xref: /titanic_41/usr/src/uts/common/inet/ip/ip_if.c (revision 5df82708d5dd3f4214863e7d3ce5a0ba6d0da2bf)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 1991, 2010, Oracle and/or its affiliates. All rights reserved.
23  * Copyright (c) 1990 Mentat Inc.
24  */
25 
26 /*
27  * This file contains the interface control functions for IP.
28  */
29 
30 #include <sys/types.h>
31 #include <sys/stream.h>
32 #include <sys/dlpi.h>
33 #include <sys/stropts.h>
34 #include <sys/strsun.h>
35 #include <sys/sysmacros.h>
36 #include <sys/strsubr.h>
37 #include <sys/strlog.h>
38 #include <sys/ddi.h>
39 #include <sys/sunddi.h>
40 #include <sys/cmn_err.h>
41 #include <sys/kstat.h>
42 #include <sys/debug.h>
43 #include <sys/zone.h>
44 #include <sys/sunldi.h>
45 #include <sys/file.h>
46 #include <sys/bitmap.h>
47 #include <sys/cpuvar.h>
48 #include <sys/time.h>
49 #include <sys/ctype.h>
50 #include <sys/kmem.h>
51 #include <sys/systm.h>
52 #include <sys/param.h>
53 #include <sys/socket.h>
54 #include <sys/isa_defs.h>
55 #include <net/if.h>
56 #include <net/if_arp.h>
57 #include <net/if_types.h>
58 #include <net/if_dl.h>
59 #include <net/route.h>
60 #include <sys/sockio.h>
61 #include <netinet/in.h>
62 #include <netinet/ip6.h>
63 #include <netinet/icmp6.h>
64 #include <netinet/igmp_var.h>
65 #include <sys/policy.h>
66 #include <sys/ethernet.h>
67 #include <sys/callb.h>
68 #include <sys/md5.h>
69 
70 #include <inet/common.h>   /* for various inet/mi.h and inet/nd.h needs */
71 #include <inet/mi.h>
72 #include <inet/nd.h>
73 #include <inet/tunables.h>
74 #include <inet/arp.h>
75 #include <inet/ip_arp.h>
76 #include <inet/mib2.h>
77 #include <inet/ip.h>
78 #include <inet/ip6.h>
79 #include <inet/ip6_asp.h>
80 #include <inet/tcp.h>
81 #include <inet/ip_multi.h>
82 #include <inet/ip_ire.h>
83 #include <inet/ip_ftable.h>
84 #include <inet/ip_rts.h>
85 #include <inet/ip_ndp.h>
86 #include <inet/ip_if.h>
87 #include <inet/ip_impl.h>
88 #include <inet/sctp_ip.h>
89 #include <inet/ip_netinfo.h>
90 #include <inet/ilb_ip.h>
91 
92 #include <netinet/igmp.h>
93 #include <inet/ip_listutils.h>
94 #include <inet/ipclassifier.h>
95 #include <sys/mac_client.h>
96 #include <sys/dld.h>
97 #include <sys/mac_flow.h>
98 
99 #include <sys/systeminfo.h>
100 #include <sys/bootconf.h>
101 
102 #include <sys/tsol/tndb.h>
103 #include <sys/tsol/tnet.h>
104 
105 #include <inet/rawip_impl.h> /* needed for icmp_stack_t */
106 #include <inet/udp_impl.h> /* needed for udp_stack_t */
107 
108 /* The character which tells where the ill_name ends */
109 #define	IPIF_SEPARATOR_CHAR	':'
110 
111 /* IP ioctl function table entry */
112 typedef struct ipft_s {
113 	int	ipft_cmd;
114 	pfi_t	ipft_pfi;
115 	int	ipft_min_size;
116 	int	ipft_flags;
117 } ipft_t;
118 #define	IPFT_F_NO_REPLY		0x1	/* IP ioctl does not expect any reply */
119 #define	IPFT_F_SELF_REPLY	0x2	/* ioctl callee does the ioctl reply */
120 
121 static int	nd_ill_forward_get(queue_t *, mblk_t *, caddr_t, cred_t *);
122 static int	nd_ill_forward_set(queue_t *q, mblk_t *mp,
123 		    char *value, caddr_t cp, cred_t *ioc_cr);
124 
125 static boolean_t ill_is_quiescent(ill_t *);
126 static boolean_t ip_addr_ok_v4(ipaddr_t addr, ipaddr_t subnet_mask);
127 static ip_m_t	*ip_m_lookup(t_uscalar_t mac_type);
128 static int	ip_sioctl_addr_tail(ipif_t *ipif, sin_t *sin, queue_t *q,
129     mblk_t *mp, boolean_t need_up);
130 static int	ip_sioctl_dstaddr_tail(ipif_t *ipif, sin_t *sin, queue_t *q,
131     mblk_t *mp, boolean_t need_up);
132 static int	ip_sioctl_slifzone_tail(ipif_t *ipif, zoneid_t zoneid,
133     queue_t *q, mblk_t *mp, boolean_t need_up);
134 static int	ip_sioctl_flags_tail(ipif_t *ipif, uint64_t flags, queue_t *q,
135     mblk_t *mp);
136 static int	ip_sioctl_netmask_tail(ipif_t *ipif, sin_t *sin, queue_t *q,
137     mblk_t *mp);
138 static int	ip_sioctl_subnet_tail(ipif_t *ipif, in6_addr_t, in6_addr_t,
139     queue_t *q, mblk_t *mp, boolean_t need_up);
140 static int	ip_sioctl_plink_ipmod(ipsq_t *ipsq, queue_t *q, mblk_t *mp,
141     int ioccmd, struct linkblk *li);
142 static ipaddr_t	ip_subnet_mask(ipaddr_t addr, ipif_t **, ip_stack_t *);
143 static void	ip_wput_ioctl(queue_t *q, mblk_t *mp);
144 static void	ipsq_flush(ill_t *ill);
145 
146 static	int	ip_sioctl_token_tail(ipif_t *ipif, sin6_t *sin6, int addrlen,
147     queue_t *q, mblk_t *mp, boolean_t need_up);
148 static void	ipsq_delete(ipsq_t *);
149 
150 static ipif_t	*ipif_allocate(ill_t *ill, int id, uint_t ire_type,
151     boolean_t initialize, boolean_t insert, int *errorp);
152 static ire_t	**ipif_create_bcast_ires(ipif_t *ipif, ire_t **irep);
153 static void	ipif_delete_bcast_ires(ipif_t *ipif);
154 static int	ipif_add_ires_v4(ipif_t *, boolean_t);
155 static boolean_t ipif_comp_multi(ipif_t *old_ipif, ipif_t *new_ipif,
156 		    boolean_t isv6);
157 static int	ipif_logical_down(ipif_t *ipif, queue_t *q, mblk_t *mp);
158 static void	ipif_free(ipif_t *ipif);
159 static void	ipif_free_tail(ipif_t *ipif);
160 static void	ipif_set_default(ipif_t *ipif);
161 static int	ipif_set_values(queue_t *q, mblk_t *mp,
162     char *interf_name, uint_t *ppa);
163 static int	ipif_set_values_tail(ill_t *ill, ipif_t *ipif, mblk_t *mp,
164     queue_t *q);
165 static ipif_t	*ipif_lookup_on_name(char *name, size_t namelen,
166     boolean_t do_alloc, boolean_t *exists, boolean_t isv6, zoneid_t zoneid,
167     ip_stack_t *);
168 static ipif_t	*ipif_lookup_on_name_async(char *name, size_t namelen,
169     boolean_t isv6, zoneid_t zoneid, queue_t *q, mblk_t *mp, ipsq_func_t func,
170     int *error, ip_stack_t *);
171 
172 static int	ill_alloc_ppa(ill_if_t *, ill_t *);
173 static void	ill_delete_interface_type(ill_if_t *);
174 static int	ill_dl_up(ill_t *ill, ipif_t *ipif, mblk_t *mp, queue_t *q);
175 static void	ill_dl_down(ill_t *ill);
176 static void	ill_down(ill_t *ill);
177 static void	ill_down_ipifs(ill_t *, boolean_t);
178 static void	ill_free_mib(ill_t *ill);
179 static void	ill_glist_delete(ill_t *);
180 static void	ill_phyint_reinit(ill_t *ill);
181 static void	ill_set_nce_router_flags(ill_t *, boolean_t);
182 static void	ill_set_phys_addr_tail(ipsq_t *, queue_t *, mblk_t *, void *);
183 static void	ill_replumb_tail(ipsq_t *, queue_t *, mblk_t *, void *);
184 
185 static ip_v6intfid_func_t ip_ether_v6intfid, ip_ib_v6intfid;
186 static ip_v6intfid_func_t ip_ipv4_v6intfid, ip_ipv6_v6intfid;
187 static ip_v6intfid_func_t ip_ipmp_v6intfid, ip_nodef_v6intfid;
188 static ip_v6intfid_func_t ip_ipv4_v6destintfid, ip_ipv6_v6destintfid;
189 static ip_v4mapinfo_func_t ip_ether_v4_mapping;
190 static ip_v6mapinfo_func_t ip_ether_v6_mapping;
191 static ip_v4mapinfo_func_t ip_ib_v4_mapping;
192 static ip_v6mapinfo_func_t ip_ib_v6_mapping;
193 static ip_v4mapinfo_func_t ip_mbcast_mapping;
194 static void 	ip_cgtp_bcast_add(ire_t *, ip_stack_t *);
195 static void 	ip_cgtp_bcast_delete(ire_t *, ip_stack_t *);
196 static void	phyint_free(phyint_t *);
197 
198 static void ill_capability_dispatch(ill_t *, mblk_t *, dl_capability_sub_t *);
199 static void ill_capability_id_ack(ill_t *, mblk_t *, dl_capability_sub_t *);
200 static void ill_capability_vrrp_ack(ill_t *, mblk_t *, dl_capability_sub_t *);
201 static void ill_capability_hcksum_ack(ill_t *, mblk_t *, dl_capability_sub_t *);
202 static void ill_capability_hcksum_reset_fill(ill_t *, mblk_t *);
203 static void ill_capability_zerocopy_ack(ill_t *, mblk_t *,
204     dl_capability_sub_t *);
205 static void ill_capability_zerocopy_reset_fill(ill_t *, mblk_t *);
206 static void	ill_capability_dld_reset_fill(ill_t *, mblk_t *);
207 static void	ill_capability_dld_ack(ill_t *, mblk_t *,
208 		    dl_capability_sub_t *);
209 static void	ill_capability_dld_enable(ill_t *);
210 static void	ill_capability_ack_thr(void *);
211 static void	ill_capability_lso_enable(ill_t *);
212 
213 static ill_t	*ill_prev_usesrc(ill_t *);
214 static int	ill_relink_usesrc_ills(ill_t *, ill_t *, uint_t);
215 static void	ill_disband_usesrc_group(ill_t *);
216 static void	ip_sioctl_garp_reply(mblk_t *, ill_t *, void *, int);
217 
218 #ifdef DEBUG
219 static	void	ill_trace_cleanup(const ill_t *);
220 static	void	ipif_trace_cleanup(const ipif_t *);
221 #endif
222 
223 static	void	ill_dlpi_clear_deferred(ill_t *ill);
224 
225 /*
226  * if we go over the memory footprint limit more than once in this msec
227  * interval, we'll start pruning aggressively.
228  */
229 int ip_min_frag_prune_time = 0;
230 
231 static ipft_t	ip_ioctl_ftbl[] = {
232 	{ IP_IOC_IRE_DELETE, ip_ire_delete, sizeof (ipid_t), 0 },
233 	{ IP_IOC_IRE_DELETE_NO_REPLY, ip_ire_delete, sizeof (ipid_t),
234 		IPFT_F_NO_REPLY },
235 	{ IP_IOC_RTS_REQUEST, ip_rts_request, 0, IPFT_F_SELF_REPLY },
236 	{ 0 }
237 };
238 
239 /* Simple ICMP IP Header Template */
240 static ipha_t icmp_ipha = {
241 	IP_SIMPLE_HDR_VERSION, 0, 0, 0, 0, 0, IPPROTO_ICMP
242 };
243 
244 static uchar_t	ip_six_byte_all_ones[] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
245 
246 static ip_m_t   ip_m_tbl[] = {
247 	{ DL_ETHER, IFT_ETHER, ETHERTYPE_IP, ETHERTYPE_IPV6,
248 	    ip_ether_v4_mapping, ip_ether_v6_mapping, ip_ether_v6intfid,
249 	    ip_nodef_v6intfid },
250 	{ DL_CSMACD, IFT_ISO88023, ETHERTYPE_IP, ETHERTYPE_IPV6,
251 	    ip_ether_v4_mapping, ip_ether_v6_mapping, ip_nodef_v6intfid,
252 	    ip_nodef_v6intfid },
253 	{ DL_TPB, IFT_ISO88024, ETHERTYPE_IP, ETHERTYPE_IPV6,
254 	    ip_ether_v4_mapping, ip_ether_v6_mapping, ip_nodef_v6intfid,
255 	    ip_nodef_v6intfid },
256 	{ DL_TPR, IFT_ISO88025, ETHERTYPE_IP, ETHERTYPE_IPV6,
257 	    ip_ether_v4_mapping, ip_ether_v6_mapping, ip_nodef_v6intfid,
258 	    ip_nodef_v6intfid },
259 	{ DL_FDDI, IFT_FDDI, ETHERTYPE_IP, ETHERTYPE_IPV6,
260 	    ip_ether_v4_mapping, ip_ether_v6_mapping, ip_ether_v6intfid,
261 	    ip_nodef_v6intfid },
262 	{ DL_IB, IFT_IB, ETHERTYPE_IP, ETHERTYPE_IPV6,
263 	    ip_ib_v4_mapping, ip_ib_v6_mapping, ip_ib_v6intfid,
264 	    ip_nodef_v6intfid },
265 	{ DL_IPV4, IFT_IPV4, IPPROTO_ENCAP, IPPROTO_IPV6,
266 	    ip_mbcast_mapping, ip_mbcast_mapping, ip_ipv4_v6intfid,
267 	    ip_ipv4_v6destintfid },
268 	{ DL_IPV6, IFT_IPV6, IPPROTO_ENCAP, IPPROTO_IPV6,
269 	    ip_mbcast_mapping, ip_mbcast_mapping, ip_ipv6_v6intfid,
270 	    ip_ipv6_v6destintfid },
271 	{ DL_6TO4, IFT_6TO4, IPPROTO_ENCAP, IPPROTO_IPV6,
272 	    ip_mbcast_mapping, ip_mbcast_mapping, ip_ipv4_v6intfid,
273 	    ip_nodef_v6intfid },
274 	{ SUNW_DL_VNI, IFT_OTHER, ETHERTYPE_IP, ETHERTYPE_IPV6,
275 	    NULL, NULL, ip_nodef_v6intfid, ip_nodef_v6intfid },
276 	{ SUNW_DL_IPMP, IFT_OTHER, ETHERTYPE_IP, ETHERTYPE_IPV6,
277 	    NULL, NULL, ip_ipmp_v6intfid, ip_nodef_v6intfid },
278 	{ DL_OTHER, IFT_OTHER, ETHERTYPE_IP, ETHERTYPE_IPV6,
279 	    ip_ether_v4_mapping, ip_ether_v6_mapping, ip_nodef_v6intfid,
280 	    ip_nodef_v6intfid }
281 };
282 
283 static ill_t	ill_null;		/* Empty ILL for init. */
284 char	ipif_loopback_name[] = "lo0";
285 
286 /* These are used by all IP network modules. */
287 sin6_t	sin6_null;	/* Zero address for quick clears */
288 sin_t	sin_null;	/* Zero address for quick clears */
289 
290 /* When set search for unused ipif_seqid */
291 static ipif_t	ipif_zero;
292 
293 /*
294  * ppa arena is created after these many
295  * interfaces have been plumbed.
296  */
297 uint_t	ill_no_arena = 12;	/* Setable in /etc/system */
298 
299 /*
300  * Allocate per-interface mibs.
301  * Returns true if ok. False otherwise.
302  *  ipsq  may not yet be allocated (loopback case ).
303  */
304 static boolean_t
305 ill_allocate_mibs(ill_t *ill)
306 {
307 	/* Already allocated? */
308 	if (ill->ill_ip_mib != NULL) {
309 		if (ill->ill_isv6)
310 			ASSERT(ill->ill_icmp6_mib != NULL);
311 		return (B_TRUE);
312 	}
313 
314 	ill->ill_ip_mib = kmem_zalloc(sizeof (*ill->ill_ip_mib),
315 	    KM_NOSLEEP);
316 	if (ill->ill_ip_mib == NULL) {
317 		return (B_FALSE);
318 	}
319 
320 	/* Setup static information */
321 	SET_MIB(ill->ill_ip_mib->ipIfStatsEntrySize,
322 	    sizeof (mib2_ipIfStatsEntry_t));
323 	if (ill->ill_isv6) {
324 		ill->ill_ip_mib->ipIfStatsIPVersion = MIB2_INETADDRESSTYPE_ipv6;
325 		SET_MIB(ill->ill_ip_mib->ipIfStatsAddrEntrySize,
326 		    sizeof (mib2_ipv6AddrEntry_t));
327 		SET_MIB(ill->ill_ip_mib->ipIfStatsRouteEntrySize,
328 		    sizeof (mib2_ipv6RouteEntry_t));
329 		SET_MIB(ill->ill_ip_mib->ipIfStatsNetToMediaEntrySize,
330 		    sizeof (mib2_ipv6NetToMediaEntry_t));
331 		SET_MIB(ill->ill_ip_mib->ipIfStatsMemberEntrySize,
332 		    sizeof (ipv6_member_t));
333 		SET_MIB(ill->ill_ip_mib->ipIfStatsGroupSourceEntrySize,
334 		    sizeof (ipv6_grpsrc_t));
335 	} else {
336 		ill->ill_ip_mib->ipIfStatsIPVersion = MIB2_INETADDRESSTYPE_ipv4;
337 		SET_MIB(ill->ill_ip_mib->ipIfStatsAddrEntrySize,
338 		    sizeof (mib2_ipAddrEntry_t));
339 		SET_MIB(ill->ill_ip_mib->ipIfStatsRouteEntrySize,
340 		    sizeof (mib2_ipRouteEntry_t));
341 		SET_MIB(ill->ill_ip_mib->ipIfStatsNetToMediaEntrySize,
342 		    sizeof (mib2_ipNetToMediaEntry_t));
343 		SET_MIB(ill->ill_ip_mib->ipIfStatsMemberEntrySize,
344 		    sizeof (ip_member_t));
345 		SET_MIB(ill->ill_ip_mib->ipIfStatsGroupSourceEntrySize,
346 		    sizeof (ip_grpsrc_t));
347 
348 		/*
349 		 * For a v4 ill, we are done at this point, because per ill
350 		 * icmp mibs are only used for v6.
351 		 */
352 		return (B_TRUE);
353 	}
354 
355 	ill->ill_icmp6_mib = kmem_zalloc(sizeof (*ill->ill_icmp6_mib),
356 	    KM_NOSLEEP);
357 	if (ill->ill_icmp6_mib == NULL) {
358 		kmem_free(ill->ill_ip_mib, sizeof (*ill->ill_ip_mib));
359 		ill->ill_ip_mib = NULL;
360 		return (B_FALSE);
361 	}
362 	/* static icmp info */
363 	ill->ill_icmp6_mib->ipv6IfIcmpEntrySize =
364 	    sizeof (mib2_ipv6IfIcmpEntry_t);
365 	/*
366 	 * The ipIfStatsIfindex and ipv6IfIcmpIndex will be assigned later
367 	 * after the phyint merge occurs in ipif_set_values -> ill_glist_insert
368 	 * -> ill_phyint_reinit
369 	 */
370 	return (B_TRUE);
371 }
372 
373 /*
374  * Completely vaporize a lower level tap and all associated interfaces.
375  * ill_delete is called only out of ip_close when the device control
376  * stream is being closed.
377  */
378 void
379 ill_delete(ill_t *ill)
380 {
381 	ipif_t	*ipif;
382 	ill_t	*prev_ill;
383 	ip_stack_t	*ipst = ill->ill_ipst;
384 
385 	/*
386 	 * ill_delete may be forcibly entering the ipsq. The previous
387 	 * ioctl may not have completed and may need to be aborted.
388 	 * ipsq_flush takes care of it. If we don't need to enter the
389 	 * the ipsq forcibly, the 2nd invocation of ipsq_flush in
390 	 * ill_delete_tail is sufficient.
391 	 */
392 	ipsq_flush(ill);
393 
394 	/*
395 	 * Nuke all interfaces.  ipif_free will take down the interface,
396 	 * remove it from the list, and free the data structure.
397 	 * Walk down the ipif list and remove the logical interfaces
398 	 * first before removing the main ipif. We can't unplumb
399 	 * zeroth interface first in the case of IPv6 as update_conn_ill
400 	 * -> ip_ll_multireq de-references ill_ipif for checking
401 	 * POINTOPOINT.
402 	 *
403 	 * If ill_ipif was not properly initialized (i.e low on memory),
404 	 * then no interfaces to clean up. In this case just clean up the
405 	 * ill.
406 	 */
407 	for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next)
408 		ipif_free(ipif);
409 
410 	/*
411 	 * clean out all the nce_t entries that depend on this
412 	 * ill for the ill_phys_addr.
413 	 */
414 	nce_flush(ill, B_TRUE);
415 
416 	/* Clean up msgs on pending upcalls for mrouted */
417 	reset_mrt_ill(ill);
418 
419 	update_conn_ill(ill, ipst);
420 
421 	/*
422 	 * Remove multicast references added as a result of calls to
423 	 * ip_join_allmulti().
424 	 */
425 	ip_purge_allmulti(ill);
426 
427 	/*
428 	 * If the ill being deleted is under IPMP, boot it out of the illgrp.
429 	 */
430 	if (IS_UNDER_IPMP(ill))
431 		ipmp_ill_leave_illgrp(ill);
432 
433 	/*
434 	 * ill_down will arrange to blow off any IRE's dependent on this
435 	 * ILL, and shut down fragmentation reassembly.
436 	 */
437 	ill_down(ill);
438 
439 	/* Let SCTP know, so that it can remove this from its list. */
440 	sctp_update_ill(ill, SCTP_ILL_REMOVE);
441 
442 	/*
443 	 * Walk all CONNs that can have a reference on an ire or nce for this
444 	 * ill (we actually walk all that now have stale references).
445 	 */
446 	ipcl_walk(conn_ixa_cleanup, (void *)B_TRUE, ipst);
447 
448 	/* With IPv6 we have dce_ifindex. Cleanup for neatness */
449 	if (ill->ill_isv6)
450 		dce_cleanup(ill->ill_phyint->phyint_ifindex, ipst);
451 
452 	/*
453 	 * If an address on this ILL is being used as a source address then
454 	 * clear out the pointers in other ILLs that point to this ILL.
455 	 */
456 	rw_enter(&ipst->ips_ill_g_usesrc_lock, RW_WRITER);
457 	if (ill->ill_usesrc_grp_next != NULL) {
458 		if (ill->ill_usesrc_ifindex == 0) { /* usesrc ILL ? */
459 			ill_disband_usesrc_group(ill);
460 		} else {	/* consumer of the usesrc ILL */
461 			prev_ill = ill_prev_usesrc(ill);
462 			prev_ill->ill_usesrc_grp_next =
463 			    ill->ill_usesrc_grp_next;
464 		}
465 	}
466 	rw_exit(&ipst->ips_ill_g_usesrc_lock);
467 }
468 
469 static void
470 ipif_non_duplicate(ipif_t *ipif)
471 {
472 	ill_t *ill = ipif->ipif_ill;
473 	mutex_enter(&ill->ill_lock);
474 	if (ipif->ipif_flags & IPIF_DUPLICATE) {
475 		ipif->ipif_flags &= ~IPIF_DUPLICATE;
476 		ASSERT(ill->ill_ipif_dup_count > 0);
477 		ill->ill_ipif_dup_count--;
478 	}
479 	mutex_exit(&ill->ill_lock);
480 }
481 
482 /*
483  * ill_delete_tail is called from ip_modclose after all references
484  * to the closing ill are gone. The wait is done in ip_modclose
485  */
486 void
487 ill_delete_tail(ill_t *ill)
488 {
489 	mblk_t	**mpp;
490 	ipif_t	*ipif;
491 	ip_stack_t *ipst = ill->ill_ipst;
492 
493 	for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
494 		ipif_non_duplicate(ipif);
495 		(void) ipif_down_tail(ipif);
496 	}
497 
498 	ASSERT(ill->ill_ipif_dup_count == 0);
499 
500 	/*
501 	 * If polling capability is enabled (which signifies direct
502 	 * upcall into IP and driver has ill saved as a handle),
503 	 * we need to make sure that unbind has completed before we
504 	 * let the ill disappear and driver no longer has any reference
505 	 * to this ill.
506 	 */
507 	mutex_enter(&ill->ill_lock);
508 	while (ill->ill_state_flags & ILL_DL_UNBIND_IN_PROGRESS)
509 		cv_wait(&ill->ill_cv, &ill->ill_lock);
510 	mutex_exit(&ill->ill_lock);
511 	ASSERT(!(ill->ill_capabilities &
512 	    (ILL_CAPAB_DLD | ILL_CAPAB_DLD_POLL | ILL_CAPAB_DLD_DIRECT)));
513 
514 	if (ill->ill_net_type != IRE_LOOPBACK)
515 		qprocsoff(ill->ill_rq);
516 
517 	/*
518 	 * We do an ipsq_flush once again now. New messages could have
519 	 * landed up from below (M_ERROR or M_HANGUP). Similarly ioctls
520 	 * could also have landed up if an ioctl thread had looked up
521 	 * the ill before we set the ILL_CONDEMNED flag, but not yet
522 	 * enqueued the ioctl when we did the ipsq_flush last time.
523 	 */
524 	ipsq_flush(ill);
525 
526 	/*
527 	 * Free capabilities.
528 	 */
529 	if (ill->ill_hcksum_capab != NULL) {
530 		kmem_free(ill->ill_hcksum_capab, sizeof (ill_hcksum_capab_t));
531 		ill->ill_hcksum_capab = NULL;
532 	}
533 
534 	if (ill->ill_zerocopy_capab != NULL) {
535 		kmem_free(ill->ill_zerocopy_capab,
536 		    sizeof (ill_zerocopy_capab_t));
537 		ill->ill_zerocopy_capab = NULL;
538 	}
539 
540 	if (ill->ill_lso_capab != NULL) {
541 		kmem_free(ill->ill_lso_capab, sizeof (ill_lso_capab_t));
542 		ill->ill_lso_capab = NULL;
543 	}
544 
545 	if (ill->ill_dld_capab != NULL) {
546 		kmem_free(ill->ill_dld_capab, sizeof (ill_dld_capab_t));
547 		ill->ill_dld_capab = NULL;
548 	}
549 
550 	/* Clean up ill_allowed_ips* related state */
551 	if (ill->ill_allowed_ips != NULL) {
552 		ASSERT(ill->ill_allowed_ips_cnt > 0);
553 		kmem_free(ill->ill_allowed_ips,
554 		    ill->ill_allowed_ips_cnt * sizeof (in6_addr_t));
555 		ill->ill_allowed_ips = NULL;
556 		ill->ill_allowed_ips_cnt = 0;
557 	}
558 
559 	while (ill->ill_ipif != NULL)
560 		ipif_free_tail(ill->ill_ipif);
561 
562 	/*
563 	 * We have removed all references to ilm from conn and the ones joined
564 	 * within the kernel.
565 	 *
566 	 * We don't walk conns, mrts and ires because
567 	 *
568 	 * 1) update_conn_ill and reset_mrt_ill cleans up conns and mrts.
569 	 * 2) ill_down ->ill_downi walks all the ires and cleans up
570 	 *    ill references.
571 	 */
572 
573 	/*
574 	 * If this ill is an IPMP meta-interface, blow away the illgrp.  This
575 	 * is safe to do because the illgrp has already been unlinked from the
576 	 * group by I_PUNLINK, and thus SIOCSLIFGROUPNAME cannot find it.
577 	 */
578 	if (IS_IPMP(ill)) {
579 		ipmp_illgrp_destroy(ill->ill_grp);
580 		ill->ill_grp = NULL;
581 	}
582 
583 	if (ill->ill_mphysaddr_list != NULL) {
584 		multiphysaddr_t *mpa, *tmpa;
585 
586 		mpa = ill->ill_mphysaddr_list;
587 		ill->ill_mphysaddr_list = NULL;
588 		while (mpa) {
589 			tmpa = mpa->mpa_next;
590 			kmem_free(mpa, sizeof (*mpa));
591 			mpa = tmpa;
592 		}
593 	}
594 	/*
595 	 * Take us out of the list of ILLs. ill_glist_delete -> phyint_free
596 	 * could free the phyint. No more reference to the phyint after this
597 	 * point.
598 	 */
599 	(void) ill_glist_delete(ill);
600 
601 	if (ill->ill_frag_ptr != NULL) {
602 		uint_t count;
603 
604 		for (count = 0; count < ILL_FRAG_HASH_TBL_COUNT; count++) {
605 			mutex_destroy(&ill->ill_frag_hash_tbl[count].ipfb_lock);
606 		}
607 		mi_free(ill->ill_frag_ptr);
608 		ill->ill_frag_ptr = NULL;
609 		ill->ill_frag_hash_tbl = NULL;
610 	}
611 
612 	freemsg(ill->ill_nd_lla_mp);
613 	/* Free all retained control messages. */
614 	mpp = &ill->ill_first_mp_to_free;
615 	do {
616 		while (mpp[0]) {
617 			mblk_t  *mp;
618 			mblk_t  *mp1;
619 
620 			mp = mpp[0];
621 			mpp[0] = mp->b_next;
622 			for (mp1 = mp; mp1 != NULL; mp1 = mp1->b_cont) {
623 				mp1->b_next = NULL;
624 				mp1->b_prev = NULL;
625 			}
626 			freemsg(mp);
627 		}
628 	} while (mpp++ != &ill->ill_last_mp_to_free);
629 
630 	ill_free_mib(ill);
631 
632 #ifdef DEBUG
633 	ill_trace_cleanup(ill);
634 #endif
635 
636 	/* The default multicast interface might have changed */
637 	ire_increment_multicast_generation(ipst, ill->ill_isv6);
638 
639 	/* Drop refcnt here */
640 	netstack_rele(ill->ill_ipst->ips_netstack);
641 	ill->ill_ipst = NULL;
642 }
643 
644 static void
645 ill_free_mib(ill_t *ill)
646 {
647 	ip_stack_t *ipst = ill->ill_ipst;
648 
649 	/*
650 	 * MIB statistics must not be lost, so when an interface
651 	 * goes away the counter values will be added to the global
652 	 * MIBs.
653 	 */
654 	if (ill->ill_ip_mib != NULL) {
655 		if (ill->ill_isv6) {
656 			ip_mib2_add_ip_stats(&ipst->ips_ip6_mib,
657 			    ill->ill_ip_mib);
658 		} else {
659 			ip_mib2_add_ip_stats(&ipst->ips_ip_mib,
660 			    ill->ill_ip_mib);
661 		}
662 
663 		kmem_free(ill->ill_ip_mib, sizeof (*ill->ill_ip_mib));
664 		ill->ill_ip_mib = NULL;
665 	}
666 	if (ill->ill_icmp6_mib != NULL) {
667 		ip_mib2_add_icmp6_stats(&ipst->ips_icmp6_mib,
668 		    ill->ill_icmp6_mib);
669 		kmem_free(ill->ill_icmp6_mib, sizeof (*ill->ill_icmp6_mib));
670 		ill->ill_icmp6_mib = NULL;
671 	}
672 }
673 
674 /*
675  * Concatenate together a physical address and a sap.
676  *
677  * Sap_lengths are interpreted as follows:
678  *   sap_length == 0	==>	no sap
679  *   sap_length > 0	==>	sap is at the head of the dlpi address
680  *   sap_length < 0	==>	sap is at the tail of the dlpi address
681  */
682 static void
683 ill_dlur_copy_address(uchar_t *phys_src, uint_t phys_length,
684     t_scalar_t sap_src, t_scalar_t sap_length, uchar_t *dst)
685 {
686 	uint16_t sap_addr = (uint16_t)sap_src;
687 
688 	if (sap_length == 0) {
689 		if (phys_src == NULL)
690 			bzero(dst, phys_length);
691 		else
692 			bcopy(phys_src, dst, phys_length);
693 	} else if (sap_length < 0) {
694 		if (phys_src == NULL)
695 			bzero(dst, phys_length);
696 		else
697 			bcopy(phys_src, dst, phys_length);
698 		bcopy(&sap_addr, (char *)dst + phys_length, sizeof (sap_addr));
699 	} else {
700 		bcopy(&sap_addr, dst, sizeof (sap_addr));
701 		if (phys_src == NULL)
702 			bzero((char *)dst + sap_length, phys_length);
703 		else
704 			bcopy(phys_src, (char *)dst + sap_length, phys_length);
705 	}
706 }
707 
708 /*
709  * Generate a dl_unitdata_req mblk for the device and address given.
710  * addr_length is the length of the physical portion of the address.
711  * If addr is NULL include an all zero address of the specified length.
712  * TRUE? In any case, addr_length is taken to be the entire length of the
713  * dlpi address, including the absolute value of sap_length.
714  */
715 mblk_t *
716 ill_dlur_gen(uchar_t *addr, uint_t addr_length, t_uscalar_t sap,
717 		t_scalar_t sap_length)
718 {
719 	dl_unitdata_req_t *dlur;
720 	mblk_t	*mp;
721 	t_scalar_t	abs_sap_length;		/* absolute value */
722 
723 	abs_sap_length = ABS(sap_length);
724 	mp = ip_dlpi_alloc(sizeof (*dlur) + addr_length + abs_sap_length,
725 	    DL_UNITDATA_REQ);
726 	if (mp == NULL)
727 		return (NULL);
728 	dlur = (dl_unitdata_req_t *)mp->b_rptr;
729 	/* HACK: accomodate incompatible DLPI drivers */
730 	if (addr_length == 8)
731 		addr_length = 6;
732 	dlur->dl_dest_addr_length = addr_length + abs_sap_length;
733 	dlur->dl_dest_addr_offset = sizeof (*dlur);
734 	dlur->dl_priority.dl_min = 0;
735 	dlur->dl_priority.dl_max = 0;
736 	ill_dlur_copy_address(addr, addr_length, sap, sap_length,
737 	    (uchar_t *)&dlur[1]);
738 	return (mp);
739 }
740 
741 /*
742  * Add the pending mp to the list. There can be only 1 pending mp
743  * in the list. Any exclusive ioctl that needs to wait for a response
744  * from another module or driver needs to use this function to set
745  * the ipx_pending_mp to the ioctl mblk and wait for the response from
746  * the other module/driver. This is also used while waiting for the
747  * ipif/ill/ire refcnts to drop to zero in bringing down an ipif.
748  */
749 boolean_t
750 ipsq_pending_mp_add(conn_t *connp, ipif_t *ipif, queue_t *q, mblk_t *add_mp,
751     int waitfor)
752 {
753 	ipxop_t	*ipx = ipif->ipif_ill->ill_phyint->phyint_ipsq->ipsq_xop;
754 
755 	ASSERT(IAM_WRITER_IPIF(ipif));
756 	ASSERT(MUTEX_HELD(&ipif->ipif_ill->ill_lock));
757 	ASSERT((add_mp->b_next == NULL) && (add_mp->b_prev == NULL));
758 	ASSERT(ipx->ipx_pending_mp == NULL);
759 	/*
760 	 * The caller may be using a different ipif than the one passed into
761 	 * ipsq_current_start() (e.g., suppose an ioctl that came in on the V4
762 	 * ill needs to wait for the V6 ill to quiesce).  So we can't ASSERT
763 	 * that `ipx_current_ipif == ipif'.
764 	 */
765 	ASSERT(ipx->ipx_current_ipif != NULL);
766 
767 	/*
768 	 * M_IOCDATA from ioctls, M_ERROR/M_HANGUP/M_PROTO/M_PCPROTO from the
769 	 * driver.
770 	 */
771 	ASSERT((DB_TYPE(add_mp) == M_IOCDATA) || (DB_TYPE(add_mp) == M_ERROR) ||
772 	    (DB_TYPE(add_mp) == M_HANGUP) || (DB_TYPE(add_mp) == M_PROTO) ||
773 	    (DB_TYPE(add_mp) == M_PCPROTO));
774 
775 	if (connp != NULL) {
776 		ASSERT(MUTEX_HELD(&connp->conn_lock));
777 		/*
778 		 * Return error if the conn has started closing. The conn
779 		 * could have finished cleaning up the pending mp list,
780 		 * If so we should not add another mp to the list negating
781 		 * the cleanup.
782 		 */
783 		if (connp->conn_state_flags & CONN_CLOSING)
784 			return (B_FALSE);
785 	}
786 	mutex_enter(&ipx->ipx_lock);
787 	ipx->ipx_pending_ipif = ipif;
788 	/*
789 	 * Note down the queue in b_queue. This will be returned by
790 	 * ipsq_pending_mp_get. Caller will then use these values to restart
791 	 * the processing
792 	 */
793 	add_mp->b_next = NULL;
794 	add_mp->b_queue = q;
795 	ipx->ipx_pending_mp = add_mp;
796 	ipx->ipx_waitfor = waitfor;
797 	mutex_exit(&ipx->ipx_lock);
798 
799 	if (connp != NULL)
800 		connp->conn_oper_pending_ill = ipif->ipif_ill;
801 
802 	return (B_TRUE);
803 }
804 
805 /*
806  * Retrieve the ipx_pending_mp and return it. There can be only 1 mp
807  * queued in the list.
808  */
809 mblk_t *
810 ipsq_pending_mp_get(ipsq_t *ipsq, conn_t **connpp)
811 {
812 	mblk_t	*curr = NULL;
813 	ipxop_t	*ipx = ipsq->ipsq_xop;
814 
815 	*connpp = NULL;
816 	mutex_enter(&ipx->ipx_lock);
817 	if (ipx->ipx_pending_mp == NULL) {
818 		mutex_exit(&ipx->ipx_lock);
819 		return (NULL);
820 	}
821 
822 	/* There can be only 1 such excl message */
823 	curr = ipx->ipx_pending_mp;
824 	ASSERT(curr->b_next == NULL);
825 	ipx->ipx_pending_ipif = NULL;
826 	ipx->ipx_pending_mp = NULL;
827 	ipx->ipx_waitfor = 0;
828 	mutex_exit(&ipx->ipx_lock);
829 
830 	if (CONN_Q(curr->b_queue)) {
831 		/*
832 		 * This mp did a refhold on the conn, at the start of the ioctl.
833 		 * So we can safely return a pointer to the conn to the caller.
834 		 */
835 		*connpp = Q_TO_CONN(curr->b_queue);
836 	} else {
837 		*connpp = NULL;
838 	}
839 	curr->b_next = NULL;
840 	curr->b_prev = NULL;
841 	return (curr);
842 }
843 
844 /*
845  * Cleanup the ioctl mp queued in ipx_pending_mp
846  * - Called in the ill_delete path
847  * - Called in the M_ERROR or M_HANGUP path on the ill.
848  * - Called in the conn close path.
849  *
850  * Returns success on finding the pending mblk associated with the ioctl or
851  * exclusive operation in progress, failure otherwise.
852  */
853 boolean_t
854 ipsq_pending_mp_cleanup(ill_t *ill, conn_t *connp)
855 {
856 	mblk_t	*mp;
857 	ipxop_t	*ipx;
858 	queue_t	*q;
859 	ipif_t	*ipif;
860 	int	cmd;
861 
862 	ASSERT(IAM_WRITER_ILL(ill));
863 	ipx = ill->ill_phyint->phyint_ipsq->ipsq_xop;
864 
865 	mutex_enter(&ipx->ipx_lock);
866 	mp = ipx->ipx_pending_mp;
867 	if (connp != NULL) {
868 		if (mp == NULL || mp->b_queue != CONNP_TO_WQ(connp)) {
869 			/*
870 			 * Nothing to clean since the conn that is closing
871 			 * does not have a matching pending mblk in
872 			 * ipx_pending_mp.
873 			 */
874 			mutex_exit(&ipx->ipx_lock);
875 			return (B_FALSE);
876 		}
877 	} else {
878 		/*
879 		 * A non-zero ill_error signifies we are called in the
880 		 * M_ERROR or M_HANGUP path and we need to unconditionally
881 		 * abort any current ioctl and do the corresponding cleanup.
882 		 * A zero ill_error means we are in the ill_delete path and
883 		 * we do the cleanup only if there is a pending mp.
884 		 */
885 		if (mp == NULL && ill->ill_error == 0) {
886 			mutex_exit(&ipx->ipx_lock);
887 			return (B_FALSE);
888 		}
889 	}
890 
891 	/* Now remove from the ipx_pending_mp */
892 	ipx->ipx_pending_mp = NULL;
893 	ipif = ipx->ipx_pending_ipif;
894 	ipx->ipx_pending_ipif = NULL;
895 	ipx->ipx_waitfor = 0;
896 	ipx->ipx_current_ipif = NULL;
897 	cmd = ipx->ipx_current_ioctl;
898 	ipx->ipx_current_ioctl = 0;
899 	ipx->ipx_current_done = B_TRUE;
900 	mutex_exit(&ipx->ipx_lock);
901 
902 	if (mp == NULL)
903 		return (B_FALSE);
904 
905 	q = mp->b_queue;
906 	mp->b_next = NULL;
907 	mp->b_prev = NULL;
908 	mp->b_queue = NULL;
909 
910 	if (DB_TYPE(mp) == M_IOCTL || DB_TYPE(mp) == M_IOCDATA) {
911 		DTRACE_PROBE4(ipif__ioctl,
912 		    char *, "ipsq_pending_mp_cleanup",
913 		    int, cmd, ill_t *, ipif == NULL ? NULL : ipif->ipif_ill,
914 		    ipif_t *, ipif);
915 		if (connp == NULL) {
916 			ip_ioctl_finish(q, mp, ENXIO, NO_COPYOUT, NULL);
917 		} else {
918 			ip_ioctl_finish(q, mp, ENXIO, CONN_CLOSE, NULL);
919 			mutex_enter(&ipif->ipif_ill->ill_lock);
920 			ipif->ipif_state_flags &= ~IPIF_CHANGING;
921 			mutex_exit(&ipif->ipif_ill->ill_lock);
922 		}
923 	} else {
924 		inet_freemsg(mp);
925 	}
926 	return (B_TRUE);
927 }
928 
929 /*
930  * Called in the conn close path and ill delete path
931  */
932 static void
933 ipsq_xopq_mp_cleanup(ill_t *ill, conn_t *connp)
934 {
935 	ipsq_t	*ipsq;
936 	mblk_t	*prev;
937 	mblk_t	*curr;
938 	mblk_t	*next;
939 	queue_t	*wq, *rq = NULL;
940 	mblk_t	*tmp_list = NULL;
941 
942 	ASSERT(IAM_WRITER_ILL(ill));
943 	if (connp != NULL)
944 		wq = CONNP_TO_WQ(connp);
945 	else
946 		wq = ill->ill_wq;
947 
948 	/*
949 	 * In the case of lo0 being unplumbed, ill_wq will be NULL. Guard
950 	 * against this here.
951 	 */
952 	if (wq != NULL)
953 		rq = RD(wq);
954 
955 	ipsq = ill->ill_phyint->phyint_ipsq;
956 	/*
957 	 * Cleanup the ioctl mp's queued in ipsq_xopq_pending_mp if any.
958 	 * In the case of ioctl from a conn, there can be only 1 mp
959 	 * queued on the ipsq. If an ill is being unplumbed flush all
960 	 * the messages.
961 	 */
962 	mutex_enter(&ipsq->ipsq_lock);
963 	for (prev = NULL, curr = ipsq->ipsq_xopq_mphead; curr != NULL;
964 	    curr = next) {
965 		next = curr->b_next;
966 		if (connp == NULL ||
967 		    (curr->b_queue == wq || curr->b_queue == rq)) {
968 			/* Unlink the mblk from the pending mp list */
969 			if (prev != NULL) {
970 				prev->b_next = curr->b_next;
971 			} else {
972 				ASSERT(ipsq->ipsq_xopq_mphead == curr);
973 				ipsq->ipsq_xopq_mphead = curr->b_next;
974 			}
975 			if (ipsq->ipsq_xopq_mptail == curr)
976 				ipsq->ipsq_xopq_mptail = prev;
977 			/*
978 			 * Create a temporary list and release the ipsq lock
979 			 * New elements are added to the head of the tmp_list
980 			 */
981 			curr->b_next = tmp_list;
982 			tmp_list = curr;
983 		} else {
984 			prev = curr;
985 		}
986 	}
987 	mutex_exit(&ipsq->ipsq_lock);
988 
989 	while (tmp_list != NULL) {
990 		curr = tmp_list;
991 		tmp_list = curr->b_next;
992 		curr->b_next = NULL;
993 		curr->b_prev = NULL;
994 		wq = curr->b_queue;
995 		curr->b_queue = NULL;
996 		if (DB_TYPE(curr) == M_IOCTL || DB_TYPE(curr) == M_IOCDATA) {
997 			DTRACE_PROBE4(ipif__ioctl,
998 			    char *, "ipsq_xopq_mp_cleanup",
999 			    int, 0, ill_t *, NULL, ipif_t *, NULL);
1000 			ip_ioctl_finish(wq, curr, ENXIO, connp != NULL ?
1001 			    CONN_CLOSE : NO_COPYOUT, NULL);
1002 		} else {
1003 			/*
1004 			 * IP-MT XXX In the case of TLI/XTI bind / optmgmt
1005 			 * this can't be just inet_freemsg. we have to
1006 			 * restart it otherwise the thread will be stuck.
1007 			 */
1008 			inet_freemsg(curr);
1009 		}
1010 	}
1011 }
1012 
1013 /*
1014  * This conn has started closing. Cleanup any pending ioctl from this conn.
1015  * STREAMS ensures that there can be at most 1 active ioctl on a stream.
1016  */
1017 void
1018 conn_ioctl_cleanup(conn_t *connp)
1019 {
1020 	ipsq_t	*ipsq;
1021 	ill_t	*ill;
1022 	boolean_t refheld;
1023 
1024 	/*
1025 	 * Check for a queued ioctl. If the ioctl has not yet started, the mp
1026 	 * is pending in the list headed by ipsq_xopq_head. If the ioctl has
1027 	 * started the mp could be present in ipx_pending_mp. Note that if
1028 	 * conn_oper_pending_ill is NULL, the ioctl may still be in flight and
1029 	 * not yet queued anywhere. In this case, the conn close code will wait
1030 	 * until the conn_ref is dropped. If the stream was a tcp stream, then
1031 	 * tcp_close will wait first until all ioctls have completed for this
1032 	 * conn.
1033 	 */
1034 	mutex_enter(&connp->conn_lock);
1035 	ill = connp->conn_oper_pending_ill;
1036 	if (ill == NULL) {
1037 		mutex_exit(&connp->conn_lock);
1038 		return;
1039 	}
1040 
1041 	/*
1042 	 * We may not be able to refhold the ill if the ill/ipif
1043 	 * is changing. But we need to make sure that the ill will
1044 	 * not vanish. So we just bump up the ill_waiter count.
1045 	 */
1046 	refheld = ill_waiter_inc(ill);
1047 	mutex_exit(&connp->conn_lock);
1048 	if (refheld) {
1049 		if (ipsq_enter(ill, B_TRUE, NEW_OP)) {
1050 			ill_waiter_dcr(ill);
1051 			/*
1052 			 * Check whether this ioctl has started and is
1053 			 * pending. If it is not found there then check
1054 			 * whether this ioctl has not even started and is in
1055 			 * the ipsq_xopq list.
1056 			 */
1057 			if (!ipsq_pending_mp_cleanup(ill, connp))
1058 				ipsq_xopq_mp_cleanup(ill, connp);
1059 			ipsq = ill->ill_phyint->phyint_ipsq;
1060 			ipsq_exit(ipsq);
1061 			return;
1062 		}
1063 	}
1064 
1065 	/*
1066 	 * The ill is also closing and we could not bump up the
1067 	 * ill_waiter_count or we could not enter the ipsq. Leave
1068 	 * the cleanup to ill_delete
1069 	 */
1070 	mutex_enter(&connp->conn_lock);
1071 	while (connp->conn_oper_pending_ill != NULL)
1072 		cv_wait(&connp->conn_refcv, &connp->conn_lock);
1073 	mutex_exit(&connp->conn_lock);
1074 	if (refheld)
1075 		ill_waiter_dcr(ill);
1076 }
1077 
1078 /*
1079  * ipcl_walk function for cleaning up conn_*_ill fields.
1080  * Note that we leave ixa_multicast_ifindex, conn_incoming_ifindex, and
1081  * conn_bound_if in place. We prefer dropping
1082  * packets instead of sending them out the wrong interface, or accepting
1083  * packets from the wrong ifindex.
1084  */
1085 static void
1086 conn_cleanup_ill(conn_t *connp, caddr_t arg)
1087 {
1088 	ill_t	*ill = (ill_t *)arg;
1089 
1090 	mutex_enter(&connp->conn_lock);
1091 	if (connp->conn_dhcpinit_ill == ill) {
1092 		connp->conn_dhcpinit_ill = NULL;
1093 		ASSERT(ill->ill_dhcpinit != 0);
1094 		atomic_dec_32(&ill->ill_dhcpinit);
1095 		ill_set_inputfn(ill);
1096 	}
1097 	mutex_exit(&connp->conn_lock);
1098 }
1099 
1100 static int
1101 ill_down_ipifs_tail(ill_t *ill)
1102 {
1103 	ipif_t	*ipif;
1104 	int err;
1105 
1106 	ASSERT(IAM_WRITER_ILL(ill));
1107 	for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
1108 		ipif_non_duplicate(ipif);
1109 		/*
1110 		 * ipif_down_tail will call arp_ll_down on the last ipif
1111 		 * and typically return EINPROGRESS when the DL_UNBIND is sent.
1112 		 */
1113 		if ((err = ipif_down_tail(ipif)) != 0)
1114 			return (err);
1115 	}
1116 	return (0);
1117 }
1118 
1119 /* ARGSUSED */
1120 void
1121 ipif_all_down_tail(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
1122 {
1123 	ASSERT(IAM_WRITER_IPSQ(ipsq));
1124 	(void) ill_down_ipifs_tail(q->q_ptr);
1125 	freemsg(mp);
1126 	ipsq_current_finish(ipsq);
1127 }
1128 
1129 /*
1130  * ill_down_start is called when we want to down this ill and bring it up again
1131  * It is called when we receive an M_ERROR / M_HANGUP. In this case we shut down
1132  * all interfaces, but don't tear down any plumbing.
1133  */
1134 boolean_t
1135 ill_down_start(queue_t *q, mblk_t *mp)
1136 {
1137 	ill_t	*ill = q->q_ptr;
1138 	ipif_t	*ipif;
1139 
1140 	ASSERT(IAM_WRITER_ILL(ill));
1141 	/*
1142 	 * It is possible that some ioctl is already in progress while we
1143 	 * received the M_ERROR / M_HANGUP in which case, we need to abort
1144 	 * the ioctl. ill_down_start() is being processed as CUR_OP rather
1145 	 * than as NEW_OP since the cause of the M_ERROR / M_HANGUP may prevent
1146 	 * the in progress ioctl from ever completing.
1147 	 *
1148 	 * The thread that started the ioctl (if any) must have returned,
1149 	 * since we are now executing as writer. After the 2 calls below,
1150 	 * the state of the ipsq and the ill would reflect no trace of any
1151 	 * pending operation. Subsequently if there is any response to the
1152 	 * original ioctl from the driver, it would be discarded as an
1153 	 * unsolicited message from the driver.
1154 	 */
1155 	(void) ipsq_pending_mp_cleanup(ill, NULL);
1156 	ill_dlpi_clear_deferred(ill);
1157 
1158 	for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next)
1159 		(void) ipif_down(ipif, NULL, NULL);
1160 
1161 	ill_down(ill);
1162 
1163 	/*
1164 	 * Walk all CONNs that can have a reference on an ire or nce for this
1165 	 * ill (we actually walk all that now have stale references).
1166 	 */
1167 	ipcl_walk(conn_ixa_cleanup, (void *)B_TRUE, ill->ill_ipst);
1168 
1169 	/* With IPv6 we have dce_ifindex. Cleanup for neatness */
1170 	if (ill->ill_isv6)
1171 		dce_cleanup(ill->ill_phyint->phyint_ifindex, ill->ill_ipst);
1172 
1173 	ipsq_current_start(ill->ill_phyint->phyint_ipsq, ill->ill_ipif, 0);
1174 
1175 	/*
1176 	 * Atomically test and add the pending mp if references are active.
1177 	 */
1178 	mutex_enter(&ill->ill_lock);
1179 	if (!ill_is_quiescent(ill)) {
1180 		/* call cannot fail since `conn_t *' argument is NULL */
1181 		(void) ipsq_pending_mp_add(NULL, ill->ill_ipif, ill->ill_rq,
1182 		    mp, ILL_DOWN);
1183 		mutex_exit(&ill->ill_lock);
1184 		return (B_FALSE);
1185 	}
1186 	mutex_exit(&ill->ill_lock);
1187 	return (B_TRUE);
1188 }
1189 
1190 static void
1191 ill_down(ill_t *ill)
1192 {
1193 	mblk_t	*mp;
1194 	ip_stack_t	*ipst = ill->ill_ipst;
1195 
1196 	/*
1197 	 * Blow off any IREs dependent on this ILL.
1198 	 * The caller needs to handle conn_ixa_cleanup
1199 	 */
1200 	ill_delete_ires(ill);
1201 
1202 	ire_walk_ill(0, 0, ill_downi, ill, ill);
1203 
1204 	/* Remove any conn_*_ill depending on this ill */
1205 	ipcl_walk(conn_cleanup_ill, (caddr_t)ill, ipst);
1206 
1207 	/*
1208 	 * Free state for additional IREs.
1209 	 */
1210 	mutex_enter(&ill->ill_saved_ire_lock);
1211 	mp = ill->ill_saved_ire_mp;
1212 	ill->ill_saved_ire_mp = NULL;
1213 	ill->ill_saved_ire_cnt = 0;
1214 	mutex_exit(&ill->ill_saved_ire_lock);
1215 	freemsg(mp);
1216 }
1217 
1218 /*
1219  * ire_walk routine used to delete every IRE that depends on
1220  * 'ill'.  (Always called as writer, and may only be called from ire_walk.)
1221  *
1222  * Note: since the routes added by the kernel are deleted separately,
1223  * this will only be 1) IRE_IF_CLONE and 2) manually added IRE_INTERFACE.
1224  *
1225  * We also remove references on ire_nce_cache entries that refer to the ill.
1226  */
1227 void
1228 ill_downi(ire_t *ire, char *ill_arg)
1229 {
1230 	ill_t	*ill = (ill_t *)ill_arg;
1231 	nce_t	*nce;
1232 
1233 	mutex_enter(&ire->ire_lock);
1234 	nce = ire->ire_nce_cache;
1235 	if (nce != NULL && nce->nce_ill == ill)
1236 		ire->ire_nce_cache = NULL;
1237 	else
1238 		nce = NULL;
1239 	mutex_exit(&ire->ire_lock);
1240 	if (nce != NULL)
1241 		nce_refrele(nce);
1242 	if (ire->ire_ill == ill) {
1243 		/*
1244 		 * The existing interface binding for ire must be
1245 		 * deleted before trying to bind the route to another
1246 		 * interface. However, since we are using the contents of the
1247 		 * ire after ire_delete, the caller has to ensure that
1248 		 * CONDEMNED (deleted) ire's are not removed from the list
1249 		 * when ire_delete() returns. Currently ill_downi() is
1250 		 * only called as part of ire_walk*() routines, so that
1251 		 * the irb_refhold() done by ire_walk*() will ensure that
1252 		 * ire_delete() does not lead to ire_inactive().
1253 		 */
1254 		ASSERT(ire->ire_bucket->irb_refcnt > 0);
1255 		ire_delete(ire);
1256 		if (ire->ire_unbound)
1257 			ire_rebind(ire);
1258 	}
1259 }
1260 
1261 /* Remove IRE_IF_CLONE on this ill */
1262 void
1263 ill_downi_if_clone(ire_t *ire, char *ill_arg)
1264 {
1265 	ill_t	*ill = (ill_t *)ill_arg;
1266 
1267 	ASSERT(ire->ire_type & IRE_IF_CLONE);
1268 	if (ire->ire_ill == ill)
1269 		ire_delete(ire);
1270 }
1271 
1272 /* Consume an M_IOCACK of the fastpath probe. */
1273 void
1274 ill_fastpath_ack(ill_t *ill, mblk_t *mp)
1275 {
1276 	mblk_t	*mp1 = mp;
1277 
1278 	/*
1279 	 * If this was the first attempt turn on the fastpath probing.
1280 	 */
1281 	mutex_enter(&ill->ill_lock);
1282 	if (ill->ill_dlpi_fastpath_state == IDS_INPROGRESS)
1283 		ill->ill_dlpi_fastpath_state = IDS_OK;
1284 	mutex_exit(&ill->ill_lock);
1285 
1286 	/* Free the M_IOCACK mblk, hold on to the data */
1287 	mp = mp->b_cont;
1288 	freeb(mp1);
1289 	if (mp == NULL)
1290 		return;
1291 	if (mp->b_cont != NULL)
1292 		nce_fastpath_update(ill, mp);
1293 	else
1294 		ip0dbg(("ill_fastpath_ack:  no b_cont\n"));
1295 	freemsg(mp);
1296 }
1297 
1298 /*
1299  * Throw an M_IOCTL message downstream asking "do you know fastpath?"
1300  * The data portion of the request is a dl_unitdata_req_t template for
1301  * what we would send downstream in the absence of a fastpath confirmation.
1302  */
1303 int
1304 ill_fastpath_probe(ill_t *ill, mblk_t *dlur_mp)
1305 {
1306 	struct iocblk	*ioc;
1307 	mblk_t	*mp;
1308 
1309 	if (dlur_mp == NULL)
1310 		return (EINVAL);
1311 
1312 	mutex_enter(&ill->ill_lock);
1313 	switch (ill->ill_dlpi_fastpath_state) {
1314 	case IDS_FAILED:
1315 		/*
1316 		 * Driver NAKed the first fastpath ioctl - assume it doesn't
1317 		 * support it.
1318 		 */
1319 		mutex_exit(&ill->ill_lock);
1320 		return (ENOTSUP);
1321 	case IDS_UNKNOWN:
1322 		/* This is the first probe */
1323 		ill->ill_dlpi_fastpath_state = IDS_INPROGRESS;
1324 		break;
1325 	default:
1326 		break;
1327 	}
1328 	mutex_exit(&ill->ill_lock);
1329 
1330 	if ((mp = mkiocb(DL_IOC_HDR_INFO)) == NULL)
1331 		return (EAGAIN);
1332 
1333 	mp->b_cont = copyb(dlur_mp);
1334 	if (mp->b_cont == NULL) {
1335 		freeb(mp);
1336 		return (EAGAIN);
1337 	}
1338 
1339 	ioc = (struct iocblk *)mp->b_rptr;
1340 	ioc->ioc_count = msgdsize(mp->b_cont);
1341 
1342 	DTRACE_PROBE3(ill__dlpi, char *, "ill_fastpath_probe",
1343 	    char *, "DL_IOC_HDR_INFO", ill_t *, ill);
1344 	putnext(ill->ill_wq, mp);
1345 	return (0);
1346 }
1347 
1348 void
1349 ill_capability_probe(ill_t *ill)
1350 {
1351 	mblk_t	*mp;
1352 
1353 	ASSERT(IAM_WRITER_ILL(ill));
1354 
1355 	if (ill->ill_dlpi_capab_state != IDCS_UNKNOWN &&
1356 	    ill->ill_dlpi_capab_state != IDCS_FAILED)
1357 		return;
1358 
1359 	/*
1360 	 * We are starting a new cycle of capability negotiation.
1361 	 * Free up the capab reset messages of any previous incarnation.
1362 	 * We will do a fresh allocation when we get the response to our probe
1363 	 */
1364 	if (ill->ill_capab_reset_mp != NULL) {
1365 		freemsg(ill->ill_capab_reset_mp);
1366 		ill->ill_capab_reset_mp = NULL;
1367 	}
1368 
1369 	ip1dbg(("ill_capability_probe: starting capability negotiation\n"));
1370 
1371 	mp = ip_dlpi_alloc(sizeof (dl_capability_req_t), DL_CAPABILITY_REQ);
1372 	if (mp == NULL)
1373 		return;
1374 
1375 	ill_capability_send(ill, mp);
1376 	ill->ill_dlpi_capab_state = IDCS_PROBE_SENT;
1377 }
1378 
1379 void
1380 ill_capability_reset(ill_t *ill, boolean_t reneg)
1381 {
1382 	ASSERT(IAM_WRITER_ILL(ill));
1383 
1384 	if (ill->ill_dlpi_capab_state != IDCS_OK)
1385 		return;
1386 
1387 	ill->ill_dlpi_capab_state = reneg ? IDCS_RENEG : IDCS_RESET_SENT;
1388 
1389 	ill_capability_send(ill, ill->ill_capab_reset_mp);
1390 	ill->ill_capab_reset_mp = NULL;
1391 	/*
1392 	 * We turn off all capabilities except those pertaining to
1393 	 * direct function call capabilities viz. ILL_CAPAB_DLD*
1394 	 * which will be turned off by the corresponding reset functions.
1395 	 */
1396 	ill->ill_capabilities &= ~(ILL_CAPAB_HCKSUM  | ILL_CAPAB_ZEROCOPY);
1397 }
1398 
1399 static void
1400 ill_capability_reset_alloc(ill_t *ill)
1401 {
1402 	mblk_t *mp;
1403 	size_t	size = 0;
1404 	int	err;
1405 	dl_capability_req_t	*capb;
1406 
1407 	ASSERT(IAM_WRITER_ILL(ill));
1408 	ASSERT(ill->ill_capab_reset_mp == NULL);
1409 
1410 	if (ILL_HCKSUM_CAPABLE(ill)) {
1411 		size += sizeof (dl_capability_sub_t) +
1412 		    sizeof (dl_capab_hcksum_t);
1413 	}
1414 
1415 	if (ill->ill_capabilities & ILL_CAPAB_ZEROCOPY) {
1416 		size += sizeof (dl_capability_sub_t) +
1417 		    sizeof (dl_capab_zerocopy_t);
1418 	}
1419 
1420 	if (ill->ill_capabilities & ILL_CAPAB_DLD) {
1421 		size += sizeof (dl_capability_sub_t) +
1422 		    sizeof (dl_capab_dld_t);
1423 	}
1424 
1425 	mp = allocb_wait(size + sizeof (dl_capability_req_t), BPRI_MED,
1426 	    STR_NOSIG, &err);
1427 
1428 	mp->b_datap->db_type = M_PROTO;
1429 	bzero(mp->b_rptr, size + sizeof (dl_capability_req_t));
1430 
1431 	capb = (dl_capability_req_t *)mp->b_rptr;
1432 	capb->dl_primitive = DL_CAPABILITY_REQ;
1433 	capb->dl_sub_offset = sizeof (dl_capability_req_t);
1434 	capb->dl_sub_length = size;
1435 
1436 	mp->b_wptr += sizeof (dl_capability_req_t);
1437 
1438 	/*
1439 	 * Each handler fills in the corresponding dl_capability_sub_t
1440 	 * inside the mblk,
1441 	 */
1442 	ill_capability_hcksum_reset_fill(ill, mp);
1443 	ill_capability_zerocopy_reset_fill(ill, mp);
1444 	ill_capability_dld_reset_fill(ill, mp);
1445 
1446 	ill->ill_capab_reset_mp = mp;
1447 }
1448 
1449 static void
1450 ill_capability_id_ack(ill_t *ill, mblk_t *mp, dl_capability_sub_t *outers)
1451 {
1452 	dl_capab_id_t *id_ic;
1453 	uint_t sub_dl_cap = outers->dl_cap;
1454 	dl_capability_sub_t *inners;
1455 	uint8_t *capend;
1456 
1457 	ASSERT(sub_dl_cap == DL_CAPAB_ID_WRAPPER);
1458 
1459 	/*
1460 	 * Note: range checks here are not absolutely sufficient to
1461 	 * make us robust against malformed messages sent by drivers;
1462 	 * this is in keeping with the rest of IP's dlpi handling.
1463 	 * (Remember, it's coming from something else in the kernel
1464 	 * address space)
1465 	 */
1466 
1467 	capend = (uint8_t *)(outers + 1) + outers->dl_length;
1468 	if (capend > mp->b_wptr) {
1469 		cmn_err(CE_WARN, "ill_capability_id_ack: "
1470 		    "malformed sub-capability too long for mblk");
1471 		return;
1472 	}
1473 
1474 	id_ic = (dl_capab_id_t *)(outers + 1);
1475 
1476 	if (outers->dl_length < sizeof (*id_ic) ||
1477 	    (inners = &id_ic->id_subcap,
1478 	    inners->dl_length > (outers->dl_length - sizeof (*inners)))) {
1479 		cmn_err(CE_WARN, "ill_capability_id_ack: malformed "
1480 		    "encapsulated capab type %d too long for mblk",
1481 		    inners->dl_cap);
1482 		return;
1483 	}
1484 
1485 	if (!dlcapabcheckqid(&id_ic->id_mid, ill->ill_lmod_rq)) {
1486 		ip1dbg(("ill_capability_id_ack: mid token for capab type %d "
1487 		    "isn't as expected; pass-thru module(s) detected, "
1488 		    "discarding capability\n", inners->dl_cap));
1489 		return;
1490 	}
1491 
1492 	/* Process the encapsulated sub-capability */
1493 	ill_capability_dispatch(ill, mp, inners);
1494 }
1495 
1496 static void
1497 ill_capability_dld_reset_fill(ill_t *ill, mblk_t *mp)
1498 {
1499 	dl_capability_sub_t *dl_subcap;
1500 
1501 	if (!(ill->ill_capabilities & ILL_CAPAB_DLD))
1502 		return;
1503 
1504 	/*
1505 	 * The dl_capab_dld_t that follows the dl_capability_sub_t is not
1506 	 * initialized below since it is not used by DLD.
1507 	 */
1508 	dl_subcap = (dl_capability_sub_t *)mp->b_wptr;
1509 	dl_subcap->dl_cap = DL_CAPAB_DLD;
1510 	dl_subcap->dl_length = sizeof (dl_capab_dld_t);
1511 
1512 	mp->b_wptr += sizeof (dl_capability_sub_t) + sizeof (dl_capab_dld_t);
1513 }
1514 
1515 static void
1516 ill_capability_dispatch(ill_t *ill, mblk_t *mp, dl_capability_sub_t *subp)
1517 {
1518 	/*
1519 	 * If no ipif was brought up over this ill, this DL_CAPABILITY_REQ/ACK
1520 	 * is only to get the VRRP capability.
1521 	 *
1522 	 * Note that we cannot check ill_ipif_up_count here since
1523 	 * ill_ipif_up_count is only incremented when the resolver is setup.
1524 	 * That is done asynchronously, and can race with this function.
1525 	 */
1526 	if (!ill->ill_dl_up) {
1527 		if (subp->dl_cap == DL_CAPAB_VRRP)
1528 			ill_capability_vrrp_ack(ill, mp, subp);
1529 		return;
1530 	}
1531 
1532 	switch (subp->dl_cap) {
1533 	case DL_CAPAB_HCKSUM:
1534 		ill_capability_hcksum_ack(ill, mp, subp);
1535 		break;
1536 	case DL_CAPAB_ZEROCOPY:
1537 		ill_capability_zerocopy_ack(ill, mp, subp);
1538 		break;
1539 	case DL_CAPAB_DLD:
1540 		ill_capability_dld_ack(ill, mp, subp);
1541 		break;
1542 	case DL_CAPAB_VRRP:
1543 		break;
1544 	default:
1545 		ip1dbg(("ill_capability_dispatch: unknown capab type %d\n",
1546 		    subp->dl_cap));
1547 	}
1548 }
1549 
1550 /*
1551  * Process the vrrp capability received from a DLS Provider. isub must point
1552  * to the sub-capability (DL_CAPAB_VRRP) of a DL_CAPABILITY_ACK message.
1553  */
1554 static void
1555 ill_capability_vrrp_ack(ill_t *ill, mblk_t *mp, dl_capability_sub_t *isub)
1556 {
1557 	dl_capab_vrrp_t	*vrrp;
1558 	uint_t		sub_dl_cap = isub->dl_cap;
1559 	uint8_t		*capend;
1560 
1561 	ASSERT(IAM_WRITER_ILL(ill));
1562 	ASSERT(sub_dl_cap == DL_CAPAB_VRRP);
1563 
1564 	/*
1565 	 * Note: range checks here are not absolutely sufficient to
1566 	 * make us robust against malformed messages sent by drivers;
1567 	 * this is in keeping with the rest of IP's dlpi handling.
1568 	 * (Remember, it's coming from something else in the kernel
1569 	 * address space)
1570 	 */
1571 	capend = (uint8_t *)(isub + 1) + isub->dl_length;
1572 	if (capend > mp->b_wptr) {
1573 		cmn_err(CE_WARN, "ill_capability_vrrp_ack: "
1574 		    "malformed sub-capability too long for mblk");
1575 		return;
1576 	}
1577 	vrrp = (dl_capab_vrrp_t *)(isub + 1);
1578 
1579 	/*
1580 	 * Compare the IP address family and set ILLF_VRRP for the right ill.
1581 	 */
1582 	if ((vrrp->vrrp_af == AF_INET6 && ill->ill_isv6) ||
1583 	    (vrrp->vrrp_af == AF_INET && !ill->ill_isv6)) {
1584 		ill->ill_flags |= ILLF_VRRP;
1585 	}
1586 }
1587 
1588 /*
1589  * Process a hardware checksum offload capability negotiation ack received
1590  * from a DLS Provider.isub must point to the sub-capability (DL_CAPAB_HCKSUM)
1591  * of a DL_CAPABILITY_ACK message.
1592  */
1593 static void
1594 ill_capability_hcksum_ack(ill_t *ill, mblk_t *mp, dl_capability_sub_t *isub)
1595 {
1596 	dl_capability_req_t	*ocap;
1597 	dl_capab_hcksum_t	*ihck, *ohck;
1598 	ill_hcksum_capab_t	**ill_hcksum;
1599 	mblk_t			*nmp = NULL;
1600 	uint_t			sub_dl_cap = isub->dl_cap;
1601 	uint8_t			*capend;
1602 
1603 	ASSERT(sub_dl_cap == DL_CAPAB_HCKSUM);
1604 
1605 	ill_hcksum = (ill_hcksum_capab_t **)&ill->ill_hcksum_capab;
1606 
1607 	/*
1608 	 * Note: range checks here are not absolutely sufficient to
1609 	 * make us robust against malformed messages sent by drivers;
1610 	 * this is in keeping with the rest of IP's dlpi handling.
1611 	 * (Remember, it's coming from something else in the kernel
1612 	 * address space)
1613 	 */
1614 	capend = (uint8_t *)(isub + 1) + isub->dl_length;
1615 	if (capend > mp->b_wptr) {
1616 		cmn_err(CE_WARN, "ill_capability_hcksum_ack: "
1617 		    "malformed sub-capability too long for mblk");
1618 		return;
1619 	}
1620 
1621 	/*
1622 	 * There are two types of acks we process here:
1623 	 * 1. acks in reply to a (first form) generic capability req
1624 	 *    (no ENABLE flag set)
1625 	 * 2. acks in reply to a ENABLE capability req.
1626 	 *    (ENABLE flag set)
1627 	 */
1628 	ihck = (dl_capab_hcksum_t *)(isub + 1);
1629 
1630 	if (ihck->hcksum_version != HCKSUM_VERSION_1) {
1631 		cmn_err(CE_CONT, "ill_capability_hcksum_ack: "
1632 		    "unsupported hardware checksum "
1633 		    "sub-capability (version %d, expected %d)",
1634 		    ihck->hcksum_version, HCKSUM_VERSION_1);
1635 		return;
1636 	}
1637 
1638 	if (!dlcapabcheckqid(&ihck->hcksum_mid, ill->ill_lmod_rq)) {
1639 		ip1dbg(("ill_capability_hcksum_ack: mid token for hardware "
1640 		    "checksum capability isn't as expected; pass-thru "
1641 		    "module(s) detected, discarding capability\n"));
1642 		return;
1643 	}
1644 
1645 #define	CURR_HCKSUM_CAPAB				\
1646 	(HCKSUM_INET_PARTIAL | HCKSUM_INET_FULL_V4 |	\
1647 	HCKSUM_INET_FULL_V6 | HCKSUM_IPHDRCKSUM)
1648 
1649 	if ((ihck->hcksum_txflags & HCKSUM_ENABLE) &&
1650 	    (ihck->hcksum_txflags & CURR_HCKSUM_CAPAB)) {
1651 		/* do ENABLE processing */
1652 		if (*ill_hcksum == NULL) {
1653 			*ill_hcksum = kmem_zalloc(sizeof (ill_hcksum_capab_t),
1654 			    KM_NOSLEEP);
1655 
1656 			if (*ill_hcksum == NULL) {
1657 				cmn_err(CE_WARN, "ill_capability_hcksum_ack: "
1658 				    "could not enable hcksum version %d "
1659 				    "for %s (ENOMEM)\n", HCKSUM_CURRENT_VERSION,
1660 				    ill->ill_name);
1661 				return;
1662 			}
1663 		}
1664 
1665 		(*ill_hcksum)->ill_hcksum_version = ihck->hcksum_version;
1666 		(*ill_hcksum)->ill_hcksum_txflags = ihck->hcksum_txflags;
1667 		ill->ill_capabilities |= ILL_CAPAB_HCKSUM;
1668 		ip1dbg(("ill_capability_hcksum_ack: interface %s "
1669 		    "has enabled hardware checksumming\n ",
1670 		    ill->ill_name));
1671 	} else if (ihck->hcksum_txflags & CURR_HCKSUM_CAPAB) {
1672 		/*
1673 		 * Enabling hardware checksum offload
1674 		 * Currently IP supports {TCP,UDP}/IPv4
1675 		 * partial and full cksum offload and
1676 		 * IPv4 header checksum offload.
1677 		 * Allocate new mblk which will
1678 		 * contain a new capability request
1679 		 * to enable hardware checksum offload.
1680 		 */
1681 		uint_t	size;
1682 		uchar_t	*rptr;
1683 
1684 		size = sizeof (dl_capability_req_t) +
1685 		    sizeof (dl_capability_sub_t) + isub->dl_length;
1686 
1687 		if ((nmp = ip_dlpi_alloc(size, DL_CAPABILITY_REQ)) == NULL) {
1688 			cmn_err(CE_WARN, "ill_capability_hcksum_ack: "
1689 			    "could not enable hardware cksum for %s (ENOMEM)\n",
1690 			    ill->ill_name);
1691 			return;
1692 		}
1693 
1694 		rptr = nmp->b_rptr;
1695 		/* initialize dl_capability_req_t */
1696 		ocap = (dl_capability_req_t *)nmp->b_rptr;
1697 		ocap->dl_sub_offset =
1698 		    sizeof (dl_capability_req_t);
1699 		ocap->dl_sub_length =
1700 		    sizeof (dl_capability_sub_t) +
1701 		    isub->dl_length;
1702 		nmp->b_rptr += sizeof (dl_capability_req_t);
1703 
1704 		/* initialize dl_capability_sub_t */
1705 		bcopy(isub, nmp->b_rptr, sizeof (*isub));
1706 		nmp->b_rptr += sizeof (*isub);
1707 
1708 		/* initialize dl_capab_hcksum_t */
1709 		ohck = (dl_capab_hcksum_t *)nmp->b_rptr;
1710 		bcopy(ihck, ohck, sizeof (*ihck));
1711 
1712 		nmp->b_rptr = rptr;
1713 		ASSERT(nmp->b_wptr == (nmp->b_rptr + size));
1714 
1715 		/* Set ENABLE flag */
1716 		ohck->hcksum_txflags &= CURR_HCKSUM_CAPAB;
1717 		ohck->hcksum_txflags |= HCKSUM_ENABLE;
1718 
1719 		/*
1720 		 * nmp points to a DL_CAPABILITY_REQ message to enable
1721 		 * hardware checksum acceleration.
1722 		 */
1723 		ill_capability_send(ill, nmp);
1724 	} else {
1725 		ip1dbg(("ill_capability_hcksum_ack: interface %s has "
1726 		    "advertised %x hardware checksum capability flags\n",
1727 		    ill->ill_name, ihck->hcksum_txflags));
1728 	}
1729 }
1730 
1731 static void
1732 ill_capability_hcksum_reset_fill(ill_t *ill, mblk_t *mp)
1733 {
1734 	dl_capab_hcksum_t *hck_subcap;
1735 	dl_capability_sub_t *dl_subcap;
1736 
1737 	if (!ILL_HCKSUM_CAPABLE(ill))
1738 		return;
1739 
1740 	ASSERT(ill->ill_hcksum_capab != NULL);
1741 
1742 	dl_subcap = (dl_capability_sub_t *)mp->b_wptr;
1743 	dl_subcap->dl_cap = DL_CAPAB_HCKSUM;
1744 	dl_subcap->dl_length = sizeof (*hck_subcap);
1745 
1746 	hck_subcap = (dl_capab_hcksum_t *)(dl_subcap + 1);
1747 	hck_subcap->hcksum_version = ill->ill_hcksum_capab->ill_hcksum_version;
1748 	hck_subcap->hcksum_txflags = 0;
1749 
1750 	mp->b_wptr += sizeof (*dl_subcap) + sizeof (*hck_subcap);
1751 }
1752 
1753 static void
1754 ill_capability_zerocopy_ack(ill_t *ill, mblk_t *mp, dl_capability_sub_t *isub)
1755 {
1756 	mblk_t *nmp = NULL;
1757 	dl_capability_req_t *oc;
1758 	dl_capab_zerocopy_t *zc_ic, *zc_oc;
1759 	ill_zerocopy_capab_t **ill_zerocopy_capab;
1760 	uint_t sub_dl_cap = isub->dl_cap;
1761 	uint8_t *capend;
1762 
1763 	ASSERT(sub_dl_cap == DL_CAPAB_ZEROCOPY);
1764 
1765 	ill_zerocopy_capab = (ill_zerocopy_capab_t **)&ill->ill_zerocopy_capab;
1766 
1767 	/*
1768 	 * Note: range checks here are not absolutely sufficient to
1769 	 * make us robust against malformed messages sent by drivers;
1770 	 * this is in keeping with the rest of IP's dlpi handling.
1771 	 * (Remember, it's coming from something else in the kernel
1772 	 * address space)
1773 	 */
1774 	capend = (uint8_t *)(isub + 1) + isub->dl_length;
1775 	if (capend > mp->b_wptr) {
1776 		cmn_err(CE_WARN, "ill_capability_zerocopy_ack: "
1777 		    "malformed sub-capability too long for mblk");
1778 		return;
1779 	}
1780 
1781 	zc_ic = (dl_capab_zerocopy_t *)(isub + 1);
1782 	if (zc_ic->zerocopy_version != ZEROCOPY_VERSION_1) {
1783 		cmn_err(CE_CONT, "ill_capability_zerocopy_ack: "
1784 		    "unsupported ZEROCOPY sub-capability (version %d, "
1785 		    "expected %d)", zc_ic->zerocopy_version,
1786 		    ZEROCOPY_VERSION_1);
1787 		return;
1788 	}
1789 
1790 	if (!dlcapabcheckqid(&zc_ic->zerocopy_mid, ill->ill_lmod_rq)) {
1791 		ip1dbg(("ill_capability_zerocopy_ack: mid token for zerocopy "
1792 		    "capability isn't as expected; pass-thru module(s) "
1793 		    "detected, discarding capability\n"));
1794 		return;
1795 	}
1796 
1797 	if ((zc_ic->zerocopy_flags & DL_CAPAB_VMSAFE_MEM) != 0) {
1798 		if (*ill_zerocopy_capab == NULL) {
1799 			*ill_zerocopy_capab =
1800 			    kmem_zalloc(sizeof (ill_zerocopy_capab_t),
1801 			    KM_NOSLEEP);
1802 
1803 			if (*ill_zerocopy_capab == NULL) {
1804 				cmn_err(CE_WARN, "ill_capability_zerocopy_ack: "
1805 				    "could not enable Zero-copy version %d "
1806 				    "for %s (ENOMEM)\n", ZEROCOPY_VERSION_1,
1807 				    ill->ill_name);
1808 				return;
1809 			}
1810 		}
1811 
1812 		ip1dbg(("ill_capability_zerocopy_ack: interface %s "
1813 		    "supports Zero-copy version %d\n", ill->ill_name,
1814 		    ZEROCOPY_VERSION_1));
1815 
1816 		(*ill_zerocopy_capab)->ill_zerocopy_version =
1817 		    zc_ic->zerocopy_version;
1818 		(*ill_zerocopy_capab)->ill_zerocopy_flags =
1819 		    zc_ic->zerocopy_flags;
1820 
1821 		ill->ill_capabilities |= ILL_CAPAB_ZEROCOPY;
1822 	} else {
1823 		uint_t size;
1824 		uchar_t *rptr;
1825 
1826 		size = sizeof (dl_capability_req_t) +
1827 		    sizeof (dl_capability_sub_t) +
1828 		    sizeof (dl_capab_zerocopy_t);
1829 
1830 		if ((nmp = ip_dlpi_alloc(size, DL_CAPABILITY_REQ)) == NULL) {
1831 			cmn_err(CE_WARN, "ill_capability_zerocopy_ack: "
1832 			    "could not enable zerocopy for %s (ENOMEM)\n",
1833 			    ill->ill_name);
1834 			return;
1835 		}
1836 
1837 		rptr = nmp->b_rptr;
1838 		/* initialize dl_capability_req_t */
1839 		oc = (dl_capability_req_t *)rptr;
1840 		oc->dl_sub_offset = sizeof (dl_capability_req_t);
1841 		oc->dl_sub_length = sizeof (dl_capability_sub_t) +
1842 		    sizeof (dl_capab_zerocopy_t);
1843 		rptr += sizeof (dl_capability_req_t);
1844 
1845 		/* initialize dl_capability_sub_t */
1846 		bcopy(isub, rptr, sizeof (*isub));
1847 		rptr += sizeof (*isub);
1848 
1849 		/* initialize dl_capab_zerocopy_t */
1850 		zc_oc = (dl_capab_zerocopy_t *)rptr;
1851 		*zc_oc = *zc_ic;
1852 
1853 		ip1dbg(("ill_capability_zerocopy_ack: asking interface %s "
1854 		    "to enable zero-copy version %d\n", ill->ill_name,
1855 		    ZEROCOPY_VERSION_1));
1856 
1857 		/* set VMSAFE_MEM flag */
1858 		zc_oc->zerocopy_flags |= DL_CAPAB_VMSAFE_MEM;
1859 
1860 		/* nmp points to a DL_CAPABILITY_REQ message to enable zcopy */
1861 		ill_capability_send(ill, nmp);
1862 	}
1863 }
1864 
1865 static void
1866 ill_capability_zerocopy_reset_fill(ill_t *ill, mblk_t *mp)
1867 {
1868 	dl_capab_zerocopy_t *zerocopy_subcap;
1869 	dl_capability_sub_t *dl_subcap;
1870 
1871 	if (!(ill->ill_capabilities & ILL_CAPAB_ZEROCOPY))
1872 		return;
1873 
1874 	ASSERT(ill->ill_zerocopy_capab != NULL);
1875 
1876 	dl_subcap = (dl_capability_sub_t *)mp->b_wptr;
1877 	dl_subcap->dl_cap = DL_CAPAB_ZEROCOPY;
1878 	dl_subcap->dl_length = sizeof (*zerocopy_subcap);
1879 
1880 	zerocopy_subcap = (dl_capab_zerocopy_t *)(dl_subcap + 1);
1881 	zerocopy_subcap->zerocopy_version =
1882 	    ill->ill_zerocopy_capab->ill_zerocopy_version;
1883 	zerocopy_subcap->zerocopy_flags = 0;
1884 
1885 	mp->b_wptr += sizeof (*dl_subcap) + sizeof (*zerocopy_subcap);
1886 }
1887 
1888 /*
1889  * DLD capability
1890  * Refer to dld.h for more information regarding the purpose and usage
1891  * of this capability.
1892  */
1893 static void
1894 ill_capability_dld_ack(ill_t *ill, mblk_t *mp, dl_capability_sub_t *isub)
1895 {
1896 	dl_capab_dld_t		*dld_ic, dld;
1897 	uint_t			sub_dl_cap = isub->dl_cap;
1898 	uint8_t			*capend;
1899 	ill_dld_capab_t		*idc;
1900 
1901 	ASSERT(IAM_WRITER_ILL(ill));
1902 	ASSERT(sub_dl_cap == DL_CAPAB_DLD);
1903 
1904 	/*
1905 	 * Note: range checks here are not absolutely sufficient to
1906 	 * make us robust against malformed messages sent by drivers;
1907 	 * this is in keeping with the rest of IP's dlpi handling.
1908 	 * (Remember, it's coming from something else in the kernel
1909 	 * address space)
1910 	 */
1911 	capend = (uint8_t *)(isub + 1) + isub->dl_length;
1912 	if (capend > mp->b_wptr) {
1913 		cmn_err(CE_WARN, "ill_capability_dld_ack: "
1914 		    "malformed sub-capability too long for mblk");
1915 		return;
1916 	}
1917 	dld_ic = (dl_capab_dld_t *)(isub + 1);
1918 	if (dld_ic->dld_version != DLD_CURRENT_VERSION) {
1919 		cmn_err(CE_CONT, "ill_capability_dld_ack: "
1920 		    "unsupported DLD sub-capability (version %d, "
1921 		    "expected %d)", dld_ic->dld_version,
1922 		    DLD_CURRENT_VERSION);
1923 		return;
1924 	}
1925 	if (!dlcapabcheckqid(&dld_ic->dld_mid, ill->ill_lmod_rq)) {
1926 		ip1dbg(("ill_capability_dld_ack: mid token for dld "
1927 		    "capability isn't as expected; pass-thru module(s) "
1928 		    "detected, discarding capability\n"));
1929 		return;
1930 	}
1931 
1932 	/*
1933 	 * Copy locally to ensure alignment.
1934 	 */
1935 	bcopy(dld_ic, &dld, sizeof (dl_capab_dld_t));
1936 
1937 	if ((idc = ill->ill_dld_capab) == NULL) {
1938 		idc = kmem_zalloc(sizeof (ill_dld_capab_t), KM_NOSLEEP);
1939 		if (idc == NULL) {
1940 			cmn_err(CE_WARN, "ill_capability_dld_ack: "
1941 			    "could not enable DLD version %d "
1942 			    "for %s (ENOMEM)\n", DLD_CURRENT_VERSION,
1943 			    ill->ill_name);
1944 			return;
1945 		}
1946 		ill->ill_dld_capab = idc;
1947 	}
1948 	idc->idc_capab_df = (ip_capab_func_t)dld.dld_capab;
1949 	idc->idc_capab_dh = (void *)dld.dld_capab_handle;
1950 	ip1dbg(("ill_capability_dld_ack: interface %s "
1951 	    "supports DLD version %d\n", ill->ill_name, DLD_CURRENT_VERSION));
1952 
1953 	ill_capability_dld_enable(ill);
1954 }
1955 
1956 /*
1957  * Typically capability negotiation between IP and the driver happens via
1958  * DLPI message exchange. However GLD also offers a direct function call
1959  * mechanism to exchange the DLD_DIRECT_CAPAB and DLD_POLL_CAPAB capabilities,
1960  * But arbitrary function calls into IP or GLD are not permitted, since both
1961  * of them are protected by their own perimeter mechanism. The perimeter can
1962  * be viewed as a coarse lock or serialization mechanism. The hierarchy of
1963  * these perimeters is IP -> MAC. Thus for example to enable the squeue
1964  * polling, IP needs to enter its perimeter, then call ill_mac_perim_enter
1965  * to enter the mac perimeter and then do the direct function calls into
1966  * GLD to enable squeue polling. The ring related callbacks from the mac into
1967  * the stack to add, bind, quiesce, restart or cleanup a ring are all
1968  * protected by the mac perimeter.
1969  */
1970 static void
1971 ill_mac_perim_enter(ill_t *ill, mac_perim_handle_t *mphp)
1972 {
1973 	ill_dld_capab_t		*idc = ill->ill_dld_capab;
1974 	int			err;
1975 
1976 	err = idc->idc_capab_df(idc->idc_capab_dh, DLD_CAPAB_PERIM, mphp,
1977 	    DLD_ENABLE);
1978 	ASSERT(err == 0);
1979 }
1980 
1981 static void
1982 ill_mac_perim_exit(ill_t *ill, mac_perim_handle_t mph)
1983 {
1984 	ill_dld_capab_t		*idc = ill->ill_dld_capab;
1985 	int			err;
1986 
1987 	err = idc->idc_capab_df(idc->idc_capab_dh, DLD_CAPAB_PERIM, mph,
1988 	    DLD_DISABLE);
1989 	ASSERT(err == 0);
1990 }
1991 
1992 boolean_t
1993 ill_mac_perim_held(ill_t *ill)
1994 {
1995 	ill_dld_capab_t		*idc = ill->ill_dld_capab;
1996 
1997 	return (idc->idc_capab_df(idc->idc_capab_dh, DLD_CAPAB_PERIM, NULL,
1998 	    DLD_QUERY));
1999 }
2000 
2001 static void
2002 ill_capability_direct_enable(ill_t *ill)
2003 {
2004 	ill_dld_capab_t		*idc = ill->ill_dld_capab;
2005 	ill_dld_direct_t	*idd = &idc->idc_direct;
2006 	dld_capab_direct_t	direct;
2007 	int			rc;
2008 
2009 	ASSERT(!ill->ill_isv6 && IAM_WRITER_ILL(ill));
2010 
2011 	bzero(&direct, sizeof (direct));
2012 	direct.di_rx_cf = (uintptr_t)ip_input;
2013 	direct.di_rx_ch = ill;
2014 
2015 	rc = idc->idc_capab_df(idc->idc_capab_dh, DLD_CAPAB_DIRECT, &direct,
2016 	    DLD_ENABLE);
2017 	if (rc == 0) {
2018 		idd->idd_tx_df = (ip_dld_tx_t)direct.di_tx_df;
2019 		idd->idd_tx_dh = direct.di_tx_dh;
2020 		idd->idd_tx_cb_df = (ip_dld_callb_t)direct.di_tx_cb_df;
2021 		idd->idd_tx_cb_dh = direct.di_tx_cb_dh;
2022 		idd->idd_tx_fctl_df = (ip_dld_fctl_t)direct.di_tx_fctl_df;
2023 		idd->idd_tx_fctl_dh = direct.di_tx_fctl_dh;
2024 		ASSERT(idd->idd_tx_cb_df != NULL);
2025 		ASSERT(idd->idd_tx_fctl_df != NULL);
2026 		ASSERT(idd->idd_tx_df != NULL);
2027 		/*
2028 		 * One time registration of flow enable callback function
2029 		 */
2030 		ill->ill_flownotify_mh = idd->idd_tx_cb_df(idd->idd_tx_cb_dh,
2031 		    ill_flow_enable, ill);
2032 		ill->ill_capabilities |= ILL_CAPAB_DLD_DIRECT;
2033 		DTRACE_PROBE1(direct_on, (ill_t *), ill);
2034 	} else {
2035 		cmn_err(CE_WARN, "warning: could not enable DIRECT "
2036 		    "capability, rc = %d\n", rc);
2037 		DTRACE_PROBE2(direct_off, (ill_t *), ill, (int), rc);
2038 	}
2039 }
2040 
2041 static void
2042 ill_capability_poll_enable(ill_t *ill)
2043 {
2044 	ill_dld_capab_t		*idc = ill->ill_dld_capab;
2045 	dld_capab_poll_t	poll;
2046 	int			rc;
2047 
2048 	ASSERT(!ill->ill_isv6 && IAM_WRITER_ILL(ill));
2049 
2050 	bzero(&poll, sizeof (poll));
2051 	poll.poll_ring_add_cf = (uintptr_t)ip_squeue_add_ring;
2052 	poll.poll_ring_remove_cf = (uintptr_t)ip_squeue_clean_ring;
2053 	poll.poll_ring_quiesce_cf = (uintptr_t)ip_squeue_quiesce_ring;
2054 	poll.poll_ring_restart_cf = (uintptr_t)ip_squeue_restart_ring;
2055 	poll.poll_ring_bind_cf = (uintptr_t)ip_squeue_bind_ring;
2056 	poll.poll_ring_ch = ill;
2057 	rc = idc->idc_capab_df(idc->idc_capab_dh, DLD_CAPAB_POLL, &poll,
2058 	    DLD_ENABLE);
2059 	if (rc == 0) {
2060 		ill->ill_capabilities |= ILL_CAPAB_DLD_POLL;
2061 		DTRACE_PROBE1(poll_on, (ill_t *), ill);
2062 	} else {
2063 		ip1dbg(("warning: could not enable POLL "
2064 		    "capability, rc = %d\n", rc));
2065 		DTRACE_PROBE2(poll_off, (ill_t *), ill, (int), rc);
2066 	}
2067 }
2068 
2069 /*
2070  * Enable the LSO capability.
