231 	if (txn1->dt_cid_len == 0)
232 		return (0);
233 
234 	ret = memcmp(txn1->dt_cid, txn2->dt_cid, txn1->dt_cid_len);
235 	if (ret < 0)
236 		return (-1);
237 	else if (ret > 0)
238 		return (1);
239 	else
240 		return (0);
241 }
242 
243 static int
244 compare_dhcpv4_ip(const void *arg1, const void *arg2)
245 {
246 	const dhcpv4_txn_t	*txn1 = arg1, *txn2 = arg2;
247 
248 	if (txn1->dt_ipaddr < txn2->dt_ipaddr)
249 		return (-1);
250 	else if (txn1->dt_ipaddr > txn2->dt_ipaddr)
251 		return (1);
252 	else
253 		return (0);
254 }
255 
256 /*
257  * Find the specified DHCPv4 option.
258  */
259 static int
260 get_dhcpv4_option(struct dhcp *dh4, uchar_t *end, uint8_t type,
261     uchar_t **opt, uint8_t *opt_len)
262 {
263 	uchar_t		*start = (uchar_t *)dh4->options;
264 	uint8_t		otype, olen;
265 
266 	while (start < end) {
267 		if (*start == CD_PAD) {
268 			start++;
269 			continue;
270 		}
271 		if (*start == CD_END)
272 			break;
273 
274 		otype = *start++;
275 		olen = *start++;
276 		if (otype == type && olen > 0) {
277 			*opt = start;
278 			*opt_len = olen;
279 			return (0);
280 		}
281 		start += olen;
282 	}
283 	return (ENOENT);
284 }
285 
286 /*
287  * Locate the start of a DHCPv4 header.
288  * The possible return values and associated meanings are:
289  * 0      - packet is DHCP and has a DHCP header.
290  * EINVAL - packet is not DHCP. the recommended action is to let it pass.
291  * ENOSPC - packet is a initial fragment that is DHCP or is unidentifiable.
292  *          the recommended action is to drop it.
293  */
294 static int
295 get_dhcpv4_info(ipha_t *ipha, uchar_t *end, struct dhcp **dh4)
296 {
297 	uint16_t	offset_and_flags, client, server;
298 	boolean_t	first_frag = B_FALSE;
299 	struct udphdr	*udph;
300 	uchar_t		*dh;
301 
302 	if (ipha->ipha_protocol != IPPROTO_UDP)
303 		return (EINVAL);
304 
305 	offset_and_flags = ntohs(ipha->ipha_fragment_offset_and_flags);
306 	if ((offset_and_flags & (IPH_MF | IPH_OFFSET)) != 0) {
307 		/*
308 		 * All non-initial fragments may pass because we cannot
309 		 * identify their type. It's safe to let them through
310 		 * because reassembly will fail if we decide to drop the
311 		 * initial fragment.
312 		 */
313 		if (((offset_and_flags << 3) & 0xffff) != 0)
314 			return (EINVAL);
315 		first_frag = B_TRUE;
316 	}
317 	/* drop packets without a udp header */
318 	udph = (struct udphdr *)((uchar_t *)ipha + IPH_HDR_LENGTH(ipha));
319 	if ((uchar_t *)&udph[1] > end)
320 		return (ENOSPC);
321 
322 	client = htons(IPPORT_BOOTPC);
323 	server = htons(IPPORT_BOOTPS);
324 	if (udph->uh_sport != client && udph->uh_sport != server &&
325 	    udph->uh_dport != client && udph->uh_dport != server)
326 		return (EINVAL);
327 
328 	/* drop dhcp fragments */
329 	if (first_frag)
330 		return (ENOSPC);
331 
332 	dh = (uchar_t *)&udph[1];
333 	if (dh + BASE_PKT_SIZE > end)
334 		return (EINVAL);
335 
336 	*dh4 = (struct dhcp *)dh;
337 	return (0);
338 }
339 
340 /*
341  * Wrappers for accesses to avl trees to improve readability.
342  * Their purposes are fairly self-explanatory.
343  */
344 static dhcpv4_txn_t *
345 find_dhcpv4_pending_txn(mac_client_impl_t *mcip, uint32_t xid)
346 {
347 	dhcpv4_txn_t	tmp_txn;
348 
349 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
350 	tmp_txn.dt_xid = xid;
351 	return (avl_find(&mcip->mci_v4_pending_txn, &tmp_txn, NULL));
352 }
353 
354 static int
355 insert_dhcpv4_pending_txn(mac_client_impl_t *mcip, dhcpv4_txn_t *txn)
356 {
357 	avl_index_t	where;
358 
359 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
360 	if (avl_find(&mcip->mci_v4_pending_txn, txn, &where) != NULL)
361 		return (EEXIST);
362 
363 	if (avl_numnodes(&mcip->mci_v4_pending_txn) >= dhcp_max_pending_txn) {
364 		BUMP_STAT(mcip, dhcpdropped);
365 		return (EAGAIN);
366 	}
367 	avl_insert(&mcip->mci_v4_pending_txn, txn, where);
368 	return (0);
369 }
370 
371 static void
372 remove_dhcpv4_pending_txn(mac_client_impl_t *mcip, dhcpv4_txn_t *txn)
373 {
374 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
375 	avl_remove(&mcip->mci_v4_pending_txn, txn);
376 }
377 
378 static dhcpv4_txn_t *
379 find_dhcpv4_completed_txn(mac_client_impl_t *mcip, uint8_t *cid,
380     uint8_t cid_len)
381 {
382 	dhcpv4_txn_t	tmp_txn;
383 
384 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
385 	if (cid_len > 0)
386 		bcopy(cid, tmp_txn.dt_cid, cid_len);
387 	tmp_txn.dt_cid_len = cid_len;
388 	return (avl_find(&mcip->mci_v4_completed_txn, &tmp_txn, NULL));
389 }
390 
391 /*
392  * After a pending txn is removed from the pending table, it is inserted
393  * into both the completed and dyn-ip tables. These two insertions are
394  * done together because a client ID must have 1:1 correspondence with
395  * an IP address and IP addresses must be unique in the dyn-ip table.
396  */
397 static int
398 insert_dhcpv4_completed_txn(mac_client_impl_t *mcip, dhcpv4_txn_t *txn)
399 {
400 	avl_index_t	where;
401 
402 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
403 	if (avl_find(&mcip->mci_v4_completed_txn, txn, &where) != NULL)
404 		return (EEXIST);
405 
406 	if (avl_numnodes(&mcip->mci_v4_completed_txn) >=
407 	    dhcp_max_completed_txn) {
408 		BUMP_STAT(mcip, dhcpdropped);
409 		return (EAGAIN);
410 	}
411 
412 	avl_insert(&mcip->mci_v4_completed_txn, txn, where);
413 	if (avl_find(&mcip->mci_v4_dyn_ip, txn, &where) != NULL) {
414 		avl_remove(&mcip->mci_v4_completed_txn, txn);
415 		return (EEXIST);
416 	}
417 	avl_insert(&mcip->mci_v4_dyn_ip, txn, where);
418 	return (0);
419 }
420 
421 static void
422 remove_dhcpv4_completed_txn(mac_client_impl_t *mcip, dhcpv4_txn_t *txn)
423 {
424 	dhcpv4_txn_t	*ctxn;
425 
426 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
427 	if ((ctxn = avl_find(&mcip->mci_v4_dyn_ip, txn, NULL)) != NULL &&
428 	    ctxn == txn)
429 		avl_remove(&mcip->mci_v4_dyn_ip, txn);
430 
431 	avl_remove(&mcip->mci_v4_completed_txn, txn);
432 }
433 
434 /*
435  * Check whether an IP address is in the dyn-ip table.
436  */
437 static boolean_t
438 check_dhcpv4_dyn_ip(mac_client_impl_t *mcip, ipaddr_t ipaddr)
439 {
440 	dhcpv4_txn_t	tmp_txn, *txn;
441 
442 	mutex_enter(&mcip->mci_protect_lock);
443 	tmp_txn.dt_ipaddr = ipaddr;
444 	txn = avl_find(&mcip->mci_v4_dyn_ip, &tmp_txn, NULL);
445 	mutex_exit(&mcip->mci_protect_lock);
446 	return (txn != NULL);
447 }
448 
449 /*
450  * Create/destroy a DHCPv4 transaction.
451  */
452 static dhcpv4_txn_t *
453 create_dhcpv4_txn(uint32_t xid, uint8_t *cid, uint8_t cid_len, ipaddr_t ipaddr)
454 {
455 	dhcpv4_txn_t	*txn;
456 
457 	if ((txn = kmem_zalloc(sizeof (*txn), KM_NOSLEEP)) == NULL)
458 		return (NULL);
459 
460 	txn->dt_xid = xid;
461 	txn->dt_timestamp = gethrtime();
462 	if (cid_len > 0)
463 		bcopy(cid, &txn->dt_cid, cid_len);
464 	txn->dt_cid_len = cid_len;
465 	txn->dt_ipaddr = ipaddr;
466 	return (txn);
467 }
468 
469 static void
470 free_dhcpv4_txn(dhcpv4_txn_t *txn)
471 {
472 	kmem_free(txn, sizeof (*txn));
473 }
474 
475 /*
476  * Clean up all v4 tables.
477  */
478 static void
479 flush_dhcpv4(mac_client_impl_t *mcip)
480 {
481 	void		*cookie = NULL;
482 	dhcpv4_txn_t	*txn;
483 
484 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
485 	while ((txn = avl_destroy_nodes(&mcip->mci_v4_dyn_ip,
486 	    &cookie)) != NULL) {
487 		/*
488 		 * No freeing needed here because the same txn exists
489 		 * in the mci_v4_completed_txn table as well.
490 		 */
491 	}
492 	cookie = NULL;
493 	while ((txn = avl_destroy_nodes(&mcip->mci_v4_completed_txn,
494 	    &cookie)) != NULL) {
495 		free_dhcpv4_txn(txn);
496 	}
497 	cookie = NULL;
498 	while ((txn = avl_destroy_nodes(&mcip->mci_v4_pending_txn,
499 	    &cookie)) != NULL) {
500 		free_dhcpv4_txn(txn);
501 	}
502 }
503 
504 /*
505  * Cleanup stale DHCPv4 transactions.
506  */
507 static void
508 txn_cleanup_v4(mac_client_impl_t *mcip)
509 {
510 	dhcpv4_txn_t		*txn, *ctxn, *next, *txn_list = NULL;
511 
512 	/*
513 	 * Find stale pending transactions and place them on a list
514 	 * to be removed.
515 	 */
516 	for (txn = avl_first(&mcip->mci_v4_pending_txn); txn != NULL;
517 	    txn = avl_walk(&mcip->mci_v4_pending_txn, txn, AVL_AFTER)) {
518 		if (gethrtime() - txn->dt_timestamp > txn_cleanup_interval) {
519 			DTRACE_PROBE2(found__expired__txn,
520 			    mac_client_impl_t *, mcip,
521 			    dhcpv4_txn_t *, txn);
522 
523 			txn->dt_next = txn_list;
524 			txn_list = txn;
525 		}
526 	}
527 
528 	/*
529 	 * Remove and free stale pending transactions and completed
530 	 * transactions with the same client IDs as the stale transactions.
531 	 */
532 	for (txn = txn_list; txn != NULL; txn = next) {
533 		avl_remove(&mcip->mci_v4_pending_txn, txn);
534 
535 		ctxn = find_dhcpv4_completed_txn(mcip, txn->dt_cid,
536 		    txn->dt_cid_len);
537 		if (ctxn != NULL) {
538 			DTRACE_PROBE2(removing__completed__txn,
539 			    mac_client_impl_t *, mcip,
540 			    dhcpv4_txn_t *, ctxn);
541 
542 			remove_dhcpv4_completed_txn(mcip, ctxn);
543 			free_dhcpv4_txn(ctxn);
544 		}
545 		next = txn->dt_next;
546 		txn->dt_next = NULL;
547 
548 		DTRACE_PROBE2(freeing__txn, mac_client_impl_t *, mcip,
549 		    dhcpv4_txn_t *, txn);
550 		free_dhcpv4_txn(txn);
551 	}
552 }
553 
554 /*
555  * Core logic for intercepting outbound DHCPv4 packets.
556  */
557 static boolean_t
558 intercept_dhcpv4_outbound(mac_client_impl_t *mcip, ipha_t *ipha, uchar_t *end)
559 {
560 	struct dhcp		*dh4;
561 	uchar_t			*opt;
562 	dhcpv4_txn_t		*txn, *ctxn;
563 	ipaddr_t		ipaddr;
564 	uint8_t			opt_len, mtype, cid[DHCP_MAX_OPT_SIZE], cid_len;
565 	mac_resource_props_t	*mrp = MCIP_RESOURCE_PROPS(mcip);
566 
567 	if (get_dhcpv4_info(ipha, end, &dh4) != 0)
568 		return (B_TRUE);
569 
570 	/* ip_nospoof/allowed-ips and DHCP are mutually exclusive by default */
571 	if (allowed_ips_set(mrp, IPV4_VERSION))
572 		return (B_FALSE);
573 
574 	if (get_dhcpv4_option(dh4, end, CD_DHCP_TYPE, &opt, &opt_len) != 0 ||
575 	    opt_len != 1) {
576 		DTRACE_PROBE2(mtype__not__found, mac_client_impl_t *, mcip,
577 		    struct dhcp *, dh4);
578 		return (B_TRUE);
579 	}
580 	mtype = *opt;
581 	if (mtype != REQUEST && mtype != RELEASE) {
582 		DTRACE_PROBE3(ignored__mtype, mac_client_impl_t *, mcip,
583 		    struct dhcp *, dh4, uint8_t, mtype);
584 		return (B_TRUE);
585 	}
586 
587 	/* client ID is optional for IPv4 */
588 	if (get_dhcpv4_option(dh4, end, CD_CLIENT_ID, &opt, &opt_len) == 0 &&
589 	    opt_len >= 2) {
590 		bcopy(opt, cid, opt_len);
591 		cid_len = opt_len;
592 	} else {
593 		bzero(cid, DHCP_MAX_OPT_SIZE);
594 		cid_len = 0;
595 	}
596 
597 	mutex_enter(&mcip->mci_protect_lock);
598 	if (mtype == RELEASE) {
599 		DTRACE_PROBE2(release, mac_client_impl_t *, mcip,
600 		    struct dhcp *, dh4);
601 
602 		/* flush any completed txn with this cid */
603 		ctxn = find_dhcpv4_completed_txn(mcip, cid, cid_len);
604 		if (ctxn != NULL) {
605 			DTRACE_PROBE2(release__successful, mac_client_impl_t *,
606 			    mcip, struct dhcp *, dh4);
607 
608 			remove_dhcpv4_completed_txn(mcip, ctxn);
609 			free_dhcpv4_txn(ctxn);
610 		}
611 		goto done;
612 	}
613 
614 	/*
615 	 * If a pending txn already exists, we'll update its timestamp so
616 	 * it won't get flushed by the timer. We don't need to create new
617 	 * txns for retransmissions.
618 	 */
619 	if ((txn = find_dhcpv4_pending_txn(mcip, dh4->xid)) != NULL) {
620 		DTRACE_PROBE2(update, mac_client_impl_t *, mcip,
621 		    dhcpv4_txn_t *, txn);
622 		txn->dt_timestamp = gethrtime();
623 		goto done;
624 	}
625 
626 	if (get_dhcpv4_option(dh4, end, CD_REQUESTED_IP_ADDR,
627 	    &opt, &opt_len) != 0 || opt_len != sizeof (ipaddr)) {
628 		DTRACE_PROBE2(ipaddr__not__found, mac_client_impl_t *, mcip,
629 		    struct dhcp *, dh4);
630 		goto done;
631 	}
632 	bcopy(opt, &ipaddr, sizeof (ipaddr));
633 	if ((txn = create_dhcpv4_txn(dh4->xid, cid, cid_len, ipaddr)) == NULL)
634 		goto done;
635 
636 	if (insert_dhcpv4_pending_txn(mcip, txn) != 0) {
637 		DTRACE_PROBE2(insert__failed, mac_client_impl_t *, mcip,
638 		    dhcpv4_txn_t *, txn);
639 		free_dhcpv4_txn(txn);
640 		goto done;
641 	}
642 	start_txn_cleanup_timer(mcip);
643 
644 	DTRACE_PROBE2(txn__pending, mac_client_impl_t *, mcip,
645 	    dhcpv4_txn_t *, txn);
646 
647 done:
648 	mutex_exit(&mcip->mci_protect_lock);
649 	return (B_TRUE);
650 }
651 
652 /*
653  * Core logic for intercepting inbound DHCPv4 packets.
654  */
655 static void
656 intercept_dhcpv4_inbound(mac_client_impl_t *mcip, ipha_t *ipha, uchar_t *end)
657 {
658 	uchar_t		*opt;
659 	struct dhcp	*dh4;
660 	dhcpv4_txn_t	*txn, *ctxn;
661 	uint8_t		opt_len, mtype;
662 
663 	if (get_dhcpv4_info(ipha, end, &dh4) != 0)
664 		return;
665 
666 	if (get_dhcpv4_option(dh4, end, CD_DHCP_TYPE, &opt, &opt_len) != 0 ||
667 	    opt_len != 1) {
668 		DTRACE_PROBE2(mtype__not__found, mac_client_impl_t *, mcip,
669 		    struct dhcp *, dh4);
670 		return;
671 	}
672 	mtype = *opt;
673 	if (mtype != ACK && mtype != NAK) {
674 		DTRACE_PROBE3(ignored__mtype, mac_client_impl_t *, mcip,
675 		    struct dhcp *, dh4, uint8_t, mtype);
676 		return;
677 	}
678 
679 	mutex_enter(&mcip->mci_protect_lock);
680 	if ((txn = find_dhcpv4_pending_txn(mcip, dh4->xid)) == NULL) {
681 		DTRACE_PROBE2(txn__not__found, mac_client_impl_t *, mcip,
682 		    struct dhcp *, dh4);
683 		goto done;
684 	}
685 	remove_dhcpv4_pending_txn(mcip, txn);
686 
687 	/*
688 	 * We're about to move a txn from the pending table to the completed/
689 	 * dyn-ip tables. If there is an existing completed txn with the
690 	 * same cid as our txn, we need to remove and free it.
691 	 */
692 	ctxn = find_dhcpv4_completed_txn(mcip, txn->dt_cid, txn->dt_cid_len);
693 	if (ctxn != NULL) {
694 		DTRACE_PROBE2(replacing__old__txn, mac_client_impl_t *, mcip,
695 		    dhcpv4_txn_t *, ctxn);
696 		remove_dhcpv4_completed_txn(mcip, ctxn);
697 		free_dhcpv4_txn(ctxn);
698 	}
699 	if (mtype == NAK) {
700 		DTRACE_PROBE2(nak__received, mac_client_impl_t *, mcip,
701 		    dhcpv4_txn_t *, txn);
702 		free_dhcpv4_txn(txn);
703 		goto done;
704 	}
705 	if (insert_dhcpv4_completed_txn(mcip, txn) != 0) {
706 		DTRACE_PROBE2(insert__failed, mac_client_impl_t *, mcip,
707 		    dhcpv4_txn_t *, txn);
708 		free_dhcpv4_txn(txn);
709 		goto done;
710 	}
711 	DTRACE_PROBE2(txn__completed, mac_client_impl_t *, mcip,
712 	    dhcpv4_txn_t *, txn);
713 
714 done:
715 	mutex_exit(&mcip->mci_protect_lock);
716 }
717 
718 
719 /*
720  * Comparison functions for the DHCPv6 AVL trees.
721  */
722 static int
723 compare_dhcpv6_xid(const void *arg1, const void *arg2)
724 {
725 	const dhcpv6_txn_t	*txn1 = arg1, *txn2 = arg2;
726 
727 	if (txn1->dt_xid < txn2->dt_xid)
728 		return (-1);
729 	else if (txn1->dt_xid > txn2->dt_xid)
730 		return (1);
731 	else
732 		return (0);
733 }
734 
735 static int
736 compare_dhcpv6_ip(const void *arg1, const void *arg2)
737 {
738 	const dhcpv6_addr_t	*ip1 = arg1, *ip2 = arg2;
739 	int			ret;
740 
741 	ret = memcmp(&ip1->da_addr, &ip2->da_addr, sizeof (in6_addr_t));
742 	if (ret < 0)
743 		return (-1);
744 	else if (ret > 0)
745 		return (1);
746 	else
747 		return (0);
748 }
749 
750 static int
751 compare_dhcpv6_cid(const void *arg1, const void *arg2)
752 {
753 	const dhcpv6_cid_t	*cid1 = arg1, *cid2 = arg2;
754 	int			ret;
755 
756 	if (cid1->dc_cid_len < cid2->dc_cid_len)
757 		return (-1);
758 	else if (cid1->dc_cid_len > cid2->dc_cid_len)
759 		return (1);
760 
761 	if (cid1->dc_cid_len == 0)
762 		return (0);
763 
764 	ret = memcmp(cid1->dc_cid, cid2->dc_cid, cid1->dc_cid_len);
765 	if (ret < 0)
766 		return (-1);
767 	else if (ret > 0)
768 		return (1);
769 	else
770 		return (0);
771 }
772 
773 /*
774  * Locate the start of a DHCPv6 header.