2071  */
2072 static void
2073 ill_capability_lso_enable(ill_t *ill)
2074 {
2075 	ill_dld_capab_t	*idc = ill->ill_dld_capab;
2076 	dld_capab_lso_t	lso;
2077 	int rc;
2078 
2079 	ASSERT(!ill->ill_isv6 && IAM_WRITER_ILL(ill));
2080 
2081 	if (ill->ill_lso_capab == NULL) {
2082 		ill->ill_lso_capab = kmem_zalloc(sizeof (ill_lso_capab_t),
2083 		    KM_NOSLEEP);
2084 		if (ill->ill_lso_capab == NULL) {
2085 			cmn_err(CE_WARN, "ill_capability_lso_enable: "
2086 			    "could not enable LSO for %s (ENOMEM)\n",
2087 			    ill->ill_name);
2088 			return;
2089 		}
2090 	}
2091 
2092 	bzero(&lso, sizeof (lso));
2093 	if ((rc = idc->idc_capab_df(idc->idc_capab_dh, DLD_CAPAB_LSO, &lso,
2094 	    DLD_ENABLE)) == 0) {
2095 		ill->ill_lso_capab->ill_lso_flags = lso.lso_flags;
2096 		ill->ill_lso_capab->ill_lso_max = lso.lso_max;
2097 		ill->ill_capabilities |= ILL_CAPAB_LSO;
2098 		ip1dbg(("ill_capability_lso_enable: interface %s "
2099 		    "has enabled LSO\n ", ill->ill_name));
2100 	} else {
2101 		kmem_free(ill->ill_lso_capab, sizeof (ill_lso_capab_t));
2102 		ill->ill_lso_capab = NULL;
2103 		DTRACE_PROBE2(lso_off, (ill_t *), ill, (int), rc);
2104 	}
2105 }
2106 
2107 static void
2108 ill_capability_dld_enable(ill_t *ill)
2109 {
2110 	mac_perim_handle_t mph;
2111 
2112 	ASSERT(IAM_WRITER_ILL(ill));
2113 
2114 	if (ill->ill_isv6)
2115 		return;
2116 
2117 	ill_mac_perim_enter(ill, &mph);
2118 	if (!ill->ill_isv6) {
2119 		ill_capability_direct_enable(ill);
2120 		ill_capability_poll_enable(ill);
2121 		ill_capability_lso_enable(ill);
2122 	}
2123 	ill->ill_capabilities |= ILL_CAPAB_DLD;
2124 	ill_mac_perim_exit(ill, mph);
2125 }
2126 
2127 static void
2128 ill_capability_dld_disable(ill_t *ill)
2129 {
2130 	ill_dld_capab_t	*idc;
2131 	ill_dld_direct_t *idd;
2132 	mac_perim_handle_t	mph;
2133 
2134 	ASSERT(IAM_WRITER_ILL(ill));
2135 
2136 	if (!(ill->ill_capabilities & ILL_CAPAB_DLD))
2137 		return;
2138 
2139 	ill_mac_perim_enter(ill, &mph);
2140 
2141 	idc = ill->ill_dld_capab;
2142 	if ((ill->ill_capabilities & ILL_CAPAB_DLD_DIRECT) != 0) {
2143 		/*
2144 		 * For performance we avoid locks in the transmit data path
2145 		 * and don't maintain a count of the number of threads using
2146 		 * direct calls. Thus some threads could be using direct
2147 		 * transmit calls to GLD, even after the capability mechanism
2148 		 * turns it off. This is still safe since the handles used in
2149 		 * the direct calls continue to be valid until the unplumb is
2150 		 * completed. Remove the callback that was added (1-time) at
2151 		 * capab enable time.
2152 		 */
2153 		mutex_enter(&ill->ill_lock);
2154 		ill->ill_capabilities &= ~ILL_CAPAB_DLD_DIRECT;
2155 		mutex_exit(&ill->ill_lock);
2156 		if (ill->ill_flownotify_mh != NULL) {
2157 			idd = &idc->idc_direct;
2158 			idd->idd_tx_cb_df(idd->idd_tx_cb_dh, NULL,
2159 			    ill->ill_flownotify_mh);
2160 			ill->ill_flownotify_mh = NULL;
2161 		}
2162 		(void) idc->idc_capab_df(idc->idc_capab_dh, DLD_CAPAB_DIRECT,
2163 		    NULL, DLD_DISABLE);
2164 	}
2165 
2166 	if ((ill->ill_capabilities & ILL_CAPAB_DLD_POLL) != 0) {
2167 		ill->ill_capabilities &= ~ILL_CAPAB_DLD_POLL;
2168 		ip_squeue_clean_all(ill);
2169 		(void) idc->idc_capab_df(idc->idc_capab_dh, DLD_CAPAB_POLL,
2170 		    NULL, DLD_DISABLE);
2171 	}
2172 
2173 	if ((ill->ill_capabilities & ILL_CAPAB_LSO) != 0) {
2174 		ASSERT(ill->ill_lso_capab != NULL);
2175 		/*
2176 		 * Clear the capability flag for LSO but retain the
2177 		 * ill_lso_capab structure since it's possible that another
2178 		 * thread is still referring to it.  The structure only gets
2179 		 * deallocated when we destroy the ill.
2180 		 */
2181 
2182 		ill->ill_capabilities &= ~ILL_CAPAB_LSO;
2183 		(void) idc->idc_capab_df(idc->idc_capab_dh, DLD_CAPAB_LSO,
2184 		    NULL, DLD_DISABLE);
2185 	}
2186 
2187 	ill->ill_capabilities &= ~ILL_CAPAB_DLD;
2188 	ill_mac_perim_exit(ill, mph);
2189 }
2190 
2191 /*
2192  * Capability Negotiation protocol
2193  *
2194  * We don't wait for DLPI capability operations to finish during interface
2195  * bringup or teardown. Doing so would introduce more asynchrony and the
2196  * interface up/down operations will need multiple return and restarts.
2197  * Instead the 'ipsq_current_ipif' of the ipsq is not cleared as long as
2198  * the 'ill_dlpi_deferred' chain is non-empty. This ensures that the next
2199  * exclusive operation won't start until the DLPI operations of the previous
2200  * exclusive operation complete.
2201  *
2202  * The capability state machine is shown below.
2203  *
2204  * state		next state		event, action
2205  *
2206  * IDCS_UNKNOWN 	IDCS_PROBE_SENT		ill_capability_probe
2207  * IDCS_PROBE_SENT	IDCS_OK			ill_capability_ack
2208  * IDCS_PROBE_SENT	IDCS_FAILED		ip_rput_dlpi_writer (nack)
2209  * IDCS_OK		IDCS_RENEG		Receipt of DL_NOTE_CAPAB_RENEG
2210  * IDCS_OK		IDCS_RESET_SENT		ill_capability_reset
2211  * IDCS_RESET_SENT	IDCS_UNKNOWN		ill_capability_ack_thr
2212  * IDCS_RENEG		IDCS_PROBE_SENT		ill_capability_ack_thr ->
2213  *						    ill_capability_probe.
2214  */
2215 
2216 /*
2217  * Dedicated thread started from ip_stack_init that handles capability
2218  * disable. This thread ensures the taskq dispatch does not fail by waiting
2219  * for resources using TQ_SLEEP. The taskq mechanism is used to ensure
2220  * that direct calls to DLD are done in a cv_waitable context.
2221  */
2222 void
2223 ill_taskq_dispatch(ip_stack_t *ipst)
2224 {
2225 	callb_cpr_t cprinfo;
2226 	char 	name[64];
2227 	mblk_t	*mp;
2228 
2229 	(void) snprintf(name, sizeof (name), "ill_taskq_dispatch_%d",
2230 	    ipst->ips_netstack->netstack_stackid);
2231 	CALLB_CPR_INIT(&cprinfo, &ipst->ips_capab_taskq_lock, callb_generic_cpr,
2232 	    name);
2233 	mutex_enter(&ipst->ips_capab_taskq_lock);
2234 
2235 	for (;;) {
2236 		mp = ipst->ips_capab_taskq_head;
2237 		while (mp != NULL) {
2238 			ipst->ips_capab_taskq_head = mp->b_next;
2239 			if (ipst->ips_capab_taskq_head == NULL)
2240 				ipst->ips_capab_taskq_tail = NULL;
2241 			mutex_exit(&ipst->ips_capab_taskq_lock);
2242 			mp->b_next = NULL;
2243 
2244 			VERIFY(taskq_dispatch(system_taskq,
2245 			    ill_capability_ack_thr, mp, TQ_SLEEP) != 0);
2246 			mutex_enter(&ipst->ips_capab_taskq_lock);
2247 			mp = ipst->ips_capab_taskq_head;
2248 		}
2249 
2250 		if (ipst->ips_capab_taskq_quit)
2251 			break;
2252 		CALLB_CPR_SAFE_BEGIN(&cprinfo);
2253 		cv_wait(&ipst->ips_capab_taskq_cv, &ipst->ips_capab_taskq_lock);
2254 		CALLB_CPR_SAFE_END(&cprinfo, &ipst->ips_capab_taskq_lock);
2255 	}
2256 	VERIFY(ipst->ips_capab_taskq_head == NULL);
2257 	VERIFY(ipst->ips_capab_taskq_tail == NULL);
2258 	CALLB_CPR_EXIT(&cprinfo);
2259 	thread_exit();
2260 }
2261 
2262 /*
2263  * Consume a new-style hardware capabilities negotiation ack.
2264  * Called via taskq on receipt of DL_CAPABILITY_ACK.
2265  */
2266 static void
2267 ill_capability_ack_thr(void *arg)
2268 {
2269 	mblk_t	*mp = arg;
2270 	dl_capability_ack_t *capp;
2271 	dl_capability_sub_t *subp, *endp;
2272 	ill_t	*ill;
2273 	boolean_t reneg;
2274 
2275 	ill = (ill_t *)mp->b_prev;
2276 	mp->b_prev = NULL;
2277 
2278 	VERIFY(ipsq_enter(ill, B_FALSE, CUR_OP) == B_TRUE);
2279 
2280 	if (ill->ill_dlpi_capab_state == IDCS_RESET_SENT ||
2281 	    ill->ill_dlpi_capab_state == IDCS_RENEG) {
2282 		/*
2283 		 * We have received the ack for our DL_CAPAB reset request.
2284 		 * There isnt' anything in the message that needs processing.
2285 		 * All message based capabilities have been disabled, now
2286 		 * do the function call based capability disable.
2287 		 */
2288 		reneg = ill->ill_dlpi_capab_state == IDCS_RENEG;
2289 		ill_capability_dld_disable(ill);
2290 		ill->ill_dlpi_capab_state = IDCS_UNKNOWN;
2291 		if (reneg)
2292 			ill_capability_probe(ill);
2293 		goto done;
2294 	}
2295 
2296 	if (ill->ill_dlpi_capab_state == IDCS_PROBE_SENT)
2297 		ill->ill_dlpi_capab_state = IDCS_OK;
2298 
2299 	capp = (dl_capability_ack_t *)mp->b_rptr;
2300 
2301 	if (capp->dl_sub_length == 0) {
2302 		/* no new-style capabilities */
2303 		goto done;
2304 	}
2305 
2306 	/* make sure the driver supplied correct dl_sub_length */
2307 	if ((sizeof (*capp) + capp->dl_sub_length) > MBLKL(mp)) {
2308 		ip0dbg(("ill_capability_ack: bad DL_CAPABILITY_ACK, "
2309 		    "invalid dl_sub_length (%d)\n", capp->dl_sub_length));
2310 		goto done;
2311 	}
2312 
2313 #define	SC(base, offset) (dl_capability_sub_t *)(((uchar_t *)(base))+(offset))
2314 	/*
2315 	 * There are sub-capabilities. Process the ones we know about.
2316 	 * Loop until we don't have room for another sub-cap header..
2317 	 */
2318 	for (subp = SC(capp, capp->dl_sub_offset),
2319 	    endp = SC(subp, capp->dl_sub_length - sizeof (*subp));
2320 	    subp <= endp;
2321 	    subp = SC(subp, sizeof (dl_capability_sub_t) + subp->dl_length)) {
2322 
2323 		switch (subp->dl_cap) {
2324 		case DL_CAPAB_ID_WRAPPER:
2325 			ill_capability_id_ack(ill, mp, subp);
2326 			break;
2327 		default:
2328 			ill_capability_dispatch(ill, mp, subp);
2329 			break;
2330 		}
2331 	}
2332 #undef SC
2333 done:
2334 	inet_freemsg(mp);
2335 	ill_capability_done(ill);
2336 	ipsq_exit(ill->ill_phyint->phyint_ipsq);
2337 }
2338 
2339 /*
2340  * This needs to be started in a taskq thread to provide a cv_waitable
2341  * context.
2342  */
2343 void
2344 ill_capability_ack(ill_t *ill, mblk_t *mp)
2345 {
2346 	ip_stack_t	*ipst = ill->ill_ipst;
2347 
2348 	mp->b_prev = (mblk_t *)ill;
2349 	ASSERT(mp->b_next == NULL);
2350 
2351 	if (taskq_dispatch(system_taskq, ill_capability_ack_thr, mp,
2352 	    TQ_NOSLEEP) != 0)
2353 		return;
2354 
2355 	/*
2356 	 * The taskq dispatch failed. Signal the ill_taskq_dispatch thread
2357 	 * which will do the dispatch using TQ_SLEEP to guarantee success.
2358 	 */
2359 	mutex_enter(&ipst->ips_capab_taskq_lock);
2360 	if (ipst->ips_capab_taskq_head == NULL) {
2361 		ASSERT(ipst->ips_capab_taskq_tail == NULL);
2362 		ipst->ips_capab_taskq_head = mp;
2363 	} else {
2364 		ipst->ips_capab_taskq_tail->b_next = mp;
2365 	}
2366 	ipst->ips_capab_taskq_tail = mp;
2367 
2368 	cv_signal(&ipst->ips_capab_taskq_cv);
2369 	mutex_exit(&ipst->ips_capab_taskq_lock);
2370 }
2371 
2372 /*
2373  * This routine is called to scan the fragmentation reassembly table for
2374  * the specified ILL for any packets that are starting to smell.
2375  * dead_interval is the maximum time in seconds that will be tolerated.  It
2376  * will either be the value specified in ip_g_frag_timeout, or zero if the
2377  * ILL is shutting down and it is time to blow everything off.
2378  *
2379  * It returns the number of seconds (as a time_t) that the next frag timer
2380  * should be scheduled for, 0 meaning that the timer doesn't need to be
2381  * re-started.  Note that the method of calculating next_timeout isn't
2382  * entirely accurate since time will flow between the time we grab
2383  * current_time and the time we schedule the next timeout.  This isn't a
2384  * big problem since this is the timer for sending an ICMP reassembly time
2385  * exceeded messages, and it doesn't have to be exactly accurate.
2386  *
2387  * This function is
2388  * sometimes called as writer, although this is not required.
2389  */
2390 time_t
2391 ill_frag_timeout(ill_t *ill, time_t dead_interval)
2392 {
2393 	ipfb_t	*ipfb;
2394 	ipfb_t	*endp;
2395 	ipf_t	*ipf;
2396 	ipf_t	*ipfnext;
2397 	mblk_t	*mp;
2398 	time_t	current_time = gethrestime_sec();
2399 	time_t	next_timeout = 0;
2400 	uint32_t	hdr_length;
2401 	mblk_t	*send_icmp_head;
2402 	mblk_t	*send_icmp_head_v6;
2403 	ip_stack_t *ipst = ill->ill_ipst;
2404 	ip_recv_attr_t iras;
2405 
2406 	bzero(&iras, sizeof (iras));
2407 	iras.ira_flags = 0;
2408 	iras.ira_ill = iras.ira_rill = ill;
2409 	iras.ira_ruifindex = ill->ill_phyint->phyint_ifindex;
2410 	iras.ira_rifindex = iras.ira_ruifindex;
2411 
2412 	ipfb = ill->ill_frag_hash_tbl;
2413 	if (ipfb == NULL)
2414 		return (B_FALSE);
2415 	endp = &ipfb[ILL_FRAG_HASH_TBL_COUNT];
2416 	/* Walk the frag hash table. */
2417 	for (; ipfb < endp; ipfb++) {
2418 		send_icmp_head = NULL;
2419 		send_icmp_head_v6 = NULL;
2420 		mutex_enter(&ipfb->ipfb_lock);
2421 		while ((ipf = ipfb->ipfb_ipf) != 0) {
2422 			time_t frag_time = current_time - ipf->ipf_timestamp;
2423 			time_t frag_timeout;
2424 
2425 			if (frag_time < dead_interval) {
2426 				/*
2427 				 * There are some outstanding fragments
2428 				 * that will timeout later.  Make note of
2429 				 * the time so that we can reschedule the
2430 				 * next timeout appropriately.
2431 				 */
2432 				frag_timeout = dead_interval - frag_time;
2433 				if (next_timeout == 0 ||
2434 				    frag_timeout < next_timeout) {
2435 					next_timeout = frag_timeout;
2436 				}
2437 				break;
2438 			}
2439 			/* Time's up.  Get it out of here. */
2440 			hdr_length = ipf->ipf_nf_hdr_len;
2441 			ipfnext = ipf->ipf_hash_next;
2442 			if (ipfnext)
2443 				ipfnext->ipf_ptphn = ipf->ipf_ptphn;
2444 			*ipf->ipf_ptphn = ipfnext;
2445 			mp = ipf->ipf_mp->b_cont;
2446 			for (; mp; mp = mp->b_cont) {
2447 				/* Extra points for neatness. */
2448 				IP_REASS_SET_START(mp, 0);
2449 				IP_REASS_SET_END(mp, 0);
2450 			}
2451 			mp = ipf->ipf_mp->b_cont;
2452 			atomic_add_32(&ill->ill_frag_count, -ipf->ipf_count);
2453 			ASSERT(ipfb->ipfb_count >= ipf->ipf_count);
2454 			ipfb->ipfb_count -= ipf->ipf_count;
2455 			ASSERT(ipfb->ipfb_frag_pkts > 0);
2456 			ipfb->ipfb_frag_pkts--;
2457 			/*
2458 			 * We do not send any icmp message from here because
2459 			 * we currently are holding the ipfb_lock for this
2460 			 * hash chain. If we try and send any icmp messages
2461 			 * from here we may end up via a put back into ip
2462 			 * trying to get the same lock, causing a recursive
2463 			 * mutex panic. Instead we build a list and send all
2464 			 * the icmp messages after we have dropped the lock.
2465 			 */
2466 			if (ill->ill_isv6) {
2467 				if (hdr_length != 0) {
2468 					mp->b_next = send_icmp_head_v6;
2469 					send_icmp_head_v6 = mp;
2470 				} else {
2471 					freemsg(mp);
2472 				}
2473 			} else {
2474 				if (hdr_length != 0) {
2475 					mp->b_next = send_icmp_head;
2476 					send_icmp_head = mp;
2477 				} else {
2478 					freemsg(mp);
2479 				}
2480 			}
2481 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsReasmFails);
2482 			ip_drop_input("ipIfStatsReasmFails", ipf->ipf_mp, ill);
2483 			freeb(ipf->ipf_mp);
2484 		}
2485 		mutex_exit(&ipfb->ipfb_lock);
2486 		/*
2487 		 * Now need to send any icmp messages that we delayed from
2488 		 * above.
2489 		 */
2490 		while (send_icmp_head_v6 != NULL) {
2491 			ip6_t *ip6h;
2492 
2493 			mp = send_icmp_head_v6;
2494 			send_icmp_head_v6 = send_icmp_head_v6->b_next;
2495 			mp->b_next = NULL;
2496 			ip6h = (ip6_t *)mp->b_rptr;
2497 			iras.ira_flags = 0;
2498 			/*
2499 			 * This will result in an incorrect ALL_ZONES zoneid
2500 			 * for multicast packets, but we
2501 			 * don't send ICMP errors for those in any case.
2502 			 */
2503 			iras.ira_zoneid =
2504 			    ipif_lookup_addr_zoneid_v6(&ip6h->ip6_dst,
2505 			    ill, ipst);
2506 			ip_drop_input("ICMP_TIME_EXCEEDED reass", mp, ill);
2507 			icmp_time_exceeded_v6(mp,
2508 			    ICMP_REASSEMBLY_TIME_EXCEEDED, B_FALSE,
2509 			    &iras);
2510 			ASSERT(!(iras.ira_flags & IRAF_IPSEC_SECURE));
2511 		}
2512 		while (send_icmp_head != NULL) {
2513 			ipaddr_t dst;
2514 
2515 			mp = send_icmp_head;
2516 			send_icmp_head = send_icmp_head->b_next;
2517 			mp->b_next = NULL;
2518 
2519 			dst = ((ipha_t *)mp->b_rptr)->ipha_dst;
2520 
2521 			iras.ira_flags = IRAF_IS_IPV4;
2522 			/*
2523 			 * This will result in an incorrect ALL_ZONES zoneid
2524 			 * for broadcast and multicast packets, but we
2525 			 * don't send ICMP errors for those in any case.
2526 			 */
2527 			iras.ira_zoneid = ipif_lookup_addr_zoneid(dst,
2528 			    ill, ipst);
2529 			ip_drop_input("ICMP_TIME_EXCEEDED reass", mp, ill);
2530 			icmp_time_exceeded(mp,
2531 			    ICMP_REASSEMBLY_TIME_EXCEEDED, &iras);
2532 			ASSERT(!(iras.ira_flags & IRAF_IPSEC_SECURE));
2533 		}
2534 	}
2535 	/*
2536 	 * A non-dying ILL will use the return value to decide whether to
2537 	 * restart the frag timer, and for how long.
2538 	 */
2539 	return (next_timeout);
2540 }
2541 
2542 /*
2543  * This routine is called when the approximate count of mblk memory used
2544  * for the specified ILL has exceeded max_count.
2545  */
2546 void
2547 ill_frag_prune(ill_t *ill, uint_t max_count)
2548 {
2549 	ipfb_t	*ipfb;
2550 	ipf_t	*ipf;
2551 	size_t	count;
2552 	clock_t now;
2553 
2554 	/*
2555 	 * If we are here within ip_min_frag_prune_time msecs remove
2556 	 * ill_frag_free_num_pkts oldest packets from each bucket and increment
2557 	 * ill_frag_free_num_pkts.
2558 	 */
2559 	mutex_enter(&ill->ill_lock);
2560 	now = ddi_get_lbolt();
2561 	if (TICK_TO_MSEC(now - ill->ill_last_frag_clean_time) <=
2562 	    (ip_min_frag_prune_time != 0 ?
2563 	    ip_min_frag_prune_time : msec_per_tick)) {
2564 
2565 		ill->ill_frag_free_num_pkts++;
2566 
2567 	} else {
2568 		ill->ill_frag_free_num_pkts = 0;
2569 	}
2570 	ill->ill_last_frag_clean_time = now;
2571 	mutex_exit(&ill->ill_lock);
2572 
2573 	/*
2574 	 * free ill_frag_free_num_pkts oldest packets from each bucket.
2575 	 */
2576 	if (ill->ill_frag_free_num_pkts != 0) {
2577 		int ix;
2578 
2579 		for (ix = 0; ix < ILL_FRAG_HASH_TBL_COUNT; ix++) {
2580 			ipfb = &ill->ill_frag_hash_tbl[ix];
2581 			mutex_enter(&ipfb->ipfb_lock);
2582 			if (ipfb->ipfb_ipf != NULL) {
2583 				ill_frag_free_pkts(ill, ipfb, ipfb->ipfb_ipf,
2584 				    ill->ill_frag_free_num_pkts);
2585 			}
2586 			mutex_exit(&ipfb->ipfb_lock);
2587 		}
2588 	}
2589 	/*
2590 	 * While the reassembly list for this ILL is too big, prune a fragment
2591 	 * queue by age, oldest first.
2592 	 */
2593 	while (ill->ill_frag_count > max_count) {
2594 		int	ix;
2595 		ipfb_t	*oipfb = NULL;
2596 		uint_t	oldest = UINT_MAX;
2597 
2598 		count = 0;
2599 		for (ix = 0; ix < ILL_FRAG_HASH_TBL_COUNT; ix++) {
2600 			ipfb = &ill->ill_frag_hash_tbl[ix];
2601 			mutex_enter(&ipfb->ipfb_lock);
2602 			ipf = ipfb->ipfb_ipf;
2603 			if (ipf != NULL && ipf->ipf_gen < oldest) {
2604 				oldest = ipf->ipf_gen;
2605 				oipfb = ipfb;
2606 			}
2607 			count += ipfb->ipfb_count;
2608 			mutex_exit(&ipfb->ipfb_lock);
2609 		}
2610 		if (oipfb == NULL)
2611 			break;
2612 
2613 		if (count <= max_count)
2614 			return;	/* Somebody beat us to it, nothing to do */
2615 		mutex_enter(&oipfb->ipfb_lock);
2616 		ipf = oipfb->ipfb_ipf;
2617 		if (ipf != NULL) {
2618 			ill_frag_free_pkts(ill, oipfb, ipf, 1);
2619 		}
2620 		mutex_exit(&oipfb->ipfb_lock);
2621 	}
2622 }
2623 
2624 /*
2625  * free 'free_cnt' fragmented packets starting at ipf.
2626  */
2627 void
2628 ill_frag_free_pkts(ill_t *ill, ipfb_t *ipfb, ipf_t *ipf, int free_cnt)
2629 {
2630 	size_t	count;
2631 	mblk_t	*mp;
2632 	mblk_t	*tmp;
2633 	ipf_t **ipfp = ipf->ipf_ptphn;
2634 
2635 	ASSERT(MUTEX_HELD(&ipfb->ipfb_lock));
2636 	ASSERT(ipfp != NULL);
2637 	ASSERT(ipf != NULL);
2638 
2639 	while (ipf != NULL && free_cnt-- > 0) {
2640 		count = ipf->ipf_count;
2641 		mp = ipf->ipf_mp;
2642 		ipf = ipf->ipf_hash_next;
2643 		for (tmp = mp; tmp; tmp = tmp->b_cont) {
2644 			IP_REASS_SET_START(tmp, 0);
2645 			IP_REASS_SET_END(tmp, 0);
2646 		}
2647 		atomic_add_32(&ill->ill_frag_count, -count);
2648 		ASSERT(ipfb->ipfb_count >= count);
2649 		ipfb->ipfb_count -= count;
2650 		ASSERT(ipfb->ipfb_frag_pkts > 0);
2651 		ipfb->ipfb_frag_pkts--;
2652 		BUMP_MIB(ill->ill_ip_mib, ipIfStatsReasmFails);
2653 		ip_drop_input("ipIfStatsReasmFails", mp, ill);
2654 		freemsg(mp);
2655 	}
2656 
2657 	if (ipf)
2658 		ipf->ipf_ptphn = ipfp;
2659 	ipfp[0] = ipf;
2660 }
2661 
2662 /*
2663  * Helper function for ill_forward_set().
2664  */
2665 static void
2666 ill_forward_set_on_ill(ill_t *ill, boolean_t enable)
2667 {
2668 	ip_stack_t	*ipst = ill->ill_ipst;
2669 
2670 	ASSERT(IAM_WRITER_ILL(ill) || RW_READ_HELD(&ipst->ips_ill_g_lock));
2671 
2672 	ip1dbg(("ill_forward_set: %s %s forwarding on %s",
2673 	    (enable ? "Enabling" : "Disabling"),
2674 	    (ill->ill_isv6 ? "IPv6" : "IPv4"), ill->ill_name));
2675 	mutex_enter(&ill->ill_lock);
2676 	if (enable)
2677 		ill->ill_flags |= ILLF_ROUTER;
2678 	else
2679 		ill->ill_flags &= ~ILLF_ROUTER;
2680 	mutex_exit(&ill->ill_lock);
2681 	if (ill->ill_isv6)
2682 		ill_set_nce_router_flags(ill, enable);
2683 	/* Notify routing socket listeners of this change. */
2684 	if (ill->ill_ipif != NULL)
2685 		ip_rts_ifmsg(ill->ill_ipif, RTSQ_DEFAULT);
2686 }
2687 
2688 /*
2689  * Set an ill's ILLF_ROUTER flag appropriately.  Send up RTS_IFINFO routing
2690  * socket messages for each interface whose flags we change.
2691  */
2692 int
2693 ill_forward_set(ill_t *ill, boolean_t enable)
2694 {
2695 	ipmp_illgrp_t *illg;
2696 	ip_stack_t *ipst = ill->ill_ipst;
2697 
2698 	ASSERT(IAM_WRITER_ILL(ill) || RW_READ_HELD(&ipst->ips_ill_g_lock));
2699 
2700 	if ((enable && (ill->ill_flags & ILLF_ROUTER)) ||
2701 	    (!enable && !(ill->ill_flags & ILLF_ROUTER)))
2702 		return (0);
2703 
2704 	if (IS_LOOPBACK(ill))
2705 		return (EINVAL);
2706 
2707 	if (enable && ill->ill_allowed_ips_cnt > 0)
2708 		return (EPERM);
2709 
2710 	if (IS_IPMP(ill) || IS_UNDER_IPMP(ill)) {
2711 		/*
2712 		 * Update all of the interfaces in the group.
2713 		 */
2714 		illg = ill->ill_grp;
2715 		ill = list_head(&illg->ig_if);
2716 		for (; ill != NULL; ill = list_next(&illg->ig_if, ill))
2717 			ill_forward_set_on_ill(ill, enable);
2718 
2719 		/*
2720 		 * Update the IPMP meta-interface.
2721 		 */
2722 		ill_forward_set_on_ill(ipmp_illgrp_ipmp_ill(illg), enable);
2723 		return (0);
2724 	}
2725 
2726 	ill_forward_set_on_ill(ill, enable);
2727 	return (0);
2728 }
2729 
2730 /*
2731  * Based on the ILLF_ROUTER flag of an ill, make sure all local nce's for
2732  * addresses assigned to the ill have the NCE_F_ISROUTER flag appropriately
2733  * set or clear.
2734  */
2735 static void
2736 ill_set_nce_router_flags(ill_t *ill, boolean_t enable)
2737 {
2738 	ipif_t *ipif;
2739 	ncec_t *ncec;
2740 	nce_t *nce;
2741 
2742 	for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
2743 		/*
2744 		 * NOTE: we match across the illgrp because nce's for
2745 		 * addresses on IPMP interfaces have an nce_ill that points to
2746 		 * the bound underlying ill.
2747 		 */
2748 		nce = nce_lookup_v6(ill, &ipif->ipif_v6lcl_addr);
2749 		if (nce != NULL) {
2750 			ncec = nce->nce_common;
2751 			mutex_enter(&ncec->ncec_lock);
2752 			if (enable)
2753 				ncec->ncec_flags |= NCE_F_ISROUTER;
2754 			else
2755 				ncec->ncec_flags &= ~NCE_F_ISROUTER;
2756 			mutex_exit(&ncec->ncec_lock);
2757 			nce_refrele(nce);
2758 		}
2759 	}
2760 }
2761 
2762 /*
2763  * Intializes the context structure and returns the first ill in the list
2764  * cuurently start_list and end_list can have values:
2765  * MAX_G_HEADS		Traverse both IPV4 and IPV6 lists.
2766  * IP_V4_G_HEAD		Traverse IPV4 list only.
2767  * IP_V6_G_HEAD		Traverse IPV6 list only.
2768  */
2769 
2770 /*
2771  * We don't check for CONDEMNED ills here. Caller must do that if
2772  * necessary under the ill lock.
2773  */
2774 ill_t *
2775 ill_first(int start_list, int end_list, ill_walk_context_t *ctx,
2776     ip_stack_t *ipst)
2777 {
2778 	ill_if_t *ifp;
2779 	ill_t *ill;
2780 	avl_tree_t *avl_tree;
2781 
2782 	ASSERT(RW_LOCK_HELD(&ipst->ips_ill_g_lock));
2783 	ASSERT(end_list <= MAX_G_HEADS && start_list >= 0);
2784 
2785 	/*
2786 	 * setup the lists to search
2787 	 */
2788 	if (end_list != MAX_G_HEADS) {
2789 		ctx->ctx_current_list = start_list;
2790 		ctx->ctx_last_list = end_list;
2791 	} else {
2792 		ctx->ctx_last_list = MAX_G_HEADS - 1;
2793 		ctx->ctx_current_list = 0;
2794 	}
2795 
2796 	while (ctx->ctx_current_list <= ctx->ctx_last_list) {
2797 		ifp = IP_VX_ILL_G_LIST(ctx->ctx_current_list, ipst);
2798 		if (ifp != (ill_if_t *)
2799 		    &IP_VX_ILL_G_LIST(ctx->ctx_current_list, ipst)) {
2800 			avl_tree = &ifp->illif_avl_by_ppa;
2801 			ill = avl_first(avl_tree);
2802 			/*
2803 			 * ill is guaranteed to be non NULL or ifp should have
2804 			 * not existed.
2805 			 */
2806 			ASSERT(ill != NULL);
2807 			return (ill);
2808 		}
2809 		ctx->ctx_current_list++;
2810 	}
2811 
2812 	return (NULL);
2813 }
2814 
2815 /*
2816  * returns the next ill in the list. ill_first() must have been called
2817  * before calling ill_next() or bad things will happen.
2818  */
2819 
2820 /*
2821  * We don't check for CONDEMNED ills here. Caller must do that if
2822  * necessary under the ill lock.
2823  */
2824 ill_t *
2825 ill_next(ill_walk_context_t *ctx, ill_t *lastill)
2826 {
2827 	ill_if_t *ifp;
2828 	ill_t *ill;
2829 	ip_stack_t	*ipst = lastill->ill_ipst;
2830 
2831 	ASSERT(lastill->ill_ifptr != (ill_if_t *)
2832 	    &IP_VX_ILL_G_LIST(ctx->ctx_current_list, ipst));
2833 	if ((ill = avl_walk(&lastill->ill_ifptr->illif_avl_by_ppa, lastill,
2834 	    AVL_AFTER)) != NULL) {
2835 		return (ill);
2836 	}
2837 
2838 	/* goto next ill_ifp in the list. */
2839 	ifp = lastill->ill_ifptr->illif_next;
2840 
2841 	/* make sure not at end of circular list */
2842 	while (ifp ==
2843 	    (ill_if_t *)&IP_VX_ILL_G_LIST(ctx->ctx_current_list, ipst)) {
2844 		if (++ctx->ctx_current_list > ctx->ctx_last_list)
2845 			return (NULL);
2846 		ifp = IP_VX_ILL_G_LIST(ctx->ctx_current_list, ipst);
2847 	}
2848 
2849 	return (avl_first(&ifp->illif_avl_by_ppa));
2850 }
2851 
2852 /*
2853  * Check interface name for correct format: [a-zA-Z]+[a-zA-Z0-9._]*[0-9]+
2854  * The final number (PPA) must not have any leading zeros.  Upon success, a
2855  * pointer to the start of the PPA is returned; otherwise NULL is returned.
2856  */
2857 static char *
2858 ill_get_ppa_ptr(char *name)
2859 {
2860 	int namelen = strlen(name);
2861 	int end_ndx = namelen - 1;
2862 	int ppa_ndx, i;
2863 
2864 	/*
2865 	 * Check that the first character is [a-zA-Z], and that the last
2866 	 * character is [0-9].
2867 	 */
2868 	if (namelen == 0 || !isalpha(name[0]) || !isdigit(name[end_ndx]))
2869 		return (NULL);
2870 
2871 	/*
2872 	 * Set `ppa_ndx' to the PPA start, and check for leading zeroes.
2873 	 */
2874 	for (ppa_ndx = end_ndx; ppa_ndx > 0; ppa_ndx--)
2875 		if (!isdigit(name[ppa_ndx - 1]))
2876 			break;
2877 
2878 	if (name[ppa_ndx] == '0' && ppa_ndx < end_ndx)
2879 		return (NULL);
2880 
2881 	/*
2882 	 * Check that the intermediate characters are [a-z0-9.]
2883 	 */
2884 	for (i = 1; i < ppa_ndx; i++) {
2885 		if (!isalpha(name[i]) && !isdigit(name[i]) &&
2886 		    name[i] != '.' && name[i] != '_') {
2887 			return (NULL);
2888 		}
2889 	}
2890 
2891 	return (name + ppa_ndx);
2892 }
2893 
2894 /*
2895  * use avl tree to locate the ill.
2896  */
2897 static ill_t *
2898 ill_find_by_name(char *name, boolean_t isv6, ip_stack_t *ipst)
2899 {
2900 	char *ppa_ptr = NULL;
2901 	int len;
2902 	uint_t ppa;
2903 	ill_t *ill = NULL;
2904 	ill_if_t *ifp;
2905 	int list;
2906 
2907 	/*
2908 	 * get ppa ptr
2909 	 */
2910 	if (isv6)
2911 		list = IP_V6_G_HEAD;
2912 	else
2913 		list = IP_V4_G_HEAD;
2914 
2915 	if ((ppa_ptr = ill_get_ppa_ptr(name)) == NULL) {
2916 		return (NULL);
2917 	}
2918 
2919 	len = ppa_ptr - name + 1;
2920 
2921 	ppa = stoi(&ppa_ptr);
2922 
2923 	ifp = IP_VX_ILL_G_LIST(list, ipst);
2924 
2925 	while (ifp != (ill_if_t *)&IP_VX_ILL_G_LIST(list, ipst)) {
2926 		/*
2927 		 * match is done on len - 1 as the name is not null
2928 		 * terminated it contains ppa in addition to the interface
2929 		 * name.
2930 		 */
2931 		if ((ifp->illif_name_len == len) &&
2932 		    bcmp(ifp->illif_name, name, len - 1) == 0) {
2933 			break;
2934 		} else {
2935 			ifp = ifp->illif_next;
2936 		}
2937 	}
2938 
2939 	if (ifp == (ill_if_t *)&IP_VX_ILL_G_LIST(list, ipst)) {
2940 		/*
2941 		 * Even the interface type does not exist.
2942 		 */
2943 		return (NULL);
2944 	}
2945 
2946 	ill = avl_find(&ifp->illif_avl_by_ppa, (void *) &ppa, NULL);
2947 	if (ill != NULL) {
2948 		mutex_enter(&ill->ill_lock);
2949 		if (ILL_CAN_LOOKUP(ill)) {
2950 			ill_refhold_locked(ill);
2951 			mutex_exit(&ill->ill_lock);
2952 			return (ill);
2953 		}
2954 		mutex_exit(&ill->ill_lock);
2955 	}
2956 	return (NULL);
2957 }
2958 
2959 /*
2960  * comparison function for use with avl.
2961  */
2962 static int
2963 ill_compare_ppa(const void *ppa_ptr, const void *ill_ptr)
2964 {
2965 	uint_t ppa;
2966 	uint_t ill_ppa;
2967 
2968 	ASSERT(ppa_ptr != NULL && ill_ptr != NULL);
2969 
2970 	ppa = *((uint_t *)ppa_ptr);
2971 	ill_ppa = ((const ill_t *)ill_ptr)->ill_ppa;
2972 	/*
2973 	 * We want the ill with the lowest ppa to be on the
2974 	 * top.
2975 	 */
2976 	if (ill_ppa < ppa)
2977 		return (1);
2978 	if (ill_ppa > ppa)
2979 		return (-1);
2980 	return (0);
2981 }
2982 
2983 /*
2984  * remove an interface type from the global list.
2985  */
2986 static void
2987 ill_delete_interface_type(ill_if_t *interface)
2988 {
2989 	ASSERT(interface != NULL);
2990 	ASSERT(avl_numnodes(&interface->illif_avl_by_ppa) == 0);
2991 
2992 	avl_destroy(&interface->illif_avl_by_ppa);
2993 	if (interface->illif_ppa_arena != NULL)
2994 		vmem_destroy(interface->illif_ppa_arena);
2995 
2996 	remque(interface);
2997 
2998 	mi_free(interface);
2999 }
3000 
3001 /*
3002  * remove ill from the global list.
3003  */
3004 static void
3005 ill_glist_delete(ill_t *ill)
3006 {
3007 	ip_stack_t	*ipst;
3008 	phyint_t	*phyi;
3009 
3010 	if (ill == NULL)
3011 		return;
3012 	ipst = ill->ill_ipst;
3013 	rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
3014 
3015 	/*
3016 	 * If the ill was never inserted into the AVL tree
3017 	 * we skip the if branch.
3018 	 */
3019 	if (ill->ill_ifptr != NULL) {
3020 		/*
3021 		 * remove from AVL tree and free ppa number
3022 		 */
3023 		avl_remove(&ill->ill_ifptr->illif_avl_by_ppa, ill);
3024 
3025 		if (ill->ill_ifptr->illif_ppa_arena != NULL) {
3026 			vmem_free(ill->ill_ifptr->illif_ppa_arena,
3027 			    (void *)(uintptr_t)(ill->ill_ppa+1), 1);
3028 		}
3029 		if (avl_numnodes(&ill->ill_ifptr->illif_avl_by_ppa) == 0) {
3030 			ill_delete_interface_type(ill->ill_ifptr);
3031 		}
3032 
3033 		/*
3034 		 * Indicate ill is no longer in the list.
3035 		 */
3036 		ill->ill_ifptr = NULL;
3037 		ill->ill_name_length = 0;
3038 		ill->ill_name[0] = '\0';
3039 		ill->ill_ppa = UINT_MAX;
3040 	}
3041 
3042 	/* Generate one last event for this ill. */
3043 	ill_nic_event_dispatch(ill, 0, NE_UNPLUMB, ill->ill_name,
3044 	    ill->ill_name_length);
3045 
3046 	ASSERT(ill->ill_phyint != NULL);
3047 	phyi = ill->ill_phyint;
3048 	ill->ill_phyint = NULL;
3049 
3050 	/*
3051 	 * ill_init allocates a phyint always to store the copy
3052 	 * of flags relevant to phyint. At that point in time, we could
3053 	 * not assign the name and hence phyint_illv4/v6 could not be
3054 	 * initialized. Later in ipif_set_values, we assign the name to
3055 	 * the ill, at which point in time we assign phyint_illv4/v6.
3056 	 * Thus we don't rely on phyint_illv6 to be initialized always.
3057 	 */
3058 	if (ill->ill_flags & ILLF_IPV6)
3059 		phyi->phyint_illv6 = NULL;
3060 	else
3061 		phyi->phyint_illv4 = NULL;
3062 
3063 	if (phyi->phyint_illv4 != NULL || phyi->phyint_illv6 != NULL) {
3064 		rw_exit(&ipst->ips_ill_g_lock);
3065 		return;
3066 	}
3067 
3068 	/*
3069 	 * There are no ills left on this phyint; pull it out of the phyint
3070 	 * avl trees, and free it.
3071 	 */
3072 	if (phyi->phyint_ifindex > 0) {
3073 		avl_remove(&ipst->ips_phyint_g_list->phyint_list_avl_by_index,
3074 		    phyi);
3075 		avl_remove(&ipst->ips_phyint_g_list->phyint_list_avl_by_name,
3076 		    phyi);
3077 	}
3078 	rw_exit(&ipst->ips_ill_g_lock);
3079 
3080 	phyint_free(phyi);
3081 }
3082 
3083 /*
3084  * allocate a ppa, if the number of plumbed interfaces of this type are
3085  * less than ill_no_arena do a linear search to find a unused ppa.
3086  * When the number goes beyond ill_no_arena switch to using an arena.
3087  * Note: ppa value of zero cannot be allocated from vmem_arena as it
3088  * is the return value for an error condition, so allocation starts at one
3089  * and is decremented by one.
3090  */
3091 static int
3092 ill_alloc_ppa(ill_if_t *ifp, ill_t *ill)
3093 {
3094 	ill_t *tmp_ill;
3095 	uint_t start, end;
3096 	int ppa;
3097 
3098 	if (ifp->illif_ppa_arena == NULL &&
3099 	    (avl_numnodes(&ifp->illif_avl_by_ppa) + 1 > ill_no_arena)) {
3100 		/*
3101 		 * Create an arena.
3102 		 */
3103 		ifp->illif_ppa_arena = vmem_create(ifp->illif_name,
3104 		    (void *)1, UINT_MAX - 1, 1, NULL, NULL,
3105 		    NULL, 0, VM_SLEEP | VMC_IDENTIFIER);
3106 			/* allocate what has already been assigned */
3107 		for (tmp_ill = avl_first(&ifp->illif_avl_by_ppa);
3108 		    tmp_ill != NULL; tmp_ill = avl_walk(&ifp->illif_avl_by_ppa,
3109 		    tmp_ill, AVL_AFTER)) {
3110 			ppa = (int)(uintptr_t)vmem_xalloc(ifp->illif_ppa_arena,
3111 			    1,		/* size */
3112 			    1,		/* align/quantum */
3113 			    0,		/* phase */
3114 			    0,		/* nocross */
3115 			    /* minaddr */
3116 			    (void *)((uintptr_t)tmp_ill->ill_ppa + 1),
3117 			    /* maxaddr */
3118 			    (void *)((uintptr_t)tmp_ill->ill_ppa + 2),
3119 			    VM_NOSLEEP|VM_FIRSTFIT);
3120 			if (ppa == 0) {
3121 				ip1dbg(("ill_alloc_ppa: ppa allocation"
3122 				    " failed while switching"));
3123 				vmem_destroy(ifp->illif_ppa_arena);
3124 				ifp->illif_ppa_arena = NULL;
3125 				break;
3126 			}
3127 		}
3128 	}
3129 
3130 	if (ifp->illif_ppa_arena != NULL) {
3131 		if (ill->ill_ppa == UINT_MAX) {
3132 			ppa = (int)(uintptr_t)vmem_alloc(ifp->illif_ppa_arena,
3133 			    1, VM_NOSLEEP|VM_FIRSTFIT);
3134 			if (ppa == 0)
3135 				return (EAGAIN);
3136 			ill->ill_ppa = --ppa;
3137 		} else {
3138 			ppa = (int)(uintptr_t)vmem_xalloc(ifp->illif_ppa_arena,
3139 			    1, 		/* size */
3140 			    1, 		/* align/quantum */
3141 			    0, 		/* phase */
3142 			    0, 		/* nocross */
3143 			    (void *)(uintptr_t)(ill->ill_ppa + 1), /* minaddr */
3144 			    (void *)(uintptr_t)(ill->ill_ppa + 2), /* maxaddr */
3145 			    VM_NOSLEEP|VM_FIRSTFIT);
3146 			/*
3147 			 * Most likely the allocation failed because
3148 			 * the requested ppa was in use.
3149 			 */
3150 			if (ppa == 0)
3151 				return (EEXIST);
3152 		}
3153 		return (0);
3154 	}
3155 
3156 	/*
3157 	 * No arena is in use and not enough (>ill_no_arena) interfaces have
3158 	 * been plumbed to create one. Do a linear search to get a unused ppa.
3159 	 */
3160 	if (ill->ill_ppa == UINT_MAX) {
3161 		end = UINT_MAX - 1;
3162 		start = 0;
3163 	} else {
3164 		end = start = ill->ill_ppa;
3165 	}
3166 
3167 	tmp_ill = avl_find(&ifp->illif_avl_by_ppa, (void *)&start, NULL);
3168 	while (tmp_ill != NULL && tmp_ill->ill_ppa == start) {
3169 		if (start++ >= end) {
3170 			if (ill->ill_ppa == UINT_MAX)
3171 				return (EAGAIN);
3172 			else
3173 				return (EEXIST);
3174 		}
3175 		tmp_ill = avl_walk(&ifp->illif_avl_by_ppa, tmp_ill, AVL_AFTER);
3176 	}
3177 	ill->ill_ppa = start;
3178 	return (0);
3179 }
3180 
3181 /*
3182  * Insert ill into the list of configured ill's. Once this function completes,
3183  * the ill is globally visible and is available through lookups. More precisely
3184  * this happens after the caller drops the ill_g_lock.
3185  */
3186 static int
3187 ill_glist_insert(ill_t *ill, char *name, boolean_t isv6)
3188 {
3189 	ill_if_t *ill_interface;
3190 	avl_index_t where = 0;
3191 	int error;
3192 	int name_length;
3193 	int index;
3194 	boolean_t check_length = B_FALSE;
3195 	ip_stack_t	*ipst = ill->ill_ipst;
3196 
3197 	ASSERT(RW_WRITE_HELD(&ipst->ips_ill_g_lock));
3198 
3199 	name_length = mi_strlen(name) + 1;
3200 
3201 	if (isv6)
3202 		index = IP_V6_G_HEAD;
3203 	else
3204 		index = IP_V4_G_HEAD;
3205 
3206 	ill_interface = IP_VX_ILL_G_LIST(index, ipst);
3207 	/*
3208 	 * Search for interface type based on name
3209 	 */
3210 	while (ill_interface != (ill_if_t *)&IP_VX_ILL_G_LIST(index, ipst)) {
3211 		if ((ill_interface->illif_name_len == name_length) &&
3212 		    (strcmp(ill_interface->illif_name, name) == 0)) {
3213 			break;
3214 		}
3215 		ill_interface = ill_interface->illif_next;
3216 	}
3217 
3218 	/*
3219 	 * Interface type not found, create one.
3220 	 */
3221 	if (ill_interface == (ill_if_t *)&IP_VX_ILL_G_LIST(index, ipst)) {
3222 		ill_g_head_t ghead;
3223 
3224 		/*
3225 		 * allocate ill_if_t structure
3226 		 */
3227 		ill_interface = (ill_if_t *)mi_zalloc(sizeof (ill_if_t));
3228 		if (ill_interface == NULL) {
3229 			return (ENOMEM);
3230 		}
3231 
3232 		(void) strcpy(ill_interface->illif_name, name);
3233 		ill_interface->illif_name_len = name_length;
3234 
3235 		avl_create(&ill_interface->illif_avl_by_ppa,
3236 		    ill_compare_ppa, sizeof (ill_t),
3237 		    offsetof(struct ill_s, ill_avl_byppa));
3238 
3239 		/*
3240 		 * link the structure in the back to maintain order
3241 		 * of configuration for ifconfig output.
3242 		 */
3243 		ghead = ipst->ips_ill_g_heads[index];
3244 		insque(ill_interface, ghead.ill_g_list_tail);
3245 	}
3246 
3247 	if (ill->ill_ppa == UINT_MAX)
3248 		check_length = B_TRUE;
3249 
3250 	error = ill_alloc_ppa(ill_interface, ill);
3251 	if (error != 0) {
3252 		if (avl_numnodes(&ill_interface->illif_avl_by_ppa) == 0)
3253 			ill_delete_interface_type(ill->ill_ifptr);
3254 		return (error);
3255 	}
3256 
3257 	/*
3258 	 * When the ppa is choosen by the system, check that there is
3259 	 * enough space to insert ppa. if a specific ppa was passed in this
3260 	 * check is not required as the interface name passed in will have
3261 	 * the right ppa in it.
3262 	 */
3263 	if (check_length) {
3264 		/*
3265 		 * UINT_MAX - 1 should fit in 10 chars, alloc 12 chars.
3266 		 */
3267 		char buf[sizeof (uint_t) * 3];
3268 
3269 		/*
3270 		 * convert ppa to string to calculate the amount of space
3271 		 * required for it in the name.
3272 		 */
3273 		numtos(ill->ill_ppa, buf);
3274 
3275 		/* Do we have enough space to insert ppa ? */
3276 
3277 		if ((mi_strlen(name) + mi_strlen(buf) + 1) > LIFNAMSIZ) {
3278 			/* Free ppa and interface type struct */
3279 			if (ill_interface->illif_ppa_arena != NULL) {
3280 				vmem_free(ill_interface->illif_ppa_arena,
3281 				    (void *)(uintptr_t)(ill->ill_ppa+1), 1);
3282 			}
3283 			if (avl_numnodes(&ill_interface->illif_avl_by_ppa) == 0)
3284 				ill_delete_interface_type(ill->ill_ifptr);
3285 
3286 			return (EINVAL);
3287 		}
3288 	}
3289 
3290 	(void) sprintf(ill->ill_name, "%s%u", name, ill->ill_ppa);
3291 	ill->ill_name_length = mi_strlen(ill->ill_name) + 1;
3292 
3293 	(void) avl_find(&ill_interface->illif_avl_by_ppa, &ill->ill_ppa,
3294 	    &where);
3295 	ill->ill_ifptr = ill_interface;
3296 	avl_insert(&ill_interface->illif_avl_by_ppa, ill, where);
3297 
3298 	ill_phyint_reinit(ill);
3299 	return (0);
3300 }
3301 
3302 /* Initialize the per phyint ipsq used for serialization */
3303 static boolean_t
3304 ipsq_init(ill_t *ill, boolean_t enter)
3305 {
3306 	ipsq_t  *ipsq;
3307 	ipxop_t	*ipx;
3308 
3309 	if ((ipsq = kmem_zalloc(sizeof (ipsq_t), KM_NOSLEEP)) == NULL)
3310 		return (B_FALSE);
3311 
3312 	ill->ill_phyint->phyint_ipsq = ipsq;
3313 	ipx = ipsq->ipsq_xop = &ipsq->ipsq_ownxop;
3314 	ipx->ipx_ipsq = ipsq;
3315 	ipsq->ipsq_next = ipsq;
3316 	ipsq->ipsq_phyint = ill->ill_phyint;
3317 	mutex_init(&ipsq->ipsq_lock, NULL, MUTEX_DEFAULT, 0);
3318 	mutex_init(&ipx->ipx_lock, NULL, MUTEX_DEFAULT, 0);
3319 	ipsq->ipsq_ipst = ill->ill_ipst;	/* No netstack_hold */
3320 	if (enter) {
3321 		ipx->ipx_writer = curthread;
3322 		ipx->ipx_forced = B_FALSE;
3323 		ipx->ipx_reentry_cnt = 1;
3324 #ifdef DEBUG
3325 		ipx->ipx_depth = getpcstack(ipx->ipx_stack, IPX_STACK_DEPTH);
3326 #endif
3327 	}
3328 	return (B_TRUE);
3329 }
3330 
3331 /*
3332  * ill_init is called by ip_open when a device control stream is opened.
3333  * It does a few initializations, and shoots a DL_INFO_REQ message down
3334  * to the driver.  The response is later picked up in ip_rput_dlpi and
3335  * used to set up default mechanisms for talking to the driver.  (Always
3336  * called as writer.)
3337  *
3338  * If this function returns error, ip_open will call ip_close which in
3339  * turn will call ill_delete to clean up any memory allocated here that
3340  * is not yet freed.
3341  */
3342 int
3343 ill_init(queue_t *q, ill_t *ill)
3344 {
3345 	int	count;
3346 	dl_info_req_t	*dlir;
3347 	mblk_t	*info_mp;
3348 	uchar_t *frag_ptr;
3349 
3350 	/*
3351 	 * The ill is initialized to zero by mi_alloc*(). In addition
3352 	 * some fields already contain valid values, initialized in
3353 	 * ip_open(), before we reach here.
3354 	 */
3355 	mutex_init(&ill->ill_lock, NULL, MUTEX_DEFAULT, 0);
3356 	mutex_init(&ill->ill_saved_ire_lock, NULL, MUTEX_DEFAULT, NULL);
3357 	ill->ill_saved_ire_cnt = 0;
3358 
3359 	ill->ill_rq = q;
3360 	ill->ill_wq = WR(q);
3361 
3362 	info_mp = allocb(MAX(sizeof (dl_info_req_t), sizeof (dl_info_ack_t)),
3363 	    BPRI_HI);
3364 	if (info_mp == NULL)
3365 		return (ENOMEM);
3366 
3367 	/*
3368 	 * Allocate sufficient space to contain our fragment hash table and
3369 	 * the device name.
3370 	 */
3371 	frag_ptr = (uchar_t *)mi_zalloc(ILL_FRAG_HASH_TBL_SIZE + 2 * LIFNAMSIZ);
3372 	if (frag_ptr == NULL) {
3373 		freemsg(info_mp);
3374 		return (ENOMEM);
3375 	}
3376 	ill->ill_frag_ptr = frag_ptr;
3377 	ill->ill_frag_free_num_pkts = 0;
3378 	ill->ill_last_frag_clean_time = 0;
3379 	ill->ill_frag_hash_tbl = (ipfb_t *)frag_ptr;
3380 	ill->ill_name = (char *)(frag_ptr + ILL_FRAG_HASH_TBL_SIZE);
3381 	for (count = 0; count < ILL_FRAG_HASH_TBL_COUNT; count++) {
3382 		mutex_init(&ill->ill_frag_hash_tbl[count].ipfb_lock,
3383 		    NULL, MUTEX_DEFAULT, NULL);
3384 	}
3385 
3386 	ill->ill_phyint = (phyint_t *)mi_zalloc(sizeof (phyint_t));
3387 	if (ill->ill_phyint == NULL) {
3388 		freemsg(info_mp);
3389 		mi_free(frag_ptr);
3390 		return (ENOMEM);
3391 	}
3392 
3393 	mutex_init(&ill->ill_phyint->phyint_lock, NULL, MUTEX_DEFAULT, 0);
3394 	/*
3395 	 * For now pretend this is a v4 ill. We need to set phyint_ill*
3396 	 * at this point because of the following reason. If we can't
3397 	 * enter the ipsq at some point and cv_wait, the writer that
3398 	 * wakes us up tries to locate us using the list of all phyints
3399 	 * in an ipsq and the ills from the phyint thru the phyint_ill*.
3400 	 * If we don't set it now, we risk a missed wakeup.
3401 	 */
3402 	ill->ill_phyint->phyint_illv4 = ill;
3403 	ill->ill_ppa = UINT_MAX;
3404 	list_create(&ill->ill_nce, sizeof (nce_t), offsetof(nce_t, nce_node));
3405 
3406 	ill_set_inputfn(ill);
3407 
3408 	if (!ipsq_init(ill, B_TRUE)) {
3409 		freemsg(info_mp);
3410 		mi_free(frag_ptr);
3411 		mi_free(ill->ill_phyint);
3412 		return (ENOMEM);
3413 	}
3414 
3415 	ill->ill_state_flags |= ILL_LL_SUBNET_PENDING;
3416 
3417 	/* Frag queue limit stuff */
3418 	ill->ill_frag_count = 0;
3419 	ill->ill_ipf_gen = 0;
3420 
3421 	rw_init(&ill->ill_mcast_lock, NULL, RW_DEFAULT, NULL);
3422 	mutex_init(&ill->ill_mcast_serializer, NULL, MUTEX_DEFAULT, NULL);
3423 	ill->ill_global_timer = INFINITY;
3424 	ill->ill_mcast_v1_time = ill->ill_mcast_v2_time = 0;
3425 	ill->ill_mcast_v1_tset = ill->ill_mcast_v2_tset = 0;
3426 	ill->ill_mcast_rv = MCAST_DEF_ROBUSTNESS;
3427 	ill->ill_mcast_qi = MCAST_DEF_QUERY_INTERVAL;
3428 
3429 	/*
3430 	 * Initialize IPv6 configuration variables.  The IP module is always
3431 	 * opened as an IPv4 module.  Instead tracking down the cases where
3432 	 * it switches to do ipv6, we'll just initialize the IPv6 configuration
3433 	 * here for convenience, this has no effect until the ill is set to do
3434 	 * IPv6.
3435 	 */
3436 	ill->ill_reachable_time = ND_REACHABLE_TIME;
3437 	ill->ill_xmit_count = ND_MAX_MULTICAST_SOLICIT;
3438 	ill->ill_max_buf = ND_MAX_Q;
3439 	ill->ill_refcnt = 0;
3440 
3441 	/* Send down the Info Request to the driver. */
3442 	info_mp->b_datap->db_type = M_PCPROTO;
3443 	dlir = (dl_info_req_t *)info_mp->b_rptr;
3444 	info_mp->b_wptr = (uchar_t *)&dlir[1];
3445 	dlir->dl_primitive = DL_INFO_REQ;
3446 
3447 	ill->ill_dlpi_pending = DL_PRIM_INVAL;
3448 
3449 	qprocson(q);
3450 	ill_dlpi_send(ill, info_mp);
3451 
3452 	return (0);
3453 }
3454 
3455 /*
3456  * ill_dls_info
3457  * creates datalink socket info from the device.
3458  */
3459 int
3460 ill_dls_info(struct sockaddr_dl *sdl, const ill_t *ill)
3461 {
3462 	size_t	len;
3463 
3464 	sdl->sdl_family = AF_LINK;
3465 	sdl->sdl_index = ill_get_upper_ifindex(ill);
3466 	sdl->sdl_type = ill->ill_type;
3467 	ill_get_name(ill, sdl->sdl_data, sizeof (sdl->sdl_data));
3468 	len = strlen(sdl->sdl_data);
3469 	ASSERT(len < 256);
3470 	sdl->sdl_nlen = (uchar_t)len;
3471 	sdl->sdl_alen = ill->ill_phys_addr_length;
3472 	sdl->sdl_slen = 0;
3473 	if (ill->ill_phys_addr_length != 0 && ill->ill_phys_addr != NULL)
3474 		bcopy(ill->ill_phys_addr, &sdl->sdl_data[len], sdl->sdl_alen);
3475 
3476 	return (sizeof (struct sockaddr_dl));
3477 }
3478 
3479 /*
3480  * ill_xarp_info
3481  * creates xarp info from the device.
3482  */
3483 static int
3484 ill_xarp_info(struct sockaddr_dl *sdl, ill_t *ill)
3485 {
3486 	sdl->sdl_family = AF_LINK;
3487 	sdl->sdl_index = ill->ill_phyint->phyint_ifindex;
3488 	sdl->sdl_type = ill->ill_type;
3489 	ill_get_name(ill, sdl->sdl_data, sizeof (sdl->sdl_data));
3490 	sdl->sdl_nlen = (uchar_t)mi_strlen(sdl->sdl_data);
3491 	sdl->sdl_alen = ill->ill_phys_addr_length;
3492 	sdl->sdl_slen = 0;
3493 	return (sdl->sdl_nlen);
3494 }
3495 
3496 static int
3497 loopback_kstat_update(kstat_t *ksp, int rw)
3498 {
3499 	kstat_named_t *kn;
3500 	netstackid_t	stackid;
3501 	netstack_t	*ns;
3502 	ip_stack_t	*ipst;
3503 
3504 	if (ksp == NULL || ksp->ks_data == NULL)
3505 		return (EIO);
3506 
3507 	if (rw == KSTAT_WRITE)
3508 		return (EACCES);
3509 
3510 	kn = KSTAT_NAMED_PTR(ksp);
3511 	stackid = (zoneid_t)(uintptr_t)ksp->ks_private;
3512 
3513 	ns = netstack_find_by_stackid(stackid);
3514 	if (ns == NULL)
3515 		return (-1);
3516 
3517 	ipst = ns->netstack_ip;
3518 	if (ipst == NULL) {
3519 		netstack_rele(ns);
3520 		return (-1);
3521 	}
3522 	kn[0].value.ui32 = ipst->ips_loopback_packets;
3523 	kn[1].value.ui32 = ipst->ips_loopback_packets;
3524 	netstack_rele(ns);
3525 	return (0);
3526 }
3527 
3528 /*
3529  * Has ifindex been plumbed already?
3530  */
3531 static boolean_t
3532 phyint_exists(uint_t index, ip_stack_t *ipst)
3533 {
3534 	ASSERT(index != 0);
3535 	ASSERT(RW_LOCK_HELD(&ipst->ips_ill_g_lock));
3536 
3537 	return (avl_find(&ipst->ips_phyint_g_list->phyint_list_avl_by_index,
3538 	    &index, NULL) != NULL);
3539 }
3540 
3541 /*
3542  * Pick a unique ifindex.
3543  * When the index counter passes IF_INDEX_MAX for the first time, the wrap
3544  * flag is set so that next time time ip_assign_ifindex() is called, it
3545  * falls through and resets the index counter back to 1, the minimum value
3546  * for the interface index. The logic below assumes that ips_ill_index
3547  * can hold a value of IF_INDEX_MAX+1 without there being any loss
3548  * (i.e. reset back to 0.)
3549  */
3550 boolean_t
3551 ip_assign_ifindex(uint_t *indexp, ip_stack_t *ipst)
3552 {
3553 	uint_t loops;
3554 
3555 	if (!ipst->ips_ill_index_wrap) {
3556 		*indexp = ipst->ips_ill_index++;
3557 		if (ipst->ips_ill_index > IF_INDEX_MAX) {
3558 			/*
3559 			 * Reached the maximum ifindex value, set the wrap
3560 			 * flag to indicate that it is no longer possible
3561 			 * to assume that a given index is unallocated.
3562 			 */
3563 			ipst->ips_ill_index_wrap = B_TRUE;
3564 		}
3565 		return (B_TRUE);
3566 	}
3567 
3568 	if (ipst->ips_ill_index > IF_INDEX_MAX)
3569 		ipst->ips_ill_index = 1;
3570 
3571 	/*
3572 	 * Start reusing unused indexes. Note that we hold the ill_g_lock
3573 	 * at this point and don't want to call any function that attempts
3574 	 * to get the lock again.
3575 	 */
3576 	for (loops = IF_INDEX_MAX; loops > 0; loops--) {
3577 		if (!phyint_exists(ipst->ips_ill_index, ipst)) {
3578 			/* found unused index - use it */
3579 			*indexp = ipst->ips_ill_index;
3580 			return (B_TRUE);
3581 		}
3582 
3583 		ipst->ips_ill_index++;
3584 		if (ipst->ips_ill_index > IF_INDEX_MAX)
3585 			ipst->ips_ill_index = 1;
3586 	}
3587 
3588 	/*
3589 	 * all interface indicies are inuse.
3590 	 */
3591 	return (B_FALSE);
3592 }
3593 
3594 /*
3595  * Assign a unique interface index for the phyint.
3596  */
3597 static boolean_t
3598 phyint_assign_ifindex(phyint_t *phyi, ip_stack_t *ipst)
3599 {
3600 	ASSERT(phyi->phyint_ifindex == 0);
3601 	return (ip_assign_ifindex(&phyi->phyint_ifindex, ipst));
3602 }
3603 
3604 /*
3605  * Initialize the flags on `phyi' as per the provided mactype.
3606  */
3607 static void
3608 phyint_flags_init(phyint_t *phyi, t_uscalar_t mactype)
3609 {
3610 	uint64_t flags = 0;
3611 
3612 	/*
3613 	 * Initialize PHYI_RUNNING and PHYI_FAILED.  For non-IPMP interfaces,
3614 	 * we always presume the underlying hardware is working and set
3615 	 * PHYI_RUNNING (if it's not, the driver will subsequently send a
3616 	 * DL_NOTE_LINK_DOWN message).  For IPMP interfaces, at initialization
3617 	 * there are no active interfaces in the group so we set PHYI_FAILED.
3618 	 */
3619 	if (mactype == SUNW_DL_IPMP)
3620 		flags |= PHYI_FAILED;
3621 	else
3622 		flags |= PHYI_RUNNING;
3623 
3624 	switch (mactype) {
3625 	case SUNW_DL_VNI:
3626 		flags |= PHYI_VIRTUAL;
3627 		break;
3628 	case SUNW_DL_IPMP:
3629 		flags |= PHYI_IPMP;
3630 		break;
3631 	case DL_LOOP:
3632 		flags |= (PHYI_LOOPBACK | PHYI_VIRTUAL);
3633 		break;
3634 	}
3635 
3636 	mutex_enter(&phyi->phyint_lock);
3637 	phyi->phyint_flags |= flags;
3638 	mutex_exit(&phyi->phyint_lock);
3639 }
3640 
3641 /*
3642  * Return a pointer to the ill which matches the supplied name.  Note that
3643  * the ill name length includes the null termination character.  (May be
3644  * called as writer.)
3645  * If do_alloc and the interface is "lo0" it will be automatically created.
3646  * Cannot bump up reference on condemned ills. So dup detect can't be done
3647  * using this func.
3648  */
3649 ill_t *
3650 ill_lookup_on_name(char *name, boolean_t do_alloc, boolean_t isv6,
3651     boolean_t *did_alloc, ip_stack_t *ipst)
3652 {
3653 	ill_t	*ill;
3654 	ipif_t	*ipif;
3655 	ipsq_t	*ipsq;
3656 	kstat_named_t	*kn;
3657 	boolean_t isloopback;
3658 	in6_addr_t ov6addr;
3659 
3660 	isloopback = mi_strcmp(name, ipif_loopback_name) == 0;
3661 
3662 	rw_enter(&ipst->ips_ill_g_lock, RW_READER);
3663 	ill = ill_find_by_name(name, isv6, ipst);
3664 	rw_exit(&ipst->ips_ill_g_lock);
3665 	if (ill != NULL)
3666 		return (ill);
3667 
3668 	/*
3669 	 * Couldn't find it.  Does this happen to be a lookup for the
3670 	 * loopback device and are we allowed to allocate it?
3671 	 */
3672 	if (!isloopback || !do_alloc)
3673 		return (NULL);
3674 
3675 	rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
3676 	ill = ill_find_by_name(name, isv6, ipst);
3677 	if (ill != NULL) {
3678 		rw_exit(&ipst->ips_ill_g_lock);
3679 		return (ill);
3680 	}
3681 
3682 	/* Create the loopback device on demand */
3683 	ill = (ill_t *)(mi_alloc(sizeof (ill_t) +
3684 	    sizeof (ipif_loopback_name), BPRI_MED));
3685 	if (ill == NULL)
3686 		goto done;
3687 
3688 	*ill = ill_null;
3689 	mutex_init(&ill->ill_lock, NULL, MUTEX_DEFAULT, NULL);
3690 	ill->ill_ipst = ipst;
3691 	list_create(&ill->ill_nce, sizeof (nce_t), offsetof(nce_t, nce_node));
3692 	netstack_hold(ipst->ips_netstack);
3693 	/*
3694 	 * For exclusive stacks we set the zoneid to zero
3695 	 * to make IP operate as if in the global zone.
3696 	 */
3697 	ill->ill_zoneid = GLOBAL_ZONEID;
3698 
3699 	ill->ill_phyint = (phyint_t *)mi_zalloc(sizeof (phyint_t));
3700 	if (ill->ill_phyint == NULL)
3701 		goto done;
3702 
3703 	if (isv6)
3704 		ill->ill_phyint->phyint_illv6 = ill;
3705 	else
3706 		ill->ill_phyint->phyint_illv4 = ill;
3707 	mutex_init(&ill->ill_phyint->phyint_lock, NULL, MUTEX_DEFAULT, 0);
3708 	phyint_flags_init(ill->ill_phyint, DL_LOOP);
3709 
3710 	if (isv6) {
3711 		ill->ill_isv6 = B_TRUE;
3712 		ill->ill_max_frag = ip_loopback_mtu_v6plus;
3713 	} else {
3714 		ill->ill_max_frag = ip_loopback_mtuplus;
3715 	}
3716 	if (!ill_allocate_mibs(ill))
3717 		goto done;
3718 	ill->ill_current_frag = ill->ill_max_frag;
3719 	ill->ill_mtu = ill->ill_max_frag;	/* Initial value */
3720 	ill->ill_mc_mtu = ill->ill_mtu;
3721 	/*
3722 	 * ipif_loopback_name can't be pointed at directly because its used
3723 	 * by both the ipv4 and ipv6 interfaces.  When the ill is removed
3724 	 * from the glist, ill_glist_delete() sets the first character of
3725 	 * ill_name to '\0'.
3726 	 */
3727 	ill->ill_name = (char *)ill + sizeof (*ill);
3728 	(void) strcpy(ill->ill_name, ipif_loopback_name);
3729 	ill->ill_name_length = sizeof (ipif_loopback_name);
3730 	/* Set ill_dlpi_pending for ipsq_current_finish() to work properly */
3731 	ill->ill_dlpi_pending = DL_PRIM_INVAL;
3732 
3733 	rw_init(&ill->ill_mcast_lock, NULL, RW_DEFAULT, NULL);
3734 	mutex_init(&ill->ill_mcast_serializer, NULL, MUTEX_DEFAULT, NULL);
3735 	ill->ill_global_timer = INFINITY;
3736 	ill->ill_mcast_v1_time = ill->ill_mcast_v2_time = 0;
3737 	ill->ill_mcast_v1_tset = ill->ill_mcast_v2_tset = 0;
3738 	ill->ill_mcast_rv = MCAST_DEF_ROBUSTNESS;
3739 	ill->ill_mcast_qi = MCAST_DEF_QUERY_INTERVAL;
3740 
3741 	/* No resolver here. */
3742 	ill->ill_net_type = IRE_LOOPBACK;
3743 
3744 	/* Initialize the ipsq */
3745 	if (!ipsq_init(ill, B_FALSE))
3746 		goto done;
3747 
3748 	ipif = ipif_allocate(ill, 0L, IRE_LOOPBACK, B_TRUE, B_TRUE, NULL);
3749 	if (ipif == NULL)
3750 		goto done;
3751 
3752 	ill->ill_flags = ILLF_MULTICAST;
3753 
3754 	ov6addr = ipif->ipif_v6lcl_addr;
3755 	/* Set up default loopback address and mask. */
3756 	if (!isv6) {
3757 		ipaddr_t inaddr_loopback = htonl(INADDR_LOOPBACK);
3758 
3759 		IN6_IPADDR_TO_V4MAPPED(inaddr_loopback, &ipif->ipif_v6lcl_addr);
3760 		V4MASK_TO_V6(htonl(IN_CLASSA_NET), ipif->ipif_v6net_mask);
3761 		V6_MASK_COPY(ipif->ipif_v6lcl_addr, ipif->ipif_v6net_mask,
3762 		    ipif->ipif_v6subnet);
3763 		ill->ill_flags |= ILLF_IPV4;
3764 	} else {
3765 		ipif->ipif_v6lcl_addr = ipv6_loopback;
3766 		ipif->ipif_v6net_mask = ipv6_all_ones;
3767 		V6_MASK_COPY(ipif->ipif_v6lcl_addr, ipif->ipif_v6net_mask,
3768 		    ipif->ipif_v6subnet);
3769 		ill->ill_flags |= ILLF_IPV6;
3770 	}
3771 
3772 	/*
3773 	 * Chain us in at the end of the ill list. hold the ill
3774 	 * before we make it globally visible. 1 for the lookup.
3775 	 */
3776 	ill->ill_refcnt = 0;
3777 	ill_refhold(ill);
3778 
3779 	ill->ill_frag_count = 0;
3780 	ill->ill_frag_free_num_pkts = 0;
3781 	ill->ill_last_frag_clean_time = 0;
3782 
3783 	ipsq = ill->ill_phyint->phyint_ipsq;
3784 
3785 	ill_set_inputfn(ill);
3786 
3787 	if (ill_glist_insert(ill, "lo", isv6) != 0)
3788 		cmn_err(CE_PANIC, "cannot insert loopback interface");
3789 
3790 	/* Let SCTP know so that it can add this to its list */
3791 	sctp_update_ill(ill, SCTP_ILL_INSERT);
3792 
3793 	/*
3794 	 * We have already assigned ipif_v6lcl_addr above, but we need to
3795 	 * call sctp_update_ipif_addr() after SCTP_ILL_INSERT, which
3796 	 * requires to be after ill_glist_insert() since we need the
3797 	 * ill_index set. Pass on ipv6_loopback as the old address.
3798 	 */
3799 	sctp_update_ipif_addr(ipif, ov6addr);
3800 
3801 	ip_rts_newaddrmsg(RTM_CHGADDR, 0, ipif, RTSQ_DEFAULT);
3802 
3803 	/*
3804 	 * ill_glist_insert() -> ill_phyint_reinit() may have merged IPSQs.
3805 	 * If so, free our original one.
3806 	 */
3807 	if (ipsq != ill->ill_phyint->phyint_ipsq)
3808 		ipsq_delete(ipsq);
3809 
3810 	if (ipst->ips_loopback_ksp == NULL) {
3811 		/* Export loopback interface statistics */
3812 		ipst->ips_loopback_ksp = kstat_create_netstack("lo", 0,
3813 		    ipif_loopback_name, "net",
3814 		    KSTAT_TYPE_NAMED, 2, 0,
3815 		    ipst->ips_netstack->netstack_stackid);
3816 		if (ipst->ips_loopback_ksp != NULL) {
3817 			ipst->ips_loopback_ksp->ks_update =
3818 			    loopback_kstat_update;
3819 			kn = KSTAT_NAMED_PTR(ipst->ips_loopback_ksp);
3820 			kstat_named_init(&kn[0], "ipackets", KSTAT_DATA_UINT32);
3821 			kstat_named_init(&kn[1], "opackets", KSTAT_DATA_UINT32);
3822 			ipst->ips_loopback_ksp->ks_private =
3823 			    (void *)(uintptr_t)ipst->ips_netstack->
3824 			    netstack_stackid;
3825 			kstat_install(ipst->ips_loopback_ksp);
3826 		}
3827 	}
3828 
3829 	*did_alloc = B_TRUE;
3830 	rw_exit(&ipst->ips_ill_g_lock);
3831 	ill_nic_event_dispatch(ill, MAP_IPIF_ID(ill->ill_ipif->ipif_id),
3832 	    NE_PLUMB, ill->ill_name, ill->ill_name_length);
3833 	return (ill);
3834 done:
3835 	if (ill != NULL) {
3836 		if (ill->ill_phyint != NULL) {
3837 			ipsq = ill->ill_phyint->phyint_ipsq;
3838 			if (ipsq != NULL) {
3839 				ipsq->ipsq_phyint = NULL;
3840 				ipsq_delete(ipsq);
3841 			}
3842 			mi_free(ill->ill_phyint);
3843 		}
3844 		ill_free_mib(ill);
3845 		if (ill->ill_ipst != NULL)
3846 			netstack_rele(ill->ill_ipst->ips_netstack);
3847 		mi_free(ill);
3848 	}
3849 	rw_exit(&ipst->ips_ill_g_lock);
3850 	return (NULL);
3851 }
3852 
3853 /*
3854  * For IPP calls - use the ip_stack_t for global stack.
3855  */
3856 ill_t *
3857 ill_lookup_on_ifindex_global_instance(uint_t index, boolean_t isv6)
3858 {
3859 	ip_stack_t	*ipst;
3860 	ill_t		*ill;
3861 
3862 	ipst = netstack_find_by_stackid(GLOBAL_NETSTACKID)->netstack_ip;
3863 	if (ipst == NULL) {
3864 		cmn_err(CE_WARN, "No ip_stack_t for zoneid zero!\n");
3865 		return (NULL);
3866 	}
3867 
3868 	ill = ill_lookup_on_ifindex(index, isv6, ipst);
3869 	netstack_rele(ipst->ips_netstack);
3870 	return (ill);
3871 }
3872 
3873 /*
3874  * Return a pointer to the ill which matches the index and IP version type.
3875  */
3876 ill_t *
3877 ill_lookup_on_ifindex(uint_t index, boolean_t isv6, ip_stack_t *ipst)
3878 {
3879 	ill_t	*ill;
3880 	phyint_t *phyi;
3881 
3882 	/*
3883 	 * Indexes are stored in the phyint - a common structure
3884 	 * to both IPv4 and IPv6.
3885 	 */
3886 	rw_enter(&ipst->ips_ill_g_lock, RW_READER);
3887 	phyi = avl_find(&ipst->ips_phyint_g_list->phyint_list_avl_by_index,
3888 	    (void *) &index, NULL);
3889 	if (phyi != NULL) {
3890 		ill = isv6 ? phyi->phyint_illv6: phyi->phyint_illv4;
3891 		if (ill != NULL) {
3892 			mutex_enter(&ill->ill_lock);
3893 			if (!ILL_IS_CONDEMNED(ill)) {
3894 				ill_refhold_locked(ill);
3895 				mutex_exit(&ill->ill_lock);
3896 				rw_exit(&ipst->ips_ill_g_lock);
3897 				return (ill);
3898 			}
3899 			mutex_exit(&ill->ill_lock);
3900 		}
3901 	}
3902 	rw_exit(&ipst->ips_ill_g_lock);
3903 	return (NULL);
3904 }
3905 
3906 /*
3907  * Verify whether or not an interface index is valid for the specified zoneid
3908  * to transmit packets.
3909  * It can be zero (meaning "reset") or an interface index assigned
3910  * to a non-VNI interface. (We don't use VNI interface to send packets.)
3911  */
3912 boolean_t
3913 ip_xmit_ifindex_valid(uint_t ifindex, zoneid_t zoneid, boolean_t isv6,
3914     ip_stack_t *ipst)
3915 {
3916 	ill_t		*ill;
3917 
3918 	if (ifindex == 0)
3919 		return (B_TRUE);
3920 
3921 	ill = ill_lookup_on_ifindex_zoneid(ifindex, zoneid, isv6, ipst);
3922 	if (ill == NULL)
3923 		return (B_FALSE);
3924 	if (IS_VNI(ill)) {
3925 		ill_refrele(ill);
3926 		return (B_FALSE);
3927 	}
3928 	ill_refrele(ill);
3929 	return (B_TRUE);
3930 }
3931 
3932 /*
3933  * Return the ifindex next in sequence after the passed in ifindex.
3934  * If there is no next ifindex for the given protocol, return 0.
3935  */
3936 uint_t
3937 ill_get_next_ifindex(uint_t index, boolean_t isv6, ip_stack_t *ipst)
3938 {
3939 	phyint_t *phyi;
3940 	phyint_t *phyi_initial;
3941 	uint_t   ifindex;
3942 
3943 	rw_enter(&ipst->ips_ill_g_lock, RW_READER);
3944 
3945 	if (index == 0) {
3946 		phyi = avl_first(
3947 		    &ipst->ips_phyint_g_list->phyint_list_avl_by_index);
3948 	} else {
3949 		phyi = phyi_initial = avl_find(
3950 		    &ipst->ips_phyint_g_list->phyint_list_avl_by_index,
3951 		    (void *) &index, NULL);
3952 	}
3953 
3954 	for (; phyi != NULL;
3955 	    phyi = avl_walk(&ipst->ips_phyint_g_list->phyint_list_avl_by_index,
3956 	    phyi, AVL_AFTER)) {
3957 		/*
3958 		 * If we're not returning the first interface in the tree
3959 		 * and we still haven't moved past the phyint_t that
3960 		 * corresponds to index, avl_walk needs to be called again
3961 		 */
3962 		if (!((index != 0) && (phyi == phyi_initial))) {
3963 			if (isv6) {
3964 				if ((phyi->phyint_illv6) &&
3965 				    ILL_CAN_LOOKUP(phyi->phyint_illv6) &&
3966 				    (phyi->phyint_illv6->ill_isv6 == 1))
3967 					break;
3968 			} else {
3969 				if ((phyi->phyint_illv4) &&
3970 				    ILL_CAN_LOOKUP(phyi->phyint_illv4) &&
3971 				    (phyi->phyint_illv4->ill_isv6 == 0))
3972 					break;
3973 			}
3974 		}
3975 	}
3976 
3977 	rw_exit(&ipst->ips_ill_g_lock);
3978 
3979 	if (phyi != NULL)
3980 		ifindex = phyi->phyint_ifindex;
3981 	else
3982 		ifindex = 0;
3983 
3984 	return (ifindex);
3985 }
3986 
3987 /*
3988  * Return the ifindex for the named interface.
3989  * If there is no next ifindex for the interface, return 0.
3990  */
3991 uint_t
3992 ill_get_ifindex_by_name(char *name, ip_stack_t *ipst)
3993 {
3994 	phyint_t	*phyi;
3995 	avl_index_t	where = 0;
3996 	uint_t		ifindex;
3997 
3998 	rw_enter(&ipst->ips_ill_g_lock, RW_READER);
3999 
4000 	if ((phyi = avl_find(&ipst->ips_phyint_g_list->phyint_list_avl_by_name,
4001 	    name, &where)) == NULL) {
4002 		rw_exit(&ipst->ips_ill_g_lock);
4003 		return (0);
4004 	}
4005 
4006 	ifindex = phyi->phyint_ifindex;
4007 
4008 	rw_exit(&ipst->ips_ill_g_lock);
4009 
4010 	return (ifindex);
4011 }
4012 
4013 /*
4014  * Return the ifindex to be used by upper layer protocols for instance
4015  * for IPV6_RECVPKTINFO. If IPMP this is the one for the upper ill.
4016  */
4017 uint_t
4018 ill_get_upper_ifindex(const ill_t *ill)
4019 {
4020 	if (IS_UNDER_IPMP(ill))
4021 		return (ipmp_ill_get_ipmp_ifindex(ill));
4022 	else
4023 		return (ill->ill_phyint->phyint_ifindex);
4024 }
4025 
4026 
4027 /*
4028  * Obtain a reference to the ill. The ill_refcnt is a dynamic refcnt
4029  * that gives a running thread a reference to the ill. This reference must be
4030  * released by the thread when it is done accessing the ill and related
4031  * objects. ill_refcnt can not be used to account for static references
4032  * such as other structures pointing to an ill. Callers must generally
4033  * check whether an ill can be refheld by using ILL_CAN_LOOKUP macros
4034  * or be sure that the ill is not being deleted or changing state before
4035  * calling the refhold functions. A non-zero ill_refcnt ensures that the
4036  * ill won't change any of its critical state such as address, netmask etc.
4037  */
4038 void
4039 ill_refhold(ill_t *ill)
4040 {
4041 	mutex_enter(&ill->ill_lock);
4042 	ill->ill_refcnt++;
4043 	ILL_TRACE_REF(ill);
4044 	mutex_exit(&ill->ill_lock);
4045 }
4046 
4047 void
4048 ill_refhold_locked(ill_t *ill)
4049 {
4050 	ASSERT(MUTEX_HELD(&ill->ill_lock));
4051 	ill->ill_refcnt++;
4052 	ILL_TRACE_REF(ill);
4053 }
4054 
4055 /* Returns true if we managed to get a refhold */
4056 boolean_t
4057 ill_check_and_refhold(ill_t *ill)
4058 {
4059 	mutex_enter(&ill->ill_lock);
4060 	if (!ILL_IS_CONDEMNED(ill)) {
4061 		ill_refhold_locked(ill);
4062 		mutex_exit(&ill->ill_lock);
4063 		return (B_TRUE);
4064 	}
4065 	mutex_exit(&ill->ill_lock);
4066 	return (B_FALSE);
4067 }
4068 
4069 /*
4070  * Must not be called while holding any locks. Otherwise if this is
4071  * the last reference to be released, there is a chance of recursive mutex
4072  * panic due to ill_refrele -> ipif_ill_refrele_tail -> qwriter_ip trying
4073  * to restart an ioctl.
4074  */
4075 void
4076 ill_refrele(ill_t *ill)
4077 {
4078 	mutex_enter(&ill->ill_lock);
4079 	ASSERT(ill->ill_refcnt != 0);
4080 	ill->ill_refcnt--;
4081 	ILL_UNTRACE_REF(ill);
4082 	if (ill->ill_refcnt != 0) {
4083 		/* Every ire pointing to the ill adds 1 to ill_refcnt */
4084 		mutex_exit(&ill->ill_lock);
4085 		return;
4086 	}
4087 
4088 	/* Drops the ill_lock */
4089 	ipif_ill_refrele_tail(ill);
4090 }
4091 
4092 /*
4093  * Obtain a weak reference count on the ill. This reference ensures the
4094  * ill won't be freed, but the ill may change any of its critical state
4095  * such as netmask, address etc. Returns an error if the ill has started
4096  * closing.
4097  */
4098 boolean_t
4099 ill_waiter_inc(ill_t *ill)
4100 {
4101 	mutex_enter(&ill->ill_lock);
4102 	if (ill->ill_state_flags & ILL_CONDEMNED) {
4103 		mutex_exit(&ill->ill_lock);
4104 		return (B_FALSE);
4105 	}
4106 	ill->ill_waiters++;
4107 	mutex_exit(&ill->ill_lock);
4108 	return (B_TRUE);
4109 }
4110 
4111 void
4112 ill_waiter_dcr(ill_t *ill)
4113 {
4114 	mutex_enter(&ill->ill_lock);
4115 	ill->ill_waiters--;
4116 	if (ill->ill_waiters == 0)
4117 		cv_broadcast(&ill->ill_cv);
4118 	mutex_exit(&ill->ill_lock);
4119 }
4120 
4121 /*
4122  * ip_ll_subnet_defaults is called when we get the DL_INFO_ACK back from the
4123  * driver.  We construct best guess defaults for lower level information that
4124  * we need.  If an interface is brought up without injection of any overriding
4125  * information from outside, we have to be ready to go with these defaults.
4126  * When we get the first DL_INFO_ACK (from ip_open() sending a DL_INFO_REQ)
4127  * we primarely want the dl_provider_style.
4128  * The subsequent DL_INFO_ACK is received after doing a DL_ATTACH and DL_BIND
4129  * at which point we assume the other part of the information is valid.