775  * The possible return values and associated meanings are:
776  * 0      - packet is DHCP and has a DHCP header.
777  * EINVAL - packet is not DHCP. the recommended action is to let it pass.
778  * ENOSPC - packet is a initial fragment that is DHCP or is unidentifiable.
779  *          the recommended action is to drop it.
780  */
781 static int
782 get_dhcpv6_info(ip6_t *ip6h, uchar_t *end, dhcpv6_message_t **dh6)
783 {
784 	uint16_t	hdrlen, client, server;
785 	boolean_t	first_frag = B_FALSE;
786 	ip6_frag_t	*frag = NULL;
787 	uint8_t		proto;
788 	struct udphdr	*udph;
789 	uchar_t		*dh;
790 
791 	if (!mac_ip_hdr_length_v6(ip6h, end, &hdrlen, &proto, &frag))
792 		return (ENOSPC);
793 
794 	if (proto != IPPROTO_UDP)
795 		return (EINVAL);
796 
797 	if (frag != NULL) {
798 		/*
799 		 * All non-initial fragments may pass because we cannot
800 		 * identify their type. It's safe to let them through
801 		 * because reassembly will fail if we decide to drop the
802 		 * initial fragment.
803 		 */
804 		if ((ntohs(frag->ip6f_offlg) & ~7) != 0)
805 			return (EINVAL);
806 		first_frag = B_TRUE;
807 	}
808 	/* drop packets without a udp header */
809 	udph = (struct udphdr *)((uchar_t *)ip6h + hdrlen);
810 	if ((uchar_t *)&udph[1] > end)
811 		return (ENOSPC);
812 
813 	client = htons(IPPORT_DHCPV6C);
814 	server = htons(IPPORT_DHCPV6S);
815 	if (udph->uh_sport != client && udph->uh_sport != server &&
816 	    udph->uh_dport != client && udph->uh_dport != server)
817 		return (EINVAL);
818 
819 	/* drop dhcp fragments */
820 	if (first_frag)
821 		return (ENOSPC);
822 
823 	dh = (uchar_t *)&udph[1];
824 	if (dh + sizeof (dhcpv6_message_t) > end)
825 		return (EINVAL);
826 
827 	*dh6 = (dhcpv6_message_t *)dh;
828 	return (0);
829 }
830 
831 /*
832  * Find the specified DHCPv6 option.
833  */
834 static dhcpv6_option_t *
835 get_dhcpv6_option(void *buf, size_t buflen, dhcpv6_option_t *oldopt,
836     uint16_t codenum, uint_t *retlenp)
837 {
838 	uchar_t		*bp;
839 	dhcpv6_option_t	d6o;
840 	uint_t		olen;
841 
842 	codenum = htons(codenum);
843 	bp = buf;
844 	while (buflen >= sizeof (dhcpv6_option_t)) {
845 		bcopy(bp, &d6o, sizeof (d6o));
846 		olen = ntohs(d6o.d6o_len) + sizeof (d6o);
847 		if (olen > buflen)
848 			break;
849 		if (d6o.d6o_code != codenum || d6o.d6o_len == 0 ||
850 		    (oldopt != NULL && bp <= (uchar_t *)oldopt)) {
851 			bp += olen;
852 			buflen -= olen;
853 			continue;
854 		}
855 		if (retlenp != NULL)
856 			*retlenp = olen;
857 		/* LINTED : alignment */
858 		return ((dhcpv6_option_t *)bp);
859 	}
860 	return (NULL);
861 }
862 
863 /*
864  * Get the status code from a reply message.
865  */
866 static int
867 get_dhcpv6_status(dhcpv6_message_t *dh6, uchar_t *end, uint16_t *status)
868 {
869 	dhcpv6_option_t	*d6o;
870 	uint_t		olen;
871 	uint16_t	s;
872 
873 	d6o = get_dhcpv6_option(&dh6[1], end - (uchar_t *)&dh6[1], NULL,
874 	    DHCPV6_OPT_STATUS_CODE, &olen);
875 
876 	/* Success is implied if status code is missing */
877 	if (d6o == NULL) {
878 		*status = DHCPV6_STAT_SUCCESS;
879 		return (0);
880 	}
881 	if ((uchar_t *)d6o + olen > end)
882 		return (EINVAL);
883 
884 	olen -= sizeof (*d6o);
885 	if (olen < sizeof (s))
886 		return (EINVAL);
887 
888 	bcopy(&d6o[1], &s, sizeof (s));
889 	*status = ntohs(s);
890 	return (0);
891 }
892 
893 /*
894  * Get the addresses from a reply message.
895  */
896 static int
897 get_dhcpv6_addrs(dhcpv6_message_t *dh6, uchar_t *end, dhcpv6_cid_t *cid)
898 {
899 	dhcpv6_option_t		*d6o;
900 	dhcpv6_addr_t		*next;
901 	uint_t			olen;
902 
903 	d6o = NULL;
904 	while ((d6o = get_dhcpv6_option(&dh6[1], end - (uchar_t *)&dh6[1],
905 	    d6o, DHCPV6_OPT_IA_NA, &olen)) != NULL) {
906 		dhcpv6_option_t		*d6so;
907 		dhcpv6_iaaddr_t		d6ia;
908 		dhcpv6_addr_t		**addrp;
909 		uchar_t			*obase;
910 		uint_t			solen;
911 
912 		if (olen < sizeof (dhcpv6_ia_na_t) ||
913 		    (uchar_t *)d6o + olen > end)
914 			goto fail;
915 
916 		obase = (uchar_t *)d6o + sizeof (dhcpv6_ia_na_t);
917 		olen -= sizeof (dhcpv6_ia_na_t);
918 		d6so = NULL;
919 		while ((d6so = get_dhcpv6_option(obase, olen, d6so,
920 		    DHCPV6_OPT_IAADDR, &solen)) != NULL) {
921 			if (solen < sizeof (dhcpv6_iaaddr_t) ||
922 			    (uchar_t *)d6so + solen > end)
923 				goto fail;
924 
925 			bcopy(d6so, &d6ia, sizeof (d6ia));
926 			for (addrp = &cid->dc_addr; *addrp != NULL;
927 			    addrp = &(*addrp)->da_next) {
928 				if (bcmp(&(*addrp)->da_addr, &d6ia.d6ia_addr,
929 				    sizeof (in6_addr_t)) == 0)
930 					goto fail;
931 			}
932 			if ((*addrp = kmem_zalloc(sizeof (dhcpv6_addr_t),
933 			    KM_NOSLEEP)) == NULL)
934 				goto fail;
935 
936 			bcopy(&d6ia.d6ia_addr, &(*addrp)->da_addr,
937 			    sizeof (in6_addr_t));
938 			cid->dc_addrcnt++;
939 		}
940 	}
941 	if (cid->dc_addrcnt == 0)
942 		return (ENOENT);
943 
944 	return (0);
945 
946 fail:
947 	for (; cid->dc_addr != NULL; cid->dc_addr = next) {
948 		next = cid->dc_addr->da_next;
949 		kmem_free(cid->dc_addr, sizeof (dhcpv6_addr_t));
950 		cid->dc_addrcnt--;
951 	}
952 	ASSERT(cid->dc_addrcnt == 0);
953 	return (EINVAL);
954 }
955 
956 /*
957  * Free a cid.
958  * Before this gets called the caller must ensure that all the
959  * addresses are removed from the mci_v6_dyn_ip table.
960  */
961 static void
962 free_dhcpv6_cid(dhcpv6_cid_t *cid)
963 {
964 	dhcpv6_addr_t	*addr, *next;
965 	uint_t		cnt = 0;
966 
967 	kmem_free(cid->dc_cid, cid->dc_cid_len);
968 	for (addr = cid->dc_addr; addr != NULL; addr = next) {
969 		next = addr->da_next;
970 		kmem_free(addr, sizeof (*addr));
971 		cnt++;
972 	}
973 	ASSERT(cnt == cid->dc_addrcnt);
974 	kmem_free(cid, sizeof (*cid));
975 }
976 
977 /*
978  * Extract the DUID from a message. The associated addresses will be
979  * extracted later from the reply message.
980  */
981 static dhcpv6_cid_t *
982 create_dhcpv6_cid(dhcpv6_message_t *dh6, uchar_t *end)
983 {
984 	dhcpv6_option_t		*d6o;
985 	dhcpv6_cid_t		*cid;
986 	uchar_t			*rawcid;
987 	uint_t			olen, rawcidlen;
988 
989 	d6o = get_dhcpv6_option(&dh6[1], end - (uchar_t *)&dh6[1], NULL,
990 	    DHCPV6_OPT_CLIENTID, &olen);
991 	if (d6o == NULL || (uchar_t *)d6o + olen > end)
992 		return (NULL);
993 
994 	rawcidlen = olen - sizeof (*d6o);
995 	if ((rawcid = kmem_zalloc(rawcidlen, KM_NOSLEEP)) == NULL)
996 		return (NULL);
997 	bcopy(d6o + 1, rawcid, rawcidlen);
998 
999 	if ((cid = kmem_zalloc(sizeof (*cid), KM_NOSLEEP)) == NULL) {
1000 		kmem_free(rawcid, rawcidlen);
1001 		return (NULL);
1002 	}
1003 	cid->dc_cid = rawcid;
1004 	cid->dc_cid_len = rawcidlen;
1005 	return (cid);
1006 }
1007 
1008 /*
1009  * Remove a cid from mci_v6_cid. The addresses owned by the cid
1010  * are also removed from mci_v6_dyn_ip.
1011  */
1012 static void
1013 remove_dhcpv6_cid(mac_client_impl_t *mcip, dhcpv6_cid_t *cid)
1014 {
1015 	dhcpv6_addr_t	*addr, *tmp_addr;
1016 
1017 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
1018 	avl_remove(&mcip->mci_v6_cid, cid);
1019 	for (addr = cid->dc_addr; addr != NULL; addr = addr->da_next) {
1020 		tmp_addr = avl_find(&mcip->mci_v6_dyn_ip, addr, NULL);
1021 		if (tmp_addr == addr)
1022 			avl_remove(&mcip->mci_v6_dyn_ip, addr);
1023 	}
1024 }
1025 
1026 /*
1027  * Find and remove a matching cid and associated addresses from
1028  * their respective tables.
1029  */
1030 static void
1031 release_dhcpv6_cid(mac_client_impl_t *mcip, dhcpv6_cid_t *cid)
1032 {
1033 	dhcpv6_cid_t	*oldcid;
1034 
1035 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
1036 	if ((oldcid = avl_find(&mcip->mci_v6_cid, cid, NULL)) == NULL)
1037 		return;
1038 
1039 	/*
1040 	 * Since cid belongs to a pending txn, it can't possibly be in
1041 	 * mci_v6_cid. Anything that's found must be an existing cid.
1042 	 */
1043 	ASSERT(oldcid != cid);
1044 	remove_dhcpv6_cid(mcip, oldcid);
1045 	free_dhcpv6_cid(oldcid);
1046 }
1047 
1048 /*
1049  * Insert cid into mci_v6_cid.
1050  */
1051 static int
1052 insert_dhcpv6_cid(mac_client_impl_t *mcip, dhcpv6_cid_t *cid)
1053 {
1054 	avl_index_t	where;
1055 	dhcpv6_addr_t	*addr;
1056 
1057 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
1058 	if (avl_find(&mcip->mci_v6_cid, cid, &where) != NULL)
1059 		return (EEXIST);
1060 
1061 	if (avl_numnodes(&mcip->mci_v6_cid) >= dhcp_max_completed_txn) {
1062 		BUMP_STAT(mcip, dhcpdropped);
1063 		return (EAGAIN);
1064 	}
1065 	avl_insert(&mcip->mci_v6_cid, cid, where);
1066 	for (addr = cid->dc_addr; addr != NULL; addr = addr->da_next) {
1067 		if (avl_find(&mcip->mci_v6_dyn_ip, addr, &where) != NULL)
1068 			goto fail;
1069 
1070 		avl_insert(&mcip->mci_v6_dyn_ip, addr, where);
1071 	}
1072 	return (0);
1073 
1074 fail:
1075 	remove_dhcpv6_cid(mcip, cid);
1076 	return (EEXIST);
1077 }
1078 
1079 /*
1080  * Check whether an IP address is in the dyn-ip table.
1081  */
1082 static boolean_t
1083 check_dhcpv6_dyn_ip(mac_client_impl_t *mcip, in6_addr_t *addr)
1084 {
1085 	dhcpv6_addr_t	tmp_addr, *a;
1086 
1087 	mutex_enter(&mcip->mci_protect_lock);
1088 	bcopy(addr, &tmp_addr.da_addr, sizeof (in6_addr_t));
1089 	a = avl_find(&mcip->mci_v6_dyn_ip, &tmp_addr, NULL);
1090 	mutex_exit(&mcip->mci_protect_lock);
1091 	return (a != NULL);
1092 }
1093 
1094 static dhcpv6_txn_t *
1095 find_dhcpv6_pending_txn(mac_client_impl_t *mcip, uint32_t xid)
1096 {
1097 	dhcpv6_txn_t	tmp_txn;
1098 
1099 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
1100 	tmp_txn.dt_xid = xid;
1101 	return (avl_find(&mcip->mci_v6_pending_txn, &tmp_txn, NULL));
1102 }
1103 
1104 static void
1105 remove_dhcpv6_pending_txn(mac_client_impl_t *mcip, dhcpv6_txn_t *txn)
1106 {
1107 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
1108 	avl_remove(&mcip->mci_v6_pending_txn, txn);
1109 }
1110 
1111 static dhcpv6_txn_t *
1112 create_dhcpv6_txn(uint32_t xid, dhcpv6_cid_t *cid)
1113 {
1114 	dhcpv6_txn_t	*txn;
1115 
1116 	if ((txn = kmem_zalloc(sizeof (dhcpv6_txn_t), KM_NOSLEEP)) == NULL)
1117 		return (NULL);
1118 
1119 	txn->dt_xid = xid;
1120 	txn->dt_cid = cid;
1121 	txn->dt_timestamp = gethrtime();
1122 	return (txn);
1123 }
1124 
1125 static void
1126 free_dhcpv6_txn(dhcpv6_txn_t *txn)
1127 {
1128 	if (txn->dt_cid != NULL)
1129 		free_dhcpv6_cid(txn->dt_cid);
1130 	kmem_free(txn, sizeof (dhcpv6_txn_t));
1131 }
1132 
1133 static int
1134 insert_dhcpv6_pending_txn(mac_client_impl_t *mcip, dhcpv6_txn_t *txn)
1135 {
1136 	avl_index_t	where;
1137 
1138 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
1139 	if (avl_find(&mcip->mci_v6_pending_txn, txn, &where) != NULL)
1140 		return (EEXIST);
1141 
1142 	if (avl_numnodes(&mcip->mci_v6_pending_txn) >= dhcp_max_pending_txn) {
1143 		BUMP_STAT(mcip, dhcpdropped);
1144 		return (EAGAIN);
1145 	}
1146 	avl_insert(&mcip->mci_v6_pending_txn, txn, where);
1147 	return (0);
1148 }
1149 
1150 /*
1151  * Clean up all v6 tables.
1152  */
1153 static void
1154 flush_dhcpv6(mac_client_impl_t *mcip)
1155 {
1156 	void		*cookie = NULL;
1157 	dhcpv6_cid_t	*cid;
1158 	dhcpv6_txn_t	*txn;
1159 
1160 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
1161 	while (avl_destroy_nodes(&mcip->mci_v6_dyn_ip, &cookie) != NULL) {
1162 	}
1163 	cookie = NULL;
1164 	while ((cid = avl_destroy_nodes(&mcip->mci_v6_cid, &cookie)) != NULL) {
1165 		free_dhcpv6_cid(cid);
1166 	}
1167 	cookie = NULL;
1168 	while ((txn = avl_destroy_nodes(&mcip->mci_v6_pending_txn,
1169 	    &cookie)) != NULL) {
1170 		free_dhcpv6_txn(txn);
1171 	}
1172 }
1173 
1174 /*
1175  * Cleanup stale DHCPv6 transactions.
1176  */
1177 static void
1178 txn_cleanup_v6(mac_client_impl_t *mcip)
1179 {
1180 	dhcpv6_txn_t		*txn, *next, *txn_list = NULL;
1181 
1182 	/*
1183 	 * Find stale pending transactions and place them on a list
1184 	 * to be removed.
1185 	 */
1186 	for (txn = avl_first(&mcip->mci_v6_pending_txn); txn != NULL;
1187 	    txn = avl_walk(&mcip->mci_v6_pending_txn, txn, AVL_AFTER)) {
1188 		if (gethrtime() - txn->dt_timestamp > txn_cleanup_interval) {
1189 			DTRACE_PROBE2(found__expired__txn,
1190 			    mac_client_impl_t *, mcip,
1191 			    dhcpv6_txn_t *, txn);
1192 
1193 			txn->dt_next = txn_list;
1194 			txn_list = txn;
1195 		}
1196 	}
1197 
1198 	/*
1199 	 * Remove and free stale pending transactions.
1200 	 * Release any existing cids matching the stale transactions.
1201 	 */
1202 	for (txn = txn_list; txn != NULL; txn = next) {
1203 		avl_remove(&mcip->mci_v6_pending_txn, txn);
1204 		release_dhcpv6_cid(mcip, txn->dt_cid);
1205 		next = txn->dt_next;
1206 		txn->dt_next = NULL;
1207 
1208 		DTRACE_PROBE2(freeing__txn, mac_client_impl_t *, mcip,
1209 		    dhcpv6_txn_t *, txn);
1210 		free_dhcpv6_txn(txn);
1211 	}
1212 
1213 }
1214 
1215 /*
1216  * Core logic for intercepting outbound DHCPv6 packets.
1217  */
1218 static boolean_t
1219 intercept_dhcpv6_outbound(mac_client_impl_t *mcip, ip6_t *ip6h, uchar_t *end)
1220 {
1221 	dhcpv6_message_t	*dh6;
1222 	dhcpv6_txn_t		*txn;
1223 	dhcpv6_cid_t		*cid = NULL;
1224 	uint32_t		xid;
1225 	uint8_t			mtype;
1226 	mac_resource_props_t *mrp = MCIP_RESOURCE_PROPS(mcip);
1227 
1228 	if (get_dhcpv6_info(ip6h, end, &dh6) != 0)
1229 		return (B_TRUE);
1230 
1231 	/* ip_nospoof/allowed-ips and DHCP are mutually exclusive by default */
1232 	if (allowed_ips_set(mrp, IPV6_VERSION))
1233 		return (B_FALSE);
1234 
1235 	mtype = dh6->d6m_msg_type;
1236 	if (mtype != DHCPV6_MSG_REQUEST && mtype != DHCPV6_MSG_RENEW &&
1237 	    mtype != DHCPV6_MSG_REBIND && mtype != DHCPV6_MSG_RELEASE)
1238 		return (B_TRUE);
1239 
1240 	if ((cid = create_dhcpv6_cid(dh6, end)) == NULL)
1241 		return (B_TRUE);
1242 
1243 	mutex_enter(&mcip->mci_protect_lock);
1244 	if (mtype == DHCPV6_MSG_RELEASE) {
1245 		release_dhcpv6_cid(mcip, cid);
1246 		goto done;
1247 	}
1248 	xid = DHCPV6_GET_TRANSID(dh6);
1249 	if ((txn = find_dhcpv6_pending_txn(mcip, xid)) != NULL) {
1250 		DTRACE_PROBE2(update, mac_client_impl_t *, mcip,
1251 		    dhcpv6_txn_t *, txn);
1252 		txn->dt_timestamp = gethrtime();
1253 		goto done;
1254 	}
1255 	if ((txn = create_dhcpv6_txn(xid, cid)) == NULL)
1256 		goto done;
1257 
1258 	cid = NULL;
1259 	if (insert_dhcpv6_pending_txn(mcip, txn) != 0) {
1260 		DTRACE_PROBE2(insert__failed, mac_client_impl_t *, mcip,
1261 		    dhcpv6_txn_t *, txn);
1262 		free_dhcpv6_txn(txn);
1263 		goto done;
1264 	}
1265 	start_txn_cleanup_timer(mcip);
1266 
1267 	DTRACE_PROBE2(txn__pending, mac_client_impl_t *, mcip,
1268 	    dhcpv6_txn_t *, txn);
1269 
1270 done:
1271 	if (cid != NULL)
1272 		free_dhcpv6_cid(cid);
1273 
1274 	mutex_exit(&mcip->mci_protect_lock);
1275 	return (B_TRUE);
1276 }
1277 
1278 /*
1279  * Core logic for intercepting inbound DHCPv6 packets.