4130  */
4131 void
4132 ip_ll_subnet_defaults(ill_t *ill, mblk_t *mp)
4133 {
4134 	uchar_t		*brdcst_addr;
4135 	uint_t		brdcst_addr_length, phys_addr_length;
4136 	t_scalar_t	sap_length;
4137 	dl_info_ack_t	*dlia;
4138 	ip_m_t		*ipm;
4139 	dl_qos_cl_sel1_t *sel1;
4140 	int		min_mtu;
4141 
4142 	ASSERT(IAM_WRITER_ILL(ill));
4143 
4144 	/*
4145 	 * Till the ill is fully up  the ill is not globally visible.
4146 	 * So no need for a lock.
4147 	 */
4148 	dlia = (dl_info_ack_t *)mp->b_rptr;
4149 	ill->ill_mactype = dlia->dl_mac_type;
4150 
4151 	ipm = ip_m_lookup(dlia->dl_mac_type);
4152 	if (ipm == NULL) {
4153 		ipm = ip_m_lookup(DL_OTHER);
4154 		ASSERT(ipm != NULL);
4155 	}
4156 	ill->ill_media = ipm;
4157 
4158 	/*
4159 	 * When the new DLPI stuff is ready we'll pull lengths
4160 	 * from dlia.
4161 	 */
4162 	if (dlia->dl_version == DL_VERSION_2) {
4163 		brdcst_addr_length = dlia->dl_brdcst_addr_length;
4164 		brdcst_addr = mi_offset_param(mp, dlia->dl_brdcst_addr_offset,
4165 		    brdcst_addr_length);
4166 		if (brdcst_addr == NULL) {
4167 			brdcst_addr_length = 0;
4168 		}
4169 		sap_length = dlia->dl_sap_length;
4170 		phys_addr_length = dlia->dl_addr_length - ABS(sap_length);
4171 		ip1dbg(("ip: bcast_len %d, sap_len %d, phys_len %d\n",
4172 		    brdcst_addr_length, sap_length, phys_addr_length));
4173 	} else {
4174 		brdcst_addr_length = 6;
4175 		brdcst_addr = ip_six_byte_all_ones;
4176 		sap_length = -2;
4177 		phys_addr_length = brdcst_addr_length;
4178 	}
4179 
4180 	ill->ill_bcast_addr_length = brdcst_addr_length;
4181 	ill->ill_phys_addr_length = phys_addr_length;
4182 	ill->ill_sap_length = sap_length;
4183 
4184 	/*
4185 	 * Synthetic DLPI types such as SUNW_DL_IPMP specify a zero SDU,
4186 	 * but we must ensure a minimum IP MTU is used since other bits of
4187 	 * IP will fly apart otherwise.
4188 	 */
4189 	min_mtu = ill->ill_isv6 ? IPV6_MIN_MTU : IP_MIN_MTU;
4190 	ill->ill_max_frag = MAX(min_mtu, dlia->dl_max_sdu);
4191 	ill->ill_current_frag = ill->ill_max_frag;
4192 	ill->ill_mtu = ill->ill_max_frag;
4193 	ill->ill_mc_mtu = ill->ill_mtu;	/* Overridden by DL_NOTE_SDU_SIZE2 */
4194 
4195 	ill->ill_type = ipm->ip_m_type;
4196 
4197 	if (!ill->ill_dlpi_style_set) {
4198 		if (dlia->dl_provider_style == DL_STYLE2)
4199 			ill->ill_needs_attach = 1;
4200 
4201 		phyint_flags_init(ill->ill_phyint, ill->ill_mactype);
4202 
4203 		/*
4204 		 * Allocate the first ipif on this ill.  We don't delay it
4205 		 * further as ioctl handling assumes at least one ipif exists.
4206 		 *
4207 		 * At this point we don't know whether the ill is v4 or v6.
4208 		 * We will know this whan the SIOCSLIFNAME happens and
4209 		 * the correct value for ill_isv6 will be assigned in
4210 		 * ipif_set_values(). We need to hold the ill lock and
4211 		 * clear the ILL_LL_SUBNET_PENDING flag and atomically do
4212 		 * the wakeup.
4213 		 */
4214 		(void) ipif_allocate(ill, 0, IRE_LOCAL,
4215 		    dlia->dl_provider_style != DL_STYLE2, B_TRUE, NULL);
4216 		mutex_enter(&ill->ill_lock);
4217 		ASSERT(ill->ill_dlpi_style_set == 0);
4218 		ill->ill_dlpi_style_set = 1;
4219 		ill->ill_state_flags &= ~ILL_LL_SUBNET_PENDING;
4220 		cv_broadcast(&ill->ill_cv);
4221 		mutex_exit(&ill->ill_lock);
4222 		freemsg(mp);
4223 		return;
4224 	}
4225 	ASSERT(ill->ill_ipif != NULL);
4226 	/*
4227 	 * We know whether it is IPv4 or IPv6 now, as this is the
4228 	 * second DL_INFO_ACK we are recieving in response to the
4229 	 * DL_INFO_REQ sent in ipif_set_values.
4230 	 */
4231 	ill->ill_sap = (ill->ill_isv6) ? ipm->ip_m_ipv6sap : ipm->ip_m_ipv4sap;
4232 	/*
4233 	 * Clear all the flags that were set based on ill_bcast_addr_length
4234 	 * and ill_phys_addr_length (in ipif_set_values) as these could have
4235 	 * changed now and we need to re-evaluate.
4236 	 */
4237 	ill->ill_flags &= ~(ILLF_MULTICAST | ILLF_NONUD | ILLF_NOARP);
4238 	ill->ill_ipif->ipif_flags &= ~(IPIF_BROADCAST | IPIF_POINTOPOINT);
4239 
4240 	/*
4241 	 * Free ill_bcast_mp as things could have changed now.
4242 	 *
4243 	 * NOTE: The IPMP meta-interface is special-cased because it starts
4244 	 * with no underlying interfaces (and thus an unknown broadcast
4245 	 * address length), but we enforce that an interface is broadcast-
4246 	 * capable as part of allowing it to join a group.
4247 	 */
4248 	if (ill->ill_bcast_addr_length == 0 && !IS_IPMP(ill)) {
4249 		if (ill->ill_bcast_mp != NULL)
4250 			freemsg(ill->ill_bcast_mp);
4251 		ill->ill_net_type = IRE_IF_NORESOLVER;
4252 
4253 		ill->ill_bcast_mp = ill_dlur_gen(NULL,
4254 		    ill->ill_phys_addr_length,
4255 		    ill->ill_sap,
4256 		    ill->ill_sap_length);
4257 
4258 		if (ill->ill_isv6)
4259 			/*
4260 			 * Note: xresolv interfaces will eventually need NOARP
4261 			 * set here as well, but that will require those
4262 			 * external resolvers to have some knowledge of
4263 			 * that flag and act appropriately. Not to be changed
4264 			 * at present.
4265 			 */
4266 			ill->ill_flags |= ILLF_NONUD;
4267 		else
4268 			ill->ill_flags |= ILLF_NOARP;
4269 
4270 		if (ill->ill_mactype == SUNW_DL_VNI) {
4271 			ill->ill_ipif->ipif_flags |= IPIF_NOXMIT;
4272 		} else if (ill->ill_phys_addr_length == 0 ||
4273 		    ill->ill_mactype == DL_IPV4 ||
4274 		    ill->ill_mactype == DL_IPV6) {
4275 			/*
4276 			 * The underying link is point-to-point, so mark the
4277 			 * interface as such.  We can do IP multicast over
4278 			 * such a link since it transmits all network-layer
4279 			 * packets to the remote side the same way.
4280 			 */
4281 			ill->ill_flags |= ILLF_MULTICAST;
4282 			ill->ill_ipif->ipif_flags |= IPIF_POINTOPOINT;
4283 		}
4284 	} else {
4285 		ill->ill_net_type = IRE_IF_RESOLVER;
4286 		if (ill->ill_bcast_mp != NULL)
4287 			freemsg(ill->ill_bcast_mp);
4288 		ill->ill_bcast_mp = ill_dlur_gen(brdcst_addr,
4289 		    ill->ill_bcast_addr_length, ill->ill_sap,
4290 		    ill->ill_sap_length);
4291 		/*
4292 		 * Later detect lack of DLPI driver multicast
4293 		 * capability by catching DL_ENABMULTI errors in
4294 		 * ip_rput_dlpi.
4295 		 */
4296 		ill->ill_flags |= ILLF_MULTICAST;
4297 		if (!ill->ill_isv6)
4298 			ill->ill_ipif->ipif_flags |= IPIF_BROADCAST;
4299 	}
4300 
4301 	/* For IPMP, PHYI_IPMP should already be set by phyint_flags_init() */
4302 	if (ill->ill_mactype == SUNW_DL_IPMP)
4303 		ASSERT(ill->ill_phyint->phyint_flags & PHYI_IPMP);
4304 
4305 	/* By default an interface does not support any CoS marking */
4306 	ill->ill_flags &= ~ILLF_COS_ENABLED;
4307 
4308 	/*
4309 	 * If we get QoS information in DL_INFO_ACK, the device supports
4310 	 * some form of CoS marking, set ILLF_COS_ENABLED.
4311 	 */
4312 	sel1 = (dl_qos_cl_sel1_t *)mi_offset_param(mp, dlia->dl_qos_offset,
4313 	    dlia->dl_qos_length);
4314 	if ((sel1 != NULL) && (sel1->dl_qos_type == DL_QOS_CL_SEL1)) {
4315 		ill->ill_flags |= ILLF_COS_ENABLED;
4316 	}
4317 
4318 	/* Clear any previous error indication. */
4319 	ill->ill_error = 0;
4320 	freemsg(mp);
4321 }
4322 
4323 /*
4324  * Perform various checks to verify that an address would make sense as a
4325  * local, remote, or subnet interface address.
4326  */
4327 static boolean_t
4328 ip_addr_ok_v4(ipaddr_t addr, ipaddr_t subnet_mask)
4329 {
4330 	ipaddr_t	net_mask;
4331 
4332 	/*
4333 	 * Don't allow all zeroes, or all ones, but allow
4334 	 * all ones netmask.
4335 	 */
4336 	if ((net_mask = ip_net_mask(addr)) == 0)
4337 		return (B_FALSE);
4338 	/* A given netmask overrides the "guess" netmask */
4339 	if (subnet_mask != 0)
4340 		net_mask = subnet_mask;
4341 	if ((net_mask != ~(ipaddr_t)0) && ((addr == (addr & net_mask)) ||
4342 	    (addr == (addr | ~net_mask)))) {
4343 		return (B_FALSE);
4344 	}
4345 
4346 	/*
4347 	 * Even if the netmask is all ones, we do not allow address to be
4348 	 * 255.255.255.255
4349 	 */
4350 	if (addr == INADDR_BROADCAST)
4351 		return (B_FALSE);
4352 
4353 	if (CLASSD(addr))
4354 		return (B_FALSE);
4355 
4356 	return (B_TRUE);
4357 }
4358 
4359 #define	V6_IPIF_LINKLOCAL(p)	\
4360 	IN6_IS_ADDR_LINKLOCAL(&(p)->ipif_v6lcl_addr)
4361 
4362 /*
4363  * Compare two given ipifs and check if the second one is better than
4364  * the first one using the order of preference (not taking deprecated
4365  * into acount) specified in ipif_lookup_multicast().
4366  */
4367 static boolean_t
4368 ipif_comp_multi(ipif_t *old_ipif, ipif_t *new_ipif, boolean_t isv6)
4369 {
4370 	/* Check the least preferred first. */
4371 	if (IS_LOOPBACK(old_ipif->ipif_ill)) {
4372 		/* If both ipifs are the same, use the first one. */
4373 		if (IS_LOOPBACK(new_ipif->ipif_ill))
4374 			return (B_FALSE);
4375 		else
4376 			return (B_TRUE);
4377 	}
4378 
4379 	/* For IPv6, check for link local address. */
4380 	if (isv6 && V6_IPIF_LINKLOCAL(old_ipif)) {
4381 		if (IS_LOOPBACK(new_ipif->ipif_ill) ||
4382 		    V6_IPIF_LINKLOCAL(new_ipif)) {
4383 			/* The second one is equal or less preferred. */
4384 			return (B_FALSE);
4385 		} else {
4386 			return (B_TRUE);
4387 		}
4388 	}
4389 
4390 	/* Then check for point to point interface. */
4391 	if (old_ipif->ipif_flags & IPIF_POINTOPOINT) {
4392 		if (IS_LOOPBACK(new_ipif->ipif_ill) ||
4393 		    (isv6 && V6_IPIF_LINKLOCAL(new_ipif)) ||
4394 		    (new_ipif->ipif_flags & IPIF_POINTOPOINT)) {
4395 			return (B_FALSE);
4396 		} else {
4397 			return (B_TRUE);
4398 		}
4399 	}
4400 
4401 	/* old_ipif is a normal interface, so no need to use the new one. */
4402 	return (B_FALSE);
4403 }
4404 
4405 /*
4406  * Find a mulitcast-capable ipif given an IP instance and zoneid.
4407  * The ipif must be up, and its ill must multicast-capable, not
4408  * condemned, not an underlying interface in an IPMP group, and
4409  * not a VNI interface.  Order of preference:
4410  *
4411  * 	1a. normal
4412  * 	1b. normal, but deprecated
4413  * 	2a. point to point
4414  * 	2b. point to point, but deprecated
4415  * 	3a. link local
4416  * 	3b. link local, but deprecated
4417  * 	4. loopback.
4418  */
4419 static ipif_t *
4420 ipif_lookup_multicast(ip_stack_t *ipst, zoneid_t zoneid, boolean_t isv6)
4421 {
4422 	ill_t			*ill;
4423 	ill_walk_context_t	ctx;
4424 	ipif_t			*ipif;
4425 	ipif_t			*saved_ipif = NULL;
4426 	ipif_t			*dep_ipif = NULL;
4427 
4428 	rw_enter(&ipst->ips_ill_g_lock, RW_READER);
4429 	if (isv6)
4430 		ill = ILL_START_WALK_V6(&ctx, ipst);
4431 	else
4432 		ill = ILL_START_WALK_V4(&ctx, ipst);
4433 
4434 	for (; ill != NULL; ill = ill_next(&ctx, ill)) {
4435 		mutex_enter(&ill->ill_lock);
4436 		if (IS_VNI(ill) || IS_UNDER_IPMP(ill) ||
4437 		    ILL_IS_CONDEMNED(ill) ||
4438 		    !(ill->ill_flags & ILLF_MULTICAST)) {
4439 			mutex_exit(&ill->ill_lock);
4440 			continue;
4441 		}
4442 		for (ipif = ill->ill_ipif; ipif != NULL;
4443 		    ipif = ipif->ipif_next) {
4444 			if (zoneid != ipif->ipif_zoneid &&
4445 			    zoneid != ALL_ZONES &&
4446 			    ipif->ipif_zoneid != ALL_ZONES) {
4447 				continue;
4448 			}
4449 			if (!(ipif->ipif_flags & IPIF_UP) ||
4450 			    IPIF_IS_CONDEMNED(ipif)) {
4451 				continue;
4452 			}
4453 
4454 			/*
4455 			 * Found one candidate.  If it is deprecated,
4456 			 * remember it in dep_ipif.  If it is not deprecated,
4457 			 * remember it in saved_ipif.
4458 			 */
4459 			if (ipif->ipif_flags & IPIF_DEPRECATED) {
4460 				if (dep_ipif == NULL) {
4461 					dep_ipif = ipif;
4462 				} else if (ipif_comp_multi(dep_ipif, ipif,
4463 				    isv6)) {
4464 					/*
4465 					 * If the previous dep_ipif does not
4466 					 * belong to the same ill, we've done
4467 					 * a ipif_refhold() on it.  So we need
4468 					 * to release it.
4469 					 */
4470 					if (dep_ipif->ipif_ill != ill)
4471 						ipif_refrele(dep_ipif);
4472 					dep_ipif = ipif;
4473 				}
4474 				continue;
4475 			}
4476 			if (saved_ipif == NULL) {
4477 				saved_ipif = ipif;
4478 			} else {
4479 				if (ipif_comp_multi(saved_ipif, ipif, isv6)) {
4480 					if (saved_ipif->ipif_ill != ill)
4481 						ipif_refrele(saved_ipif);
4482 					saved_ipif = ipif;
4483 				}
4484 			}
4485 		}
4486 		/*
4487 		 * Before going to the next ill, do a ipif_refhold() on the
4488 		 * saved ones.
4489 		 */
4490 		if (saved_ipif != NULL && saved_ipif->ipif_ill == ill)
4491 			ipif_refhold_locked(saved_ipif);
4492 		if (dep_ipif != NULL && dep_ipif->ipif_ill == ill)
4493 			ipif_refhold_locked(dep_ipif);
4494 		mutex_exit(&ill->ill_lock);
4495 	}
4496 	rw_exit(&ipst->ips_ill_g_lock);
4497 
4498 	/*
4499 	 * If we have only the saved_ipif, return it.  But if we have both
4500 	 * saved_ipif and dep_ipif, check to see which one is better.
4501 	 */
4502 	if (saved_ipif != NULL) {
4503 		if (dep_ipif != NULL) {
4504 			if (ipif_comp_multi(saved_ipif, dep_ipif, isv6)) {
4505 				ipif_refrele(saved_ipif);
4506 				return (dep_ipif);
4507 			} else {
4508 				ipif_refrele(dep_ipif);
4509 				return (saved_ipif);
4510 			}
4511 		}
4512 		return (saved_ipif);
4513 	} else {
4514 		return (dep_ipif);
4515 	}
4516 }
4517 
4518 ill_t *
4519 ill_lookup_multicast(ip_stack_t *ipst, zoneid_t zoneid, boolean_t isv6)
4520 {
4521 	ipif_t *ipif;
4522 	ill_t *ill;
4523 
4524 	ipif = ipif_lookup_multicast(ipst, zoneid, isv6);
4525 	if (ipif == NULL)
4526 		return (NULL);
4527 
4528 	ill = ipif->ipif_ill;
4529 	ill_refhold(ill);
4530 	ipif_refrele(ipif);
4531 	return (ill);
4532 }
4533 
4534 /*
4535  * This function is called when an application does not specify an interface
4536  * to be used for multicast traffic (joining a group/sending data).  It
4537  * calls ire_lookup_multi() to look for an interface route for the
4538  * specified multicast group.  Doing this allows the administrator to add
4539  * prefix routes for multicast to indicate which interface to be used for
4540  * multicast traffic in the above scenario.  The route could be for all
4541  * multicast (224.0/4), for a single multicast group (a /32 route) or
4542  * anything in between.  If there is no such multicast route, we just find
4543  * any multicast capable interface and return it.  The returned ipif
4544  * is refhold'ed.
4545  *
4546  * We support MULTIRT and RTF_SETSRC on the multicast routes added to the
4547  * unicast table. This is used by CGTP.
4548  */
4549 ill_t *
4550 ill_lookup_group_v4(ipaddr_t group, zoneid_t zoneid, ip_stack_t *ipst,
4551     boolean_t *multirtp, ipaddr_t *setsrcp)
4552 {
4553 	ill_t			*ill;
4554 
4555 	ill = ire_lookup_multi_ill_v4(group, zoneid, ipst, multirtp, setsrcp);
4556 	if (ill != NULL)
4557 		return (ill);
4558 
4559 	return (ill_lookup_multicast(ipst, zoneid, B_FALSE));
4560 }
4561 
4562 /*
4563  * Look for an ipif with the specified interface address and destination.
4564  * The destination address is used only for matching point-to-point interfaces.
4565  */
4566 ipif_t *
4567 ipif_lookup_interface(ipaddr_t if_addr, ipaddr_t dst, ip_stack_t *ipst)
4568 {
4569 	ipif_t	*ipif;
4570 	ill_t	*ill;
4571 	ill_walk_context_t ctx;
4572 
4573 	/*
4574 	 * First match all the point-to-point interfaces
4575 	 * before looking at non-point-to-point interfaces.
4576 	 * This is done to avoid returning non-point-to-point
4577 	 * ipif instead of unnumbered point-to-point ipif.
4578 	 */
4579 	rw_enter(&ipst->ips_ill_g_lock, RW_READER);
4580 	ill = ILL_START_WALK_V4(&ctx, ipst);
4581 	for (; ill != NULL; ill = ill_next(&ctx, ill)) {
4582 		mutex_enter(&ill->ill_lock);
4583 		for (ipif = ill->ill_ipif; ipif != NULL;
4584 		    ipif = ipif->ipif_next) {
4585 			/* Allow the ipif to be down */
4586 			if ((ipif->ipif_flags & IPIF_POINTOPOINT) &&
4587 			    (ipif->ipif_lcl_addr == if_addr) &&
4588 			    (ipif->ipif_pp_dst_addr == dst)) {
4589 				if (!IPIF_IS_CONDEMNED(ipif)) {
4590 					ipif_refhold_locked(ipif);
4591 					mutex_exit(&ill->ill_lock);
4592 					rw_exit(&ipst->ips_ill_g_lock);
4593 					return (ipif);
4594 				}
4595 			}
4596 		}
4597 		mutex_exit(&ill->ill_lock);
4598 	}
4599 	rw_exit(&ipst->ips_ill_g_lock);
4600 
4601 	/* lookup the ipif based on interface address */
4602 	ipif = ipif_lookup_addr(if_addr, NULL, ALL_ZONES, ipst);
4603 	ASSERT(ipif == NULL || !ipif->ipif_isv6);
4604 	return (ipif);
4605 }
4606 
4607 /*
4608  * Common function for ipif_lookup_addr() and ipif_lookup_addr_exact().
4609  */
4610 static ipif_t *
4611 ipif_lookup_addr_common(ipaddr_t addr, ill_t *match_ill, uint32_t match_flags,
4612     zoneid_t zoneid, ip_stack_t *ipst)
4613 {
4614 	ipif_t  *ipif;
4615 	ill_t   *ill;
4616 	boolean_t ptp = B_FALSE;
4617 	ill_walk_context_t	ctx;
4618 	boolean_t match_illgrp = (match_flags & IPIF_MATCH_ILLGRP);
4619 	boolean_t no_duplicate = (match_flags & IPIF_MATCH_NONDUP);
4620 
4621 	rw_enter(&ipst->ips_ill_g_lock, RW_READER);
4622 	/*
4623 	 * Repeat twice, first based on local addresses and
4624 	 * next time for pointopoint.
4625 	 */
4626 repeat:
4627 	ill = ILL_START_WALK_V4(&ctx, ipst);
4628 	for (; ill != NULL; ill = ill_next(&ctx, ill)) {
4629 		if (match_ill != NULL && ill != match_ill &&
4630 		    (!match_illgrp || !IS_IN_SAME_ILLGRP(ill, match_ill))) {
4631 			continue;
4632 		}
4633 		mutex_enter(&ill->ill_lock);
4634 		for (ipif = ill->ill_ipif; ipif != NULL;
4635 		    ipif = ipif->ipif_next) {
4636 			if (zoneid != ALL_ZONES &&
4637 			    zoneid != ipif->ipif_zoneid &&
4638 			    ipif->ipif_zoneid != ALL_ZONES)
4639 				continue;
4640 
4641 			if (no_duplicate && !(ipif->ipif_flags & IPIF_UP))
4642 				continue;
4643 
4644 			/* Allow the ipif to be down */
4645 			if ((!ptp && (ipif->ipif_lcl_addr == addr) &&
4646 			    ((ipif->ipif_flags & IPIF_UNNUMBERED) == 0)) ||
4647 			    (ptp && (ipif->ipif_flags & IPIF_POINTOPOINT) &&
4648 			    (ipif->ipif_pp_dst_addr == addr))) {
4649 				if (!IPIF_IS_CONDEMNED(ipif)) {
4650 					ipif_refhold_locked(ipif);
4651 					mutex_exit(&ill->ill_lock);
4652 					rw_exit(&ipst->ips_ill_g_lock);
4653 					return (ipif);
4654 				}
4655 			}
4656 		}
4657 		mutex_exit(&ill->ill_lock);
4658 	}
4659 
4660 	/* If we already did the ptp case, then we are done */
4661 	if (ptp) {
4662 		rw_exit(&ipst->ips_ill_g_lock);
4663 		return (NULL);
4664 	}
4665 	ptp = B_TRUE;
4666 	goto repeat;
4667 }
4668 
4669 /*
4670  * Lookup an ipif with the specified address.  For point-to-point links we
4671  * look for matches on either the destination address or the local address,
4672  * but we skip the local address check if IPIF_UNNUMBERED is set.  If the
4673  * `match_ill' argument is non-NULL, the lookup is restricted to that ill
4674  * (or illgrp if `match_ill' is in an IPMP group).
4675  */
4676 ipif_t *
4677 ipif_lookup_addr(ipaddr_t addr, ill_t *match_ill, zoneid_t zoneid,
4678     ip_stack_t *ipst)
4679 {
4680 	return (ipif_lookup_addr_common(addr, match_ill, IPIF_MATCH_ILLGRP,
4681 	    zoneid, ipst));
4682 }
4683 
4684 /*
4685  * Lookup an ipif with the specified address. Similar to ipif_lookup_addr,
4686  * except that we will only return an address if it is not marked as
4687  * IPIF_DUPLICATE
4688  */
4689 ipif_t *
4690 ipif_lookup_addr_nondup(ipaddr_t addr, ill_t *match_ill, zoneid_t zoneid,
4691     ip_stack_t *ipst)
4692 {
4693 	return (ipif_lookup_addr_common(addr, match_ill,
4694 	    (IPIF_MATCH_ILLGRP | IPIF_MATCH_NONDUP),
4695 	    zoneid, ipst));
4696 }
4697 
4698 /*
4699  * Special abbreviated version of ipif_lookup_addr() that doesn't match
4700  * `match_ill' across the IPMP group.  This function is only needed in some
4701  * corner-cases; almost everything should use ipif_lookup_addr().
4702  */
4703 ipif_t *
4704 ipif_lookup_addr_exact(ipaddr_t addr, ill_t *match_ill, ip_stack_t *ipst)
4705 {
4706 	ASSERT(match_ill != NULL);
4707 	return (ipif_lookup_addr_common(addr, match_ill, 0, ALL_ZONES,
4708 	    ipst));
4709 }
4710 
4711 /*
4712  * Look for an ipif with the specified address. For point-point links
4713  * we look for matches on either the destination address and the local
4714  * address, but we ignore the check on the local address if IPIF_UNNUMBERED
4715  * is set.
4716  * If the `match_ill' argument is non-NULL, the lookup is restricted to that
4717  * ill (or illgrp if `match_ill' is in an IPMP group).
4718  * Return the zoneid for the ipif which matches. ALL_ZONES if no match.
4719  */
4720 zoneid_t
4721 ipif_lookup_addr_zoneid(ipaddr_t addr, ill_t *match_ill, ip_stack_t *ipst)
4722 {
4723 	zoneid_t zoneid;
4724 	ipif_t  *ipif;
4725 	ill_t   *ill;
4726 	boolean_t ptp = B_FALSE;
4727 	ill_walk_context_t	ctx;
4728 
4729 	rw_enter(&ipst->ips_ill_g_lock, RW_READER);
4730 	/*
4731 	 * Repeat twice, first based on local addresses and
4732 	 * next time for pointopoint.
4733 	 */
4734 repeat:
4735 	ill = ILL_START_WALK_V4(&ctx, ipst);
4736 	for (; ill != NULL; ill = ill_next(&ctx, ill)) {
4737 		if (match_ill != NULL && ill != match_ill &&
4738 		    !IS_IN_SAME_ILLGRP(ill, match_ill)) {
4739 			continue;
4740 		}
4741 		mutex_enter(&ill->ill_lock);
4742 		for (ipif = ill->ill_ipif; ipif != NULL;
4743 		    ipif = ipif->ipif_next) {
4744 			/* Allow the ipif to be down */
4745 			if ((!ptp && (ipif->ipif_lcl_addr == addr) &&
4746 			    ((ipif->ipif_flags & IPIF_UNNUMBERED) == 0)) ||
4747 			    (ptp && (ipif->ipif_flags & IPIF_POINTOPOINT) &&
4748 			    (ipif->ipif_pp_dst_addr == addr)) &&
4749 			    !(ipif->ipif_state_flags & IPIF_CONDEMNED)) {
4750 				zoneid = ipif->ipif_zoneid;
4751 				mutex_exit(&ill->ill_lock);
4752 				rw_exit(&ipst->ips_ill_g_lock);
4753 				/*
4754 				 * If ipif_zoneid was ALL_ZONES then we have
4755 				 * a trusted extensions shared IP address.
4756 				 * In that case GLOBAL_ZONEID works to send.
4757 				 */
4758 				if (zoneid == ALL_ZONES)
4759 					zoneid = GLOBAL_ZONEID;
4760 				return (zoneid);
4761 			}
4762 		}
4763 		mutex_exit(&ill->ill_lock);
4764 	}
4765 
4766 	/* If we already did the ptp case, then we are done */
4767 	if (ptp) {
4768 		rw_exit(&ipst->ips_ill_g_lock);
4769 		return (ALL_ZONES);
4770 	}
4771 	ptp = B_TRUE;
4772 	goto repeat;
4773 }
4774 
4775 /*
4776  * Look for an ipif that matches the specified remote address i.e. the
4777  * ipif that would receive the specified packet.
4778  * First look for directly connected interfaces and then do a recursive
4779  * IRE lookup and pick the first ipif corresponding to the source address in the
4780  * ire.
4781  * Returns: held ipif
4782  *
4783  * This is only used for ICMP_ADDRESS_MASK_REQUESTs
4784  */
4785 ipif_t *
4786 ipif_lookup_remote(ill_t *ill, ipaddr_t addr, zoneid_t zoneid)
4787 {
4788 	ipif_t	*ipif;
4789 
4790 	ASSERT(!ill->ill_isv6);
4791 
4792 	/*
4793 	 * Someone could be changing this ipif currently or change it
4794 	 * after we return this. Thus  a few packets could use the old
4795 	 * old values. However structure updates/creates (ire, ilg, ilm etc)
4796 	 * will atomically be updated or cleaned up with the new value
4797 	 * Thus we don't need a lock to check the flags or other attrs below.
4798 	 */
4799 	mutex_enter(&ill->ill_lock);
4800 	for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
4801 		if (IPIF_IS_CONDEMNED(ipif))
4802 			continue;
4803 		if (zoneid != ALL_ZONES && zoneid != ipif->ipif_zoneid &&
4804 		    ipif->ipif_zoneid != ALL_ZONES)
4805 			continue;
4806 		/* Allow the ipif to be down */
4807 		if (ipif->ipif_flags & IPIF_POINTOPOINT) {
4808 			if ((ipif->ipif_pp_dst_addr == addr) ||
4809 			    (!(ipif->ipif_flags & IPIF_UNNUMBERED) &&
4810 			    ipif->ipif_lcl_addr == addr)) {
4811 				ipif_refhold_locked(ipif);
4812 				mutex_exit(&ill->ill_lock);
4813 				return (ipif);
4814 			}
4815 		} else if (ipif->ipif_subnet == (addr & ipif->ipif_net_mask)) {
4816 			ipif_refhold_locked(ipif);
4817 			mutex_exit(&ill->ill_lock);
4818 			return (ipif);
4819 		}
4820 	}
4821 	mutex_exit(&ill->ill_lock);
4822 	/*
4823 	 * For a remote destination it isn't possible to nail down a particular
4824 	 * ipif.
4825 	 */
4826 
4827 	/* Pick the first interface */
4828 	ipif = ipif_get_next_ipif(NULL, ill);
4829 	return (ipif);
4830 }
4831 
4832 /*
4833  * This func does not prevent refcnt from increasing. But if
4834  * the caller has taken steps to that effect, then this func
4835  * can be used to determine whether the ill has become quiescent
4836  */
4837 static boolean_t
4838 ill_is_quiescent(ill_t *ill)
4839 {
4840 	ipif_t	*ipif;
4841 
4842 	ASSERT(MUTEX_HELD(&ill->ill_lock));
4843 
4844 	for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
4845 		if (ipif->ipif_refcnt != 0)
4846 			return (B_FALSE);
4847 	}
4848 	if (!ILL_DOWN_OK(ill) || ill->ill_refcnt != 0) {
4849 		return (B_FALSE);
4850 	}
4851 	return (B_TRUE);
4852 }
4853 
4854 boolean_t
4855 ill_is_freeable(ill_t *ill)
4856 {
4857 	ipif_t	*ipif;
4858 
4859 	ASSERT(MUTEX_HELD(&ill->ill_lock));
4860 
4861 	for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
4862 		if (ipif->ipif_refcnt != 0) {
4863 			return (B_FALSE);
4864 		}
4865 	}
4866 	if (!ILL_FREE_OK(ill) || ill->ill_refcnt != 0) {
4867 		return (B_FALSE);
4868 	}
4869 	return (B_TRUE);
4870 }
4871 
4872 /*
4873  * This func does not prevent refcnt from increasing. But if
4874  * the caller has taken steps to that effect, then this func
4875  * can be used to determine whether the ipif has become quiescent
4876  */
4877 static boolean_t
4878 ipif_is_quiescent(ipif_t *ipif)
4879 {
4880 	ill_t *ill;
4881 
4882 	ASSERT(MUTEX_HELD(&ipif->ipif_ill->ill_lock));
4883 
4884 	if (ipif->ipif_refcnt != 0)
4885 		return (B_FALSE);
4886 
4887 	ill = ipif->ipif_ill;
4888 	if (ill->ill_ipif_up_count != 0 || ill->ill_ipif_dup_count != 0 ||
4889 	    ill->ill_logical_down) {
4890 		return (B_TRUE);
4891 	}
4892 
4893 	/* This is the last ipif going down or being deleted on this ill */
4894 	if (ill->ill_ire_cnt != 0 || ill->ill_refcnt != 0) {
4895 		return (B_FALSE);
4896 	}
4897 
4898 	return (B_TRUE);
4899 }
4900 
4901 /*
4902  * return true if the ipif can be destroyed: the ipif has to be quiescent
4903  * with zero references from ire/ilm to it.
4904  */
4905 static boolean_t
4906 ipif_is_freeable(ipif_t *ipif)
4907 {
4908 	ASSERT(MUTEX_HELD(&ipif->ipif_ill->ill_lock));
4909 	ASSERT(ipif->ipif_id != 0);
4910 	return (ipif->ipif_refcnt == 0);
4911 }
4912 
4913 /*
4914  * The ipif/ill/ire has been refreled. Do the tail processing.
4915  * Determine if the ipif or ill in question has become quiescent and if so
4916  * wakeup close and/or restart any queued pending ioctl that is waiting
4917  * for the ipif_down (or ill_down)
4918  */
4919 void
4920 ipif_ill_refrele_tail(ill_t *ill)
4921 {
4922 	mblk_t	*mp;
4923 	conn_t	*connp;
4924 	ipsq_t	*ipsq;
4925 	ipxop_t	*ipx;
4926 	ipif_t	*ipif;
4927 	dl_notify_ind_t *dlindp;
4928 
4929 	ASSERT(MUTEX_HELD(&ill->ill_lock));
4930 
4931 	if ((ill->ill_state_flags & ILL_CONDEMNED) && ill_is_freeable(ill)) {
4932 		/* ip_modclose() may be waiting */
4933 		cv_broadcast(&ill->ill_cv);
4934 	}
4935 
4936 	ipsq = ill->ill_phyint->phyint_ipsq;
4937 	mutex_enter(&ipsq->ipsq_lock);
4938 	ipx = ipsq->ipsq_xop;
4939 	mutex_enter(&ipx->ipx_lock);
4940 	if (ipx->ipx_waitfor == 0)	/* no one's waiting; bail */
4941 		goto unlock;
4942 
4943 	ASSERT(ipx->ipx_pending_mp != NULL && ipx->ipx_pending_ipif != NULL);
4944 
4945 	ipif = ipx->ipx_pending_ipif;
4946 	if (ipif->ipif_ill != ill) 	/* wait is for another ill; bail */
4947 		goto unlock;
4948 
4949 	switch (ipx->ipx_waitfor) {
4950 	case IPIF_DOWN:
4951 		if (!ipif_is_quiescent(ipif))
4952 			goto unlock;
4953 		break;
4954 	case IPIF_FREE:
4955 		if (!ipif_is_freeable(ipif))
4956 			goto unlock;
4957 		break;
4958 	case ILL_DOWN:
4959 		if (!ill_is_quiescent(ill))
4960 			goto unlock;
4961 		break;
4962 	case ILL_FREE:
4963 		/*
4964 		 * ILL_FREE is only for loopback; normal ill teardown waits
4965 		 * synchronously in ip_modclose() without using ipx_waitfor,
4966 		 * handled by the cv_broadcast() at the top of this function.
4967 		 */
4968 		if (!ill_is_freeable(ill))
4969 			goto unlock;
4970 		break;
4971 	default:
4972 		cmn_err(CE_PANIC, "ipsq: %p unknown ipx_waitfor %d\n",
4973 		    (void *)ipsq, ipx->ipx_waitfor);
4974 	}
4975 
4976 	ill_refhold_locked(ill);	/* for qwriter_ip() call below */
4977 	mutex_exit(&ipx->ipx_lock);
4978 	mp = ipsq_pending_mp_get(ipsq, &connp);
4979 	mutex_exit(&ipsq->ipsq_lock);
4980 	mutex_exit(&ill->ill_lock);
4981 
4982 	ASSERT(mp != NULL);
4983 	/*
4984 	 * NOTE: all of the qwriter_ip() calls below use CUR_OP since
4985 	 * we can only get here when the current operation decides it
4986 	 * it needs to quiesce via ipsq_pending_mp_add().
4987 	 */
4988 	switch (mp->b_datap->db_type) {
4989 	case M_PCPROTO:
4990 	case M_PROTO:
4991 		/*
4992 		 * For now, only DL_NOTIFY_IND messages can use this facility.
4993 		 */
4994 		dlindp = (dl_notify_ind_t *)mp->b_rptr;
4995 		ASSERT(dlindp->dl_primitive == DL_NOTIFY_IND);
4996 
4997 		switch (dlindp->dl_notification) {
4998 		case DL_NOTE_PHYS_ADDR:
4999 			qwriter_ip(ill, ill->ill_rq, mp,
5000 			    ill_set_phys_addr_tail, CUR_OP, B_TRUE);
5001 			return;
5002 		case DL_NOTE_REPLUMB:
5003 			qwriter_ip(ill, ill->ill_rq, mp,
5004 			    ill_replumb_tail, CUR_OP, B_TRUE);
5005 			return;
5006 		default:
5007 			ASSERT(0);
5008 			ill_refrele(ill);
5009 		}
5010 		break;
5011 
5012 	case M_ERROR:
5013 	case M_HANGUP:
5014 		qwriter_ip(ill, ill->ill_rq, mp, ipif_all_down_tail, CUR_OP,
5015 		    B_TRUE);
5016 		return;
5017 
5018 	case M_IOCTL:
5019 	case M_IOCDATA:
5020 		qwriter_ip(ill, (connp != NULL ? CONNP_TO_WQ(connp) :
5021 		    ill->ill_wq), mp, ip_reprocess_ioctl, CUR_OP, B_TRUE);
5022 		return;
5023 
5024 	default:
5025 		cmn_err(CE_PANIC, "ipif_ill_refrele_tail mp %p "
5026 		    "db_type %d\n", (void *)mp, mp->b_datap->db_type);
5027 	}
5028 	return;
5029 unlock:
5030 	mutex_exit(&ipsq->ipsq_lock);
5031 	mutex_exit(&ipx->ipx_lock);
5032 	mutex_exit(&ill->ill_lock);
5033 }
5034 
5035 #ifdef DEBUG
5036 /* Reuse trace buffer from beginning (if reached the end) and record trace */
5037 static void
5038 th_trace_rrecord(th_trace_t *th_trace)
5039 {
5040 	tr_buf_t *tr_buf;
5041 	uint_t lastref;
5042 
5043 	lastref = th_trace->th_trace_lastref;
5044 	lastref++;
5045 	if (lastref == TR_BUF_MAX)
5046 		lastref = 0;
5047 	th_trace->th_trace_lastref = lastref;
5048 	tr_buf = &th_trace->th_trbuf[lastref];
5049 	tr_buf->tr_time = ddi_get_lbolt();
5050 	tr_buf->tr_depth = getpcstack(tr_buf->tr_stack, TR_STACK_DEPTH);
5051 }
5052 
5053 static void
5054 th_trace_free(void *value)
5055 {
5056 	th_trace_t *th_trace = value;
5057 
5058 	ASSERT(th_trace->th_refcnt == 0);
5059 	kmem_free(th_trace, sizeof (*th_trace));
5060 }
5061 
5062 /*
5063  * Find or create the per-thread hash table used to track object references.
5064  * The ipst argument is NULL if we shouldn't allocate.
5065  *
5066  * Accesses per-thread data, so there's no need to lock here.
5067  */
5068 static mod_hash_t *
5069 th_trace_gethash(ip_stack_t *ipst)
5070 {
5071 	th_hash_t *thh;
5072 
5073 	if ((thh = tsd_get(ip_thread_data)) == NULL && ipst != NULL) {
5074 		mod_hash_t *mh;
5075 		char name[256];
5076 		size_t objsize, rshift;
5077 		int retv;
5078 
5079 		if ((thh = kmem_alloc(sizeof (*thh), KM_NOSLEEP)) == NULL)
5080 			return (NULL);
5081 		(void) snprintf(name, sizeof (name), "th_trace_%p",
5082 		    (void *)curthread);
5083 
5084 		/*
5085 		 * We use mod_hash_create_extended here rather than the more
5086 		 * obvious mod_hash_create_ptrhash because the latter has a
5087 		 * hard-coded KM_SLEEP, and we'd prefer to fail rather than
5088 		 * block.
5089 		 */
5090 		objsize = MAX(MAX(sizeof (ill_t), sizeof (ipif_t)),
5091 		    MAX(sizeof (ire_t), sizeof (ncec_t)));
5092 		rshift = highbit(objsize);
5093 		mh = mod_hash_create_extended(name, 64, mod_hash_null_keydtor,
5094 		    th_trace_free, mod_hash_byptr, (void *)rshift,
5095 		    mod_hash_ptrkey_cmp, KM_NOSLEEP);
5096 		if (mh == NULL) {
5097 			kmem_free(thh, sizeof (*thh));
5098 			return (NULL);
5099 		}
5100 		thh->thh_hash = mh;
5101 		thh->thh_ipst = ipst;
5102 		/*
5103 		 * We trace ills, ipifs, ires, and nces.  All of these are
5104 		 * per-IP-stack, so the lock on the thread list is as well.
5105 		 */
5106 		rw_enter(&ip_thread_rwlock, RW_WRITER);
5107 		list_insert_tail(&ip_thread_list, thh);
5108 		rw_exit(&ip_thread_rwlock);
5109 		retv = tsd_set(ip_thread_data, thh);
5110 		ASSERT(retv == 0);
5111 	}
5112 	return (thh != NULL ? thh->thh_hash : NULL);
5113 }
5114 
5115 boolean_t
5116 th_trace_ref(const void *obj, ip_stack_t *ipst)
5117 {
5118 	th_trace_t *th_trace;
5119 	mod_hash_t *mh;
5120 	mod_hash_val_t val;
5121 
5122 	if ((mh = th_trace_gethash(ipst)) == NULL)
5123 		return (B_FALSE);
5124 
5125 	/*
5126 	 * Attempt to locate the trace buffer for this obj and thread.
5127 	 * If it does not exist, then allocate a new trace buffer and
5128 	 * insert into the hash.
5129 	 */
5130 	if (mod_hash_find(mh, (mod_hash_key_t)obj, &val) == MH_ERR_NOTFOUND) {
5131 		th_trace = kmem_zalloc(sizeof (th_trace_t), KM_NOSLEEP);
5132 		if (th_trace == NULL)
5133 			return (B_FALSE);
5134 
5135 		th_trace->th_id = curthread;
5136 		if (mod_hash_insert(mh, (mod_hash_key_t)obj,
5137 		    (mod_hash_val_t)th_trace) != 0) {
5138 			kmem_free(th_trace, sizeof (th_trace_t));
5139 			return (B_FALSE);
5140 		}
5141 	} else {
5142 		th_trace = (th_trace_t *)val;
5143 	}
5144 
5145 	ASSERT(th_trace->th_refcnt >= 0 &&
5146 	    th_trace->th_refcnt < TR_BUF_MAX - 1);
5147 
5148 	th_trace->th_refcnt++;
5149 	th_trace_rrecord(th_trace);
5150 	return (B_TRUE);
5151 }
5152 
5153 /*
5154  * For the purpose of tracing a reference release, we assume that global
5155  * tracing is always on and that the same thread initiated the reference hold
5156  * is releasing.
5157  */
5158 void
5159 th_trace_unref(const void *obj)
5160 {
5161 	int retv;
5162 	mod_hash_t *mh;
5163 	th_trace_t *th_trace;
5164 	mod_hash_val_t val;
5165 
5166 	mh = th_trace_gethash(NULL);
5167 	retv = mod_hash_find(mh, (mod_hash_key_t)obj, &val);
5168 	ASSERT(retv == 0);
5169 	th_trace = (th_trace_t *)val;
5170 
5171 	ASSERT(th_trace->th_refcnt > 0);
5172 	th_trace->th_refcnt--;
5173 	th_trace_rrecord(th_trace);
5174 }
5175 
5176 /*
5177  * If tracing has been disabled, then we assume that the reference counts are
5178  * now useless, and we clear them out before destroying the entries.
5179  */
5180 void
5181 th_trace_cleanup(const void *obj, boolean_t trace_disable)
5182 {
5183 	th_hash_t	*thh;
5184 	mod_hash_t	*mh;
5185 	mod_hash_val_t	val;
5186 	th_trace_t	*th_trace;
5187 	int		retv;
5188 
5189 	rw_enter(&ip_thread_rwlock, RW_READER);
5190 	for (thh = list_head(&ip_thread_list); thh != NULL;
5191 	    thh = list_next(&ip_thread_list, thh)) {
5192 		if (mod_hash_find(mh = thh->thh_hash, (mod_hash_key_t)obj,
5193 		    &val) == 0) {
5194 			th_trace = (th_trace_t *)val;
5195 			if (trace_disable)
5196 				th_trace->th_refcnt = 0;
5197 			retv = mod_hash_destroy(mh, (mod_hash_key_t)obj);
5198 			ASSERT(retv == 0);
5199 		}
5200 	}
5201 	rw_exit(&ip_thread_rwlock);
5202 }
5203 
5204 void
5205 ipif_trace_ref(ipif_t *ipif)
5206 {
5207 	ASSERT(MUTEX_HELD(&ipif->ipif_ill->ill_lock));
5208 
5209 	if (ipif->ipif_trace_disable)
5210 		return;
5211 
5212 	if (!th_trace_ref(ipif, ipif->ipif_ill->ill_ipst)) {
5213 		ipif->ipif_trace_disable = B_TRUE;
5214 		ipif_trace_cleanup(ipif);
5215 	}
5216 }
5217 
5218 void
5219 ipif_untrace_ref(ipif_t *ipif)
5220 {
5221 	ASSERT(MUTEX_HELD(&ipif->ipif_ill->ill_lock));
5222 
5223 	if (!ipif->ipif_trace_disable)
5224 		th_trace_unref(ipif);
5225 }
5226 
5227 void
5228 ill_trace_ref(ill_t *ill)
5229 {
5230 	ASSERT(MUTEX_HELD(&ill->ill_lock));
5231 
5232 	if (ill->ill_trace_disable)
5233 		return;
5234 
5235 	if (!th_trace_ref(ill, ill->ill_ipst)) {
5236 		ill->ill_trace_disable = B_TRUE;
5237 		ill_trace_cleanup(ill);
5238 	}
5239 }
5240 
5241 void
5242 ill_untrace_ref(ill_t *ill)
5243 {
5244 	ASSERT(MUTEX_HELD(&ill->ill_lock));
5245 
5246 	if (!ill->ill_trace_disable)
5247 		th_trace_unref(ill);
5248 }
5249 
5250 /*
5251  * Called when ipif is unplumbed or when memory alloc fails.  Note that on
5252  * failure, ipif_trace_disable is set.
5253  */
5254 static void
5255 ipif_trace_cleanup(const ipif_t *ipif)
5256 {
5257 	th_trace_cleanup(ipif, ipif->ipif_trace_disable);
5258 }
5259 
5260 /*
5261  * Called when ill is unplumbed or when memory alloc fails.  Note that on
5262  * failure, ill_trace_disable is set.
5263  */
5264 static void
5265 ill_trace_cleanup(const ill_t *ill)
5266 {
5267 	th_trace_cleanup(ill, ill->ill_trace_disable);
5268 }
5269 #endif /* DEBUG */
5270 
5271 void
5272 ipif_refhold_locked(ipif_t *ipif)
5273 {
5274 	ASSERT(MUTEX_HELD(&ipif->ipif_ill->ill_lock));
5275 	ipif->ipif_refcnt++;
5276 	IPIF_TRACE_REF(ipif);
5277 }
5278 
5279 void
5280 ipif_refhold(ipif_t *ipif)
5281 {
5282 	ill_t	*ill;
5283 
5284 	ill = ipif->ipif_ill;
5285 	mutex_enter(&ill->ill_lock);
5286 	ipif->ipif_refcnt++;
5287 	IPIF_TRACE_REF(ipif);
5288 	mutex_exit(&ill->ill_lock);
5289 }
5290 
5291 /*
5292  * Must not be called while holding any locks. Otherwise if this is
5293  * the last reference to be released there is a chance of recursive mutex
5294  * panic due to ipif_refrele -> ipif_ill_refrele_tail -> qwriter_ip trying
5295  * to restart an ioctl.
5296  */
5297 void
5298 ipif_refrele(ipif_t *ipif)
5299 {
5300 	ill_t	*ill;
5301 
5302 	ill = ipif->ipif_ill;
5303 
5304 	mutex_enter(&ill->ill_lock);
5305 	ASSERT(ipif->ipif_refcnt != 0);
5306 	ipif->ipif_refcnt--;
5307 	IPIF_UNTRACE_REF(ipif);
5308 	if (ipif->ipif_refcnt != 0) {
5309 		mutex_exit(&ill->ill_lock);
5310 		return;
5311 	}
5312 
5313 	/* Drops the ill_lock */
5314 	ipif_ill_refrele_tail(ill);
5315 }
5316 
5317 ipif_t *
5318 ipif_get_next_ipif(ipif_t *curr, ill_t *ill)
5319 {
5320 	ipif_t	*ipif;
5321 
5322 	mutex_enter(&ill->ill_lock);
5323 	for (ipif = (curr == NULL ? ill->ill_ipif : curr->ipif_next);
5324 	    ipif != NULL; ipif = ipif->ipif_next) {
5325 		if (IPIF_IS_CONDEMNED(ipif))
5326 			continue;
5327 		ipif_refhold_locked(ipif);
5328 		mutex_exit(&ill->ill_lock);
5329 		return (ipif);
5330 	}
5331 	mutex_exit(&ill->ill_lock);
5332 	return (NULL);
5333 }
5334 
5335 /*
5336  * TODO: make this table extendible at run time
5337  * Return a pointer to the mac type info for 'mac_type'
5338  */
5339 static ip_m_t *
5340 ip_m_lookup(t_uscalar_t mac_type)
5341 {
5342 	ip_m_t	*ipm;
5343 
5344 	for (ipm = ip_m_tbl; ipm < A_END(ip_m_tbl); ipm++)
5345 		if (ipm->ip_m_mac_type == mac_type)
5346 			return (ipm);
5347 	return (NULL);
5348 }
5349 
5350 /*
5351  * Make a link layer address from the multicast IP address *addr.
5352  * To form the link layer address, invoke the ip_m_v*mapping function
5353  * associated with the link-layer type.
5354  */
5355 void
5356 ip_mcast_mapping(ill_t *ill, uchar_t *addr, uchar_t *hwaddr)
5357 {
5358 	ip_m_t *ipm;
5359 
5360 	if (ill->ill_net_type == IRE_IF_NORESOLVER)
5361 		return;
5362 
5363 	ASSERT(addr != NULL);
5364 
5365 	ipm = ip_m_lookup(ill->ill_mactype);
5366 	if (ipm == NULL ||
5367 	    (ill->ill_isv6 && ipm->ip_m_v6mapping == NULL) ||
5368 	    (!ill->ill_isv6 && ipm->ip_m_v4mapping == NULL)) {
5369 		ip0dbg(("no mapping for ill %s mactype 0x%x\n",
5370 		    ill->ill_name, ill->ill_mactype));
5371 		return;
5372 	}
5373 	if (ill->ill_isv6)
5374 		(*ipm->ip_m_v6mapping)(ill, addr, hwaddr);
5375 	else
5376 		(*ipm->ip_m_v4mapping)(ill, addr, hwaddr);
5377 }
5378 
5379 /*
5380  * Returns B_FALSE if the IPv4 netmask pointed by `mask' is non-contiguous.
5381  * Otherwise returns B_TRUE.
5382  *
5383  * The netmask can be verified to be contiguous with 32 shifts and or
5384  * operations. Take the contiguous mask (in host byte order) and compute
5385  * 	mask | mask << 1 | mask << 2 | ... | mask << 31
5386  * the result will be the same as the 'mask' for contiguous mask.
5387  */
5388 static boolean_t
5389 ip_contiguous_mask(uint32_t mask)
5390 {
5391 	uint32_t	m = mask;
5392 	int		i;
5393 
5394 	for (i = 1; i < 32; i++)
5395 		m |= (mask << i);
5396 
5397 	return (m == mask);
5398 }
5399 
5400 /*
5401  * ip_rt_add is called to add an IPv4 route to the forwarding table.
5402  * ill is passed in to associate it with the correct interface.
5403  * If ire_arg is set, then we return the held IRE in that location.
5404  */
5405 int
5406 ip_rt_add(ipaddr_t dst_addr, ipaddr_t mask, ipaddr_t gw_addr,
5407     ipaddr_t src_addr, int flags, ill_t *ill, ire_t **ire_arg,
5408     boolean_t ioctl_msg, struct rtsa_s *sp, ip_stack_t *ipst, zoneid_t zoneid)
5409 {
5410 	ire_t	*ire, *nire;
5411 	ire_t	*gw_ire = NULL;
5412 	ipif_t	*ipif = NULL;
5413 	uint_t	type;
5414 	int	match_flags = MATCH_IRE_TYPE;
5415 	tsol_gc_t *gc = NULL;
5416 	tsol_gcgrp_t *gcgrp = NULL;
5417 	boolean_t gcgrp_xtraref = B_FALSE;
5418 	boolean_t cgtp_broadcast;
5419 	boolean_t unbound = B_FALSE;
5420 
5421 	ip1dbg(("ip_rt_add:"));
5422 
5423 	if (ire_arg != NULL)
5424 		*ire_arg = NULL;
5425 
5426 	/* disallow non-contiguous netmasks */
5427 	if (!ip_contiguous_mask(ntohl(mask)))
5428 		return (ENOTSUP);
5429 
5430 	/*
5431 	 * If this is the case of RTF_HOST being set, then we set the netmask
5432 	 * to all ones (regardless if one was supplied).
5433 	 */
5434 	if (flags & RTF_HOST)
5435 		mask = IP_HOST_MASK;
5436 
5437 	/*
5438 	 * Prevent routes with a zero gateway from being created (since
5439 	 * interfaces can currently be plumbed and brought up no assigned
5440 	 * address).
5441 	 */
5442 	if (gw_addr == 0)
5443 		return (ENETUNREACH);
5444 	/*
5445 	 * Get the ipif, if any, corresponding to the gw_addr
5446 	 * If -ifp was specified we restrict ourselves to the ill, otherwise
5447 	 * we match on the gatway and destination to handle unnumbered pt-pt
5448 	 * interfaces.
5449 	 */
5450 	if (ill != NULL)
5451 		ipif = ipif_lookup_addr(gw_addr, ill, ALL_ZONES, ipst);
5452 	else
5453 		ipif = ipif_lookup_interface(gw_addr, dst_addr, ipst);
5454 	if (ipif != NULL) {
5455 		if (IS_VNI(ipif->ipif_ill)) {
5456 			ipif_refrele(ipif);
5457 			return (EINVAL);
5458 		}
5459 	}
5460 
5461 	/*
5462 	 * GateD will attempt to create routes with a loopback interface
5463 	 * address as the gateway and with RTF_GATEWAY set.  We allow
5464 	 * these routes to be added, but create them as interface routes
5465 	 * since the gateway is an interface address.
5466 	 */
5467 	if ((ipif != NULL) && (ipif->ipif_ire_type == IRE_LOOPBACK)) {
5468 		flags &= ~RTF_GATEWAY;
5469 		if (gw_addr == INADDR_LOOPBACK && dst_addr == INADDR_LOOPBACK &&
5470 		    mask == IP_HOST_MASK) {
5471 			ire = ire_ftable_lookup_v4(dst_addr, 0, 0, IRE_LOOPBACK,
5472 			    NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE, 0, ipst,
5473 			    NULL);
5474 			if (ire != NULL) {
5475 				ire_refrele(ire);
5476 				ipif_refrele(ipif);
5477 				return (EEXIST);
5478 			}
5479 			ip1dbg(("ip_rt_add: 0x%p creating IRE 0x%x"
5480 			    "for 0x%x\n", (void *)ipif,
5481 			    ipif->ipif_ire_type,
5482 			    ntohl(ipif->ipif_lcl_addr)));
5483 			ire = ire_create(
5484 			    (uchar_t *)&dst_addr,	/* dest address */
5485 			    (uchar_t *)&mask,		/* mask */
5486 			    NULL,			/* no gateway */
5487 			    ipif->ipif_ire_type,	/* LOOPBACK */
5488 			    ipif->ipif_ill,
5489 			    zoneid,
5490 			    (ipif->ipif_flags & IPIF_PRIVATE) ? RTF_PRIVATE : 0,
5491 			    NULL,
5492 			    ipst);
5493 
5494 			if (ire == NULL) {
5495 				ipif_refrele(ipif);
5496 				return (ENOMEM);
5497 			}
5498 			/* src address assigned by the caller? */
5499 			if ((src_addr != INADDR_ANY) && (flags & RTF_SETSRC))
5500 				ire->ire_setsrc_addr = src_addr;
5501 
5502 			nire = ire_add(ire);
5503 			if (nire == NULL) {
5504 				/*
5505 				 * In the result of failure, ire_add() will have
5506 				 * already deleted the ire in question, so there
5507 				 * is no need to do that here.
5508 				 */
5509 				ipif_refrele(ipif);
5510 				return (ENOMEM);
5511 			}
5512 			/*
5513 			 * Check if it was a duplicate entry. This handles
5514 			 * the case of two racing route adds for the same route
5515 			 */
5516 			if (nire != ire) {
5517 				ASSERT(nire->ire_identical_ref > 1);
5518 				ire_delete(nire);
5519 				ire_refrele(nire);
5520 				ipif_refrele(ipif);
5521 				return (EEXIST);
5522 			}
5523 			ire = nire;
5524 			goto save_ire;
5525 		}
5526 	}
5527 
5528 	/*
5529 	 * The routes for multicast with CGTP are quite special in that
5530 	 * the gateway is the local interface address, yet RTF_GATEWAY
5531 	 * is set. We turn off RTF_GATEWAY to provide compatibility with
5532 	 * this undocumented and unusual use of multicast routes.
5533 	 */
5534 	if ((flags & RTF_MULTIRT) && ipif != NULL)
5535 		flags &= ~RTF_GATEWAY;
5536 
5537 	/*
5538 	 * Traditionally, interface routes are ones where RTF_GATEWAY isn't set
5539 	 * and the gateway address provided is one of the system's interface
5540 	 * addresses.  By using the routing socket interface and supplying an
5541 	 * RTA_IFP sockaddr with an interface index, an alternate method of
5542 	 * specifying an interface route to be created is available which uses
5543 	 * the interface index that specifies the outgoing interface rather than
5544 	 * the address of an outgoing interface (which may not be able to
5545 	 * uniquely identify an interface).  When coupled with the RTF_GATEWAY
5546 	 * flag, routes can be specified which not only specify the next-hop to
5547 	 * be used when routing to a certain prefix, but also which outgoing
5548 	 * interface should be used.
5549 	 *
5550 	 * Previously, interfaces would have unique addresses assigned to them
5551 	 * and so the address assigned to a particular interface could be used
5552 	 * to identify a particular interface.  One exception to this was the
5553 	 * case of an unnumbered interface (where IPIF_UNNUMBERED was set).
5554 	 *
5555 	 * With the advent of IPv6 and its link-local addresses, this
5556 	 * restriction was relaxed and interfaces could share addresses between
5557 	 * themselves.  In fact, typically all of the link-local interfaces on
5558 	 * an IPv6 node or router will have the same link-local address.  In
5559 	 * order to differentiate between these interfaces, the use of an
5560 	 * interface index is necessary and this index can be carried inside a
5561 	 * RTA_IFP sockaddr (which is actually a sockaddr_dl).  One restriction
5562 	 * of using the interface index, however, is that all of the ipif's that
5563 	 * are part of an ill have the same index and so the RTA_IFP sockaddr
5564 	 * cannot be used to differentiate between ipif's (or logical
5565 	 * interfaces) that belong to the same ill (physical interface).
5566 	 *
5567 	 * For example, in the following case involving IPv4 interfaces and
5568 	 * logical interfaces
5569 	 *
5570 	 *	192.0.2.32	255.255.255.224	192.0.2.33	U	if0
5571 	 *	192.0.2.32	255.255.255.224	192.0.2.34	U	if0
5572 	 *	192.0.2.32	255.255.255.224	192.0.2.35	U	if0
5573 	 *
5574 	 * the ipif's corresponding to each of these interface routes can be
5575 	 * uniquely identified by the "gateway" (actually interface address).
5576 	 *
5577 	 * In this case involving multiple IPv6 default routes to a particular
5578 	 * link-local gateway, the use of RTA_IFP is necessary to specify which
5579 	 * default route is of interest:
5580 	 *
5581 	 *	default		fe80::123:4567:89ab:cdef	U	if0
5582 	 *	default		fe80::123:4567:89ab:cdef	U	if1
5583 	 */
5584 
5585 	/* RTF_GATEWAY not set */
5586 	if (!(flags & RTF_GATEWAY)) {
5587 		if (sp != NULL) {
5588 			ip2dbg(("ip_rt_add: gateway security attributes "
5589 			    "cannot be set with interface route\n"));
5590 			if (ipif != NULL)
5591 				ipif_refrele(ipif);
5592 			return (EINVAL);
5593 		}
5594 
5595 		/*
5596 		 * Whether or not ill (RTA_IFP) is set, we require that
5597 		 * the gateway is one of our local addresses.
5598 		 */
5599 		if (ipif == NULL)
5600 			return (ENETUNREACH);
5601 
5602 		/*
5603 		 * We use MATCH_IRE_ILL here. If the caller specified an
5604 		 * interface (from the RTA_IFP sockaddr) we use it, otherwise
5605 		 * we use the ill derived from the gateway address.
5606 		 * We can always match the gateway address since we record it
5607 		 * in ire_gateway_addr.
5608 		 * We don't allow RTA_IFP to specify a different ill than the
5609 		 * one matching the ipif to make sure we can delete the route.
5610 		 */
5611 		match_flags |= MATCH_IRE_GW | MATCH_IRE_ILL;
5612 		if (ill == NULL) {
5613 			ill = ipif->ipif_ill;
5614 		} else if (ill != ipif->ipif_ill) {
5615 			ipif_refrele(ipif);
5616 			return (EINVAL);
5617 		}
5618 
5619 		/*
5620 		 * We check for an existing entry at this point.
5621 		 *
5622 		 * Since a netmask isn't passed in via the ioctl interface
5623 		 * (SIOCADDRT), we don't check for a matching netmask in that
5624 		 * case.
5625 		 */
5626 		if (!ioctl_msg)
5627 			match_flags |= MATCH_IRE_MASK;
5628 		ire = ire_ftable_lookup_v4(dst_addr, mask, gw_addr,
5629 		    IRE_INTERFACE, ill, ALL_ZONES, NULL, match_flags, 0, ipst,
5630 		    NULL);
5631 		if (ire != NULL) {
5632 			ire_refrele(ire);
5633 			ipif_refrele(ipif);
5634 			return (EEXIST);
5635 		}
5636 
5637 		/*
5638 		 * Some software (for example, GateD and Sun Cluster) attempts
5639 		 * to create (what amount to) IRE_PREFIX routes with the
5640 		 * loopback address as the gateway.  This is primarily done to
5641 		 * set up prefixes with the RTF_REJECT flag set (for example,
5642 		 * when generating aggregate routes.)
5643 		 *
5644 		 * If the IRE type (as defined by ill->ill_net_type) would be
5645 		 * IRE_LOOPBACK, then we map the request into a
5646 		 * IRE_IF_NORESOLVER. We also OR in the RTF_BLACKHOLE flag as
5647 		 * these interface routes, by definition, can only be that.
5648 		 *
5649 		 * Needless to say, the real IRE_LOOPBACK is NOT created by this
5650 		 * routine, but rather using ire_create() directly.
5651 		 *
5652 		 */
5653 		type = ill->ill_net_type;
5654 		if (type == IRE_LOOPBACK) {
5655 			type = IRE_IF_NORESOLVER;
5656 			flags |= RTF_BLACKHOLE;
5657 		}
5658 
5659 		/*
5660 		 * Create a copy of the IRE_IF_NORESOLVER or
5661 		 * IRE_IF_RESOLVER with the modified address, netmask, and
5662 		 * gateway.
5663 		 */
5664 		ire = ire_create(
5665 		    (uchar_t *)&dst_addr,
5666 		    (uint8_t *)&mask,
5667 		    (uint8_t *)&gw_addr,
5668 		    type,
5669 		    ill,
5670 		    zoneid,
5671 		    flags,
5672 		    NULL,
5673 		    ipst);
5674 		if (ire == NULL) {
5675 			ipif_refrele(ipif);
5676 			return (ENOMEM);
5677 		}
5678 
5679 		/* src address assigned by the caller? */
5680 		if ((src_addr != INADDR_ANY) && (flags & RTF_SETSRC))
5681 			ire->ire_setsrc_addr = src_addr;
5682 
5683 		nire = ire_add(ire);
5684 		if (nire == NULL) {
5685 			/*
5686 			 * In the result of failure, ire_add() will have
5687 			 * already deleted the ire in question, so there
5688 			 * is no need to do that here.
5689 			 */
5690 			ipif_refrele(ipif);
5691 			return (ENOMEM);
5692 		}
5693 		/*
5694 		 * Check if it was a duplicate entry. This handles
5695 		 * the case of two racing route adds for the same route
5696 		 */
5697 		if (nire != ire) {
5698 			ire_delete(nire);
5699 			ire_refrele(nire);
5700 			ipif_refrele(ipif);
5701 			return (EEXIST);
5702 		}
5703 		ire = nire;
5704 		goto save_ire;
5705 	}
5706 
5707 	/*
5708 	 * Get an interface IRE for the specified gateway.
5709 	 * If we don't have an IRE_IF_NORESOLVER or IRE_IF_RESOLVER for the
5710 	 * gateway, it is currently unreachable and we fail the request
5711 	 * accordingly. We reject any RTF_GATEWAY routes where the gateway
5712 	 * is an IRE_LOCAL or IRE_LOOPBACK.
5713 	 * If RTA_IFP was specified we look on that particular ill.
5714 	 */
5715 	if (ill != NULL)
5716 		match_flags |= MATCH_IRE_ILL;
5717 
5718 	/* Check whether the gateway is reachable. */
5719 again:
5720 	type = IRE_INTERFACE | IRE_LOCAL | IRE_LOOPBACK;
5721 	if (flags & RTF_INDIRECT)
5722 		type |= IRE_OFFLINK;
5723 
5724 	gw_ire = ire_ftable_lookup_v4(gw_addr, 0, 0, type, ill,
5725 	    ALL_ZONES, NULL, match_flags, 0, ipst, NULL);
5726 	if (gw_ire == NULL) {
5727 		/*
5728 		 * With IPMP, we allow host routes to influence in.mpathd's
5729 		 * target selection.  However, if the test addresses are on
5730 		 * their own network, the above lookup will fail since the
5731 		 * underlying IRE_INTERFACEs are marked hidden.  So allow
5732 		 * hidden test IREs to be found and try again.
5733 		 */
5734 		if (!(match_flags & MATCH_IRE_TESTHIDDEN))  {
5735 			match_flags |= MATCH_IRE_TESTHIDDEN;
5736 			goto again;
5737 		}
5738 		if (ipif != NULL)
5739 			ipif_refrele(ipif);
5740 		return (ENETUNREACH);
5741 	}
5742 	if (gw_ire->ire_type & (IRE_LOCAL|IRE_LOOPBACK)) {
5743 		ire_refrele(gw_ire);
5744 		if (ipif != NULL)
5745 			ipif_refrele(ipif);
5746 		return (ENETUNREACH);
5747 	}
5748 
5749 	if (ill == NULL && !(flags & RTF_INDIRECT)) {
5750 		unbound = B_TRUE;
5751 		if (ipst->ips_ip_strict_src_multihoming > 0)
5752 			ill = gw_ire->ire_ill;
5753 	}
5754 
5755 	/*
5756 	 * We create one of three types of IREs as a result of this request
5757 	 * based on the netmask.  A netmask of all ones (which is automatically
5758 	 * assumed when RTF_HOST is set) results in an IRE_HOST being created.
5759 	 * An all zeroes netmask implies a default route so an IRE_DEFAULT is
5760 	 * created.  Otherwise, an IRE_PREFIX route is created for the
5761 	 * destination prefix.
5762 	 */
5763 	if (mask == IP_HOST_MASK)
5764 		type = IRE_HOST;
5765 	else if (mask == 0)
5766 		type = IRE_DEFAULT;
5767 	else
5768 		type = IRE_PREFIX;
5769 
5770 	/* check for a duplicate entry */
5771 	ire = ire_ftable_lookup_v4(dst_addr, mask, gw_addr, type, ill,
5772 	    ALL_ZONES, NULL, match_flags | MATCH_IRE_MASK | MATCH_IRE_GW,
5773 	    0, ipst, NULL);
5774 	if (ire != NULL) {
5775 		if (ipif != NULL)
5776 			ipif_refrele(ipif);
5777 		ire_refrele(gw_ire);
5778 		ire_refrele(ire);
5779 		return (EEXIST);
5780 	}
5781 
5782 	/* Security attribute exists */
5783 	if (sp != NULL) {
5784 		tsol_gcgrp_addr_t ga;
5785 
5786 		/* find or create the gateway credentials group */
5787 		ga.ga_af = AF_INET;
5788 		IN6_IPADDR_TO_V4MAPPED(gw_addr, &ga.ga_addr);
5789 
5790 		/* we hold reference to it upon success */
5791 		gcgrp = gcgrp_lookup(&ga, B_TRUE);
5792 		if (gcgrp == NULL) {
5793 			if (ipif != NULL)
5794 				ipif_refrele(ipif);
5795 			ire_refrele(gw_ire);
5796 			return (ENOMEM);
5797 		}
5798 
5799 		/*
5800 		 * Create and add the security attribute to the group; a
5801 		 * reference to the group is made upon allocating a new
5802 		 * entry successfully.  If it finds an already-existing
5803 		 * entry for the security attribute in the group, it simply
5804 		 * returns it and no new reference is made to the group.
5805 		 */
5806 		gc = gc_create(sp, gcgrp, &gcgrp_xtraref);
5807 		if (gc == NULL) {
5808 			if (ipif != NULL)
5809 				ipif_refrele(ipif);
5810 			/* release reference held by gcgrp_lookup */
5811 			GCGRP_REFRELE(gcgrp);
5812 			ire_refrele(gw_ire);
5813 			return (ENOMEM);
5814 		}
5815 	}
5816 
5817 	/* Create the IRE. */
5818 	ire = ire_create(
5819 	    (uchar_t *)&dst_addr,		/* dest address */
5820 	    (uchar_t *)&mask,			/* mask */
5821 	    (uchar_t *)&gw_addr,		/* gateway address */
5822 	    (ushort_t)type,			/* IRE type */
5823 	    ill,
5824 	    zoneid,
5825 	    flags,
5826 	    gc,					/* security attribute */
5827 	    ipst);
5828 
5829 	/*
5830 	 * The ire holds a reference to the 'gc' and the 'gc' holds a
5831 	 * reference to the 'gcgrp'. We can now release the extra reference
5832 	 * the 'gcgrp' acquired in the gcgrp_lookup, if it was not used.
5833 	 */
5834 	if (gcgrp_xtraref)
5835 		GCGRP_REFRELE(gcgrp);
5836 	if (ire == NULL) {
5837 		if (gc != NULL)
5838 			GC_REFRELE(gc);
5839 		if (ipif != NULL)
5840 			ipif_refrele(ipif);
5841 		ire_refrele(gw_ire);
5842 		return (ENOMEM);
5843 	}
5844 
5845 	/* Before we add, check if an extra CGTP broadcast is needed */
5846 	cgtp_broadcast = ((flags & RTF_MULTIRT) &&
5847 	    ip_type_v4(ire->ire_addr, ipst) == IRE_BROADCAST);
5848 
5849 	/* src address assigned by the caller? */
5850 	if ((src_addr != INADDR_ANY) && (flags & RTF_SETSRC))
5851 		ire->ire_setsrc_addr = src_addr;
5852 
5853 	ire->ire_unbound = unbound;
5854 
5855 	/*
5856 	 * POLICY: should we allow an RTF_HOST with address INADDR_ANY?
5857 	 * SUN/OS socket stuff does but do we really want to allow 0.0.0.0?
5858 	 */
5859 
5860 	/* Add the new IRE. */
5861 	nire = ire_add(ire);
5862 	if (nire == NULL) {
5863 		/*
5864 		 * In the result of failure, ire_add() will have
5865 		 * already deleted the ire in question, so there
5866 		 * is no need to do that here.
5867 		 */
5868 		if (ipif != NULL)
5869 			ipif_refrele(ipif);
5870 		ire_refrele(gw_ire);
5871 		return (ENOMEM);
5872 	}
5873 	/*
5874 	 * Check if it was a duplicate entry. This handles
5875 	 * the case of two racing route adds for the same route
5876 	 */
5877 	if (nire != ire) {
5878 		ire_delete(nire);
5879 		ire_refrele(nire);
5880 		if (ipif != NULL)
5881 			ipif_refrele(ipif);
5882 		ire_refrele(gw_ire);
5883 		return (EEXIST);
5884 	}
5885 	ire = nire;
5886 
5887 	if (flags & RTF_MULTIRT) {
5888 		/*
5889 		 * Invoke the CGTP (multirouting) filtering module
5890 		 * to add the dst address in the filtering database.
5891 		 * Replicated inbound packets coming from that address
5892 		 * will be filtered to discard the duplicates.
5893 		 * It is not necessary to call the CGTP filter hook
5894 		 * when the dst address is a broadcast or multicast,
5895 		 * because an IP source address cannot be a broadcast
5896 		 * or a multicast.
5897 		 */
5898 		if (cgtp_broadcast) {
5899 			ip_cgtp_bcast_add(ire, ipst);
5900 			goto save_ire;
5901 		}
5902 		if (ipst->ips_ip_cgtp_filter_ops != NULL &&
5903 		    !CLASSD(ire->ire_addr)) {
5904 			int res;
5905 			ipif_t *src_ipif;
5906 
5907 			/* Find the source address corresponding to gw_ire */
5908 			src_ipif = ipif_lookup_addr(gw_ire->ire_gateway_addr,
5909 			    NULL, zoneid, ipst);
5910 			if (src_ipif != NULL) {
5911 				res = ipst->ips_ip_cgtp_filter_ops->
5912 				    cfo_add_dest_v4(
5913 				    ipst->ips_netstack->netstack_stackid,
5914 				    ire->ire_addr,
5915 				    ire->ire_gateway_addr,
5916 				    ire->ire_setsrc_addr,
5917 				    src_ipif->ipif_lcl_addr);
5918 				ipif_refrele(src_ipif);
5919 			} else {
5920 				res = EADDRNOTAVAIL;
5921 			}
5922 			if (res != 0) {
5923 				if (ipif != NULL)
5924 					ipif_refrele(ipif);
5925 				ire_refrele(gw_ire);
5926 				ire_delete(ire);
5927 				ire_refrele(ire);	/* Held in ire_add */
5928 				return (res);
5929 			}
5930 		}
5931 	}
5932 
5933 save_ire:
5934 	if (gw_ire != NULL) {
5935 		ire_refrele(gw_ire);
5936 		gw_ire = NULL;
5937 	}
5938 	if (ill != NULL) {
5939 		/*
5940 		 * Save enough information so that we can recreate the IRE if
5941 		 * the interface goes down and then up.  The metrics associated
5942 		 * with the route will be saved as well when rts_setmetrics() is
5943 		 * called after the IRE has been created.  In the case where
5944 		 * memory cannot be allocated, none of this information will be
5945 		 * saved.
5946 		 */
5947 		ill_save_ire(ill, ire);
5948 	}
5949 	if (ioctl_msg)
5950 		ip_rts_rtmsg(RTM_OLDADD, ire, 0, ipst);
5951 	if (ire_arg != NULL) {
5952 		/*
5953 		 * Store the ire that was successfully added into where ire_arg
5954 		 * points to so that callers don't have to look it up
5955 		 * themselves (but they are responsible for ire_refrele()ing
5956 		 * the ire when they are finished with it).
5957 		 */
5958 		*ire_arg = ire;
5959 	} else {
5960 		ire_refrele(ire);		/* Held in ire_add */
5961 	}
5962 	if (ipif != NULL)
5963 		ipif_refrele(ipif);
5964 	return (0);
5965 }
5966 
5967 /*
5968  * ip_rt_delete is called to delete an IPv4 route.
5969  * ill is passed in to associate it with the correct interface.
5970  */
5971 /* ARGSUSED4 */
5972 int
5973 ip_rt_delete(ipaddr_t dst_addr, ipaddr_t mask, ipaddr_t gw_addr,
5974     uint_t rtm_addrs, int flags, ill_t *ill, boolean_t ioctl_msg,
5975     ip_stack_t *ipst, zoneid_t zoneid)
5976 {
5977 	ire_t	*ire = NULL;
5978 	ipif_t	*ipif;
5979 	uint_t	type;
5980 	uint_t	match_flags = MATCH_IRE_TYPE;
5981 	int	err = 0;
5982 
5983 	ip1dbg(("ip_rt_delete:"));
5984 	/*
5985 	 * If this is the case of RTF_HOST being set, then we set the netmask
5986 	 * to all ones.  Otherwise, we use the netmask if one was supplied.
5987 	 */
5988 	if (flags & RTF_HOST) {
5989 		mask = IP_HOST_MASK;
5990 		match_flags |= MATCH_IRE_MASK;
5991 	} else if (rtm_addrs & RTA_NETMASK) {
5992 		match_flags |= MATCH_IRE_MASK;
5993 	}
5994 
5995 	/*
5996 	 * Note that RTF_GATEWAY is never set on a delete, therefore
5997 	 * we check if the gateway address is one of our interfaces first,
5998 	 * and fall back on RTF_GATEWAY routes.
5999 	 *
6000 	 * This makes it possible to delete an original
6001 	 * IRE_IF_NORESOLVER/IRE_IF_RESOLVER - consistent with SunOS 4.1.
6002 	 * However, we have RTF_KERNEL set on the ones created by ipif_up
6003 	 * and those can not be deleted here.
6004 	 *
6005 	 * We use MATCH_IRE_ILL if we know the interface. If the caller
6006 	 * specified an interface (from the RTA_IFP sockaddr) we use it,
6007 	 * otherwise we use the ill derived from the gateway address.
6008 	 * We can always match the gateway address since we record it
6009 	 * in ire_gateway_addr.
6010 	 *
6011 	 * For more detail on specifying routes by gateway address and by
6012 	 * interface index, see the comments in ip_rt_add().
6013 	 */
6014 	ipif = ipif_lookup_interface(gw_addr, dst_addr, ipst);
6015 	if (ipif != NULL) {
6016 		ill_t	*ill_match;
6017 
6018 		if (ill != NULL)
6019 			ill_match = ill;
6020 		else
6021 			ill_match = ipif->ipif_ill;
6022 
6023 		match_flags |= MATCH_IRE_ILL;
6024 		if (ipif->ipif_ire_type == IRE_LOOPBACK) {
6025 			ire = ire_ftable_lookup_v4(dst_addr, mask, 0,
6026 			    IRE_LOOPBACK, ill_match, ALL_ZONES, NULL,
6027 			    match_flags, 0, ipst, NULL);
6028 		}
6029 		if (ire == NULL) {
6030 			match_flags |= MATCH_IRE_GW;
6031 			ire = ire_ftable_lookup_v4(dst_addr, mask, gw_addr,
6032 			    IRE_INTERFACE, ill_match, ALL_ZONES, NULL,
6033 			    match_flags, 0, ipst, NULL);
6034 		}
6035 		/* Avoid deleting routes created by kernel from an ipif */
6036 		if (ire != NULL && (ire->ire_flags & RTF_KERNEL)) {
6037 			ire_refrele(ire);
6038 			ire = NULL;
6039 		}
6040 
6041 		/* Restore in case we didn't find a match */
6042 		match_flags &= ~(MATCH_IRE_GW|MATCH_IRE_ILL);
6043 	}
6044 
6045 	if (ire == NULL) {
6046 		/*
6047 		 * At this point, the gateway address is not one of our own
6048 		 * addresses or a matching interface route was not found.  We
6049 		 * set the IRE type to lookup based on whether
6050 		 * this is a host route, a default route or just a prefix.
6051 		 *
6052 		 * If an ill was passed in, then the lookup is based on an
6053 		 * interface index so MATCH_IRE_ILL is added to match_flags.
6054 		 */
6055 		match_flags |= MATCH_IRE_GW;
6056 		if (ill != NULL)
6057 			match_flags |= MATCH_IRE_ILL;
6058 		if (mask == IP_HOST_MASK)
6059 			type = IRE_HOST;
6060 		else if (mask == 0)
6061 			type = IRE_DEFAULT;
6062 		else
6063 			type = IRE_PREFIX;
6064 		ire = ire_ftable_lookup_v4(dst_addr, mask, gw_addr, type, ill,
6065 		    ALL_ZONES, NULL, match_flags, 0, ipst, NULL);
6066 	}
6067 
6068 	if (ipif != NULL) {
6069 		ipif_refrele(ipif);
6070 		ipif = NULL;
6071 	}
6072 
6073 	if (ire == NULL)
6074 		return (ESRCH);
6075 
6076 	if (ire->ire_flags & RTF_MULTIRT) {
6077 		/*
6078 		 * Invoke the CGTP (multirouting) filtering module
6079 		 * to remove the dst address from the filtering database.
6080 		 * Packets coming from that address will no longer be
6081 		 * filtered to remove duplicates.
6082 		 */
6083 		if (ipst->ips_ip_cgtp_filter_ops != NULL) {
6084 			err = ipst->ips_ip_cgtp_filter_ops->cfo_del_dest_v4(
6085 			    ipst->ips_netstack->netstack_stackid,
6086 			    ire->ire_addr, ire->ire_gateway_addr);
6087 		}
6088 		ip_cgtp_bcast_delete(ire, ipst);
6089 	}
6090 
6091 	ill = ire->ire_ill;
6092 	if (ill != NULL)
6093 		ill_remove_saved_ire(ill, ire);
6094 	if (ioctl_msg)
6095 		ip_rts_rtmsg(RTM_OLDDEL, ire, 0, ipst);
6096 	ire_delete(ire);
6097 	ire_refrele(ire);
6098 	return (err);
6099 }
6100 
6101 /*
6102  * ip_siocaddrt is called to complete processing of an SIOCADDRT IOCTL.
6103  */
6104 /* ARGSUSED */
6105 int
6106 ip_siocaddrt(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
6107     ip_ioctl_cmd_t *ipip, void *dummy_if_req)
6108 {
6109 	ipaddr_t dst_addr;
6110 	ipaddr_t gw_addr;
6111 	ipaddr_t mask;
6112 	int error = 0;
6113 	mblk_t *mp1;
6114 	struct rtentry *rt;
6115 	ipif_t *ipif = NULL;
6116 	ip_stack_t	*ipst;
6117 
6118 	ASSERT(q->q_next == NULL);
6119 	ipst = CONNQ_TO_IPST(q);
6120 
6121 	ip1dbg(("ip_siocaddrt:"));
6122 	/* Existence of mp1 verified in ip_wput_nondata */
6123 	mp1 = mp->b_cont->b_cont;
6124 	rt = (struct rtentry *)mp1->b_rptr;
6125 
6126 	dst_addr = ((sin_t *)&rt->rt_dst)->sin_addr.s_addr;
6127 	gw_addr = ((sin_t *)&rt->rt_gateway)->sin_addr.s_addr;
6128 
6129 	/*
6130 	 * If the RTF_HOST flag is on, this is a request to assign a gateway
6131 	 * to a particular host address.  In this case, we set the netmask to
6132 	 * all ones for the particular destination address.  Otherwise,
6133 	 * determine the netmask to be used based on dst_addr and the interfaces
6134 	 * in use.
6135 	 */
6136 	if (rt->rt_flags & RTF_HOST) {
6137 		mask = IP_HOST_MASK;
6138 	} else {
6139 		/*
6140 		 * Note that ip_subnet_mask returns a zero mask in the case of
6141 		 * default (an all-zeroes address).
6142 		 */
6143 		mask = ip_subnet_mask(dst_addr, &ipif, ipst);
6144 	}
6145 
6146 	error = ip_rt_add(dst_addr, mask, gw_addr, 0, rt->rt_flags, NULL, NULL,
6147 	    B_TRUE, NULL, ipst, ALL_ZONES);
6148 	if (ipif != NULL)
6149 		ipif_refrele(ipif);
6150 	return (error);
6151 }
6152 
6153 /*
6154  * ip_siocdelrt is called to complete processing of an SIOCDELRT IOCTL.
6155  */
6156 /* ARGSUSED */
6157 int
6158 ip_siocdelrt(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
6159     ip_ioctl_cmd_t *ipip, void *dummy_if_req)
6160 {
6161 	ipaddr_t dst_addr;
6162 	ipaddr_t gw_addr;
6163 	ipaddr_t mask;
6164 	int error;
6165 	mblk_t *mp1;
6166 	struct rtentry *rt;
6167 	ipif_t *ipif = NULL;
6168 	ip_stack_t	*ipst;
6169 
6170 	ASSERT(q->q_next == NULL);
6171 	ipst = CONNQ_TO_IPST(q);
6172 
6173 	ip1dbg(("ip_siocdelrt:"));
6174 	/* Existence of mp1 verified in ip_wput_nondata */
6175 	mp1 = mp->b_cont->b_cont;
6176 	rt = (struct rtentry *)mp1->b_rptr;
6177 
6178 	dst_addr = ((sin_t *)&rt->rt_dst)->sin_addr.s_addr;
6179 	gw_addr = ((sin_t *)&rt->rt_gateway)->sin_addr.s_addr;
6180 
6181 	/*
6182 	 * If the RTF_HOST flag is on, this is a request to delete a gateway
6183 	 * to a particular host address.  In this case, we set the netmask to
6184 	 * all ones for the particular destination address.  Otherwise,
6185 	 * determine the netmask to be used based on dst_addr and the interfaces
6186 	 * in use.
6187 	 */
6188 	if (rt->rt_flags & RTF_HOST) {
6189 		mask = IP_HOST_MASK;
6190 	} else {
6191 		/*
6192 		 * Note that ip_subnet_mask returns a zero mask in the case of
6193 		 * default (an all-zeroes address).
6194 		 */
6195 		mask = ip_subnet_mask(dst_addr, &ipif, ipst);
6196 	}
6197 
6198 	error = ip_rt_delete(dst_addr, mask, gw_addr,
6199 	    RTA_DST | RTA_GATEWAY | RTA_NETMASK, rt->rt_flags, NULL, B_TRUE,
6200 	    ipst, ALL_ZONES);
6201 	if (ipif != NULL)
6202 		ipif_refrele(ipif);
6203 	return (error);
6204 }
6205 
6206 /*
6207  * Enqueue the mp onto the ipsq, chained by b_next.
6208  * b_prev stores the function to be executed later, and b_queue the queue
6209  * where this mp originated.
6210  */
6211 void
6212 ipsq_enq(ipsq_t *ipsq, queue_t *q, mblk_t *mp, ipsq_func_t func, int type,
6213     ill_t *pending_ill)
6214 {
6215 	conn_t	*connp;
6216 	ipxop_t *ipx = ipsq->ipsq_xop;
6217 
6218 	ASSERT(MUTEX_HELD(&ipsq->ipsq_lock));
6219 	ASSERT(MUTEX_HELD(&ipx->ipx_lock));
6220 	ASSERT(func != NULL);
6221 
6222 	mp->b_queue = q;
6223 	mp->b_prev = (void *)func;
6224 	mp->b_next = NULL;
6225 
6226 	switch (type) {
6227 	case CUR_OP:
6228 		if (ipx->ipx_mptail != NULL) {
6229 			ASSERT(ipx->ipx_mphead != NULL);
6230 			ipx->ipx_mptail->b_next = mp;
6231 		} else {
6232 			ASSERT(ipx->ipx_mphead == NULL);
6233 			ipx->ipx_mphead = mp;
6234 		}
6235 		ipx->ipx_mptail = mp;
6236 		break;
6237 
6238 	case NEW_OP:
6239 		if (ipsq->ipsq_xopq_mptail != NULL) {
6240 			ASSERT(ipsq->ipsq_xopq_mphead != NULL);
6241 			ipsq->ipsq_xopq_mptail->b_next = mp;
6242 		} else {
6243 			ASSERT(ipsq->ipsq_xopq_mphead == NULL);
6244 			ipsq->ipsq_xopq_mphead = mp;
6245 		}
6246 		ipsq->ipsq_xopq_mptail = mp;
6247 		ipx->ipx_ipsq_queued = B_TRUE;
6248 		break;
6249 
6250 	case SWITCH_OP:
6251 		ASSERT(ipsq->ipsq_swxop != NULL);
6252 		/* only one switch operation is currently allowed */
6253 		ASSERT(ipsq->ipsq_switch_mp == NULL);
6254 		ipsq->ipsq_switch_mp = mp;
6255 		ipx->ipx_ipsq_queued = B_TRUE;
6256 		break;
6257 	default:
6258 		cmn_err(CE_PANIC, "ipsq_enq %d type \n", type);
6259 	}
6260 
6261 	if (CONN_Q(q) && pending_ill != NULL) {
6262 		connp = Q_TO_CONN(q);
6263 		ASSERT(MUTEX_HELD(&connp->conn_lock));
6264 		connp->conn_oper_pending_ill = pending_ill;
6265 	}
6266 }
6267 
6268 /*
6269  * Dequeue the next message that requested exclusive access to this IPSQ's
6270  * xop.  Specifically:
6271  *
6272  *  1. If we're still processing the current operation on `ipsq', then
6273  *     dequeue the next message for the operation (from ipx_mphead), or
6274  *     return NULL if there are no queued messages for the operation.
6275  *     These messages are queued via CUR_OP to qwriter_ip() and friends.