1280  */
1281 static void
1282 intercept_dhcpv6_inbound(mac_client_impl_t *mcip, ip6_t *ip6h, uchar_t *end)
1283 {
1284 	dhcpv6_message_t	*dh6;
1285 	dhcpv6_txn_t		*txn;
1286 	uint32_t		xid;
1287 	uint8_t			mtype;
1288 	uint16_t		status;
1289 
1290 	if (get_dhcpv6_info(ip6h, end, &dh6) != 0)
1291 		return;
1292 
1293 	mtype = dh6->d6m_msg_type;
1294 	if (mtype != DHCPV6_MSG_REPLY)
1295 		return;
1296 
1297 	mutex_enter(&mcip->mci_protect_lock);
1298 	xid = DHCPV6_GET_TRANSID(dh6);
1299 	if ((txn = find_dhcpv6_pending_txn(mcip, xid)) == NULL) {
1300 		DTRACE_PROBE2(txn__not__found, mac_client_impl_t *, mcip,
1301 		    dhcpv6_message_t *, dh6);
1302 		goto done;
1303 	}
1304 	remove_dhcpv6_pending_txn(mcip, txn);
1305 	release_dhcpv6_cid(mcip, txn->dt_cid);
1306 
1307 	if (get_dhcpv6_status(dh6, end, &status) != 0 ||
1308 	    status != DHCPV6_STAT_SUCCESS) {
1309 		DTRACE_PROBE2(error__status, mac_client_impl_t *, mcip,
1310 		    dhcpv6_txn_t *, txn);
1311 		goto done;
1312 	}
1313 	if (get_dhcpv6_addrs(dh6, end, txn->dt_cid) != 0) {
1314 		DTRACE_PROBE2(no__addrs, mac_client_impl_t *, mcip,
1315 		    dhcpv6_txn_t *, txn);
1316 		goto done;
1317 	}
1318 	if (insert_dhcpv6_cid(mcip, txn->dt_cid) != 0) {
1319 		DTRACE_PROBE2(insert__failed, mac_client_impl_t *, mcip,
1320 		    dhcpv6_txn_t *, txn);
1321 		goto done;
1322 	}
1323 	DTRACE_PROBE2(txn__completed, mac_client_impl_t *, mcip,
1324 	    dhcpv6_txn_t *, txn);
1325 
1326 	txn->dt_cid = NULL;
1327 
1328 done:
1329 	if (txn != NULL)
1330 		free_dhcpv6_txn(txn);
1331 	mutex_exit(&mcip->mci_protect_lock);
1332 }
1333 
1334 /*
1335  * Timer for cleaning up stale transactions.
1336  */
1337 static void
1338 txn_cleanup_timer(void *arg)
1339 {
1340 	mac_client_impl_t	*mcip = arg;
1341 
1342 	mutex_enter(&mcip->mci_protect_lock);
1343 	if (mcip->mci_txn_cleanup_tid == 0) {
1344 		/* do nothing if timer got cancelled */
1345 		mutex_exit(&mcip->mci_protect_lock);
1346 		return;
1347 	}
1348 	mcip->mci_txn_cleanup_tid = 0;
1349 
1350 	txn_cleanup_v4(mcip);
1351 	txn_cleanup_v6(mcip);
1352 
1353 	/*
1354 	 * Restart timer if pending transactions still exist.
1355 	 */
1356 	if (!avl_is_empty(&mcip->mci_v4_pending_txn) ||
1357 	    !avl_is_empty(&mcip->mci_v6_pending_txn)) {
1358 		DTRACE_PROBE1(restarting__timer, mac_client_impl_t *, mcip);
1359 
1360 		mcip->mci_txn_cleanup_tid = timeout(txn_cleanup_timer, mcip,
1361 		    drv_usectohz(txn_cleanup_interval / (NANOSEC / MICROSEC)));
1362 	}
1363 	mutex_exit(&mcip->mci_protect_lock);
1364 }
1365 
1366 static void
1367 start_txn_cleanup_timer(mac_client_impl_t *mcip)
1368 {
1369 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
1370 	if (mcip->mci_txn_cleanup_tid == 0) {
1371 		mcip->mci_txn_cleanup_tid = timeout(txn_cleanup_timer, mcip,
1372 		    drv_usectohz(txn_cleanup_interval / (NANOSEC / MICROSEC)));
1373 	}
1374 }
1375 
1376 static void
1377 cancel_txn_cleanup_timer(mac_client_impl_t *mcip)
1378 {
1379 	timeout_id_t	tid;
1380 
1381 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
1382 
1383 	/*
1384 	 * This needs to be a while loop because the timer could get
1385 	 * rearmed during untimeout().
1386 	 */
1387 	while ((tid = mcip->mci_txn_cleanup_tid) != 0) {
1388 		mcip->mci_txn_cleanup_tid = 0;
1389 		mutex_exit(&mcip->mci_protect_lock);
1390 		(void) untimeout(tid);
1391 		mutex_enter(&mcip->mci_protect_lock);
1392 	}
1393 }
1394 
1395 /*
1396  * Get the start/end pointers of an L3 packet and also do pullup if needed.
1397  * pulled-up packet needs to be freed by the caller.
1398  */
1399 static int
1400 get_l3_info(mblk_t *mp, size_t hdrsize, uchar_t **start, uchar_t **end,
1401     mblk_t **nmp)
1402 {
1403 	uchar_t	*s, *e;
1404 	mblk_t	*newmp = NULL;
1405 
1406 	/*
1407 	 * Pullup if necessary but reject packets that do not have
1408 	 * a proper mac header.
1409 	 */
1410 	s = mp->b_rptr + hdrsize;
1411 	e = mp->b_wptr;
1412 
1413 	if (s > mp->b_wptr)
1414 		return (EINVAL);
1415 
1416 	if (!OK_32PTR(s) || mp->b_cont != NULL) {
1417 		/*
1418 		 * Temporarily adjust mp->b_rptr to ensure proper
1419 		 * alignment of IP header in newmp.
1420 		 */
1421 		DTRACE_PROBE1(pullup__needed, mblk_t *, mp);
1422 
1423 		mp->b_rptr += hdrsize;
1424 		newmp = msgpullup(mp, -1);
1425 		mp->b_rptr -= hdrsize;
1426 
1427 		if (newmp == NULL)
1428 			return (ENOMEM);
1429 
1430 		s = newmp->b_rptr;
1431 		e = newmp->b_wptr;
1432 	}
1433 
1434 	*start = s;
1435 	*end = e;
1436 	*nmp = newmp;
1437 	return (0);
1438 }
1439 
1440 void
1441 mac_protect_intercept_dhcp_one(mac_client_impl_t *mcip, mblk_t *mp)
1442 {
1443 	mac_impl_t		*mip = mcip->mci_mip;
1444 	uchar_t			*start, *end;
1445 	mblk_t			*nmp = NULL;
1446 	mac_header_info_t	mhi;
1447 	int			err;
1448 
1449 	err = mac_vlan_header_info((mac_handle_t)mip, mp, &mhi);
1450 	if (err != 0) {
1451 		DTRACE_PROBE2(invalid__header, mac_client_impl_t *, mcip,
1452 		    mblk_t *, mp);
1453 		return;
1454 	}
1455 
1456 	err = get_l3_info(mp, mhi.mhi_hdrsize, &start, &end, &nmp);
1457 	if (err != 0) {
1458 		DTRACE_PROBE2(invalid__l3, mac_client_impl_t *, mcip,
1459 		    mblk_t *, mp);
1460 		return;
1461 	}
1462 
1463 	switch (mhi.mhi_bindsap) {
1464 	case ETHERTYPE_IP: {
1465 		ipha_t	*ipha = (ipha_t *)start;
1466 
1467 		if (start + sizeof (ipha_t) > end)
1468 			return;
1469 
1470 		intercept_dhcpv4_inbound(mcip, ipha, end);
1471 		break;
1472 	}
1473 	case ETHERTYPE_IPV6: {
1474 		ip6_t		*ip6h = (ip6_t *)start;
1475 
1476 		if (start + sizeof (ip6_t) > end)
1477 			return;
1478 
1479 		intercept_dhcpv6_inbound(mcip, ip6h, end);
1480 		break;
1481 	}
1482 	}
1483 	freemsg(nmp);
1484 }
1485 
1486 void
1487 mac_protect_intercept_dhcp(mac_client_impl_t *mcip, mblk_t *mp)
1488 {
1489 	/*
1490 	 * Skip checks if we are part of an aggr.
1491 	 */
1492 	if ((mcip->mci_state_flags & MCIS_IS_AGGR_PORT) != 0)
1493 		return;
1494 
1495 	for (; mp != NULL; mp = mp->b_next)
1496 		mac_protect_intercept_dhcp_one(mcip, mp);
1497 }
1498 
1499 void
1500 mac_protect_flush_dhcp(mac_client_impl_t *mcip)
1501 {
1502 	mutex_enter(&mcip->mci_protect_lock);
1503 	flush_dhcpv4(mcip);
1504 	flush_dhcpv6(mcip);
1505 	mutex_exit(&mcip->mci_protect_lock);
1506 }
1507 
1508 void
1509 mac_protect_cancel_timer(mac_client_impl_t *mcip)
1510 {
1511 	mutex_enter(&mcip->mci_protect_lock);
1512 	cancel_txn_cleanup_timer(mcip);
1513 	mutex_exit(&mcip->mci_protect_lock);
1514 }
1515 
1516 /*
1517  * Check if addr is in the 'allowed-ips' list.
1518  */
1519 
1520 /* ARGSUSED */
1521 static boolean_t
1522 ipnospoof_check_v4(mac_client_impl_t *mcip, mac_protect_t *protect,
1523     ipaddr_t *addr)
1524 {
1525 	uint_t	i;
1526 
1527 	/*
1528 	 * The unspecified address is allowed.
1529 	 */
1530 	if (*addr == INADDR_ANY)
1531 		return (B_TRUE);
1532 
1533 	for (i = 0; i < protect->mp_ipaddrcnt; i++) {
1534 		mac_ipaddr_t	*v4addr = &protect->mp_ipaddrs[i];
1535 
1536 		if (v4addr->ip_version == IPV4_VERSION &&
1537 		    V4_PART_OF_V6(v4addr->ip_addr) == *addr)
1538 			return (B_TRUE);
1539 	}
1540 	return (protect->mp_ipaddrcnt == 0 ?
1541 	    check_dhcpv4_dyn_ip(mcip, *addr) : B_FALSE);
1542 }
1543 
1544 static boolean_t
1545 ipnospoof_check_v6(mac_client_impl_t *mcip, mac_protect_t *protect,
1546     in6_addr_t *addr)
1547 {
1548 	uint_t	i;
1549 
1550 	/*
1551 	 * The unspecified address and the v6 link local address are allowed.