6276  *
6277  *  2. If the current operation on `ipsq' has completed (ipx_current_ipif is
6278  *     not set) see if the ipsq has requested an xop switch.  If so, switch
6279  *     `ipsq' to a different xop.  Xop switches only happen when joining or
6280  *     leaving IPMP groups and require a careful dance -- see the comments
6281  *     in-line below for details.  If we're leaving a group xop or if we're
6282  *     joining a group xop and become writer on it, then we proceed to (3).
6283  *     Otherwise, we return NULL and exit the xop.
6284  *
6285  *  3. For each IPSQ in the xop, return any switch operation stored on
6286  *     ipsq_switch_mp (set via SWITCH_OP); these must be processed before
6287  *     any other messages queued on the IPSQ.  Otherwise, dequeue the next
6288  *     exclusive operation (queued via NEW_OP) stored on ipsq_xopq_mphead.
6289  *     Note that if the phyint tied to `ipsq' is not using IPMP there will
6290  *     only be one IPSQ in the xop.  Otherwise, there will be one IPSQ for
6291  *     each phyint in the group, including the IPMP meta-interface phyint.
6292  */
6293 static mblk_t *
6294 ipsq_dq(ipsq_t *ipsq)
6295 {
6296 	ill_t	*illv4, *illv6;
6297 	mblk_t	*mp;
6298 	ipsq_t	*xopipsq;
6299 	ipsq_t	*leftipsq = NULL;
6300 	ipxop_t *ipx;
6301 	phyint_t *phyi = ipsq->ipsq_phyint;
6302 	ip_stack_t *ipst = ipsq->ipsq_ipst;
6303 	boolean_t emptied = B_FALSE;
6304 
6305 	/*
6306 	 * Grab all the locks we need in the defined order (ill_g_lock ->
6307 	 * ipsq_lock -> ipx_lock); ill_g_lock is needed to use ipsq_next.
6308 	 */
6309 	rw_enter(&ipst->ips_ill_g_lock,
6310 	    ipsq->ipsq_swxop != NULL ? RW_WRITER : RW_READER);
6311 	mutex_enter(&ipsq->ipsq_lock);
6312 	ipx = ipsq->ipsq_xop;
6313 	mutex_enter(&ipx->ipx_lock);
6314 
6315 	/*
6316 	 * Dequeue the next message associated with the current exclusive
6317 	 * operation, if any.
6318 	 */
6319 	if ((mp = ipx->ipx_mphead) != NULL) {
6320 		ipx->ipx_mphead = mp->b_next;
6321 		if (ipx->ipx_mphead == NULL)
6322 			ipx->ipx_mptail = NULL;
6323 		mp->b_next = (void *)ipsq;
6324 		goto out;
6325 	}
6326 
6327 	if (ipx->ipx_current_ipif != NULL)
6328 		goto empty;
6329 
6330 	if (ipsq->ipsq_swxop != NULL) {
6331 		/*
6332 		 * The exclusive operation that is now being completed has
6333 		 * requested a switch to a different xop.  This happens
6334 		 * when an interface joins or leaves an IPMP group.  Joins
6335 		 * happen through SIOCSLIFGROUPNAME (ip_sioctl_groupname()).
6336 		 * Leaves happen via SIOCSLIFGROUPNAME, interface unplumb
6337 		 * (phyint_free()), or interface plumb for an ill type
6338 		 * not in the IPMP group (ip_rput_dlpi_writer()).
6339 		 *
6340 		 * Xop switches are not allowed on the IPMP meta-interface.
6341 		 */
6342 		ASSERT(phyi == NULL || !(phyi->phyint_flags & PHYI_IPMP));
6343 		ASSERT(RW_WRITE_HELD(&ipst->ips_ill_g_lock));
6344 		DTRACE_PROBE1(ipsq__switch, (ipsq_t *), ipsq);
6345 
6346 		if (ipsq->ipsq_swxop == &ipsq->ipsq_ownxop) {
6347 			/*
6348 			 * We're switching back to our own xop, so we have two
6349 			 * xop's to drain/exit: our own, and the group xop
6350 			 * that we are leaving.
6351 			 *
6352 			 * First, pull ourselves out of the group ipsq list.
6353 			 * This is safe since we're writer on ill_g_lock.
6354 			 */
6355 			ASSERT(ipsq->ipsq_xop != &ipsq->ipsq_ownxop);
6356 
6357 			xopipsq = ipx->ipx_ipsq;
6358 			while (xopipsq->ipsq_next != ipsq)
6359 				xopipsq = xopipsq->ipsq_next;
6360 
6361 			xopipsq->ipsq_next = ipsq->ipsq_next;
6362 			ipsq->ipsq_next = ipsq;
6363 			ipsq->ipsq_xop = ipsq->ipsq_swxop;
6364 			ipsq->ipsq_swxop = NULL;
6365 
6366 			/*
6367 			 * Second, prepare to exit the group xop.  The actual
6368 			 * ipsq_exit() is done at the end of this function
6369 			 * since we cannot hold any locks across ipsq_exit().
6370 			 * Note that although we drop the group's ipx_lock, no
6371 			 * threads can proceed since we're still ipx_writer.
6372 			 */
6373 			leftipsq = xopipsq;
6374 			mutex_exit(&ipx->ipx_lock);
6375 
6376 			/*
6377 			 * Third, set ipx to point to our own xop (which was
6378 			 * inactive and therefore can be entered).
6379 			 */
6380 			ipx = ipsq->ipsq_xop;
6381 			mutex_enter(&ipx->ipx_lock);
6382 			ASSERT(ipx->ipx_writer == NULL);
6383 			ASSERT(ipx->ipx_current_ipif == NULL);
6384 		} else {
6385 			/*
6386 			 * We're switching from our own xop to a group xop.
6387 			 * The requestor of the switch must ensure that the
6388 			 * group xop cannot go away (e.g. by ensuring the
6389 			 * phyint associated with the xop cannot go away).
6390 			 *
6391 			 * If we can become writer on our new xop, then we'll
6392 			 * do the drain.  Otherwise, the current writer of our
6393 			 * new xop will do the drain when it exits.
6394 			 *
6395 			 * First, splice ourselves into the group IPSQ list.
6396 			 * This is safe since we're writer on ill_g_lock.
6397 			 */
6398 			ASSERT(ipsq->ipsq_xop == &ipsq->ipsq_ownxop);
6399 
6400 			xopipsq = ipsq->ipsq_swxop->ipx_ipsq;
6401 			while (xopipsq->ipsq_next != ipsq->ipsq_swxop->ipx_ipsq)
6402 				xopipsq = xopipsq->ipsq_next;
6403 
6404 			xopipsq->ipsq_next = ipsq;
6405 			ipsq->ipsq_next = ipsq->ipsq_swxop->ipx_ipsq;
6406 			ipsq->ipsq_xop = ipsq->ipsq_swxop;
6407 			ipsq->ipsq_swxop = NULL;
6408 
6409 			/*
6410 			 * Second, exit our own xop, since it's now unused.
6411 			 * This is safe since we've got the only reference.
6412 			 */
6413 			ASSERT(ipx->ipx_writer == curthread);
6414 			ipx->ipx_writer = NULL;
6415 			VERIFY(--ipx->ipx_reentry_cnt == 0);
6416 			ipx->ipx_ipsq_queued = B_FALSE;
6417 			mutex_exit(&ipx->ipx_lock);
6418 
6419 			/*
6420 			 * Third, set ipx to point to our new xop, and check
6421 			 * if we can become writer on it.  If we cannot, then
6422 			 * the current writer will drain the IPSQ group when
6423 			 * it exits.  Our ipsq_xop is guaranteed to be stable
6424 			 * because we're still holding ipsq_lock.
6425 			 */
6426 			ipx = ipsq->ipsq_xop;
6427 			mutex_enter(&ipx->ipx_lock);
6428 			if (ipx->ipx_writer != NULL ||
6429 			    ipx->ipx_current_ipif != NULL) {
6430 				goto out;
6431 			}
6432 		}
6433 
6434 		/*
6435 		 * Fourth, become writer on our new ipx before we continue
6436 		 * with the drain.  Note that we never dropped ipsq_lock
6437 		 * above, so no other thread could've raced with us to
6438 		 * become writer first.  Also, we're holding ipx_lock, so
6439 		 * no other thread can examine the ipx right now.
6440 		 */
6441 		ASSERT(ipx->ipx_current_ipif == NULL);
6442 		ASSERT(ipx->ipx_mphead == NULL && ipx->ipx_mptail == NULL);
6443 		VERIFY(ipx->ipx_reentry_cnt++ == 0);
6444 		ipx->ipx_writer = curthread;
6445 		ipx->ipx_forced = B_FALSE;
6446 #ifdef DEBUG
6447 		ipx->ipx_depth = getpcstack(ipx->ipx_stack, IPX_STACK_DEPTH);
6448 #endif
6449 	}
6450 
6451 	xopipsq = ipsq;
6452 	do {
6453 		/*
6454 		 * So that other operations operate on a consistent and
6455 		 * complete phyint, a switch message on an IPSQ must be
6456 		 * handled prior to any other operations on that IPSQ.
6457 		 */
6458 		if ((mp = xopipsq->ipsq_switch_mp) != NULL) {
6459 			xopipsq->ipsq_switch_mp = NULL;
6460 			ASSERT(mp->b_next == NULL);
6461 			mp->b_next = (void *)xopipsq;
6462 			goto out;
6463 		}
6464 
6465 		if ((mp = xopipsq->ipsq_xopq_mphead) != NULL) {
6466 			xopipsq->ipsq_xopq_mphead = mp->b_next;
6467 			if (xopipsq->ipsq_xopq_mphead == NULL)
6468 				xopipsq->ipsq_xopq_mptail = NULL;
6469 			mp->b_next = (void *)xopipsq;
6470 			goto out;
6471 		}
6472 	} while ((xopipsq = xopipsq->ipsq_next) != ipsq);
6473 empty:
6474 	/*
6475 	 * There are no messages.  Further, we are holding ipx_lock, hence no
6476 	 * new messages can end up on any IPSQ in the xop.
6477 	 */
6478 	ipx->ipx_writer = NULL;
6479 	ipx->ipx_forced = B_FALSE;
6480 	VERIFY(--ipx->ipx_reentry_cnt == 0);
6481 	ipx->ipx_ipsq_queued = B_FALSE;
6482 	emptied = B_TRUE;
6483 #ifdef	DEBUG
6484 	ipx->ipx_depth = 0;
6485 #endif
6486 out:
6487 	mutex_exit(&ipx->ipx_lock);
6488 	mutex_exit(&ipsq->ipsq_lock);
6489 
6490 	/*
6491 	 * If we completely emptied the xop, then wake up any threads waiting
6492 	 * to enter any of the IPSQ's associated with it.
6493 	 */
6494 	if (emptied) {
6495 		xopipsq = ipsq;
6496 		do {
6497 			if ((phyi = xopipsq->ipsq_phyint) == NULL)
6498 				continue;
6499 
6500 			illv4 = phyi->phyint_illv4;
6501 			illv6 = phyi->phyint_illv6;
6502 
6503 			GRAB_ILL_LOCKS(illv4, illv6);
6504 			if (illv4 != NULL)
6505 				cv_broadcast(&illv4->ill_cv);
6506 			if (illv6 != NULL)
6507 				cv_broadcast(&illv6->ill_cv);
6508 			RELEASE_ILL_LOCKS(illv4, illv6);
6509 		} while ((xopipsq = xopipsq->ipsq_next) != ipsq);
6510 	}
6511 	rw_exit(&ipst->ips_ill_g_lock);
6512 
6513 	/*
6514 	 * Now that all locks are dropped, exit the IPSQ we left.
6515 	 */
6516 	if (leftipsq != NULL)
6517 		ipsq_exit(leftipsq);
6518 
6519 	return (mp);
6520 }
6521 
6522 /*
6523  * Return completion status of previously initiated DLPI operations on
6524  * ills in the purview of an ipsq.
6525  */
6526 static boolean_t
6527 ipsq_dlpi_done(ipsq_t *ipsq)
6528 {
6529 	ipsq_t		*ipsq_start;
6530 	phyint_t	*phyi;
6531 	ill_t		*ill;
6532 
6533 	ASSERT(RW_LOCK_HELD(&ipsq->ipsq_ipst->ips_ill_g_lock));
6534 	ipsq_start = ipsq;
6535 
6536 	do {
6537 		/*
6538 		 * The only current users of this function are ipsq_try_enter
6539 		 * and ipsq_enter which have made sure that ipsq_writer is
6540 		 * NULL before we reach here. ill_dlpi_pending is modified
6541 		 * only by an ipsq writer
6542 		 */
6543 		ASSERT(ipsq->ipsq_xop->ipx_writer == NULL);
6544 		phyi = ipsq->ipsq_phyint;
6545 		/*
6546 		 * phyi could be NULL if a phyint that is part of an
6547 		 * IPMP group is being unplumbed. A more detailed
6548 		 * comment is in ipmp_grp_update_kstats()
6549 		 */
6550 		if (phyi != NULL) {
6551 			ill = phyi->phyint_illv4;
6552 			if (ill != NULL &&
6553 			    (ill->ill_dlpi_pending != DL_PRIM_INVAL ||
6554 			    ill->ill_arl_dlpi_pending))
6555 				return (B_FALSE);
6556 
6557 			ill = phyi->phyint_illv6;
6558 			if (ill != NULL &&
6559 			    ill->ill_dlpi_pending != DL_PRIM_INVAL)
6560 				return (B_FALSE);
6561 		}
6562 
6563 	} while ((ipsq = ipsq->ipsq_next) != ipsq_start);
6564 
6565 	return (B_TRUE);
6566 }
6567 
6568 /*
6569  * Enter the ipsq corresponding to ill, by waiting synchronously till
6570  * we can enter the ipsq exclusively. Unless 'force' is used, the ipsq
6571  * will have to drain completely before ipsq_enter returns success.
6572  * ipx_current_ipif will be set if some exclusive op is in progress,
6573  * and the ipsq_exit logic will start the next enqueued op after
6574  * completion of the current op. If 'force' is used, we don't wait
6575  * for the enqueued ops. This is needed when a conn_close wants to
6576  * enter the ipsq and abort an ioctl that is somehow stuck. Unplumb
6577  * of an ill can also use this option. But we dont' use it currently.
6578  */
6579 #define	ENTER_SQ_WAIT_TICKS 100
6580 boolean_t
6581 ipsq_enter(ill_t *ill, boolean_t force, int type)
6582 {
6583 	ipsq_t	*ipsq;
6584 	ipxop_t *ipx;
6585 	boolean_t waited_enough = B_FALSE;
6586 	ip_stack_t *ipst = ill->ill_ipst;
6587 
6588 	/*
6589 	 * Note that the relationship between ill and ipsq is fixed as long as
6590 	 * the ill is not ILL_CONDEMNED.  Holding ipsq_lock ensures the
6591 	 * relationship between the IPSQ and xop cannot change.  However,
6592 	 * since we cannot hold ipsq_lock across the cv_wait(), it may change
6593 	 * while we're waiting.  We wait on ill_cv and rely on ipsq_exit()
6594 	 * waking up all ills in the xop when it becomes available.
6595 	 */
6596 	for (;;) {
6597 		rw_enter(&ipst->ips_ill_g_lock, RW_READER);
6598 		mutex_enter(&ill->ill_lock);
6599 		if (ill->ill_state_flags & ILL_CONDEMNED) {
6600 			mutex_exit(&ill->ill_lock);
6601 			rw_exit(&ipst->ips_ill_g_lock);
6602 			return (B_FALSE);
6603 		}
6604 
6605 		ipsq = ill->ill_phyint->phyint_ipsq;
6606 		mutex_enter(&ipsq->ipsq_lock);
6607 		ipx = ipsq->ipsq_xop;
6608 		mutex_enter(&ipx->ipx_lock);
6609 
6610 		if (ipx->ipx_writer == NULL && (type == CUR_OP ||
6611 		    (ipx->ipx_current_ipif == NULL && ipsq_dlpi_done(ipsq)) ||
6612 		    waited_enough))
6613 			break;
6614 
6615 		rw_exit(&ipst->ips_ill_g_lock);
6616 
6617 		if (!force || ipx->ipx_writer != NULL) {
6618 			mutex_exit(&ipx->ipx_lock);
6619 			mutex_exit(&ipsq->ipsq_lock);
6620 			cv_wait(&ill->ill_cv, &ill->ill_lock);
6621 		} else {
6622 			mutex_exit(&ipx->ipx_lock);
6623 			mutex_exit(&ipsq->ipsq_lock);
6624 			(void) cv_reltimedwait(&ill->ill_cv,
6625 			    &ill->ill_lock, ENTER_SQ_WAIT_TICKS, TR_CLOCK_TICK);
6626 			waited_enough = B_TRUE;
6627 		}
6628 		mutex_exit(&ill->ill_lock);
6629 	}
6630 
6631 	ASSERT(ipx->ipx_mphead == NULL && ipx->ipx_mptail == NULL);
6632 	ASSERT(ipx->ipx_reentry_cnt == 0);
6633 	ipx->ipx_writer = curthread;
6634 	ipx->ipx_forced = (ipx->ipx_current_ipif != NULL);
6635 	ipx->ipx_reentry_cnt++;
6636 #ifdef DEBUG
6637 	ipx->ipx_depth = getpcstack(ipx->ipx_stack, IPX_STACK_DEPTH);
6638 #endif
6639 	mutex_exit(&ipx->ipx_lock);
6640 	mutex_exit(&ipsq->ipsq_lock);
6641 	mutex_exit(&ill->ill_lock);
6642 	rw_exit(&ipst->ips_ill_g_lock);
6643 
6644 	return (B_TRUE);
6645 }
6646 
6647 /*
6648  * ipif_set_values() has a constraint that it cannot drop the ips_ill_g_lock
6649  * across the call to the core interface ipsq_try_enter() and hence calls this
6650  * function directly. This is explained more fully in ipif_set_values().
6651  * In order to support the above constraint, ipsq_try_enter is implemented as
6652  * a wrapper that grabs the ips_ill_g_lock and calls this function subsequently
6653  */
6654 static ipsq_t *
6655 ipsq_try_enter_internal(ill_t *ill, queue_t *q, mblk_t *mp, ipsq_func_t func,
6656     int type, boolean_t reentry_ok)
6657 {
6658 	ipsq_t	*ipsq;
6659 	ipxop_t	*ipx;
6660 	ip_stack_t *ipst = ill->ill_ipst;
6661 
6662 	/*
6663 	 * lock ordering:
6664 	 * ill_g_lock -> conn_lock -> ill_lock -> ipsq_lock -> ipx_lock.
6665 	 *
6666 	 * ipx of an ipsq can't change when ipsq_lock is held.
6667 	 */
6668 	ASSERT(RW_LOCK_HELD(&ipst->ips_ill_g_lock));
6669 	GRAB_CONN_LOCK(q);
6670 	mutex_enter(&ill->ill_lock);
6671 	ipsq = ill->ill_phyint->phyint_ipsq;
6672 	mutex_enter(&ipsq->ipsq_lock);
6673 	ipx = ipsq->ipsq_xop;
6674 	mutex_enter(&ipx->ipx_lock);
6675 
6676 	/*
6677 	 * 1. Enter the ipsq if we are already writer and reentry is ok.
6678 	 *    (Note: If the caller does not specify reentry_ok then neither
6679 	 *    'func' nor any of its callees must ever attempt to enter the ipsq
6680 	 *    again. Otherwise it can lead to an infinite loop
6681 	 * 2. Enter the ipsq if there is no current writer and this attempted
6682 	 *    entry is part of the current operation
6683 	 * 3. Enter the ipsq if there is no current writer and this is a new
6684 	 *    operation and the operation queue is empty and there is no
6685 	 *    operation currently in progress and if all previously initiated
6686 	 *    DLPI operations have completed.
6687 	 */
6688 	if ((ipx->ipx_writer == curthread && reentry_ok) ||
6689 	    (ipx->ipx_writer == NULL && (type == CUR_OP || (type == NEW_OP &&
6690 	    !ipx->ipx_ipsq_queued && ipx->ipx_current_ipif == NULL &&
6691 	    ipsq_dlpi_done(ipsq))))) {
6692 		/* Success. */
6693 		ipx->ipx_reentry_cnt++;
6694 		ipx->ipx_writer = curthread;
6695 		ipx->ipx_forced = B_FALSE;
6696 		mutex_exit(&ipx->ipx_lock);
6697 		mutex_exit(&ipsq->ipsq_lock);
6698 		mutex_exit(&ill->ill_lock);
6699 		RELEASE_CONN_LOCK(q);
6700 #ifdef DEBUG
6701 		ipx->ipx_depth = getpcstack(ipx->ipx_stack, IPX_STACK_DEPTH);
6702 #endif
6703 		return (ipsq);
6704 	}
6705 
6706 	if (func != NULL)
6707 		ipsq_enq(ipsq, q, mp, func, type, ill);
6708 
6709 	mutex_exit(&ipx->ipx_lock);
6710 	mutex_exit(&ipsq->ipsq_lock);
6711 	mutex_exit(&ill->ill_lock);
6712 	RELEASE_CONN_LOCK(q);
6713 	return (NULL);
6714 }
6715 
6716 /*
6717  * The ipsq_t (ipsq) is the synchronization data structure used to serialize
6718  * certain critical operations like plumbing (i.e. most set ioctls), etc.
6719  * There is one ipsq per phyint. The ipsq
6720  * serializes exclusive ioctls issued by applications on a per ipsq basis in
6721  * ipsq_xopq_mphead. It also protects against multiple threads executing in
6722  * the ipsq. Responses from the driver pertain to the current ioctl (say a
6723  * DL_BIND_ACK in response to a DL_BIND_REQ initiated as part of bringing
6724  * up the interface) and are enqueued in ipx_mphead.
6725  *
6726  * If a thread does not want to reenter the ipsq when it is already writer,
6727  * it must make sure that the specified reentry point to be called later
6728  * when the ipsq is empty, nor any code path starting from the specified reentry
6729  * point must never ever try to enter the ipsq again. Otherwise it can lead
6730  * to an infinite loop. The reentry point ip_rput_dlpi_writer is an example.
6731  * When the thread that is currently exclusive finishes, it (ipsq_exit)
6732  * dequeues the requests waiting to become exclusive in ipx_mphead and calls
6733  * the reentry point. When the list at ipx_mphead becomes empty ipsq_exit
6734  * proceeds to dequeue the next ioctl in ipsq_xopq_mphead and start the next
6735  * ioctl if the current ioctl has completed. If the current ioctl is still
6736  * in progress it simply returns. The current ioctl could be waiting for
6737  * a response from another module (the driver or could be waiting for
6738  * the ipif/ill/ire refcnts to drop to zero. In such a case the ipx_pending_mp
6739  * and ipx_pending_ipif are set. ipx_current_ipif is set throughout the
6740  * execution of the ioctl and ipsq_exit does not start the next ioctl unless
6741  * ipx_current_ipif is NULL which happens only once the ioctl is complete and
6742  * all associated DLPI operations have completed.
6743  */
6744 
6745 /*
6746  * Try to enter the IPSQ corresponding to `ipif' or `ill' exclusively (`ipif'
6747  * and `ill' cannot both be specified).  Returns a pointer to the entered IPSQ
6748  * on success, or NULL on failure.  The caller ensures ipif/ill is valid by
6749  * refholding it as necessary.  If the IPSQ cannot be entered and `func' is
6750  * non-NULL, then `func' will be called back with `q' and `mp' once the IPSQ
6751  * can be entered.  If `func' is NULL, then `q' and `mp' are ignored.
6752  */
6753 ipsq_t *
6754 ipsq_try_enter(ipif_t *ipif, ill_t *ill, queue_t *q, mblk_t *mp,
6755     ipsq_func_t func, int type, boolean_t reentry_ok)
6756 {
6757 	ip_stack_t	*ipst;
6758 	ipsq_t		*ipsq;
6759 
6760 	/* Only 1 of ipif or ill can be specified */
6761 	ASSERT((ipif != NULL) ^ (ill != NULL));
6762 
6763 	if (ipif != NULL)
6764 		ill = ipif->ipif_ill;
6765 	ipst = ill->ill_ipst;
6766 
6767 	rw_enter(&ipst->ips_ill_g_lock, RW_READER);
6768 	ipsq = ipsq_try_enter_internal(ill, q, mp, func, type, reentry_ok);
6769 	rw_exit(&ipst->ips_ill_g_lock);
6770 
6771 	return (ipsq);
6772 }
6773 
6774 /*
6775  * Try to enter the IPSQ corresponding to `ill' as writer.  The caller ensures
6776  * ill is valid by refholding it if necessary; we will refrele.  If the IPSQ
6777  * cannot be entered, the mp is queued for completion.
6778  */
6779 void
6780 qwriter_ip(ill_t *ill, queue_t *q, mblk_t *mp, ipsq_func_t func, int type,
6781     boolean_t reentry_ok)
6782 {
6783 	ipsq_t	*ipsq;
6784 
6785 	ipsq = ipsq_try_enter(NULL, ill, q, mp, func, type, reentry_ok);
6786 
6787 	/*
6788 	 * Drop the caller's refhold on the ill.  This is safe since we either
6789 	 * entered the IPSQ (and thus are exclusive), or failed to enter the
6790 	 * IPSQ, in which case we return without accessing ill anymore.  This
6791 	 * is needed because func needs to see the correct refcount.
6792 	 * e.g. removeif can work only then.
6793 	 */
6794 	ill_refrele(ill);
6795 	if (ipsq != NULL) {
6796 		(*func)(ipsq, q, mp, NULL);
6797 		ipsq_exit(ipsq);
6798 	}
6799 }
6800 
6801 /*
6802  * Exit the specified IPSQ.  If this is the final exit on it then drain it
6803  * prior to exiting.  Caller must be writer on the specified IPSQ.
6804  */
6805 void
6806 ipsq_exit(ipsq_t *ipsq)
6807 {
6808 	mblk_t *mp;
6809 	ipsq_t *mp_ipsq;
6810 	queue_t	*q;
6811 	phyint_t *phyi;
6812 	ipsq_func_t func;
6813 
6814 	ASSERT(IAM_WRITER_IPSQ(ipsq));
6815 
6816 	ASSERT(ipsq->ipsq_xop->ipx_reentry_cnt >= 1);
6817 	if (ipsq->ipsq_xop->ipx_reentry_cnt != 1) {
6818 		ipsq->ipsq_xop->ipx_reentry_cnt--;
6819 		return;
6820 	}
6821 
6822 	for (;;) {
6823 		phyi = ipsq->ipsq_phyint;
6824 		mp = ipsq_dq(ipsq);
6825 		mp_ipsq = (mp == NULL) ? NULL : (ipsq_t *)mp->b_next;
6826 
6827 		/*
6828 		 * If we've changed to a new IPSQ, and the phyint associated
6829 		 * with the old one has gone away, free the old IPSQ.  Note
6830 		 * that this cannot happen while the IPSQ is in a group.
6831 		 */
6832 		if (mp_ipsq != ipsq && phyi == NULL) {
6833 			ASSERT(ipsq->ipsq_next == ipsq);
6834 			ASSERT(ipsq->ipsq_xop == &ipsq->ipsq_ownxop);
6835 			ipsq_delete(ipsq);
6836 		}
6837 
6838 		if (mp == NULL)
6839 			break;
6840 
6841 		q = mp->b_queue;
6842 		func = (ipsq_func_t)mp->b_prev;
6843 		ipsq = mp_ipsq;
6844 		mp->b_next = mp->b_prev = NULL;
6845 		mp->b_queue = NULL;
6846 
6847 		/*
6848 		 * If 'q' is an conn queue, it is valid, since we did a
6849 		 * a refhold on the conn at the start of the ioctl.
6850 		 * If 'q' is an ill queue, it is valid, since close of an
6851 		 * ill will clean up its IPSQ.
6852 		 */
6853 		(*func)(ipsq, q, mp, NULL);
6854 	}
6855 }
6856 
6857 /*
6858  * Used to start any igmp or mld timers that could not be started
6859  * while holding ill_mcast_lock. The timers can't be started while holding
6860  * the lock, since mld/igmp_start_timers may need to call untimeout()
6861  * which can't be done while holding the lock which the timeout handler
6862  * acquires. Otherwise
6863  * there could be a deadlock since the timeout handlers
6864  * mld_timeout_handler_per_ill/igmp_timeout_handler_per_ill also acquire
6865  * ill_mcast_lock.
6866  */
6867 void
6868 ill_mcast_timer_start(ip_stack_t *ipst)
6869 {
6870 	int		next;
6871 
6872 	mutex_enter(&ipst->ips_igmp_timer_lock);
6873 	next = ipst->ips_igmp_deferred_next;
6874 	ipst->ips_igmp_deferred_next = INFINITY;
6875 	mutex_exit(&ipst->ips_igmp_timer_lock);
6876 
6877 	if (next != INFINITY)
6878 		igmp_start_timers(next, ipst);
6879 
6880 	mutex_enter(&ipst->ips_mld_timer_lock);
6881 	next = ipst->ips_mld_deferred_next;
6882 	ipst->ips_mld_deferred_next = INFINITY;
6883 	mutex_exit(&ipst->ips_mld_timer_lock);
6884 
6885 	if (next != INFINITY)
6886 		mld_start_timers(next, ipst);
6887 }
6888 
6889 /*
6890  * Start the current exclusive operation on `ipsq'; associate it with `ipif'
6891  * and `ioccmd'.
6892  */
6893 void
6894 ipsq_current_start(ipsq_t *ipsq, ipif_t *ipif, int ioccmd)
6895 {
6896 	ill_t *ill = ipif->ipif_ill;
6897 	ipxop_t *ipx = ipsq->ipsq_xop;
6898 
6899 	ASSERT(IAM_WRITER_IPSQ(ipsq));
6900 	ASSERT(ipx->ipx_current_ipif == NULL);
6901 	ASSERT(ipx->ipx_current_ioctl == 0);
6902 
6903 	ipx->ipx_current_done = B_FALSE;
6904 	ipx->ipx_current_ioctl = ioccmd;
6905 	mutex_enter(&ipx->ipx_lock);
6906 	ipx->ipx_current_ipif = ipif;
6907 	mutex_exit(&ipx->ipx_lock);
6908 
6909 	/*
6910 	 * Set IPIF_CHANGING on one or more ipifs associated with the
6911 	 * current exclusive operation.  IPIF_CHANGING prevents any new
6912 	 * references to the ipif (so that the references will eventually
6913 	 * drop to zero) and also prevents any "get" operations (e.g.,
6914 	 * SIOCGLIFFLAGS) from being able to access the ipif until the
6915 	 * operation has completed and the ipif is again in a stable state.
6916 	 *
6917 	 * For ioctls, IPIF_CHANGING is set on the ipif associated with the
6918 	 * ioctl.  For internal operations (where ioccmd is zero), all ipifs
6919 	 * on the ill are marked with IPIF_CHANGING since it's unclear which
6920 	 * ipifs will be affected.
6921 	 *
6922 	 * Note that SIOCLIFREMOVEIF is a special case as it sets
6923 	 * IPIF_CONDEMNED internally after identifying the right ipif to
6924 	 * operate on.
6925 	 */
6926 	switch (ioccmd) {
6927 	case SIOCLIFREMOVEIF:
6928 		break;
6929 	case 0:
6930 		mutex_enter(&ill->ill_lock);
6931 		ipif = ipif->ipif_ill->ill_ipif;
6932 		for (; ipif != NULL; ipif = ipif->ipif_next)
6933 			ipif->ipif_state_flags |= IPIF_CHANGING;
6934 		mutex_exit(&ill->ill_lock);
6935 		break;
6936 	default:
6937 		mutex_enter(&ill->ill_lock);
6938 		ipif->ipif_state_flags |= IPIF_CHANGING;
6939 		mutex_exit(&ill->ill_lock);
6940 	}
6941 }
6942 
6943 /*
6944  * Finish the current exclusive operation on `ipsq'.  Usually, this will allow
6945  * the next exclusive operation to begin once we ipsq_exit().  However, if
6946  * pending DLPI operations remain, then we will wait for the queue to drain
6947  * before allowing the next exclusive operation to begin.  This ensures that
6948  * DLPI operations from one exclusive operation are never improperly processed
6949  * as part of a subsequent exclusive operation.
6950  */
6951 void
6952 ipsq_current_finish(ipsq_t *ipsq)
6953 {
6954 	ipxop_t	*ipx = ipsq->ipsq_xop;
6955 	t_uscalar_t dlpi_pending = DL_PRIM_INVAL;
6956 	ipif_t	*ipif = ipx->ipx_current_ipif;
6957 
6958 	ASSERT(IAM_WRITER_IPSQ(ipsq));
6959 
6960 	/*
6961 	 * For SIOCLIFREMOVEIF, the ipif has been already been blown away
6962 	 * (but in that case, IPIF_CHANGING will already be clear and no
6963 	 * pending DLPI messages can remain).
6964 	 */
6965 	if (ipx->ipx_current_ioctl != SIOCLIFREMOVEIF) {
6966 		ill_t *ill = ipif->ipif_ill;
6967 
6968 		mutex_enter(&ill->ill_lock);
6969 		dlpi_pending = ill->ill_dlpi_pending;
6970 		if (ipx->ipx_current_ioctl == 0) {
6971 			ipif = ill->ill_ipif;
6972 			for (; ipif != NULL; ipif = ipif->ipif_next)
6973 				ipif->ipif_state_flags &= ~IPIF_CHANGING;
6974 		} else {
6975 			ipif->ipif_state_flags &= ~IPIF_CHANGING;
6976 		}
6977 		mutex_exit(&ill->ill_lock);
6978 	}
6979 
6980 	ASSERT(!ipx->ipx_current_done);
6981 	ipx->ipx_current_done = B_TRUE;
6982 	ipx->ipx_current_ioctl = 0;
6983 	if (dlpi_pending == DL_PRIM_INVAL) {
6984 		mutex_enter(&ipx->ipx_lock);
6985 		ipx->ipx_current_ipif = NULL;
6986 		mutex_exit(&ipx->ipx_lock);
6987 	}
6988 }
6989 
6990 /*
6991  * The ill is closing. Flush all messages on the ipsq that originated
6992  * from this ill. Usually there wont' be any messages on the ipsq_xopq_mphead
6993  * for this ill since ipsq_enter could not have entered until then.
6994  * New messages can't be queued since the CONDEMNED flag is set.
6995  */
6996 static void
6997 ipsq_flush(ill_t *ill)
6998 {
6999 	queue_t	*q;
7000 	mblk_t	*prev;
7001 	mblk_t	*mp;
7002 	mblk_t	*mp_next;
7003 	ipxop_t	*ipx = ill->ill_phyint->phyint_ipsq->ipsq_xop;
7004 
7005 	ASSERT(IAM_WRITER_ILL(ill));
7006 
7007 	/*
7008 	 * Flush any messages sent up by the driver.
7009 	 */
7010 	mutex_enter(&ipx->ipx_lock);
7011 	for (prev = NULL, mp = ipx->ipx_mphead; mp != NULL; mp = mp_next) {
7012 		mp_next = mp->b_next;
7013 		q = mp->b_queue;
7014 		if (q == ill->ill_rq || q == ill->ill_wq) {
7015 			/* dequeue mp */
7016 			if (prev == NULL)
7017 				ipx->ipx_mphead = mp->b_next;
7018 			else
7019 				prev->b_next = mp->b_next;
7020 			if (ipx->ipx_mptail == mp) {
7021 				ASSERT(mp_next == NULL);
7022 				ipx->ipx_mptail = prev;
7023 			}
7024 			inet_freemsg(mp);
7025 		} else {
7026 			prev = mp;
7027 		}
7028 	}
7029 	mutex_exit(&ipx->ipx_lock);
7030 	(void) ipsq_pending_mp_cleanup(ill, NULL);
7031 	ipsq_xopq_mp_cleanup(ill, NULL);
7032 }
7033 
7034 /*
7035  * Parse an ifreq or lifreq struct coming down ioctls and refhold
7036  * and return the associated ipif.
7037  * Return value:
7038  *	Non zero: An error has occurred. ci may not be filled out.
7039  *	zero : ci is filled out with the ioctl cmd in ci.ci_name, and
7040  *	a held ipif in ci.ci_ipif.
7041  */
7042 int
7043 ip_extract_lifreq(queue_t *q, mblk_t *mp, const ip_ioctl_cmd_t *ipip,
7044     cmd_info_t *ci)
7045 {
7046 	char		*name;
7047 	struct ifreq    *ifr;
7048 	struct lifreq    *lifr;
7049 	ipif_t		*ipif = NULL;
7050 	ill_t		*ill;
7051 	conn_t		*connp;
7052 	boolean_t	isv6;
7053 	int		err;
7054 	mblk_t		*mp1;
7055 	zoneid_t	zoneid;
7056 	ip_stack_t	*ipst;
7057 
7058 	if (q->q_next != NULL) {
7059 		ill = (ill_t *)q->q_ptr;
7060 		isv6 = ill->ill_isv6;
7061 		connp = NULL;
7062 		zoneid = ALL_ZONES;
7063 		ipst = ill->ill_ipst;
7064 	} else {
7065 		ill = NULL;
7066 		connp = Q_TO_CONN(q);
7067 		isv6 = (connp->conn_family == AF_INET6);
7068 		zoneid = connp->conn_zoneid;
7069 		if (zoneid == GLOBAL_ZONEID) {
7070 			/* global zone can access ipifs in all zones */
7071 			zoneid = ALL_ZONES;
7072 		}
7073 		ipst = connp->conn_netstack->netstack_ip;
7074 	}
7075 
7076 	/* Has been checked in ip_wput_nondata */
7077 	mp1 = mp->b_cont->b_cont;
7078 
7079 	if (ipip->ipi_cmd_type == IF_CMD) {
7080 		/* This a old style SIOC[GS]IF* command */
7081 		ifr = (struct ifreq *)mp1->b_rptr;
7082 		/*
7083 		 * Null terminate the string to protect against buffer
7084 		 * overrun. String was generated by user code and may not
7085 		 * be trusted.
7086 		 */
7087 		ifr->ifr_name[IFNAMSIZ - 1] = '\0';
7088 		name = ifr->ifr_name;
7089 		ci->ci_sin = (sin_t *)&ifr->ifr_addr;
7090 		ci->ci_sin6 = NULL;
7091 		ci->ci_lifr = (struct lifreq *)ifr;
7092 	} else {
7093 		/* This a new style SIOC[GS]LIF* command */
7094 		ASSERT(ipip->ipi_cmd_type == LIF_CMD);
7095 		lifr = (struct lifreq *)mp1->b_rptr;
7096 		/*
7097 		 * Null terminate the string to protect against buffer
7098 		 * overrun. String was generated by user code and may not
7099 		 * be trusted.
7100 		 */
7101 		lifr->lifr_name[LIFNAMSIZ - 1] = '\0';
7102 		name = lifr->lifr_name;
7103 		ci->ci_sin = (sin_t *)&lifr->lifr_addr;
7104 		ci->ci_sin6 = (sin6_t *)&lifr->lifr_addr;
7105 		ci->ci_lifr = lifr;
7106 	}
7107 
7108 	if (ipip->ipi_cmd == SIOCSLIFNAME) {
7109 		/*
7110 		 * The ioctl will be failed if the ioctl comes down
7111 		 * an conn stream
7112 		 */
7113 		if (ill == NULL) {
7114 			/*
7115 			 * Not an ill queue, return EINVAL same as the
7116 			 * old error code.
7117 			 */
7118 			return (ENXIO);
7119 		}
7120 		ipif = ill->ill_ipif;
7121 		ipif_refhold(ipif);
7122 	} else {
7123 		/*
7124 		 * Ensure that ioctls don't see any internal state changes
7125 		 * caused by set ioctls by deferring them if IPIF_CHANGING is
7126 		 * set.
7127 		 */
7128 		ipif = ipif_lookup_on_name_async(name, mi_strlen(name),
7129 		    isv6, zoneid, q, mp, ip_process_ioctl, &err, ipst);
7130 		if (ipif == NULL) {
7131 			if (err == EINPROGRESS)
7132 				return (err);
7133 			err = 0;	/* Ensure we don't use it below */
7134 		}
7135 	}
7136 
7137 	/*
7138 	 * Old style [GS]IFCMD does not admit IPv6 ipif
7139 	 */
7140 	if (ipif != NULL && ipif->ipif_isv6 && ipip->ipi_cmd_type == IF_CMD) {
7141 		ipif_refrele(ipif);
7142 		return (ENXIO);
7143 	}
7144 
7145 	if (ipif == NULL && ill != NULL && ill->ill_ipif != NULL &&
7146 	    name[0] == '\0') {
7147 		/*
7148 		 * Handle a or a SIOC?IF* with a null name
7149 		 * during plumb (on the ill queue before the I_PLINK).
7150 		 */
7151 		ipif = ill->ill_ipif;
7152 		ipif_refhold(ipif);
7153 	}
7154 
7155 	if (ipif == NULL)
7156 		return (ENXIO);
7157 
7158 	DTRACE_PROBE4(ipif__ioctl, char *, "ip_extract_lifreq",
7159 	    int, ipip->ipi_cmd, ill_t *, ipif->ipif_ill, ipif_t *, ipif);
7160 
7161 	ci->ci_ipif = ipif;
7162 	return (0);
7163 }
7164 
7165 /*
7166  * Return the total number of ipifs.
7167  */
7168 static uint_t
7169 ip_get_numifs(zoneid_t zoneid, ip_stack_t *ipst)
7170 {
7171 	uint_t numifs = 0;
7172 	ill_t	*ill;
7173 	ill_walk_context_t	ctx;
7174 	ipif_t	*ipif;
7175 
7176 	rw_enter(&ipst->ips_ill_g_lock, RW_READER);
7177 	ill = ILL_START_WALK_V4(&ctx, ipst);
7178 	for (; ill != NULL; ill = ill_next(&ctx, ill)) {
7179 		if (IS_UNDER_IPMP(ill))
7180 			continue;
7181 		for (ipif = ill->ill_ipif; ipif != NULL;
7182 		    ipif = ipif->ipif_next) {
7183 			if (ipif->ipif_zoneid == zoneid ||
7184 			    ipif->ipif_zoneid == ALL_ZONES)
7185 				numifs++;
7186 		}
7187 	}
7188 	rw_exit(&ipst->ips_ill_g_lock);
7189 	return (numifs);
7190 }
7191 
7192 /*
7193  * Return the total number of ipifs.
7194  */
7195 static uint_t
7196 ip_get_numlifs(int family, int lifn_flags, zoneid_t zoneid, ip_stack_t *ipst)
7197 {
7198 	uint_t numifs = 0;
7199 	ill_t	*ill;
7200 	ipif_t	*ipif;
7201 	ill_walk_context_t	ctx;
7202 
7203 	ip1dbg(("ip_get_numlifs(%d %u %d)\n", family, lifn_flags, (int)zoneid));
7204 
7205 	rw_enter(&ipst->ips_ill_g_lock, RW_READER);
7206 	if (family == AF_INET)
7207 		ill = ILL_START_WALK_V4(&ctx, ipst);
7208 	else if (family == AF_INET6)
7209 		ill = ILL_START_WALK_V6(&ctx, ipst);
7210 	else
7211 		ill = ILL_START_WALK_ALL(&ctx, ipst);
7212 
7213 	for (; ill != NULL; ill = ill_next(&ctx, ill)) {
7214 		if (IS_UNDER_IPMP(ill) && !(lifn_flags & LIFC_UNDER_IPMP))
7215 			continue;
7216 
7217 		for (ipif = ill->ill_ipif; ipif != NULL;
7218 		    ipif = ipif->ipif_next) {
7219 			if ((ipif->ipif_flags & IPIF_NOXMIT) &&
7220 			    !(lifn_flags & LIFC_NOXMIT))
7221 				continue;
7222 			if ((ipif->ipif_flags & IPIF_TEMPORARY) &&
7223 			    !(lifn_flags & LIFC_TEMPORARY))
7224 				continue;
7225 			if (((ipif->ipif_flags &
7226 			    (IPIF_NOXMIT|IPIF_NOLOCAL|
7227 			    IPIF_DEPRECATED)) ||
7228 			    IS_LOOPBACK(ill) ||
7229 			    !(ipif->ipif_flags & IPIF_UP)) &&
7230 			    (lifn_flags & LIFC_EXTERNAL_SOURCE))
7231 				continue;
7232 
7233 			if (zoneid != ipif->ipif_zoneid &&
7234 			    ipif->ipif_zoneid != ALL_ZONES &&
7235 			    (zoneid != GLOBAL_ZONEID ||
7236 			    !(lifn_flags & LIFC_ALLZONES)))
7237 				continue;
7238 
7239 			numifs++;
7240 		}
7241 	}
7242 	rw_exit(&ipst->ips_ill_g_lock);
7243 	return (numifs);
7244 }
7245 
7246 uint_t
7247 ip_get_lifsrcofnum(ill_t *ill)
7248 {
7249 	uint_t numifs = 0;
7250 	ill_t	*ill_head = ill;
7251 	ip_stack_t	*ipst = ill->ill_ipst;
7252 
7253 	/*
7254 	 * ill_g_usesrc_lock protects ill_usesrc_grp_next, for example, some
7255 	 * other thread may be trying to relink the ILLs in this usesrc group
7256 	 * and adjusting the ill_usesrc_grp_next pointers
7257 	 */
7258 	rw_enter(&ipst->ips_ill_g_usesrc_lock, RW_READER);
7259 	if ((ill->ill_usesrc_ifindex == 0) &&
7260 	    (ill->ill_usesrc_grp_next != NULL)) {
7261 		for (; (ill != NULL) && (ill->ill_usesrc_grp_next != ill_head);
7262 		    ill = ill->ill_usesrc_grp_next)
7263 			numifs++;
7264 	}
7265 	rw_exit(&ipst->ips_ill_g_usesrc_lock);
7266 
7267 	return (numifs);
7268 }
7269 
7270 /* Null values are passed in for ipif, sin, and ifreq */
7271 /* ARGSUSED */
7272 int
7273 ip_sioctl_get_ifnum(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q,
7274     mblk_t *mp, ip_ioctl_cmd_t *ipip, void *ifreq)
7275 {
7276 	int *nump;
7277 	conn_t *connp = Q_TO_CONN(q);
7278 
7279 	ASSERT(q->q_next == NULL); /* not a valid ioctl for ip as a module */
7280 
7281 	/* Existence of b_cont->b_cont checked in ip_wput_nondata */
7282 	nump = (int *)mp->b_cont->b_cont->b_rptr;
7283 
7284 	*nump = ip_get_numifs(connp->conn_zoneid,
7285 	    connp->conn_netstack->netstack_ip);
7286 	ip1dbg(("ip_sioctl_get_ifnum numifs %d", *nump));
7287 	return (0);
7288 }
7289 
7290 /* Null values are passed in for ipif, sin, and ifreq */
7291 /* ARGSUSED */
7292 int
7293 ip_sioctl_get_lifnum(ipif_t *dummy_ipif, sin_t *dummy_sin,
7294     queue_t *q, mblk_t *mp, ip_ioctl_cmd_t *ipip, void *ifreq)
7295 {
7296 	struct lifnum *lifn;
7297 	mblk_t	*mp1;
7298 	conn_t *connp = Q_TO_CONN(q);
7299 
7300 	ASSERT(q->q_next == NULL); /* not a valid ioctl for ip as a module */
7301 
7302 	/* Existence checked in ip_wput_nondata */
7303 	mp1 = mp->b_cont->b_cont;
7304 
7305 	lifn = (struct lifnum *)mp1->b_rptr;
7306 	switch (lifn->lifn_family) {
7307 	case AF_UNSPEC:
7308 	case AF_INET:
7309 	case AF_INET6:
7310 		break;
7311 	default:
7312 		return (EAFNOSUPPORT);
7313 	}
7314 
7315 	lifn->lifn_count = ip_get_numlifs(lifn->lifn_family, lifn->lifn_flags,
7316 	    connp->conn_zoneid, connp->conn_netstack->netstack_ip);
7317 	ip1dbg(("ip_sioctl_get_lifnum numifs %d", lifn->lifn_count));
7318 	return (0);
7319 }
7320 
7321 /* ARGSUSED */
7322 int
7323 ip_sioctl_get_ifconf(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q,
7324     mblk_t *mp, ip_ioctl_cmd_t *ipip, void *ifreq)
7325 {
7326 	STRUCT_HANDLE(ifconf, ifc);
7327 	mblk_t *mp1;
7328 	struct iocblk *iocp;
7329 	struct ifreq *ifr;
7330 	ill_walk_context_t	ctx;
7331 	ill_t	*ill;
7332 	ipif_t	*ipif;
7333 	struct sockaddr_in *sin;
7334 	int32_t	ifclen;
7335 	zoneid_t zoneid;
7336 	ip_stack_t *ipst = CONNQ_TO_IPST(q);
7337 
7338 	ASSERT(q->q_next == NULL); /* not valid ioctls for ip as a module */
7339 
7340 	ip1dbg(("ip_sioctl_get_ifconf"));
7341 	/* Existence verified in ip_wput_nondata */
7342 	mp1 = mp->b_cont->b_cont;
7343 	iocp = (struct iocblk *)mp->b_rptr;
7344 	zoneid = Q_TO_CONN(q)->conn_zoneid;
7345 
7346 	/*
7347 	 * The original SIOCGIFCONF passed in a struct ifconf which specified
7348 	 * the user buffer address and length into which the list of struct
7349 	 * ifreqs was to be copied.  Since AT&T Streams does not seem to
7350 	 * allow M_COPYOUT to be used in conjunction with I_STR IOCTLS,
7351 	 * the SIOCGIFCONF operation was redefined to simply provide
7352 	 * a large output buffer into which we are supposed to jam the ifreq
7353 	 * array.  The same ioctl command code was used, despite the fact that
7354 	 * both the applications and the kernel code had to change, thus making
7355 	 * it impossible to support both interfaces.
7356 	 *
7357 	 * For reasons not good enough to try to explain, the following
7358 	 * algorithm is used for deciding what to do with one of these:
7359 	 * If the IOCTL comes in as an I_STR, it is assumed to be of the new
7360 	 * form with the output buffer coming down as the continuation message.
7361 	 * If it arrives as a TRANSPARENT IOCTL, it is assumed to be old style,
7362 	 * and we have to copy in the ifconf structure to find out how big the
7363 	 * output buffer is and where to copy out to.  Sure no problem...
7364 	 *
7365 	 */
7366 	STRUCT_SET_HANDLE(ifc, iocp->ioc_flag, NULL);
7367 	if ((mp1->b_wptr - mp1->b_rptr) == STRUCT_SIZE(ifc)) {
7368 		int numifs = 0;
7369 		size_t ifc_bufsize;
7370 
7371 		/*
7372 		 * Must be (better be!) continuation of a TRANSPARENT
7373 		 * IOCTL.  We just copied in the ifconf structure.
7374 		 */
7375 		STRUCT_SET_HANDLE(ifc, iocp->ioc_flag,
7376 		    (struct ifconf *)mp1->b_rptr);
7377 
7378 		/*
7379 		 * Allocate a buffer to hold requested information.
7380 		 *
7381 		 * If ifc_len is larger than what is needed, we only
7382 		 * allocate what we will use.
7383 		 *
7384 		 * If ifc_len is smaller than what is needed, return
7385 		 * EINVAL.
7386 		 *
7387 		 * XXX: the ill_t structure can hava 2 counters, for
7388 		 * v4 and v6 (not just ill_ipif_up_count) to store the
7389 		 * number of interfaces for a device, so we don't need
7390 		 * to count them here...
7391 		 */
7392 		numifs = ip_get_numifs(zoneid, ipst);
7393 
7394 		ifclen = STRUCT_FGET(ifc, ifc_len);
7395 		ifc_bufsize = numifs * sizeof (struct ifreq);
7396 		if (ifc_bufsize > ifclen) {
7397 			if (iocp->ioc_cmd == O_SIOCGIFCONF) {
7398 				/* old behaviour */
7399 				return (EINVAL);
7400 			} else {
7401 				ifc_bufsize = ifclen;
7402 			}
7403 		}
7404 
7405 		mp1 = mi_copyout_alloc(q, mp,
7406 		    STRUCT_FGETP(ifc, ifc_buf), ifc_bufsize, B_FALSE);
7407 		if (mp1 == NULL)
7408 			return (ENOMEM);
7409 
7410 		mp1->b_wptr = mp1->b_rptr + ifc_bufsize;
7411 	}
7412 	bzero(mp1->b_rptr, mp1->b_wptr - mp1->b_rptr);
7413 	/*
7414 	 * the SIOCGIFCONF ioctl only knows about
7415 	 * IPv4 addresses, so don't try to tell
7416 	 * it about interfaces with IPv6-only
7417 	 * addresses. (Last parm 'isv6' is B_FALSE)
7418 	 */
7419 
7420 	ifr = (struct ifreq *)mp1->b_rptr;
7421 
7422 	rw_enter(&ipst->ips_ill_g_lock, RW_READER);
7423 	ill = ILL_START_WALK_V4(&ctx, ipst);
7424 	for (; ill != NULL; ill = ill_next(&ctx, ill)) {
7425 		if (IS_UNDER_IPMP(ill))
7426 			continue;
7427 		for (ipif = ill->ill_ipif; ipif != NULL;
7428 		    ipif = ipif->ipif_next) {
7429 			if (zoneid != ipif->ipif_zoneid &&
7430 			    ipif->ipif_zoneid != ALL_ZONES)
7431 				continue;
7432 			if ((uchar_t *)&ifr[1] > mp1->b_wptr) {
7433 				if (iocp->ioc_cmd == O_SIOCGIFCONF) {
7434 					/* old behaviour */
7435 					rw_exit(&ipst->ips_ill_g_lock);
7436 					return (EINVAL);
7437 				} else {
7438 					goto if_copydone;
7439 				}
7440 			}
7441 			ipif_get_name(ipif, ifr->ifr_name,
7442 			    sizeof (ifr->ifr_name));
7443 			sin = (sin_t *)&ifr->ifr_addr;
7444 			*sin = sin_null;
7445 			sin->sin_family = AF_INET;
7446 			sin->sin_addr.s_addr = ipif->ipif_lcl_addr;
7447 			ifr++;
7448 		}
7449 	}
7450 if_copydone:
7451 	rw_exit(&ipst->ips_ill_g_lock);
7452 	mp1->b_wptr = (uchar_t *)ifr;
7453 
7454 	if (STRUCT_BUF(ifc) != NULL) {
7455 		STRUCT_FSET(ifc, ifc_len,
7456 		    (int)((uchar_t *)ifr - mp1->b_rptr));
7457 	}
7458 	return (0);
7459 }
7460 
7461 /*
7462  * Get the interfaces using the address hosted on the interface passed in,
7463  * as a source adddress
7464  */
7465 /* ARGSUSED */
7466 int
7467 ip_sioctl_get_lifsrcof(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q,
7468     mblk_t *mp, ip_ioctl_cmd_t *ipip, void *ifreq)
7469 {
7470 	mblk_t *mp1;
7471 	ill_t	*ill, *ill_head;
7472 	ipif_t	*ipif, *orig_ipif;
7473 	int	numlifs = 0;
7474 	size_t	lifs_bufsize, lifsmaxlen;
7475 	struct	lifreq *lifr;
7476 	struct iocblk *iocp = (struct iocblk *)mp->b_rptr;
7477 	uint_t	ifindex;
7478 	zoneid_t zoneid;
7479 	boolean_t isv6 = B_FALSE;
7480 	struct	sockaddr_in	*sin;
7481 	struct	sockaddr_in6	*sin6;
7482 	STRUCT_HANDLE(lifsrcof, lifs);
7483 	ip_stack_t		*ipst;
7484 
7485 	ipst = CONNQ_TO_IPST(q);
7486 
7487 	ASSERT(q->q_next == NULL);
7488 
7489 	zoneid = Q_TO_CONN(q)->conn_zoneid;
7490 
7491 	/* Existence verified in ip_wput_nondata */
7492 	mp1 = mp->b_cont->b_cont;
7493 
7494 	/*
7495 	 * Must be (better be!) continuation of a TRANSPARENT
7496 	 * IOCTL.  We just copied in the lifsrcof structure.
7497 	 */
7498 	STRUCT_SET_HANDLE(lifs, iocp->ioc_flag,
7499 	    (struct lifsrcof *)mp1->b_rptr);
7500 
7501 	if (MBLKL(mp1) != STRUCT_SIZE(lifs))
7502 		return (EINVAL);
7503 
7504 	ifindex = STRUCT_FGET(lifs, lifs_ifindex);
7505 	isv6 = (Q_TO_CONN(q))->conn_family == AF_INET6;
7506 	ipif = ipif_lookup_on_ifindex(ifindex, isv6, zoneid, ipst);
7507 	if (ipif == NULL) {
7508 		ip1dbg(("ip_sioctl_get_lifsrcof: no ipif for ifindex %d\n",
7509 		    ifindex));
7510 		return (ENXIO);
7511 	}
7512 
7513 	/* Allocate a buffer to hold requested information */
7514 	numlifs = ip_get_lifsrcofnum(ipif->ipif_ill);
7515 	lifs_bufsize = numlifs * sizeof (struct lifreq);
7516 	lifsmaxlen =  STRUCT_FGET(lifs, lifs_maxlen);
7517 	/* The actual size needed is always returned in lifs_len */
7518 	STRUCT_FSET(lifs, lifs_len, lifs_bufsize);
7519 
7520 	/* If the amount we need is more than what is passed in, abort */
7521 	if (lifs_bufsize > lifsmaxlen || lifs_bufsize == 0) {
7522 		ipif_refrele(ipif);
7523 		return (0);
7524 	}
7525 
7526 	mp1 = mi_copyout_alloc(q, mp,
7527 	    STRUCT_FGETP(lifs, lifs_buf), lifs_bufsize, B_FALSE);
7528 	if (mp1 == NULL) {
7529 		ipif_refrele(ipif);
7530 		return (ENOMEM);
7531 	}
7532 
7533 	mp1->b_wptr = mp1->b_rptr + lifs_bufsize;
7534 	bzero(mp1->b_rptr, lifs_bufsize);
7535 
7536 	lifr = (struct lifreq *)mp1->b_rptr;
7537 
7538 	ill = ill_head = ipif->ipif_ill;
7539 	orig_ipif = ipif;
7540 
7541 	/* ill_g_usesrc_lock protects ill_usesrc_grp_next */
7542 	rw_enter(&ipst->ips_ill_g_usesrc_lock, RW_READER);
7543 	rw_enter(&ipst->ips_ill_g_lock, RW_READER);
7544 
7545 	ill = ill->ill_usesrc_grp_next; /* start from next ill */
7546 	for (; (ill != NULL) && (ill != ill_head);
7547 	    ill = ill->ill_usesrc_grp_next) {
7548 
7549 		if ((uchar_t *)&lifr[1] > mp1->b_wptr)
7550 			break;
7551 
7552 		ipif = ill->ill_ipif;
7553 		ipif_get_name(ipif, lifr->lifr_name, sizeof (lifr->lifr_name));
7554 		if (ipif->ipif_isv6) {
7555 			sin6 = (sin6_t *)&lifr->lifr_addr;
7556 			*sin6 = sin6_null;
7557 			sin6->sin6_family = AF_INET6;
7558 			sin6->sin6_addr = ipif->ipif_v6lcl_addr;
7559 			lifr->lifr_addrlen = ip_mask_to_plen_v6(
7560 			    &ipif->ipif_v6net_mask);
7561 		} else {
7562 			sin = (sin_t *)&lifr->lifr_addr;
7563 			*sin = sin_null;
7564 			sin->sin_family = AF_INET;
7565 			sin->sin_addr.s_addr = ipif->ipif_lcl_addr;
7566 			lifr->lifr_addrlen = ip_mask_to_plen(
7567 			    ipif->ipif_net_mask);
7568 		}
7569 		lifr++;
7570 	}
7571 	rw_exit(&ipst->ips_ill_g_lock);
7572 	rw_exit(&ipst->ips_ill_g_usesrc_lock);
7573 	ipif_refrele(orig_ipif);
7574 	mp1->b_wptr = (uchar_t *)lifr;
7575 	STRUCT_FSET(lifs, lifs_len, (int)((uchar_t *)lifr - mp1->b_rptr));
7576 
7577 	return (0);
7578 }
7579 
7580 /* ARGSUSED */
7581 int
7582 ip_sioctl_get_lifconf(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q,
7583     mblk_t *mp, ip_ioctl_cmd_t *ipip, void *ifreq)
7584 {
7585 	mblk_t *mp1;
7586 	int	list;
7587 	ill_t	*ill;
7588 	ipif_t	*ipif;
7589 	int	flags;
7590 	int	numlifs = 0;
7591 	size_t	lifc_bufsize;
7592 	struct	lifreq *lifr;
7593 	sa_family_t	family;
7594 	struct	sockaddr_in	*sin;
7595 	struct	sockaddr_in6	*sin6;
7596 	ill_walk_context_t	ctx;
7597 	struct iocblk *iocp = (struct iocblk *)mp->b_rptr;
7598 	int32_t	lifclen;
7599 	zoneid_t zoneid;
7600 	STRUCT_HANDLE(lifconf, lifc);
7601 	ip_stack_t *ipst = CONNQ_TO_IPST(q);
7602 
7603 	ip1dbg(("ip_sioctl_get_lifconf"));
7604 
7605 	ASSERT(q->q_next == NULL);
7606 
7607 	zoneid = Q_TO_CONN(q)->conn_zoneid;
7608 
7609 	/* Existence verified in ip_wput_nondata */
7610 	mp1 = mp->b_cont->b_cont;
7611 
7612 	/*
7613 	 * An extended version of SIOCGIFCONF that takes an
7614 	 * additional address family and flags field.
7615 	 * AF_UNSPEC retrieve both IPv4 and IPv6.
7616 	 * Unless LIFC_NOXMIT is specified the IPIF_NOXMIT
7617 	 * interfaces are omitted.
7618 	 * Similarly, IPIF_TEMPORARY interfaces are omitted
7619 	 * unless LIFC_TEMPORARY is specified.
7620 	 * If LIFC_EXTERNAL_SOURCE is specified, IPIF_NOXMIT,
7621 	 * IPIF_NOLOCAL, PHYI_LOOPBACK, IPIF_DEPRECATED and
7622 	 * not IPIF_UP interfaces are omitted. LIFC_EXTERNAL_SOURCE
7623 	 * has priority over LIFC_NOXMIT.
7624 	 */
7625 	STRUCT_SET_HANDLE(lifc, iocp->ioc_flag, NULL);
7626 
7627 	if ((mp1->b_wptr - mp1->b_rptr) != STRUCT_SIZE(lifc))
7628 		return (EINVAL);
7629 
7630 	/*
7631 	 * Must be (better be!) continuation of a TRANSPARENT
7632 	 * IOCTL.  We just copied in the lifconf structure.
7633 	 */
7634 	STRUCT_SET_HANDLE(lifc, iocp->ioc_flag, (struct lifconf *)mp1->b_rptr);
7635 
7636 	family = STRUCT_FGET(lifc, lifc_family);
7637 	flags = STRUCT_FGET(lifc, lifc_flags);
7638 
7639 	switch (family) {
7640 	case AF_UNSPEC:
7641 		/*
7642 		 * walk all ILL's.
7643 		 */
7644 		list = MAX_G_HEADS;
7645 		break;
7646 	case AF_INET:
7647 		/*
7648 		 * walk only IPV4 ILL's.
7649 		 */
7650 		list = IP_V4_G_HEAD;
7651 		break;
7652 	case AF_INET6:
7653 		/*
7654 		 * walk only IPV6 ILL's.
7655 		 */
7656 		list = IP_V6_G_HEAD;
7657 		break;
7658 	default:
7659 		return (EAFNOSUPPORT);
7660 	}
7661 
7662 	/*
7663 	 * Allocate a buffer to hold requested information.
7664 	 *
7665 	 * If lifc_len is larger than what is needed, we only
7666 	 * allocate what we will use.
7667 	 *
7668 	 * If lifc_len is smaller than what is needed, return
7669 	 * EINVAL.
7670 	 */
7671 	numlifs = ip_get_numlifs(family, flags, zoneid, ipst);
7672 	lifc_bufsize = numlifs * sizeof (struct lifreq);
7673 	lifclen = STRUCT_FGET(lifc, lifc_len);
7674 	if (lifc_bufsize > lifclen) {
7675 		if (iocp->ioc_cmd == O_SIOCGLIFCONF)
7676 			return (EINVAL);
7677 		else
7678 			lifc_bufsize = lifclen;
7679 	}
7680 
7681 	mp1 = mi_copyout_alloc(q, mp,
7682 	    STRUCT_FGETP(lifc, lifc_buf), lifc_bufsize, B_FALSE);
7683 	if (mp1 == NULL)
7684 		return (ENOMEM);
7685 
7686 	mp1->b_wptr = mp1->b_rptr + lifc_bufsize;
7687 	bzero(mp1->b_rptr, mp1->b_wptr - mp1->b_rptr);
7688 
7689 	lifr = (struct lifreq *)mp1->b_rptr;
7690 
7691 	rw_enter(&ipst->ips_ill_g_lock, RW_READER);
7692 	ill = ill_first(list, list, &ctx, ipst);
7693 	for (; ill != NULL; ill = ill_next(&ctx, ill)) {
7694 		if (IS_UNDER_IPMP(ill) && !(flags & LIFC_UNDER_IPMP))
7695 			continue;
7696 
7697 		for (ipif = ill->ill_ipif; ipif != NULL;
7698 		    ipif = ipif->ipif_next) {
7699 			if ((ipif->ipif_flags & IPIF_NOXMIT) &&
7700 			    !(flags & LIFC_NOXMIT))
7701 				continue;
7702 
7703 			if ((ipif->ipif_flags & IPIF_TEMPORARY) &&
7704 			    !(flags & LIFC_TEMPORARY))
7705 				continue;
7706 
7707 			if (((ipif->ipif_flags &
7708 			    (IPIF_NOXMIT|IPIF_NOLOCAL|
7709 			    IPIF_DEPRECATED)) ||
7710 			    IS_LOOPBACK(ill) ||
7711 			    !(ipif->ipif_flags & IPIF_UP)) &&
7712 			    (flags & LIFC_EXTERNAL_SOURCE))
7713 				continue;
7714 
7715 			if (zoneid != ipif->ipif_zoneid &&
7716 			    ipif->ipif_zoneid != ALL_ZONES &&
7717 			    (zoneid != GLOBAL_ZONEID ||
7718 			    !(flags & LIFC_ALLZONES)))
7719 				continue;
7720 
7721 			if ((uchar_t *)&lifr[1] > mp1->b_wptr) {
7722 				if (iocp->ioc_cmd == O_SIOCGLIFCONF) {
7723 					rw_exit(&ipst->ips_ill_g_lock);
7724 					return (EINVAL);
7725 				} else {
7726 					goto lif_copydone;
7727 				}
7728 			}
7729 
7730 			ipif_get_name(ipif, lifr->lifr_name,
7731 			    sizeof (lifr->lifr_name));
7732 			lifr->lifr_type = ill->ill_type;
7733 			if (ipif->ipif_isv6) {
7734 				sin6 = (sin6_t *)&lifr->lifr_addr;
7735 				*sin6 = sin6_null;
7736 				sin6->sin6_family = AF_INET6;
7737 				sin6->sin6_addr =
7738 				    ipif->ipif_v6lcl_addr;
7739 				lifr->lifr_addrlen =
7740 				    ip_mask_to_plen_v6(
7741 				    &ipif->ipif_v6net_mask);
7742 			} else {
7743 				sin = (sin_t *)&lifr->lifr_addr;
7744 				*sin = sin_null;
7745 				sin->sin_family = AF_INET;
7746 				sin->sin_addr.s_addr =
7747 				    ipif->ipif_lcl_addr;
7748 				lifr->lifr_addrlen =
7749 				    ip_mask_to_plen(
7750 				    ipif->ipif_net_mask);
7751 			}
7752 			lifr++;
7753 		}
7754 	}
7755 lif_copydone:
7756 	rw_exit(&ipst->ips_ill_g_lock);
7757 
7758 	mp1->b_wptr = (uchar_t *)lifr;
7759 	if (STRUCT_BUF(lifc) != NULL) {
7760 		STRUCT_FSET(lifc, lifc_len,
7761 		    (int)((uchar_t *)lifr - mp1->b_rptr));
7762 	}
7763 	return (0);
7764 }
7765 
7766 static void
7767 ip_sioctl_ip6addrpolicy(queue_t *q, mblk_t *mp)
7768 {
7769 	ip6_asp_t *table;
7770 	size_t table_size;
7771 	mblk_t *data_mp;
7772 	struct iocblk *iocp = (struct iocblk *)mp->b_rptr;
7773 	ip_stack_t	*ipst;
7774 
7775 	if (q->q_next == NULL)
7776 		ipst = CONNQ_TO_IPST(q);
7777 	else
7778 		ipst = ILLQ_TO_IPST(q);
7779 
7780 	/* These two ioctls are I_STR only */
7781 	if (iocp->ioc_count == TRANSPARENT) {
7782 		miocnak(q, mp, 0, EINVAL);
7783 		return;
7784 	}
7785 
7786 	data_mp = mp->b_cont;
7787 	if (data_mp == NULL) {
7788 		/* The user passed us a NULL argument */
7789 		table = NULL;
7790 		table_size = iocp->ioc_count;
7791 	} else {
7792 		/*
7793 		 * The user provided a table.  The stream head
7794 		 * may have copied in the user data in chunks,
7795 		 * so make sure everything is pulled up
7796 		 * properly.
7797 		 */
7798 		if (MBLKL(data_mp) < iocp->ioc_count) {
7799 			mblk_t *new_data_mp;
7800 			if ((new_data_mp = msgpullup(data_mp, -1)) ==
7801 			    NULL) {
7802 				miocnak(q, mp, 0, ENOMEM);
7803 				return;
7804 			}
7805 			freemsg(data_mp);
7806 			data_mp = new_data_mp;
7807 			mp->b_cont = data_mp;
7808 		}
7809 		table = (ip6_asp_t *)data_mp->b_rptr;
7810 		table_size = iocp->ioc_count;
7811 	}
7812 
7813 	switch (iocp->ioc_cmd) {
7814 	case SIOCGIP6ADDRPOLICY:
7815 		iocp->ioc_rval = ip6_asp_get(table, table_size, ipst);
7816 		if (iocp->ioc_rval == -1)
7817 			iocp->ioc_error = EINVAL;
7818 #if defined(_SYSCALL32_IMPL) && _LONG_LONG_ALIGNMENT_32 == 4
7819 		else if (table != NULL &&
7820 		    (iocp->ioc_flag & IOC_MODELS) == IOC_ILP32) {
7821 			ip6_asp_t *src = table;
7822 			ip6_asp32_t *dst = (void *)table;
7823 			int count = table_size / sizeof (ip6_asp_t);
7824 			int i;
7825 
7826 			/*
7827 			 * We need to do an in-place shrink of the array
7828 			 * to match the alignment attributes of the
7829 			 * 32-bit ABI looking at it.
7830 			 */
7831 			/* LINTED: logical expression always true: op "||" */
7832 			ASSERT(sizeof (*src) > sizeof (*dst));
7833 			for (i = 1; i < count; i++)
7834 				bcopy(src + i, dst + i, sizeof (*dst));
7835 		}
7836 #endif
7837 		break;
7838 
7839 	case SIOCSIP6ADDRPOLICY:
7840 		ASSERT(mp->b_prev == NULL);
7841 		mp->b_prev = (void *)q;
7842 #if defined(_SYSCALL32_IMPL) && _LONG_LONG_ALIGNMENT_32 == 4
7843 		/*
7844 		 * We pass in the datamodel here so that the ip6_asp_replace()
7845 		 * routine can handle converting from 32-bit to native formats
7846 		 * where necessary.
7847 		 *
7848 		 * A better way to handle this might be to convert the inbound
7849 		 * data structure here, and hang it off a new 'mp'; thus the
7850 		 * ip6_asp_replace() logic would always be dealing with native
7851 		 * format data structures..
7852 		 *
7853 		 * (An even simpler way to handle these ioctls is to just
7854 		 * add a 32-bit trailing 'pad' field to the ip6_asp_t structure
7855 		 * and just recompile everything that depends on it.)
7856 		 */
7857 #endif
7858 		ip6_asp_replace(mp, table, table_size, B_FALSE, ipst,
7859 		    iocp->ioc_flag & IOC_MODELS);
7860 		return;
7861 	}
7862 
7863 	DB_TYPE(mp) =  (iocp->ioc_error == 0) ? M_IOCACK : M_IOCNAK;
7864 	qreply(q, mp);
7865 }
7866 
7867 static void
7868 ip_sioctl_dstinfo(queue_t *q, mblk_t *mp)
7869 {
7870 	mblk_t 		*data_mp;
7871 	struct dstinforeq	*dir;
7872 	uint8_t		*end, *cur;
7873 	in6_addr_t	*daddr, *saddr;
7874 	ipaddr_t	v4daddr;
7875 	ire_t		*ire;
7876 	ipaddr_t	v4setsrc;
7877 	in6_addr_t	v6setsrc;
7878 	char		*slabel, *dlabel;
7879 	boolean_t	isipv4;
7880 	int		match_ire;
7881 	ill_t		*dst_ill;
7882 	struct iocblk *iocp = (struct iocblk *)mp->b_rptr;
7883 	conn_t		*connp = Q_TO_CONN(q);
7884 	zoneid_t	zoneid = IPCL_ZONEID(connp);
7885 	ip_stack_t	*ipst = connp->conn_netstack->netstack_ip;
7886 	uint64_t	ipif_flags;
7887 
7888 	ASSERT(q->q_next == NULL); /* this ioctl not allowed if ip is module */
7889 
7890 	/*
7891 	 * This ioctl is I_STR only, and must have a
7892 	 * data mblk following the M_IOCTL mblk.
7893 	 */
7894 	data_mp = mp->b_cont;
7895 	if (iocp->ioc_count == TRANSPARENT || data_mp == NULL) {
7896 		miocnak(q, mp, 0, EINVAL);
7897 		return;
7898 	}
7899 
7900 	if (MBLKL(data_mp) < iocp->ioc_count) {
7901 		mblk_t *new_data_mp;
7902 
7903 		if ((new_data_mp = msgpullup(data_mp, -1)) == NULL) {
7904 			miocnak(q, mp, 0, ENOMEM);
7905 			return;
7906 		}
7907 		freemsg(data_mp);
7908 		data_mp = new_data_mp;
7909 		mp->b_cont = data_mp;
7910 	}
7911 	match_ire = MATCH_IRE_DSTONLY;
7912 
7913 	for (cur = data_mp->b_rptr, end = data_mp->b_wptr;
7914 	    end - cur >= sizeof (struct dstinforeq);
7915 	    cur += sizeof (struct dstinforeq)) {
7916 		dir = (struct dstinforeq *)cur;
7917 		daddr = &dir->dir_daddr;
7918 		saddr = &dir->dir_saddr;
7919 
7920 		/*
7921 		 * ip_addr_scope_v6() and ip6_asp_lookup() handle
7922 		 * v4 mapped addresses; ire_ftable_lookup_v6()
7923 		 * and ip_select_source_v6() do not.
7924 		 */
7925 		dir->dir_dscope = ip_addr_scope_v6(daddr);
7926 		dlabel = ip6_asp_lookup(daddr, &dir->dir_precedence, ipst);
7927 
7928 		isipv4 = IN6_IS_ADDR_V4MAPPED(daddr);
7929 		if (isipv4) {
7930 			IN6_V4MAPPED_TO_IPADDR(daddr, v4daddr);
7931 			v4setsrc = INADDR_ANY;
7932 			ire = ire_route_recursive_v4(v4daddr, 0, NULL, zoneid,
7933 			    NULL, match_ire, IRR_ALLOCATE, 0, ipst, &v4setsrc,
7934 			    NULL, NULL);
7935 		} else {
7936 			v6setsrc = ipv6_all_zeros;
7937 			ire = ire_route_recursive_v6(daddr, 0, NULL, zoneid,
7938 			    NULL, match_ire, IRR_ALLOCATE, 0, ipst, &v6setsrc,
7939 			    NULL, NULL);
7940 		}
7941 		ASSERT(ire != NULL);
7942 		if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
7943 			ire_refrele(ire);
7944 			dir->dir_dreachable = 0;
7945 
7946 			/* move on to next dst addr */
7947 			continue;
7948 		}
7949 		dir->dir_dreachable = 1;
7950 
7951 		dst_ill = ire_nexthop_ill(ire);
7952 		if (dst_ill == NULL) {
7953 			ire_refrele(ire);
7954 			continue;
7955 		}
7956 
7957 		/* With ipmp we most likely look at the ipmp ill here */
7958 		dir->dir_dmactype = dst_ill->ill_mactype;
7959 
7960 		if (isipv4) {
7961 			ipaddr_t v4saddr;
7962 
7963 			if (ip_select_source_v4(dst_ill, v4setsrc, v4daddr,
7964 			    connp->conn_ixa->ixa_multicast_ifaddr, zoneid, ipst,
7965 			    &v4saddr, NULL, &ipif_flags) != 0) {
7966 				v4saddr = INADDR_ANY;
7967 				ipif_flags = 0;
7968 			}
7969 			IN6_IPADDR_TO_V4MAPPED(v4saddr, saddr);
7970 		} else {
7971 			if (ip_select_source_v6(dst_ill, &v6setsrc, daddr,
7972 			    zoneid, ipst, B_FALSE, IPV6_PREFER_SRC_DEFAULT,
7973 			    saddr, NULL, &ipif_flags) != 0) {
7974 				*saddr = ipv6_all_zeros;
7975 				ipif_flags = 0;
7976 			}
7977 		}
7978 
7979 		dir->dir_sscope = ip_addr_scope_v6(saddr);
7980 		slabel = ip6_asp_lookup(saddr, NULL, ipst);
7981 		dir->dir_labelmatch = ip6_asp_labelcmp(dlabel, slabel);
7982 		dir->dir_sdeprecated = (ipif_flags & IPIF_DEPRECATED) ? 1 : 0;
7983 		ire_refrele(ire);
7984 		ill_refrele(dst_ill);
7985 	}
7986 	miocack(q, mp, iocp->ioc_count, 0);
7987 }
7988 
7989 /*
7990  * Check if this is an address assigned to this machine.
7991  * Skips interfaces that are down by using ire checks.
7992  * Translates mapped addresses to v4 addresses and then
7993  * treats them as such, returning true if the v4 address
7994  * associated with this mapped address is configured.
7995  * Note: Applications will have to be careful what they do
7996  * with the response; use of mapped addresses limits
7997  * what can be done with the socket, especially with
7998  * respect to socket options and ioctls - neither IPv4
7999  * options nor IPv6 sticky options/ancillary data options
8000  * may be used.
8001  */
8002 /* ARGSUSED */
8003 int
8004 ip_sioctl_tmyaddr(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
8005     ip_ioctl_cmd_t *ipip, void *dummy_ifreq)
8006 {
8007 	struct sioc_addrreq *sia;
8008 	sin_t *sin;
8009 	ire_t *ire;
8010 	mblk_t *mp1;
8011 	zoneid_t zoneid;
8012 	ip_stack_t	*ipst;
8013 
8014 	ip1dbg(("ip_sioctl_tmyaddr"));
8015 
8016 	ASSERT(q->q_next == NULL); /* this ioctl not allowed if ip is module */
8017 	zoneid = Q_TO_CONN(q)->conn_zoneid;
8018 	ipst = CONNQ_TO_IPST(q);
8019 
8020 	/* Existence verified in ip_wput_nondata */
8021 	mp1 = mp->b_cont->b_cont;
8022 	sia = (struct sioc_addrreq *)mp1->b_rptr;
8023 	sin = (sin_t *)&sia->sa_addr;
8024 	switch (sin->sin_family) {
8025 	case AF_INET6: {
8026 		sin6_t *sin6 = (sin6_t *)sin;
8027 
8028 		if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
8029 			ipaddr_t v4_addr;
8030 
8031 			IN6_V4MAPPED_TO_IPADDR(&sin6->sin6_addr,
8032 			    v4_addr);
8033 			ire = ire_ftable_lookup_v4(v4_addr, 0, 0,
8034 			    IRE_LOCAL|IRE_LOOPBACK, NULL, zoneid, NULL,
8035 			    MATCH_IRE_TYPE | MATCH_IRE_ZONEONLY, 0, ipst, NULL);
8036 		} else {
8037 			in6_addr_t v6addr;
8038 
8039 			v6addr = sin6->sin6_addr;
8040 			ire = ire_ftable_lookup_v6(&v6addr, 0, 0,
8041 			    IRE_LOCAL|IRE_LOOPBACK, NULL, zoneid, NULL,
8042 			    MATCH_IRE_TYPE | MATCH_IRE_ZONEONLY, 0, ipst, NULL);
8043 		}
8044 		break;
8045 	}
8046 	case AF_INET: {
8047 		ipaddr_t v4addr;
8048 
8049 		v4addr = sin->sin_addr.s_addr;
8050 		ire = ire_ftable_lookup_v4(v4addr, 0, 0,
8051 		    IRE_LOCAL|IRE_LOOPBACK, NULL, zoneid,
8052 		    NULL, MATCH_IRE_TYPE | MATCH_IRE_ZONEONLY, 0, ipst, NULL);
8053 		break;
8054 	}
8055 	default:
8056 		return (EAFNOSUPPORT);
8057 	}
8058 	if (ire != NULL) {
8059 		sia->sa_res = 1;
8060 		ire_refrele(ire);
8061 	} else {
8062 		sia->sa_res = 0;
8063 	}
8064 	return (0);
8065 }
8066 
8067 /*
8068  * Check if this is an address assigned on-link i.e. neighbor,
8069  * and makes sure it's reachable from the current zone.
8070  * Returns true for my addresses as well.
8071  * Translates mapped addresses to v4 addresses and then
8072  * treats them as such, returning true if the v4 address
8073  * associated with this mapped address is configured.
8074  * Note: Applications will have to be careful what they do
8075  * with the response; use of mapped addresses limits
8076  * what can be done with the socket, especially with
8077  * respect to socket options and ioctls - neither IPv4
8078  * options nor IPv6 sticky options/ancillary data options
8079  * may be used.
8080  */
8081 /* ARGSUSED */
8082 int
8083 ip_sioctl_tonlink(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
8084     ip_ioctl_cmd_t *ipip, void *duymmy_ifreq)
8085 {
8086 	struct sioc_addrreq *sia;
8087 	sin_t *sin;
8088 	mblk_t	*mp1;
8089 	ire_t *ire = NULL;
8090 	zoneid_t zoneid;
8091 	ip_stack_t	*ipst;
8092 
8093 	ip1dbg(("ip_sioctl_tonlink"));
8094 
8095 	ASSERT(q->q_next == NULL); /* this ioctl not allowed if ip is module */
8096 	zoneid = Q_TO_CONN(q)->conn_zoneid;
8097 	ipst = CONNQ_TO_IPST(q);
8098 
8099 	/* Existence verified in ip_wput_nondata */
8100 	mp1 = mp->b_cont->b_cont;
8101 	sia = (struct sioc_addrreq *)mp1->b_rptr;
8102 	sin = (sin_t *)&sia->sa_addr;
8103 
8104 	/*
8105 	 * We check for IRE_ONLINK and exclude IRE_BROADCAST|IRE_MULTICAST
8106 	 * to make sure we only look at on-link unicast address.
8107 	 */
8108 	switch (sin->sin_family) {
8109 	case AF_INET6: {
8110 		sin6_t *sin6 = (sin6_t *)sin;
8111 
8112 		if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
8113 			ipaddr_t v4_addr;
8114 
8115 			IN6_V4MAPPED_TO_IPADDR(&sin6->sin6_addr,
8116 			    v4_addr);
8117 			if (!CLASSD(v4_addr)) {
8118 				ire = ire_ftable_lookup_v4(v4_addr, 0, 0, 0,
8119 				    NULL, zoneid, NULL, MATCH_IRE_DSTONLY,
8120 				    0, ipst, NULL);
8121 			}
8122 		} else {
8123 			in6_addr_t v6addr;
8124 
8125 			v6addr = sin6->sin6_addr;
8126 			if (!IN6_IS_ADDR_MULTICAST(&v6addr)) {
8127 				ire = ire_ftable_lookup_v6(&v6addr, 0, 0, 0,
8128 				    NULL, zoneid, NULL, MATCH_IRE_DSTONLY, 0,
8129 				    ipst, NULL);
8130 			}
8131 		}
8132 		break;
8133 	}
8134 	case AF_INET: {
8135 		ipaddr_t v4addr;
8136 
8137 		v4addr = sin->sin_addr.s_addr;
8138 		if (!CLASSD(v4addr)) {
8139 			ire = ire_ftable_lookup_v4(v4addr, 0, 0, 0, NULL,
8140 			    zoneid, NULL, MATCH_IRE_DSTONLY, 0, ipst, NULL);
8141 		}
8142 		break;
8143 	}
8144 	default:
8145 		return (EAFNOSUPPORT);
8146 	}
8147 	sia->sa_res = 0;
8148 	if (ire != NULL) {
8149 		ASSERT(!(ire->ire_type & IRE_MULTICAST));
8150 
8151 		if ((ire->ire_type & IRE_ONLINK) &&
8152 		    !(ire->ire_type & IRE_BROADCAST))
8153 			sia->sa_res = 1;
8154 		ire_refrele(ire);
8155 	}
8156 	return (0);
8157 }
8158 
8159 /*
8160  * TBD: implement when kernel maintaines a list of site prefixes.
8161  */
8162 /* ARGSUSED */
8163 int
8164 ip_sioctl_tmysite(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
8165     ip_ioctl_cmd_t *ipip, void *ifreq)
8166 {
8167 	return (ENXIO);
8168 }
8169 
8170 /* ARP IOCTLs. */
8171 /* ARGSUSED */
8172 int
8173 ip_sioctl_arp(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
8174     ip_ioctl_cmd_t *ipip, void *dummy_ifreq)
8175 {
8176 	int		err;
8177 	ipaddr_t	ipaddr;
8178 	struct iocblk	*iocp;
8179 	conn_t		*connp;
8180 	struct arpreq	*ar;
8181 	struct xarpreq	*xar;
8182 	int		arp_flags, flags, alength;
8183 	uchar_t		*lladdr;
8184 	ip_stack_t	*ipst;
8185 	ill_t		*ill = ipif->ipif_ill;
8186 	ill_t		*proxy_ill = NULL;
8187 	ipmp_arpent_t	*entp = NULL;
8188 	boolean_t	proxyarp = B_FALSE;
8189 	boolean_t	if_arp_ioctl = B_FALSE;
8190 	ncec_t		*ncec = NULL;
8191 	nce_t		*nce;
8192 
8193 	ASSERT(!(q->q_flag & QREADR) && q->q_next == NULL);
8194 	connp = Q_TO_CONN(q);
8195 	ipst = connp->conn_netstack->netstack_ip;
8196 	iocp = (struct iocblk *)mp->b_rptr;
8197 
8198 	if (ipip->ipi_cmd_type == XARP_CMD) {
8199 		/* We have a chain - M_IOCTL-->MI_COPY_MBLK-->XARPREQ_MBLK */
8200 		xar = (struct xarpreq *)mp->b_cont->b_cont->b_rptr;
8201 		ar = NULL;
8202 
8203 		arp_flags = xar->xarp_flags;
8204 		lladdr = (uchar_t *)LLADDR(&xar->xarp_ha);
8205 		if_arp_ioctl = (xar->xarp_ha.sdl_nlen != 0);
8206 		/*
8207 		 * Validate against user's link layer address length
8208 		 * input and name and addr length limits.
8209 		 */
8210 		alength = ill->ill_phys_addr_length;
8211 		if (ipip->ipi_cmd == SIOCSXARP) {
8212 			if (alength != xar->xarp_ha.sdl_alen ||
8213 			    (alength + xar->xarp_ha.sdl_nlen >
8214 			    sizeof (xar->xarp_ha.sdl_data)))
8215 				return (EINVAL);
8216 		}
8217 	} else {
8218 		/* We have a chain - M_IOCTL-->MI_COPY_MBLK-->ARPREQ_MBLK */
8219 		ar = (struct arpreq *)mp->b_cont->b_cont->b_rptr;
8220 		xar = NULL;
8221 
8222 		arp_flags = ar->arp_flags;
8223 		lladdr = (uchar_t *)ar->arp_ha.sa_data;
8224 		/*
8225 		 * Theoretically, the sa_family could tell us what link
8226 		 * layer type this operation is trying to deal with. By
8227 		 * common usage AF_UNSPEC means ethernet. We'll assume
8228 		 * any attempt to use the SIOC?ARP ioctls is for ethernet,
8229 		 * for now. Our new SIOC*XARP ioctls can be used more
8230 		 * generally.
8231 		 *
8232 		 * If the underlying media happens to have a non 6 byte
8233 		 * address, arp module will fail set/get, but the del
8234 		 * operation will succeed.
8235 		 */
8236 		alength = 6;
8237 		if ((ipip->ipi_cmd != SIOCDARP) &&
8238 		    (alength != ill->ill_phys_addr_length)) {
8239 			return (EINVAL);
8240 		}
8241 	}
8242 
8243 	/* Translate ATF* flags to NCE* flags */
8244 	flags = 0;
8245 	if (arp_flags & ATF_AUTHORITY)
8246 		flags |= NCE_F_AUTHORITY;
8247 	if (arp_flags & ATF_PERM)
8248 		flags |= NCE_F_NONUD; /* not subject to aging */
8249 	if (arp_flags & ATF_PUBL)
8250 		flags |= NCE_F_PUBLISH;
8251 
8252 	/*
8253 	 * IPMP ARP special handling:
8254 	 *
8255 	 * 1. Since ARP mappings must appear consistent across the group,
8256 	 *    prohibit changing ARP mappings on the underlying interfaces.
8257 	 *
8258 	 * 2. Since ARP mappings for IPMP data addresses are maintained by
8259 	 *    IP itself, prohibit changing them.
8260 	 *
8261 	 * 3. For proxy ARP, use a functioning hardware address in the group,
8262 	 *    provided one exists.  If one doesn't, just add the entry as-is;
8263 	 *    ipmp_illgrp_refresh_arpent() will refresh it if things change.
8264 	 */
8265 	if (IS_UNDER_IPMP(ill)) {
8266 		if (ipip->ipi_cmd != SIOCGARP && ipip->ipi_cmd != SIOCGXARP)
8267 			return (EPERM);
8268 	}
8269 	if (IS_IPMP(ill)) {
8270 		ipmp_illgrp_t *illg = ill->ill_grp;
8271 
8272 		switch (ipip->ipi_cmd) {
8273 		case SIOCSARP:
8274 		case SIOCSXARP:
8275 			proxy_ill = ipmp_illgrp_find_ill(illg, lladdr, alength);
8276 			if (proxy_ill != NULL) {
8277 				proxyarp = B_TRUE;
8278 				if (!ipmp_ill_is_active(proxy_ill))
8279 					proxy_ill = ipmp_illgrp_next_ill(illg);
8280 				if (proxy_ill != NULL)
8281 					lladdr = proxy_ill->ill_phys_addr;
8282 			}
8283 			/* FALLTHRU */
8284 		}
8285 	}
8286 
8287 	ipaddr = sin->sin_addr.s_addr;
8288 	/*
8289 	 * don't match across illgrp per case (1) and (2).