1552 	 */
1553 	if (IN6_IS_ADDR_UNSPECIFIED(addr) ||
1554 	    ((mcip->mci_protect_flags & MPT_FLAG_V6_LOCAL_ADDR_SET) != 0 &&
1555 	    IN6_ARE_ADDR_EQUAL(&mcip->mci_v6_local_addr, addr)))
1556 		return (B_TRUE);
1557 
1558 
1559 	for (i = 0; i < protect->mp_ipaddrcnt; i++) {
1560 		mac_ipaddr_t	*v6addr = &protect->mp_ipaddrs[i];
1561 
1562 		if (v6addr->ip_version == IPV6_VERSION &&
1563 		    IN6_ARE_ADDR_EQUAL(&v6addr->ip_addr, addr))
1564 			return (B_TRUE);
1565 	}
1566 	return (protect->mp_ipaddrcnt == 0 ?
1567 	    check_dhcpv6_dyn_ip(mcip, addr) : B_FALSE);
1568 }
1569 
1570 /*
1571  * Checks various fields within an IPv6 NDP packet.
1572  */
1573 static boolean_t
1574 ipnospoof_check_ndp(mac_client_impl_t *mcip, mac_protect_t *protect,
1575     ip6_t *ip6h, uchar_t *end)
1576 {
1577 	icmp6_t			*icmp_nd = (icmp6_t *)&ip6h[1];
1578 	int			hdrlen, optlen, opttype, len;
1579 	uint_t			addrlen, maclen;
1580 	uint8_t			type;
1581 	nd_opt_hdr_t		*opt;
1582 	struct nd_opt_lla	*lla = NULL;
1583 
1584 	/*
1585 	 * NDP packets do not have extension headers so the ICMPv6 header
1586 	 * must immediately follow the IPv6 header.
1587 	 */
1588 	if (ip6h->ip6_nxt != IPPROTO_ICMPV6)
1589 		return (B_TRUE);
1590 
1591 	/* ICMPv6 header missing */
1592 	if ((uchar_t *)&icmp_nd[1] > end)
1593 		return (B_FALSE);
1594 
1595 	len = end - (uchar_t *)icmp_nd;
1596 	type = icmp_nd->icmp6_type;
1597 
1598 	switch (type) {
1599 	case ND_ROUTER_SOLICIT:
1600 		hdrlen = sizeof (nd_router_solicit_t);
1601 		break;
1602 	case ND_ROUTER_ADVERT:
1603 		hdrlen = sizeof (nd_router_advert_t);
1604 		break;
1605 	case ND_NEIGHBOR_SOLICIT:
1606 		hdrlen = sizeof (nd_neighbor_solicit_t);
1607 		break;
1608 	case ND_NEIGHBOR_ADVERT:
1609 		hdrlen = sizeof (nd_neighbor_advert_t);
1610 		break;
1611 	case ND_REDIRECT:
1612 		hdrlen = sizeof (nd_redirect_t);
1613 		break;
1614 	default:
1615 		return (B_TRUE);
1616 	}
1617 
1618 	if (len < hdrlen)
1619 		return (B_FALSE);
1620 
1621 	/* SLLA option checking is needed for RS/RA/NS */
1622 	opttype = ND_OPT_SOURCE_LINKADDR;
1623 
1624 	switch (type) {
1625 	case ND_NEIGHBOR_ADVERT: {
1626 		nd_neighbor_advert_t	*na = (nd_neighbor_advert_t *)icmp_nd;
1627 
1628 		if (!ipnospoof_check_v6(mcip, protect, &na->nd_na_target)) {
1629 			DTRACE_PROBE2(ndp__na__fail,
1630 			    mac_client_impl_t *, mcip, ip6_t *, ip6h);
1631 			return (B_FALSE);
1632 		}
1633 
1634 		/* TLLA option for NA */
1635 		opttype = ND_OPT_TARGET_LINKADDR;
1636 		break;
1637 	}
1638 	case ND_REDIRECT: {
1639 		/* option checking not needed for RD */
1640 		return (B_TRUE);
1641 	}
1642 	default:
1643 		break;
1644 	}
1645 
1646 	if (len == hdrlen) {
1647 		/* no options, we're done */
1648 		return (B_TRUE);
1649 	}
1650 	opt = (nd_opt_hdr_t *)((uchar_t *)icmp_nd + hdrlen);
1651 	optlen = len - hdrlen;
1652 
1653 	/* find the option header we need */
1654 	while (optlen > sizeof (nd_opt_hdr_t)) {
1655 		if (opt->nd_opt_type == opttype) {
1656 			lla = (struct nd_opt_lla *)opt;
1657 			break;
1658 		}
1659 		optlen -= 8 * opt->nd_opt_len;
1660 		opt = (nd_opt_hdr_t *)
1661 		    ((uchar_t *)opt + 8 * opt->nd_opt_len);
1662 	}
1663 	if (lla == NULL)
1664 		return (B_TRUE);
1665 
1666 	addrlen = lla->nd_opt_lla_len * 8 - sizeof (nd_opt_hdr_t);
1667 	maclen = mcip->mci_mip->mi_info.mi_addr_length;
1668 
1669 	if (addrlen != maclen ||
1670 	    bcmp(mcip->mci_unicast->ma_addr,
1671 	    lla->nd_opt_lla_hdw_addr, maclen) != 0) {
1672 		DTRACE_PROBE2(ndp__lla__fail,
1673 		    mac_client_impl_t *, mcip, ip6_t *, ip6h);
1674 		return (B_FALSE);
1675 	}
1676 
1677 	DTRACE_PROBE2(ndp__lla__ok, mac_client_impl_t *, mcip, ip6_t *, ip6h);
1678 	return (B_TRUE);
1679 }
1680 
1681 /*
1682  * Enforce ip-nospoof protection.
1683  */
1684 static int
1685 ipnospoof_check(mac_client_impl_t *mcip, mac_protect_t *protect,
1686     mblk_t *mp, mac_header_info_t *mhip)
1687 {
1688 	size_t		hdrsize = mhip->mhi_hdrsize;
1689 	uint32_t	sap = mhip->mhi_bindsap;
1690 	uchar_t		*start, *end;
1691 	mblk_t		*nmp = NULL;
1692 	int		err;
1693 
1694 	err = get_l3_info(mp, hdrsize, &start, &end, &nmp);
1695 	if (err != 0) {
1696 		DTRACE_PROBE2(invalid__l3, mac_client_impl_t *, mcip,
1697 		    mblk_t *, mp);
1698 		return (err);
1699 	}
1700 	err = EINVAL;
1701 
1702 	switch (sap) {
1703 	case ETHERTYPE_IP: {
1704 		ipha_t	*ipha = (ipha_t *)start;
1705 
1706 		if (start + sizeof (ipha_t) > end)
1707 			goto fail;
1708 
1709 		if (!ipnospoof_check_v4(mcip, protect, &ipha->ipha_src))
1710 			goto fail;
1711 
1712 		if (!intercept_dhcpv4_outbound(mcip, ipha, end))
1713 			goto fail;
1714 		break;
1715 	}
1716 	case ETHERTYPE_ARP: {
1717 		arh_t		*arh = (arh_t *)start;
1718 		uint32_t	maclen, hlen, plen, arplen;
1719 		ipaddr_t	spaddr;
1720 		uchar_t		*shaddr;
1721 
1722 		if (start + sizeof (arh_t) > end)
1723 			goto fail;
1724 
1725 		maclen = mcip->mci_mip->mi_info.mi_addr_length;
1726 		hlen = arh->arh_hlen;
1727 		plen = arh->arh_plen;
1728 		if ((hlen != 0 && hlen != maclen) ||
1729 		    plen != sizeof (ipaddr_t))
1730 			goto fail;
1731 
1732 		arplen = sizeof (arh_t) + 2 * hlen + 2 * plen;
1733 		if (start + arplen > end)
1734 			goto fail;
1735 
1736 		shaddr = start + sizeof (arh_t);
1737 		if (hlen != 0 &&
1738 		    bcmp(mcip->mci_unicast->ma_addr, shaddr, maclen) != 0)
1739 			goto fail;
1740 
1741 		bcopy(shaddr + hlen, &spaddr, sizeof (spaddr));
1742 		if (!ipnospoof_check_v4(mcip, protect, &spaddr))
1743 			goto fail;
1744 		break;
1745 	}
1746 	case ETHERTYPE_IPV6: {
1747 		ip6_t		*ip6h = (ip6_t *)start;
1748 
1749 		if (start + sizeof (ip6_t) > end)
1750 			goto fail;
1751 
1752 		if (!ipnospoof_check_v6(mcip, protect, &ip6h->ip6_src))
1753 			goto fail;
1754 
1755 		if (!ipnospoof_check_ndp(mcip, protect, ip6h, end))
1756 			goto fail;
1757 
1758 		if (!intercept_dhcpv6_outbound(mcip, ip6h, end))
1759 			goto fail;
1760 		break;
1761 	}
1762 	}
1763 	freemsg(nmp);
1764 	return (0);
1765 
1766 fail:
1767 	freemsg(nmp);
1768 	return (err);
1769 }
1770 
1771 static boolean_t
1772 dhcpnospoof_check_cid(mac_protect_t *p, uchar_t *cid, uint_t cidlen)
1773 {
1774 	int	i;
1775 
1776 	for (i = 0; i < p->mp_cidcnt; i++) {
1777 		mac_dhcpcid_t	*dcid = &p->mp_cids[i];
1778 
1779 		if (dcid->dc_len == cidlen &&
1780 		    bcmp(dcid->dc_id, cid, cidlen) == 0)
1781 			return (B_TRUE);
1782 	}
1783 	return (B_FALSE);
1784 }
1785 
1786 static boolean_t
1787 dhcpnospoof_check_v4(mac_client_impl_t *mcip, mac_protect_t *p,
1788     ipha_t *ipha, uchar_t *end)
1789 {
1790 	struct dhcp	*dh4;
1791 	uchar_t		*cid;
1792 	uint_t		maclen, cidlen = 0;
1793 	uint8_t		optlen;
1794 	int		err;
1795 
1796 	if ((err = get_dhcpv4_info(ipha, end, &dh4)) != 0)
1797 		return (err == EINVAL);
1798 
1799 	maclen = mcip->mci_mip->mi_info.mi_addr_length;
1800 	if (dh4->hlen == maclen &&
1801 	    bcmp(mcip->mci_unicast->ma_addr, dh4->chaddr, maclen) != 0) {
1802 		return (B_FALSE);
1803 	}
1804 	if (get_dhcpv4_option(dh4, end, CD_CLIENT_ID, &cid, &optlen) == 0)
1805 		cidlen = optlen;
1806 
1807 	if (cidlen == 0)
1808 		return (B_TRUE);
1809 
1810 	if (*cid == ARPHRD_ETHER && cidlen - 1 == maclen &&
1811 	    bcmp(mcip->mci_unicast->ma_addr, cid + 1, maclen) == 0)
1812 		return (B_TRUE);
1813 
1814 	return (dhcpnospoof_check_cid(p, cid, cidlen));
1815 }
1816 
1817 static boolean_t
1818 dhcpnospoof_check_v6(mac_client_impl_t *mcip, mac_protect_t *p,
1819     ip6_t *ip6h, uchar_t *end)
1820 {
1821 	dhcpv6_message_t	*dh6;
1822 	dhcpv6_option_t		*d6o;
1823 	uint8_t			mtype;
1824 	uchar_t			*cid, *lladdr = NULL;
1825 	uint_t			cidlen, maclen, addrlen = 0;
1826 	uint16_t		cidtype;
1827 	int			err;
1828 
1829 	if ((err = get_dhcpv6_info(ip6h, end, &dh6)) != 0)
1830 		return (err == EINVAL);
1831 
1832 	/*
1833 	 * We only check client-generated messages.
1834 	 */
1835 	mtype = dh6->d6m_msg_type;
1836 	if (mtype == DHCPV6_MSG_ADVERTISE || mtype == DHCPV6_MSG_REPLY ||
1837 	    mtype == DHCPV6_MSG_RECONFIGURE)
1838 		return (B_TRUE);
1839 
1840 	d6o = get_dhcpv6_option(&dh6[1], end - (uchar_t *)&dh6[1], NULL,
1841 	    DHCPV6_OPT_CLIENTID, &cidlen);
1842 	if (d6o == NULL || (uchar_t *)d6o + cidlen > end)
1843 		return (B_TRUE);
1844 
1845 	cid = (uchar_t *)&d6o[1];
1846 	cidlen -= sizeof (*d6o);
1847 	if (cidlen < sizeof (cidtype))
1848 		return (B_TRUE);
1849 
1850 	bcopy(cid, &cidtype, sizeof (cidtype));
1851 	cidtype = ntohs(cidtype);
1852 	if (cidtype == DHCPV6_DUID_LLT && cidlen >= sizeof (duid_llt_t)) {
1853 		lladdr = cid + sizeof (duid_llt_t);
1854 		addrlen = cidlen - sizeof (duid_llt_t);
1855 	}
1856 	if (cidtype == DHCPV6_DUID_LL && cidlen >= sizeof (duid_ll_t)) {
1857 		lladdr = cid + sizeof (duid_ll_t);
1858 		addrlen = cidlen - sizeof (duid_ll_t);
1859 	}
1860 	maclen = mcip->mci_mip->mi_info.mi_addr_length;
1861 	if (lladdr != NULL && addrlen == maclen &&
1862 	    bcmp(mcip->mci_unicast->ma_addr, lladdr, maclen) == 0) {
1863 		return (B_TRUE);
1864 	}
1865 	return (dhcpnospoof_check_cid(p, cid, cidlen));
1866 }
1867 
1868 /*
1869  * Enforce dhcp-nospoof protection.
1870  */
1871 static int
1872 dhcpnospoof_check(mac_client_impl_t *mcip, mac_protect_t *protect,
1873     mblk_t *mp, mac_header_info_t *mhip)
1874 {
1875 	size_t		hdrsize = mhip->mhi_hdrsize;
1876 	uint32_t	sap = mhip->mhi_bindsap;
1877 	uchar_t		*start, *end;
1878 	mblk_t		*nmp = NULL;
1879 	int		err;
1880 
1881 	err = get_l3_info(mp, hdrsize, &start, &end, &nmp);
1882 	if (err != 0) {
1883 		DTRACE_PROBE2(invalid__l3, mac_client_impl_t *, mcip,
1884 		    mblk_t *, mp);
1885 		return (err);
1886 	}
1887 	err = EINVAL;
1888 
1889 	switch (sap) {
1890 	case ETHERTYPE_IP: {
1891 		ipha_t	*ipha = (ipha_t *)start;
1892 
1893 		if (start + sizeof (ipha_t) > end)
1894 			goto fail;
1895 
1896 		if (!dhcpnospoof_check_v4(mcip, protect, ipha, end))
1897 			goto fail;
1898 
1899 		break;
1900 	}
1901 	case ETHERTYPE_IPV6: {
1902 		ip6_t		*ip6h = (ip6_t *)start;
1903 
1904 		if (start + sizeof (ip6_t) > end)
1905 			goto fail;
1906 
1907 		if (!dhcpnospoof_check_v6(mcip, protect, ip6h, end))
1908 			goto fail;
1909 
1910 		break;
1911 	}
1912 	}
1913 	freemsg(nmp);
1914 	return (0);
1915 
1916 fail:
1917 	/* increment dhcpnospoof stat here */
1918 	freemsg(nmp);
1919 	return (err);
1920 }
1921 
1922 /*
1923  * This needs to be called whenever the mac client's mac address changes.
1924  */
1925 void
1926 mac_protect_update_v6_local_addr(mac_client_impl_t *mcip)
1927 {
1928 	uint8_t		*p, *macaddr = mcip->mci_unicast->ma_addr;
1929 	uint_t		i, media = mcip->mci_mip->mi_info.mi_media;
1930 	in6_addr_t	token, *v6addr = &mcip->mci_v6_local_addr;
1931 	in6_addr_t	ll_template = {(uint32_t)V6_LINKLOCAL, 0x0, 0x0, 0x0};
1932 
1933 
1934 	bzero(&token, sizeof (token));
1935 	p = (uint8_t *)&token.s6_addr32[2];
1936 
1937 	switch (media) {
1938 	case DL_ETHER:
1939 		bcopy(macaddr, p, 3);
1940 		p[0] ^= 0x2;
1941 		p[3] = 0xff;
1942 		p[4] = 0xfe;
1943 		bcopy(macaddr + 3, p + 5, 3);
1944 		break;
1945 	case DL_IB:
1946 		ASSERT(mcip->mci_mip->mi_info.mi_addr_length == 20);
1947 		bcopy(macaddr + 12, p, 8);
1948 		p[0] |= 2;
1949 		break;
1950 	default:
1951 		/*
1952 		 * We do not need to generate the local address for link types
1953 		 * that do not support link protection. Wifi pretends to be
1954 		 * ethernet so it is covered by the DL_ETHER case (note the
1955 		 * use of mi_media instead of mi_nativemedia).
1956 		 */
1957 		return;
1958 	}
1959 
1960 	for (i = 0; i < 4; i++) {
1961 		v6addr->s6_addr32[i] = token.s6_addr32[i] |
1962 		    ll_template.s6_addr32[i];
1963 	}
1964 	mcip->mci_protect_flags |= MPT_FLAG_V6_LOCAL_ADDR_SET;
1965 }
1966 
1967 /*
1968  * Enforce link protection on one packet.
1969  */
1970 static int
1971 mac_protect_check_one(mac_client_impl_t *mcip, mblk_t *mp)
1972 {
1973 	mac_impl_t		*mip = mcip->mci_mip;
1974 	mac_resource_props_t	*mrp = MCIP_RESOURCE_PROPS(mcip);
1975 	mac_protect_t		*protect;
1976 	mac_header_info_t	mhi;
1977 	uint32_t		types;
1978 	int			err;
1979 
1980 	ASSERT(mp->b_next == NULL);
1981 	ASSERT(mrp != NULL);
1982 
1983 	err = mac_vlan_header_info((mac_handle_t)mip, mp, &mhi);
1984 	if (err != 0) {
1985 		DTRACE_PROBE2(invalid__header, mac_client_impl_t *, mcip,
1986 		    mblk_t *, mp);
1987 		return (err);
1988 	}
1989 	protect = &mrp->mrp_protect;
1990 	types = protect->mp_types;
1991 
1992 	if ((types & MPT_MACNOSPOOF) != 0) {
1993 		if (mhi.mhi_saddr != NULL &&
1994 		    bcmp(mcip->mci_unicast->ma_addr, mhi.mhi_saddr,
1995 		    mip->mi_info.mi_addr_length) != 0) {
1996 			BUMP_STAT(mcip, macspoofed);
1997 			DTRACE_PROBE2(mac__nospoof__fail,
1998 			    mac_client_impl_t *, mcip, mblk_t *, mp);
1999 			return (EINVAL);
2000 		}
2001 	}
2002 	if ((types & MPT_RESTRICTED) != 0) {
2003 		uint32_t	vid = VLAN_ID(mhi.mhi_tci);
2004 		uint32_t	sap = mhi.mhi_bindsap;
2005 
2006 		/*
2007 		 * ETHERTYPE_VLAN packets are allowed through, provided that
2008 		 * the vid is not spoofed.
2009 		 */
2010 		if (vid != 0 && !mac_client_check_flow_vid(mcip, vid)) {
2011 			BUMP_STAT(mcip, restricted);
2012 			DTRACE_PROBE2(restricted__vid__invalid,
2013 			    mac_client_impl_t *, mcip, mblk_t *, mp);
2014 			return (EINVAL);
2015 		}
2016 
2017 		if (sap != ETHERTYPE_IP && sap != ETHERTYPE_IPV6 &&
2018 		    sap != ETHERTYPE_ARP) {
2019 			BUMP_STAT(mcip, restricted);
2020 			DTRACE_PROBE2(restricted__fail,
2021 			    mac_client_impl_t *, mcip, mblk_t *, mp);
2022 			return (EINVAL);
2023 		}
2024 	}
2025 	if ((types & MPT_IPNOSPOOF) != 0) {
2026 		if ((err = ipnospoof_check(mcip, protect, mp, &mhi)) != 0) {
2027 			BUMP_STAT(mcip, ipspoofed);
2028 			DTRACE_PROBE2(ip__nospoof__fail,
2029 			    mac_client_impl_t *, mcip, mblk_t *, mp);
2030 			return (err);
2031 		}
2032 	}
2033 	if ((types & MPT_DHCPNOSPOOF) != 0) {
2034 		if ((err = dhcpnospoof_check(mcip, protect, mp, &mhi)) != 0) {
2035 			BUMP_STAT(mcip, dhcpspoofed);
2036 			DTRACE_PROBE2(dhcp__nospoof__fail,
2037 			    mac_client_impl_t *, mcip, mblk_t *, mp);
2038 			return (err);
2039 		}
2040 	}
2041 	return (0);
2042 }
2043 
2044 /*
2045  * Enforce link protection on a packet chain.
2046  * Packets that pass the checks are returned back to the caller.
2047  */
2048 mblk_t *
2049 mac_protect_check(mac_client_handle_t mch, mblk_t *mp)
2050 {
2051 	mac_client_impl_t	*mcip = (mac_client_impl_t *)mch;
2052 	mblk_t			*ret_mp = NULL, **tailp = &ret_mp, *next;
2053 
2054 	/*
2055 	 * Skip checks if we are part of an aggr.