8290 	 * XXX use IS_IPMP(ill) like ndp_sioc_update?
8291 	 */
8292 	nce = nce_lookup_v4(ill, &ipaddr);
8293 	if (nce != NULL)
8294 		ncec = nce->nce_common;
8295 
8296 	switch (iocp->ioc_cmd) {
8297 	case SIOCDARP:
8298 	case SIOCDXARP: {
8299 		/*
8300 		 * Delete the NCE if any.
8301 		 */
8302 		if (ncec == NULL) {
8303 			iocp->ioc_error = ENXIO;
8304 			break;
8305 		}
8306 		/* Don't allow changes to arp mappings of local addresses. */
8307 		if (NCE_MYADDR(ncec)) {
8308 			nce_refrele(nce);
8309 			return (ENOTSUP);
8310 		}
8311 		iocp->ioc_error = 0;
8312 
8313 		/*
8314 		 * Delete the nce_common which has ncec_ill set to ipmp_ill.
8315 		 * This will delete all the nce entries on the under_ills.
8316 		 */
8317 		ncec_delete(ncec);
8318 		/*
8319 		 * Once the NCE has been deleted, then the ire_dep* consistency
8320 		 * mechanism will find any IRE which depended on the now
8321 		 * condemned NCE (as part of sending packets).
8322 		 * That mechanism handles redirects by deleting redirects
8323 		 * that refer to UNREACHABLE nces.
8324 		 */
8325 		break;
8326 	}
8327 	case SIOCGARP:
8328 	case SIOCGXARP:
8329 		if (ncec != NULL) {
8330 			lladdr = ncec->ncec_lladdr;
8331 			flags = ncec->ncec_flags;
8332 			iocp->ioc_error = 0;
8333 			ip_sioctl_garp_reply(mp, ncec->ncec_ill, lladdr, flags);
8334 		} else {
8335 			iocp->ioc_error = ENXIO;
8336 		}
8337 		break;
8338 	case SIOCSARP:
8339 	case SIOCSXARP:
8340 		/* Don't allow changes to arp mappings of local addresses. */
8341 		if (ncec != NULL && NCE_MYADDR(ncec)) {
8342 			nce_refrele(nce);
8343 			return (ENOTSUP);
8344 		}
8345 
8346 		/* static arp entries will undergo NUD if ATF_PERM is not set */
8347 		flags |= NCE_F_STATIC;
8348 		if (!if_arp_ioctl) {
8349 			ip_nce_lookup_and_update(&ipaddr, NULL, ipst,
8350 			    lladdr, alength, flags);
8351 		} else {
8352 			ipif_t *ipif = ipif_get_next_ipif(NULL, ill);
8353 			if (ipif != NULL) {
8354 				ip_nce_lookup_and_update(&ipaddr, ipif, ipst,
8355 				    lladdr, alength, flags);
8356 				ipif_refrele(ipif);
8357 			}
8358 		}
8359 		if (nce != NULL) {
8360 			nce_refrele(nce);
8361 			nce = NULL;
8362 		}
8363 		/*
8364 		 * NCE_F_STATIC entries will be added in state ND_REACHABLE
8365 		 * by nce_add_common()
8366 		 */
8367 		err = nce_lookup_then_add_v4(ill, lladdr,
8368 		    ill->ill_phys_addr_length, &ipaddr, flags, ND_UNCHANGED,
8369 		    &nce);
8370 		if (err == EEXIST) {
8371 			ncec = nce->nce_common;
8372 			mutex_enter(&ncec->ncec_lock);
8373 			ncec->ncec_state = ND_REACHABLE;
8374 			ncec->ncec_flags = flags;
8375 			nce_update(ncec, ND_UNCHANGED, lladdr);
8376 			mutex_exit(&ncec->ncec_lock);
8377 			err = 0;
8378 		}
8379 		if (nce != NULL) {
8380 			nce_refrele(nce);
8381 			nce = NULL;
8382 		}
8383 		if (IS_IPMP(ill) && err == 0) {
8384 			entp = ipmp_illgrp_create_arpent(ill->ill_grp,
8385 			    proxyarp, ipaddr, lladdr, ill->ill_phys_addr_length,
8386 			    flags);
8387 			if (entp == NULL || (proxyarp && proxy_ill == NULL)) {
8388 				iocp->ioc_error = (entp == NULL ? ENOMEM : 0);
8389 				break;
8390 			}
8391 		}
8392 		iocp->ioc_error = err;
8393 	}
8394 
8395 	if (nce != NULL) {
8396 		nce_refrele(nce);
8397 	}
8398 
8399 	/*
8400 	 * If we created an IPMP ARP entry, mark that we've notified ARP.
8401 	 */
8402 	if (entp != NULL)
8403 		ipmp_illgrp_mark_arpent(ill->ill_grp, entp);
8404 
8405 	return (iocp->ioc_error);
8406 }
8407 
8408 /*
8409  * Parse an [x]arpreq structure coming down SIOC[GSD][X]ARP ioctls, identify
8410  * the associated sin and refhold and return the associated ipif via `ci'.
8411  */
8412 int
8413 ip_extract_arpreq(queue_t *q, mblk_t *mp, const ip_ioctl_cmd_t *ipip,
8414     cmd_info_t *ci)
8415 {
8416 	mblk_t	*mp1;
8417 	sin_t	*sin;
8418 	conn_t	*connp;
8419 	ipif_t	*ipif;
8420 	ire_t	*ire = NULL;
8421 	ill_t	*ill = NULL;
8422 	boolean_t exists;
8423 	ip_stack_t *ipst;
8424 	struct arpreq *ar;
8425 	struct xarpreq *xar;
8426 	struct sockaddr_dl *sdl;
8427 
8428 	/* ioctl comes down on a conn */
8429 	ASSERT(!(q->q_flag & QREADR) && q->q_next == NULL);
8430 	connp = Q_TO_CONN(q);
8431 	if (connp->conn_family == AF_INET6)
8432 		return (ENXIO);
8433 
8434 	ipst = connp->conn_netstack->netstack_ip;
8435 
8436 	/* Verified in ip_wput_nondata */
8437 	mp1 = mp->b_cont->b_cont;
8438 
8439 	if (ipip->ipi_cmd_type == XARP_CMD) {
8440 		ASSERT(MBLKL(mp1) >= sizeof (struct xarpreq));
8441 		xar = (struct xarpreq *)mp1->b_rptr;
8442 		sin = (sin_t *)&xar->xarp_pa;
8443 		sdl = &xar->xarp_ha;
8444 
8445 		if (sdl->sdl_family != AF_LINK || sin->sin_family != AF_INET)
8446 			return (ENXIO);
8447 		if (sdl->sdl_nlen >= LIFNAMSIZ)
8448 			return (EINVAL);
8449 	} else {
8450 		ASSERT(ipip->ipi_cmd_type == ARP_CMD);
8451 		ASSERT(MBLKL(mp1) >= sizeof (struct arpreq));
8452 		ar = (struct arpreq *)mp1->b_rptr;
8453 		sin = (sin_t *)&ar->arp_pa;
8454 	}
8455 
8456 	if (ipip->ipi_cmd_type == XARP_CMD && sdl->sdl_nlen != 0) {
8457 		ipif = ipif_lookup_on_name(sdl->sdl_data, sdl->sdl_nlen,
8458 		    B_FALSE, &exists, B_FALSE, ALL_ZONES, ipst);
8459 		if (ipif == NULL)
8460 			return (ENXIO);
8461 		if (ipif->ipif_id != 0) {
8462 			ipif_refrele(ipif);
8463 			return (ENXIO);
8464 		}
8465 	} else {
8466 		/*
8467 		 * Either an SIOC[DGS]ARP or an SIOC[DGS]XARP with an sdl_nlen
8468 		 * of 0: use the IP address to find the ipif.  If the IP
8469 		 * address is an IPMP test address, ire_ftable_lookup() will
8470 		 * find the wrong ill, so we first do an ipif_lookup_addr().
8471 		 */
8472 		ipif = ipif_lookup_addr(sin->sin_addr.s_addr, NULL, ALL_ZONES,
8473 		    ipst);
8474 		if (ipif == NULL) {
8475 			ire = ire_ftable_lookup_v4(sin->sin_addr.s_addr,
8476 			    0, 0, IRE_IF_RESOLVER, NULL, ALL_ZONES,
8477 			    NULL, MATCH_IRE_TYPE, 0, ipst, NULL);
8478 			if (ire == NULL || ((ill = ire->ire_ill) == NULL)) {
8479 				if (ire != NULL)
8480 					ire_refrele(ire);
8481 				return (ENXIO);
8482 			}
8483 			ASSERT(ire != NULL && ill != NULL);
8484 			ipif = ill->ill_ipif;
8485 			ipif_refhold(ipif);
8486 			ire_refrele(ire);
8487 		}
8488 	}
8489 
8490 	if (ipif->ipif_ill->ill_net_type != IRE_IF_RESOLVER) {
8491 		ipif_refrele(ipif);
8492 		return (ENXIO);
8493 	}
8494 
8495 	ci->ci_sin = sin;
8496 	ci->ci_ipif = ipif;
8497 	return (0);
8498 }
8499 
8500 /*
8501  * Link or unlink the illgrp on IPMP meta-interface `ill' depending on the
8502  * value of `ioccmd'.  While an illgrp is linked to an ipmp_grp_t, it is
8503  * accessible from that ipmp_grp_t, which means SIOCSLIFGROUPNAME can look it
8504  * up and thus an ill can join that illgrp.
8505  *
8506  * We use I_PLINK/I_PUNLINK to do the link/unlink operations rather than
8507  * open()/close() primarily because close() is not allowed to fail or block
8508  * forever.  On the other hand, I_PUNLINK *can* fail, and there's no reason
8509  * why anyone should ever need to I_PUNLINK an in-use IPMP stream.  To ensure
8510  * symmetric behavior (e.g., doing an I_PLINK after and I_PUNLINK undoes the
8511  * I_PUNLINK) we defer linking to I_PLINK.  Separately, we also fail attempts
8512  * to I_LINK since I_UNLINK is optional and we'd end up in an inconsistent
8513  * state if I_UNLINK didn't occur.
8514  *
8515  * Note that for each plumb/unplumb operation, we may end up here more than
8516  * once because of the way ifconfig works.  However, it's OK to link the same
8517  * illgrp more than once, or unlink an illgrp that's already unlinked.
8518  */
8519 static int
8520 ip_sioctl_plink_ipmp(ill_t *ill, int ioccmd)
8521 {
8522 	int err;
8523 	ip_stack_t *ipst = ill->ill_ipst;
8524 
8525 	ASSERT(IS_IPMP(ill));
8526 	ASSERT(IAM_WRITER_ILL(ill));
8527 
8528 	switch (ioccmd) {
8529 	case I_LINK:
8530 		return (ENOTSUP);
8531 
8532 	case I_PLINK:
8533 		rw_enter(&ipst->ips_ipmp_lock, RW_WRITER);
8534 		ipmp_illgrp_link_grp(ill->ill_grp, ill->ill_phyint->phyint_grp);
8535 		rw_exit(&ipst->ips_ipmp_lock);
8536 		break;
8537 
8538 	case I_PUNLINK:
8539 		/*
8540 		 * Require all UP ipifs be brought down prior to unlinking the
8541 		 * illgrp so any associated IREs (and other state) is torched.
8542 		 */
8543 		if (ill->ill_ipif_up_count + ill->ill_ipif_dup_count > 0)
8544 			return (EBUSY);
8545 
8546 		/*
8547 		 * NOTE: We hold ipmp_lock across the unlink to prevent a race
8548 		 * with an SIOCSLIFGROUPNAME request from an ill trying to
8549 		 * join this group.  Specifically: ills trying to join grab
8550 		 * ipmp_lock and bump a "pending join" counter checked by
8551 		 * ipmp_illgrp_unlink_grp().  During the unlink no new pending
8552 		 * joins can occur (since we have ipmp_lock).  Once we drop
8553 		 * ipmp_lock, subsequent SIOCSLIFGROUPNAME requests will not
8554 		 * find the illgrp (since we unlinked it) and will return
8555 		 * EAFNOSUPPORT.  This will then take them back through the
8556 		 * IPMP meta-interface plumbing logic in ifconfig, and thus
8557 		 * back through I_PLINK above.
8558 		 */
8559 		rw_enter(&ipst->ips_ipmp_lock, RW_WRITER);
8560 		err = ipmp_illgrp_unlink_grp(ill->ill_grp);
8561 		rw_exit(&ipst->ips_ipmp_lock);
8562 		return (err);
8563 	default:
8564 		break;
8565 	}
8566 	return (0);
8567 }
8568 
8569 /*
8570  * Do I_PLINK/I_LINK or I_PUNLINK/I_UNLINK with consistency checks and also
8571  * atomically set/clear the muxids. Also complete the ioctl by acking or
8572  * naking it.  Note that the code is structured such that the link type,
8573  * whether it's persistent or not, is treated equally.  ifconfig(1M) and
8574  * its clones use the persistent link, while pppd(1M) and perhaps many
8575  * other daemons may use non-persistent link.  When combined with some
8576  * ill_t states, linking and unlinking lower streams may be used as
8577  * indicators of dynamic re-plumbing events [see PSARC/1999/348].
8578  */
8579 /* ARGSUSED */
8580 void
8581 ip_sioctl_plink(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
8582 {
8583 	mblk_t		*mp1;
8584 	struct linkblk	*li;
8585 	int		ioccmd = ((struct iocblk *)mp->b_rptr)->ioc_cmd;
8586 	int		err = 0;
8587 
8588 	ASSERT(ioccmd == I_PLINK || ioccmd == I_PUNLINK ||
8589 	    ioccmd == I_LINK || ioccmd == I_UNLINK);
8590 
8591 	mp1 = mp->b_cont;	/* This is the linkblk info */
8592 	li = (struct linkblk *)mp1->b_rptr;
8593 
8594 	err = ip_sioctl_plink_ipmod(ipsq, q, mp, ioccmd, li);
8595 	if (err == EINPROGRESS)
8596 		return;
8597 	if (err == 0)
8598 		miocack(q, mp, 0, 0);
8599 	else
8600 		miocnak(q, mp, 0, err);
8601 
8602 	/* Conn was refheld in ip_sioctl_copyin_setup */
8603 	if (CONN_Q(q)) {
8604 		CONN_DEC_IOCTLREF(Q_TO_CONN(q));
8605 		CONN_OPER_PENDING_DONE(Q_TO_CONN(q));
8606 	}
8607 }
8608 
8609 /*
8610  * Process I_{P}LINK and I_{P}UNLINK requests named by `ioccmd' and pointed to
8611  * by `mp' and `li' for the IP module stream (if li->q_bot is in fact an IP
8612  * module stream).
8613  * Returns zero on success, EINPROGRESS if the operation is still pending, or
8614  * an error code on failure.
8615  */
8616 static int
8617 ip_sioctl_plink_ipmod(ipsq_t *ipsq, queue_t *q, mblk_t *mp, int ioccmd,
8618     struct linkblk *li)
8619 {
8620 	int		err = 0;
8621 	ill_t  		*ill;
8622 	queue_t		*ipwq, *dwq;
8623 	const char	*name;
8624 	struct qinit	*qinfo;
8625 	boolean_t	islink = (ioccmd == I_PLINK || ioccmd == I_LINK);
8626 	boolean_t	entered_ipsq = B_FALSE;
8627 	boolean_t	is_ip = B_FALSE;
8628 	arl_t		*arl;
8629 
8630 	/*
8631 	 * Walk the lower stream to verify it's the IP module stream.
8632 	 * The IP module is identified by its name, wput function,
8633 	 * and non-NULL q_next.  STREAMS ensures that the lower stream
8634 	 * (li->l_qbot) will not vanish until this ioctl completes.
8635 	 */
8636 	for (ipwq = li->l_qbot; ipwq != NULL; ipwq = ipwq->q_next) {
8637 		qinfo = ipwq->q_qinfo;
8638 		name = qinfo->qi_minfo->mi_idname;
8639 		if (name != NULL && strcmp(name, ip_mod_info.mi_idname) == 0 &&
8640 		    qinfo->qi_putp != (pfi_t)ip_lwput && ipwq->q_next != NULL) {
8641 			is_ip = B_TRUE;
8642 			break;
8643 		}
8644 		if (name != NULL && strcmp(name, arp_mod_info.mi_idname) == 0 &&
8645 		    qinfo->qi_putp != (pfi_t)ip_lwput && ipwq->q_next != NULL) {
8646 			break;
8647 		}
8648 	}
8649 
8650 	/*
8651 	 * If this isn't an IP module stream, bail.
8652 	 */
8653 	if (ipwq == NULL)
8654 		return (0);
8655 
8656 	if (!is_ip) {
8657 		arl = (arl_t *)ipwq->q_ptr;
8658 		ill = arl_to_ill(arl);
8659 		if (ill == NULL)
8660 			return (0);
8661 	} else {
8662 		ill = ipwq->q_ptr;
8663 	}
8664 	ASSERT(ill != NULL);
8665 
8666 	if (ipsq == NULL) {
8667 		ipsq = ipsq_try_enter(NULL, ill, q, mp, ip_sioctl_plink,
8668 		    NEW_OP, B_FALSE);
8669 		if (ipsq == NULL) {
8670 			if (!is_ip)
8671 				ill_refrele(ill);
8672 			return (EINPROGRESS);
8673 		}
8674 		entered_ipsq = B_TRUE;
8675 	}
8676 	ASSERT(IAM_WRITER_ILL(ill));
8677 	mutex_enter(&ill->ill_lock);
8678 	if (!is_ip) {
8679 		if (islink && ill->ill_muxid == 0) {
8680 			/*
8681 			 * Plumbing has to be done with IP plumbed first, arp
8682 			 * second, but here we have arp being plumbed first.
8683 			 */
8684 			mutex_exit(&ill->ill_lock);
8685 			if (entered_ipsq)
8686 				ipsq_exit(ipsq);
8687 			ill_refrele(ill);
8688 			return (EINVAL);
8689 		}
8690 	}
8691 	mutex_exit(&ill->ill_lock);
8692 	if (!is_ip) {
8693 		arl->arl_muxid = islink ? li->l_index : 0;
8694 		ill_refrele(ill);
8695 		goto done;
8696 	}
8697 
8698 	if (IS_IPMP(ill) && (err = ip_sioctl_plink_ipmp(ill, ioccmd)) != 0)
8699 		goto done;
8700 
8701 	/*
8702 	 * As part of I_{P}LINKing, stash the number of downstream modules and
8703 	 * the read queue of the module immediately below IP in the ill.
8704 	 * These are used during the capability negotiation below.
8705 	 */
8706 	ill->ill_lmod_rq = NULL;
8707 	ill->ill_lmod_cnt = 0;
8708 	if (islink && ((dwq = ipwq->q_next) != NULL)) {
8709 		ill->ill_lmod_rq = RD(dwq);
8710 		for (; dwq != NULL; dwq = dwq->q_next)
8711 			ill->ill_lmod_cnt++;
8712 	}
8713 
8714 	ill->ill_muxid = islink ? li->l_index : 0;
8715 
8716 	/*
8717 	 * Mark the ipsq busy until the capability operations initiated below
8718 	 * complete. The PLINK/UNLINK ioctl itself completes when our caller
8719 	 * returns, but the capability operation may complete asynchronously
8720 	 * much later.
8721 	 */
8722 	ipsq_current_start(ipsq, ill->ill_ipif, ioccmd);
8723 	/*
8724 	 * If there's at least one up ipif on this ill, then we're bound to
8725 	 * the underlying driver via DLPI.  In that case, renegotiate
8726 	 * capabilities to account for any possible change in modules
8727 	 * interposed between IP and the driver.
8728 	 */
8729 	if (ill->ill_ipif_up_count > 0) {
8730 		if (islink)
8731 			ill_capability_probe(ill);
8732 		else
8733 			ill_capability_reset(ill, B_FALSE);
8734 	}
8735 	ipsq_current_finish(ipsq);
8736 done:
8737 	if (entered_ipsq)
8738 		ipsq_exit(ipsq);
8739 
8740 	return (err);
8741 }
8742 
8743 /*
8744  * Search the ioctl command in the ioctl tables and return a pointer
8745  * to the ioctl command information. The ioctl command tables are
8746  * static and fully populated at compile time.
8747  */
8748 ip_ioctl_cmd_t *
8749 ip_sioctl_lookup(int ioc_cmd)
8750 {
8751 	int index;
8752 	ip_ioctl_cmd_t *ipip;
8753 	ip_ioctl_cmd_t *ipip_end;
8754 
8755 	if (ioc_cmd == IPI_DONTCARE)
8756 		return (NULL);
8757 
8758 	/*
8759 	 * Do a 2 step search. First search the indexed table
8760 	 * based on the least significant byte of the ioctl cmd.
8761 	 * If we don't find a match, then search the misc table
8762 	 * serially.
8763 	 */
8764 	index = ioc_cmd & 0xFF;
8765 	if (index < ip_ndx_ioctl_count) {
8766 		ipip = &ip_ndx_ioctl_table[index];
8767 		if (ipip->ipi_cmd == ioc_cmd) {
8768 			/* Found a match in the ndx table */
8769 			return (ipip);
8770 		}
8771 	}
8772 
8773 	/* Search the misc table */
8774 	ipip_end = &ip_misc_ioctl_table[ip_misc_ioctl_count];
8775 	for (ipip = ip_misc_ioctl_table; ipip < ipip_end; ipip++) {
8776 		if (ipip->ipi_cmd == ioc_cmd)
8777 			/* Found a match in the misc table */
8778 			return (ipip);
8779 	}
8780 
8781 	return (NULL);
8782 }
8783 
8784 /*
8785  * helper function for ip_sioctl_getsetprop(), which does some sanity checks
8786  */
8787 static boolean_t
8788 getset_ioctl_checks(mblk_t *mp)
8789 {
8790 	struct iocblk	*iocp = (struct iocblk *)mp->b_rptr;
8791 	mblk_t		*mp1 = mp->b_cont;
8792 	mod_ioc_prop_t	*pioc;
8793 	uint_t		flags;
8794 	uint_t		pioc_size;
8795 
8796 	/* do sanity checks on various arguments */
8797 	if (mp1 == NULL || iocp->ioc_count == 0 ||
8798 	    iocp->ioc_count == TRANSPARENT) {
8799 		return (B_FALSE);
8800 	}
8801 	if (msgdsize(mp1) < iocp->ioc_count) {
8802 		if (!pullupmsg(mp1, iocp->ioc_count))
8803 			return (B_FALSE);
8804 	}
8805 
8806 	pioc = (mod_ioc_prop_t *)mp1->b_rptr;
8807 
8808 	/* sanity checks on mpr_valsize */
8809 	pioc_size = sizeof (mod_ioc_prop_t);
8810 	if (pioc->mpr_valsize != 0)
8811 		pioc_size += pioc->mpr_valsize - 1;
8812 
8813 	if (iocp->ioc_count != pioc_size)
8814 		return (B_FALSE);
8815 
8816 	flags = pioc->mpr_flags;
8817 	if (iocp->ioc_cmd == SIOCSETPROP) {
8818 		/*
8819 		 * One can either reset the value to it's default value or
8820 		 * change the current value or append/remove the value from
8821 		 * a multi-valued properties.
8822 		 */
8823 		if ((flags & MOD_PROP_DEFAULT) != MOD_PROP_DEFAULT &&
8824 		    flags != MOD_PROP_ACTIVE &&
8825 		    flags != (MOD_PROP_ACTIVE|MOD_PROP_APPEND) &&
8826 		    flags != (MOD_PROP_ACTIVE|MOD_PROP_REMOVE))
8827 			return (B_FALSE);
8828 	} else {
8829 		ASSERT(iocp->ioc_cmd == SIOCGETPROP);
8830 
8831 		/*
8832 		 * One can retrieve only one kind of property information
8833 		 * at a time.
8834 		 */
8835 		if ((flags & MOD_PROP_ACTIVE) != MOD_PROP_ACTIVE &&
8836 		    (flags & MOD_PROP_DEFAULT) != MOD_PROP_DEFAULT &&
8837 		    (flags & MOD_PROP_POSSIBLE) != MOD_PROP_POSSIBLE &&
8838 		    (flags & MOD_PROP_PERM) != MOD_PROP_PERM)
8839 			return (B_FALSE);
8840 	}
8841 
8842 	return (B_TRUE);
8843 }
8844 
8845 /*
8846  * process the SIOC{SET|GET}PROP ioctl's
8847  */
8848 /* ARGSUSED */
8849 static void
8850 ip_sioctl_getsetprop(queue_t *q, mblk_t *mp)
8851 {
8852 	struct iocblk	*iocp = (struct iocblk *)mp->b_rptr;
8853 	mblk_t		*mp1 = mp->b_cont;
8854 	mod_ioc_prop_t	*pioc;
8855 	mod_prop_info_t *ptbl = NULL, *pinfo = NULL;
8856 	ip_stack_t	*ipst;
8857 	icmp_stack_t	*is;
8858 	tcp_stack_t	*tcps;
8859 	sctp_stack_t	*sctps;
8860 	udp_stack_t	*us;
8861 	netstack_t	*stack;
8862 	void		*cbarg;
8863 	cred_t		*cr;
8864 	boolean_t 	set;
8865 	int		err;
8866 
8867 	ASSERT(q->q_next == NULL);
8868 	ASSERT(CONN_Q(q));
8869 
8870 	if (!getset_ioctl_checks(mp)) {
8871 		miocnak(q, mp, 0, EINVAL);
8872 		return;
8873 	}
8874 	ipst = CONNQ_TO_IPST(q);
8875 	stack = ipst->ips_netstack;
8876 	pioc = (mod_ioc_prop_t *)mp1->b_rptr;
8877 
8878 	switch (pioc->mpr_proto) {
8879 	case MOD_PROTO_IP:
8880 	case MOD_PROTO_IPV4:
8881 	case MOD_PROTO_IPV6:
8882 		ptbl = ipst->ips_propinfo_tbl;
8883 		cbarg = ipst;
8884 		break;
8885 	case MOD_PROTO_RAWIP:
8886 		is = stack->netstack_icmp;
8887 		ptbl = is->is_propinfo_tbl;
8888 		cbarg = is;
8889 		break;
8890 	case MOD_PROTO_TCP:
8891 		tcps = stack->netstack_tcp;
8892 		ptbl = tcps->tcps_propinfo_tbl;
8893 		cbarg = tcps;
8894 		break;
8895 	case MOD_PROTO_UDP:
8896 		us = stack->netstack_udp;
8897 		ptbl = us->us_propinfo_tbl;
8898 		cbarg = us;
8899 		break;
8900 	case MOD_PROTO_SCTP:
8901 		sctps = stack->netstack_sctp;
8902 		ptbl = sctps->sctps_propinfo_tbl;
8903 		cbarg = sctps;
8904 		break;
8905 	default:
8906 		miocnak(q, mp, 0, EINVAL);
8907 		return;
8908 	}
8909 
8910 	/* search for given property in respective protocol propinfo table */
8911 	for (pinfo = ptbl; pinfo->mpi_name != NULL; pinfo++) {
8912 		if (strcmp(pinfo->mpi_name, pioc->mpr_name) == 0 &&
8913 		    pinfo->mpi_proto == pioc->mpr_proto)
8914 			break;
8915 	}
8916 	if (pinfo->mpi_name == NULL) {
8917 		miocnak(q, mp, 0, ENOENT);
8918 		return;
8919 	}
8920 
8921 	set = (iocp->ioc_cmd == SIOCSETPROP) ? B_TRUE : B_FALSE;
8922 	if (set && pinfo->mpi_setf != NULL) {
8923 		cr = msg_getcred(mp, NULL);
8924 		if (cr == NULL)
8925 			cr = iocp->ioc_cr;
8926 		err = pinfo->mpi_setf(cbarg, cr, pinfo, pioc->mpr_ifname,
8927 		    pioc->mpr_val, pioc->mpr_flags);
8928 	} else if (!set && pinfo->mpi_getf != NULL) {
8929 		err = pinfo->mpi_getf(cbarg, pinfo, pioc->mpr_ifname,
8930 		    pioc->mpr_val, pioc->mpr_valsize, pioc->mpr_flags);
8931 	} else {
8932 		err = EPERM;
8933 	}
8934 
8935 	if (err != 0) {
8936 		miocnak(q, mp, 0, err);
8937 	} else {
8938 		if (set)
8939 			miocack(q, mp, 0, 0);
8940 		else    /* For get, we need to return back the data */
8941 			miocack(q, mp, iocp->ioc_count, 0);
8942 	}
8943 }
8944 
8945 /*
8946  * process the legacy ND_GET, ND_SET ioctl just for {ip|ip6}_forwarding
8947  * as several routing daemons have unfortunately used this 'unpublished'
8948  * but well-known ioctls.
8949  */
8950 /* ARGSUSED */
8951 static void
8952 ip_process_legacy_nddprop(queue_t *q, mblk_t *mp)
8953 {
8954 	struct iocblk	*iocp = (struct iocblk *)mp->b_rptr;
8955 	mblk_t		*mp1 = mp->b_cont;
8956 	char		*pname, *pval, *buf;
8957 	uint_t		bufsize, proto;
8958 	mod_prop_info_t *ptbl = NULL, *pinfo = NULL;
8959 	ip_stack_t	*ipst;
8960 	int		err = 0;
8961 
8962 	ASSERT(CONN_Q(q));
8963 	ipst = CONNQ_TO_IPST(q);
8964 
8965 	if (iocp->ioc_count == 0 || mp1 == NULL) {
8966 		miocnak(q, mp, 0, EINVAL);
8967 		return;
8968 	}
8969 
8970 	mp1->b_datap->db_lim[-1] = '\0';	/* Force null termination */
8971 	pval = buf = pname = (char *)mp1->b_rptr;
8972 	bufsize = MBLKL(mp1);
8973 
8974 	if (strcmp(pname, "ip_forwarding") == 0) {
8975 		pname = "forwarding";
8976 		proto = MOD_PROTO_IPV4;
8977 	} else if (strcmp(pname, "ip6_forwarding") == 0) {
8978 		pname = "forwarding";
8979 		proto = MOD_PROTO_IPV6;
8980 	} else {
8981 		miocnak(q, mp, 0, EINVAL);
8982 		return;
8983 	}
8984 
8985 	ptbl = ipst->ips_propinfo_tbl;
8986 	for (pinfo = ptbl; pinfo->mpi_name != NULL; pinfo++) {
8987 		if (strcmp(pinfo->mpi_name, pname) == 0 &&
8988 		    pinfo->mpi_proto == proto)
8989 			break;
8990 	}
8991 
8992 	ASSERT(pinfo->mpi_name != NULL);
8993 
8994 	switch (iocp->ioc_cmd) {
8995 	case ND_GET:
8996 		if ((err = pinfo->mpi_getf(ipst, pinfo, NULL, buf, bufsize,
8997 		    0)) == 0) {
8998 			miocack(q, mp, iocp->ioc_count, 0);
8999 			return;
9000 		}
9001 		break;
9002 	case ND_SET:
9003 		/*
9004 		 * buffer will have property name and value in the following
9005 		 * format,
9006 		 * <property name>'\0'<property value>'\0', extract them;
9007 		 */
9008 		while (*pval++)
9009 			noop;
9010 
9011 		if (!*pval || pval >= (char *)mp1->b_wptr) {
9012 			err = EINVAL;
9013 		} else if ((err = pinfo->mpi_setf(ipst, NULL, pinfo, NULL,
9014 		    pval, 0)) == 0) {
9015 			miocack(q, mp, 0, 0);
9016 			return;
9017 		}
9018 		break;
9019 	default:
9020 		err = EINVAL;
9021 		break;
9022 	}
9023 	miocnak(q, mp, 0, err);
9024 }
9025 
9026 /*
9027  * Wrapper function for resuming deferred ioctl processing
9028  * Used for SIOCGDSTINFO, SIOCGIP6ADDRPOLICY, SIOCGMSFILTER,
9029  * SIOCSMSFILTER, SIOCGIPMSFILTER, and SIOCSIPMSFILTER currently.
9030  */
9031 /* ARGSUSED */
9032 void
9033 ip_sioctl_copyin_resume(ipsq_t *dummy_ipsq, queue_t *q, mblk_t *mp,
9034     void *dummy_arg)
9035 {
9036 	ip_sioctl_copyin_setup(q, mp);
9037 }
9038 
9039 /*
9040  * ip_sioctl_copyin_setup is called by ip_wput_nondata with any M_IOCTL message
9041  * that arrives.  Most of the IOCTLs are "socket" IOCTLs which we handle
9042  * in either I_STR or TRANSPARENT form, using the mi_copy facility.
9043  * We establish here the size of the block to be copied in.  mi_copyin
9044  * arranges for this to happen, an processing continues in ip_wput_nondata with
9045  * an M_IOCDATA message.
9046  */
9047 void
9048 ip_sioctl_copyin_setup(queue_t *q, mblk_t *mp)
9049 {
9050 	int	copyin_size;
9051 	struct iocblk *iocp = (struct iocblk *)mp->b_rptr;
9052 	ip_ioctl_cmd_t *ipip;
9053 	cred_t *cr;
9054 	ip_stack_t	*ipst;
9055 
9056 	if (CONN_Q(q))
9057 		ipst = CONNQ_TO_IPST(q);
9058 	else
9059 		ipst = ILLQ_TO_IPST(q);
9060 
9061 	ipip = ip_sioctl_lookup(iocp->ioc_cmd);
9062 	if (ipip == NULL) {
9063 		/*
9064 		 * The ioctl is not one we understand or own.
9065 		 * Pass it along to be processed down stream,
9066 		 * if this is a module instance of IP, else nak
9067 		 * the ioctl.
9068 		 */
9069 		if (q->q_next == NULL) {
9070 			goto nak;
9071 		} else {
9072 			putnext(q, mp);
9073 			return;
9074 		}
9075 	}
9076 
9077 	/*
9078 	 * If this is deferred, then we will do all the checks when we
9079 	 * come back.
9080 	 */
9081 	if ((iocp->ioc_cmd == SIOCGDSTINFO ||
9082 	    iocp->ioc_cmd == SIOCGIP6ADDRPOLICY) && !ip6_asp_can_lookup(ipst)) {
9083 		ip6_asp_pending_op(q, mp, ip_sioctl_copyin_resume);
9084 		return;
9085 	}
9086 
9087 	/*
9088 	 * Only allow a very small subset of IP ioctls on this stream if
9089 	 * IP is a module and not a driver. Allowing ioctls to be processed
9090 	 * in this case may cause assert failures or data corruption.
9091 	 * Typically G[L]IFFLAGS, SLIFNAME/IF_UNITSEL are the only few
9092 	 * ioctls allowed on an IP module stream, after which this stream
9093 	 * normally becomes a multiplexor (at which time the stream head
9094 	 * will fail all ioctls).
9095 	 */
9096 	if ((q->q_next != NULL) && !(ipip->ipi_flags & IPI_MODOK)) {
9097 		goto nak;
9098 	}
9099 
9100 	/* Make sure we have ioctl data to process. */
9101 	if (mp->b_cont == NULL && !(ipip->ipi_flags & IPI_NULL_BCONT))
9102 		goto nak;
9103 
9104 	/*
9105 	 * Prefer dblk credential over ioctl credential; some synthesized
9106 	 * ioctls have kcred set because there's no way to crhold()
9107 	 * a credential in some contexts.  (ioc_cr is not crfree() by
9108 	 * the framework; the caller of ioctl needs to hold the reference
9109 	 * for the duration of the call).
9110 	 */
9111 	cr = msg_getcred(mp, NULL);
9112 	if (cr == NULL)
9113 		cr = iocp->ioc_cr;
9114 
9115 	/* Make sure normal users don't send down privileged ioctls */
9116 	if ((ipip->ipi_flags & IPI_PRIV) &&
9117 	    (cr != NULL) && secpolicy_ip_config(cr, B_TRUE) != 0) {
9118 		/* We checked the privilege earlier but log it here */
9119 		miocnak(q, mp, 0, secpolicy_ip_config(cr, B_FALSE));
9120 		return;
9121 	}
9122 
9123 	/*
9124 	 * The ioctl command tables can only encode fixed length
9125 	 * ioctl data. If the length is variable, the table will
9126 	 * encode the length as zero. Such special cases are handled
9127 	 * below in the switch.
9128 	 */
9129 	if (ipip->ipi_copyin_size != 0) {
9130 		mi_copyin(q, mp, NULL, ipip->ipi_copyin_size);
9131 		return;
9132 	}
9133 
9134 	switch (iocp->ioc_cmd) {
9135 	case O_SIOCGIFCONF:
9136 	case SIOCGIFCONF:
9137 		/*
9138 		 * This IOCTL is hilarious.  See comments in
9139 		 * ip_sioctl_get_ifconf for the story.
9140 		 */
9141 		if (iocp->ioc_count == TRANSPARENT)
9142 			copyin_size = SIZEOF_STRUCT(ifconf,
9143 			    iocp->ioc_flag);
9144 		else
9145 			copyin_size = iocp->ioc_count;
9146 		mi_copyin(q, mp, NULL, copyin_size);
9147 		return;
9148 
9149 	case O_SIOCGLIFCONF:
9150 	case SIOCGLIFCONF:
9151 		copyin_size = SIZEOF_STRUCT(lifconf, iocp->ioc_flag);
9152 		mi_copyin(q, mp, NULL, copyin_size);
9153 		return;
9154 
9155 	case SIOCGLIFSRCOF:
9156 		copyin_size = SIZEOF_STRUCT(lifsrcof, iocp->ioc_flag);
9157 		mi_copyin(q, mp, NULL, copyin_size);
9158 		return;
9159 
9160 	case SIOCGIP6ADDRPOLICY:
9161 		ip_sioctl_ip6addrpolicy(q, mp);
9162 		ip6_asp_table_refrele(ipst);
9163 		return;
9164 
9165 	case SIOCSIP6ADDRPOLICY:
9166 		ip_sioctl_ip6addrpolicy(q, mp);
9167 		return;
9168 
9169 	case SIOCGDSTINFO:
9170 		ip_sioctl_dstinfo(q, mp);
9171 		ip6_asp_table_refrele(ipst);
9172 		return;
9173 
9174 	case ND_SET:
9175 	case ND_GET:
9176 		ip_process_legacy_nddprop(q, mp);
9177 		return;
9178 
9179 	case SIOCSETPROP:
9180 	case SIOCGETPROP:
9181 		ip_sioctl_getsetprop(q, mp);
9182 		return;
9183 
9184 	case I_PLINK:
9185 	case I_PUNLINK:
9186 	case I_LINK:
9187 	case I_UNLINK:
9188 		/*
9189 		 * We treat non-persistent link similarly as the persistent
9190 		 * link case, in terms of plumbing/unplumbing, as well as
9191 		 * dynamic re-plumbing events indicator.  See comments
9192 		 * in ip_sioctl_plink() for more.
9193 		 *
9194 		 * Request can be enqueued in the 'ipsq' while waiting
9195 		 * to become exclusive. So bump up the conn ref.
9196 		 */
9197 		if (CONN_Q(q)) {
9198 			CONN_INC_REF(Q_TO_CONN(q));
9199 			CONN_INC_IOCTLREF(Q_TO_CONN(q))
9200 		}
9201 		ip_sioctl_plink(NULL, q, mp, NULL);
9202 		return;
9203 
9204 	case IP_IOCTL:
9205 		ip_wput_ioctl(q, mp);
9206 		return;
9207 
9208 	case SIOCILB:
9209 		/* The ioctl length varies depending on the ILB command. */
9210 		copyin_size = iocp->ioc_count;
9211 		if (copyin_size < sizeof (ilb_cmd_t))
9212 			goto nak;
9213 		mi_copyin(q, mp, NULL, copyin_size);
9214 		return;
9215 
9216 	default:
9217 		cmn_err(CE_PANIC, "should not happen ");
9218 	}
9219 nak:
9220 	if (mp->b_cont != NULL) {
9221 		freemsg(mp->b_cont);
9222 		mp->b_cont = NULL;
9223 	}
9224 	iocp->ioc_error = EINVAL;
9225 	mp->b_datap->db_type = M_IOCNAK;
9226 	iocp->ioc_count = 0;
9227 	qreply(q, mp);
9228 }
9229 
9230 static void
9231 ip_sioctl_garp_reply(mblk_t *mp, ill_t *ill, void *hwaddr, int flags)
9232 {
9233 	struct arpreq *ar;
9234 	struct xarpreq *xar;
9235 	mblk_t	*tmp;
9236 	struct iocblk *iocp;
9237 	int x_arp_ioctl = B_FALSE;
9238 	int *flagsp;
9239 	char *storage = NULL;
9240 
9241 	ASSERT(ill != NULL);
9242 
9243 	iocp = (struct iocblk *)mp->b_rptr;
9244 	ASSERT(iocp->ioc_cmd == SIOCGXARP || iocp->ioc_cmd == SIOCGARP);
9245 
9246 	tmp = (mp->b_cont)->b_cont; /* xarpreq/arpreq */
9247 	if ((iocp->ioc_cmd == SIOCGXARP) ||
9248 	    (iocp->ioc_cmd == SIOCSXARP)) {
9249 		x_arp_ioctl = B_TRUE;
9250 		xar = (struct xarpreq *)tmp->b_rptr;
9251 		flagsp = &xar->xarp_flags;
9252 		storage = xar->xarp_ha.sdl_data;
9253 	} else {
9254 		ar = (struct arpreq *)tmp->b_rptr;
9255 		flagsp = &ar->arp_flags;
9256 		storage = ar->arp_ha.sa_data;
9257 	}
9258 
9259 	/*
9260 	 * We're done if this is not an SIOCG{X}ARP
9261 	 */
9262 	if (x_arp_ioctl) {
9263 		storage += ill_xarp_info(&xar->xarp_ha, ill);
9264 		if ((ill->ill_phys_addr_length + ill->ill_name_length) >
9265 		    sizeof (xar->xarp_ha.sdl_data)) {
9266 			iocp->ioc_error = EINVAL;
9267 			return;
9268 		}
9269 	}
9270 	*flagsp = ATF_INUSE;
9271 	/*
9272 	 * If /sbin/arp told us we are the authority using the "permanent"
9273 	 * flag, or if this is one of my addresses print "permanent"
9274 	 * in the /sbin/arp output.
9275 	 */
9276 	if ((flags & NCE_F_MYADDR) || (flags & NCE_F_AUTHORITY))
9277 		*flagsp |= ATF_AUTHORITY;
9278 	if (flags & NCE_F_NONUD)
9279 		*flagsp |= ATF_PERM; /* not subject to aging */
9280 	if (flags & NCE_F_PUBLISH)
9281 		*flagsp |= ATF_PUBL;
9282 	if (hwaddr != NULL) {
9283 		*flagsp |= ATF_COM;
9284 		bcopy((char *)hwaddr, storage, ill->ill_phys_addr_length);
9285 	}
9286 }
9287 
9288 /*
9289  * Create a new logical interface. If ipif_id is zero (i.e. not a logical
9290  * interface) create the next available logical interface for this
9291  * physical interface.
9292  * If ipif is NULL (i.e. the lookup didn't find one) attempt to create an
9293  * ipif with the specified name.
9294  *
9295  * If the address family is not AF_UNSPEC then set the address as well.
9296  *
9297  * If ip_sioctl_addr returns EINPROGRESS then the ioctl (the copyout)
9298  * is completed when the DL_BIND_ACK arrive in ip_rput_dlpi_writer.
9299  *
9300  * Executed as a writer on the ill.
9301  * So no lock is needed to traverse the ipif chain, or examine the
9302  * phyint flags.
9303  */
9304 /* ARGSUSED */
9305 int
9306 ip_sioctl_addif(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
9307     ip_ioctl_cmd_t *dummy_ipip, void *dummy_ifreq)
9308 {
9309 	mblk_t	*mp1;
9310 	struct lifreq *lifr;
9311 	boolean_t	isv6;
9312 	boolean_t	exists;
9313 	char 	*name;
9314 	char	*endp;
9315 	char	*cp;
9316 	int	namelen;
9317 	ipif_t	*ipif;
9318 	long	id;
9319 	ipsq_t	*ipsq;
9320 	ill_t	*ill;
9321 	sin_t	*sin;
9322 	int	err = 0;
9323 	boolean_t found_sep = B_FALSE;
9324 	conn_t	*connp;
9325 	zoneid_t zoneid;
9326 	ip_stack_t *ipst = CONNQ_TO_IPST(q);
9327 
9328 	ASSERT(q->q_next == NULL);
9329 	ip1dbg(("ip_sioctl_addif\n"));
9330 	/* Existence of mp1 has been checked in ip_wput_nondata */
9331 	mp1 = mp->b_cont->b_cont;
9332 	/*
9333 	 * Null terminate the string to protect against buffer
9334 	 * overrun. String was generated by user code and may not
9335 	 * be trusted.
9336 	 */
9337 	lifr = (struct lifreq *)mp1->b_rptr;
9338 	lifr->lifr_name[LIFNAMSIZ - 1] = '\0';
9339 	name = lifr->lifr_name;
9340 	ASSERT(CONN_Q(q));
9341 	connp = Q_TO_CONN(q);
9342 	isv6 = (connp->conn_family == AF_INET6);
9343 	zoneid = connp->conn_zoneid;
9344 	namelen = mi_strlen(name);
9345 	if (namelen == 0)
9346 		return (EINVAL);
9347 
9348 	exists = B_FALSE;
9349 	if ((namelen + 1 == sizeof (ipif_loopback_name)) &&
9350 	    (mi_strcmp(name, ipif_loopback_name) == 0)) {
9351 		/*
9352 		 * Allow creating lo0 using SIOCLIFADDIF.
9353 		 * can't be any other writer thread. So can pass null below
9354 		 * for the last 4 args to ipif_lookup_name.
9355 		 */
9356 		ipif = ipif_lookup_on_name(lifr->lifr_name, namelen, B_TRUE,
9357 		    &exists, isv6, zoneid, ipst);
9358 		/* Prevent any further action */
9359 		if (ipif == NULL) {
9360 			return (ENOBUFS);
9361 		} else if (!exists) {
9362 			/* We created the ipif now and as writer */
9363 			ipif_refrele(ipif);
9364 			return (0);
9365 		} else {
9366 			ill = ipif->ipif_ill;
9367 			ill_refhold(ill);
9368 			ipif_refrele(ipif);
9369 		}
9370 	} else {
9371 		/* Look for a colon in the name. */
9372 		endp = &name[namelen];
9373 		for (cp = endp; --cp > name; ) {
9374 			if (*cp == IPIF_SEPARATOR_CHAR) {
9375 				found_sep = B_TRUE;
9376 				/*
9377 				 * Reject any non-decimal aliases for plumbing
9378 				 * of logical interfaces. Aliases with leading
9379 				 * zeroes are also rejected as they introduce
9380 				 * ambiguity in the naming of the interfaces.
9381 				 * Comparing with "0" takes care of all such
9382 				 * cases.
9383 				 */
9384 				if ((strncmp("0", cp+1, 1)) == 0)
9385 					return (EINVAL);
9386 
9387 				if (ddi_strtol(cp+1, &endp, 10, &id) != 0 ||
9388 				    id <= 0 || *endp != '\0') {
9389 					return (EINVAL);
9390 				}
9391 				*cp = '\0';
9392 				break;
9393 			}
9394 		}
9395 		ill = ill_lookup_on_name(name, B_FALSE, isv6, NULL, ipst);
9396 		if (found_sep)
9397 			*cp = IPIF_SEPARATOR_CHAR;
9398 		if (ill == NULL)
9399 			return (ENXIO);
9400 	}
9401 
9402 	ipsq = ipsq_try_enter(NULL, ill, q, mp, ip_process_ioctl, NEW_OP,
9403 	    B_TRUE);
9404 
9405 	/*
9406 	 * Release the refhold due to the lookup, now that we are excl
9407 	 * or we are just returning
9408 	 */
9409 	ill_refrele(ill);
9410 
9411 	if (ipsq == NULL)
9412 		return (EINPROGRESS);
9413 
9414 	/* We are now exclusive on the IPSQ */
9415 	ASSERT(IAM_WRITER_ILL(ill));
9416 
9417 	if (found_sep) {
9418 		/* Now see if there is an IPIF with this unit number. */
9419 		for (ipif = ill->ill_ipif; ipif != NULL;
9420 		    ipif = ipif->ipif_next) {
9421 			if (ipif->ipif_id == id) {
9422 				err = EEXIST;
9423 				goto done;
9424 			}
9425 		}
9426 	}
9427 
9428 	/*
9429 	 * We use IRE_LOCAL for lo0:1 etc. for "receive only" use
9430 	 * of lo0.  Plumbing for lo0:0 happens in ipif_lookup_on_name()
9431 	 * instead.
9432 	 */
9433 	if ((ipif = ipif_allocate(ill, found_sep ? id : -1, IRE_LOCAL,
9434 	    B_TRUE, B_TRUE, &err)) == NULL) {
9435 		goto done;
9436 	}
9437 
9438 	/* Return created name with ioctl */
9439 	(void) sprintf(lifr->lifr_name, "%s%c%d", ill->ill_name,
9440 	    IPIF_SEPARATOR_CHAR, ipif->ipif_id);
9441 	ip1dbg(("created %s\n", lifr->lifr_name));
9442 
9443 	/* Set address */
9444 	sin = (sin_t *)&lifr->lifr_addr;
9445 	if (sin->sin_family != AF_UNSPEC) {
9446 		err = ip_sioctl_addr(ipif, sin, q, mp,
9447 		    &ip_ndx_ioctl_table[SIOCLIFADDR_NDX], lifr);
9448 	}
9449 
9450 done:
9451 	ipsq_exit(ipsq);
9452 	return (err);
9453 }
9454 
9455 /*
9456  * Remove an existing logical interface. If ipif_id is zero (i.e. not a logical
9457  * interface) delete it based on the IP address (on this physical interface).
9458  * Otherwise delete it based on the ipif_id.
9459  * Also, special handling to allow a removeif of lo0.
9460  */
9461 /* ARGSUSED */
9462 int
9463 ip_sioctl_removeif(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
9464     ip_ioctl_cmd_t *ipip, void *dummy_if_req)
9465 {
9466 	conn_t		*connp;
9467 	ill_t		*ill = ipif->ipif_ill;
9468 	boolean_t	 success;
9469 	ip_stack_t	*ipst;
9470 
9471 	ipst = CONNQ_TO_IPST(q);
9472 
9473 	ASSERT(q->q_next == NULL);
9474 	ip1dbg(("ip_sioctl_remove_if(%s:%u %p)\n",
9475 	    ill->ill_name, ipif->ipif_id, (void *)ipif));
9476 	ASSERT(IAM_WRITER_IPIF(ipif));
9477 
9478 	connp = Q_TO_CONN(q);
9479 	/*
9480 	 * Special case for unplumbing lo0 (the loopback physical interface).
9481 	 * If unplumbing lo0, the incoming address structure has been
9482 	 * initialized to all zeros. When unplumbing lo0, all its logical
9483 	 * interfaces must be removed too.
9484 	 *
9485 	 * Note that this interface may be called to remove a specific
9486 	 * loopback logical interface (eg, lo0:1). But in that case
9487 	 * ipif->ipif_id != 0 so that the code path for that case is the
9488 	 * same as any other interface (meaning it skips the code directly
9489 	 * below).
9490 	 */
9491 	if (ipif->ipif_id == 0 && ill->ill_net_type == IRE_LOOPBACK) {
9492 		if (sin->sin_family == AF_UNSPEC &&
9493 		    (IN6_IS_ADDR_UNSPECIFIED(&((sin6_t *)sin)->sin6_addr))) {
9494 			/*
9495 			 * Mark it condemned. No new ref. will be made to ill.
9496 			 */
9497 			mutex_enter(&ill->ill_lock);
9498 			ill->ill_state_flags |= ILL_CONDEMNED;
9499 			for (ipif = ill->ill_ipif; ipif != NULL;
9500 			    ipif = ipif->ipif_next) {
9501 				ipif->ipif_state_flags |= IPIF_CONDEMNED;
9502 			}
9503 			mutex_exit(&ill->ill_lock);
9504 
9505 			ipif = ill->ill_ipif;
9506 			/* unplumb the loopback interface */
9507 			ill_delete(ill);
9508 			mutex_enter(&connp->conn_lock);
9509 			mutex_enter(&ill->ill_lock);
9510 
9511 			/* Are any references to this ill active */
9512 			if (ill_is_freeable(ill)) {
9513 				mutex_exit(&ill->ill_lock);
9514 				mutex_exit(&connp->conn_lock);
9515 				ill_delete_tail(ill);
9516 				mi_free(ill);
9517 				return (0);
9518 			}
9519 			success = ipsq_pending_mp_add(connp, ipif,
9520 			    CONNP_TO_WQ(connp), mp, ILL_FREE);
9521 			mutex_exit(&connp->conn_lock);
9522 			mutex_exit(&ill->ill_lock);
9523 			if (success)
9524 				return (EINPROGRESS);
9525 			else
9526 				return (EINTR);
9527 		}
9528 	}
9529 
9530 	if (ipif->ipif_id == 0) {
9531 		ipsq_t *ipsq;
9532 
9533 		/* Find based on address */
9534 		if (ipif->ipif_isv6) {
9535 			sin6_t *sin6;
9536 
9537 			if (sin->sin_family != AF_INET6)
9538 				return (EAFNOSUPPORT);
9539 
9540 			sin6 = (sin6_t *)sin;
9541 			/* We are a writer, so we should be able to lookup */
9542 			ipif = ipif_lookup_addr_exact_v6(&sin6->sin6_addr, ill,
9543 			    ipst);
9544 		} else {
9545 			if (sin->sin_family != AF_INET)
9546 				return (EAFNOSUPPORT);
9547 
9548 			/* We are a writer, so we should be able to lookup */
9549 			ipif = ipif_lookup_addr_exact(sin->sin_addr.s_addr, ill,
9550 			    ipst);
9551 		}
9552 		if (ipif == NULL) {
9553 			return (EADDRNOTAVAIL);
9554 		}
9555 
9556 		/*
9557 		 * It is possible for a user to send an SIOCLIFREMOVEIF with
9558 		 * lifr_name of the physical interface but with an ip address
9559 		 * lifr_addr of a logical interface plumbed over it.
9560 		 * So update ipx_current_ipif now that ipif points to the
9561 		 * correct one.
9562 		 */
9563 		ipsq = ipif->ipif_ill->ill_phyint->phyint_ipsq;
9564 		ipsq->ipsq_xop->ipx_current_ipif = ipif;
9565 
9566 		/* This is a writer */
9567 		ipif_refrele(ipif);
9568 	}
9569 
9570 	/*
9571 	 * Can not delete instance zero since it is tied to the ill.
9572 	 */
9573 	if (ipif->ipif_id == 0)
9574 		return (EBUSY);
9575 
9576 	mutex_enter(&ill->ill_lock);
9577 	ipif->ipif_state_flags |= IPIF_CONDEMNED;
9578 	mutex_exit(&ill->ill_lock);
9579 
9580 	ipif_free(ipif);
9581 
9582 	mutex_enter(&connp->conn_lock);
9583 	mutex_enter(&ill->ill_lock);
9584 
9585 	/* Are any references to this ipif active */
9586 	if (ipif_is_freeable(ipif)) {
9587 		mutex_exit(&ill->ill_lock);
9588 		mutex_exit(&connp->conn_lock);
9589 		ipif_non_duplicate(ipif);
9590 		(void) ipif_down_tail(ipif);
9591 		ipif_free_tail(ipif); /* frees ipif */
9592 		return (0);
9593 	}
9594 	success = ipsq_pending_mp_add(connp, ipif, CONNP_TO_WQ(connp), mp,
9595 	    IPIF_FREE);
9596 	mutex_exit(&ill->ill_lock);
9597 	mutex_exit(&connp->conn_lock);
9598 	if (success)
9599 		return (EINPROGRESS);
9600 	else
9601 		return (EINTR);
9602 }
9603 
9604 /*
9605  * Restart the removeif ioctl. The refcnt has gone down to 0.
9606  * The ipif is already condemned. So can't find it thru lookups.
9607  */
9608 /* ARGSUSED */
9609 int
9610 ip_sioctl_removeif_restart(ipif_t *ipif, sin_t *dummy_sin, queue_t *q,
9611     mblk_t *mp, ip_ioctl_cmd_t *ipip, void *dummy_if_req)
9612 {
9613 	ill_t *ill = ipif->ipif_ill;
9614 
9615 	ASSERT(IAM_WRITER_IPIF(ipif));
9616 	ASSERT(ipif->ipif_state_flags & IPIF_CONDEMNED);
9617 
9618 	ip1dbg(("ip_sioctl_removeif_restart(%s:%u %p)\n",
9619 	    ill->ill_name, ipif->ipif_id, (void *)ipif));
9620 
9621 	if (ipif->ipif_id == 0 && ill->ill_net_type == IRE_LOOPBACK) {
9622 		ASSERT(ill->ill_state_flags & ILL_CONDEMNED);
9623 		ill_delete_tail(ill);
9624 		mi_free(ill);
9625 		return (0);
9626 	}
9627 
9628 	ipif_non_duplicate(ipif);
9629 	(void) ipif_down_tail(ipif);
9630 	ipif_free_tail(ipif);
9631 
9632 	return (0);
9633 }
9634 
9635 /*
9636  * Set the local interface address using the given prefix and ill_token.
9637  */
9638 /* ARGSUSED */
9639 int
9640 ip_sioctl_prefix(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
9641     ip_ioctl_cmd_t *dummy_ipip, void *dummy_ifreq)
9642 {
9643 	int err;
9644 	in6_addr_t v6addr;
9645 	sin6_t *sin6;
9646 	ill_t *ill;
9647 	int i;
9648 
9649 	ip1dbg(("ip_sioctl_prefix(%s:%u %p)\n",
9650 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
9651 
9652 	ASSERT(IAM_WRITER_IPIF(ipif));
9653 
9654 	if (!ipif->ipif_isv6)
9655 		return (EINVAL);
9656 
9657 	if (sin->sin_family != AF_INET6)
9658 		return (EAFNOSUPPORT);
9659 
9660 	sin6 = (sin6_t *)sin;
9661 	v6addr = sin6->sin6_addr;
9662 	ill = ipif->ipif_ill;
9663 
9664 	if (IN6_IS_ADDR_UNSPECIFIED(&v6addr) ||
9665 	    IN6_IS_ADDR_UNSPECIFIED(&ill->ill_token))
9666 		return (EADDRNOTAVAIL);
9667 
9668 	for (i = 0; i < 4; i++)
9669 		sin6->sin6_addr.s6_addr32[i] |= ill->ill_token.s6_addr32[i];
9670 
9671 	err = ip_sioctl_addr(ipif, sin, q, mp,
9672 	    &ip_ndx_ioctl_table[SIOCLIFADDR_NDX], dummy_ifreq);
9673 	return (err);
9674 }
9675 
9676 /*
9677  * Restart entry point to restart the address set operation after the
9678  * refcounts have dropped to zero.
9679  */
9680 /* ARGSUSED */
9681 int
9682 ip_sioctl_prefix_restart(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
9683     ip_ioctl_cmd_t *ipip, void *ifreq)
9684 {
9685 	ip1dbg(("ip_sioctl_prefix_restart(%s:%u %p)\n",
9686 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
9687 	return (ip_sioctl_addr_restart(ipif, sin, q, mp, ipip, ifreq));
9688 }
9689 
9690 /*
9691  * Set the local interface address.
9692  * Allow an address of all zero when the interface is down.
9693  */
9694 /* ARGSUSED */
9695 int
9696 ip_sioctl_addr(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
9697     ip_ioctl_cmd_t *dummy_ipip, void *dummy_ifreq)
9698 {
9699 	int err = 0;
9700 	in6_addr_t v6addr;
9701 	boolean_t need_up = B_FALSE;
9702 	ill_t *ill;
9703 	int i;
9704 
9705 	ip1dbg(("ip_sioctl_addr(%s:%u %p)\n",
9706 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
9707 
9708 	ASSERT(IAM_WRITER_IPIF(ipif));
9709 
9710 	ill = ipif->ipif_ill;
9711 	if (ipif->ipif_isv6) {
9712 		sin6_t *sin6;
9713 		phyint_t *phyi;
9714 
9715 		if (sin->sin_family != AF_INET6)
9716 			return (EAFNOSUPPORT);
9717 
9718 		sin6 = (sin6_t *)sin;
9719 		v6addr = sin6->sin6_addr;
9720 		phyi = ill->ill_phyint;
9721 
9722 		/*
9723 		 * Enforce that true multicast interfaces have a link-local
9724 		 * address for logical unit 0.
9725 		 *
9726 		 * However for those ipif's for which link-local address was
9727 		 * not created by default, also allow setting :: as the address.
9728 		 * This scenario would arise, when we delete an address on ipif
9729 		 * with logical unit 0, we would want to set :: as the address.
9730 		 */
9731 		if (ipif->ipif_id == 0 &&
9732 		    (ill->ill_flags & ILLF_MULTICAST) &&
9733 		    !(ipif->ipif_flags & (IPIF_POINTOPOINT)) &&
9734 		    !(phyi->phyint_flags & (PHYI_LOOPBACK)) &&
9735 		    !IN6_IS_ADDR_LINKLOCAL(&v6addr)) {
9736 
9737 			/*
9738 			 * if default link-local was not created by kernel for
9739 			 * this ill, allow setting :: as the address on ipif:0.
9740 			 */
9741 			if (ill->ill_flags & ILLF_NOLINKLOCAL) {
9742 				if (!IN6_IS_ADDR_UNSPECIFIED(&v6addr))
9743 					return (EADDRNOTAVAIL);
9744 			} else {
9745 				return (EADDRNOTAVAIL);
9746 			}
9747 		}
9748 
9749 		/*
9750 		 * up interfaces shouldn't have the unspecified address
9751 		 * unless they also have the IPIF_NOLOCAL flags set and
9752 		 * have a subnet assigned.
9753 		 */
9754 		if ((ipif->ipif_flags & IPIF_UP) &&
9755 		    IN6_IS_ADDR_UNSPECIFIED(&v6addr) &&
9756 		    (!(ipif->ipif_flags & IPIF_NOLOCAL) ||
9757 		    IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6subnet))) {
9758 			return (EADDRNOTAVAIL);
9759 		}
9760 
9761 		if (!ip_local_addr_ok_v6(&v6addr, &ipif->ipif_v6net_mask))
9762 			return (EADDRNOTAVAIL);
9763 	} else {
9764 		ipaddr_t addr;
9765 
9766 		if (sin->sin_family != AF_INET)
9767 			return (EAFNOSUPPORT);
9768 
9769 		addr = sin->sin_addr.s_addr;
9770 
9771 		/* Allow INADDR_ANY as the local address. */
9772 		if (addr != INADDR_ANY &&
9773 		    !ip_addr_ok_v4(addr, ipif->ipif_net_mask))
9774 			return (EADDRNOTAVAIL);
9775 
9776 		IN6_IPADDR_TO_V4MAPPED(addr, &v6addr);
9777 	}
9778 	/*
9779 	 * verify that the address being configured is permitted by the
9780 	 * ill_allowed_ips[] for the interface.
9781 	 */
9782 	if (ill->ill_allowed_ips_cnt > 0) {
9783 		for (i = 0; i < ill->ill_allowed_ips_cnt; i++) {
9784 			if (IN6_ARE_ADDR_EQUAL(&ill->ill_allowed_ips[i],
9785 			    &v6addr))
9786 				break;
9787 		}
9788 		if (i == ill->ill_allowed_ips_cnt) {
9789 			pr_addr_dbg("!allowed addr %s\n", AF_INET6, &v6addr);
9790 			return (EPERM);
9791 		}
9792 	}
9793 	/*
9794 	 * Even if there is no change we redo things just to rerun
9795 	 * ipif_set_default.
9796 	 */
9797 	if (ipif->ipif_flags & IPIF_UP) {
9798 		/*
9799 		 * Setting a new local address, make sure
9800 		 * we have net and subnet bcast ire's for
9801 		 * the old address if we need them.
9802 		 */
9803 		/*
9804 		 * If the interface is already marked up,
9805 		 * we call ipif_down which will take care
9806 		 * of ditching any IREs that have been set
9807 		 * up based on the old interface address.
9808 		 */
9809 		err = ipif_logical_down(ipif, q, mp);
9810 		if (err == EINPROGRESS)
9811 			return (err);
9812 		(void) ipif_down_tail(ipif);
9813 		need_up = 1;
9814 	}
9815 
9816 	err = ip_sioctl_addr_tail(ipif, sin, q, mp, need_up);
9817 	return (err);
9818 }
9819 
9820 int
9821 ip_sioctl_addr_tail(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
9822     boolean_t need_up)
9823 {
9824 	in6_addr_t v6addr;
9825 	in6_addr_t ov6addr;
9826 	ipaddr_t addr;
9827 	sin6_t	*sin6;
9828 	int	sinlen;
9829 	int	err = 0;
9830 	ill_t	*ill = ipif->ipif_ill;
9831 	boolean_t need_dl_down;
9832 	boolean_t need_arp_down;
9833 	struct iocblk *iocp;
9834 
9835 	iocp = (mp != NULL) ? (struct iocblk *)mp->b_rptr : NULL;
9836 
9837 	ip1dbg(("ip_sioctl_addr_tail(%s:%u %p)\n",
9838 	    ill->ill_name, ipif->ipif_id, (void *)ipif));
9839 	ASSERT(IAM_WRITER_IPIF(ipif));
9840 
9841 	/* Must cancel any pending timer before taking the ill_lock */
9842 	if (ipif->ipif_recovery_id != 0)
9843 		(void) untimeout(ipif->ipif_recovery_id);
9844 	ipif->ipif_recovery_id = 0;
9845 
9846 	if (ipif->ipif_isv6) {
9847 		sin6 = (sin6_t *)sin;
9848 		v6addr = sin6->sin6_addr;
9849 		sinlen = sizeof (struct sockaddr_in6);
9850 	} else {
9851 		addr = sin->sin_addr.s_addr;
9852 		IN6_IPADDR_TO_V4MAPPED(addr, &v6addr);
9853 		sinlen = sizeof (struct sockaddr_in);
9854 	}
9855 	mutex_enter(&ill->ill_lock);
9856 	ov6addr = ipif->ipif_v6lcl_addr;
9857 	ipif->ipif_v6lcl_addr = v6addr;
9858 	sctp_update_ipif_addr(ipif, ov6addr);
9859 	ipif->ipif_addr_ready = 0;
9860 
9861 	ip_rts_newaddrmsg(RTM_CHGADDR, 0, ipif, RTSQ_DEFAULT);
9862 
9863 	/*
9864 	 * If the interface was previously marked as a duplicate, then since
9865 	 * we've now got a "new" address, it should no longer be considered a
9866 	 * duplicate -- even if the "new" address is the same as the old one.
9867 	 * Note that if all ipifs are down, we may have a pending ARP down
9868 	 * event to handle.  This is because we want to recover from duplicates
9869 	 * and thus delay tearing down ARP until the duplicates have been
9870 	 * removed or disabled.
9871 	 */
9872 	need_dl_down = need_arp_down = B_FALSE;
9873 	if (ipif->ipif_flags & IPIF_DUPLICATE) {
9874 		need_arp_down = !need_up;
9875 		ipif->ipif_flags &= ~IPIF_DUPLICATE;
9876 		if (--ill->ill_ipif_dup_count == 0 && !need_up &&
9877 		    ill->ill_ipif_up_count == 0 && ill->ill_dl_up) {
9878 			need_dl_down = B_TRUE;
9879 		}
9880 	}
9881 
9882 	ipif_set_default(ipif);
9883 
9884 	/*
9885 	 * If we've just manually set the IPv6 link-local address (0th ipif),
9886 	 * tag the ill so that future updates to the interface ID don't result
9887 	 * in this address getting automatically reconfigured from under the
9888 	 * administrator.
9889 	 */
9890 	if (ipif->ipif_isv6 && ipif->ipif_id == 0) {
9891 		if (iocp == NULL || (iocp->ioc_cmd == SIOCSLIFADDR &&
9892 		    !IN6_IS_ADDR_UNSPECIFIED(&v6addr)))
9893 			ill->ill_manual_linklocal = 1;
9894 	}
9895 
9896 	/*
9897 	 * When publishing an interface address change event, we only notify
9898 	 * the event listeners of the new address.  It is assumed that if they
9899 	 * actively care about the addresses assigned that they will have
9900 	 * already discovered the previous address assigned (if there was one.)
9901 	 *
9902 	 * Don't attach nic event message for SIOCLIFADDIF ioctl.
9903 	 */
9904 	if (iocp != NULL && iocp->ioc_cmd != SIOCLIFADDIF) {
9905 		ill_nic_event_dispatch(ill, MAP_IPIF_ID(ipif->ipif_id),
9906 		    NE_ADDRESS_CHANGE, sin, sinlen);
9907 	}
9908 
9909 	mutex_exit(&ill->ill_lock);
9910 
9911 	if (need_up) {
9912 		/*
9913 		 * Now bring the interface back up.  If this
9914 		 * is the only IPIF for the ILL, ipif_up
9915 		 * will have to re-bind to the device, so
9916 		 * we may get back EINPROGRESS, in which
9917 		 * case, this IOCTL will get completed in
9918 		 * ip_rput_dlpi when we see the DL_BIND_ACK.
9919 		 */
9920 		err = ipif_up(ipif, q, mp);
9921 	} else {
9922 		/* Perhaps ilgs should use this ill */
9923 		update_conn_ill(NULL, ill->ill_ipst);
9924 	}
9925 
9926 	if (need_dl_down)
9927 		ill_dl_down(ill);
9928 
9929 	if (need_arp_down && !ill->ill_isv6)
9930 		(void) ipif_arp_down(ipif);
9931 
9932 	/*
9933 	 * The default multicast interface might have changed (for
9934 	 * instance if the IPv6 scope of the address changed)
9935 	 */
9936 	ire_increment_multicast_generation(ill->ill_ipst, ill->ill_isv6);
9937 
9938 	return (err);
9939 }
9940 
9941 /*
9942  * Restart entry point to restart the address set operation after the
9943  * refcounts have dropped to zero.
9944  */
9945 /* ARGSUSED */
9946 int
9947 ip_sioctl_addr_restart(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
9948     ip_ioctl_cmd_t *ipip, void *ifreq)
9949 {
9950 	ip1dbg(("ip_sioctl_addr_restart(%s:%u %p)\n",
9951 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
9952 	ASSERT(IAM_WRITER_IPIF(ipif));
9953 	(void) ipif_down_tail(ipif);
9954 	return (ip_sioctl_addr_tail(ipif, sin, q, mp, B_TRUE));
9955 }
9956 
9957 /* ARGSUSED */
9958 int
9959 ip_sioctl_get_addr(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
9960     ip_ioctl_cmd_t *ipip, void *if_req)
9961 {
9962 	sin6_t *sin6 = (struct sockaddr_in6 *)sin;
9963 	struct lifreq *lifr = (struct lifreq *)if_req;
9964 
9965 	ip1dbg(("ip_sioctl_get_addr(%s:%u %p)\n",
9966 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
9967 	/*
9968 	 * The net mask and address can't change since we have a
9969 	 * reference to the ipif. So no lock is necessary.
9970 	 */
9971 	if (ipif->ipif_isv6) {
9972 		*sin6 = sin6_null;
9973 		sin6->sin6_family = AF_INET6;
9974 		sin6->sin6_addr = ipif->ipif_v6lcl_addr;
9975 		ASSERT(ipip->ipi_cmd_type == LIF_CMD);
9976 		lifr->lifr_addrlen =
9977 		    ip_mask_to_plen_v6(&ipif->ipif_v6net_mask);
9978 	} else {
9979 		*sin = sin_null;
9980 		sin->sin_family = AF_INET;
9981 		sin->sin_addr.s_addr = ipif->ipif_lcl_addr;
9982 		if (ipip->ipi_cmd_type == LIF_CMD) {
9983 			lifr->lifr_addrlen =
9984 			    ip_mask_to_plen(ipif->ipif_net_mask);
9985 		}
9986 	}
9987 	return (0);
9988 }
9989 
9990 /*
9991  * Set the destination address for a pt-pt interface.
9992  */
9993 /* ARGSUSED */
9994 int
9995 ip_sioctl_dstaddr(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
9996     ip_ioctl_cmd_t *ipip, void *if_req)
9997 {
9998 	int err = 0;
9999 	in6_addr_t v6addr;
10000 	boolean_t need_up = B_FALSE;
10001 
10002 	ip1dbg(("ip_sioctl_dstaddr(%s:%u %p)\n",
10003 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
10004 	ASSERT(IAM_WRITER_IPIF(ipif));
10005 
10006 	if (ipif->ipif_isv6) {
10007 		sin6_t *sin6;
10008 
10009 		if (sin->sin_family != AF_INET6)
10010 			return (EAFNOSUPPORT);
10011 
10012 		sin6 = (sin6_t *)sin;
10013 		v6addr = sin6->sin6_addr;
10014 
10015 		if (!ip_remote_addr_ok_v6(&v6addr, &ipif->ipif_v6net_mask))
10016 			return (EADDRNOTAVAIL);
10017 	} else {
10018 		ipaddr_t addr;
10019 
10020 		if (sin->sin_family != AF_INET)
10021 			return (EAFNOSUPPORT);
10022 
10023 		addr = sin->sin_addr.s_addr;
10024 		if (addr != INADDR_ANY &&
10025 		    !ip_addr_ok_v4(addr, ipif->ipif_net_mask)) {
10026 			return (EADDRNOTAVAIL);
10027 		}
10028 
10029 		IN6_IPADDR_TO_V4MAPPED(addr, &v6addr);
10030 	}
10031 
10032 	if (IN6_ARE_ADDR_EQUAL(&ipif->ipif_v6pp_dst_addr, &v6addr))
10033 		return (0);	/* No change */
10034 
10035 	if (ipif->ipif_flags & IPIF_UP) {
10036 		/*
10037 		 * If the interface is already marked up,
10038 		 * we call ipif_down which will take care
10039 		 * of ditching any IREs that have been set
10040 		 * up based on the old pp dst address.
10041 		 */
10042 		err = ipif_logical_down(ipif, q, mp);
10043 		if (err == EINPROGRESS)
10044 			return (err);
10045 		(void) ipif_down_tail(ipif);
10046 		need_up = B_TRUE;
10047 	}
10048 	/*
10049 	 * could return EINPROGRESS. If so ioctl will complete in
10050 	 * ip_rput_dlpi_writer
10051 	 */
10052 	err = ip_sioctl_dstaddr_tail(ipif, sin, q, mp, need_up);
10053 	return (err);
10054 }
10055 
10056 static int
10057 ip_sioctl_dstaddr_tail(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
10058     boolean_t need_up)
10059 {
10060 	in6_addr_t v6addr;
10061 	ill_t	*ill = ipif->ipif_ill;
10062 	int	err = 0;
10063 	boolean_t need_dl_down;
10064 	boolean_t need_arp_down;
10065 
10066 	ip1dbg(("ip_sioctl_dstaddr_tail(%s:%u %p)\n", ill->ill_name,
10067 	    ipif->ipif_id, (void *)ipif));
10068 
10069 	/* Must cancel any pending timer before taking the ill_lock */
10070 	if (ipif->ipif_recovery_id != 0)
10071 		(void) untimeout(ipif->ipif_recovery_id);
10072 	ipif->ipif_recovery_id = 0;
10073 
10074 	if (ipif->ipif_isv6) {
10075 		sin6_t *sin6;
10076 
10077 		sin6 = (sin6_t *)sin;
10078 		v6addr = sin6->sin6_addr;
10079 	} else {
10080 		ipaddr_t addr;
10081 
10082 		addr = sin->sin_addr.s_addr;
10083 		IN6_IPADDR_TO_V4MAPPED(addr, &v6addr);
10084 	}
10085 	mutex_enter(&ill->ill_lock);
10086 	/* Set point to point destination address. */
10087 	if ((ipif->ipif_flags & IPIF_POINTOPOINT) == 0) {
10088 		/*
10089 		 * Allow this as a means of creating logical
10090 		 * pt-pt interfaces on top of e.g. an Ethernet.
10091 		 * XXX Undocumented HACK for testing.
10092 		 * pt-pt interfaces are created with NUD disabled.
10093 		 */
10094 		ipif->ipif_flags |= IPIF_POINTOPOINT;
10095 		ipif->ipif_flags &= ~IPIF_BROADCAST;
10096 		if (ipif->ipif_isv6)
10097 			ill->ill_flags |= ILLF_NONUD;
10098 	}
10099 
10100 	/*
10101 	 * If the interface was previously marked as a duplicate, then since
10102 	 * we've now got a "new" address, it should no longer be considered a
10103 	 * duplicate -- even if the "new" address is the same as the old one.
10104 	 * Note that if all ipifs are down, we may have a pending ARP down
10105 	 * event to handle.
10106 	 */
10107 	need_dl_down = need_arp_down = B_FALSE;
10108 	if (ipif->ipif_flags & IPIF_DUPLICATE) {
10109 		need_arp_down = !need_up;
10110 		ipif->ipif_flags &= ~IPIF_DUPLICATE;
10111 		if (--ill->ill_ipif_dup_count == 0 && !need_up &&
10112 		    ill->ill_ipif_up_count == 0 && ill->ill_dl_up) {
10113 			need_dl_down = B_TRUE;
10114 		}
10115 	}
10116 
10117 	/*
10118 	 * If we've just manually set the IPv6 destination link-local address
10119 	 * (0th ipif), tag the ill so that future updates to the destination
10120 	 * interface ID (as can happen with interfaces over IP tunnels) don't
10121 	 * result in this address getting automatically reconfigured from
10122 	 * under the administrator.
10123 	 */
10124 	if (ipif->ipif_isv6 && ipif->ipif_id == 0)
10125 		ill->ill_manual_dst_linklocal = 1;
10126 
10127 	/* Set the new address. */
10128 	ipif->ipif_v6pp_dst_addr = v6addr;
10129 	/* Make sure subnet tracks pp_dst */
10130 	ipif->ipif_v6subnet = ipif->ipif_v6pp_dst_addr;
10131 	mutex_exit(&ill->ill_lock);
10132 
10133 	if (need_up) {
10134 		/*
10135 		 * Now bring the interface back up.  If this
10136 		 * is the only IPIF for the ILL, ipif_up
10137 		 * will have to re-bind to the device, so
10138 		 * we may get back EINPROGRESS, in which
10139 		 * case, this IOCTL will get completed in
10140 		 * ip_rput_dlpi when we see the DL_BIND_ACK.
10141 		 */
10142 		err = ipif_up(ipif, q, mp);
10143 	}
10144 
10145 	if (need_dl_down)
10146 		ill_dl_down(ill);
10147 	if (need_arp_down && !ipif->ipif_isv6)
10148 		(void) ipif_arp_down(ipif);
10149 
10150 	return (err);
10151 }
10152 
10153 /*
10154  * Restart entry point to restart the dstaddress set operation after the
10155  * refcounts have dropped to zero.
10156  */
10157 /* ARGSUSED */
10158 int
10159 ip_sioctl_dstaddr_restart(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
10160     ip_ioctl_cmd_t *ipip, void *ifreq)
10161 {
10162 	ip1dbg(("ip_sioctl_dstaddr_restart(%s:%u %p)\n",
10163 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
10164 	(void) ipif_down_tail(ipif);
10165 	return (ip_sioctl_dstaddr_tail(ipif, sin, q, mp, B_TRUE));
10166 }
10167 
10168 /* ARGSUSED */
10169 int
10170 ip_sioctl_get_dstaddr(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
10171     ip_ioctl_cmd_t *ipip, void *if_req)
10172 {
10173 	sin6_t	*sin6 = (struct sockaddr_in6 *)sin;
10174 
10175 	ip1dbg(("ip_sioctl_get_dstaddr(%s:%u %p)\n",
10176 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
10177 	/*
10178 	 * Get point to point destination address. The addresses can't
10179 	 * change since we hold a reference to the ipif.
10180 	 */
10181 	if ((ipif->ipif_flags & IPIF_POINTOPOINT) == 0)
10182 		return (EADDRNOTAVAIL);
10183 
10184 	if (ipif->ipif_isv6) {
10185 		ASSERT(ipip->ipi_cmd_type == LIF_CMD);
10186 		*sin6 = sin6_null;
10187 		sin6->sin6_family = AF_INET6;
10188 		sin6->sin6_addr = ipif->ipif_v6pp_dst_addr;
10189 	} else {
10190 		*sin = sin_null;
10191 		sin->sin_family = AF_INET;
10192 		sin->sin_addr.s_addr = ipif->ipif_pp_dst_addr;
10193 	}
10194 	return (0);
10195 }
10196 
10197 /*
10198  * Check which flags will change by the given flags being set
10199  * silently ignore flags which userland is not allowed to control.
10200  * (Because these flags may change between SIOCGLIFFLAGS and
10201  * SIOCSLIFFLAGS, and that's outside of userland's control,
10202  * we need to silently ignore them rather than fail.)
10203  */
10204 static void
10205 ip_sioctl_flags_onoff(ipif_t *ipif, uint64_t flags, uint64_t *onp,
10206     uint64_t *offp)
10207 {
10208 	ill_t		*ill = ipif->ipif_ill;
10209 	phyint_t 	*phyi = ill->ill_phyint;
10210 	uint64_t	cantchange_flags, intf_flags;
10211 	uint64_t	turn_on, turn_off;
10212 
10213 	intf_flags = ipif->ipif_flags | ill->ill_flags | phyi->phyint_flags;
10214 	cantchange_flags = IFF_CANTCHANGE;
10215 	if (IS_IPMP(ill))
10216 		cantchange_flags |= IFF_IPMP_CANTCHANGE;
10217 	turn_on = (flags ^ intf_flags) & ~cantchange_flags;
10218 	turn_off = intf_flags & turn_on;
10219 	turn_on ^= turn_off;
10220 	*onp = turn_on;
10221 	*offp = turn_off;
10222 }
10223 
10224 /*
10225  * Set interface flags.  Many flags require special handling (e.g.,
10226  * bringing the interface down); see below for details.
10227  *
10228  * NOTE : We really don't enforce that ipif_id zero should be used
10229  *	  for setting any flags other than IFF_LOGINT_FLAGS. This
10230  *	  is because applications generally does SICGLIFFLAGS and
10231  *	  ORs in the new flags (that affects the logical) and does a
10232  *	  SIOCSLIFFLAGS. Thus, "flags" below could contain bits other
10233  *	  than IFF_LOGINT_FLAGS. One could check whether "turn_on" - the
10234  *	  flags that will be turned on is correct with respect to
10235  *	  ipif_id 0. For backward compatibility reasons, it is not done.
10236  */
10237 /* ARGSUSED */
10238 int
10239 ip_sioctl_flags(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
10240     ip_ioctl_cmd_t *ipip, void *if_req)
10241 {
10242 	uint64_t turn_on;
10243 	uint64_t turn_off;
10244 	int	err = 0;
10245 	phyint_t *phyi;
10246 	ill_t *ill;
10247 	conn_t *connp;
10248 	uint64_t intf_flags;
10249 	boolean_t phyint_flags_modified = B_FALSE;
10250 	uint64_t flags;
10251 	struct ifreq *ifr;
10252 	struct lifreq *lifr;
10253 	boolean_t set_linklocal = B_FALSE;
10254 
10255 	ip1dbg(("ip_sioctl_flags(%s:%u %p)\n",
10256 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
10257 
10258 	ASSERT(IAM_WRITER_IPIF(ipif));
10259 
10260 	ill = ipif->ipif_ill;
10261 	phyi = ill->ill_phyint;
10262 
10263 	if (ipip->ipi_cmd_type == IF_CMD) {
10264 		ifr = (struct ifreq *)if_req;
10265 		flags =  (uint64_t)(ifr->ifr_flags & 0x0000ffff);
10266 	} else {
10267 		lifr = (struct lifreq *)if_req;
10268 		flags = lifr->lifr_flags;
10269 	}
10270 
10271 	intf_flags = ipif->ipif_flags | ill->ill_flags | phyi->phyint_flags;
10272 
10273 	/*
10274 	 * Have the flags been set correctly until now?
10275 	 */
10276 	ASSERT((phyi->phyint_flags & ~(IFF_PHYINT_FLAGS)) == 0);
10277 	ASSERT((ill->ill_flags & ~(IFF_PHYINTINST_FLAGS)) == 0);
10278 	ASSERT((ipif->ipif_flags & ~(IFF_LOGINT_FLAGS)) == 0);
10279 	/*
10280 	 * Compare the new flags to the old, and partition
10281 	 * into those coming on and those going off.
10282 	 * For the 16 bit command keep the bits above bit 16 unchanged.
10283 	 */
10284 	if (ipip->ipi_cmd == SIOCSIFFLAGS)
10285 		flags |= intf_flags & ~0xFFFF;
10286 
10287 	/*
10288 	 * Explicitly fail attempts to change flags that are always invalid on
10289 	 * an IPMP meta-interface.
10290 	 */
10291 	if (IS_IPMP(ill) && ((flags ^ intf_flags) & IFF_IPMP_INVALID))
10292 		return (EINVAL);
10293 
10294 	ip_sioctl_flags_onoff(ipif, flags, &turn_on, &turn_off);
10295 	if ((turn_on|turn_off) == 0)
10296 		return (0);	/* No change */
10297 
10298 	/*
10299 	 * All test addresses must be IFF_DEPRECATED (to ensure source address
10300 	 * selection avoids them) -- so force IFF_DEPRECATED on, and do not
10301 	 * allow it to be turned off.
10302 	 */
10303 	if ((turn_off & (IFF_DEPRECATED|IFF_NOFAILOVER)) == IFF_DEPRECATED &&
10304 	    (turn_on|intf_flags) & IFF_NOFAILOVER)
10305 		return (EINVAL);
10306 
10307 	if ((connp = Q_TO_CONN(q)) == NULL)
10308 		return (EINVAL);
10309 
10310 	/*
10311 	 * Only vrrp control socket is allowed to change IFF_UP and
10312 	 * IFF_NOACCEPT flags when IFF_VRRP is set.
10313 	 */
10314 	if ((intf_flags & IFF_VRRP) && ((turn_off | turn_on) & IFF_UP)) {
10315 		if (!connp->conn_isvrrp)
10316 			return (EINVAL);
10317 	}
10318 
10319 	/*
10320 	 * The IFF_NOACCEPT flag can only be set on an IFF_VRRP IP address by
10321 	 * VRRP control socket.
10322 	 */
10323 	if ((turn_off | turn_on) & IFF_NOACCEPT) {
10324 		if (!connp->conn_isvrrp || !(intf_flags & IFF_VRRP))
10325 			return (EINVAL);
10326 	}
10327 
10328 	if (turn_on & IFF_NOFAILOVER) {
10329 		turn_on |= IFF_DEPRECATED;
10330 		flags |= IFF_DEPRECATED;
10331 	}
10332 
10333 	/*
10334 	 * On underlying interfaces, only allow applications to manage test
10335 	 * addresses -- otherwise, they may get confused when the address
10336 	 * moves as part of being brought up.  Likewise, prevent an
10337 	 * application-managed test address from being converted to a data
10338 	 * address.  To prevent migration of administratively up addresses in
10339 	 * the kernel, we don't allow them to be converted either.
10340 	 */
10341 	if (IS_UNDER_IPMP(ill)) {
10342 		const uint64_t appflags = IFF_DHCPRUNNING | IFF_ADDRCONF;
10343 
10344 		if ((turn_on & appflags) && !(flags & IFF_NOFAILOVER))
10345 			return (EINVAL);
10346 
10347 		if ((turn_off & IFF_NOFAILOVER) &&
10348 		    (flags & (appflags | IFF_UP | IFF_DUPLICATE)))
10349 			return (EINVAL);
10350 	}
10351 
10352 	/*
10353 	 * Only allow IFF_TEMPORARY flag to be set on
10354 	 * IPv6 interfaces.
10355 	 */
10356 	if ((turn_on & IFF_TEMPORARY) && !(ipif->ipif_isv6))
10357 		return (EINVAL);
10358 
10359 	/*
10360 	 * cannot turn off IFF_NOXMIT on  VNI interfaces.
10361 	 */
10362 	if ((turn_off & IFF_NOXMIT) && IS_VNI(ipif->ipif_ill))
10363 		return (EINVAL);
10364 
10365 	/*
10366 	 * Don't allow the IFF_ROUTER flag to be turned on on loopback
10367 	 * interfaces.  It makes no sense in that context.
10368 	 */
10369 	if ((turn_on & IFF_ROUTER) && (phyi->phyint_flags & PHYI_LOOPBACK))
10370 		return (EINVAL);
10371 
10372 	/*
10373 	 * For IPv6 ipif_id 0, don't allow the interface to be up without
10374 	 * a link local address if IFF_NOLOCAL or IFF_ANYCAST are not set.
10375 	 * If the link local address isn't set, and can be set, it will get
10376 	 * set later on in this function.
10377 	 */
10378 	if (ipif->ipif_id == 0 && ipif->ipif_isv6 &&
10379 	    (flags & IFF_UP) && !(flags & (IFF_NOLOCAL|IFF_ANYCAST)) &&
10380 	    IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6lcl_addr)) {
10381 		if (ipif_cant_setlinklocal(ipif))
10382 			return (EINVAL);
10383 		set_linklocal = B_TRUE;
10384 	}
10385 
10386 	/*
10387 	 * If we modify physical interface flags, we'll potentially need to
10388 	 * send up two routing socket messages for the changes (one for the
10389 	 * IPv4 ill, and another for the IPv6 ill).  Note that here.
10390 	 */
10391 	if ((turn_on|turn_off) & IFF_PHYINT_FLAGS)
10392 		phyint_flags_modified = B_TRUE;
10393 
10394 	/*
10395 	 * All functioning PHYI_STANDBY interfaces start life PHYI_INACTIVE
10396 	 * (otherwise, we'd immediately use them, defeating standby).  Also,
10397 	 * since PHYI_INACTIVE has a separate meaning when PHYI_STANDBY is not
10398 	 * set, don't allow PHYI_STANDBY to be set if PHYI_INACTIVE is already
10399 	 * set, and clear PHYI_INACTIVE if PHYI_STANDBY is being cleared.  We
10400 	 * also don't allow PHYI_STANDBY if VNI is enabled since its semantics
10401 	 * will not be honored.
10402 	 */
10403 	if (turn_on & PHYI_STANDBY) {
10404 		/*
10405 		 * No need to grab ill_g_usesrc_lock here; see the
10406 		 * synchronization notes in ip.c.
10407 		 */
10408 		if (ill->ill_usesrc_grp_next != NULL ||
10409 		    intf_flags & PHYI_INACTIVE)
10410 			return (EINVAL);
10411 		if (!(flags & PHYI_FAILED)) {
10412 			flags |= PHYI_INACTIVE;
10413 			turn_on |= PHYI_INACTIVE;
10414 		}
10415 	}
10416 
10417 	if (turn_off & PHYI_STANDBY) {
10418 		flags &= ~PHYI_INACTIVE;
10419 		turn_off |= PHYI_INACTIVE;
10420 	}
10421 
10422 	/*
10423 	 * PHYI_FAILED and PHYI_INACTIVE are mutually exclusive; fail if both
10424 	 * would end up on.
10425 	 */
10426 	if ((flags & (PHYI_FAILED | PHYI_INACTIVE)) ==
10427 	    (PHYI_FAILED | PHYI_INACTIVE))
10428 		return (EINVAL);
10429 
10430 	/*
10431 	 * If ILLF_ROUTER changes, we need to change the ip forwarding
10432 	 * status of the interface.
10433 	 */
10434 	if ((turn_on | turn_off) & ILLF_ROUTER) {
10435 		err = ill_forward_set(ill, ((turn_on & ILLF_ROUTER) != 0));
10436 		if (err != 0)
10437 			return (err);
10438 	}
10439 
10440 	/*
10441 	 * If the interface is not UP and we are not going to
10442 	 * bring it UP, record the flags and return. When the
10443 	 * interface comes UP later, the right actions will be
10444 	 * taken.
10445 	 */
10446 	if (!(ipif->ipif_flags & IPIF_UP) &&
10447 	    !(turn_on & IPIF_UP)) {
10448 		/* Record new flags in their respective places. */
10449 		mutex_enter(&ill->ill_lock);
10450 		mutex_enter(&ill->ill_phyint->phyint_lock);
10451 		ipif->ipif_flags |= (turn_on & IFF_LOGINT_FLAGS);
10452 		ipif->ipif_flags &= (~turn_off & IFF_LOGINT_FLAGS);
10453 		ill->ill_flags |= (turn_on & IFF_PHYINTINST_FLAGS);
10454 		ill->ill_flags &= (~turn_off & IFF_PHYINTINST_FLAGS);
10455 		phyi->phyint_flags |= (turn_on & IFF_PHYINT_FLAGS);
10456 		phyi->phyint_flags &= (~turn_off & IFF_PHYINT_FLAGS);
10457 		mutex_exit(&ill->ill_lock);
10458 		mutex_exit(&ill->ill_phyint->phyint_lock);
10459 
10460 		/*
10461 		 * PHYI_FAILED, PHYI_INACTIVE, and PHYI_OFFLINE are all the
10462 		 * same to the kernel: if any of them has been set by
10463 		 * userland, the interface cannot be used for data traffic.
10464 		 */
10465 		if ((turn_on|turn_off) &
10466 		    (PHYI_FAILED | PHYI_INACTIVE | PHYI_OFFLINE)) {
10467 			ASSERT(!IS_IPMP(ill));
10468 			/*
10469 			 * It's possible the ill is part of an "anonymous"
10470 			 * IPMP group rather than a real group.  In that case,
10471 			 * there are no other interfaces in the group and thus
10472 			 * no need to call ipmp_phyint_refresh_active().
10473 			 */
10474 			if (IS_UNDER_IPMP(ill))
10475 				ipmp_phyint_refresh_active(phyi);
10476 		}
10477 
10478 		if (phyint_flags_modified) {
10479 			if (phyi->phyint_illv4 != NULL) {
10480 				ip_rts_ifmsg(phyi->phyint_illv4->
10481 				    ill_ipif, RTSQ_DEFAULT);
10482 			}
10483 			if (phyi->phyint_illv6 != NULL) {
10484 				ip_rts_ifmsg(phyi->phyint_illv6->
10485 				    ill_ipif, RTSQ_DEFAULT);
10486 			}
10487 		}
10488 		/* The default multicast interface might have changed */
10489 		ire_increment_multicast_generation(ill->ill_ipst,
10490 		    ill->ill_isv6);
10491 
10492 		return (0);
10493 	} else if (set_linklocal) {
10494 		mutex_enter(&ill->ill_lock);
10495 		if (set_linklocal)
10496 			ipif->ipif_state_flags |= IPIF_SET_LINKLOCAL;
10497 		mutex_exit(&ill->ill_lock);
10498 	}
10499 
10500 	/*
10501 	 * Disallow IPv6 interfaces coming up that have the unspecified address,
10502 	 * or point-to-point interfaces with an unspecified destination. We do
10503 	 * allow the address to be unspecified for IPIF_NOLOCAL interfaces that
10504 	 * have a subnet assigned, which is how in.ndpd currently manages its
10505 	 * onlink prefix list when no addresses are configured with those
10506 	 * prefixes.
10507 	 */
10508 	if (ipif->ipif_isv6 &&
10509 	    ((IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6lcl_addr) &&
10510 	    (!(ipif->ipif_flags & IPIF_NOLOCAL) && !(turn_on & IPIF_NOLOCAL) ||
10511 	    IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6subnet))) ||
10512 	    ((ipif->ipif_flags & IPIF_POINTOPOINT) &&
10513 	    IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6pp_dst_addr)))) {
10514 		return (EINVAL);
10515 	}
10516 
10517 	/*
10518 	 * Prevent IPv4 point-to-point interfaces with a 0.0.0.0 destination
10519 	 * from being brought up.
10520 	 */
10521 	if (!ipif->ipif_isv6 &&
10522 	    ((ipif->ipif_flags & IPIF_POINTOPOINT) &&
10523 	    ipif->ipif_pp_dst_addr == INADDR_ANY)) {
10524 		return (EINVAL);
10525 	}
10526 
10527 	/*
10528 	 * If we are going to change one or more of the flags that are
10529 	 * IPIF_UP, IPIF_DEPRECATED, IPIF_NOXMIT, IPIF_NOLOCAL, ILLF_NOARP,
10530 	 * ILLF_NONUD, IPIF_PRIVATE, IPIF_ANYCAST, IPIF_PREFERRED, and
10531 	 * IPIF_NOFAILOVER, we will take special action.  This is
10532 	 * done by bring the ipif down, changing the flags and bringing
10533 	 * it back up again.  For IPIF_NOFAILOVER, the act of bringing it
10534 	 * back up will trigger the address to be moved.
10535 	 *
10536 	 * If we are going to change IFF_NOACCEPT, we need to bring
10537 	 * all the ipifs down then bring them up again.	 The act of
10538 	 * bringing all the ipifs back up will trigger the local
10539 	 * ires being recreated with "no_accept" set/cleared.
10540 	 *
10541 	 * Note that ILLF_NOACCEPT is always set separately from the
10542 	 * other flags.
10543 	 */
10544 	if ((turn_on|turn_off) &
10545 	    (IPIF_UP|IPIF_DEPRECATED|IPIF_NOXMIT|IPIF_NOLOCAL|ILLF_NOARP|
10546 	    ILLF_NONUD|IPIF_PRIVATE|IPIF_ANYCAST|IPIF_PREFERRED|
10547 	    IPIF_NOFAILOVER)) {
10548 		/*
10549 		 * ipif_down() will ire_delete bcast ire's for the subnet,
10550 		 * while the ire_identical_ref tracks the case of IRE_BROADCAST
10551 		 * entries shared between multiple ipifs on the same subnet.
10552 		 */
10553 		if (((ipif->ipif_flags | turn_on) & IPIF_UP) &&
10554 		    !(turn_off & IPIF_UP)) {
10555 			if (ipif->ipif_flags & IPIF_UP)
10556 				ill->ill_logical_down = 1;
10557 			turn_on &= ~IPIF_UP;
10558 		}
10559 		err = ipif_down(ipif, q, mp);
10560 		ip1dbg(("ipif_down returns %d err ", err));
10561 		if (err == EINPROGRESS)
10562 			return (err);
10563 		(void) ipif_down_tail(ipif);
10564 	} else if ((turn_on|turn_off) & ILLF_NOACCEPT) {
10565 		/*
10566 		 * If we can quiesce the ill, then continue.  If not, then
10567 		 * ip_sioctl_flags_tail() will be called from
10568 		 * ipif_ill_refrele_tail().
10569 		 */
10570 		ill_down_ipifs(ill, B_TRUE);
10571 
10572 		mutex_enter(&connp->conn_lock);
10573 		mutex_enter(&ill->ill_lock);
10574 		if (!ill_is_quiescent(ill)) {
10575 			boolean_t success;
10576 
10577 			success = ipsq_pending_mp_add(connp, ill->ill_ipif,
10578 			    q, mp, ILL_DOWN);
10579 			mutex_exit(&ill->ill_lock);
10580 			mutex_exit(&connp->conn_lock);
10581 			return (success ? EINPROGRESS : EINTR);
10582 		}
10583 		mutex_exit(&ill->ill_lock);
10584 		mutex_exit(&connp->conn_lock);
10585 	}
10586 	return (ip_sioctl_flags_tail(ipif, flags, q, mp));
10587 }
10588 
10589 static int
10590 ip_sioctl_flags_tail(ipif_t *ipif, uint64_t flags, queue_t *q, mblk_t *mp)
10591 {
10592 	ill_t	*ill;
10593 	phyint_t *phyi;
10594 	uint64_t turn_on, turn_off;
10595 	boolean_t phyint_flags_modified = B_FALSE;
10596 	int	err = 0;
10597 	boolean_t set_linklocal = B_FALSE;
10598 
10599 	ip1dbg(("ip_sioctl_flags_tail(%s:%u)\n",
10600 	    ipif->ipif_ill->ill_name, ipif->ipif_id));
10601 
10602 	ASSERT(IAM_WRITER_IPIF(ipif));
10603 
10604 	ill = ipif->ipif_ill;
10605 	phyi = ill->ill_phyint;
10606 
10607 	ip_sioctl_flags_onoff(ipif, flags, &turn_on, &turn_off);
10608 
10609 	/*
10610 	 * IFF_UP is handled separately.
10611 	 */
10612 	turn_on &= ~IFF_UP;
10613 	turn_off &= ~IFF_UP;
10614 
10615 	if ((turn_on|turn_off) & IFF_PHYINT_FLAGS)
10616 		phyint_flags_modified = B_TRUE;
10617 
10618 	/*
10619 	 * Now we change the flags. Track current value of
10620 	 * other flags in their respective places.
10621 	 */
10622 	mutex_enter(&ill->ill_lock);
10623 	mutex_enter(&phyi->phyint_lock);
10624 	ipif->ipif_flags |= (turn_on & IFF_LOGINT_FLAGS);
10625 	ipif->ipif_flags &= (~turn_off & IFF_LOGINT_FLAGS);
10626 	ill->ill_flags |= (turn_on & IFF_PHYINTINST_FLAGS);
10627 	ill->ill_flags &= (~turn_off & IFF_PHYINTINST_FLAGS);
10628 	phyi->phyint_flags |= (turn_on & IFF_PHYINT_FLAGS);
10629 	phyi->phyint_flags &= (~turn_off & IFF_PHYINT_FLAGS);
10630 	if (ipif->ipif_state_flags & IPIF_SET_LINKLOCAL) {
10631 		set_linklocal = B_TRUE;
10632 		ipif->ipif_state_flags &= ~IPIF_SET_LINKLOCAL;
10633 	}
10634 
10635 	mutex_exit(&ill->ill_lock);
10636 	mutex_exit(&phyi->phyint_lock);
10637 
10638 	if (set_linklocal)
10639 		(void) ipif_setlinklocal(ipif);
10640 
10641 	/*
10642 	 * PHYI_FAILED, PHYI_INACTIVE, and PHYI_OFFLINE are all the same to
10643 	 * the kernel: if any of them has been set by userland, the interface
10644 	 * cannot be used for data traffic.
10645 	 */
10646 	if ((turn_on|turn_off) & (PHYI_FAILED | PHYI_INACTIVE | PHYI_OFFLINE)) {
10647 		ASSERT(!IS_IPMP(ill));
10648 		/*
10649 		 * It's possible the ill is part of an "anonymous" IPMP group
10650 		 * rather than a real group.  In that case, there are no other
10651 		 * interfaces in the group and thus no need for us to call
10652 		 * ipmp_phyint_refresh_active().
10653 		 */
10654 		if (IS_UNDER_IPMP(ill))
10655 			ipmp_phyint_refresh_active(phyi);
10656 	}
10657 
10658 	if ((turn_on|turn_off) & ILLF_NOACCEPT) {
10659 		/*
10660 		 * If the ILLF_NOACCEPT flag is changed, bring up all the
10661 		 * ipifs that were brought down.
10662 		 *
10663 		 * The routing sockets messages are sent as the result
10664 		 * of ill_up_ipifs(), further, SCTP's IPIF list was updated
10665 		 * as well.
10666 		 */
10667 		err = ill_up_ipifs(ill, q, mp);
10668 	} else if ((flags & IFF_UP) && !(ipif->ipif_flags & IPIF_UP)) {
10669 		/*
10670 		 * XXX ipif_up really does not know whether a phyint flags
10671 		 * was modified or not. So, it sends up information on
10672 		 * only one routing sockets message. As we don't bring up
10673 		 * the interface and also set PHYI_ flags simultaneously
10674 		 * it should be okay.
10675 		 */
10676 		err = ipif_up(ipif, q, mp);
10677 	} else {
10678 		/*
10679 		 * Make sure routing socket sees all changes to the flags.
10680 		 * ipif_up_done* handles this when we use ipif_up.
10681 		 */
10682 		if (phyint_flags_modified) {
10683 			if (phyi->phyint_illv4 != NULL) {
10684 				ip_rts_ifmsg(phyi->phyint_illv4->
10685 				    ill_ipif, RTSQ_DEFAULT);
10686 			}
10687 			if (phyi->phyint_illv6 != NULL) {
10688 				ip_rts_ifmsg(phyi->phyint_illv6->
10689 				    ill_ipif, RTSQ_DEFAULT);
10690 			}
10691 		} else {
10692 			ip_rts_ifmsg(ipif, RTSQ_DEFAULT);
10693 		}
10694 		/*
10695 		 * Update the flags in SCTP's IPIF list, ipif_up() will do
10696 		 * this in need_up case.
10697 		 */
10698 		sctp_update_ipif(ipif, SCTP_IPIF_UPDATE);
10699 	}
10700 
10701 	/* The default multicast interface might have changed */
10702 	ire_increment_multicast_generation(ill->ill_ipst, ill->ill_isv6);
10703 	return (err);
10704 }
10705 
10706 /*
10707  * Restart the flags operation now that the refcounts have dropped to zero.
10708  */
10709 /* ARGSUSED */
10710 int
10711 ip_sioctl_flags_restart(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
10712     ip_ioctl_cmd_t *ipip, void *if_req)
10713 {
10714 	uint64_t flags;
10715 	struct ifreq *ifr = if_req;
10716 	struct lifreq *lifr = if_req;
10717 	uint64_t turn_on, turn_off;
10718 
10719 	ip1dbg(("ip_sioctl_flags_restart(%s:%u %p)\n",
10720 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
10721 
10722 	if (ipip->ipi_cmd_type == IF_CMD) {
10723 		/* cast to uint16_t prevents unwanted sign extension */
10724 		flags = (uint16_t)ifr->ifr_flags;
10725 	} else {
10726 		flags = lifr->lifr_flags;
10727 	}
10728 
10729 	/*
10730 	 * If this function call is a result of the ILLF_NOACCEPT flag
10731 	 * change, do not call ipif_down_tail(). See ip_sioctl_flags().
10732 	 */
10733 	ip_sioctl_flags_onoff(ipif, flags, &turn_on, &turn_off);
10734 	if (!((turn_on|turn_off) & ILLF_NOACCEPT))
10735 		(void) ipif_down_tail(ipif);
10736 
10737 	return (ip_sioctl_flags_tail(ipif, flags, q, mp));
10738 }
10739 
10740 /*
10741  * Can operate on either a module or a driver queue.
10742  */
10743 /* ARGSUSED */
10744 int
10745 ip_sioctl_get_flags(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
10746     ip_ioctl_cmd_t *ipip, void *if_req)
10747 {
10748 	/*
10749 	 * Has the flags been set correctly till now ?
10750 	 */
10751 	ill_t *ill = ipif->ipif_ill;
10752 	phyint_t *phyi = ill->ill_phyint;
10753 
10754 	ip1dbg(("ip_sioctl_get_flags(%s:%u %p)\n",
10755 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
10756 	ASSERT((phyi->phyint_flags & ~(IFF_PHYINT_FLAGS)) == 0);
10757 	ASSERT((ill->ill_flags & ~(IFF_PHYINTINST_FLAGS)) == 0);
10758 	ASSERT((ipif->ipif_flags & ~(IFF_LOGINT_FLAGS)) == 0);
10759 
10760 	/*
10761 	 * Need a lock since some flags can be set even when there are
10762 	 * references to the ipif.
10763 	 */
10764 	mutex_enter(&ill->ill_lock);
10765 	if (ipip->ipi_cmd_type == IF_CMD) {
10766 		struct ifreq *ifr = (struct ifreq *)if_req;
10767 
10768 		/* Get interface flags (low 16 only). */
10769 		ifr->ifr_flags = ((ipif->ipif_flags |
10770 		    ill->ill_flags | phyi->phyint_flags) & 0xffff);
10771 	} else {
10772 		struct lifreq *lifr = (struct lifreq *)if_req;
10773 
10774 		/* Get interface flags. */
10775 		lifr->lifr_flags = ipif->ipif_flags |
10776 		    ill->ill_flags | phyi->phyint_flags;
10777 	}
10778 	mutex_exit(&ill->ill_lock);
10779 	return (0);
10780 }
10781 
10782 /*
10783  * We allow the MTU to be set on an ILL, but not have it be different
10784  * for different IPIFs since we don't actually send packets on IPIFs.
10785  */
10786 /* ARGSUSED */
10787 int
10788 ip_sioctl_mtu(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
10789     ip_ioctl_cmd_t *ipip, void *if_req)
10790 {
10791 	int mtu;
10792 	int ip_min_mtu;
10793 	struct ifreq	*ifr;
10794 	struct lifreq *lifr;
10795 	ill_t	*ill;
10796 
10797 	ip1dbg(("ip_sioctl_mtu(%s:%u %p)\n", ipif->ipif_ill->ill_name,
10798 	    ipif->ipif_id, (void *)ipif));
10799 	if (ipip->ipi_cmd_type == IF_CMD) {
10800 		ifr = (struct ifreq *)if_req;
10801 		mtu = ifr->ifr_metric;
10802 	} else {
10803 		lifr = (struct lifreq *)if_req;
10804 		mtu = lifr->lifr_mtu;
10805 	}
10806 	/* Only allow for logical unit zero i.e. not on "bge0:17" */
10807 	if (ipif->ipif_id != 0)
10808 		return (EINVAL);
10809 
10810 	ill = ipif->ipif_ill;
10811 	if (ipif->ipif_isv6)
10812 		ip_min_mtu = IPV6_MIN_MTU;
10813 	else
10814 		ip_min_mtu = IP_MIN_MTU;
10815 
10816 	mutex_enter(&ill->ill_lock);
10817 	if (mtu > ill->ill_max_frag || mtu < ip_min_mtu) {
10818 		mutex_exit(&ill->ill_lock);
10819 		return (EINVAL);
10820 	}
10821 	/* Avoid increasing ill_mc_mtu */
10822 	if (ill->ill_mc_mtu > mtu)
10823 		ill->ill_mc_mtu = mtu;
10824 
10825 	/*
10826 	 * The dce and fragmentation code can handle changes to ill_mtu
10827 	 * concurrent with sending/fragmenting packets.
10828 	 */
10829 	ill->ill_mtu = mtu;
10830 	ill->ill_flags |= ILLF_FIXEDMTU;
10831 	mutex_exit(&ill->ill_lock);
10832 
10833 	/*
10834 	 * Make sure all dce_generation checks find out
10835 	 * that ill_mtu/ill_mc_mtu has changed.
10836 	 */
10837 	dce_increment_all_generations(ill->ill_isv6, ill->ill_ipst);
10838 
10839 	/*
10840 	 * Refresh IPMP meta-interface MTU if necessary.
10841 	 */
10842 	if (IS_UNDER_IPMP(ill))
10843 		ipmp_illgrp_refresh_mtu(ill->ill_grp);
10844 
10845 	/* Update the MTU in SCTP's list */
10846 	sctp_update_ipif(ipif, SCTP_IPIF_UPDATE);
10847 	return (0);
10848 }
10849 
10850 /* Get interface MTU. */
10851 /* ARGSUSED */
10852 int
10853 ip_sioctl_get_mtu(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
10854 	ip_ioctl_cmd_t *ipip, void *if_req)
10855 {
10856 	struct ifreq	*ifr;
10857 	struct lifreq	*lifr;
10858 
10859 	ip1dbg(("ip_sioctl_get_mtu(%s:%u %p)\n",
10860 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
10861 
10862 	/*
10863 	 * We allow a get on any logical interface even though the set
10864 	 * can only be done on logical unit 0.
10865 	 */
10866 	if (ipip->ipi_cmd_type == IF_CMD) {
10867 		ifr = (struct ifreq *)if_req;
10868 		ifr->ifr_metric = ipif->ipif_ill->ill_mtu;
10869 	} else {
10870 		lifr = (struct lifreq *)if_req;
10871 		lifr->lifr_mtu = ipif->ipif_ill->ill_mtu;
10872 	}
10873 	return (0);
10874 }
10875 
10876 /* Set interface broadcast address. */
10877 /* ARGSUSED2 */
10878 int
10879 ip_sioctl_brdaddr(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
10880 	ip_ioctl_cmd_t *ipip, void *if_req)
10881 {
10882 	ipaddr_t addr;
10883 	ire_t	*ire;
10884 	ill_t		*ill = ipif->ipif_ill;
10885 	ip_stack_t	*ipst = ill->ill_ipst;
10886 
10887 	ip1dbg(("ip_sioctl_brdaddr(%s:%u)\n", ill->ill_name,
10888 	    ipif->ipif_id));
10889 
10890 	ASSERT(IAM_WRITER_IPIF(ipif));
10891 	if (!(ipif->ipif_flags & IPIF_BROADCAST))
10892 		return (EADDRNOTAVAIL);
10893 
10894 	ASSERT(!(ipif->ipif_isv6));	/* No IPv6 broadcast */
10895 
10896 	if (sin->sin_family != AF_INET)
10897 		return (EAFNOSUPPORT);
10898 
10899 	addr = sin->sin_addr.s_addr;
10900 
10901 	if (ipif->ipif_flags & IPIF_UP) {
10902 		/*
10903 		 * If we are already up, make sure the new
10904 		 * broadcast address makes sense.  If it does,
10905 		 * there should be an IRE for it already.
10906 		 */
10907 		ire = ire_ftable_lookup_v4(addr, 0, 0, IRE_BROADCAST,
10908 		    ill, ipif->ipif_zoneid, NULL,
10909 		    (MATCH_IRE_ILL | MATCH_IRE_TYPE), 0, ipst, NULL);
10910 		if (ire == NULL) {
10911 			return (EINVAL);
10912 		} else {
10913 			ire_refrele(ire);
10914 		}
10915 	}
10916 	/*
10917 	 * Changing the broadcast addr for this ipif. Since the IRE_BROADCAST
10918 	 * needs to already exist we never need to change the set of
10919 	 * IRE_BROADCASTs when we are UP.
10920 	 */
10921 	if (addr != ipif->ipif_brd_addr)
10922 		IN6_IPADDR_TO_V4MAPPED(addr, &ipif->ipif_v6brd_addr);
10923 
10924 	return (0);
10925 }
10926 
10927 /* Get interface broadcast address. */
10928 /* ARGSUSED */
10929 int
10930 ip_sioctl_get_brdaddr(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
10931     ip_ioctl_cmd_t *ipip, void *if_req)
10932 {
10933 	ip1dbg(("ip_sioctl_get_brdaddr(%s:%u %p)\n",
10934 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
10935 	if (!(ipif->ipif_flags & IPIF_BROADCAST))
10936 		return (EADDRNOTAVAIL);
10937 
10938 	/* IPIF_BROADCAST not possible with IPv6 */
10939 	ASSERT(!ipif->ipif_isv6);
10940 	*sin = sin_null;
10941 	sin->sin_family = AF_INET;
10942 	sin->sin_addr.s_addr = ipif->ipif_brd_addr;
10943 	return (0);
10944 }
10945 
10946 /*
10947  * This routine is called to handle the SIOCS*IFNETMASK IOCTL.
10948  */
10949 /* ARGSUSED */
10950 int
10951 ip_sioctl_netmask(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
10952     ip_ioctl_cmd_t *ipip, void *if_req)
10953 {
10954 	int err = 0;
10955 	in6_addr_t v6mask;
10956 
10957 	ip1dbg(("ip_sioctl_netmask(%s:%u %p)\n",
10958 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
10959 
10960 	ASSERT(IAM_WRITER_IPIF(ipif));
10961 
10962 	if (ipif->ipif_isv6) {
10963 		sin6_t *sin6;
10964 
10965 		if (sin->sin_family != AF_INET6)
10966 			return (EAFNOSUPPORT);
10967 
10968 		sin6 = (sin6_t *)sin;
10969 		v6mask = sin6->sin6_addr;
10970 	} else {
10971 		ipaddr_t mask;
10972 
10973 		if (sin->sin_family != AF_INET)
10974 			return (EAFNOSUPPORT);
10975 
10976 		mask = sin->sin_addr.s_addr;
10977 		if (!ip_contiguous_mask(ntohl(mask)))
10978 			return (ENOTSUP);
10979 		V4MASK_TO_V6(mask, v6mask);
10980 	}
10981 
10982 	/*
10983 	 * No big deal if the interface isn't already up, or the mask
10984 	 * isn't really changing, or this is pt-pt.
10985 	 */
10986 	if (!(ipif->ipif_flags & IPIF_UP) ||
10987 	    IN6_ARE_ADDR_EQUAL(&v6mask, &ipif->ipif_v6net_mask) ||
10988 	    (ipif->ipif_flags & IPIF_POINTOPOINT)) {
10989 		ipif->ipif_v6net_mask = v6mask;
10990 		if ((ipif->ipif_flags & IPIF_POINTOPOINT) == 0) {
10991 			V6_MASK_COPY(ipif->ipif_v6lcl_addr,
10992 			    ipif->ipif_v6net_mask,
10993 			    ipif->ipif_v6subnet);
10994 		}
10995 		return (0);
10996 	}
10997 	/*
10998 	 * Make sure we have valid net and subnet broadcast ire's
10999 	 * for the old netmask, if needed by other logical interfaces.
11000 	 */
11001 	err = ipif_logical_down(ipif, q, mp);
11002 	if (err == EINPROGRESS)
11003 		return (err);
11004 	(void) ipif_down_tail(ipif);
11005 	err = ip_sioctl_netmask_tail(ipif, sin, q, mp);
11006 	return (err);
11007 }
11008 
11009 static int
11010 ip_sioctl_netmask_tail(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp)
11011 {
11012 	in6_addr_t v6mask;
11013 	int err = 0;
11014 
11015 	ip1dbg(("ip_sioctl_netmask_tail(%s:%u %p)\n",
11016 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11017 
11018 	if (ipif->ipif_isv6) {
11019 		sin6_t *sin6;
11020 
11021 		sin6 = (sin6_t *)sin;
11022 		v6mask = sin6->sin6_addr;
11023 	} else {
11024 		ipaddr_t mask;
11025 
11026 		mask = sin->sin_addr.s_addr;
11027 		V4MASK_TO_V6(mask, v6mask);
11028 	}
11029 
11030 	ipif->ipif_v6net_mask = v6mask;
11031 	if ((ipif->ipif_flags & IPIF_POINTOPOINT) == 0) {
11032 		V6_MASK_COPY(ipif->ipif_v6lcl_addr, ipif->ipif_v6net_mask,
11033 		    ipif->ipif_v6subnet);
11034 	}
11035 	err = ipif_up(ipif, q, mp);
11036 
11037 	if (err == 0 || err == EINPROGRESS) {
11038 		/*
11039 		 * The interface must be DL_BOUND if this packet has to
11040 		 * go out on the wire. Since we only go through a logical
11041 		 * down and are bound with the driver during an internal
11042 		 * down/up that is satisfied.
11043 		 */
11044 		if (!ipif->ipif_isv6 && ipif->ipif_ill->ill_wq != NULL) {
11045 			/* Potentially broadcast an address mask reply. */
11046 			ipif_mask_reply(ipif);
11047 		}
11048 	}
11049 	return (err);
11050 }
11051 
11052 /* ARGSUSED */
11053 int
11054 ip_sioctl_netmask_restart(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
11055     ip_ioctl_cmd_t *ipip, void *if_req)
11056 {
11057 	ip1dbg(("ip_sioctl_netmask_restart(%s:%u %p)\n",
11058 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11059 	(void) ipif_down_tail(ipif);
11060 	return (ip_sioctl_netmask_tail(ipif, sin, q, mp));
11061 }
11062 
11063 /* Get interface net mask. */
11064 /* ARGSUSED */
11065 int
11066 ip_sioctl_get_netmask(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
11067     ip_ioctl_cmd_t *ipip, void *if_req)
11068 {
11069 	struct lifreq *lifr = (struct lifreq *)if_req;
11070 	struct sockaddr_in6 *sin6 = (sin6_t *)sin;
11071 
11072 	ip1dbg(("ip_sioctl_get_netmask(%s:%u %p)\n",
11073 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11074 
11075 	/*
11076 	 * net mask can't change since we have a reference to the ipif.
11077 	 */
11078 	if (ipif->ipif_isv6) {
11079 		ASSERT(ipip->ipi_cmd_type == LIF_CMD);
11080 		*sin6 = sin6_null;
11081 		sin6->sin6_family = AF_INET6;
11082 		sin6->sin6_addr = ipif->ipif_v6net_mask;
11083 		lifr->lifr_addrlen =
11084 		    ip_mask_to_plen_v6(&ipif->ipif_v6net_mask);
11085 	} else {
11086 		*sin = sin_null;
11087 		sin->sin_family = AF_INET;
11088 		sin->sin_addr.s_addr = ipif->ipif_net_mask;
11089 		if (ipip->ipi_cmd_type == LIF_CMD) {
11090 			lifr->lifr_addrlen =
11091 			    ip_mask_to_plen(ipif->ipif_net_mask);
11092 		}
11093 	}
11094 	return (0);
11095 }
11096 
11097 /* ARGSUSED */
11098 int
11099 ip_sioctl_metric(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
11100     ip_ioctl_cmd_t *ipip, void *if_req)
11101 {
11102 	ip1dbg(("ip_sioctl_metric(%s:%u %p)\n",
11103 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11104 
11105 	/*
11106 	 * Since no applications should ever be setting metrics on underlying
11107 	 * interfaces, we explicitly fail to smoke 'em out.
11108 	 */
11109 	if (IS_UNDER_IPMP(ipif->ipif_ill))
11110 		return (EINVAL);
11111 
11112 	/*
11113 	 * Set interface metric.  We don't use this for
11114 	 * anything but we keep track of it in case it is
11115 	 * important to routing applications or such.
11116 	 */
11117 	if (ipip->ipi_cmd_type == IF_CMD) {
11118 		struct ifreq    *ifr;
11119 
11120 		ifr = (struct ifreq *)if_req;
11121 		ipif->ipif_ill->ill_metric = ifr->ifr_metric;
11122 	} else {
11123 		struct lifreq   *lifr;
11124 
11125 		lifr = (struct lifreq *)if_req;
11126 		ipif->ipif_ill->ill_metric = lifr->lifr_metric;
11127 	}
11128 	return (0);
11129 }
11130 
11131 /* ARGSUSED */
11132 int
11133 ip_sioctl_get_metric(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
11134     ip_ioctl_cmd_t *ipip, void *if_req)
11135 {
11136 	/* Get interface metric. */
11137 	ip1dbg(("ip_sioctl_get_metric(%s:%u %p)\n",
11138 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11139 
11140 	if (ipip->ipi_cmd_type == IF_CMD) {
11141 		struct ifreq    *ifr;
11142 
11143 		ifr = (struct ifreq *)if_req;
11144 		ifr->ifr_metric = ipif->ipif_ill->ill_metric;
11145 	} else {
11146 		struct lifreq   *lifr;
11147 
11148 		lifr = (struct lifreq *)if_req;
11149 		lifr->lifr_metric = ipif->ipif_ill->ill_metric;
11150 	}
11151 
11152 	return (0);
11153 }
11154 
11155 /* ARGSUSED */
11156 int
11157 ip_sioctl_muxid(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
11158     ip_ioctl_cmd_t *ipip, void *if_req)
11159 {
11160 	int	arp_muxid;
11161 
11162 	ip1dbg(("ip_sioctl_muxid(%s:%u %p)\n",
11163 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11164 	/*
11165 	 * Set the muxid returned from I_PLINK.
11166 	 */
11167 	if (ipip->ipi_cmd_type == IF_CMD) {
11168 		struct ifreq *ifr = (struct ifreq *)if_req;
11169 
11170 		ipif->ipif_ill->ill_muxid = ifr->ifr_ip_muxid;
11171 		arp_muxid = ifr->ifr_arp_muxid;
11172 	} else {
11173 		struct lifreq *lifr = (struct lifreq *)if_req;
11174 
11175 		ipif->ipif_ill->ill_muxid = lifr->lifr_ip_muxid;
11176 		arp_muxid = lifr->lifr_arp_muxid;
11177 	}
11178 	arl_set_muxid(ipif->ipif_ill, arp_muxid);
11179 	return (0);
11180 }
11181 
11182 /* ARGSUSED */
11183 int
11184 ip_sioctl_get_muxid(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
11185     ip_ioctl_cmd_t *ipip, void *if_req)
11186 {
11187 	int	arp_muxid = 0;
11188 
11189 	ip1dbg(("ip_sioctl_get_muxid(%s:%u %p)\n",
11190 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11191 	/*
11192 	 * Get the muxid saved in ill for I_PUNLINK.
11193 	 */
11194 	arp_muxid = arl_get_muxid(ipif->ipif_ill);
11195 	if (ipip->ipi_cmd_type == IF_CMD) {
11196 		struct ifreq *ifr = (struct ifreq *)if_req;
11197 
11198 		ifr->ifr_ip_muxid = ipif->ipif_ill->ill_muxid;
11199 		ifr->ifr_arp_muxid = arp_muxid;
11200 	} else {
11201 		struct lifreq *lifr = (struct lifreq *)if_req;
11202 
11203 		lifr->lifr_ip_muxid = ipif->ipif_ill->ill_muxid;
11204 		lifr->lifr_arp_muxid = arp_muxid;
11205 	}
11206 	return (0);
11207 }
11208 
11209 /*
11210  * Set the subnet prefix. Does not modify the broadcast address.
11211  */
11212 /* ARGSUSED */
11213 int
11214 ip_sioctl_subnet(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
11215     ip_ioctl_cmd_t *ipip, void *if_req)
11216 {
11217 	int err = 0;
11218 	in6_addr_t v6addr;
11219 	in6_addr_t v6mask;
11220 	boolean_t need_up = B_FALSE;
11221 	int addrlen;
11222 
11223 	ip1dbg(("ip_sioctl_subnet(%s:%u %p)\n",
11224 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11225 
11226 	ASSERT(IAM_WRITER_IPIF(ipif));
11227 	addrlen = ((struct lifreq *)if_req)->lifr_addrlen;
11228 
11229 	if (ipif->ipif_isv6) {
11230 		sin6_t *sin6;
11231 
11232 		if (sin->sin_family != AF_INET6)
11233 			return (EAFNOSUPPORT);
11234 
11235 		sin6 = (sin6_t *)sin;
11236 		v6addr = sin6->sin6_addr;
11237 		if (!ip_remote_addr_ok_v6(&v6addr, &ipv6_all_ones))
11238 			return (EADDRNOTAVAIL);
11239 	} else {
11240 		ipaddr_t addr;
11241 
11242 		if (sin->sin_family != AF_INET)
11243 			return (EAFNOSUPPORT);
11244 
11245 		addr = sin->sin_addr.s_addr;
11246 		if (!ip_addr_ok_v4(addr, 0xFFFFFFFF))
11247 			return (EADDRNOTAVAIL);
11248 		IN6_IPADDR_TO_V4MAPPED(addr, &v6addr);
11249 		/* Add 96 bits */
11250 		addrlen += IPV6_ABITS - IP_ABITS;
11251 	}
11252 
11253 	if (ip_plen_to_mask_v6(addrlen, &v6mask) == NULL)
11254 		return (EINVAL);
11255 
11256 	/* Check if bits in the address is set past the mask */
11257 	if (!V6_MASK_EQ(v6addr, v6mask, v6addr))
11258 		return (EINVAL);
11259 
11260 	if (IN6_ARE_ADDR_EQUAL(&ipif->ipif_v6subnet, &v6addr) &&
11261 	    IN6_ARE_ADDR_EQUAL(&ipif->ipif_v6net_mask, &v6mask))
11262 		return (0);	/* No change */
11263 
11264 	if (ipif->ipif_flags & IPIF_UP) {
11265 		/*
11266 		 * If the interface is already marked up,
11267 		 * we call ipif_down which will take care
11268 		 * of ditching any IREs that have been set
11269 		 * up based on the old interface address.
11270 		 */
11271 		err = ipif_logical_down(ipif, q, mp);
11272 		if (err == EINPROGRESS)
11273 			return (err);
11274 		(void) ipif_down_tail(ipif);
11275 		need_up = B_TRUE;
11276 	}
11277 
11278 	err = ip_sioctl_subnet_tail(ipif, v6addr, v6mask, q, mp, need_up);
11279 	return (err);
11280 }
11281 
11282 static int
11283 ip_sioctl_subnet_tail(ipif_t *ipif, in6_addr_t v6addr, in6_addr_t v6mask,
11284     queue_t *q, mblk_t *mp, boolean_t need_up)
11285 {
11286 	ill_t	*ill = ipif->ipif_ill;
11287 	int	err = 0;
11288 
11289 	ip1dbg(("ip_sioctl_subnet_tail(%s:%u %p)\n",
11290 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11291 
11292 	/* Set the new address. */
11293 	mutex_enter(&ill->ill_lock);
11294 	ipif->ipif_v6net_mask = v6mask;
11295 	if ((ipif->ipif_flags & IPIF_POINTOPOINT) == 0) {
11296 		V6_MASK_COPY(v6addr, ipif->ipif_v6net_mask,
11297 		    ipif->ipif_v6subnet);
11298 	}
11299 	mutex_exit(&ill->ill_lock);
11300 
11301 	if (need_up) {
11302 		/*
11303 		 * Now bring the interface back up.  If this
11304 		 * is the only IPIF for the ILL, ipif_up
11305 		 * will have to re-bind to the device, so
11306 		 * we may get back EINPROGRESS, in which
11307 		 * case, this IOCTL will get completed in
11308 		 * ip_rput_dlpi when we see the DL_BIND_ACK.
11309 		 */
11310 		err = ipif_up(ipif, q, mp);
11311 		if (err == EINPROGRESS)
11312 			return (err);
11313 	}
11314 	return (err);
11315 }
11316 
11317 /* ARGSUSED */
11318 int
11319 ip_sioctl_subnet_restart(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
11320     ip_ioctl_cmd_t *ipip, void *if_req)
11321 {
11322 	int	addrlen;
11323 	in6_addr_t v6addr;
11324 	in6_addr_t v6mask;
11325 	struct lifreq *lifr = (struct lifreq *)if_req;
11326 
11327 	ip1dbg(("ip_sioctl_subnet_restart(%s:%u %p)\n",
11328 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11329 	(void) ipif_down_tail(ipif);
11330 
11331 	addrlen = lifr->lifr_addrlen;
11332 	if (ipif->ipif_isv6) {
11333 		sin6_t *sin6;
11334 
11335 		sin6 = (sin6_t *)sin;
11336 		v6addr = sin6->sin6_addr;
11337 	} else {
11338 		ipaddr_t addr;
11339 
11340 		addr = sin->sin_addr.s_addr;
11341 		IN6_IPADDR_TO_V4MAPPED(addr, &v6addr);
11342 		addrlen += IPV6_ABITS - IP_ABITS;
11343 	}
11344 	(void) ip_plen_to_mask_v6(addrlen, &v6mask);
11345 
11346 	return (ip_sioctl_subnet_tail(ipif, v6addr, v6mask, q, mp, B_TRUE));
11347 }
11348 
11349 /* ARGSUSED */
11350 int
11351 ip_sioctl_get_subnet(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
11352     ip_ioctl_cmd_t *ipip, void *if_req)
11353 {
11354 	struct lifreq *lifr = (struct lifreq *)if_req;
11355 	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sin;
11356 
11357 	ip1dbg(("ip_sioctl_get_subnet(%s:%u %p)\n",
11358 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11359 	ASSERT(ipip->ipi_cmd_type == LIF_CMD);
11360 
11361 	if (ipif->ipif_isv6) {
11362 		*sin6 = sin6_null;
11363 		sin6->sin6_family = AF_INET6;
11364 		sin6->sin6_addr = ipif->ipif_v6subnet;
11365 		lifr->lifr_addrlen =
11366 		    ip_mask_to_plen_v6(&ipif->ipif_v6net_mask);
11367 	} else {
11368 		*sin = sin_null;
11369 		sin->sin_family = AF_INET;
11370 		sin->sin_addr.s_addr = ipif->ipif_subnet;
11371 		lifr->lifr_addrlen = ip_mask_to_plen(ipif->ipif_net_mask);
11372 	}
11373 	return (0);
11374 }
11375 
11376 /*
11377  * Set the IPv6 address token.
11378  */
11379 /* ARGSUSED */
11380 int
11381 ip_sioctl_token(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
11382     ip_ioctl_cmd_t *ipi, void *if_req)
11383 {
11384 	ill_t *ill = ipif->ipif_ill;
11385 	int err;
11386 	in6_addr_t v6addr;
11387 	in6_addr_t v6mask;
11388 	boolean_t need_up = B_FALSE;
11389 	int i;
11390 	sin6_t *sin6 = (sin6_t *)sin;
11391 	struct lifreq *lifr = (struct lifreq *)if_req;
11392 	int addrlen;
11393 
11394 	ip1dbg(("ip_sioctl_token(%s:%u %p)\n",
11395 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11396 	ASSERT(IAM_WRITER_IPIF(ipif));
11397 
11398 	addrlen = lifr->lifr_addrlen;
11399 	/* Only allow for logical unit zero i.e. not on "le0:17" */
11400 	if (ipif->ipif_id != 0)
11401 		return (EINVAL);
11402 
11403 	if (!ipif->ipif_isv6)
11404 		return (EINVAL);
11405 
11406 	if (addrlen > IPV6_ABITS)
11407 		return (EINVAL);
11408 
11409 	v6addr = sin6->sin6_addr;
11410 
11411 	/*
11412 	 * The length of the token is the length from the end.  To get
11413 	 * the proper mask for this, compute the mask of the bits not
11414 	 * in the token; ie. the prefix, and then xor to get the mask.
11415 	 */
11416 	if (ip_plen_to_mask_v6(IPV6_ABITS - addrlen, &v6mask) == NULL)
11417 		return (EINVAL);
11418 	for (i = 0; i < 4; i++) {
11419 		v6mask.s6_addr32[i] ^= (uint32_t)0xffffffff;
11420 	}
11421 
11422 	if (V6_MASK_EQ(v6addr, v6mask, ill->ill_token) &&
11423 	    ill->ill_token_length == addrlen)
11424 		return (0);	/* No change */
11425 
11426 	if (ipif->ipif_flags & IPIF_UP) {
11427 		err = ipif_logical_down(ipif, q, mp);
11428 		if (err == EINPROGRESS)
11429 			return (err);
11430 		(void) ipif_down_tail(ipif);
11431 		need_up = B_TRUE;
11432 	}
11433 	err = ip_sioctl_token_tail(ipif, sin6, addrlen, q, mp, need_up);
11434 	return (err);
11435 }
11436 
11437 static int
11438 ip_sioctl_token_tail(ipif_t *ipif, sin6_t *sin6, int addrlen, queue_t *q,
11439     mblk_t *mp, boolean_t need_up)
11440 {
11441 	in6_addr_t v6addr;
11442 	in6_addr_t v6mask;
11443 	ill_t	*ill = ipif->ipif_ill;
11444 	int	i;
11445 	int	err = 0;
11446 
11447 	ip1dbg(("ip_sioctl_token_tail(%s:%u %p)\n",
11448 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11449 	v6addr = sin6->sin6_addr;
11450 	/*
11451 	 * The length of the token is the length from the end.  To get
11452 	 * the proper mask for this, compute the mask of the bits not
11453 	 * in the token; ie. the prefix, and then xor to get the mask.
11454 	 */
11455 	(void) ip_plen_to_mask_v6(IPV6_ABITS - addrlen, &v6mask);
11456 	for (i = 0; i < 4; i++)
11457 		v6mask.s6_addr32[i] ^= (uint32_t)0xffffffff;
11458 
11459 	mutex_enter(&ill->ill_lock);
11460 	V6_MASK_COPY(v6addr, v6mask, ill->ill_token);
11461 	ill->ill_token_length = addrlen;
11462 	ill->ill_manual_token = 1;
11463 
11464 	/* Reconfigure the link-local address based on this new token */
11465 	ipif_setlinklocal(ill->ill_ipif);
11466 
11467 	mutex_exit(&ill->ill_lock);
11468 
11469 	if (need_up) {
11470 		/*
11471 		 * Now bring the interface back up.  If this
11472 		 * is the only IPIF for the ILL, ipif_up
11473 		 * will have to re-bind to the device, so
11474 		 * we may get back EINPROGRESS, in which
11475 		 * case, this IOCTL will get completed in
11476 		 * ip_rput_dlpi when we see the DL_BIND_ACK.
11477 		 */
11478 		err = ipif_up(ipif, q, mp);
11479 		if (err == EINPROGRESS)
11480 			return (err);
11481 	}
11482 	return (err);
11483 }
11484 
11485 /* ARGSUSED */
11486 int
11487 ip_sioctl_get_token(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
11488     ip_ioctl_cmd_t *ipi, void *if_req)
11489 {
11490 	ill_t *ill;
11491 	sin6_t *sin6 = (sin6_t *)sin;
11492 	struct lifreq *lifr = (struct lifreq *)if_req;
11493 
11494 	ip1dbg(("ip_sioctl_get_token(%s:%u %p)\n",
11495 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11496 	if (ipif->ipif_id != 0)
11497 		return (EINVAL);
11498 
11499 	ill = ipif->ipif_ill;
11500 	if (!ill->ill_isv6)
11501 		return (ENXIO);
11502 
11503 	*sin6 = sin6_null;
11504 	sin6->sin6_family = AF_INET6;
11505 	ASSERT(!IN6_IS_ADDR_V4MAPPED(&ill->ill_token));
11506 	sin6->sin6_addr = ill->ill_token;
11507 	lifr->lifr_addrlen = ill->ill_token_length;
11508 	return (0);
11509 }
11510 
11511 /*
11512  * Set (hardware) link specific information that might override
11513  * what was acquired through the DL_INFO_ACK.
11514  */
11515 /* ARGSUSED */
11516 int
11517 ip_sioctl_lnkinfo(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
11518     ip_ioctl_cmd_t *ipi, void *if_req)
11519 {
11520 	ill_t		*ill = ipif->ipif_ill;
11521 	int		ip_min_mtu;
11522 	struct lifreq	*lifr = (struct lifreq *)if_req;
11523 	lif_ifinfo_req_t *lir;
11524 
11525 	ip1dbg(("ip_sioctl_lnkinfo(%s:%u %p)\n",
11526 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11527 	lir = &lifr->lifr_ifinfo;
11528 	ASSERT(IAM_WRITER_IPIF(ipif));
11529 
11530 	/* Only allow for logical unit zero i.e. not on "bge0:17" */
11531 	if (ipif->ipif_id != 0)
11532 		return (EINVAL);
11533 
11534 	/* Set interface MTU. */
11535 	if (ipif->ipif_isv6)
11536 		ip_min_mtu = IPV6_MIN_MTU;
11537 	else
11538 		ip_min_mtu = IP_MIN_MTU;
11539 
11540 	/*
11541 	 * Verify values before we set anything. Allow zero to
11542 	 * mean unspecified.
11543 	 *
11544 	 * XXX We should be able to set the user-defined lir_mtu to some value
11545 	 * that is greater than ill_current_frag but less than ill_max_frag- the
11546 	 * ill_max_frag value tells us the max MTU that can be handled by the
11547 	 * datalink, whereas the ill_current_frag is dynamically computed for
11548 	 * some link-types like tunnels, based on the tunnel PMTU. However,
11549 	 * since there is currently no way of distinguishing between
11550 	 * administratively fixed link mtu values (e.g., those set via
11551 	 * /sbin/dladm) and dynamically discovered MTUs (e.g., those discovered
11552 	 * for tunnels) we conservatively choose the  ill_current_frag as the
11553 	 * upper-bound.
11554 	 */
11555 	if (lir->lir_maxmtu != 0 &&
11556 	    (lir->lir_maxmtu > ill->ill_current_frag ||
11557 	    lir->lir_maxmtu < ip_min_mtu))
11558 		return (EINVAL);
11559 	if (lir->lir_reachtime != 0 &&
11560 	    lir->lir_reachtime > ND_MAX_REACHTIME)
11561 		return (EINVAL);
11562 	if (lir->lir_reachretrans != 0 &&
11563 	    lir->lir_reachretrans > ND_MAX_REACHRETRANSTIME)
11564 		return (EINVAL);
11565 
11566 	mutex_enter(&ill->ill_lock);
11567 	/*
11568 	 * The dce and fragmentation code can handle changes to ill_mtu
11569 	 * concurrent with sending/fragmenting packets.
11570 	 */
11571 	if (lir->lir_maxmtu != 0)
11572 		ill->ill_user_mtu = lir->lir_maxmtu;
11573 
11574 	if (lir->lir_reachtime != 0)
11575 		ill->ill_reachable_time = lir->lir_reachtime;
11576 
11577 	if (lir->lir_reachretrans != 0)
11578 		ill->ill_reachable_retrans_time = lir->lir_reachretrans;
11579 
11580 	ill->ill_max_hops = lir->lir_maxhops;
11581 	ill->ill_max_buf = ND_MAX_Q;
11582 	if (!(ill->ill_flags & ILLF_FIXEDMTU) && ill->ill_user_mtu != 0) {
11583 		/*
11584 		 * ill_mtu is the actual interface MTU, obtained as the min
11585 		 * of user-configured mtu and the value announced by the
11586 		 * driver (via DL_NOTE_SDU_SIZE/DL_INFO_ACK). Note that since
11587 		 * we have already made the choice of requiring
11588 		 * ill_user_mtu < ill_current_frag by the time we get here,
11589 		 * the ill_mtu effectively gets assigned to the ill_user_mtu
11590 		 * here.
11591 		 */
11592 		ill->ill_mtu = MIN(ill->ill_current_frag, ill->ill_user_mtu);
11593 		ill->ill_mc_mtu = MIN(ill->ill_mc_mtu, ill->ill_user_mtu);
11594 	}
11595 	mutex_exit(&ill->ill_lock);
11596 
11597 	/*
11598 	 * Make sure all dce_generation checks find out
11599 	 * that ill_mtu/ill_mc_mtu has changed.
11600 	 */
11601 	if (!(ill->ill_flags & ILLF_FIXEDMTU) && (lir->lir_maxmtu != 0))
11602 		dce_increment_all_generations(ill->ill_isv6, ill->ill_ipst);
11603 
11604 	/*
11605 	 * Refresh IPMP meta-interface MTU if necessary.
11606 	 */
11607 	if (IS_UNDER_IPMP(ill))
11608 		ipmp_illgrp_refresh_mtu(ill->ill_grp);
11609 
11610 	return (0);
11611 }
11612 
11613 /* ARGSUSED */
11614 int
11615 ip_sioctl_get_lnkinfo(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
11616     ip_ioctl_cmd_t *ipi, void *if_req)
11617 {
11618 	struct lif_ifinfo_req *lir;
11619 	ill_t *ill = ipif->ipif_ill;
11620 
11621 	ip1dbg(("ip_sioctl_get_lnkinfo(%s:%u %p)\n",
11622 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
11623 	if (ipif->ipif_id != 0)
11624 		return (EINVAL);
11625 
11626 	lir = &((struct lifreq *)if_req)->lifr_ifinfo;
11627 	lir->lir_maxhops = ill->ill_max_hops;
11628 	lir->lir_reachtime = ill->ill_reachable_time;
11629 	lir->lir_reachretrans = ill->ill_reachable_retrans_time;
11630 	lir->lir_maxmtu = ill->ill_mtu;
11631 
11632 	return (0);
11633 }
11634 
11635 /*
11636  * Return best guess as to the subnet mask for the specified address.
11637  * Based on the subnet masks for all the configured interfaces.
11638  *
11639  * We end up returning a zero mask in the case of default, multicast or
11640  * experimental.
11641  */
11642 static ipaddr_t
11643 ip_subnet_mask(ipaddr_t addr, ipif_t **ipifp, ip_stack_t *ipst)
11644 {
11645 	ipaddr_t net_mask;
11646 	ill_t	*ill;
11647 	ipif_t	*ipif;
11648 	ill_walk_context_t ctx;
11649 	ipif_t	*fallback_ipif = NULL;
11650 
11651 	net_mask = ip_net_mask(addr);
11652 	if (net_mask == 0) {
11653 		*ipifp = NULL;
11654 		return (0);
11655 	}
11656 
11657 	/* Let's check to see if this is maybe a local subnet route. */
11658 	/* this function only applies to IPv4 interfaces */
11659 	rw_enter(&ipst->ips_ill_g_lock, RW_READER);
11660 	ill = ILL_START_WALK_V4(&ctx, ipst);
11661 	for (; ill != NULL; ill = ill_next(&ctx, ill)) {
11662 		mutex_enter(&ill->ill_lock);
11663 		for (ipif = ill->ill_ipif; ipif != NULL;
11664 		    ipif = ipif->ipif_next) {
11665 			if (IPIF_IS_CONDEMNED(ipif))
11666 				continue;
11667 			if (!(ipif->ipif_flags & IPIF_UP))
11668 				continue;
11669 			if ((ipif->ipif_subnet & net_mask) ==
11670 			    (addr & net_mask)) {
11671 				/*
11672 				 * Don't trust pt-pt interfaces if there are
11673 				 * other interfaces.
11674 				 */
11675 				if (ipif->ipif_flags & IPIF_POINTOPOINT) {
11676 					if (fallback_ipif == NULL) {
11677 						ipif_refhold_locked(ipif);
11678 						fallback_ipif = ipif;
11679 					}
11680 					continue;
11681 				}
11682 
11683 				/*
11684 				 * Fine. Just assume the same net mask as the
11685 				 * directly attached subnet interface is using.
11686 				 */
11687 				ipif_refhold_locked(ipif);
11688 				mutex_exit(&ill->ill_lock);
11689 				rw_exit(&ipst->ips_ill_g_lock);
11690 				if (fallback_ipif != NULL)
11691 					ipif_refrele(fallback_ipif);
11692 				*ipifp = ipif;
11693 				return (ipif->ipif_net_mask);
11694 			}
11695 		}
11696 		mutex_exit(&ill->ill_lock);
11697 	}
11698 	rw_exit(&ipst->ips_ill_g_lock);
11699 
11700 	*ipifp = fallback_ipif;
11701 	return ((fallback_ipif != NULL) ?
11702 	    fallback_ipif->ipif_net_mask : net_mask);
11703 }
11704 
11705 /*
11706  * ip_sioctl_copyin_setup calls ip_wput_ioctl to process the IP_IOCTL ioctl.
11707  */
11708 static void
11709 ip_wput_ioctl(queue_t *q, mblk_t *mp)
11710 {
11711 	IOCP	iocp;
11712 	ipft_t	*ipft;
11713 	ipllc_t	*ipllc;
11714 	mblk_t	*mp1;
11715 	cred_t	*cr;
11716 	int	error = 0;
11717 	conn_t	*connp;
11718 
11719 	ip1dbg(("ip_wput_ioctl"));
11720 	iocp = (IOCP)mp->b_rptr;
11721 	mp1 = mp->b_cont;
11722 	if (mp1 == NULL) {
11723 		iocp->ioc_error = EINVAL;
11724 		mp->b_datap->db_type = M_IOCNAK;
11725 		iocp->ioc_count = 0;
11726 		qreply(q, mp);
11727 		return;
11728 	}
11729 
11730 	/*
11731 	 * These IOCTLs provide various control capabilities to
11732 	 * upstream agents such as ULPs and processes.	There
11733 	 * are currently two such IOCTLs implemented.  They
11734 	 * are used by TCP to provide update information for
11735 	 * existing IREs and to forcibly delete an IRE for a
11736 	 * host that is not responding, thereby forcing an
11737 	 * attempt at a new route.
11738 	 */
11739 	iocp->ioc_error = EINVAL;
11740 	if (!pullupmsg(mp1, sizeof (ipllc->ipllc_cmd)))
11741 		goto done;
11742 
11743 	ipllc = (ipllc_t *)mp1->b_rptr;
11744 	for (ipft = ip_ioctl_ftbl; ipft->ipft_pfi; ipft++) {
11745 		if (ipllc->ipllc_cmd == ipft->ipft_cmd)
11746 			break;
11747 	}
11748 	/*
11749 	 * prefer credential from mblk over ioctl;
11750 	 * see ip_sioctl_copyin_setup
11751 	 */
11752 	cr = msg_getcred(mp, NULL);
11753 	if (cr == NULL)
11754 		cr = iocp->ioc_cr;
11755 
11756 	/*
11757 	 * Refhold the conn in case the request gets queued up in some lookup
11758 	 */
11759 	ASSERT(CONN_Q(q));
11760 	connp = Q_TO_CONN(q);
11761 	CONN_INC_REF(connp);
11762 	CONN_INC_IOCTLREF(connp);
11763 	if (ipft->ipft_pfi &&
11764 	    ((mp1->b_wptr - mp1->b_rptr) >= ipft->ipft_min_size ||
11765 	    pullupmsg(mp1, ipft->ipft_min_size))) {
11766 		error = (*ipft->ipft_pfi)(q,
11767 		    (ipft->ipft_flags & IPFT_F_SELF_REPLY) ? mp : mp1, cr);
11768 	}
11769 	if (ipft->ipft_flags & IPFT_F_SELF_REPLY) {
11770 		/*
11771 		 * CONN_OPER_PENDING_DONE happens in the function called
11772 		 * through ipft_pfi above.
11773 		 */
11774 		return;
11775 	}
11776 
11777 	CONN_DEC_IOCTLREF(connp);
11778 	CONN_OPER_PENDING_DONE(connp);
11779 	if (ipft->ipft_flags & IPFT_F_NO_REPLY) {
11780 		freemsg(mp);
11781 		return;
11782 	}
11783 	iocp->ioc_error = error;
11784 
11785 done:
11786 	mp->b_datap->db_type = M_IOCACK;
11787 	if (iocp->ioc_error)
11788 		iocp->ioc_count = 0;
11789 	qreply(q, mp);
11790 }
11791 
11792 /*
11793  * Assign a unique id for the ipif. This is used by sctp_addr.c
11794  * Note: remove if sctp_addr.c is redone to not shadow ill/ipif data structures.
11795  */
11796 static void
11797 ipif_assign_seqid(ipif_t *ipif)
11798 {
11799 	ip_stack_t	*ipst = ipif->ipif_ill->ill_ipst;
11800 
11801 	ipif->ipif_seqid = atomic_add_64_nv(&ipst->ips_ipif_g_seqid, 1);
11802 }
11803 
11804 /*
11805  * Clone the contents of `sipif' to `dipif'.  Requires that both ipifs are
11806  * administratively down (i.e., no DAD), of the same type, and locked.  Note
11807  * that the clone is complete -- including the seqid -- and the expectation is
11808  * that the caller will either free or overwrite `sipif' before it's unlocked.
11809  */
11810 static void
11811 ipif_clone(const ipif_t *sipif, ipif_t *dipif)
11812 {
11813 	ASSERT(MUTEX_HELD(&sipif->ipif_ill->ill_lock));
11814 	ASSERT(MUTEX_HELD(&dipif->ipif_ill->ill_lock));
11815 	ASSERT(!(sipif->ipif_flags & (IPIF_UP|IPIF_DUPLICATE)));
11816 	ASSERT(!(dipif->ipif_flags & (IPIF_UP|IPIF_DUPLICATE)));
11817 	ASSERT(sipif->ipif_ire_type == dipif->ipif_ire_type);
11818 
11819 	dipif->ipif_flags = sipif->ipif_flags;
11820 	dipif->ipif_zoneid = sipif->ipif_zoneid;
11821 	dipif->ipif_v6subnet = sipif->ipif_v6subnet;
11822 	dipif->ipif_v6lcl_addr = sipif->ipif_v6lcl_addr;
11823 	dipif->ipif_v6net_mask = sipif->ipif_v6net_mask;
11824 	dipif->ipif_v6brd_addr = sipif->ipif_v6brd_addr;
11825 	dipif->ipif_v6pp_dst_addr = sipif->ipif_v6pp_dst_addr;
11826 
11827 	/*
11828 	 * As per the comment atop the function, we assume that these sipif
11829 	 * fields will be changed before sipif is unlocked.
11830 	 */
11831 	dipif->ipif_seqid = sipif->ipif_seqid;
11832 	dipif->ipif_state_flags = sipif->ipif_state_flags;
11833 }
11834 
11835 /*
11836  * Transfer the contents of `sipif' to `dipif', and then free (if `virgipif'
11837  * is NULL) or overwrite `sipif' with `virgipif', which must be a virgin
11838  * (unreferenced) ipif.  Also, if `sipif' is used by the current xop, then
11839  * transfer the xop to `dipif'.  Requires that all ipifs are administratively
11840  * down (i.e., no DAD), of the same type, and unlocked.
11841  */
11842 static void
11843 ipif_transfer(ipif_t *sipif, ipif_t *dipif, ipif_t *virgipif)
11844 {
11845 	ipsq_t *ipsq = sipif->ipif_ill->ill_phyint->phyint_ipsq;
11846 	ipxop_t *ipx = ipsq->ipsq_xop;
11847 
11848 	ASSERT(sipif != dipif);
11849 	ASSERT(sipif != virgipif);
11850 
11851 	/*
11852 	 * Grab all of the locks that protect the ipif in a defined order.
11853 	 */
11854 	GRAB_ILL_LOCKS(sipif->ipif_ill, dipif->ipif_ill);
11855 
11856 	ipif_clone(sipif, dipif);
11857 	if (virgipif != NULL) {
11858 		ipif_clone(virgipif, sipif);
11859 		mi_free(virgipif);
11860 	}
11861 
11862 	RELEASE_ILL_LOCKS(sipif->ipif_ill, dipif->ipif_ill);
11863 
11864 	/*
11865 	 * Transfer ownership of the current xop, if necessary.
11866 	 */
11867 	if (ipx->ipx_current_ipif == sipif) {
11868 		ASSERT(ipx->ipx_pending_ipif == NULL);
11869 		mutex_enter(&ipx->ipx_lock);
11870 		ipx->ipx_current_ipif = dipif;
11871 		mutex_exit(&ipx->ipx_lock);
11872 	}
11873 
11874 	if (virgipif == NULL)
11875 		mi_free(sipif);
11876 }
11877 
11878 /*
11879  * checks if:
11880  *	- <ill_name>:<ipif_id> is at most LIFNAMSIZ - 1 and
11881  *	- logical interface is within the allowed range
11882  */
11883 static int
11884 is_lifname_valid(ill_t *ill, unsigned int ipif_id)
11885 {
11886 	if (snprintf(NULL, 0, "%s:%d", ill->ill_name, ipif_id) >= LIFNAMSIZ)
11887 		return (ENAMETOOLONG);
11888 
11889 	if (ipif_id >= ill->ill_ipst->ips_ip_addrs_per_if)
11890 		return (ERANGE);
11891 	return (0);
11892 }
11893 
11894 /*
11895  * Insert the ipif, so that the list of ipifs on the ill will be sorted
11896  * with respect to ipif_id. Note that an ipif with an ipif_id of -1 will
11897  * be inserted into the first space available in the list. The value of
11898  * ipif_id will then be set to the appropriate value for its position.
11899  */
11900 static int
11901 ipif_insert(ipif_t *ipif, boolean_t acquire_g_lock)
11902 {
11903 	ill_t *ill;
11904 	ipif_t *tipif;
11905 	ipif_t **tipifp;
11906 	int id, err;
11907 	ip_stack_t	*ipst;
11908 
11909 	ASSERT(ipif->ipif_ill->ill_net_type == IRE_LOOPBACK ||
11910 	    IAM_WRITER_IPIF(ipif));
11911 
11912 	ill = ipif->ipif_ill;
11913 	ASSERT(ill != NULL);
11914 	ipst = ill->ill_ipst;
11915 
11916 	/*
11917 	 * In the case of lo0:0 we already hold the ill_g_lock.
11918 	 * ill_lookup_on_name (acquires ill_g_lock) -> ipif_allocate ->
11919 	 * ipif_insert.
11920 	 */
11921 	if (acquire_g_lock)
11922 		rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
11923 	mutex_enter(&ill->ill_lock);
11924 	id = ipif->ipif_id;
11925 	tipifp = &(ill->ill_ipif);
11926 	if (id == -1) {	/* need to find a real id */
11927 		id = 0;
11928 		while ((tipif = *tipifp) != NULL) {
11929 			ASSERT(tipif->ipif_id >= id);
11930 			if (tipif->ipif_id != id)
11931 				break; /* non-consecutive id */
11932 			id++;
11933 			tipifp = &(tipif->ipif_next);
11934 		}
11935 		if ((err = is_lifname_valid(ill, id)) != 0) {
11936 			mutex_exit(&ill->ill_lock);
11937 			if (acquire_g_lock)
11938 				rw_exit(&ipst->ips_ill_g_lock);
11939 			return (err);
11940 		}
11941 		ipif->ipif_id = id; /* assign new id */
11942 	} else if ((err = is_lifname_valid(ill, id)) == 0) {
11943 		/* we have a real id; insert ipif in the right place */
11944 		while ((tipif = *tipifp) != NULL) {
11945 			ASSERT(tipif->ipif_id != id);
11946 			if (tipif->ipif_id > id)
11947 				break; /* found correct location */
11948 			tipifp = &(tipif->ipif_next);
11949 		}
11950 	} else {
11951 		mutex_exit(&ill->ill_lock);
11952 		if (acquire_g_lock)
11953 			rw_exit(&ipst->ips_ill_g_lock);
11954 		return (err);
11955 	}
11956 
11957 	ASSERT(tipifp != &(ill->ill_ipif) || id == 0);
11958 
11959 	ipif->ipif_next = tipif;
11960 	*tipifp = ipif;
11961 	mutex_exit(&ill->ill_lock);
11962 	if (acquire_g_lock)
11963 		rw_exit(&ipst->ips_ill_g_lock);
11964 
11965 	return (0);
11966 }
11967 
11968 static void
11969 ipif_remove(ipif_t *ipif)
11970 {
11971 	ipif_t	**ipifp;
11972 	ill_t	*ill = ipif->ipif_ill;
11973 
11974 	ASSERT(RW_WRITE_HELD(&ill->ill_ipst->ips_ill_g_lock));
11975 
11976 	mutex_enter(&ill->ill_lock);
11977 	ipifp = &ill->ill_ipif;
11978 	for (; *ipifp != NULL; ipifp = &ipifp[0]->ipif_next) {
11979 		if (*ipifp == ipif) {
11980 			*ipifp = ipif->ipif_next;
11981 			break;
11982 		}
11983 	}
11984 	mutex_exit(&ill->ill_lock);
11985 }
11986 
11987 /*
11988  * Allocate and initialize a new interface control structure.  (Always
11989  * called as writer.)
11990  * When ipif_allocate() is called from ip_ll_subnet_defaults, the ill
11991  * is not part of the global linked list of ills. ipif_seqid is unique
11992  * in the system and to preserve the uniqueness, it is assigned only
11993  * when ill becomes part of the global list. At that point ill will
11994  * have a name. If it doesn't get assigned here, it will get assigned
11995  * in ipif_set_values() as part of SIOCSLIFNAME processing.
11996  * Aditionally, if we come here from ip_ll_subnet_defaults, we don't set
11997  * the interface flags or any other information from the DL_INFO_ACK for
11998  * DL_STYLE2 drivers (initialize == B_FALSE), since we won't have them at
11999  * this point. The flags etc. will be set in ip_ll_subnet_defaults when the
12000  * second DL_INFO_ACK comes in from the driver.
12001  */
12002 static ipif_t *
12003 ipif_allocate(ill_t *ill, int id, uint_t ire_type, boolean_t initialize,
12004     boolean_t insert, int *errorp)
12005 {
12006 	int err;
12007 	ipif_t	*ipif;
12008 	ip_stack_t *ipst = ill->ill_ipst;
12009 
12010 	ip1dbg(("ipif_allocate(%s:%d ill %p)\n",
12011 	    ill->ill_name, id, (void *)ill));
12012 	ASSERT(ire_type == IRE_LOOPBACK || IAM_WRITER_ILL(ill));
12013 
12014 	if (errorp != NULL)
12015 		*errorp = 0;
12016 
12017 	if ((ipif = mi_alloc(sizeof (ipif_t), BPRI_MED)) == NULL) {
12018 		if (errorp != NULL)
12019 			*errorp = ENOMEM;
12020 		return (NULL);
12021 	}
12022 	*ipif = ipif_zero;	/* start clean */
12023 
12024 	ipif->ipif_ill = ill;
12025 	ipif->ipif_id = id;	/* could be -1 */
12026 	/*
12027 	 * Inherit the zoneid from the ill; for the shared stack instance
12028 	 * this is always the global zone
12029 	 */
12030 	ipif->ipif_zoneid = ill->ill_zoneid;
12031 
12032 	ipif->ipif_refcnt = 0;
12033 
12034 	if (insert) {
12035 		if ((err = ipif_insert(ipif, ire_type != IRE_LOOPBACK)) != 0) {
12036 			mi_free(ipif);
12037 			if (errorp != NULL)
12038 				*errorp = err;
12039 			return (NULL);
12040 		}
12041 		/* -1 id should have been replaced by real id */
12042 		id = ipif->ipif_id;
12043 		ASSERT(id >= 0);
12044 	}
12045 
12046 	if (ill->ill_name[0] != '\0')
12047 		ipif_assign_seqid(ipif);
12048 
12049 	/*
12050 	 * If this is the zeroth ipif on the IPMP ill, create the illgrp
12051 	 * (which must not exist yet because the zeroth ipif is created once
12052 	 * per ill).  However, do not not link it to the ipmp_grp_t until
12053 	 * I_PLINK is called; see ip_sioctl_plink_ipmp() for details.
12054 	 */
12055 	if (id == 0 && IS_IPMP(ill)) {
12056 		if (ipmp_illgrp_create(ill) == NULL) {
12057 			if (insert) {
12058 				rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
12059 				ipif_remove(ipif);
12060 				rw_exit(&ipst->ips_ill_g_lock);
12061 			}
12062 			mi_free(ipif);
12063 			if (errorp != NULL)
12064 				*errorp = ENOMEM;
12065 			return (NULL);
12066 		}
12067 	}
12068 
12069 	/*
12070 	 * We grab ill_lock to protect the flag changes.  The ipif is still
12071 	 * not up and can't be looked up until the ioctl completes and the
12072 	 * IPIF_CHANGING flag is cleared.
12073 	 */
12074 	mutex_enter(&ill->ill_lock);
12075 
12076 	ipif->ipif_ire_type = ire_type;
12077 
12078 	if (ipif->ipif_isv6) {
12079 		ill->ill_flags |= ILLF_IPV6;
12080 	} else {
12081 		ipaddr_t inaddr_any = INADDR_ANY;
12082 
12083 		ill->ill_flags |= ILLF_IPV4;
12084 
12085 		/* Keep the IN6_IS_ADDR_V4MAPPED assertions happy */
12086 		IN6_IPADDR_TO_V4MAPPED(inaddr_any,
12087 		    &ipif->ipif_v6lcl_addr);
12088 		IN6_IPADDR_TO_V4MAPPED(inaddr_any,
12089 		    &ipif->ipif_v6subnet);
12090 		IN6_IPADDR_TO_V4MAPPED(inaddr_any,
12091 		    &ipif->ipif_v6net_mask);
12092 		IN6_IPADDR_TO_V4MAPPED(inaddr_any,
12093 		    &ipif->ipif_v6brd_addr);
12094 		IN6_IPADDR_TO_V4MAPPED(inaddr_any,
12095 		    &ipif->ipif_v6pp_dst_addr);
12096 	}
12097 
12098 	/*
12099 	 * Don't set the interface flags etc. now, will do it in
12100 	 * ip_ll_subnet_defaults.
12101 	 */
12102 	if (!initialize)
12103 		goto out;
12104 
12105 	/*
12106 	 * NOTE: The IPMP meta-interface is special-cased because it starts
12107 	 * with no underlying interfaces (and thus an unknown broadcast
12108 	 * address length), but all interfaces that can be placed into an IPMP
12109 	 * group are required to be broadcast-capable.
12110 	 */
12111 	if (ill->ill_bcast_addr_length != 0 || IS_IPMP(ill)) {
12112 		/*
12113 		 * Later detect lack of DLPI driver multicast capability by
12114 		 * catching DL_ENABMULTI_REQ errors in ip_rput_dlpi().
12115 		 */
12116 		ill->ill_flags |= ILLF_MULTICAST;
12117 		if (!ipif->ipif_isv6)
12118 			ipif->ipif_flags |= IPIF_BROADCAST;
12119 	} else {
12120 		if (ill->ill_net_type != IRE_LOOPBACK) {
12121 			if (ipif->ipif_isv6)
12122 				/*
12123 				 * Note: xresolv interfaces will eventually need
12124 				 * NOARP set here as well, but that will require
12125 				 * those external resolvers to have some
12126 				 * knowledge of that flag and act appropriately.
12127 				 * Not to be changed at present.
12128 				 */
12129 				ill->ill_flags |= ILLF_NONUD;
12130 			else
12131 				ill->ill_flags |= ILLF_NOARP;
12132 		}
12133 		if (ill->ill_phys_addr_length == 0) {
12134 			if (IS_VNI(ill)) {
12135 				ipif->ipif_flags |= IPIF_NOXMIT;
12136 			} else {
12137 				/* pt-pt supports multicast. */
12138 				ill->ill_flags |= ILLF_MULTICAST;
12139 				if (ill->ill_net_type != IRE_LOOPBACK)
12140 					ipif->ipif_flags |= IPIF_POINTOPOINT;
12141 			}
12142 		}
12143 	}
12144 out:
12145 	mutex_exit(&ill->ill_lock);
12146 	return (ipif);
12147 }
12148 
12149 /*
12150  * Remove the neighbor cache entries associated with this logical
12151  * interface.
12152  */
12153 int
12154 ipif_arp_down(ipif_t *ipif)
12155 {
12156 	ill_t	*ill = ipif->ipif_ill;
12157 	int	err = 0;
12158 
12159 	ip1dbg(("ipif_arp_down(%s:%u)\n", ill->ill_name, ipif->ipif_id));
12160 	ASSERT(IAM_WRITER_IPIF(ipif));
12161 
12162 	DTRACE_PROBE3(ipif__downup, char *, "ipif_arp_down",
12163 	    ill_t *, ill, ipif_t *, ipif);
12164 	ipif_nce_down(ipif);
12165 
12166 	/*
12167 	 * If this is the last ipif that is going down and there are no
12168 	 * duplicate addresses we may yet attempt to re-probe, then we need to
12169 	 * clean up ARP completely.
12170 	 */
12171 	if (ill->ill_ipif_up_count == 0 && ill->ill_ipif_dup_count == 0 &&
12172 	    !ill->ill_logical_down && ill->ill_net_type == IRE_IF_RESOLVER) {
12173 		/*
12174 		 * If this was the last ipif on an IPMP interface, purge any
12175 		 * static ARP entries associated with it.
12176 		 */
12177 		if (IS_IPMP(ill))
12178 			ipmp_illgrp_refresh_arpent(ill->ill_grp);
12179 
12180 		/* UNBIND, DETACH */
12181 		err = arp_ll_down(ill);
12182 	}
12183 
12184 	return (err);
12185 }
12186 
12187 /*
12188  * Get the resolver set up for a new IP address.  (Always called as writer.)
12189  * Called both for IPv4 and IPv6 interfaces, though it only does some
12190  * basic DAD related initialization for IPv6. Honors ILLF_NOARP.
12191  *
12192  * The enumerated value res_act tunes the behavior:
12193  * 	* Res_act_initial: set up all the resolver structures for a new
12194  *	  IP address.
12195  *	* Res_act_defend: tell ARP that it needs to send a single gratuitous
12196  *	  ARP message in defense of the address.
12197  *	* Res_act_rebind: tell ARP to change the hardware address for an IP
12198  *	  address (and issue gratuitous ARPs).  Used by ipmp_ill_bind_ipif().
12199  *
12200  * Returns zero on success, or an errno upon failure.
12201  */
12202 int
12203 ipif_resolver_up(ipif_t *ipif, enum ip_resolver_action res_act)
12204 {
12205 	ill_t		*ill = ipif->ipif_ill;
12206 	int		err;
12207 	boolean_t	was_dup;
12208 
12209 	ip1dbg(("ipif_resolver_up(%s:%u) flags 0x%x\n",
12210 	    ill->ill_name, ipif->ipif_id, (uint_t)ipif->ipif_flags));
12211 	ASSERT(IAM_WRITER_IPIF(ipif));
12212 
12213 	was_dup = B_FALSE;
12214 	if (res_act == Res_act_initial) {
12215 		ipif->ipif_addr_ready = 0;
12216 		/*
12217 		 * We're bringing an interface up here.  There's no way that we
12218 		 * should need to shut down ARP now.
12219 		 */
12220 		mutex_enter(&ill->ill_lock);
12221 		if (ipif->ipif_flags & IPIF_DUPLICATE) {
12222 			ipif->ipif_flags &= ~IPIF_DUPLICATE;
12223 			ill->ill_ipif_dup_count--;
12224 			was_dup = B_TRUE;
12225 		}
12226 		mutex_exit(&ill->ill_lock);
12227 	}
12228 	if (ipif->ipif_recovery_id != 0)
12229 		(void) untimeout(ipif->ipif_recovery_id);
12230 	ipif->ipif_recovery_id = 0;
12231 	if (ill->ill_net_type != IRE_IF_RESOLVER) {
12232 		ipif->ipif_addr_ready = 1;
12233 		return (0);
12234 	}
12235 	/* NDP will set the ipif_addr_ready flag when it's ready */
12236 	if (ill->ill_isv6)
12237 		return (0);
12238 
12239 	err = ipif_arp_up(ipif, res_act, was_dup);
12240 	return (err);
12241 }
12242 
12243 /*
12244  * This routine restarts IPv4/IPv6 duplicate address detection (DAD)
12245  * when a link has just gone back up.
12246  */
12247 static void
12248 ipif_nce_start_dad(ipif_t *ipif)
12249 {
12250 	ncec_t *ncec;
12251 	ill_t *ill = ipif->ipif_ill;
12252 	boolean_t isv6 = ill->ill_isv6;
12253 
12254 	if (isv6) {
12255 		ncec = ncec_lookup_illgrp_v6(ipif->ipif_ill,
12256 		    &ipif->ipif_v6lcl_addr);
12257 	} else {
12258 		ipaddr_t v4addr;
12259 
12260 		if (ill->ill_net_type != IRE_IF_RESOLVER ||
12261 		    (ipif->ipif_flags & IPIF_UNNUMBERED) ||
12262 		    ipif->ipif_lcl_addr == INADDR_ANY) {
12263 			/*
12264 			 * If we can't contact ARP for some reason,
12265 			 * that's not really a problem.  Just send
12266 			 * out the routing socket notification that
12267 			 * DAD completion would have done, and continue.
12268 			 */
12269 			ipif_mask_reply(ipif);
12270 			ipif_up_notify(ipif);
12271 			ipif->ipif_addr_ready = 1;
12272 			return;
12273 		}
12274 
12275 		IN6_V4MAPPED_TO_IPADDR(&ipif->ipif_v6lcl_addr, v4addr);
12276 		ncec = ncec_lookup_illgrp_v4(ipif->ipif_ill, &v4addr);
12277 	}
12278 
12279 	if (ncec == NULL) {
12280 		ip1dbg(("couldn't find ncec for ipif %p leaving !ready\n",
12281 		    (void *)ipif));
12282 		return;
12283 	}
12284 	if (!nce_restart_dad(ncec)) {
12285 		/*
12286 		 * If we can't restart DAD for some reason, that's not really a
12287 		 * problem.  Just send out the routing socket notification that
12288 		 * DAD completion would have done, and continue.
12289 		 */
12290 		ipif_up_notify(ipif);
12291 		ipif->ipif_addr_ready = 1;
12292 	}
12293 	ncec_refrele(ncec);
12294 }
12295 
12296 /*
12297  * Restart duplicate address detection on all interfaces on the given ill.
12298  *
12299  * This is called when an interface transitions from down to up
12300  * (DL_NOTE_LINK_UP) or up to down (DL_NOTE_LINK_DOWN).
12301  *
12302  * Note that since the underlying physical link has transitioned, we must cause
12303  * at least one routing socket message to be sent here, either via DAD
12304  * completion or just by default on the first ipif.  (If we don't do this, then
12305  * in.mpathd will see long delays when doing link-based failure recovery.)
12306  */
12307 void
12308 ill_restart_dad(ill_t *ill, boolean_t went_up)
12309 {
12310 	ipif_t *ipif;
12311 
12312 	if (ill == NULL)
12313 		return;
12314 
12315 	/*
12316 	 * If layer two doesn't support duplicate address detection, then just
12317 	 * send the routing socket message now and be done with it.
12318 	 */
12319 	if (!ill->ill_isv6 && arp_no_defense) {
12320 		ip_rts_ifmsg(ill->ill_ipif, RTSQ_DEFAULT);
12321 		return;
12322 	}
12323 
12324 	for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
12325 		if (went_up) {
12326 
12327 			if (ipif->ipif_flags & IPIF_UP) {
12328 				ipif_nce_start_dad(ipif);
12329 			} else if (ipif->ipif_flags & IPIF_DUPLICATE) {
12330 				/*
12331 				 * kick off the bring-up process now.
12332 				 */
12333 				ipif_do_recovery(ipif);
12334 			} else {
12335 				/*
12336 				 * Unfortunately, the first ipif is "special"
12337 				 * and represents the underlying ill in the
12338 				 * routing socket messages.  Thus, when this
12339 				 * one ipif is down, we must still notify so
12340 				 * that the user knows the IFF_RUNNING status
12341 				 * change.  (If the first ipif is up, then
12342 				 * we'll handle eventual routing socket
12343 				 * notification via DAD completion.)
12344 				 */
12345 				if (ipif == ill->ill_ipif) {
12346 					ip_rts_ifmsg(ill->ill_ipif,
12347 					    RTSQ_DEFAULT);
12348 				}
12349 			}
12350 		} else {
12351 			/*
12352 			 * After link down, we'll need to send a new routing
12353 			 * message when the link comes back, so clear
12354 			 * ipif_addr_ready.
12355 			 */
12356 			ipif->ipif_addr_ready = 0;
12357 		}
12358 	}
12359 
12360 	/*
12361 	 * If we've torn down links, then notify the user right away.
12362 	 */
12363 	if (!went_up)
12364 		ip_rts_ifmsg(ill->ill_ipif, RTSQ_DEFAULT);
12365 }
12366 
12367 static void
12368 ipsq_delete(ipsq_t *ipsq)
12369 {
12370 	ipxop_t *ipx = ipsq->ipsq_xop;
12371 
12372 	ipsq->ipsq_ipst = NULL;
12373 	ASSERT(ipsq->ipsq_phyint == NULL);
12374 	ASSERT(ipsq->ipsq_xop != NULL);
12375 	ASSERT(ipsq->ipsq_xopq_mphead == NULL && ipx->ipx_mphead == NULL);
12376 	ASSERT(ipx->ipx_pending_mp == NULL);
12377 	kmem_free(ipsq, sizeof (ipsq_t));
12378 }
12379 
12380 static int
12381 ill_up_ipifs_on_ill(ill_t *ill, queue_t *q, mblk_t *mp)
12382 {
12383 	int err = 0;
12384 	ipif_t *ipif;
12385 
12386 	if (ill == NULL)
12387 		return (0);
12388 
12389 	ASSERT(IAM_WRITER_ILL(ill));
12390 	ill->ill_up_ipifs = B_TRUE;
12391 	for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
12392 		if (ipif->ipif_was_up) {
12393 			if (!(ipif->ipif_flags & IPIF_UP))
12394 				err = ipif_up(ipif, q, mp);
12395 			ipif->ipif_was_up = B_FALSE;
12396 			if (err != 0) {
12397 				ASSERT(err == EINPROGRESS);
12398 				return (err);
12399 			}
12400 		}
12401 	}
12402 	ill->ill_up_ipifs = B_FALSE;
12403 	return (0);
12404 }
12405 
12406 /*
12407  * This function is called to bring up all the ipifs that were up before
12408  * bringing the ill down via ill_down_ipifs().
12409  */
12410 int
12411 ill_up_ipifs(ill_t *ill, queue_t *q, mblk_t *mp)
12412 {
12413 	int err;
12414 
12415 	ASSERT(IAM_WRITER_ILL(ill));
12416 
12417 	if (ill->ill_replumbing) {
12418 		ill->ill_replumbing = 0;
12419 		/*
12420 		 * Send down REPLUMB_DONE notification followed by the
12421 		 * BIND_REQ on the arp stream.
12422 		 */
12423 		if (!ill->ill_isv6)
12424 			arp_send_replumb_conf(ill);
12425 	}
12426 	err = ill_up_ipifs_on_ill(ill->ill_phyint->phyint_illv4, q, mp);
12427 	if (err != 0)
12428 		return (err);
12429 
12430 	return (ill_up_ipifs_on_ill(ill->ill_phyint->phyint_illv6, q, mp));
12431 }
12432 
12433 /*
12434  * Bring down any IPIF_UP ipifs on ill. If "logical" is B_TRUE, we bring
12435  * down the ipifs without sending DL_UNBIND_REQ to the driver.
12436  */
12437 static void
12438 ill_down_ipifs(ill_t *ill, boolean_t logical)
12439 {
12440 	ipif_t *ipif;
12441 
12442 	ASSERT(IAM_WRITER_ILL(ill));
12443 
12444 	for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
12445 		/*
12446 		 * We go through the ipif_down logic even if the ipif
12447 		 * is already down, since routes can be added based
12448 		 * on down ipifs. Going through ipif_down once again
12449 		 * will delete any IREs created based on these routes.
12450 		 */
12451 		if (ipif->ipif_flags & IPIF_UP)
12452 			ipif->ipif_was_up = B_TRUE;
12453 
12454 		if (logical) {
12455 			(void) ipif_logical_down(ipif, NULL, NULL);
12456 			ipif_non_duplicate(ipif);
12457 			(void) ipif_down_tail(ipif);
12458 		} else {
12459 			(void) ipif_down(ipif, NULL, NULL);
12460 		}
12461 	}
12462 }
12463 
12464 /*
12465  * Redo source address selection.  This makes IXAF_VERIFY_SOURCE take
12466  * a look again at valid source addresses.
12467  * This should be called each time after the set of source addresses has been
12468  * changed.
12469  */
12470 void
12471 ip_update_source_selection(ip_stack_t *ipst)
12472 {
12473 	/* We skip past SRC_GENERATION_VERIFY */
12474 	if (atomic_add_32_nv(&ipst->ips_src_generation, 1) ==
12475 	    SRC_GENERATION_VERIFY)
12476 		atomic_add_32(&ipst->ips_src_generation, 1);
12477 }
12478 
12479 /*
12480  * Finish the group join started in ip_sioctl_groupname().
12481  */
12482 /* ARGSUSED */
12483 static void
12484 ip_join_illgrps(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy)
12485 {
12486 	ill_t		*ill = q->q_ptr;
12487 	phyint_t	*phyi = ill->ill_phyint;
12488 	ipmp_grp_t	*grp = phyi->phyint_grp;
12489 	ip_stack_t	*ipst = ill->ill_ipst;
12490 
12491 	/* IS_UNDER_IPMP() won't work until ipmp_ill_join_illgrp() is called */
12492 	ASSERT(!IS_IPMP(ill) && grp != NULL);
12493 	ASSERT(IAM_WRITER_IPSQ(ipsq));
12494 
12495 	if (phyi->phyint_illv4 != NULL) {
12496 		rw_enter(&ipst->ips_ipmp_lock, RW_WRITER);
12497 		VERIFY(grp->gr_pendv4-- > 0);
12498 		rw_exit(&ipst->ips_ipmp_lock);
12499 		ipmp_ill_join_illgrp(phyi->phyint_illv4, grp->gr_v4);
12500 	}
12501 	if (phyi->phyint_illv6 != NULL) {
12502 		rw_enter(&ipst->ips_ipmp_lock, RW_WRITER);
12503 		VERIFY(grp->gr_pendv6-- > 0);
12504 		rw_exit(&ipst->ips_ipmp_lock);
12505 		ipmp_ill_join_illgrp(phyi->phyint_illv6, grp->gr_v6);
12506 	}
12507 	freemsg(mp);
12508 }
12509 
12510 /*
12511  * Process an SIOCSLIFGROUPNAME request.
12512  */
12513 /* ARGSUSED */
12514 int
12515 ip_sioctl_groupname(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
12516     ip_ioctl_cmd_t *ipip, void *ifreq)
12517 {
12518 	struct lifreq	*lifr = ifreq;
12519 	ill_t		*ill = ipif->ipif_ill;
12520 	ip_stack_t	*ipst = ill->ill_ipst;
12521 	phyint_t	*phyi = ill->ill_phyint;
12522 	ipmp_grp_t	*grp = phyi->phyint_grp;
12523 	mblk_t		*ipsq_mp;
12524 	int		err = 0;
12525 
12526 	/*
12527 	 * Note that phyint_grp can only change here, where we're exclusive.
12528 	 */
12529 	ASSERT(IAM_WRITER_ILL(ill));
12530 
12531 	if (ipif->ipif_id != 0 || ill->ill_usesrc_grp_next != NULL ||
12532 	    (phyi->phyint_flags & PHYI_VIRTUAL))
12533 		return (EINVAL);
12534 
12535 	lifr->lifr_groupname[LIFGRNAMSIZ - 1] = '\0';
12536 
12537 	rw_enter(&ipst->ips_ipmp_lock, RW_WRITER);
12538 
12539 	/*
12540 	 * If the name hasn't changed, there's nothing to do.
12541 	 */
12542 	if (grp != NULL && strcmp(grp->gr_name, lifr->lifr_groupname) == 0)
12543 		goto unlock;
12544 
12545 	/*
12546 	 * Handle requests to rename an IPMP meta-interface.