2056 	 */
2057 	if ((mcip->mci_state_flags & MCIS_IS_AGGR_PORT) != 0)
2058 		return (mp);
2059 
2060 	for (; mp != NULL; mp = next) {
2061 		next = mp->b_next;
2062 		mp->b_next = NULL;
2063 
2064 		if (mac_protect_check_one(mcip, mp) == 0) {
2065 			*tailp = mp;
2066 			tailp = &mp->b_next;
2067 		} else {
2068 			freemsg(mp);
2069 		}
2070 	}
2071 	return (ret_mp);
2072 }
2073 
2074 /*
2075  * Check if a particular protection type is enabled.
2076  */
2077 boolean_t
2078 mac_protect_enabled(mac_client_handle_t mch, uint32_t type)
2079 {
2080 	return (MAC_PROTECT_ENABLED((mac_client_impl_t *)mch, type));
2081 }
2082 
2083 static int
2084 validate_ips(mac_protect_t *p)
2085 {
2086 	uint_t		i, j;
2087 
2088 	if (p->mp_ipaddrcnt == MPT_RESET)
2089 		return (0);
2090 
2091 	if (p->mp_ipaddrcnt > MPT_MAXIPADDR)
2092 		return (EINVAL);
2093 
2094 	for (i = 0; i < p->mp_ipaddrcnt; i++) {
2095 		mac_ipaddr_t	*addr = &p->mp_ipaddrs[i];
2096 
2097 		/*
2098 		 * The unspecified address is implicitly allowed
2099 		 * so there's no need to add it to the list.
2100 		 */
2101 		if (addr->ip_version == IPV4_VERSION) {
2102 			if (V4_PART_OF_V6(addr->ip_addr) == INADDR_ANY)
2103 				return (EINVAL);
2104 		} else if (addr->ip_version == IPV6_VERSION) {
2105 			if (IN6_IS_ADDR_UNSPECIFIED(&addr->ip_addr))
2106 				return (EINVAL);
2107 		} else {
2108 			/* invalid ip version */
2109 			return (EINVAL);
2110 		}
2111 
2112 		for (j = 0; j < p->mp_ipaddrcnt; j++) {
2113 			mac_ipaddr_t	*addr1 = &p->mp_ipaddrs[j];
2114 
2115 			if (i == j || addr->ip_version != addr1->ip_version)
2116 				continue;
2117 
2118 			/* found a duplicate */
2119 			if ((addr->ip_version == IPV4_VERSION &&
2120 			    V4_PART_OF_V6(addr->ip_addr) ==
2121 			    V4_PART_OF_V6(addr1->ip_addr)) ||
2122 			    IN6_ARE_ADDR_EQUAL(&addr->ip_addr,
2123 			    &addr1->ip_addr))
2124 				return (EINVAL);
2125 		}
2126 	}
2127 	return (0);
2128 }
2129 
2130 /* ARGSUSED */
2131 static int
2132 validate_cids(mac_protect_t *p)
2133 {
2134 	uint_t		i, j;
2135 
2136 	if (p->mp_cidcnt == MPT_RESET)
2137 		return (0);
2138 
2139 	if (p->mp_cidcnt > MPT_MAXCID)
2140 		return (EINVAL);
2141 
2142 	for (i = 0; i < p->mp_cidcnt; i++) {
2143 		mac_dhcpcid_t	*cid = &p->mp_cids[i];
2144 
2145 		if (cid->dc_len > MPT_MAXCIDLEN ||
2146 		    (cid->dc_form != CIDFORM_TYPED &&
2147 		    cid->dc_form != CIDFORM_HEX &&
2148 		    cid->dc_form != CIDFORM_STR))
2149 			return (EINVAL);
2150 
2151 		for (j = 0; j < p->mp_cidcnt; j++) {
2152 			mac_dhcpcid_t	*cid1 = &p->mp_cids[j];
2153 
2154 			if (i == j || cid->dc_len != cid1->dc_len)
2155 				continue;
2156 
2157 			/* found a duplicate */
2158 			if (bcmp(cid->dc_id, cid1->dc_id, cid->dc_len) == 0)
2159 				return (EINVAL);
2160 		}
2161 	}
2162 	return (0);
2163 }
2164 
2165 /*
2166  * Sanity-checks parameters given by userland.
2167  */
2168 int
2169 mac_protect_validate(mac_resource_props_t *mrp)
2170 {
2171 	mac_protect_t	*p = &mrp->mrp_protect;
2172 	int		err;
2173 
2174 	/* check for invalid types */
2175 	if (p->mp_types != MPT_RESET && (p->mp_types & ~MPT_ALL) != 0)
2176 		return (EINVAL);
2177 
2178 	if ((err = validate_ips(p)) != 0)
2179 		return (err);
2180 
2181 	if ((err = validate_cids(p)) != 0)
2182 		return (err);
2183 
2184 	return (0);
2185 }
2186 
2187 /*
2188  * Enable/disable link protection.
2189  */
2190 int
2191 mac_protect_set(mac_client_handle_t mch, mac_resource_props_t *mrp)
2192 {
2193 	mac_client_impl_t	*mcip = (mac_client_impl_t *)mch;
2194 	mac_impl_t		*mip = mcip->mci_mip;
2195 	uint_t			media = mip->mi_info.mi_nativemedia;
2196 	int			err;
2197 
2198 	ASSERT(MAC_PERIM_HELD((mac_handle_t)mip));
2199 
2200 	/* tunnels are not supported */
2201 	if (media == DL_IPV4 || media == DL_IPV6 || media == DL_6TO4)
2202 		return (ENOTSUP);
2203 
2204 	if ((err = mac_protect_validate(mrp)) != 0)
2205 		return (err);
2206 
2207 	if (err != 0)
2208 		return (err);
2209 
2210 	mac_update_resources(mrp, MCIP_RESOURCE_PROPS(mcip), B_FALSE);
2211 	i_mac_notify(((mcip->mci_state_flags & MCIS_IS_VNIC) != 0 ?
2212 	    mcip->mci_upper_mip : mip), MAC_NOTE_ALLOWED_IPS);
2213 	return (0);
2214 }
2215 
2216 void
2217 mac_protect_update(mac_resource_props_t *new, mac_resource_props_t *curr)
2218 {
2219 	mac_protect_t	*np = &new->mrp_protect;
2220 	mac_protect_t	*cp = &curr->mrp_protect;
2221 	uint32_t	types = np->mp_types;
2222 
2223 	if (types == MPT_RESET) {
2224 		cp->mp_types = 0;
2225 		curr->mrp_mask &= ~MRP_PROTECT;
2226 	} else {
2227 		if (types != 0) {
2228 			cp->mp_types = types;
2229 			curr->mrp_mask |= MRP_PROTECT;
2230 		}
2231 	}
2232 	if (np->mp_ipaddrcnt != 0) {
2233 		if (np->mp_ipaddrcnt <= MPT_MAXIPADDR) {
2234 			bcopy(np->mp_ipaddrs, cp->mp_ipaddrs,
2235 			    sizeof (cp->mp_ipaddrs));
2236 			cp->mp_ipaddrcnt = np->mp_ipaddrcnt;
2237 		} else if (np->mp_ipaddrcnt == MPT_RESET) {
2238 			bzero(cp->mp_ipaddrs, sizeof (cp->mp_ipaddrs));
2239 			cp->mp_ipaddrcnt = 0;
2240 		}
2241 	}
2242 	if (np->mp_cidcnt != 0) {
2243 		if (np->mp_cidcnt <= MPT_MAXCID) {
2244 			bcopy(np->mp_cids, cp->mp_cids, sizeof (cp->mp_cids));
2245 			cp->mp_cidcnt = np->mp_cidcnt;
2246 		} else if (np->mp_cidcnt == MPT_RESET) {
2247 			bzero(cp->mp_cids, sizeof (cp->mp_cids));
2248 			cp->mp_cidcnt = 0;
2249 		}
2250 	}
2251 }
2252 
2253 void
2254 mac_protect_init(mac_client_impl_t *mcip)
2255 {
2256 	mutex_init(&mcip->mci_protect_lock, NULL, MUTEX_DRIVER, NULL);
2257 	mcip->mci_protect_flags = 0;
2258 	mcip->mci_txn_cleanup_tid = 0;
2259 	avl_create(&mcip->mci_v4_pending_txn, compare_dhcpv4_xid,
2260 	    sizeof (dhcpv4_txn_t), offsetof(dhcpv4_txn_t, dt_node));
2261 	avl_create(&mcip->mci_v4_completed_txn, compare_dhcpv4_cid,
2262 	    sizeof (dhcpv4_txn_t), offsetof(dhcpv4_txn_t, dt_node));
2263 	avl_create(&mcip->mci_v4_dyn_ip, compare_dhcpv4_ip,
2264 	    sizeof (dhcpv4_txn_t), offsetof(dhcpv4_txn_t, dt_ipnode));
2265 	avl_create(&mcip->mci_v6_pending_txn, compare_dhcpv6_xid,
2266 	    sizeof (dhcpv6_txn_t), offsetof(dhcpv6_txn_t, dt_node));
2267 	avl_create(&mcip->mci_v6_cid, compare_dhcpv6_cid,
2268 	    sizeof (dhcpv6_cid_t), offsetof(dhcpv6_cid_t, dc_node));
2269 	avl_create(&mcip->mci_v6_dyn_ip, compare_dhcpv6_ip,
2270 	    sizeof (dhcpv6_addr_t), offsetof(dhcpv6_addr_t, da_node));
2271 }
2272 
2273 void
2274 mac_protect_fini(mac_client_impl_t *mcip)
2275 {
2276 	avl_destroy(&mcip->mci_v6_dyn_ip);
2277 	avl_destroy(&mcip->mci_v6_cid);
2278 	avl_destroy(&mcip->mci_v6_pending_txn);
2279 	avl_destroy(&mcip->mci_v4_dyn_ip);
2280 	avl_destroy(&mcip->mci_v4_completed_txn);
2281 	avl_destroy(&mcip->mci_v4_pending_txn);
2282 	mcip->mci_txn_cleanup_tid = 0;
2283 	mcip->mci_protect_flags = 0;
2284 	mutex_destroy(&mcip->mci_protect_lock);
2285 }
2286 
2287 static boolean_t
2288 allowed_ips_set(mac_resource_props_t *mrp, uint32_t af)
2289 {
2290 	int i;
2291 
2292 	for (i = 0; i < mrp->mrp_protect.mp_ipaddrcnt; i++) {
2293 		if (mrp->mrp_protect.mp_ipaddrs[i].ip_version == af)
2294 			return (B_TRUE);
2295 	}
2296 	return (B_FALSE);
2297 }
2298 
2299 mac_protect_t *
2300 mac_protect_get(mac_handle_t mh)
2301 {
2302 	mac_impl_t *mip = (mac_impl_t *)mh;
2303 
2304 	return (&mip->mi_resource_props.mrp_protect);
2305 }
2306