12547 	 *
12548 	 * Note that creation of the IPMP meta-interface is handled in
12549 	 * userland through the standard plumbing sequence.  As part of the
12550 	 * plumbing the IPMP meta-interface, its initial groupname is set to
12551 	 * the name of the interface (see ipif_set_values_tail()).
12552 	 */
12553 	if (IS_IPMP(ill)) {
12554 		err = ipmp_grp_rename(grp, lifr->lifr_groupname);
12555 		goto unlock;
12556 	}
12557 
12558 	/*
12559 	 * Handle requests to add or remove an IP interface from a group.
12560 	 */
12561 	if (lifr->lifr_groupname[0] != '\0') {			/* add */
12562 		/*
12563 		 * Moves are handled by first removing the interface from
12564 		 * its existing group, and then adding it to another group.
12565 		 * So, fail if it's already in a group.
12566 		 */
12567 		if (IS_UNDER_IPMP(ill)) {
12568 			err = EALREADY;
12569 			goto unlock;
12570 		}
12571 
12572 		grp = ipmp_grp_lookup(lifr->lifr_groupname, ipst);
12573 		if (grp == NULL) {
12574 			err = ENOENT;
12575 			goto unlock;
12576 		}
12577 
12578 		/*
12579 		 * Check if the phyint and its ills are suitable for
12580 		 * inclusion into the group.
12581 		 */
12582 		if ((err = ipmp_grp_vet_phyint(grp, phyi)) != 0)
12583 			goto unlock;
12584 
12585 		/*
12586 		 * Checks pass; join the group, and enqueue the remaining
12587 		 * illgrp joins for when we've become part of the group xop
12588 		 * and are exclusive across its IPSQs.  Since qwriter_ip()
12589 		 * requires an mblk_t to scribble on, and since `mp' will be
12590 		 * freed as part of completing the ioctl, allocate another.
12591 		 */
12592 		if ((ipsq_mp = allocb(0, BPRI_MED)) == NULL) {
12593 			err = ENOMEM;
12594 			goto unlock;
12595 		}
12596 
12597 		/*
12598 		 * Before we drop ipmp_lock, bump gr_pend* to ensure that the
12599 		 * IPMP meta-interface ills needed by `phyi' cannot go away
12600 		 * before ip_join_illgrps() is called back.  See the comments
12601 		 * in ip_sioctl_plink_ipmp() for more.
12602 		 */
12603 		if (phyi->phyint_illv4 != NULL)
12604 			grp->gr_pendv4++;
12605 		if (phyi->phyint_illv6 != NULL)
12606 			grp->gr_pendv6++;
12607 
12608 		rw_exit(&ipst->ips_ipmp_lock);
12609 
12610 		ipmp_phyint_join_grp(phyi, grp);
12611 		ill_refhold(ill);
12612 		qwriter_ip(ill, ill->ill_rq, ipsq_mp, ip_join_illgrps,
12613 		    SWITCH_OP, B_FALSE);
12614 		return (0);
12615 	} else {
12616 		/*
12617 		 * Request to remove the interface from a group.  If the
12618 		 * interface is not in a group, this trivially succeeds.
12619 		 */
12620 		rw_exit(&ipst->ips_ipmp_lock);
12621 		if (IS_UNDER_IPMP(ill))
12622 			ipmp_phyint_leave_grp(phyi);
12623 		return (0);
12624 	}
12625 unlock:
12626 	rw_exit(&ipst->ips_ipmp_lock);
12627 	return (err);
12628 }
12629 
12630 /*
12631  * Process an SIOCGLIFBINDING request.
12632  */
12633 /* ARGSUSED */
12634 int
12635 ip_sioctl_get_binding(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
12636     ip_ioctl_cmd_t *ipip, void *ifreq)
12637 {
12638 	ill_t		*ill;
12639 	struct lifreq	*lifr = ifreq;
12640 	ip_stack_t	*ipst = ipif->ipif_ill->ill_ipst;
12641 
12642 	if (!IS_IPMP(ipif->ipif_ill))
12643 		return (EINVAL);
12644 
12645 	rw_enter(&ipst->ips_ipmp_lock, RW_READER);
12646 	if ((ill = ipif->ipif_bound_ill) == NULL)
12647 		lifr->lifr_binding[0] = '\0';
12648 	else
12649 		(void) strlcpy(lifr->lifr_binding, ill->ill_name, LIFNAMSIZ);
12650 	rw_exit(&ipst->ips_ipmp_lock);
12651 	return (0);
12652 }
12653 
12654 /*
12655  * Process an SIOCGLIFGROUPNAME request.
12656  */
12657 /* ARGSUSED */
12658 int
12659 ip_sioctl_get_groupname(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
12660     ip_ioctl_cmd_t *ipip, void *ifreq)
12661 {
12662 	ipmp_grp_t	*grp;
12663 	struct lifreq	*lifr = ifreq;
12664 	ip_stack_t	*ipst = ipif->ipif_ill->ill_ipst;
12665 
12666 	rw_enter(&ipst->ips_ipmp_lock, RW_READER);
12667 	if ((grp = ipif->ipif_ill->ill_phyint->phyint_grp) == NULL)
12668 		lifr->lifr_groupname[0] = '\0';
12669 	else
12670 		(void) strlcpy(lifr->lifr_groupname, grp->gr_name, LIFGRNAMSIZ);
12671 	rw_exit(&ipst->ips_ipmp_lock);
12672 	return (0);
12673 }
12674 
12675 /*
12676  * Process an SIOCGLIFGROUPINFO request.
12677  */
12678 /* ARGSUSED */
12679 int
12680 ip_sioctl_groupinfo(ipif_t *dummy_ipif, sin_t *sin, queue_t *q, mblk_t *mp,
12681     ip_ioctl_cmd_t *ipip, void *dummy)
12682 {
12683 	ipmp_grp_t	*grp;
12684 	lifgroupinfo_t	*lifgr;
12685 	ip_stack_t	*ipst = CONNQ_TO_IPST(q);
12686 
12687 	/* ip_wput_nondata() verified mp->b_cont->b_cont */
12688 	lifgr = (lifgroupinfo_t *)mp->b_cont->b_cont->b_rptr;
12689 	lifgr->gi_grname[LIFGRNAMSIZ - 1] = '\0';
12690 
12691 	rw_enter(&ipst->ips_ipmp_lock, RW_READER);
12692 	if ((grp = ipmp_grp_lookup(lifgr->gi_grname, ipst)) == NULL) {
12693 		rw_exit(&ipst->ips_ipmp_lock);
12694 		return (ENOENT);
12695 	}
12696 	ipmp_grp_info(grp, lifgr);
12697 	rw_exit(&ipst->ips_ipmp_lock);
12698 	return (0);
12699 }
12700 
12701 static void
12702 ill_dl_down(ill_t *ill)
12703 {
12704 	DTRACE_PROBE2(ill__downup, char *, "ill_dl_down", ill_t *, ill);
12705 
12706 	/*
12707 	 * The ill is down; unbind but stay attached since we're still
12708 	 * associated with a PPA. If we have negotiated DLPI capabilites
12709 	 * with the data link service provider (IDS_OK) then reset them.
12710 	 * The interval between unbinding and rebinding is potentially
12711 	 * unbounded hence we cannot assume things will be the same.
12712 	 * The DLPI capabilities will be probed again when the data link
12713 	 * is brought up.
12714 	 */
12715 	mblk_t	*mp = ill->ill_unbind_mp;
12716 
12717 	ip1dbg(("ill_dl_down(%s)\n", ill->ill_name));
12718 
12719 	if (!ill->ill_replumbing) {
12720 		/* Free all ilms for this ill */
12721 		update_conn_ill(ill, ill->ill_ipst);
12722 	} else {
12723 		ill_leave_multicast(ill);
12724 	}
12725 
12726 	ill->ill_unbind_mp = NULL;
12727 	if (mp != NULL) {
12728 		ip1dbg(("ill_dl_down: %s (%u) for %s\n",
12729 		    dl_primstr(*(int *)mp->b_rptr), *(int *)mp->b_rptr,
12730 		    ill->ill_name));
12731 		mutex_enter(&ill->ill_lock);
12732 		ill->ill_state_flags |= ILL_DL_UNBIND_IN_PROGRESS;
12733 		mutex_exit(&ill->ill_lock);
12734 		/*
12735 		 * ip_rput does not pass up normal (M_PROTO) DLPI messages
12736 		 * after ILL_CONDEMNED is set. So in the unplumb case, we call
12737 		 * ill_capability_dld_disable disable rightaway. If this is not
12738 		 * an unplumb operation then the disable happens on receipt of
12739 		 * the capab ack via ip_rput_dlpi_writer ->
12740 		 * ill_capability_ack_thr. In both cases the order of
12741 		 * the operations seen by DLD is capability disable followed
12742 		 * by DL_UNBIND. Also the DLD capability disable needs a
12743 		 * cv_wait'able context.
12744 		 */
12745 		if (ill->ill_state_flags & ILL_CONDEMNED)
12746 			ill_capability_dld_disable(ill);
12747 		ill_capability_reset(ill, B_FALSE);
12748 		ill_dlpi_send(ill, mp);
12749 	}
12750 	mutex_enter(&ill->ill_lock);
12751 	ill->ill_dl_up = 0;
12752 	ill_nic_event_dispatch(ill, 0, NE_DOWN, NULL, 0);
12753 	mutex_exit(&ill->ill_lock);
12754 }
12755 
12756 void
12757 ill_dlpi_dispatch(ill_t *ill, mblk_t *mp)
12758 {
12759 	union DL_primitives *dlp;
12760 	t_uscalar_t prim;
12761 	boolean_t waitack = B_FALSE;
12762 
12763 	ASSERT(DB_TYPE(mp) == M_PROTO || DB_TYPE(mp) == M_PCPROTO);
12764 
12765 	dlp = (union DL_primitives *)mp->b_rptr;
12766 	prim = dlp->dl_primitive;
12767 
12768 	ip1dbg(("ill_dlpi_dispatch: sending %s (%u) to %s\n",
12769 	    dl_primstr(prim), prim, ill->ill_name));
12770 
12771 	switch (prim) {
12772 	case DL_PHYS_ADDR_REQ:
12773 	{
12774 		dl_phys_addr_req_t *dlpap = (dl_phys_addr_req_t *)mp->b_rptr;
12775 		ill->ill_phys_addr_pend = dlpap->dl_addr_type;
12776 		break;
12777 	}
12778 	case DL_BIND_REQ:
12779 		mutex_enter(&ill->ill_lock);
12780 		ill->ill_state_flags &= ~ILL_DL_UNBIND_IN_PROGRESS;
12781 		mutex_exit(&ill->ill_lock);
12782 		break;
12783 	}
12784 
12785 	/*
12786 	 * Except for the ACKs for the M_PCPROTO messages, all other ACKs
12787 	 * are dropped by ip_rput() if ILL_CONDEMNED is set. Therefore
12788 	 * we only wait for the ACK of the DL_UNBIND_REQ.
12789 	 */
12790 	mutex_enter(&ill->ill_lock);
12791 	if (!(ill->ill_state_flags & ILL_CONDEMNED) ||
12792 	    (prim == DL_UNBIND_REQ)) {
12793 		ill->ill_dlpi_pending = prim;
12794 		waitack = B_TRUE;
12795 	}
12796 
12797 	mutex_exit(&ill->ill_lock);
12798 	DTRACE_PROBE3(ill__dlpi, char *, "ill_dlpi_dispatch",
12799 	    char *, dl_primstr(prim), ill_t *, ill);
12800 	putnext(ill->ill_wq, mp);
12801 
12802 	/*
12803 	 * There is no ack for DL_NOTIFY_CONF messages
12804 	 */
12805 	if (waitack && prim == DL_NOTIFY_CONF)
12806 		ill_dlpi_done(ill, prim);
12807 }
12808 
12809 /*
12810  * Helper function for ill_dlpi_send().
12811  */
12812 /* ARGSUSED */
12813 static void
12814 ill_dlpi_send_writer(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *arg)
12815 {
12816 	ill_dlpi_send(q->q_ptr, mp);
12817 }
12818 
12819 /*
12820  * Send a DLPI control message to the driver but make sure there
12821  * is only one outstanding message. Uses ill_dlpi_pending to tell
12822  * when it must queue. ip_rput_dlpi_writer calls ill_dlpi_done()
12823  * when an ACK or a NAK is received to process the next queued message.
12824  */
12825 void
12826 ill_dlpi_send(ill_t *ill, mblk_t *mp)
12827 {
12828 	mblk_t **mpp;
12829 
12830 	ASSERT(DB_TYPE(mp) == M_PROTO || DB_TYPE(mp) == M_PCPROTO);
12831 
12832 	/*
12833 	 * To ensure that any DLPI requests for current exclusive operation
12834 	 * are always completely sent before any DLPI messages for other
12835 	 * operations, require writer access before enqueuing.
12836 	 */
12837 	if (!IAM_WRITER_ILL(ill)) {
12838 		ill_refhold(ill);
12839 		/* qwriter_ip() does the ill_refrele() */
12840 		qwriter_ip(ill, ill->ill_wq, mp, ill_dlpi_send_writer,
12841 		    NEW_OP, B_TRUE);
12842 		return;
12843 	}
12844 
12845 	mutex_enter(&ill->ill_lock);
12846 	if (ill->ill_dlpi_pending != DL_PRIM_INVAL) {
12847 		/* Must queue message. Tail insertion */
12848 		mpp = &ill->ill_dlpi_deferred;
12849 		while (*mpp != NULL)
12850 			mpp = &((*mpp)->b_next);
12851 
12852 		ip1dbg(("ill_dlpi_send: deferring request for %s "
12853 		    "while %s pending\n", ill->ill_name,
12854 		    dl_primstr(ill->ill_dlpi_pending)));
12855 
12856 		*mpp = mp;
12857 		mutex_exit(&ill->ill_lock);
12858 		return;
12859 	}
12860 	mutex_exit(&ill->ill_lock);
12861 	ill_dlpi_dispatch(ill, mp);
12862 }
12863 
12864 void
12865 ill_capability_send(ill_t *ill, mblk_t *mp)
12866 {
12867 	ill->ill_capab_pending_cnt++;
12868 	ill_dlpi_send(ill, mp);
12869 }
12870 
12871 void
12872 ill_capability_done(ill_t *ill)
12873 {
12874 	ASSERT(ill->ill_capab_pending_cnt != 0);
12875 
12876 	ill_dlpi_done(ill, DL_CAPABILITY_REQ);
12877 
12878 	ill->ill_capab_pending_cnt--;
12879 	if (ill->ill_capab_pending_cnt == 0 &&
12880 	    ill->ill_dlpi_capab_state == IDCS_OK)
12881 		ill_capability_reset_alloc(ill);
12882 }
12883 
12884 /*
12885  * Send all deferred DLPI messages without waiting for their ACKs.
12886  */
12887 void
12888 ill_dlpi_send_deferred(ill_t *ill)
12889 {
12890 	mblk_t *mp, *nextmp;
12891 
12892 	/*
12893 	 * Clear ill_dlpi_pending so that the message is not queued in
12894 	 * ill_dlpi_send().
12895 	 */
12896 	mutex_enter(&ill->ill_lock);
12897 	ill->ill_dlpi_pending = DL_PRIM_INVAL;
12898 	mp = ill->ill_dlpi_deferred;
12899 	ill->ill_dlpi_deferred = NULL;
12900 	mutex_exit(&ill->ill_lock);
12901 
12902 	for (; mp != NULL; mp = nextmp) {
12903 		nextmp = mp->b_next;
12904 		mp->b_next = NULL;
12905 		ill_dlpi_send(ill, mp);
12906 	}
12907 }
12908 
12909 /*
12910  * Clear all the deferred DLPI messages. Called on receiving an M_ERROR
12911  * or M_HANGUP
12912  */
12913 static void
12914 ill_dlpi_clear_deferred(ill_t *ill)
12915 {
12916 	mblk_t	*mp, *nextmp;
12917 
12918 	mutex_enter(&ill->ill_lock);
12919 	ill->ill_dlpi_pending = DL_PRIM_INVAL;
12920 	mp = ill->ill_dlpi_deferred;
12921 	ill->ill_dlpi_deferred = NULL;
12922 	mutex_exit(&ill->ill_lock);
12923 
12924 	for (; mp != NULL; mp = nextmp) {
12925 		nextmp = mp->b_next;
12926 		inet_freemsg(mp);
12927 	}
12928 }
12929 
12930 /*
12931  * Check if the DLPI primitive `prim' is pending; print a warning if not.
12932  */
12933 boolean_t
12934 ill_dlpi_pending(ill_t *ill, t_uscalar_t prim)
12935 {
12936 	t_uscalar_t pending;
12937 
12938 	mutex_enter(&ill->ill_lock);
12939 	if (ill->ill_dlpi_pending == prim) {
12940 		mutex_exit(&ill->ill_lock);
12941 		return (B_TRUE);
12942 	}
12943 
12944 	/*
12945 	 * During teardown, ill_dlpi_dispatch() will send DLPI requests
12946 	 * without waiting, so don't print any warnings in that case.
12947 	 */
12948 	if (ill->ill_state_flags & ILL_CONDEMNED) {
12949 		mutex_exit(&ill->ill_lock);
12950 		return (B_FALSE);
12951 	}
12952 	pending = ill->ill_dlpi_pending;
12953 	mutex_exit(&ill->ill_lock);
12954 
12955 	if (pending == DL_PRIM_INVAL) {
12956 		(void) mi_strlog(ill->ill_rq, 1, SL_CONSOLE|SL_ERROR|SL_TRACE,
12957 		    "received unsolicited ack for %s on %s\n",
12958 		    dl_primstr(prim), ill->ill_name);
12959 	} else {
12960 		(void) mi_strlog(ill->ill_rq, 1, SL_CONSOLE|SL_ERROR|SL_TRACE,
12961 		    "received unexpected ack for %s on %s (expecting %s)\n",
12962 		    dl_primstr(prim), ill->ill_name, dl_primstr(pending));
12963 	}
12964 	return (B_FALSE);
12965 }
12966 
12967 /*
12968  * Complete the current DLPI operation associated with `prim' on `ill' and
12969  * start the next queued DLPI operation (if any).  If there are no queued DLPI
12970  * operations and the ill's current exclusive IPSQ operation has finished
12971  * (i.e., ipsq_current_finish() was called), then clear ipsq_current_ipif to
12972  * allow the next exclusive IPSQ operation to begin upon ipsq_exit().  See
12973  * the comments above ipsq_current_finish() for details.
12974  */
12975 void
12976 ill_dlpi_done(ill_t *ill, t_uscalar_t prim)
12977 {
12978 	mblk_t *mp;
12979 	ipsq_t *ipsq = ill->ill_phyint->phyint_ipsq;
12980 	ipxop_t *ipx = ipsq->ipsq_xop;
12981 
12982 	ASSERT(IAM_WRITER_IPSQ(ipsq));
12983 	mutex_enter(&ill->ill_lock);
12984 
12985 	ASSERT(prim != DL_PRIM_INVAL);
12986 	ASSERT(ill->ill_dlpi_pending == prim);
12987 
12988 	ip1dbg(("ill_dlpi_done: %s has completed %s (%u)\n", ill->ill_name,
12989 	    dl_primstr(ill->ill_dlpi_pending), ill->ill_dlpi_pending));
12990 
12991 	if ((mp = ill->ill_dlpi_deferred) == NULL) {
12992 		ill->ill_dlpi_pending = DL_PRIM_INVAL;
12993 		if (ipx->ipx_current_done) {
12994 			mutex_enter(&ipx->ipx_lock);
12995 			ipx->ipx_current_ipif = NULL;
12996 			mutex_exit(&ipx->ipx_lock);
12997 		}
12998 		cv_signal(&ill->ill_cv);
12999 		mutex_exit(&ill->ill_lock);
13000 		return;
13001 	}
13002 
13003 	ill->ill_dlpi_deferred = mp->b_next;
13004 	mp->b_next = NULL;
13005 	mutex_exit(&ill->ill_lock);
13006 
13007 	ill_dlpi_dispatch(ill, mp);
13008 }
13009 
13010 /*
13011  * Queue a (multicast) DLPI control message to be sent to the driver by
13012  * later calling ill_dlpi_send_queued.
13013  * We queue them while holding a lock (ill_mcast_lock) to ensure that they
13014  * are sent in order i.e., prevent a DL_DISABMULTI_REQ and DL_ENABMULTI_REQ
13015  * for the same group to race.
13016  * We send DLPI control messages in order using ill_lock.
13017  * For IPMP we should be called on the cast_ill.
13018  */
13019 void
13020 ill_dlpi_queue(ill_t *ill, mblk_t *mp)
13021 {
13022 	mblk_t **mpp;
13023 
13024 	ASSERT(DB_TYPE(mp) == M_PROTO || DB_TYPE(mp) == M_PCPROTO);
13025 
13026 	mutex_enter(&ill->ill_lock);
13027 	/* Must queue message. Tail insertion */
13028 	mpp = &ill->ill_dlpi_deferred;
13029 	while (*mpp != NULL)
13030 		mpp = &((*mpp)->b_next);
13031 
13032 	*mpp = mp;
13033 	mutex_exit(&ill->ill_lock);
13034 }
13035 
13036 /*
13037  * Send the messages that were queued. Make sure there is only
13038  * one outstanding message. ip_rput_dlpi_writer calls ill_dlpi_done()
13039  * when an ACK or a NAK is received to process the next queued message.
13040  * For IPMP we are called on the upper ill, but when send what is queued
13041  * on the cast_ill.
13042  */
13043 void
13044 ill_dlpi_send_queued(ill_t *ill)
13045 {
13046 	mblk_t	*mp;
13047 	union DL_primitives *dlp;
13048 	t_uscalar_t prim;
13049 	ill_t *release_ill = NULL;
13050 
13051 	if (IS_IPMP(ill)) {
13052 		/* On the upper IPMP ill. */
13053 		release_ill = ipmp_illgrp_hold_cast_ill(ill->ill_grp);
13054 		if (release_ill == NULL) {
13055 			/* Avoid ever sending anything down to the ipmpstub */
13056 			return;
13057 		}
13058 		ill = release_ill;
13059 	}
13060 	mutex_enter(&ill->ill_lock);
13061 	while ((mp = ill->ill_dlpi_deferred) != NULL) {
13062 		if (ill->ill_dlpi_pending != DL_PRIM_INVAL) {
13063 			/* Can't send. Somebody else will send it */
13064 			mutex_exit(&ill->ill_lock);
13065 			goto done;
13066 		}
13067 		ill->ill_dlpi_deferred = mp->b_next;
13068 		mp->b_next = NULL;
13069 		if (!ill->ill_dl_up) {
13070 			/*
13071 			 * Nobody there. All multicast addresses will be
13072 			 * re-joined when we get the DL_BIND_ACK bringing the
13073 			 * interface up.
13074 			 */
13075 			freemsg(mp);
13076 			continue;
13077 		}
13078 		dlp = (union DL_primitives *)mp->b_rptr;
13079 		prim = dlp->dl_primitive;
13080 
13081 		if (!(ill->ill_state_flags & ILL_CONDEMNED) ||
13082 		    (prim == DL_UNBIND_REQ)) {
13083 			ill->ill_dlpi_pending = prim;
13084 		}
13085 		mutex_exit(&ill->ill_lock);
13086 
13087 		DTRACE_PROBE3(ill__dlpi, char *, "ill_dlpi_send_queued",
13088 		    char *, dl_primstr(prim), ill_t *, ill);
13089 		putnext(ill->ill_wq, mp);
13090 		mutex_enter(&ill->ill_lock);
13091 	}
13092 	mutex_exit(&ill->ill_lock);
13093 done:
13094 	if (release_ill != NULL)
13095 		ill_refrele(release_ill);
13096 }
13097 
13098 /*
13099  * Queue an IP (IGMP/MLD) message to be sent by IP from
13100  * ill_mcast_send_queued
13101  * We queue them while holding a lock (ill_mcast_lock) to ensure that they
13102  * are sent in order i.e., prevent a IGMP leave and IGMP join for the same
13103  * group to race.
13104  * We send them in order using ill_lock.
13105  * For IPMP we are called on the upper ill, but we queue on the cast_ill.
13106  */
13107 void
13108 ill_mcast_queue(ill_t *ill, mblk_t *mp)
13109 {
13110 	mblk_t **mpp;
13111 	ill_t *release_ill = NULL;
13112 
13113 	ASSERT(RW_LOCK_HELD(&ill->ill_mcast_lock));
13114 
13115 	if (IS_IPMP(ill)) {
13116 		/* On the upper IPMP ill. */
13117 		release_ill = ipmp_illgrp_hold_cast_ill(ill->ill_grp);
13118 		if (release_ill == NULL) {
13119 			/* Discard instead of queuing for the ipmp interface */
13120 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
13121 			ip_drop_output("ipIfStatsOutDiscards - no cast_ill",
13122 			    mp, ill);
13123 			freemsg(mp);
13124 			return;
13125 		}
13126 		ill = release_ill;
13127 	}
13128 
13129 	mutex_enter(&ill->ill_lock);
13130 	/* Must queue message. Tail insertion */
13131 	mpp = &ill->ill_mcast_deferred;
13132 	while (*mpp != NULL)
13133 		mpp = &((*mpp)->b_next);
13134 
13135 	*mpp = mp;
13136 	mutex_exit(&ill->ill_lock);
13137 	if (release_ill != NULL)
13138 		ill_refrele(release_ill);
13139 }
13140 
13141 /*
13142  * Send the IP packets that were queued by ill_mcast_queue.
13143  * These are IGMP/MLD packets.
13144  *
13145  * For IPMP we are called on the upper ill, but when send what is queued
13146  * on the cast_ill.
13147  *
13148  * Request loopback of the report if we are acting as a multicast
13149  * router, so that the process-level routing demon can hear it.
13150  * This will run multiple times for the same group if there are members
13151  * on the same group for multiple ipif's on the same ill. The
13152  * igmp_input/mld_input code will suppress this due to the loopback thus we
13153  * always loopback membership report.
13154  *
13155  * We also need to make sure that this does not get load balanced
13156  * by IPMP. We do this by passing an ill to ip_output_simple.
13157  */
13158 void
13159 ill_mcast_send_queued(ill_t *ill)
13160 {
13161 	mblk_t	*mp;
13162 	ip_xmit_attr_t ixas;
13163 	ill_t *release_ill = NULL;
13164 
13165 	if (IS_IPMP(ill)) {
13166 		/* On the upper IPMP ill. */
13167 		release_ill = ipmp_illgrp_hold_cast_ill(ill->ill_grp);
13168 		if (release_ill == NULL) {
13169 			/*
13170 			 * We should have no messages on the ipmp interface
13171 			 * but no point in trying to send them.
13172 			 */
13173 			return;
13174 		}
13175 		ill = release_ill;
13176 	}
13177 	bzero(&ixas, sizeof (ixas));
13178 	ixas.ixa_zoneid = ALL_ZONES;
13179 	ixas.ixa_cred = kcred;
13180 	ixas.ixa_cpid = NOPID;
13181 	ixas.ixa_tsl = NULL;
13182 	/*
13183 	 * Here we set ixa_ifindex. If IPMP it will be the lower ill which
13184 	 * makes ip_select_route pick the IRE_MULTICAST for the cast_ill.
13185 	 * That is necessary to handle IGMP/MLD snooping switches.
13186 	 */
13187 	ixas.ixa_ifindex = ill->ill_phyint->phyint_ifindex;
13188 	ixas.ixa_ipst = ill->ill_ipst;
13189 
13190 	mutex_enter(&ill->ill_lock);
13191 	while ((mp = ill->ill_mcast_deferred) != NULL) {
13192 		ill->ill_mcast_deferred = mp->b_next;
13193 		mp->b_next = NULL;
13194 		if (!ill->ill_dl_up) {
13195 			/*
13196 			 * Nobody there. Just drop the ip packets.
13197 			 * IGMP/MLD will resend later, if this is a replumb.
13198 			 */
13199 			freemsg(mp);
13200 			continue;
13201 		}
13202 		mutex_enter(&ill->ill_phyint->phyint_lock);
13203 		if (IS_UNDER_IPMP(ill) && !ipmp_ill_is_active(ill)) {
13204 			/*
13205 			 * When the ill is getting deactivated, we only want to
13206 			 * send the DLPI messages, so drop IGMP/MLD packets.
13207 			 * DLPI messages are handled by ill_dlpi_send_queued()
13208 			 */
13209 			mutex_exit(&ill->ill_phyint->phyint_lock);
13210 			freemsg(mp);
13211 			continue;
13212 		}
13213 		mutex_exit(&ill->ill_phyint->phyint_lock);
13214 		mutex_exit(&ill->ill_lock);
13215 
13216 		/* Check whether we are sending IPv4 or IPv6. */
13217 		if (ill->ill_isv6) {
13218 			ip6_t  *ip6h = (ip6_t *)mp->b_rptr;
13219 
13220 			ixas.ixa_multicast_ttl = ip6h->ip6_hops;
13221 			ixas.ixa_flags = IXAF_BASIC_SIMPLE_V6;
13222 		} else {
13223 			ipha_t *ipha = (ipha_t *)mp->b_rptr;
13224 
13225 			ixas.ixa_multicast_ttl = ipha->ipha_ttl;
13226 			ixas.ixa_flags = IXAF_BASIC_SIMPLE_V4;
13227 			ixas.ixa_flags &= ~IXAF_SET_ULP_CKSUM;
13228 		}
13229 		ixas.ixa_flags &= ~IXAF_VERIFY_SOURCE;
13230 		ixas.ixa_flags |= IXAF_MULTICAST_LOOP | IXAF_SET_SOURCE;
13231 		(void) ip_output_simple(mp, &ixas);
13232 		ixa_cleanup(&ixas);
13233 
13234 		mutex_enter(&ill->ill_lock);
13235 	}
13236 	mutex_exit(&ill->ill_lock);
13237 
13238 done:
13239 	if (release_ill != NULL)
13240 		ill_refrele(release_ill);
13241 }
13242 
13243 /*
13244  * Take down a specific interface, but don't lose any information about it.
13245  * (Always called as writer.)
13246  * This function goes through the down sequence even if the interface is
13247  * already down. There are 2 reasons.
13248  * a. Currently we permit interface routes that depend on down interfaces
13249  *    to be added. This behaviour itself is questionable. However it appears
13250  *    that both Solaris and 4.3 BSD have exhibited this behaviour for a long
13251  *    time. We go thru the cleanup in order to remove these routes.
13252  * b. The bringup of the interface could fail in ill_dl_up i.e. we get
13253  *    DL_ERROR_ACK in response to the DL_BIND request. The interface is
13254  *    down, but we need to cleanup i.e. do ill_dl_down and
13255  *    ip_rput_dlpi_writer (DL_ERROR_ACK) -> ipif_down.
13256  *
13257  * IP-MT notes:
13258  *
13259  * Model of reference to interfaces.
13260  *
13261  * The following members in ipif_t track references to the ipif.
13262  *	int     ipif_refcnt;    Active reference count
13263  *
13264  * The following members in ill_t track references to the ill.
13265  *	int             ill_refcnt;     active refcnt
13266  *	uint_t          ill_ire_cnt;	Number of ires referencing ill
13267  *	uint_t          ill_ncec_cnt;	Number of ncecs referencing ill
13268  *	uint_t          ill_nce_cnt;	Number of nces referencing ill
13269  *	uint_t          ill_ilm_cnt;	Number of ilms referencing ill
13270  *
13271  * Reference to an ipif or ill can be obtained in any of the following ways.
13272  *
13273  * Through the lookup functions ipif_lookup_* / ill_lookup_* functions
13274  * Pointers to ipif / ill from other data structures viz ire and conn.
13275  * Implicit reference to the ipif / ill by holding a reference to the ire.
13276  *
13277  * The ipif/ill lookup functions return a reference held ipif / ill.
13278  * ipif_refcnt and ill_refcnt track the reference counts respectively.
13279  * This is a purely dynamic reference count associated with threads holding
13280  * references to the ipif / ill. Pointers from other structures do not
13281  * count towards this reference count.
13282  *
13283  * ill_ire_cnt is the number of ire's associated with the
13284  * ill. This is incremented whenever a new ire is created referencing the
13285  * ill. This is done atomically inside ire_add_v[46] where the ire is
13286  * actually added to the ire hash table. The count is decremented in
13287  * ire_inactive where the ire is destroyed.
13288  *
13289  * ill_ncec_cnt is the number of ncec's referencing the ill thru ncec_ill.
13290  * This is incremented atomically in
13291  * ndp_add_v4()/ndp_add_v6() where the nce is actually added to the
13292  * table. Similarly it is decremented in ncec_inactive() where the ncec
13293  * is destroyed.
13294  *
13295  * ill_nce_cnt is the number of nce's referencing the ill thru nce_ill. This is
13296  * incremented atomically in nce_add() where the nce is actually added to the
13297  * ill_nce. Similarly it is decremented in nce_inactive() where the nce
13298  * is destroyed.
13299  *
13300  * ill_ilm_cnt is the ilm's reference to the ill. It is incremented in
13301  * ilm_add() and decremented before the ilm is freed in ilm_delete().
13302  *
13303  * Flow of ioctls involving interface down/up
13304  *
13305  * The following is the sequence of an attempt to set some critical flags on an
13306  * up interface.
13307  * ip_sioctl_flags
13308  * ipif_down
13309  * wait for ipif to be quiescent
13310  * ipif_down_tail
13311  * ip_sioctl_flags_tail
13312  *
13313  * All set ioctls that involve down/up sequence would have a skeleton similar
13314  * to the above. All the *tail functions are called after the refcounts have
13315  * dropped to the appropriate values.
13316  *
13317  * SIOC ioctls during the IPIF_CHANGING interval.
13318  *
13319  * Threads handling SIOC set ioctls serialize on the squeue, but this
13320  * is not done for SIOC get ioctls. Since a set ioctl can cause several
13321  * steps of internal changes to the state, some of which are visible in
13322  * ipif_flags (such as IFF_UP being cleared and later set), and we want
13323  * the set ioctl to be atomic related to the get ioctls, the SIOC get code
13324  * will wait and restart ioctls if IPIF_CHANGING is set. The mblk is then
13325  * enqueued in the ipsq and the operation is restarted by ipsq_exit() when
13326  * the current exclusive operation completes. The IPIF_CHANGING check
13327  * and enqueue is atomic using the ill_lock and ipsq_lock. The
13328  * lookup is done holding the ill_lock. Hence the ill/ipif state flags can't
13329  * change while the ill_lock is held. Before dropping the ill_lock we acquire
13330  * the ipsq_lock and call ipsq_enq. This ensures that ipsq_exit can't finish
13331  * until we release the ipsq_lock, even though the ill/ipif state flags
13332  * can change after we drop the ill_lock.
13333  */
13334 int
13335 ipif_down(ipif_t *ipif, queue_t *q, mblk_t *mp)
13336 {
13337 	ill_t		*ill = ipif->ipif_ill;
13338 	conn_t		*connp;
13339 	boolean_t	success;
13340 	boolean_t	ipif_was_up = B_FALSE;
13341 	ip_stack_t	*ipst = ill->ill_ipst;
13342 
13343 	ASSERT(IAM_WRITER_IPIF(ipif));
13344 
13345 	ip1dbg(("ipif_down(%s:%u)\n", ill->ill_name, ipif->ipif_id));
13346 
13347 	DTRACE_PROBE3(ipif__downup, char *, "ipif_down",
13348 	    ill_t *, ill, ipif_t *, ipif);
13349 
13350 	if (ipif->ipif_flags & IPIF_UP) {
13351 		mutex_enter(&ill->ill_lock);
13352 		ipif->ipif_flags &= ~IPIF_UP;
13353 		ASSERT(ill->ill_ipif_up_count > 0);
13354 		--ill->ill_ipif_up_count;
13355 		mutex_exit(&ill->ill_lock);
13356 		ipif_was_up = B_TRUE;
13357 		/* Update status in SCTP's list */
13358 		sctp_update_ipif(ipif, SCTP_IPIF_DOWN);
13359 		ill_nic_event_dispatch(ipif->ipif_ill,
13360 		    MAP_IPIF_ID(ipif->ipif_id), NE_LIF_DOWN, NULL, 0);
13361 	}
13362 
13363 	/*
13364 	 * Removal of the last ipif from an ill may result in a DL_UNBIND
13365 	 * being sent to the driver, and we must not send any data packets to
13366 	 * the driver after the DL_UNBIND_REQ. To ensure this, all the
13367 	 * ire and nce entries used in the data path will be cleaned
13368 	 * up, and we also set  the ILL_DOWN_IN_PROGRESS bit to make
13369 	 * sure on new entries will be added until the ill is bound
13370 	 * again. The ILL_DOWN_IN_PROGRESS bit is turned off upon
13371 	 * receipt of a DL_BIND_ACK.
13372 	 */
13373 	if (ill->ill_wq != NULL && !ill->ill_logical_down &&
13374 	    ill->ill_ipif_up_count == 0 && ill->ill_ipif_dup_count == 0 &&
13375 	    ill->ill_dl_up) {
13376 		ill->ill_state_flags |= ILL_DOWN_IN_PROGRESS;
13377 	}
13378 
13379 	/*
13380 	 * Blow away memberships we established in ipif_multicast_up().
13381 	 */
13382 	ipif_multicast_down(ipif);
13383 
13384 	/*
13385 	 * Remove from the mapping for __sin6_src_id. We insert only
13386 	 * when the address is not INADDR_ANY. As IPv4 addresses are
13387 	 * stored as mapped addresses, we need to check for mapped
13388 	 * INADDR_ANY also.
13389 	 */
13390 	if (ipif_was_up && !IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6lcl_addr) &&
13391 	    !IN6_IS_ADDR_V4MAPPED_ANY(&ipif->ipif_v6lcl_addr) &&
13392 	    !(ipif->ipif_flags & IPIF_NOLOCAL)) {
13393 		int err;
13394 
13395 		err = ip_srcid_remove(&ipif->ipif_v6lcl_addr,
13396 		    ipif->ipif_zoneid, ipst);
13397 		if (err != 0) {
13398 			ip0dbg(("ipif_down: srcid_remove %d\n", err));
13399 		}
13400 	}
13401 
13402 	if (ipif_was_up) {
13403 		/* only delete if we'd added ire's before */
13404 		if (ipif->ipif_isv6)
13405 			ipif_delete_ires_v6(ipif);
13406 		else
13407 			ipif_delete_ires_v4(ipif);
13408 	}
13409 
13410 	if (ipif_was_up && ill->ill_ipif_up_count == 0) {
13411 		/*
13412 		 * Since the interface is now down, it may have just become
13413 		 * inactive.  Note that this needs to be done even for a
13414 		 * lll_logical_down(), or ARP entries will not get correctly
13415 		 * restored when the interface comes back up.
13416 		 */
13417 		if (IS_UNDER_IPMP(ill))
13418 			ipmp_ill_refresh_active(ill);
13419 	}
13420 
13421 	/*
13422 	 * neighbor-discovery or arp entries for this interface. The ipif
13423 	 * has to be quiesced, so we walk all the nce's and delete those
13424 	 * that point at the ipif->ipif_ill. At the same time, we also
13425 	 * update IPMP so that ipifs for data addresses are unbound. We dont
13426 	 * call ipif_arp_down to DL_UNBIND the arp stream itself here, but defer
13427 	 * that for ipif_down_tail()
13428 	 */
13429 	ipif_nce_down(ipif);
13430 
13431 	/*
13432 	 * If this is the last ipif on the ill, we also need to remove
13433 	 * any IREs with ire_ill set. Otherwise ipif_is_quiescent() will
13434 	 * never succeed.
13435 	 */
13436 	if (ill->ill_ipif_up_count == 0 && ill->ill_ipif_dup_count == 0)
13437 		ire_walk_ill(0, 0, ill_downi, ill, ill);
13438 
13439 	/*
13440 	 * Walk all CONNs that can have a reference on an ire for this
13441 	 * ipif (we actually walk all that now have stale references).
13442 	 */
13443 	ipcl_walk(conn_ixa_cleanup, (void *)B_TRUE, ipst);
13444 
13445 	/*
13446 	 * If mp is NULL the caller will wait for the appropriate refcnt.
13447 	 * Eg. ip_sioctl_removeif -> ipif_free  -> ipif_down
13448 	 * and ill_delete -> ipif_free -> ipif_down
13449 	 */
13450 	if (mp == NULL) {
13451 		ASSERT(q == NULL);
13452 		return (0);
13453 	}
13454 
13455 	if (CONN_Q(q)) {
13456 		connp = Q_TO_CONN(q);
13457 		mutex_enter(&connp->conn_lock);
13458 	} else {
13459 		connp = NULL;
13460 	}
13461 	mutex_enter(&ill->ill_lock);
13462 	/*
13463 	 * Are there any ire's pointing to this ipif that are still active ?
13464 	 * If this is the last ipif going down, are there any ire's pointing
13465 	 * to this ill that are still active ?
13466 	 */
13467 	if (ipif_is_quiescent(ipif)) {
13468 		mutex_exit(&ill->ill_lock);
13469 		if (connp != NULL)
13470 			mutex_exit(&connp->conn_lock);
13471 		return (0);
13472 	}
13473 
13474 	ip1dbg(("ipif_down: need to wait, adding pending mp %s ill %p",
13475 	    ill->ill_name, (void *)ill));
13476 	/*
13477 	 * Enqueue the mp atomically in ipsq_pending_mp. When the refcount
13478 	 * drops down, the operation will be restarted by ipif_ill_refrele_tail
13479 	 * which in turn is called by the last refrele on the ipif/ill/ire.
13480 	 */
13481 	success = ipsq_pending_mp_add(connp, ipif, q, mp, IPIF_DOWN);
13482 	if (!success) {
13483 		/* The conn is closing. So just return */
13484 		ASSERT(connp != NULL);
13485 		mutex_exit(&ill->ill_lock);
13486 		mutex_exit(&connp->conn_lock);
13487 		return (EINTR);
13488 	}
13489 
13490 	mutex_exit(&ill->ill_lock);
13491 	if (connp != NULL)
13492 		mutex_exit(&connp->conn_lock);
13493 	return (EINPROGRESS);
13494 }
13495 
13496 int
13497 ipif_down_tail(ipif_t *ipif)
13498 {
13499 	ill_t	*ill = ipif->ipif_ill;
13500 	int	err = 0;
13501 
13502 	DTRACE_PROBE3(ipif__downup, char *, "ipif_down_tail",
13503 	    ill_t *, ill, ipif_t *, ipif);
13504 
13505 	/*
13506 	 * Skip any loopback interface (null wq).
13507 	 * If this is the last logical interface on the ill
13508 	 * have ill_dl_down tell the driver we are gone (unbind)
13509 	 * Note that lun 0 can ipif_down even though
13510 	 * there are other logical units that are up.
13511 	 * This occurs e.g. when we change a "significant" IFF_ flag.
13512 	 */
13513 	if (ill->ill_wq != NULL && !ill->ill_logical_down &&
13514 	    ill->ill_ipif_up_count == 0 && ill->ill_ipif_dup_count == 0 &&
13515 	    ill->ill_dl_up) {
13516 		ill_dl_down(ill);
13517 	}
13518 	if (!ipif->ipif_isv6)
13519 		err = ipif_arp_down(ipif);
13520 
13521 	ill->ill_logical_down = 0;
13522 
13523 	ip_rts_ifmsg(ipif, RTSQ_DEFAULT);
13524 	ip_rts_newaddrmsg(RTM_DELETE, 0, ipif, RTSQ_DEFAULT);
13525 	return (err);
13526 }
13527 
13528 /*
13529  * Bring interface logically down without bringing the physical interface
13530  * down e.g. when the netmask is changed. This avoids long lasting link
13531  * negotiations between an ethernet interface and a certain switches.
13532  */
13533 static int
13534 ipif_logical_down(ipif_t *ipif, queue_t *q, mblk_t *mp)
13535 {
13536 	DTRACE_PROBE3(ipif__downup, char *, "ipif_logical_down",
13537 	    ill_t *, ipif->ipif_ill, ipif_t *, ipif);
13538 
13539 	/*
13540 	 * The ill_logical_down flag is a transient flag. It is set here
13541 	 * and is cleared once the down has completed in ipif_down_tail.
13542 	 * This flag does not indicate whether the ill stream is in the
13543 	 * DL_BOUND state with the driver. Instead this flag is used by
13544 	 * ipif_down_tail to determine whether to DL_UNBIND the stream with
13545 	 * the driver. The state of the ill stream i.e. whether it is
13546 	 * DL_BOUND with the driver or not is indicated by the ill_dl_up flag.
13547 	 */
13548 	ipif->ipif_ill->ill_logical_down = 1;
13549 	return (ipif_down(ipif, q, mp));
13550 }
13551 
13552 /*
13553  * Initiate deallocate of an IPIF. Always called as writer. Called by
13554  * ill_delete or ip_sioctl_removeif.
13555  */
13556 static void
13557 ipif_free(ipif_t *ipif)
13558 {
13559 	ip_stack_t	*ipst = ipif->ipif_ill->ill_ipst;
13560 
13561 	ASSERT(IAM_WRITER_IPIF(ipif));
13562 
13563 	if (ipif->ipif_recovery_id != 0)
13564 		(void) untimeout(ipif->ipif_recovery_id);
13565 	ipif->ipif_recovery_id = 0;
13566 
13567 	/*
13568 	 * Take down the interface. We can be called either from ill_delete
13569 	 * or from ip_sioctl_removeif.
13570 	 */
13571 	(void) ipif_down(ipif, NULL, NULL);
13572 
13573 	/*
13574 	 * Now that the interface is down, there's no chance it can still
13575 	 * become a duplicate.  Cancel any timer that may have been set while
13576 	 * tearing down.
13577 	 */
13578 	if (ipif->ipif_recovery_id != 0)
13579 		(void) untimeout(ipif->ipif_recovery_id);
13580 	ipif->ipif_recovery_id = 0;
13581 
13582 	rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
13583 	/* Remove pointers to this ill in the multicast routing tables */
13584 	reset_mrt_vif_ipif(ipif);
13585 	/* If necessary, clear the cached source ipif rotor. */
13586 	if (ipif->ipif_ill->ill_src_ipif == ipif)
13587 		ipif->ipif_ill->ill_src_ipif = NULL;
13588 	rw_exit(&ipst->ips_ill_g_lock);
13589 }
13590 
13591 static void
13592 ipif_free_tail(ipif_t *ipif)
13593 {
13594 	ip_stack_t *ipst = ipif->ipif_ill->ill_ipst;
13595 
13596 	/*
13597 	 * Need to hold both ill_g_lock and ill_lock while
13598 	 * inserting or removing an ipif from the linked list
13599 	 * of ipifs hanging off the ill.
13600 	 */
13601 	rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
13602 
13603 #ifdef DEBUG
13604 	ipif_trace_cleanup(ipif);
13605 #endif
13606 
13607 	/* Ask SCTP to take it out of it list */
13608 	sctp_update_ipif(ipif, SCTP_IPIF_REMOVE);
13609 	ip_rts_newaddrmsg(RTM_FREEADDR, 0, ipif, RTSQ_DEFAULT);
13610 
13611 	/* Get it out of the ILL interface list. */
13612 	ipif_remove(ipif);
13613 	rw_exit(&ipst->ips_ill_g_lock);
13614 
13615 	ASSERT(!(ipif->ipif_flags & (IPIF_UP | IPIF_DUPLICATE)));
13616 	ASSERT(ipif->ipif_recovery_id == 0);
13617 	ASSERT(ipif->ipif_ire_local == NULL);
13618 	ASSERT(ipif->ipif_ire_if == NULL);
13619 
13620 	/* Free the memory. */
13621 	mi_free(ipif);
13622 }
13623 
13624 /*
13625  * Sets `buf' to an ipif name of the form "ill_name:id", or "ill_name" if "id"
13626  * is zero.
13627  */
13628 void
13629 ipif_get_name(const ipif_t *ipif, char *buf, int len)
13630 {
13631 	char	lbuf[LIFNAMSIZ];
13632 	char	*name;
13633 	size_t	name_len;
13634 
13635 	buf[0] = '\0';
13636 	name = ipif->ipif_ill->ill_name;
13637 	name_len = ipif->ipif_ill->ill_name_length;
13638 	if (ipif->ipif_id != 0) {
13639 		(void) sprintf(lbuf, "%s%c%d", name, IPIF_SEPARATOR_CHAR,
13640 		    ipif->ipif_id);
13641 		name = lbuf;
13642 		name_len = mi_strlen(name) + 1;
13643 	}
13644 	len -= 1;
13645 	buf[len] = '\0';
13646 	len = MIN(len, name_len);
13647 	bcopy(name, buf, len);
13648 }
13649 
13650 /*
13651  * Sets `buf' to an ill name.
13652  */
13653 void
13654 ill_get_name(const ill_t *ill, char *buf, int len)
13655 {
13656 	char	*name;
13657 	size_t	name_len;
13658 
13659 	name = ill->ill_name;
13660 	name_len = ill->ill_name_length;
13661 	len -= 1;
13662 	buf[len] = '\0';
13663 	len = MIN(len, name_len);
13664 	bcopy(name, buf, len);
13665 }
13666 
13667 /*
13668  * Find an IPIF based on the name passed in.  Names can be of the form <phys>
13669  * (e.g., le0) or <phys>:<#> (e.g., le0:1).  When there is no colon, the
13670  * implied unit id is zero. <phys> must correspond to the name of an ILL.
13671  * (May be called as writer.)
13672  */
13673 static ipif_t *
13674 ipif_lookup_on_name(char *name, size_t namelen, boolean_t do_alloc,
13675     boolean_t *exists, boolean_t isv6, zoneid_t zoneid, ip_stack_t *ipst)
13676 {
13677 	char	*cp;
13678 	char	*endp;
13679 	long	id;
13680 	ill_t	*ill;
13681 	ipif_t	*ipif;
13682 	uint_t	ire_type;
13683 	boolean_t did_alloc = B_FALSE;
13684 	char	last;
13685 
13686 	/*
13687 	 * If the caller wants to us to create the ipif, make sure we have a
13688 	 * valid zoneid
13689 	 */
13690 	ASSERT(!do_alloc || zoneid != ALL_ZONES);
13691 
13692 	if (namelen == 0) {
13693 		return (NULL);
13694 	}
13695 
13696 	*exists = B_FALSE;
13697 	/* Look for a colon in the name. */
13698 	endp = &name[namelen];
13699 	for (cp = endp; --cp > name; ) {
13700 		if (*cp == IPIF_SEPARATOR_CHAR)
13701 			break;
13702 	}
13703 
13704 	if (*cp == IPIF_SEPARATOR_CHAR) {
13705 		/*
13706 		 * Reject any non-decimal aliases for logical
13707 		 * interfaces. Aliases with leading zeroes
13708 		 * are also rejected as they introduce ambiguity
13709 		 * in the naming of the interfaces.
13710 		 * In order to confirm with existing semantics,
13711 		 * and to not break any programs/script relying
13712 		 * on that behaviour, if<0>:0 is considered to be
13713 		 * a valid interface.
13714 		 *
13715 		 * If alias has two or more digits and the first
13716 		 * is zero, fail.
13717 		 */
13718 		if (&cp[2] < endp && cp[1] == '0') {
13719 			return (NULL);
13720 		}
13721 	}
13722 
13723 	if (cp <= name) {
13724 		cp = endp;
13725 	}
13726 	last = *cp;
13727 	*cp = '\0';
13728 
13729 	/*
13730 	 * Look up the ILL, based on the portion of the name
13731 	 * before the slash. ill_lookup_on_name returns a held ill.
13732 	 * Temporary to check whether ill exists already. If so
13733 	 * ill_lookup_on_name will clear it.
13734 	 */
13735 	ill = ill_lookup_on_name(name, do_alloc, isv6,
13736 	    &did_alloc, ipst);
13737 	*cp = last;
13738 	if (ill == NULL)
13739 		return (NULL);
13740 
13741 	/* Establish the unit number in the name. */
13742 	id = 0;
13743 	if (cp < endp && *endp == '\0') {
13744 		/* If there was a colon, the unit number follows. */
13745 		cp++;
13746 		if (ddi_strtol(cp, NULL, 0, &id) != 0) {
13747 			ill_refrele(ill);
13748 			return (NULL);
13749 		}
13750 	}
13751 
13752 	mutex_enter(&ill->ill_lock);
13753 	/* Now see if there is an IPIF with this unit number. */
13754 	for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
13755 		if (ipif->ipif_id == id) {
13756 			if (zoneid != ALL_ZONES &&
13757 			    zoneid != ipif->ipif_zoneid &&
13758 			    ipif->ipif_zoneid != ALL_ZONES) {
13759 				mutex_exit(&ill->ill_lock);
13760 				ill_refrele(ill);
13761 				return (NULL);
13762 			}
13763 			if (IPIF_CAN_LOOKUP(ipif)) {
13764 				ipif_refhold_locked(ipif);
13765 				mutex_exit(&ill->ill_lock);
13766 				if (!did_alloc)
13767 					*exists = B_TRUE;
13768 				/*
13769 				 * Drop locks before calling ill_refrele
13770 				 * since it can potentially call into
13771 				 * ipif_ill_refrele_tail which can end up
13772 				 * in trying to acquire any lock.
13773 				 */
13774 				ill_refrele(ill);
13775 				return (ipif);
13776 			}
13777 		}
13778 	}
13779 
13780 	if (!do_alloc) {
13781 		mutex_exit(&ill->ill_lock);
13782 		ill_refrele(ill);
13783 		return (NULL);
13784 	}
13785 
13786 	/*
13787 	 * If none found, atomically allocate and return a new one.
13788 	 * Historically, we used IRE_LOOPBACK only for lun 0, and IRE_LOCAL
13789 	 * to support "receive only" use of lo0:1 etc. as is still done
13790 	 * below as an initial guess.
13791 	 * However, this is now likely to be overriden later in ipif_up_done()
13792 	 * when we know for sure what address has been configured on the
13793 	 * interface, since we might have more than one loopback interface
13794 	 * with a loopback address, e.g. in the case of zones, and all the
13795 	 * interfaces with loopback addresses need to be marked IRE_LOOPBACK.
13796 	 */
13797 	if (ill->ill_net_type == IRE_LOOPBACK && id == 0)
13798 		ire_type = IRE_LOOPBACK;
13799 	else
13800 		ire_type = IRE_LOCAL;
13801 	ipif = ipif_allocate(ill, id, ire_type, B_TRUE, B_TRUE, NULL);
13802 	if (ipif != NULL)
13803 		ipif_refhold_locked(ipif);
13804 	mutex_exit(&ill->ill_lock);
13805 	ill_refrele(ill);
13806 	return (ipif);
13807 }
13808 
13809 /*
13810  * Variant of the above that queues the request on the ipsq when
13811  * IPIF_CHANGING is set.
13812  */
13813 static ipif_t *
13814 ipif_lookup_on_name_async(char *name, size_t namelen, boolean_t isv6,
13815     zoneid_t zoneid, queue_t *q, mblk_t *mp, ipsq_func_t func, int *error,
13816     ip_stack_t *ipst)
13817 {
13818 	char	*cp;
13819 	char	*endp;
13820 	long	id;
13821 	ill_t	*ill;
13822 	ipif_t	*ipif;
13823 	boolean_t did_alloc = B_FALSE;
13824 	ipsq_t	*ipsq;
13825 
13826 	if (error != NULL)
13827 		*error = 0;
13828 
13829 	if (namelen == 0) {
13830 		if (error != NULL)
13831 			*error = ENXIO;
13832 		return (NULL);
13833 	}
13834 
13835 	/* Look for a colon in the name. */
13836 	endp = &name[namelen];
13837 	for (cp = endp; --cp > name; ) {
13838 		if (*cp == IPIF_SEPARATOR_CHAR)
13839 			break;
13840 	}
13841 
13842 	if (*cp == IPIF_SEPARATOR_CHAR) {
13843 		/*
13844 		 * Reject any non-decimal aliases for logical
13845 		 * interfaces. Aliases with leading zeroes
13846 		 * are also rejected as they introduce ambiguity
13847 		 * in the naming of the interfaces.
13848 		 * In order to confirm with existing semantics,
13849 		 * and to not break any programs/script relying
13850 		 * on that behaviour, if<0>:0 is considered to be
13851 		 * a valid interface.
13852 		 *
13853 		 * If alias has two or more digits and the first
13854 		 * is zero, fail.
13855 		 */
13856 		if (&cp[2] < endp && cp[1] == '0') {
13857 			if (error != NULL)
13858 				*error = EINVAL;
13859 			return (NULL);
13860 		}
13861 	}
13862 
13863 	if (cp <= name) {
13864 		cp = endp;
13865 	} else {
13866 		*cp = '\0';
13867 	}
13868 
13869 	/*
13870 	 * Look up the ILL, based on the portion of the name
13871 	 * before the slash. ill_lookup_on_name returns a held ill.
13872 	 * Temporary to check whether ill exists already. If so
13873 	 * ill_lookup_on_name will clear it.
13874 	 */
13875 	ill = ill_lookup_on_name(name, B_FALSE, isv6, &did_alloc, ipst);
13876 	if (cp != endp)
13877 		*cp = IPIF_SEPARATOR_CHAR;
13878 	if (ill == NULL)
13879 		return (NULL);
13880 
13881 	/* Establish the unit number in the name. */
13882 	id = 0;
13883 	if (cp < endp && *endp == '\0') {
13884 		/* If there was a colon, the unit number follows. */
13885 		cp++;
13886 		if (ddi_strtol(cp, NULL, 0, &id) != 0) {
13887 			ill_refrele(ill);
13888 			if (error != NULL)
13889 				*error = ENXIO;
13890 			return (NULL);
13891 		}
13892 	}
13893 
13894 	GRAB_CONN_LOCK(q);
13895 	mutex_enter(&ill->ill_lock);
13896 	/* Now see if there is an IPIF with this unit number. */
13897 	for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
13898 		if (ipif->ipif_id == id) {
13899 			if (zoneid != ALL_ZONES &&
13900 			    zoneid != ipif->ipif_zoneid &&
13901 			    ipif->ipif_zoneid != ALL_ZONES) {
13902 				mutex_exit(&ill->ill_lock);
13903 				RELEASE_CONN_LOCK(q);
13904 				ill_refrele(ill);
13905 				if (error != NULL)
13906 					*error = ENXIO;
13907 				return (NULL);
13908 			}
13909 
13910 			if (!(IPIF_IS_CHANGING(ipif) ||
13911 			    IPIF_IS_CONDEMNED(ipif)) ||
13912 			    IAM_WRITER_IPIF(ipif)) {
13913 				ipif_refhold_locked(ipif);
13914 				mutex_exit(&ill->ill_lock);
13915 				/*
13916 				 * Drop locks before calling ill_refrele
13917 				 * since it can potentially call into
13918 				 * ipif_ill_refrele_tail which can end up
13919 				 * in trying to acquire any lock.
13920 				 */
13921 				RELEASE_CONN_LOCK(q);
13922 				ill_refrele(ill);
13923 				return (ipif);
13924 			} else if (q != NULL && !IPIF_IS_CONDEMNED(ipif)) {
13925 				ipsq = ill->ill_phyint->phyint_ipsq;
13926 				mutex_enter(&ipsq->ipsq_lock);
13927 				mutex_enter(&ipsq->ipsq_xop->ipx_lock);
13928 				mutex_exit(&ill->ill_lock);
13929 				ipsq_enq(ipsq, q, mp, func, NEW_OP, ill);
13930 				mutex_exit(&ipsq->ipsq_xop->ipx_lock);
13931 				mutex_exit(&ipsq->ipsq_lock);
13932 				RELEASE_CONN_LOCK(q);
13933 				ill_refrele(ill);
13934 				if (error != NULL)
13935 					*error = EINPROGRESS;
13936 				return (NULL);
13937 			}
13938 		}
13939 	}
13940 	RELEASE_CONN_LOCK(q);
13941 	mutex_exit(&ill->ill_lock);
13942 	ill_refrele(ill);
13943 	if (error != NULL)
13944 		*error = ENXIO;
13945 	return (NULL);
13946 }
13947 
13948 /*
13949  * This routine is called whenever a new address comes up on an ipif.  If
13950  * we are configured to respond to address mask requests, then we are supposed
13951  * to broadcast an address mask reply at this time.  This routine is also
13952  * called if we are already up, but a netmask change is made.  This is legal
13953  * but might not make the system manager very popular.	(May be called
13954  * as writer.)
13955  */
13956 void
13957 ipif_mask_reply(ipif_t *ipif)
13958 {
13959 	icmph_t	*icmph;
13960 	ipha_t	*ipha;
13961 	mblk_t	*mp;
13962 	ip_stack_t	*ipst = ipif->ipif_ill->ill_ipst;
13963 	ip_xmit_attr_t ixas;
13964 
13965 #define	REPLY_LEN	(sizeof (icmp_ipha) + sizeof (icmph_t) + IP_ADDR_LEN)
13966 
13967 	if (!ipst->ips_ip_respond_to_address_mask_broadcast)
13968 		return;
13969 
13970 	/* ICMP mask reply is IPv4 only */
13971 	ASSERT(!ipif->ipif_isv6);
13972 	/* ICMP mask reply is not for a loopback interface */
13973 	ASSERT(ipif->ipif_ill->ill_wq != NULL);
13974 
13975 	if (ipif->ipif_lcl_addr == INADDR_ANY)
13976 		return;
13977 
13978 	mp = allocb(REPLY_LEN, BPRI_HI);
13979 	if (mp == NULL)
13980 		return;
13981 	mp->b_wptr = mp->b_rptr + REPLY_LEN;
13982 
13983 	ipha = (ipha_t *)mp->b_rptr;
13984 	bzero(ipha, REPLY_LEN);
13985 	*ipha = icmp_ipha;
13986 	ipha->ipha_ttl = ipst->ips_ip_broadcast_ttl;
13987 	ipha->ipha_src = ipif->ipif_lcl_addr;
13988 	ipha->ipha_dst = ipif->ipif_brd_addr;
13989 	ipha->ipha_length = htons(REPLY_LEN);
13990 	ipha->ipha_ident = 0;
13991 
13992 	icmph = (icmph_t *)&ipha[1];
13993 	icmph->icmph_type = ICMP_ADDRESS_MASK_REPLY;
13994 	bcopy(&ipif->ipif_net_mask, &icmph[1], IP_ADDR_LEN);
13995 	icmph->icmph_checksum = IP_CSUM(mp, sizeof (ipha_t), 0);
13996 
13997 	bzero(&ixas, sizeof (ixas));
13998 	ixas.ixa_flags = IXAF_BASIC_SIMPLE_V4;
13999 	ixas.ixa_zoneid = ALL_ZONES;
14000 	ixas.ixa_ifindex = 0;
14001 	ixas.ixa_ipst = ipst;
14002 	ixas.ixa_multicast_ttl = IP_DEFAULT_MULTICAST_TTL;
14003 	(void) ip_output_simple(mp, &ixas);
14004 	ixa_cleanup(&ixas);
14005 #undef	REPLY_LEN
14006 }
14007 
14008 /*
14009  * Join the ipif specific multicast groups.
14010  * Must be called after a mapping has been set up in the resolver.  (Always
14011  * called as writer.)
14012  */
14013 void
14014 ipif_multicast_up(ipif_t *ipif)
14015 {
14016 	int err;
14017 	ill_t *ill;
14018 	ilm_t *ilm;
14019 
14020 	ASSERT(IAM_WRITER_IPIF(ipif));
14021 
14022 	ill = ipif->ipif_ill;
14023 
14024 	ip1dbg(("ipif_multicast_up\n"));
14025 	if (!(ill->ill_flags & ILLF_MULTICAST) ||
14026 	    ipif->ipif_allhosts_ilm != NULL)
14027 		return;
14028 
14029 	if (ipif->ipif_isv6) {
14030 		in6_addr_t v6allmc = ipv6_all_hosts_mcast;
14031 		in6_addr_t v6solmc = ipv6_solicited_node_mcast;
14032 
14033 		v6solmc.s6_addr32[3] |= ipif->ipif_v6lcl_addr.s6_addr32[3];
14034 
14035 		if (IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6lcl_addr))
14036 			return;
14037 
14038 		ip1dbg(("ipif_multicast_up - addmulti\n"));
14039 
14040 		/*
14041 		 * Join the all hosts multicast address.  We skip this for
14042 		 * underlying IPMP interfaces since they should be invisible.
14043 		 */
14044 		if (!IS_UNDER_IPMP(ill)) {
14045 			ilm = ip_addmulti(&v6allmc, ill, ipif->ipif_zoneid,
14046 			    &err);
14047 			if (ilm == NULL) {
14048 				ASSERT(err != 0);
14049 				ip0dbg(("ipif_multicast_up: "
14050 				    "all_hosts_mcast failed %d\n", err));
14051 				return;
14052 			}
14053 			ipif->ipif_allhosts_ilm = ilm;
14054 		}
14055 
14056 		/*
14057 		 * Enable multicast for the solicited node multicast address.
14058 		 * If IPMP we need to put the membership on the upper ill.
14059 		 */
14060 		if (!(ipif->ipif_flags & IPIF_NOLOCAL)) {
14061 			ill_t *mcast_ill = NULL;
14062 			boolean_t need_refrele;
14063 
14064 			if (IS_UNDER_IPMP(ill) &&
14065 			    (mcast_ill = ipmp_ill_hold_ipmp_ill(ill)) != NULL) {
14066 				need_refrele = B_TRUE;
14067 			} else {
14068 				mcast_ill = ill;
14069 				need_refrele = B_FALSE;
14070 			}
14071 
14072 			ilm = ip_addmulti(&v6solmc, mcast_ill,
14073 			    ipif->ipif_zoneid, &err);
14074 			if (need_refrele)
14075 				ill_refrele(mcast_ill);
14076 
14077 			if (ilm == NULL) {
14078 				ASSERT(err != 0);
14079 				ip0dbg(("ipif_multicast_up: solicited MC"
14080 				    " failed %d\n", err));
14081 				if ((ilm = ipif->ipif_allhosts_ilm) != NULL) {
14082 					ipif->ipif_allhosts_ilm = NULL;
14083 					(void) ip_delmulti(ilm);
14084 				}
14085 				return;
14086 			}
14087 			ipif->ipif_solmulti_ilm = ilm;
14088 		}
14089 	} else {
14090 		in6_addr_t v6group;
14091 
14092 		if (ipif->ipif_lcl_addr == INADDR_ANY || IS_UNDER_IPMP(ill))
14093 			return;
14094 
14095 		/* Join the all hosts multicast address */
14096 		ip1dbg(("ipif_multicast_up - addmulti\n"));
14097 		IN6_IPADDR_TO_V4MAPPED(htonl(INADDR_ALLHOSTS_GROUP), &v6group);
14098 
14099 		ilm = ip_addmulti(&v6group, ill, ipif->ipif_zoneid, &err);
14100 		if (ilm == NULL) {
14101 			ASSERT(err != 0);
14102 			ip0dbg(("ipif_multicast_up: failed %d\n", err));
14103 			return;
14104 		}
14105 		ipif->ipif_allhosts_ilm = ilm;
14106 	}
14107 }
14108 
14109 /*
14110  * Blow away any multicast groups that we joined in ipif_multicast_up().
14111  * (ilms from explicit memberships are handled in conn_update_ill.)
14112  */
14113 void
14114 ipif_multicast_down(ipif_t *ipif)
14115 {
14116 	ASSERT(IAM_WRITER_IPIF(ipif));
14117 
14118 	ip1dbg(("ipif_multicast_down\n"));
14119 
14120 	if (ipif->ipif_allhosts_ilm != NULL) {
14121 		(void) ip_delmulti(ipif->ipif_allhosts_ilm);
14122 		ipif->ipif_allhosts_ilm = NULL;
14123 	}
14124 	if (ipif->ipif_solmulti_ilm != NULL) {
14125 		(void) ip_delmulti(ipif->ipif_solmulti_ilm);
14126 		ipif->ipif_solmulti_ilm = NULL;
14127 	}
14128 }
14129 
14130 /*
14131  * Used when an interface comes up to recreate any extra routes on this
14132  * interface.
14133  */
14134 int
14135 ill_recover_saved_ire(ill_t *ill)
14136 {
14137 	mblk_t		*mp;
14138 	ip_stack_t	*ipst = ill->ill_ipst;
14139 
14140 	ip1dbg(("ill_recover_saved_ire(%s)", ill->ill_name));
14141 
14142 	mutex_enter(&ill->ill_saved_ire_lock);
14143 	for (mp = ill->ill_saved_ire_mp; mp != NULL; mp = mp->b_cont) {
14144 		ire_t		*ire, *nire;
14145 		ifrt_t		*ifrt;
14146 
14147 		ifrt = (ifrt_t *)mp->b_rptr;
14148 		/*
14149 		 * Create a copy of the IRE with the saved address and netmask.
14150 		 */
14151 		if (ill->ill_isv6) {
14152 			ire = ire_create_v6(
14153 			    &ifrt->ifrt_v6addr,
14154 			    &ifrt->ifrt_v6mask,
14155 			    &ifrt->ifrt_v6gateway_addr,
14156 			    ifrt->ifrt_type,
14157 			    ill,
14158 			    ifrt->ifrt_zoneid,
14159 			    ifrt->ifrt_flags,
14160 			    NULL,
14161 			    ipst);
14162 		} else {
14163 			ire = ire_create(
14164 			    (uint8_t *)&ifrt->ifrt_addr,
14165 			    (uint8_t *)&ifrt->ifrt_mask,
14166 			    (uint8_t *)&ifrt->ifrt_gateway_addr,
14167 			    ifrt->ifrt_type,
14168 			    ill,
14169 			    ifrt->ifrt_zoneid,
14170 			    ifrt->ifrt_flags,
14171 			    NULL,
14172 			    ipst);
14173 		}
14174 		if (ire == NULL) {
14175 			mutex_exit(&ill->ill_saved_ire_lock);
14176 			return (ENOMEM);
14177 		}
14178 
14179 		if (ifrt->ifrt_flags & RTF_SETSRC) {
14180 			if (ill->ill_isv6) {
14181 				ire->ire_setsrc_addr_v6 =
14182 				    ifrt->ifrt_v6setsrc_addr;
14183 			} else {
14184 				ire->ire_setsrc_addr = ifrt->ifrt_setsrc_addr;
14185 			}
14186 		}
14187 
14188 		/*
14189 		 * Some software (for example, GateD and Sun Cluster) attempts
14190 		 * to create (what amount to) IRE_PREFIX routes with the
14191 		 * loopback address as the gateway.  This is primarily done to
14192 		 * set up prefixes with the RTF_REJECT flag set (for example,
14193 		 * when generating aggregate routes.)
14194 		 *
14195 		 * If the IRE type (as defined by ill->ill_net_type) is
14196 		 * IRE_LOOPBACK, then we map the request into a
14197 		 * IRE_IF_NORESOLVER.
14198 		 */
14199 		if (ill->ill_net_type == IRE_LOOPBACK)
14200 			ire->ire_type = IRE_IF_NORESOLVER;
14201 
14202 		/*
14203 		 * ire held by ire_add, will be refreled' towards the
14204 		 * the end of ipif_up_done
14205 		 */
14206 		nire = ire_add(ire);
14207 		/*
14208 		 * Check if it was a duplicate entry. This handles
14209 		 * the case of two racing route adds for the same route
14210 		 */
14211 		if (nire == NULL) {
14212 			ip1dbg(("ill_recover_saved_ire: FAILED\n"));
14213 		} else if (nire != ire) {
14214 			ip1dbg(("ill_recover_saved_ire: duplicate ire %p\n",
14215 			    (void *)nire));
14216 			ire_delete(nire);
14217 		} else {
14218 			ip1dbg(("ill_recover_saved_ire: added ire %p\n",
14219 			    (void *)nire));
14220 		}
14221 		if (nire != NULL)
14222 			ire_refrele(nire);
14223 	}
14224 	mutex_exit(&ill->ill_saved_ire_lock);
14225 	return (0);
14226 }
14227 
14228 /*
14229  * Used to set the netmask and broadcast address to default values when the
14230  * interface is brought up.  (Always called as writer.)
14231  */
14232 static void
14233 ipif_set_default(ipif_t *ipif)
14234 {
14235 	ASSERT(MUTEX_HELD(&ipif->ipif_ill->ill_lock));
14236 
14237 	if (!ipif->ipif_isv6) {
14238 		/*
14239 		 * Interface holds an IPv4 address. Default
14240 		 * mask is the natural netmask.
14241 		 */
14242 		if (!ipif->ipif_net_mask) {
14243 			ipaddr_t	v4mask;
14244 
14245 			v4mask = ip_net_mask(ipif->ipif_lcl_addr);
14246 			V4MASK_TO_V6(v4mask, ipif->ipif_v6net_mask);
14247 		}
14248 		if (ipif->ipif_flags & IPIF_POINTOPOINT) {
14249 			/* ipif_subnet is ipif_pp_dst_addr for pt-pt */
14250 			ipif->ipif_v6subnet = ipif->ipif_v6pp_dst_addr;
14251 		} else {
14252 			V6_MASK_COPY(ipif->ipif_v6lcl_addr,
14253 			    ipif->ipif_v6net_mask, ipif->ipif_v6subnet);
14254 		}
14255 		/*
14256 		 * NOTE: SunOS 4.X does this even if the broadcast address
14257 		 * has been already set thus we do the same here.
14258 		 */
14259 		if (ipif->ipif_flags & IPIF_BROADCAST) {
14260 			ipaddr_t	v4addr;
14261 
14262 			v4addr = ipif->ipif_subnet | ~ipif->ipif_net_mask;
14263 			IN6_IPADDR_TO_V4MAPPED(v4addr, &ipif->ipif_v6brd_addr);
14264 		}
14265 	} else {
14266 		/*
14267 		 * Interface holds an IPv6-only address.  Default
14268 		 * mask is all-ones.
14269 		 */
14270 		if (IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6net_mask))
14271 			ipif->ipif_v6net_mask = ipv6_all_ones;
14272 		if (ipif->ipif_flags & IPIF_POINTOPOINT) {
14273 			/* ipif_subnet is ipif_pp_dst_addr for pt-pt */
14274 			ipif->ipif_v6subnet = ipif->ipif_v6pp_dst_addr;
14275 		} else {
14276 			V6_MASK_COPY(ipif->ipif_v6lcl_addr,
14277 			    ipif->ipif_v6net_mask, ipif->ipif_v6subnet);
14278 		}
14279 	}
14280 }
14281 
14282 /*
14283  * Return 0 if this address can be used as local address without causing
14284  * duplicate address problems. Otherwise, return EADDRNOTAVAIL if the address
14285  * is already up on a different ill, and EADDRINUSE if it's up on the same ill.
14286  * Note that the same IPv6 link-local address is allowed as long as the ills
14287  * are not on the same link.
14288  */
14289 int
14290 ip_addr_availability_check(ipif_t *new_ipif)
14291 {
14292 	in6_addr_t our_v6addr;
14293 	ill_t *ill;
14294 	ipif_t *ipif;
14295 	ill_walk_context_t ctx;
14296 	ip_stack_t	*ipst = new_ipif->ipif_ill->ill_ipst;
14297 
14298 	ASSERT(IAM_WRITER_IPIF(new_ipif));
14299 	ASSERT(MUTEX_HELD(&ipst->ips_ip_addr_avail_lock));
14300 	ASSERT(RW_READ_HELD(&ipst->ips_ill_g_lock));
14301 
14302 	new_ipif->ipif_flags &= ~IPIF_UNNUMBERED;
14303 	if (IN6_IS_ADDR_UNSPECIFIED(&new_ipif->ipif_v6lcl_addr) ||
14304 	    IN6_IS_ADDR_V4MAPPED_ANY(&new_ipif->ipif_v6lcl_addr))
14305 		return (0);
14306 
14307 	our_v6addr = new_ipif->ipif_v6lcl_addr;
14308 
14309 	if (new_ipif->ipif_isv6)
14310 		ill = ILL_START_WALK_V6(&ctx, ipst);
14311 	else
14312 		ill = ILL_START_WALK_V4(&ctx, ipst);
14313 
14314 	for (; ill != NULL; ill = ill_next(&ctx, ill)) {
14315 		for (ipif = ill->ill_ipif; ipif != NULL;
14316 		    ipif = ipif->ipif_next) {
14317 			if ((ipif == new_ipif) ||
14318 			    !(ipif->ipif_flags & IPIF_UP) ||
14319 			    (ipif->ipif_flags & IPIF_UNNUMBERED) ||
14320 			    !IN6_ARE_ADDR_EQUAL(&ipif->ipif_v6lcl_addr,
14321 			    &our_v6addr))
14322 				continue;
14323 
14324 			if (new_ipif->ipif_flags & IPIF_POINTOPOINT)
14325 				new_ipif->ipif_flags |= IPIF_UNNUMBERED;
14326 			else if (ipif->ipif_flags & IPIF_POINTOPOINT)
14327 				ipif->ipif_flags |= IPIF_UNNUMBERED;
14328 			else if ((IN6_IS_ADDR_LINKLOCAL(&our_v6addr) ||
14329 			    IN6_IS_ADDR_SITELOCAL(&our_v6addr)) &&
14330 			    !IS_ON_SAME_LAN(ill, new_ipif->ipif_ill))
14331 				continue;
14332 			else if (new_ipif->ipif_zoneid != ipif->ipif_zoneid &&
14333 			    ipif->ipif_zoneid != ALL_ZONES && IS_LOOPBACK(ill))
14334 				continue;
14335 			else if (new_ipif->ipif_ill == ill)
14336 				return (EADDRINUSE);
14337 			else
14338 				return (EADDRNOTAVAIL);
14339 		}
14340 	}
14341 
14342 	return (0);
14343 }
14344 
14345 /*
14346  * Bring up an ipif: bring up arp/ndp, bring up the DLPI stream, and add
14347  * IREs for the ipif.
14348  * When the routine returns EINPROGRESS then mp has been consumed and
14349  * the ioctl will be acked from ip_rput_dlpi.
14350  */
14351 int
14352 ipif_up(ipif_t *ipif, queue_t *q, mblk_t *mp)
14353 {
14354 	ill_t		*ill = ipif->ipif_ill;
14355 	boolean_t 	isv6 = ipif->ipif_isv6;
14356 	int		err = 0;
14357 	boolean_t	success;
14358 	uint_t		ipif_orig_id;
14359 	ip_stack_t	*ipst = ill->ill_ipst;
14360 
14361 	ASSERT(IAM_WRITER_IPIF(ipif));
14362 
14363 	ip1dbg(("ipif_up(%s:%u)\n", ill->ill_name, ipif->ipif_id));
14364 	DTRACE_PROBE3(ipif__downup, char *, "ipif_up",
14365 	    ill_t *, ill, ipif_t *, ipif);
14366 
14367 	/* Shouldn't get here if it is already up. */
14368 	if (ipif->ipif_flags & IPIF_UP)
14369 		return (EALREADY);
14370 
14371 	/*
14372 	 * If this is a request to bring up a data address on an interface
14373 	 * under IPMP, then move the address to its IPMP meta-interface and
14374 	 * try to bring it up.  One complication is that the zeroth ipif for
14375 	 * an ill is special, in that every ill always has one, and that code
14376 	 * throughout IP deferences ill->ill_ipif without holding any locks.
14377 	 */
14378 	if (IS_UNDER_IPMP(ill) && ipmp_ipif_is_dataaddr(ipif) &&
14379 	    (!ipif->ipif_isv6 || !V6_IPIF_LINKLOCAL(ipif))) {
14380 		ipif_t	*stubipif = NULL, *moveipif = NULL;
14381 		ill_t	*ipmp_ill = ipmp_illgrp_ipmp_ill(ill->ill_grp);
14382 
14383 		/*
14384 		 * The ipif being brought up should be quiesced.  If it's not,
14385 		 * something has gone amiss and we need to bail out.  (If it's
14386 		 * quiesced, we know it will remain so via IPIF_CONDEMNED.)
14387 		 */
14388 		mutex_enter(&ill->ill_lock);
14389 		if (!ipif_is_quiescent(ipif)) {
14390 			mutex_exit(&ill->ill_lock);
14391 			return (EINVAL);
14392 		}
14393 		mutex_exit(&ill->ill_lock);
14394 
14395 		/*
14396 		 * If we're going to need to allocate ipifs, do it prior
14397 		 * to starting the move (and grabbing locks).
14398 		 */
14399 		if (ipif->ipif_id == 0) {
14400 			if ((moveipif = ipif_allocate(ill, 0, IRE_LOCAL, B_TRUE,
14401 			    B_FALSE, &err)) == NULL) {
14402 				return (err);
14403 			}
14404 			if ((stubipif = ipif_allocate(ill, 0, IRE_LOCAL, B_TRUE,
14405 			    B_FALSE, &err)) == NULL) {
14406 				mi_free(moveipif);
14407 				return (err);
14408 			}
14409 		}
14410 
14411 		/*
14412 		 * Grab or transfer the ipif to move.  During the move, keep
14413 		 * ill_g_lock held to prevent any ill walker threads from
14414 		 * seeing things in an inconsistent state.
14415 		 */
14416 		rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
14417 		if (ipif->ipif_id != 0) {
14418 			ipif_remove(ipif);
14419 		} else {
14420 			ipif_transfer(ipif, moveipif, stubipif);
14421 			ipif = moveipif;
14422 		}
14423 
14424 		/*
14425 		 * Place the ipif on the IPMP ill.  If the zeroth ipif on
14426 		 * the IPMP ill is a stub (0.0.0.0 down address) then we
14427 		 * replace that one.  Otherwise, pick the next available slot.
14428 		 */
14429 		ipif->ipif_ill = ipmp_ill;
14430 		ipif_orig_id = ipif->ipif_id;
14431 
14432 		if (ipmp_ipif_is_stubaddr(ipmp_ill->ill_ipif)) {
14433 			ipif_transfer(ipif, ipmp_ill->ill_ipif, NULL);
14434 			ipif = ipmp_ill->ill_ipif;
14435 		} else {
14436 			ipif->ipif_id = -1;
14437 			if ((err = ipif_insert(ipif, B_FALSE)) != 0) {
14438 				/*
14439 				 * No more available ipif_id's -- put it back
14440 				 * on the original ill and fail the operation.
14441 				 * Since we're writer on the ill, we can be
14442 				 * sure our old slot is still available.
14443 				 */
14444 				ipif->ipif_id = ipif_orig_id;
14445 				ipif->ipif_ill = ill;
14446 				if (ipif_orig_id == 0) {
14447 					ipif_transfer(ipif, ill->ill_ipif,
14448 					    NULL);
14449 				} else {
14450 					VERIFY(ipif_insert(ipif, B_FALSE) == 0);
14451 				}
14452 				rw_exit(&ipst->ips_ill_g_lock);
14453 				return (err);
14454 			}
14455 		}
14456 		rw_exit(&ipst->ips_ill_g_lock);
14457 
14458 		/*
14459 		 * Tell SCTP that the ipif has moved.  Note that even if we
14460 		 * had to allocate a new ipif, the original sequence id was
14461 		 * preserved and therefore SCTP won't know.
14462 		 */
14463 		sctp_move_ipif(ipif, ill, ipmp_ill);
14464 
14465 		/*
14466 		 * If the ipif being brought up was on slot zero, then we
14467 		 * first need to bring up the placeholder we stuck there.  In
14468 		 * ip_rput_dlpi_writer(), arp_bringup_done(), or the recursive
14469 		 * call to ipif_up() itself, if we successfully bring up the
14470 		 * placeholder, we'll check ill_move_ipif and bring it up too.
14471 		 */
14472 		if (ipif_orig_id == 0) {
14473 			ASSERT(ill->ill_move_ipif == NULL);
14474 			ill->ill_move_ipif = ipif;
14475 			if ((err = ipif_up(ill->ill_ipif, q, mp)) == 0)
14476 				ASSERT(ill->ill_move_ipif == NULL);
14477 			if (err != EINPROGRESS)
14478 				ill->ill_move_ipif = NULL;
14479 			return (err);
14480 		}
14481 
14482 		/*
14483 		 * Bring it up on the IPMP ill.
14484 		 */
14485 		return (ipif_up(ipif, q, mp));
14486 	}
14487 
14488 	/* Skip arp/ndp for any loopback interface. */
14489 	if (ill->ill_wq != NULL) {
14490 		conn_t *connp = CONN_Q(q) ? Q_TO_CONN(q) : NULL;
14491 		ipsq_t	*ipsq = ill->ill_phyint->phyint_ipsq;
14492 
14493 		if (!ill->ill_dl_up) {
14494 			/*
14495 			 * ill_dl_up is not yet set. i.e. we are yet to
14496 			 * DL_BIND with the driver and this is the first
14497 			 * logical interface on the ill to become "up".
14498 			 * Tell the driver to get going (via DL_BIND_REQ).
14499 			 * Note that changing "significant" IFF_ flags
14500 			 * address/netmask etc cause a down/up dance, but
14501 			 * does not cause an unbind (DL_UNBIND) with the driver
14502 			 */
14503 			return (ill_dl_up(ill, ipif, mp, q));
14504 		}
14505 
14506 		/*
14507 		 * ipif_resolver_up may end up needeing to bind/attach
14508 		 * the ARP stream, which in turn necessitates a
14509 		 * DLPI message exchange with the driver. ioctls are
14510 		 * serialized and so we cannot send more than one
14511 		 * interface up message at a time. If ipif_resolver_up
14512 		 * does need to wait for the DLPI handshake for the ARP stream,
14513 		 * we get EINPROGRESS and we will complete in arp_bringup_done.
14514 		 */
14515 
14516 		ASSERT(connp != NULL || !CONN_Q(q));
14517 		if (connp != NULL)
14518 			mutex_enter(&connp->conn_lock);
14519 		mutex_enter(&ill->ill_lock);
14520 		success = ipsq_pending_mp_add(connp, ipif, q, mp, 0);
14521 		mutex_exit(&ill->ill_lock);
14522 		if (connp != NULL)
14523 			mutex_exit(&connp->conn_lock);
14524 		if (!success)
14525 			return (EINTR);
14526 
14527 		/*
14528 		 * Crank up IPv6 neighbor discovery. Unlike ARP, this should
14529 		 * complete when ipif_ndp_up returns.
14530 		 */
14531 		err = ipif_resolver_up(ipif, Res_act_initial);
14532 		if (err == EINPROGRESS) {
14533 			/* We will complete it in arp_bringup_done() */
14534 			return (err);
14535 		}
14536 
14537 		if (isv6 && err == 0)
14538 			err = ipif_ndp_up(ipif, B_TRUE);
14539 
14540 		ASSERT(err != EINPROGRESS);
14541 		mp = ipsq_pending_mp_get(ipsq, &connp);
14542 		ASSERT(mp != NULL);
14543 		if (err != 0)
14544 			return (err);
14545 	} else {
14546 		/*
14547 		 * Interfaces without underlying hardware don't do duplicate
14548 		 * address detection.
14549 		 */
14550 		ASSERT(!(ipif->ipif_flags & IPIF_DUPLICATE));
14551 		ipif->ipif_addr_ready = 1;
14552 		err = ill_add_ires(ill);
14553 		/* allocation failure? */
14554 		if (err != 0)
14555 			return (err);
14556 	}
14557 
14558 	err = (isv6 ? ipif_up_done_v6(ipif) : ipif_up_done(ipif));
14559 	if (err == 0 && ill->ill_move_ipif != NULL) {
14560 		ipif = ill->ill_move_ipif;
14561 		ill->ill_move_ipif = NULL;
14562 		return (ipif_up(ipif, q, mp));
14563 	}
14564 	return (err);
14565 }
14566 
14567 /*
14568  * Add any IREs tied to the ill. For now this is just an IRE_MULTICAST.
14569  * The identical set of IREs need to be removed in ill_delete_ires().
14570  */
14571 int
14572 ill_add_ires(ill_t *ill)
14573 {
14574 	ire_t	*ire;
14575 	in6_addr_t dummy6 = {(uint32_t)V6_MCAST, 0, 0, 1};
14576 	in_addr_t dummy4 = htonl(INADDR_ALLHOSTS_GROUP);
14577 
14578 	if (ill->ill_ire_multicast != NULL)
14579 		return (0);
14580 
14581 	/*
14582 	 * provide some dummy ire_addr for creating the ire.
14583 	 */
14584 	if (ill->ill_isv6) {
14585 		ire = ire_create_v6(&dummy6, 0, 0, IRE_MULTICAST, ill,
14586 		    ALL_ZONES, RTF_UP, NULL, ill->ill_ipst);
14587 	} else {
14588 		ire = ire_create((uchar_t *)&dummy4, 0, 0, IRE_MULTICAST, ill,
14589 		    ALL_ZONES, RTF_UP, NULL, ill->ill_ipst);
14590 	}
14591 	if (ire == NULL)
14592 		return (ENOMEM);
14593 
14594 	ill->ill_ire_multicast = ire;
14595 	return (0);
14596 }
14597 
14598 void
14599 ill_delete_ires(ill_t *ill)
14600 {
14601 	if (ill->ill_ire_multicast != NULL) {
14602 		/*
14603 		 * BIND/ATTACH completed; Release the ref for ill_ire_multicast
14604 		 * which was taken without any th_tracing enabled.
14605 		 * We also mark it as condemned (note that it was never added)
14606 		 * so that caching conn's can move off of it.
14607 		 */
14608 		ire_make_condemned(ill->ill_ire_multicast);
14609 		ire_refrele_notr(ill->ill_ire_multicast);
14610 		ill->ill_ire_multicast = NULL;
14611 	}
14612 }
14613 
14614 /*
14615  * Perform a bind for the physical device.
14616  * When the routine returns EINPROGRESS then mp has been consumed and
14617  * the ioctl will be acked from ip_rput_dlpi.
14618  * Allocate an unbind message and save it until ipif_down.
14619  */
14620 static int
14621 ill_dl_up(ill_t *ill, ipif_t *ipif, mblk_t *mp, queue_t *q)
14622 {
14623 	mblk_t	*bind_mp = NULL;
14624 	mblk_t	*unbind_mp = NULL;
14625 	conn_t	*connp;
14626 	boolean_t success;
14627 	int	err;
14628 
14629 	DTRACE_PROBE2(ill__downup, char *, "ill_dl_up", ill_t *, ill);
14630 
14631 	ip1dbg(("ill_dl_up(%s)\n", ill->ill_name));
14632 	ASSERT(IAM_WRITER_ILL(ill));
14633 	ASSERT(mp != NULL);
14634 
14635 	/*
14636 	 * Make sure we have an IRE_MULTICAST in case we immediately
14637 	 * start receiving packets.
14638 	 */
14639 	err = ill_add_ires(ill);
14640 	if (err != 0)
14641 		goto bad;
14642 
14643 	bind_mp = ip_dlpi_alloc(sizeof (dl_bind_req_t) + sizeof (long),
14644 	    DL_BIND_REQ);
14645 	if (bind_mp == NULL)
14646 		goto bad;
14647 	((dl_bind_req_t *)bind_mp->b_rptr)->dl_sap = ill->ill_sap;
14648 	((dl_bind_req_t *)bind_mp->b_rptr)->dl_service_mode = DL_CLDLS;
14649 
14650 	/*
14651 	 * ill_unbind_mp would be non-null if the following sequence had
14652 	 * happened:
14653 	 * - send DL_BIND_REQ to driver, wait for response
14654 	 * - multiple ioctls that need to bring the ipif up are encountered,
14655 	 *   but they cannot enter the ipsq due to the outstanding DL_BIND_REQ.
14656 	 *   These ioctls will then be enqueued on the ipsq
14657 	 * - a DL_ERROR_ACK is returned for the DL_BIND_REQ
14658 	 * At this point, the pending ioctls in the ipsq will be drained, and
14659 	 * since ill->ill_dl_up was not set, ill_dl_up would be invoked with
14660 	 * a non-null ill->ill_unbind_mp
14661 	 */
14662 	if (ill->ill_unbind_mp == NULL) {
14663 		unbind_mp = ip_dlpi_alloc(sizeof (dl_unbind_req_t),
14664 		    DL_UNBIND_REQ);
14665 		if (unbind_mp == NULL)
14666 			goto bad;
14667 	}
14668 	/*
14669 	 * Record state needed to complete this operation when the
14670 	 * DL_BIND_ACK shows up.  Also remember the pre-allocated mblks.
14671 	 */
14672 	connp = CONN_Q(q) ? Q_TO_CONN(q) : NULL;
14673 	ASSERT(connp != NULL || !CONN_Q(q));
14674 	GRAB_CONN_LOCK(q);
14675 	mutex_enter(&ipif->ipif_ill->ill_lock);
14676 	success = ipsq_pending_mp_add(connp, ipif, q, mp, 0);
14677 	mutex_exit(&ipif->ipif_ill->ill_lock);
14678 	RELEASE_CONN_LOCK(q);
14679 	if (!success)
14680 		goto bad;
14681 
14682 	/*
14683 	 * Save the unbind message for ill_dl_down(); it will be consumed when
14684 	 * the interface goes down.
14685 	 */
14686 	if (ill->ill_unbind_mp == NULL)
14687 		ill->ill_unbind_mp = unbind_mp;
14688 
14689 	ill_dlpi_send(ill, bind_mp);
14690 	/* Send down link-layer capabilities probe if not already done. */
14691 	ill_capability_probe(ill);
14692 
14693 	/*
14694 	 * Sysid used to rely on the fact that netboots set domainname
14695 	 * and the like. Now that miniroot boots aren't strictly netboots
14696 	 * and miniroot network configuration is driven from userland
14697 	 * these things still need to be set. This situation can be detected
14698 	 * by comparing the interface being configured here to the one
14699 	 * dhcifname was set to reference by the boot loader. Once sysid is
14700 	 * converted to use dhcp_ipc_getinfo() this call can go away.
14701 	 */
14702 	if ((ipif->ipif_flags & IPIF_DHCPRUNNING) &&
14703 	    (strcmp(ill->ill_name, dhcifname) == 0) &&
14704 	    (strlen(srpc_domain) == 0)) {
14705 		if (dhcpinit() != 0)
14706 			cmn_err(CE_WARN, "no cached dhcp response");
14707 	}
14708 
14709 	/*
14710 	 * This operation will complete in ip_rput_dlpi with either
14711 	 * a DL_BIND_ACK or DL_ERROR_ACK.
14712 	 */
14713 	return (EINPROGRESS);
14714 bad:
14715 	ip1dbg(("ill_dl_up(%s) FAILED\n", ill->ill_name));
14716 
14717 	freemsg(bind_mp);
14718 	freemsg(unbind_mp);
14719 	return (ENOMEM);
14720 }
14721 
14722 /* Add room for tcp+ip headers */
14723 uint_t ip_loopback_mtuplus = IP_LOOPBACK_MTU + IP_SIMPLE_HDR_LENGTH + 20;
14724 
14725 /*
14726  * DLPI and ARP is up.
14727  * Create all the IREs associated with an interface. Bring up multicast.
14728  * Set the interface flag and finish other initialization
14729  * that potentially had to be deferred to after DL_BIND_ACK.
14730  */
14731 int
14732 ipif_up_done(ipif_t *ipif)
14733 {
14734 	ill_t		*ill = ipif->ipif_ill;
14735 	int		err = 0;
14736 	boolean_t	loopback = B_FALSE;
14737 	boolean_t	update_src_selection = B_TRUE;
14738 	ipif_t		*tmp_ipif;
14739 
14740 	ip1dbg(("ipif_up_done(%s:%u)\n",
14741 	    ipif->ipif_ill->ill_name, ipif->ipif_id));
14742 	DTRACE_PROBE3(ipif__downup, char *, "ipif_up_done",
14743 	    ill_t *, ill, ipif_t *, ipif);
14744 
14745 	/* Check if this is a loopback interface */
14746 	if (ipif->ipif_ill->ill_wq == NULL)
14747 		loopback = B_TRUE;
14748 
14749 	ASSERT(!MUTEX_HELD(&ipif->ipif_ill->ill_lock));
14750 
14751 	/*
14752 	 * If all other interfaces for this ill are down or DEPRECATED,
14753 	 * or otherwise unsuitable for source address selection,
14754 	 * reset the src generation numbers to make sure source
14755 	 * address selection gets to take this new ipif into account.
14756 	 * No need to hold ill_lock while traversing the ipif list since
14757 	 * we are writer
14758 	 */
14759 	for (tmp_ipif = ill->ill_ipif; tmp_ipif;
14760 	    tmp_ipif = tmp_ipif->ipif_next) {
14761 		if (((tmp_ipif->ipif_flags &
14762 		    (IPIF_NOXMIT|IPIF_ANYCAST|IPIF_NOLOCAL|IPIF_DEPRECATED)) ||
14763 		    !(tmp_ipif->ipif_flags & IPIF_UP)) ||
14764 		    (tmp_ipif == ipif))
14765 			continue;
14766 		/* first useable pre-existing interface */
14767 		update_src_selection = B_FALSE;
14768 		break;
14769 	}
14770 	if (update_src_selection)
14771 		ip_update_source_selection(ill->ill_ipst);
14772 
14773 	if (IS_LOOPBACK(ill) || ill->ill_net_type == IRE_IF_NORESOLVER) {
14774 		nce_t *loop_nce = NULL;
14775 		uint16_t flags = (NCE_F_MYADDR | NCE_F_AUTHORITY | NCE_F_NONUD);
14776 
14777 		/*
14778 		 * lo0:1 and subsequent ipifs were marked IRE_LOCAL in
14779 		 * ipif_lookup_on_name(), but in the case of zones we can have
14780 		 * several loopback addresses on lo0. So all the interfaces with
14781 		 * loopback addresses need to be marked IRE_LOOPBACK.
14782 		 */
14783 		if (V4_PART_OF_V6(ipif->ipif_v6lcl_addr) ==
14784 		    htonl(INADDR_LOOPBACK))
14785 			ipif->ipif_ire_type = IRE_LOOPBACK;
14786 		else
14787 			ipif->ipif_ire_type = IRE_LOCAL;
14788 		if (ill->ill_net_type != IRE_LOOPBACK)
14789 			flags |= NCE_F_PUBLISH;
14790 
14791 		/* add unicast nce for the local addr */
14792 		err = nce_lookup_then_add_v4(ill, NULL,
14793 		    ill->ill_phys_addr_length, &ipif->ipif_lcl_addr, flags,
14794 		    ND_REACHABLE, &loop_nce);
14795 		/* A shared-IP zone sees EEXIST for lo0:N */
14796 		if (err == 0 || err == EEXIST) {
14797 			ipif->ipif_added_nce = 1;
14798 			loop_nce->nce_ipif_cnt++;
14799 			nce_refrele(loop_nce);
14800 			err = 0;
14801 		} else {
14802 			ASSERT(loop_nce == NULL);
14803 			return (err);
14804 		}
14805 	}
14806 
14807 	/* Create all the IREs associated with this interface */
14808 	err = ipif_add_ires_v4(ipif, loopback);
14809 	if (err != 0) {
14810 		/*
14811 		 * see comments about return value from
14812 		 * ip_addr_availability_check() in ipif_add_ires_v4().
14813 		 */
14814 		if (err != EADDRINUSE) {
14815 			(void) ipif_arp_down(ipif);
14816 		} else {
14817 			/*
14818 			 * Make IPMP aware of the deleted ipif so that
14819 			 * the needed ipmp cleanup (e.g., of ipif_bound_ill)
14820 			 * can be completed. Note that we do not want to
14821 			 * destroy the nce that was created on the ipmp_ill
14822 			 * for the active copy of the duplicate address in
14823 			 * use.
14824 			 */
14825 			if (IS_IPMP(ill))
14826 				ipmp_illgrp_del_ipif(ill->ill_grp, ipif);
14827 			err = EADDRNOTAVAIL;
14828 		}
14829 		return (err);
14830 	}
14831 
14832 	if (ill->ill_ipif_up_count == 1 && !loopback) {
14833 		/* Recover any additional IREs entries for this ill */
14834 		(void) ill_recover_saved_ire(ill);
14835 	}
14836 
14837 	if (ill->ill_need_recover_multicast) {
14838 		/*
14839 		 * Need to recover all multicast memberships in the driver.
14840 		 * This had to be deferred until we had attached.  The same
14841 		 * code exists in ipif_up_done_v6() to recover IPv6
14842 		 * memberships.
14843 		 *
14844 		 * Note that it would be preferable to unconditionally do the
14845 		 * ill_recover_multicast() in ill_dl_up(), but we cannot do
14846 		 * that since ill_join_allmulti() depends on ill_dl_up being
14847 		 * set, and it is not set until we receive a DL_BIND_ACK after
14848 		 * having called ill_dl_up().
14849 		 */
14850 		ill_recover_multicast(ill);
14851 	}
14852 
14853 	if (ill->ill_ipif_up_count == 1) {
14854 		/*
14855 		 * Since the interface is now up, it may now be active.
14856 		 */
14857 		if (IS_UNDER_IPMP(ill))
14858 			ipmp_ill_refresh_active(ill);
14859 
14860 		/*
14861 		 * If this is an IPMP interface, we may now be able to
14862 		 * establish ARP entries.
14863 		 */
14864 		if (IS_IPMP(ill))
14865 			ipmp_illgrp_refresh_arpent(ill->ill_grp);
14866 	}
14867 
14868 	/* Join the allhosts multicast address */
14869 	ipif_multicast_up(ipif);
14870 
14871 	if (!loopback && !update_src_selection &&
14872 	    !(ipif->ipif_flags & (IPIF_NOLOCAL|IPIF_ANYCAST|IPIF_DEPRECATED)))
14873 		ip_update_source_selection(ill->ill_ipst);
14874 
14875 	if (!loopback && ipif->ipif_addr_ready) {
14876 		/* Broadcast an address mask reply. */
14877 		ipif_mask_reply(ipif);
14878 	}
14879 	/* Perhaps ilgs should use this ill */
14880 	update_conn_ill(NULL, ill->ill_ipst);
14881 
14882 	/*
14883 	 * This had to be deferred until we had bound.  Tell routing sockets and
14884 	 * others that this interface is up if it looks like the address has
14885 	 * been validated.  Otherwise, if it isn't ready yet, wait for
14886 	 * duplicate address detection to do its thing.
14887 	 */
14888 	if (ipif->ipif_addr_ready)
14889 		ipif_up_notify(ipif);
14890 	return (0);
14891 }
14892 
14893 /*
14894  * Add the IREs associated with the ipif.
14895  * Those MUST be explicitly removed in ipif_delete_ires_v4.
14896  */
14897 static int
14898 ipif_add_ires_v4(ipif_t *ipif, boolean_t loopback)
14899 {
14900 	ill_t		*ill = ipif->ipif_ill;
14901 	ip_stack_t	*ipst = ill->ill_ipst;
14902 	ire_t		*ire_array[20];
14903 	ire_t		**irep = ire_array;
14904 	ire_t		**irep1;
14905 	ipaddr_t	net_mask = 0;
14906 	ipaddr_t	subnet_mask, route_mask;
14907 	int		err;
14908 	ire_t		*ire_local = NULL;	/* LOCAL or LOOPBACK */
14909 	ire_t		*ire_if = NULL;
14910 	uchar_t		*gw;
14911 
14912 	if ((ipif->ipif_lcl_addr != INADDR_ANY) &&
14913 	    !(ipif->ipif_flags & IPIF_NOLOCAL)) {
14914 		/*
14915 		 * If we're on a labeled system then make sure that zone-
14916 		 * private addresses have proper remote host database entries.
14917 		 */
14918 		if (is_system_labeled() &&
14919 		    ipif->ipif_ire_type != IRE_LOOPBACK &&
14920 		    !tsol_check_interface_address(ipif))
14921 			return (EINVAL);
14922 
14923 		/* Register the source address for __sin6_src_id */
14924 		err = ip_srcid_insert(&ipif->ipif_v6lcl_addr,
14925 		    ipif->ipif_zoneid, ipst);
14926 		if (err != 0) {
14927 			ip0dbg(("ipif_add_ires: srcid_insert %d\n", err));
14928 			return (err);
14929 		}
14930 
14931 		if (loopback)
14932 			gw = (uchar_t *)&ipif->ipif_lcl_addr;
14933 		else
14934 			gw = NULL;
14935 
14936 		/* If the interface address is set, create the local IRE. */
14937 		ire_local = ire_create(
14938 		    (uchar_t *)&ipif->ipif_lcl_addr,	/* dest address */
14939 		    (uchar_t *)&ip_g_all_ones,		/* mask */
14940 		    gw,					/* gateway */
14941 		    ipif->ipif_ire_type,		/* LOCAL or LOOPBACK */
14942 		    ipif->ipif_ill,
14943 		    ipif->ipif_zoneid,
14944 		    ((ipif->ipif_flags & IPIF_PRIVATE) ?
14945 		    RTF_PRIVATE : 0) | RTF_KERNEL,
14946 		    NULL,
14947 		    ipst);
14948 		ip1dbg(("ipif_add_ires: 0x%p creating IRE %p type 0x%x"
14949 		    " for 0x%x\n", (void *)ipif, (void *)ire_local,
14950 		    ipif->ipif_ire_type,
14951 		    ntohl(ipif->ipif_lcl_addr)));
14952 		if (ire_local == NULL) {
14953 			ip1dbg(("ipif_up_done: NULL ire_local\n"));
14954 			err = ENOMEM;
14955 			goto bad;
14956 		}
14957 	} else {
14958 		ip1dbg((
14959 		    "ipif_add_ires: not creating IRE %d for 0x%x: flags 0x%x\n",
14960 		    ipif->ipif_ire_type,
14961 		    ntohl(ipif->ipif_lcl_addr),
14962 		    (uint_t)ipif->ipif_flags));
14963 	}
14964 	if ((ipif->ipif_lcl_addr != INADDR_ANY) &&
14965 	    !(ipif->ipif_flags & IPIF_NOLOCAL)) {
14966 		net_mask = ip_net_mask(ipif->ipif_lcl_addr);
14967 	} else {
14968 		net_mask = htonl(IN_CLASSA_NET);	/* fallback */
14969 	}
14970 
14971 	subnet_mask = ipif->ipif_net_mask;
14972 
14973 	/*
14974 	 * If mask was not specified, use natural netmask of
14975 	 * interface address. Also, store this mask back into the
14976 	 * ipif struct.
14977 	 */
14978 	if (subnet_mask == 0) {
14979 		subnet_mask = net_mask;
14980 		V4MASK_TO_V6(subnet_mask, ipif->ipif_v6net_mask);
14981 		V6_MASK_COPY(ipif->ipif_v6lcl_addr, ipif->ipif_v6net_mask,
14982 		    ipif->ipif_v6subnet);
14983 	}
14984 
14985 	/* Set up the IRE_IF_RESOLVER or IRE_IF_NORESOLVER, as appropriate. */
14986 	if (!loopback && !(ipif->ipif_flags & IPIF_NOXMIT) &&
14987 	    ipif->ipif_subnet != INADDR_ANY) {
14988 		/* ipif_subnet is ipif_pp_dst_addr for pt-pt */
14989 
14990 		if (ipif->ipif_flags & IPIF_POINTOPOINT) {
14991 			route_mask = IP_HOST_MASK;
14992 		} else {
14993 			route_mask = subnet_mask;
14994 		}
14995 
14996 		ip1dbg(("ipif_add_ires: ipif 0x%p ill 0x%p "
14997 		    "creating if IRE ill_net_type 0x%x for 0x%x\n",
14998 		    (void *)ipif, (void *)ill, ill->ill_net_type,
14999 		    ntohl(ipif->ipif_subnet)));
15000 		ire_if = ire_create(
15001 		    (uchar_t *)&ipif->ipif_subnet,
15002 		    (uchar_t *)&route_mask,
15003 		    (uchar_t *)&ipif->ipif_lcl_addr,
15004 		    ill->ill_net_type,
15005 		    ill,
15006 		    ipif->ipif_zoneid,
15007 		    ((ipif->ipif_flags & IPIF_PRIVATE) ?
15008 		    RTF_PRIVATE: 0) | RTF_KERNEL,
15009 		    NULL,
15010 		    ipst);
15011 		if (ire_if == NULL) {
15012 			ip1dbg(("ipif_up_done: NULL ire_if\n"));
15013 			err = ENOMEM;
15014 			goto bad;
15015 		}
15016 	}
15017 
15018 	/*
15019 	 * Create any necessary broadcast IREs.
15020 	 */
15021 	if ((ipif->ipif_flags & IPIF_BROADCAST) &&
15022 	    !(ipif->ipif_flags & IPIF_NOXMIT))
15023 		irep = ipif_create_bcast_ires(ipif, irep);
15024 
15025 	/* If an earlier ire_create failed, get out now */
15026 	for (irep1 = irep; irep1 > ire_array; ) {
15027 		irep1--;
15028 		if (*irep1 == NULL) {
15029 			ip1dbg(("ipif_up_done: NULL ire found in ire_array\n"));
15030 			err = ENOMEM;
15031 			goto bad;
15032 		}
15033 	}
15034 
15035 	/*
15036 	 * Need to atomically check for IP address availability under
15037 	 * ip_addr_avail_lock.  ill_g_lock is held as reader to ensure no new
15038 	 * ills or new ipifs can be added while we are checking availability.
15039 	 */
15040 	rw_enter(&ipst->ips_ill_g_lock, RW_READER);
15041 	mutex_enter(&ipst->ips_ip_addr_avail_lock);
15042 	/* Mark it up, and increment counters. */
15043 	ipif->ipif_flags |= IPIF_UP;
15044 	ill->ill_ipif_up_count++;
15045 	err = ip_addr_availability_check(ipif);
15046 	mutex_exit(&ipst->ips_ip_addr_avail_lock);
15047 	rw_exit(&ipst->ips_ill_g_lock);
15048 
15049 	if (err != 0) {
15050 		/*
15051 		 * Our address may already be up on the same ill. In this case,
15052 		 * the ARP entry for our ipif replaced the one for the other
15053 		 * ipif. So we don't want to delete it (otherwise the other ipif
15054 		 * would be unable to send packets).
15055 		 * ip_addr_availability_check() identifies this case for us and
15056 		 * returns EADDRINUSE; Caller should turn it into EADDRNOTAVAIL
15057 		 * which is the expected error code.
15058 		 */
15059 		ill->ill_ipif_up_count--;
15060 		ipif->ipif_flags &= ~IPIF_UP;
15061 		goto bad;
15062 	}
15063 
15064 	/*
15065 	 * Add in all newly created IREs.  ire_create_bcast() has
15066 	 * already checked for duplicates of the IRE_BROADCAST type.
15067 	 * We add the IRE_INTERFACE before the IRE_LOCAL to ensure
15068 	 * that lookups find the IRE_LOCAL even if the IRE_INTERFACE is
15069 	 * a /32 route.
15070 	 */
15071 	if (ire_if != NULL) {
15072 		ire_if = ire_add(ire_if);
15073 		if (ire_if == NULL) {
15074 			err = ENOMEM;
15075 			goto bad2;
15076 		}
15077 #ifdef DEBUG
15078 		ire_refhold_notr(ire_if);
15079 		ire_refrele(ire_if);
15080 #endif
15081 	}
15082 	if (ire_local != NULL) {
15083 		ire_local = ire_add(ire_local);
15084 		if (ire_local == NULL) {
15085 			err = ENOMEM;
15086 			goto bad2;
15087 		}
15088 #ifdef DEBUG
15089 		ire_refhold_notr(ire_local);
15090 		ire_refrele(ire_local);
15091 #endif
15092 	}
15093 	rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
15094 	if (ire_local != NULL)
15095 		ipif->ipif_ire_local = ire_local;
15096 	if (ire_if != NULL)
15097 		ipif->ipif_ire_if = ire_if;
15098 	rw_exit(&ipst->ips_ill_g_lock);
15099 	ire_local = NULL;
15100 	ire_if = NULL;
15101 
15102 	/*
15103 	 * We first add all of them, and if that succeeds we refrele the
15104 	 * bunch. That enables us to delete all of them should any of the
15105 	 * ire_adds fail.
15106 	 */
15107 	for (irep1 = irep; irep1 > ire_array; ) {
15108 		irep1--;
15109 		ASSERT(!MUTEX_HELD(&((*irep1)->ire_ill->ill_lock)));
15110 		*irep1 = ire_add(*irep1);
15111 		if (*irep1 == NULL) {
15112 			err = ENOMEM;
15113 			goto bad2;
15114 		}
15115 	}
15116 
15117 	for (irep1 = irep; irep1 > ire_array; ) {
15118 		irep1--;
15119 		/* refheld by ire_add. */
15120 		if (*irep1 != NULL) {
15121 			ire_refrele(*irep1);
15122 			*irep1 = NULL;
15123 		}
15124 	}
15125 
15126 	if (!loopback) {
15127 		/*
15128 		 * If the broadcast address has been set, make sure it makes
15129 		 * sense based on the interface address.
15130 		 * Only match on ill since we are sharing broadcast addresses.
15131 		 */
15132 		if ((ipif->ipif_brd_addr != INADDR_ANY) &&
15133 		    (ipif->ipif_flags & IPIF_BROADCAST)) {
15134 			ire_t	*ire;
15135 
15136 			ire = ire_ftable_lookup_v4(ipif->ipif_brd_addr, 0, 0,
15137 			    IRE_BROADCAST, ipif->ipif_ill, ALL_ZONES, NULL,
15138 			    (MATCH_IRE_TYPE | MATCH_IRE_ILL), 0, ipst, NULL);
15139 
15140 			if (ire == NULL) {
15141 				/*
15142 				 * If there isn't a matching broadcast IRE,
15143 				 * revert to the default for this netmask.
15144 				 */
15145 				ipif->ipif_v6brd_addr = ipv6_all_zeros;
15146 				mutex_enter(&ipif->ipif_ill->ill_lock);
15147 				ipif_set_default(ipif);
15148 				mutex_exit(&ipif->ipif_ill->ill_lock);
15149 			} else {
15150 				ire_refrele(ire);
15151 			}
15152 		}
15153 
15154 	}
15155 	return (0);
15156 
15157 bad2:
15158 	ill->ill_ipif_up_count--;
15159 	ipif->ipif_flags &= ~IPIF_UP;
15160 
15161 bad:
15162 	ip1dbg(("ipif_add_ires: FAILED \n"));
15163 	if (ire_local != NULL)
15164 		ire_delete(ire_local);
15165 	if (ire_if != NULL)
15166 		ire_delete(ire_if);
15167 
15168 	rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
15169 	ire_local = ipif->ipif_ire_local;
15170 	ipif->ipif_ire_local = NULL;
15171 	ire_if = ipif->ipif_ire_if;
15172 	ipif->ipif_ire_if = NULL;
15173 	rw_exit(&ipst->ips_ill_g_lock);
15174 	if (ire_local != NULL) {
15175 		ire_delete(ire_local);
15176 		ire_refrele_notr(ire_local);
15177 	}
15178 	if (ire_if != NULL) {
15179 		ire_delete(ire_if);
15180 		ire_refrele_notr(ire_if);
15181 	}
15182 
15183 	while (irep > ire_array) {
15184 		irep--;
15185 		if (*irep != NULL) {
15186 			ire_delete(*irep);
15187 		}
15188 	}
15189 	(void) ip_srcid_remove(&ipif->ipif_v6lcl_addr, ipif->ipif_zoneid, ipst);
15190 
15191 	return (err);
15192 }
15193 
15194 /* Remove all the IREs created by ipif_add_ires_v4 */
15195 void
15196 ipif_delete_ires_v4(ipif_t *ipif)
15197 {
15198 	ill_t		*ill = ipif->ipif_ill;
15199 	ip_stack_t	*ipst = ill->ill_ipst;
15200 	ire_t		*ire;
15201 
15202 	rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
15203 	ire = ipif->ipif_ire_local;
15204 	ipif->ipif_ire_local = NULL;
15205 	rw_exit(&ipst->ips_ill_g_lock);
15206 	if (ire != NULL) {
15207 		/*
15208 		 * Move count to ipif so we don't loose the count due to
15209 		 * a down/up dance.
15210 		 */
15211 		atomic_add_32(&ipif->ipif_ib_pkt_count, ire->ire_ib_pkt_count);
15212 
15213 		ire_delete(ire);
15214 		ire_refrele_notr(ire);
15215 	}
15216 	rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
15217 	ire = ipif->ipif_ire_if;
15218 	ipif->ipif_ire_if = NULL;
15219 	rw_exit(&ipst->ips_ill_g_lock);
15220 	if (ire != NULL) {
15221 		ire_delete(ire);
15222 		ire_refrele_notr(ire);
15223 	}
15224 
15225 	/*
15226 	 * Delete the broadcast IREs.
15227 	 */
15228 	if ((ipif->ipif_flags & IPIF_BROADCAST) &&
15229 	    !(ipif->ipif_flags & IPIF_NOXMIT))
15230 		ipif_delete_bcast_ires(ipif);
15231 }
15232 
15233 /*
15234  * Checks for availbility of a usable source address (if there is one) when the
15235  * destination ILL has the ill_usesrc_ifindex pointing to another ILL. Note
15236  * this selection is done regardless of the destination.
15237  */
15238 boolean_t
15239 ipif_zone_avail(uint_t ifindex, boolean_t isv6, zoneid_t zoneid,
15240     ip_stack_t *ipst)
15241 {
15242 	ipif_t		*ipif = NULL;
15243 	ill_t		*uill;
15244 
15245 	ASSERT(ifindex != 0);
15246 
15247 	uill = ill_lookup_on_ifindex(ifindex, isv6, ipst);
15248 	if (uill == NULL)
15249 		return (B_FALSE);
15250 
15251 	mutex_enter(&uill->ill_lock);
15252 	for (ipif = uill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
15253 		if (IPIF_IS_CONDEMNED(ipif))
15254 			continue;
15255 		if (ipif->ipif_flags & (IPIF_NOLOCAL|IPIF_ANYCAST))
15256 			continue;
15257 		if (!(ipif->ipif_flags & IPIF_UP))
15258 			continue;
15259 		if (ipif->ipif_zoneid != zoneid)
15260 			continue;
15261 		if (isv6 ? IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6lcl_addr) :
15262 		    ipif->ipif_lcl_addr == INADDR_ANY)
15263 			continue;
15264 		mutex_exit(&uill->ill_lock);
15265 		ill_refrele(uill);
15266 		return (B_TRUE);
15267 	}
15268 	mutex_exit(&uill->ill_lock);
15269 	ill_refrele(uill);
15270 	return (B_FALSE);
15271 }
15272 
15273 /*
15274  * Find an ipif with a good local address on the ill+zoneid.
15275  */
15276 ipif_t *
15277 ipif_good_addr(ill_t *ill, zoneid_t zoneid)
15278 {
15279 	ipif_t		*ipif;
15280 
15281 	mutex_enter(&ill->ill_lock);
15282 	for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
15283 		if (IPIF_IS_CONDEMNED(ipif))
15284 			continue;
15285 		if (ipif->ipif_flags & (IPIF_NOLOCAL|IPIF_ANYCAST))
15286 			continue;
15287 		if (!(ipif->ipif_flags & IPIF_UP))
15288 			continue;
15289 		if (ipif->ipif_zoneid != zoneid &&
15290 		    ipif->ipif_zoneid != ALL_ZONES && zoneid != ALL_ZONES)
15291 			continue;
15292 		if (ill->ill_isv6 ?
15293 		    IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6lcl_addr) :
15294 		    ipif->ipif_lcl_addr == INADDR_ANY)
15295 			continue;
15296 		ipif_refhold_locked(ipif);
15297 		mutex_exit(&ill->ill_lock);
15298 		return (ipif);
15299 	}
15300 	mutex_exit(&ill->ill_lock);
15301 	return (NULL);
15302 }
15303 
15304 /*
15305  * IP source address type, sorted from worst to best.  For a given type,
15306  * always prefer IP addresses on the same subnet.  All-zones addresses are
15307  * suboptimal because they pose problems with unlabeled destinations.
15308  */
15309 typedef enum {
15310 	IPIF_NONE,
15311 	IPIF_DIFFNET_DEPRECATED, 	/* deprecated and different subnet */
15312 	IPIF_SAMENET_DEPRECATED, 	/* deprecated and same subnet */
15313 	IPIF_DIFFNET_ALLZONES,		/* allzones and different subnet */
15314 	IPIF_SAMENET_ALLZONES,		/* allzones and same subnet */
15315 	IPIF_DIFFNET,			/* normal and different subnet */
15316 	IPIF_SAMENET,			/* normal and same subnet */
15317 	IPIF_LOCALADDR			/* local loopback */
15318 } ipif_type_t;
15319 
15320 /*
15321  * Pick the optimal ipif on `ill' for sending to destination `dst' from zone
15322  * `zoneid'.  We rate usable ipifs from low -> high as per the ipif_type_t
15323  * enumeration, and return the highest-rated ipif.  If there's a tie, we pick
15324  * the first one, unless IPMP is used in which case we round-robin among them;
15325  * see below for more.
15326  *
15327  * Returns NULL if there is no suitable source address for the ill.
15328  * This only occurs when there is no valid source address for the ill.
15329  */
15330 ipif_t *
15331 ipif_select_source_v4(ill_t *ill, ipaddr_t dst, zoneid_t zoneid,
15332     boolean_t allow_usesrc, boolean_t *notreadyp)
15333 {
15334 	ill_t	*usill = NULL;
15335 	ill_t	*ipmp_ill = NULL;
15336 	ipif_t	*start_ipif, *next_ipif, *ipif, *best_ipif;
15337 	ipif_type_t type, best_type;
15338 	tsol_tpc_t *src_rhtp, *dst_rhtp;
15339 	ip_stack_t *ipst = ill->ill_ipst;
15340 	boolean_t samenet;
15341 
15342 	if (ill->ill_usesrc_ifindex != 0 && allow_usesrc) {
15343 		usill = ill_lookup_on_ifindex(ill->ill_usesrc_ifindex,
15344 		    B_FALSE, ipst);
15345 		if (usill != NULL)
15346 			ill = usill;	/* Select source from usesrc ILL */
15347 		else
15348 			return (NULL);
15349 	}
15350 
15351 	/*
15352 	 * Test addresses should never be used for source address selection,
15353 	 * so if we were passed one, switch to the IPMP meta-interface.
15354 	 */
15355 	if (IS_UNDER_IPMP(ill)) {
15356 		if ((ipmp_ill = ipmp_ill_hold_ipmp_ill(ill)) != NULL)
15357 			ill = ipmp_ill;	/* Select source from IPMP ill */
15358 		else
15359 			return (NULL);
15360 	}
15361 
15362 	/*
15363 	 * If we're dealing with an unlabeled destination on a labeled system,
15364 	 * make sure that we ignore source addresses that are incompatible with
15365 	 * the destination's default label.  That destination's default label
15366 	 * must dominate the minimum label on the source address.
15367 	 */
15368 	dst_rhtp = NULL;
15369 	if (is_system_labeled()) {
15370 		dst_rhtp = find_tpc(&dst, IPV4_VERSION, B_FALSE);
15371 		if (dst_rhtp == NULL)
15372 			return (NULL);
15373 		if (dst_rhtp->tpc_tp.host_type != UNLABELED) {
15374 			TPC_RELE(dst_rhtp);
15375 			dst_rhtp = NULL;
15376 		}
15377 	}
15378 
15379 	/*
15380 	 * Hold the ill_g_lock as reader. This makes sure that no ipif/ill
15381 	 * can be deleted. But an ipif/ill can get CONDEMNED any time.
15382 	 * After selecting the right ipif, under ill_lock make sure ipif is
15383 	 * not condemned, and increment refcnt. If ipif is CONDEMNED,
15384 	 * we retry. Inside the loop we still need to check for CONDEMNED,
15385 	 * but not under a lock.
15386 	 */
15387 	rw_enter(&ipst->ips_ill_g_lock, RW_READER);
15388 retry:
15389 	/*
15390 	 * For source address selection, we treat the ipif list as circular
15391 	 * and continue until we get back to where we started.  This allows
15392 	 * IPMP to vary source address selection (which improves inbound load
15393 	 * spreading) by caching its last ending point and starting from
15394 	 * there.  NOTE: we don't have to worry about ill_src_ipif changing
15395 	 * ills since that can't happen on the IPMP ill.
15396 	 */
15397 	start_ipif = ill->ill_ipif;
15398 	if (IS_IPMP(ill) && ill->ill_src_ipif != NULL)
15399 		start_ipif = ill->ill_src_ipif;
15400 
15401 	ipif = start_ipif;
15402 	best_ipif = NULL;
15403 	best_type = IPIF_NONE;
15404 	do {
15405 		if ((next_ipif = ipif->ipif_next) == NULL)
15406 			next_ipif = ill->ill_ipif;
15407 
15408 		if (IPIF_IS_CONDEMNED(ipif))
15409 			continue;
15410 		/* Always skip NOLOCAL and ANYCAST interfaces */
15411 		if (ipif->ipif_flags & (IPIF_NOLOCAL|IPIF_ANYCAST))
15412 			continue;
15413 		/* Always skip NOACCEPT interfaces */
15414 		if (ipif->ipif_ill->ill_flags & ILLF_NOACCEPT)
15415 			continue;
15416 		if (!(ipif->ipif_flags & IPIF_UP))
15417 			continue;
15418 
15419 		if (!ipif->ipif_addr_ready) {
15420 			if (notreadyp != NULL)
15421 				*notreadyp = B_TRUE;
15422 			continue;
15423 		}
15424 
15425 		if (zoneid != ALL_ZONES &&
15426 		    ipif->ipif_zoneid != zoneid &&
15427 		    ipif->ipif_zoneid != ALL_ZONES)
15428 			continue;
15429 
15430 		/*
15431 		 * Interfaces with 0.0.0.0 address are allowed to be UP, but
15432 		 * are not valid as source addresses.
15433 		 */
15434 		if (ipif->ipif_lcl_addr == INADDR_ANY)
15435 			continue;
15436 
15437 		/*
15438 		 * Check compatibility of local address for destination's
15439 		 * default label if we're on a labeled system.	Incompatible
15440 		 * addresses can't be used at all.
15441 		 */
15442 		if (dst_rhtp != NULL) {
15443 			boolean_t incompat;
15444 
15445 			src_rhtp = find_tpc(&ipif->ipif_lcl_addr,
15446 			    IPV4_VERSION, B_FALSE);
15447 			if (src_rhtp == NULL)
15448 				continue;
15449 			incompat = src_rhtp->tpc_tp.host_type != SUN_CIPSO ||
15450 			    src_rhtp->tpc_tp.tp_doi !=
15451 			    dst_rhtp->tpc_tp.tp_doi ||
15452 			    (!_blinrange(&dst_rhtp->tpc_tp.tp_def_label,
15453 			    &src_rhtp->tpc_tp.tp_sl_range_cipso) &&
15454 			    !blinlset(&dst_rhtp->tpc_tp.tp_def_label,
15455 			    src_rhtp->tpc_tp.tp_sl_set_cipso));
15456 			TPC_RELE(src_rhtp);
15457 			if (incompat)
15458 				continue;
15459 		}
15460 
15461 		samenet = ((ipif->ipif_net_mask & dst) == ipif->ipif_subnet);
15462 
15463 		if (ipif->ipif_lcl_addr == dst) {
15464 			type = IPIF_LOCALADDR;
15465 		} else if (ipif->ipif_flags & IPIF_DEPRECATED) {
15466 			type = samenet ? IPIF_SAMENET_DEPRECATED :
15467 			    IPIF_DIFFNET_DEPRECATED;
15468 		} else if (ipif->ipif_zoneid == ALL_ZONES) {
15469 			type = samenet ? IPIF_SAMENET_ALLZONES :
15470 			    IPIF_DIFFNET_ALLZONES;
15471 		} else {
15472 			type = samenet ? IPIF_SAMENET : IPIF_DIFFNET;
15473 		}
15474 
15475 		if (type > best_type) {
15476 			best_type = type;
15477 			best_ipif = ipif;
15478 			if (best_type == IPIF_LOCALADDR)
15479 				break; /* can't get better */
15480 		}
15481 	} while ((ipif = next_ipif) != start_ipif);
15482 
15483 	if ((ipif = best_ipif) != NULL) {
15484 		mutex_enter(&ipif->ipif_ill->ill_lock);
15485 		if (IPIF_IS_CONDEMNED(ipif)) {
15486 			mutex_exit(&ipif->ipif_ill->ill_lock);
15487 			goto retry;
15488 		}
15489 		ipif_refhold_locked(ipif);
15490 
15491 		/*
15492 		 * For IPMP, update the source ipif rotor to the next ipif,
15493 		 * provided we can look it up.  (We must not use it if it's
15494 		 * IPIF_CONDEMNED since we may have grabbed ill_g_lock after
15495 		 * ipif_free() checked ill_src_ipif.)
15496 		 */
15497 		if (IS_IPMP(ill) && ipif != NULL) {
15498 			next_ipif = ipif->ipif_next;
15499 			if (next_ipif != NULL && !IPIF_IS_CONDEMNED(next_ipif))
15500 				ill->ill_src_ipif = next_ipif;
15501 			else
15502 				ill->ill_src_ipif = NULL;
15503 		}
15504 		mutex_exit(&ipif->ipif_ill->ill_lock);
15505 	}
15506 
15507 	rw_exit(&ipst->ips_ill_g_lock);
15508 	if (usill != NULL)
15509 		ill_refrele(usill);
15510 	if (ipmp_ill != NULL)
15511 		ill_refrele(ipmp_ill);
15512 	if (dst_rhtp != NULL)
15513 		TPC_RELE(dst_rhtp);
15514 
15515 #ifdef DEBUG
15516 	if (ipif == NULL) {
15517 		char buf1[INET6_ADDRSTRLEN];
15518 
15519 		ip1dbg(("ipif_select_source_v4(%s, %s) -> NULL\n",
15520 		    ill->ill_name,
15521 		    inet_ntop(AF_INET, &dst, buf1, sizeof (buf1))));
15522 	} else {
15523 		char buf1[INET6_ADDRSTRLEN];
15524 		char buf2[INET6_ADDRSTRLEN];
15525 
15526 		ip1dbg(("ipif_select_source_v4(%s, %s) -> %s\n",
15527 		    ipif->ipif_ill->ill_name,
15528 		    inet_ntop(AF_INET, &dst, buf1, sizeof (buf1)),
15529 		    inet_ntop(AF_INET, &ipif->ipif_lcl_addr,
15530 		    buf2, sizeof (buf2))));
15531 	}
15532 #endif /* DEBUG */
15533 	return (ipif);
15534 }
15535 
15536 /*
15537  * Pick a source address based on the destination ill and an optional setsrc
15538  * address.
15539  * The result is stored in srcp. If generation is set, then put the source
15540  * generation number there before we look for the source address (to avoid
15541  * missing changes in the set of source addresses.
15542  * If flagsp is set, then us it to pass back ipif_flags.
15543  *
15544  * If the caller wants to cache the returned source address and detect when
15545  * that might be stale, the caller should pass in a generation argument,
15546  * which the caller can later compare against ips_src_generation
15547  *
15548  * The precedence order for selecting an IPv4 source address is:
15549  *  - RTF_SETSRC on the offlink ire always wins.
15550  *  - If usrsrc is set, swap the ill to be the usesrc one.
15551  *  - If IPMP is used on the ill, select a random address from the most
15552  *    preferred ones below:
15553  * 1. If onlink destination, same subnet and not deprecated, not ALL_ZONES
15554  * 2. Not deprecated, not ALL_ZONES
15555  * 3. If onlink destination, same subnet and not deprecated, ALL_ZONES
15556  * 4. Not deprecated, ALL_ZONES
15557  * 5. If onlink destination, same subnet and deprecated
15558  * 6. Deprecated.
15559  *
15560  * We have lower preference for ALL_ZONES IP addresses,
15561  * as they pose problems with unlabeled destinations.
15562  *
15563  * Note that when multiple IP addresses match e.g., #1 we pick
15564  * the first one if IPMP is not in use. With IPMP we randomize.
15565  */
15566 int
15567 ip_select_source_v4(ill_t *ill, ipaddr_t setsrc, ipaddr_t dst,
15568     ipaddr_t multicast_ifaddr,
15569     zoneid_t zoneid, ip_stack_t *ipst, ipaddr_t *srcp,
15570     uint32_t *generation, uint64_t *flagsp)
15571 {
15572 	ipif_t *ipif;
15573 	boolean_t notready = B_FALSE;	/* Set if !ipif_addr_ready found */
15574 
15575 	if (flagsp != NULL)
15576 		*flagsp = 0;
15577 
15578 	/*
15579 	 * Need to grab the generation number before we check to
15580 	 * avoid a race with a change to the set of local addresses.
15581 	 * No lock needed since the thread which updates the set of local
15582 	 * addresses use ipif/ill locks and exit those (hence a store memory
15583 	 * barrier) before doing the atomic increase of ips_src_generation.
15584 	 */
15585 	if (generation != NULL) {
15586 		*generation = ipst->ips_src_generation;
15587 	}
15588 
15589 	if (CLASSD(dst) && multicast_ifaddr != INADDR_ANY) {
15590 		*srcp = multicast_ifaddr;
15591 		return (0);
15592 	}
15593 
15594 	/* Was RTF_SETSRC set on the first IRE in the recursive lookup? */
15595 	if (setsrc != INADDR_ANY) {
15596 		*srcp = setsrc;
15597 		return (0);
15598 	}
15599 	ipif = ipif_select_source_v4(ill, dst, zoneid, B_TRUE, &notready);
15600 	if (ipif == NULL) {
15601 		if (notready)
15602 			return (ENETDOWN);
15603 		else
15604 			return (EADDRNOTAVAIL);
15605 	}
15606 	*srcp = ipif->ipif_lcl_addr;
15607 	if (flagsp != NULL)
15608 		*flagsp = ipif->ipif_flags;
15609 	ipif_refrele(ipif);
15610 	return (0);
15611 }
15612 
15613 /* ARGSUSED */
15614 int
15615 if_unitsel_restart(ipif_t *ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
15616 	ip_ioctl_cmd_t *ipip, void *dummy_ifreq)
15617 {
15618 	/*
15619 	 * ill_phyint_reinit merged the v4 and v6 into a single
15620 	 * ipsq.  We might not have been able to complete the
15621 	 * operation in ipif_set_values, if we could not become
15622 	 * exclusive.  If so restart it here.
15623 	 */
15624 	return (ipif_set_values_tail(ipif->ipif_ill, ipif, mp, q));
15625 }
15626 
15627 /*
15628  * Can operate on either a module or a driver queue.
15629  * Returns an error if not a module queue.
15630  */
15631 /* ARGSUSED */
15632 int
15633 if_unitsel(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
15634     ip_ioctl_cmd_t *ipip, void *dummy_ifreq)
15635 {
15636 	queue_t		*q1 = q;
15637 	char 		*cp;
15638 	char		interf_name[LIFNAMSIZ];
15639 	uint_t		ppa = *(uint_t *)mp->b_cont->b_cont->b_rptr;
15640 
15641 	if (q->q_next == NULL) {
15642 		ip1dbg((
15643 		    "if_unitsel: IF_UNITSEL: no q_next\n"));
15644 		return (EINVAL);
15645 	}
15646 
15647 	if (((ill_t *)(q->q_ptr))->ill_name[0] != '\0')
15648 		return (EALREADY);
15649 
15650 	do {
15651 		q1 = q1->q_next;
15652 	} while (q1->q_next);
15653 	cp = q1->q_qinfo->qi_minfo->mi_idname;
15654 	(void) sprintf(interf_name, "%s%d", cp, ppa);
15655 
15656 	/*
15657 	 * Here we are not going to delay the ioack until after
15658 	 * ACKs from DL_ATTACH_REQ/DL_BIND_REQ. So no need to save the
15659 	 * original ioctl message before sending the requests.
15660 	 */
15661 	return (ipif_set_values(q, mp, interf_name, &ppa));
15662 }
15663 
15664 /* ARGSUSED */
15665 int
15666 ip_sioctl_sifname(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
15667     ip_ioctl_cmd_t *ipip, void *dummy_ifreq)
15668 {
15669 	return (ENXIO);
15670 }
15671 
15672 /*
15673  * Create any IRE_BROADCAST entries for `ipif', and store those entries in
15674  * `irep'.  Returns a pointer to the next free `irep' entry
15675  * A mirror exists in ipif_delete_bcast_ires().
15676  *
15677  * The management of any "extra" or seemingly duplicate IRE_BROADCASTs is
15678  * done in ire_add.
15679  */
15680 static ire_t **
15681 ipif_create_bcast_ires(ipif_t *ipif, ire_t **irep)
15682 {
15683 	ipaddr_t addr;
15684 	ipaddr_t netmask = ip_net_mask(ipif->ipif_lcl_addr);
15685 	ipaddr_t subnetmask = ipif->ipif_net_mask;
15686 	ill_t *ill = ipif->ipif_ill;
15687 	zoneid_t zoneid = ipif->ipif_zoneid;
15688 
15689 	ip1dbg(("ipif_create_bcast_ires: creating broadcast IREs\n"));
15690 
15691 	ASSERT(ipif->ipif_flags & IPIF_BROADCAST);
15692 	ASSERT(!(ipif->ipif_flags & IPIF_NOXMIT));
15693 
15694 	if (ipif->ipif_lcl_addr == INADDR_ANY ||
15695 	    (ipif->ipif_flags & IPIF_NOLOCAL))
15696 		netmask = htonl(IN_CLASSA_NET);		/* fallback */
15697 
15698 	irep = ire_create_bcast(ill, 0, zoneid, irep);
15699 	irep = ire_create_bcast(ill, INADDR_BROADCAST, zoneid, irep);
15700 
15701 	/*
15702 	 * For backward compatibility, we create net broadcast IREs based on
15703 	 * the old "IP address class system", since some old machines only
15704 	 * respond to these class derived net broadcast.  However, we must not
15705 	 * create these net broadcast IREs if the subnetmask is shorter than
15706 	 * the IP address class based derived netmask.  Otherwise, we may
15707 	 * create a net broadcast address which is the same as an IP address
15708 	 * on the subnet -- and then TCP will refuse to talk to that address.
15709 	 */
15710 	if (netmask < subnetmask) {
15711 		addr = netmask & ipif->ipif_subnet;
15712 		irep = ire_create_bcast(ill, addr, zoneid, irep);
15713 		irep = ire_create_bcast(ill, ~netmask | addr, zoneid, irep);
15714 	}
15715 
15716 	/*
15717 	 * Don't create IRE_BROADCAST IREs for the interface if the subnetmask
15718 	 * is 0xFFFFFFFF, as an IRE_LOCAL for that interface is already
15719 	 * created.  Creating these broadcast IREs will only create confusion
15720 	 * as `addr' will be the same as the IP address.
15721 	 */
15722 	if (subnetmask != 0xFFFFFFFF) {
15723 		addr = ipif->ipif_subnet;
15724 		irep = ire_create_bcast(ill, addr, zoneid, irep);
15725 		irep = ire_create_bcast(ill, ~subnetmask | addr, zoneid, irep);
15726 	}
15727 
15728 	return (irep);
15729 }
15730 
15731 /*
15732  * Mirror of ipif_create_bcast_ires()
15733  */
15734 static void
15735 ipif_delete_bcast_ires(ipif_t *ipif)
15736 {
15737 	ipaddr_t	addr;
15738 	ipaddr_t	netmask = ip_net_mask(ipif->ipif_lcl_addr);
15739 	ipaddr_t	subnetmask = ipif->ipif_net_mask;
15740 	ill_t		*ill = ipif->ipif_ill;
15741 	zoneid_t	zoneid = ipif->ipif_zoneid;
15742 	ire_t		*ire;
15743 
15744 	ASSERT(ipif->ipif_flags & IPIF_BROADCAST);
15745 	ASSERT(!(ipif->ipif_flags & IPIF_NOXMIT));
15746 
15747 	if (ipif->ipif_lcl_addr == INADDR_ANY ||
15748 	    (ipif->ipif_flags & IPIF_NOLOCAL))
15749 		netmask = htonl(IN_CLASSA_NET);		/* fallback */
15750 
15751 	ire = ire_lookup_bcast(ill, 0, zoneid);
15752 	ASSERT(ire != NULL);
15753 	ire_delete(ire); ire_refrele(ire);
15754 	ire = ire_lookup_bcast(ill, INADDR_BROADCAST, zoneid);
15755 	ASSERT(ire != NULL);
15756 	ire_delete(ire); ire_refrele(ire);
15757 
15758 	/*
15759 	 * For backward compatibility, we create net broadcast IREs based on
15760 	 * the old "IP address class system", since some old machines only
15761 	 * respond to these class derived net broadcast.  However, we must not
15762 	 * create these net broadcast IREs if the subnetmask is shorter than
15763 	 * the IP address class based derived netmask.  Otherwise, we may
15764 	 * create a net broadcast address which is the same as an IP address
15765 	 * on the subnet -- and then TCP will refuse to talk to that address.
15766 	 */
15767 	if (netmask < subnetmask) {
15768 		addr = netmask & ipif->ipif_subnet;
15769 		ire = ire_lookup_bcast(ill, addr, zoneid);
15770 		ASSERT(ire != NULL);
15771 		ire_delete(ire); ire_refrele(ire);
15772 		ire = ire_lookup_bcast(ill, ~netmask | addr, zoneid);
15773 		ASSERT(ire != NULL);
15774 		ire_delete(ire); ire_refrele(ire);
15775 	}
15776 
15777 	/*
15778 	 * Don't create IRE_BROADCAST IREs for the interface if the subnetmask
15779 	 * is 0xFFFFFFFF, as an IRE_LOCAL for that interface is already
15780 	 * created.  Creating these broadcast IREs will only create confusion
15781 	 * as `addr' will be the same as the IP address.
15782 	 */
15783 	if (subnetmask != 0xFFFFFFFF) {
15784 		addr = ipif->ipif_subnet;
15785 		ire = ire_lookup_bcast(ill, addr, zoneid);
15786 		ASSERT(ire != NULL);
15787 		ire_delete(ire); ire_refrele(ire);
15788 		ire = ire_lookup_bcast(ill, ~subnetmask | addr, zoneid);
15789 		ASSERT(ire != NULL);
15790 		ire_delete(ire); ire_refrele(ire);
15791 	}
15792 }
15793 
15794 /*
15795  * Extract both the flags (including IFF_CANTCHANGE) such as IFF_IPV*
15796  * from lifr_flags and the name from lifr_name.
15797  * Set IFF_IPV* and ill_isv6 prior to doing the lookup
15798  * since ipif_lookup_on_name uses the _isv6 flags when matching.
15799  * Returns EINPROGRESS when mp has been consumed by queueing it on
15800  * ipx_pending_mp and the ioctl will complete in ip_rput.
15801  *
15802  * Can operate on either a module or a driver queue.
15803  * Returns an error if not a module queue.
15804  */
15805 /* ARGSUSED */
15806 int
15807 ip_sioctl_slifname(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
15808     ip_ioctl_cmd_t *ipip, void *if_req)
15809 {
15810 	ill_t	*ill = q->q_ptr;
15811 	phyint_t *phyi;
15812 	ip_stack_t *ipst;
15813 	struct lifreq *lifr = if_req;
15814 	uint64_t new_flags;
15815 
15816 	ASSERT(ipif != NULL);
15817 	ip1dbg(("ip_sioctl_slifname %s\n", lifr->lifr_name));
15818 
15819 	if (q->q_next == NULL) {
15820 		ip1dbg(("if_sioctl_slifname: SIOCSLIFNAME: no q_next\n"));
15821 		return (EINVAL);
15822 	}
15823 
15824 	/*
15825 	 * If we are not writer on 'q' then this interface exists already
15826 	 * and previous lookups (ip_extract_lifreq()) found this ipif --
15827 	 * so return EALREADY.
15828 	 */
15829 	if (ill != ipif->ipif_ill)
15830 		return (EALREADY);
15831 
15832 	if (ill->ill_name[0] != '\0')
15833 		return (EALREADY);
15834 
15835 	/*
15836 	 * If there's another ill already with the requested name, ensure
15837 	 * that it's of the same type.  Otherwise, ill_phyint_reinit() will
15838 	 * fuse together two unrelated ills, which will cause chaos.
15839 	 */
15840 	ipst = ill->ill_ipst;
15841 	phyi = avl_find(&ipst->ips_phyint_g_list->phyint_list_avl_by_name,
15842 	    lifr->lifr_name, NULL);
15843 	if (phyi != NULL) {
15844 		ill_t *ill_mate = phyi->phyint_illv4;
15845 
15846 		if (ill_mate == NULL)
15847 			ill_mate = phyi->phyint_illv6;
15848 		ASSERT(ill_mate != NULL);
15849 
15850 		if (ill_mate->ill_media->ip_m_mac_type !=
15851 		    ill->ill_media->ip_m_mac_type) {
15852 			ip1dbg(("if_sioctl_slifname: SIOCSLIFNAME: attempt to "
15853 			    "use the same ill name on differing media\n"));
15854 			return (EINVAL);
15855 		}
15856 	}
15857 
15858 	/*
15859 	 * We start off as IFF_IPV4 in ipif_allocate and become
15860 	 * IFF_IPV4 or IFF_IPV6 here depending  on lifr_flags value.
15861 	 * The only flags that we read from user space are IFF_IPV4,
15862 	 * IFF_IPV6, and IFF_BROADCAST.
15863 	 *
15864 	 * This ill has not been inserted into the global list.
15865 	 * So we are still single threaded and don't need any lock
15866 	 *
15867 	 * Saniy check the flags.
15868 	 */
15869 
15870 	if ((lifr->lifr_flags & IFF_BROADCAST) &&
15871 	    ((lifr->lifr_flags & IFF_IPV6) ||
15872 	    (!ill->ill_needs_attach && ill->ill_bcast_addr_length == 0))) {
15873 		ip1dbg(("ip_sioctl_slifname: link not broadcast capable "
15874 		    "or IPv6 i.e., no broadcast \n"));
15875 		return (EINVAL);
15876 	}
15877 
15878 	new_flags =
15879 	    lifr->lifr_flags & (IFF_IPV6|IFF_IPV4|IFF_BROADCAST);
15880 
15881 	if ((new_flags ^ (IFF_IPV6|IFF_IPV4)) == 0) {
15882 		ip1dbg(("ip_sioctl_slifname: flags must be exactly one of "
15883 		    "IFF_IPV4 or IFF_IPV6\n"));
15884 		return (EINVAL);
15885 	}
15886 
15887 	/*
15888 	 * We always start off as IPv4, so only need to check for IPv6.
15889 	 */
15890 	if ((new_flags & IFF_IPV6) != 0) {
15891 		ill->ill_flags |= ILLF_IPV6;
15892 		ill->ill_flags &= ~ILLF_IPV4;
15893 
15894 		if (lifr->lifr_flags & IFF_NOLINKLOCAL)
15895 			ill->ill_flags |= ILLF_NOLINKLOCAL;
15896 	}
15897 
15898 	if ((new_flags & IFF_BROADCAST) != 0)
15899 		ipif->ipif_flags |= IPIF_BROADCAST;
15900 	else
15901 		ipif->ipif_flags &= ~IPIF_BROADCAST;
15902 
15903 	/* We started off as V4. */
15904 	if (ill->ill_flags & ILLF_IPV6) {
15905 		ill->ill_phyint->phyint_illv6 = ill;
15906 		ill->ill_phyint->phyint_illv4 = NULL;
15907 	}
15908 
15909 	return (ipif_set_values(q, mp, lifr->lifr_name, &lifr->lifr_ppa));
15910 }
15911 
15912 /* ARGSUSED */
15913 int
15914 ip_sioctl_slifname_restart(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
15915     ip_ioctl_cmd_t *ipip, void *if_req)
15916 {
15917 	/*
15918 	 * ill_phyint_reinit merged the v4 and v6 into a single
15919 	 * ipsq.  We might not have been able to complete the
15920 	 * slifname in ipif_set_values, if we could not become
15921 	 * exclusive.  If so restart it here
15922 	 */
15923 	return (ipif_set_values_tail(ipif->ipif_ill, ipif, mp, q));
15924 }
15925 
15926 /*
15927  * Return a pointer to the ipif which matches the index, IP version type and
15928  * zoneid.
15929  */
15930 ipif_t *
15931 ipif_lookup_on_ifindex(uint_t index, boolean_t isv6, zoneid_t zoneid,
15932     ip_stack_t *ipst)
15933 {
15934 	ill_t	*ill;
15935 	ipif_t	*ipif = NULL;
15936 
15937 	ill = ill_lookup_on_ifindex(index, isv6, ipst);
15938 	if (ill != NULL) {
15939 		mutex_enter(&ill->ill_lock);
15940 		for (ipif = ill->ill_ipif; ipif != NULL;
15941 		    ipif = ipif->ipif_next) {
15942 			if (!IPIF_IS_CONDEMNED(ipif) && (zoneid == ALL_ZONES ||
15943 			    zoneid == ipif->ipif_zoneid ||
15944 			    ipif->ipif_zoneid == ALL_ZONES)) {
15945 				ipif_refhold_locked(ipif);
15946 				break;
15947 			}
15948 		}
15949 		mutex_exit(&ill->ill_lock);
15950 		ill_refrele(ill);
15951 	}
15952 	return (ipif);
15953 }
15954 
15955 /*
15956  * Change an existing physical interface's index. If the new index
15957  * is acceptable we update the index and the phyint_list_avl_by_index tree.
15958  * Finally, we update other systems which may have a dependence on the
15959  * index value.
15960  */
15961 /* ARGSUSED */
15962 int
15963 ip_sioctl_slifindex(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
15964     ip_ioctl_cmd_t *ipip, void *ifreq)
15965 {
15966 	ill_t		*ill;
15967 	phyint_t	*phyi;
15968 	struct ifreq	*ifr = (struct ifreq *)ifreq;
15969 	struct lifreq	*lifr = (struct lifreq *)ifreq;
15970 	uint_t	old_index, index;
15971 	ip_stack_t	*ipst = ipif->ipif_ill->ill_ipst;
15972 	avl_index_t	where;
15973 
15974 	if (ipip->ipi_cmd_type == IF_CMD)
15975 		index = ifr->ifr_index;
15976 	else
15977 		index = lifr->lifr_index;
15978 
15979 	/*
15980 	 * Only allow on physical interface. Also, index zero is illegal.
15981 	 */
15982 	ill = ipif->ipif_ill;
15983 	phyi = ill->ill_phyint;
15984 	if (ipif->ipif_id != 0 || index == 0 || index > IF_INDEX_MAX) {
15985 		return (EINVAL);
15986 	}
15987 
15988 	/* If the index is not changing, no work to do */
15989 	if (phyi->phyint_ifindex == index)
15990 		return (0);
15991 
15992 	/*
15993 	 * Use phyint_exists() to determine if the new interface index
15994 	 * is already in use. If the index is unused then we need to
15995 	 * change the phyint's position in the phyint_list_avl_by_index
15996 	 * tree. If we do not do this, subsequent lookups (using the new
15997 	 * index value) will not find the phyint.
15998 	 */
15999 	rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
16000 	if (phyint_exists(index, ipst)) {
16001 		rw_exit(&ipst->ips_ill_g_lock);
16002 		return (EEXIST);
16003 	}
16004 
16005 	/*
16006 	 * The new index is unused. Set it in the phyint. However we must not
16007 	 * forget to trigger NE_IFINDEX_CHANGE event before the ifindex
16008 	 * changes. The event must be bound to old ifindex value.
16009 	 */
16010 	ill_nic_event_dispatch(ill, 0, NE_IFINDEX_CHANGE,
16011 	    &index, sizeof (index));
16012 
16013 	old_index = phyi->phyint_ifindex;
16014 	phyi->phyint_ifindex = index;
16015 
16016 	avl_remove(&ipst->ips_phyint_g_list->phyint_list_avl_by_index, phyi);
16017 	(void) avl_find(&ipst->ips_phyint_g_list->phyint_list_avl_by_index,
16018 	    &index, &where);
16019 	avl_insert(&ipst->ips_phyint_g_list->phyint_list_avl_by_index,
16020 	    phyi, where);
16021 	rw_exit(&ipst->ips_ill_g_lock);
16022 
16023 	/* Update SCTP's ILL list */
16024 	sctp_ill_reindex(ill, old_index);
16025 
16026 	/* Send the routing sockets message */
16027 	ip_rts_ifmsg(ipif, RTSQ_DEFAULT);
16028 	if (ILL_OTHER(ill))
16029 		ip_rts_ifmsg(ILL_OTHER(ill)->ill_ipif, RTSQ_DEFAULT);
16030 
16031 	/* Perhaps ilgs should use this ill */
16032 	update_conn_ill(NULL, ill->ill_ipst);
16033 	return (0);
16034 }
16035 
16036 /* ARGSUSED */
16037 int
16038 ip_sioctl_get_lifindex(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
16039     ip_ioctl_cmd_t *ipip, void *ifreq)
16040 {
16041 	struct ifreq	*ifr = (struct ifreq *)ifreq;
16042 	struct lifreq	*lifr = (struct lifreq *)ifreq;
16043 
16044 	ip1dbg(("ip_sioctl_get_lifindex(%s:%u %p)\n",
16045 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
16046 	/* Get the interface index */
16047 	if (ipip->ipi_cmd_type == IF_CMD) {
16048 		ifr->ifr_index = ipif->ipif_ill->ill_phyint->phyint_ifindex;
16049 	} else {
16050 		lifr->lifr_index = ipif->ipif_ill->ill_phyint->phyint_ifindex;
16051 	}
16052 	return (0);
16053 }
16054 
16055 /* ARGSUSED */
16056 int
16057 ip_sioctl_get_lifzone(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
16058     ip_ioctl_cmd_t *ipip, void *ifreq)
16059 {
16060 	struct lifreq	*lifr = (struct lifreq *)ifreq;
16061 
16062 	ip1dbg(("ip_sioctl_get_lifzone(%s:%u %p)\n",
16063 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
16064 	/* Get the interface zone */
16065 	ASSERT(ipip->ipi_cmd_type == LIF_CMD);
16066 	lifr->lifr_zoneid = ipif->ipif_zoneid;
16067 	return (0);
16068 }
16069 
16070 /*
16071  * Set the zoneid of an interface.
16072  */
16073 /* ARGSUSED */
16074 int
16075 ip_sioctl_slifzone(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
16076     ip_ioctl_cmd_t *ipip, void *ifreq)
16077 {
16078 	struct lifreq	*lifr = (struct lifreq *)ifreq;
16079 	int err = 0;
16080 	boolean_t need_up = B_FALSE;
16081 	zone_t *zptr;
16082 	zone_status_t status;
16083 	zoneid_t zoneid;
16084 
16085 	ASSERT(ipip->ipi_cmd_type == LIF_CMD);
16086 	if ((zoneid = lifr->lifr_zoneid) == ALL_ZONES) {
16087 		if (!is_system_labeled())
16088 			return (ENOTSUP);
16089 		zoneid = GLOBAL_ZONEID;
16090 	}
16091 
16092 	/* cannot assign instance zero to a non-global zone */
16093 	if (ipif->ipif_id == 0 && zoneid != GLOBAL_ZONEID)
16094 		return (ENOTSUP);
16095 
16096 	/*
16097 	 * Cannot assign to a zone that doesn't exist or is shutting down.  In
16098 	 * the event of a race with the zone shutdown processing, since IP
16099 	 * serializes this ioctl and SIOCGLIFCONF/SIOCLIFREMOVEIF, we know the
16100 	 * interface will be cleaned up even if the zone is shut down
16101 	 * immediately after the status check. If the interface can't be brought
16102 	 * down right away, and the zone is shut down before the restart
16103 	 * function is called, we resolve the possible races by rechecking the
16104 	 * zone status in the restart function.
16105 	 */
16106 	if ((zptr = zone_find_by_id(zoneid)) == NULL)
16107 		return (EINVAL);
16108 	status = zone_status_get(zptr);
16109 	zone_rele(zptr);
16110 
16111 	if (status != ZONE_IS_READY && status != ZONE_IS_RUNNING)
16112 		return (EINVAL);
16113 
16114 	if (ipif->ipif_flags & IPIF_UP) {
16115 		/*
16116 		 * If the interface is already marked up,
16117 		 * we call ipif_down which will take care
16118 		 * of ditching any IREs that have been set
16119 		 * up based on the old interface address.
16120 		 */
16121 		err = ipif_logical_down(ipif, q, mp);
16122 		if (err == EINPROGRESS)
16123 			return (err);
16124 		(void) ipif_down_tail(ipif);
16125 		need_up = B_TRUE;
16126 	}
16127 
16128 	err = ip_sioctl_slifzone_tail(ipif, lifr->lifr_zoneid, q, mp, need_up);
16129 	return (err);
16130 }
16131 
16132 static int
16133 ip_sioctl_slifzone_tail(ipif_t *ipif, zoneid_t zoneid,
16134     queue_t *q, mblk_t *mp, boolean_t need_up)
16135 {
16136 	int	err = 0;
16137 	ip_stack_t	*ipst;
16138 
16139 	ip1dbg(("ip_sioctl_zoneid_tail(%s:%u %p)\n",
16140 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
16141 
16142 	if (CONN_Q(q))
16143 		ipst = CONNQ_TO_IPST(q);
16144 	else
16145 		ipst = ILLQ_TO_IPST(q);
16146 
16147 	/*
16148 	 * For exclusive stacks we don't allow a different zoneid than
16149 	 * global.
16150 	 */
16151 	if (ipst->ips_netstack->netstack_stackid != GLOBAL_NETSTACKID &&
16152 	    zoneid != GLOBAL_ZONEID)
16153 		return (EINVAL);
16154 
16155 	/* Set the new zone id. */
16156 	ipif->ipif_zoneid = zoneid;
16157 
16158 	/* Update sctp list */
16159 	sctp_update_ipif(ipif, SCTP_IPIF_UPDATE);
16160 
16161 	/* The default multicast interface might have changed */
16162 	ire_increment_multicast_generation(ipst, ipif->ipif_ill->ill_isv6);
16163 
16164 	if (need_up) {
16165 		/*
16166 		 * Now bring the interface back up.  If this
16167 		 * is the only IPIF for the ILL, ipif_up
16168 		 * will have to re-bind to the device, so
16169 		 * we may get back EINPROGRESS, in which
16170 		 * case, this IOCTL will get completed in
16171 		 * ip_rput_dlpi when we see the DL_BIND_ACK.
16172 		 */
16173 		err = ipif_up(ipif, q, mp);
16174 	}
16175 	return (err);
16176 }
16177 
16178 /* ARGSUSED */
16179 int
16180 ip_sioctl_slifzone_restart(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
16181     ip_ioctl_cmd_t *ipip, void *if_req)
16182 {
16183 	struct lifreq *lifr = (struct lifreq *)if_req;
16184 	zoneid_t zoneid;
16185 	zone_t *zptr;
16186 	zone_status_t status;
16187 
16188 	ASSERT(ipip->ipi_cmd_type == LIF_CMD);
16189 	if ((zoneid = lifr->lifr_zoneid) == ALL_ZONES)
16190 		zoneid = GLOBAL_ZONEID;
16191 
16192 	ip1dbg(("ip_sioctl_slifzone_restart(%s:%u %p)\n",
16193 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
16194 
16195 	/*
16196 	 * We recheck the zone status to resolve the following race condition:
16197 	 * 1) process sends SIOCSLIFZONE to put hme0:1 in zone "myzone";
16198 	 * 2) hme0:1 is up and can't be brought down right away;
16199 	 * ip_sioctl_slifzone() returns EINPROGRESS and the request is queued;
16200 	 * 3) zone "myzone" is halted; the zone status switches to
16201 	 * 'shutting_down' and the zones framework sends SIOCGLIFCONF to list
16202 	 * the interfaces to remove - hme0:1 is not returned because it's not
16203 	 * yet in "myzone", so it won't be removed;
16204 	 * 4) the restart function for SIOCSLIFZONE is called; without the
16205 	 * status check here, we would have hme0:1 in "myzone" after it's been
16206 	 * destroyed.
16207 	 * Note that if the status check fails, we need to bring the interface
16208 	 * back to its state prior to ip_sioctl_slifzone(), hence the call to
16209 	 * ipif_up_done[_v6]().
16210 	 */
16211 	status = ZONE_IS_UNINITIALIZED;
16212 	if ((zptr = zone_find_by_id(zoneid)) != NULL) {
16213 		status = zone_status_get(zptr);
16214 		zone_rele(zptr);
16215 	}
16216 	if (status != ZONE_IS_READY && status != ZONE_IS_RUNNING) {
16217 		if (ipif->ipif_isv6) {
16218 			(void) ipif_up_done_v6(ipif);
16219 		} else {
16220 			(void) ipif_up_done(ipif);
16221 		}
16222 		return (EINVAL);
16223 	}
16224 
16225 	(void) ipif_down_tail(ipif);
16226 
16227 	return (ip_sioctl_slifzone_tail(ipif, lifr->lifr_zoneid, q, mp,
16228 	    B_TRUE));
16229 }
16230 
16231 /*
16232  * Return the number of addresses on `ill' with one or more of the values
16233  * in `set' set and all of the values in `clear' clear.
16234  */
16235 static uint_t
16236 ill_flagaddr_cnt(const ill_t *ill, uint64_t set, uint64_t clear)
16237 {
16238 	ipif_t	*ipif;
16239 	uint_t	cnt = 0;
16240 
16241 	ASSERT(IAM_WRITER_ILL(ill));
16242 
16243 	for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next)
16244 		if ((ipif->ipif_flags & set) && !(ipif->ipif_flags & clear))
16245 			cnt++;
16246 
16247 	return (cnt);
16248 }
16249 
16250 /*
16251  * Return the number of migratable addresses on `ill' that are under
16252  * application control.
16253  */
16254 uint_t
16255 ill_appaddr_cnt(const ill_t *ill)
16256 {
16257 	return (ill_flagaddr_cnt(ill, IPIF_DHCPRUNNING | IPIF_ADDRCONF,
16258 	    IPIF_NOFAILOVER));
16259 }
16260 
16261 /*
16262  * Return the number of point-to-point addresses on `ill'.
16263  */
16264 uint_t
16265 ill_ptpaddr_cnt(const ill_t *ill)
16266 {
16267 	return (ill_flagaddr_cnt(ill, IPIF_POINTOPOINT, 0));
16268 }
16269 
16270 /* ARGSUSED */
16271 int
16272 ip_sioctl_get_lifusesrc(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
16273 	ip_ioctl_cmd_t *ipip, void *ifreq)
16274 {
16275 	struct lifreq	*lifr = ifreq;
16276 
16277 	ASSERT(q->q_next == NULL);
16278 	ASSERT(CONN_Q(q));
16279 
16280 	ip1dbg(("ip_sioctl_get_lifusesrc(%s:%u %p)\n",
16281 	    ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
16282 	lifr->lifr_index = ipif->ipif_ill->ill_usesrc_ifindex;
16283 	ip1dbg(("ip_sioctl_get_lifusesrc:lifr_index = %d\n", lifr->lifr_index));
16284 
16285 	return (0);
16286 }
16287 
16288 /* Find the previous ILL in this usesrc group */
16289 static ill_t *
16290 ill_prev_usesrc(ill_t *uill)
16291 {
16292 	ill_t *ill;
16293 
16294 	for (ill = uill->ill_usesrc_grp_next;
16295 	    ASSERT(ill), ill->ill_usesrc_grp_next != uill;
16296 	    ill = ill->ill_usesrc_grp_next)
16297 		/* do nothing */;
16298 	return (ill);
16299 }
16300 
16301 /*
16302  * Release all members of the usesrc group. This routine is called
16303  * from ill_delete when the interface being unplumbed is the
16304  * group head.
16305  *
16306  * This silently clears the usesrc that ifconfig setup.
16307  * An alternative would be to keep that ifindex, and drop packets on the floor
16308  * since no source address can be selected.
16309  * Even if we keep the current semantics, don't need a lock and a linked list.
16310  * Can walk all the ills checking if they have a ill_usesrc_ifindex matching
16311  * the one that is being removed. Issue is how we return the usesrc users
16312  * (SIOCGLIFSRCOF). We want to be able to find the ills which have an
16313  * ill_usesrc_ifindex matching a target ill. We could also do that with an
16314  * ill walk, but the walker would need to insert in the ioctl response.
16315  */
16316 static void
16317 ill_disband_usesrc_group(ill_t *uill)
16318 {
16319 	ill_t *next_ill, *tmp_ill;
16320 	ip_stack_t	*ipst = uill->ill_ipst;
16321 
16322 	ASSERT(RW_WRITE_HELD(&ipst->ips_ill_g_usesrc_lock));
16323 	next_ill = uill->ill_usesrc_grp_next;
16324 
16325 	do {
16326 		ASSERT(next_ill != NULL);
16327 		tmp_ill = next_ill->ill_usesrc_grp_next;
16328 		ASSERT(tmp_ill != NULL);
16329 		next_ill->ill_usesrc_grp_next = NULL;
16330 		next_ill->ill_usesrc_ifindex = 0;
16331 		next_ill = tmp_ill;
16332 	} while (next_ill->ill_usesrc_ifindex != 0);
16333 	uill->ill_usesrc_grp_next = NULL;
16334 }
16335 
16336 /*
16337  * Remove the client usesrc ILL from the list and relink to a new list
16338  */
16339 int
16340 ill_relink_usesrc_ills(ill_t *ucill, ill_t *uill, uint_t ifindex)
16341 {
16342 	ill_t *ill, *tmp_ill;
16343 	ip_stack_t	*ipst = ucill->ill_ipst;
16344 
16345 	ASSERT((ucill != NULL) && (ucill->ill_usesrc_grp_next != NULL) &&
16346 	    (uill != NULL) && RW_WRITE_HELD(&ipst->ips_ill_g_usesrc_lock));
16347 
16348 	/*
16349 	 * Check if the usesrc client ILL passed in is not already
16350 	 * in use as a usesrc ILL i.e one whose source address is
16351 	 * in use OR a usesrc ILL is not already in use as a usesrc
16352 	 * client ILL
16353 	 */
16354 	if ((ucill->ill_usesrc_ifindex == 0) ||
16355 	    (uill->ill_usesrc_ifindex != 0)) {
16356 		return (-1);
16357 	}
16358 
16359 	ill = ill_prev_usesrc(ucill);
16360 	ASSERT(ill->ill_usesrc_grp_next != NULL);
16361 
16362 	/* Remove from the current list */
16363 	if (ill->ill_usesrc_grp_next->ill_usesrc_grp_next == ill) {
16364 		/* Only two elements in the list */
16365 		ASSERT(ill->ill_usesrc_ifindex == 0);
16366 		ill->ill_usesrc_grp_next = NULL;
16367 	} else {
16368 		ill->ill_usesrc_grp_next = ucill->ill_usesrc_grp_next;
16369 	}
16370 
16371 	if (ifindex == 0) {
16372 		ucill->ill_usesrc_ifindex = 0;
16373 		ucill->ill_usesrc_grp_next = NULL;
16374 		return (0);
16375 	}
16376 
16377 	ucill->ill_usesrc_ifindex = ifindex;
16378 	tmp_ill = uill->ill_usesrc_grp_next;
16379 	uill->ill_usesrc_grp_next = ucill;
16380 	ucill->ill_usesrc_grp_next =
16381 	    (tmp_ill != NULL) ? tmp_ill : uill;
16382 	return (0);
16383 }
16384 
16385 /*
16386  * Set the ill_usesrc and ill_usesrc_head fields. See synchronization notes in
16387  * ip.c for locking details.
16388  */
16389 /* ARGSUSED */
16390 int
16391 ip_sioctl_slifusesrc(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
16392     ip_ioctl_cmd_t *ipip, void *ifreq)
16393 {
16394 	struct lifreq *lifr = (struct lifreq *)ifreq;
16395 	boolean_t isv6 = B_FALSE, reset_flg = B_FALSE;
16396 	ill_t *usesrc_ill, *usesrc_cli_ill = ipif->ipif_ill;
16397 	int err = 0, ret;
16398 	uint_t ifindex;
16399 	ipsq_t *ipsq = NULL;
16400 	ip_stack_t	*ipst = ipif->ipif_ill->ill_ipst;
16401 
16402 	ASSERT(IAM_WRITER_IPIF(ipif));
16403 	ASSERT(q->q_next == NULL);
16404 	ASSERT(CONN_Q(q));
16405 
16406 	isv6 = (Q_TO_CONN(q))->conn_family == AF_INET6;
16407 
16408 	ifindex = lifr->lifr_index;
16409 	if (ifindex == 0) {
16410 		if (usesrc_cli_ill->ill_usesrc_grp_next == NULL) {
16411 			/* non usesrc group interface, nothing to reset */
16412 			return (0);
16413 		}
16414 		ifindex = usesrc_cli_ill->ill_usesrc_ifindex;
16415 		/* valid reset request */
16416 		reset_flg = B_TRUE;
16417 	}
16418 
16419 	usesrc_ill = ill_lookup_on_ifindex(ifindex, isv6, ipst);
16420 	if (usesrc_ill == NULL)
16421 		return (ENXIO);
16422 	if (usesrc_ill == ipif->ipif_ill) {
16423 		ill_refrele(usesrc_ill);
16424 		return (EINVAL);
16425 	}
16426 
16427 	ipsq = ipsq_try_enter(NULL, usesrc_ill, q, mp, ip_process_ioctl,
16428 	    NEW_OP, B_TRUE);
16429 	if (ipsq == NULL) {
16430 		err = EINPROGRESS;
16431 		/* Operation enqueued on the ipsq of the usesrc ILL */
16432 		goto done;
16433 	}
16434 
16435 	/* USESRC isn't currently supported with IPMP */
16436 	if (IS_IPMP(usesrc_ill) || IS_UNDER_IPMP(usesrc_ill)) {
16437 		err = ENOTSUP;
16438 		goto done;
16439 	}
16440 
16441 	/*
16442 	 * USESRC isn't compatible with the STANDBY flag.  (STANDBY is only
16443 	 * used by IPMP underlying interfaces, but someone might think it's
16444 	 * more general and try to use it independently with VNI.)
16445 	 */
16446 	if (usesrc_ill->ill_phyint->phyint_flags & PHYI_STANDBY) {
16447 		err = ENOTSUP;
16448 		goto done;
16449 	}
16450 
16451 	/*
16452 	 * If the client is already in use as a usesrc_ill or a usesrc_ill is
16453 	 * already a client then return EINVAL
16454 	 */
16455 	if (IS_USESRC_ILL(usesrc_cli_ill) || IS_USESRC_CLI_ILL(usesrc_ill)) {
16456 		err = EINVAL;
16457 		goto done;
16458 	}
16459 
16460 	/*
16461 	 * If the ill_usesrc_ifindex field is already set to what it needs to
16462 	 * be then this is a duplicate operation.
16463 	 */
16464 	if (!reset_flg && usesrc_cli_ill->ill_usesrc_ifindex == ifindex) {
16465 		err = 0;
16466 		goto done;
16467 	}
16468 
16469 	ip1dbg(("ip_sioctl_slifusesrc: usesrc_cli_ill %s, usesrc_ill %s,"
16470 	    " v6 = %d", usesrc_cli_ill->ill_name, usesrc_ill->ill_name,
16471 	    usesrc_ill->ill_isv6));
16472 
16473 	/*
16474 	 * ill_g_usesrc_lock global lock protects the ill_usesrc_grp_next
16475 	 * and the ill_usesrc_ifindex fields
16476 	 */
16477 	rw_enter(&ipst->ips_ill_g_usesrc_lock, RW_WRITER);
16478 
16479 	if (reset_flg) {
16480 		ret = ill_relink_usesrc_ills(usesrc_cli_ill, usesrc_ill, 0);
16481 		if (ret != 0) {
16482 			err = EINVAL;
16483 		}
16484 		rw_exit(&ipst->ips_ill_g_usesrc_lock);
16485 		goto done;
16486 	}
16487 
16488 	/*
16489 	 * Four possibilities to consider:
16490 	 * 1. Both usesrc_ill and usesrc_cli_ill are not part of any usesrc grp
16491 	 * 2. usesrc_ill is part of a group but usesrc_cli_ill isn't
16492 	 * 3. usesrc_cli_ill is part of a group but usesrc_ill isn't
16493 	 * 4. Both are part of their respective usesrc groups
16494 	 */
16495 	if ((usesrc_ill->ill_usesrc_grp_next == NULL) &&
16496 	    (usesrc_cli_ill->ill_usesrc_grp_next == NULL)) {
16497 		ASSERT(usesrc_ill->ill_usesrc_ifindex == 0);
16498 		usesrc_cli_ill->ill_usesrc_ifindex = ifindex;
16499 		usesrc_ill->ill_usesrc_grp_next = usesrc_cli_ill;
16500 		usesrc_cli_ill->ill_usesrc_grp_next = usesrc_ill;
16501 	} else if ((usesrc_ill->ill_usesrc_grp_next != NULL) &&
16502 	    (usesrc_cli_ill->ill_usesrc_grp_next == NULL)) {
16503 		usesrc_cli_ill->ill_usesrc_ifindex = ifindex;
16504 		/* Insert at head of list */
16505 		usesrc_cli_ill->ill_usesrc_grp_next =
16506 		    usesrc_ill->ill_usesrc_grp_next;
16507 		usesrc_ill->ill_usesrc_grp_next = usesrc_cli_ill;
16508 	} else {
16509 		ret = ill_relink_usesrc_ills(usesrc_cli_ill, usesrc_ill,
16510 		    ifindex);
16511 		if (ret != 0)
16512 			err = EINVAL;
16513 	}
16514 	rw_exit(&ipst->ips_ill_g_usesrc_lock);
16515 
16516 done:
16517 	if (ipsq != NULL)
16518 		ipsq_exit(ipsq);
16519 	/* The refrele on the lifr_name ipif is done by ip_process_ioctl */
16520 	ill_refrele(usesrc_ill);
16521 
16522 	/* Let conn_ixa caching know that source address selection changed */
16523 	ip_update_source_selection(ipst);
16524 
16525 	return (err);
16526 }
16527 
16528 /* ARGSUSED */
16529 int
16530 ip_sioctl_get_dadstate(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
16531     ip_ioctl_cmd_t *ipip, void *if_req)
16532 {
16533 	struct lifreq	*lifr = (struct lifreq *)if_req;
16534 	ill_t		*ill = ipif->ipif_ill;
16535 
16536 	/*
16537 	 * Need a lock since IFF_UP can be set even when there are
16538 	 * references to the ipif.
16539 	 */
16540 	mutex_enter(&ill->ill_lock);
16541 	if ((ipif->ipif_flags & IPIF_UP) && ipif->ipif_addr_ready == 0)
16542 		lifr->lifr_dadstate = DAD_IN_PROGRESS;
16543 	else
16544 		lifr->lifr_dadstate = DAD_DONE;
16545 	mutex_exit(&ill->ill_lock);
16546 	return (0);
16547 }
16548 
16549 /*
16550  * comparison function used by avl.
16551  */
16552 static int
16553 ill_phyint_compare_index(const void *index_ptr, const void *phyip)
16554 {
16555 
16556 	uint_t index;
16557 
16558 	ASSERT(phyip != NULL && index_ptr != NULL);
16559 
16560 	index = *((uint_t *)index_ptr);
16561 	/*
16562 	 * let the phyint with the lowest index be on top.
16563 	 */
16564 	if (((phyint_t *)phyip)->phyint_ifindex < index)
16565 		return (1);
16566 	if (((phyint_t *)phyip)->phyint_ifindex > index)
16567 		return (-1);
16568 	return (0);
16569 }
16570 
16571 /*
16572  * comparison function used by avl.
16573  */
16574 static int
16575 ill_phyint_compare_name(const void *name_ptr, const void *phyip)
16576 {
16577 	ill_t *ill;
16578 	int res = 0;
16579 
16580 	ASSERT(phyip != NULL && name_ptr != NULL);
16581 
16582 	if (((phyint_t *)phyip)->phyint_illv4)
16583 		ill = ((phyint_t *)phyip)->phyint_illv4;
16584 	else
16585 		ill = ((phyint_t *)phyip)->phyint_illv6;
16586 	ASSERT(ill != NULL);
16587 
16588 	res = strcmp(ill->ill_name, (char *)name_ptr);
16589 	if (res > 0)
16590 		return (1);
16591 	else if (res < 0)
16592 		return (-1);
16593 	return (0);
16594 }
16595 
16596 /*
16597  * This function is called on the unplumb path via ill_glist_delete() when
16598  * there are no ills left on the phyint and thus the phyint can be freed.
16599  */
16600 static void
16601 phyint_free(phyint_t *phyi)
16602 {
16603 	ip_stack_t *ipst = PHYINT_TO_IPST(phyi);
16604 
16605 	ASSERT(phyi->phyint_illv4 == NULL && phyi->phyint_illv6 == NULL);
16606 
16607 	/*
16608 	 * If this phyint was an IPMP meta-interface, blow away the group.
16609 	 * This is safe to do because all of the illgrps have already been
16610 	 * removed by I_PUNLINK, and thus SIOCSLIFGROUPNAME cannot find us.
16611 	 * If we're cleaning up as a result of failed initialization,
16612 	 * phyint_grp may be NULL.
16613 	 */
16614 	if ((phyi->phyint_flags & PHYI_IPMP) && (phyi->phyint_grp != NULL)) {
16615 		rw_enter(&ipst->ips_ipmp_lock, RW_WRITER);
16616 		ipmp_grp_destroy(phyi->phyint_grp);
16617 		phyi->phyint_grp = NULL;
16618 		rw_exit(&ipst->ips_ipmp_lock);
16619 	}
16620 
16621 	/*
16622 	 * If this interface was under IPMP, take it out of the group.
16623 	 */
16624 	if (phyi->phyint_grp != NULL)
16625 		ipmp_phyint_leave_grp(phyi);
16626 
16627 	/*
16628 	 * Delete the phyint and disassociate its ipsq.  The ipsq itself
16629 	 * will be freed in ipsq_exit().
16630 	 */
16631 	phyi->phyint_ipsq->ipsq_phyint = NULL;
16632 	phyi->phyint_name[0] = '\0';
16633 
16634 	mi_free(phyi);
16635 }
16636 
16637 /*
16638  * Attach the ill to the phyint structure which can be shared by both
16639  * IPv4 and IPv6 ill. ill_init allocates a phyint to just hold flags. This
16640  * function is called from ipif_set_values and ill_lookup_on_name (for
16641  * loopback) where we know the name of the ill. We lookup the ill and if
16642  * there is one present already with the name use that phyint. Otherwise
16643  * reuse the one allocated by ill_init.
16644  */
16645 static void
16646 ill_phyint_reinit(ill_t *ill)
16647 {
16648 	boolean_t isv6 = ill->ill_isv6;
16649 	phyint_t *phyi_old;
16650 	phyint_t *phyi;
16651 	avl_index_t where = 0;
16652 	ill_t	*ill_other = NULL;
16653 	ip_stack_t	*ipst = ill->ill_ipst;
16654 
16655 	ASSERT(RW_WRITE_HELD(&ipst->ips_ill_g_lock));
16656 
16657 	phyi_old = ill->ill_phyint;
16658 	ASSERT(isv6 || (phyi_old->phyint_illv4 == ill &&
16659 	    phyi_old->phyint_illv6 == NULL));
16660 	ASSERT(!isv6 || (phyi_old->phyint_illv6 == ill &&
16661 	    phyi_old->phyint_illv4 == NULL));
16662 	ASSERT(phyi_old->phyint_ifindex == 0);
16663 
16664 	/*
16665 	 * Now that our ill has a name, set it in the phyint.
16666 	 */
16667 	(void) strlcpy(ill->ill_phyint->phyint_name, ill->ill_name, LIFNAMSIZ);
16668 
16669 	phyi = avl_find(&ipst->ips_phyint_g_list->phyint_list_avl_by_name,
16670 	    ill->ill_name, &where);
16671 
16672 	/*
16673 	 * 1. We grabbed the ill_g_lock before inserting this ill into
16674 	 *    the global list of ills. So no other thread could have located
16675 	 *    this ill and hence the ipsq of this ill is guaranteed to be empty.
16676 	 * 2. Now locate the other protocol instance of this ill.
16677 	 * 3. Now grab both ill locks in the right order, and the phyint lock of
16678 	 *    the new ipsq. Holding ill locks + ill_g_lock ensures that the ipsq
16679 	 *    of neither ill can change.
16680 	 * 4. Merge the phyint and thus the ipsq as well of this ill onto the
16681 	 *    other ill.
16682 	 * 5. Release all locks.
16683 	 */
16684 
16685 	/*
16686 	 * Look for IPv4 if we are initializing IPv6 or look for IPv6 if
16687 	 * we are initializing IPv4.
16688 	 */
16689 	if (phyi != NULL) {
16690 		ill_other = (isv6) ? phyi->phyint_illv4 : phyi->phyint_illv6;
16691 		ASSERT(ill_other->ill_phyint != NULL);
16692 		ASSERT((isv6 && !ill_other->ill_isv6) ||
16693 		    (!isv6 && ill_other->ill_isv6));
16694 		GRAB_ILL_LOCKS(ill, ill_other);
16695 		/*
16696 		 * We are potentially throwing away phyint_flags which
16697 		 * could be different from the one that we obtain from
16698 		 * ill_other->ill_phyint. But it is okay as we are assuming
16699 		 * that the state maintained within IP is correct.
16700 		 */
16701 		mutex_enter(&phyi->phyint_lock);
16702 		if (isv6) {
16703 			ASSERT(phyi->phyint_illv6 == NULL);
16704 			phyi->phyint_illv6 = ill;
16705 		} else {
16706 			ASSERT(phyi->phyint_illv4 == NULL);
16707 			phyi->phyint_illv4 = ill;
16708 		}
16709 
16710 		/*
16711 		 * Delete the old phyint and make its ipsq eligible
16712 		 * to be freed in ipsq_exit().
16713 		 */
16714 		phyi_old->phyint_illv4 = NULL;
16715 		phyi_old->phyint_illv6 = NULL;
16716 		phyi_old->phyint_ipsq->ipsq_phyint = NULL;
16717 		phyi_old->phyint_name[0] = '\0';
16718 		mi_free(phyi_old);
16719 	} else {
16720 		mutex_enter(&ill->ill_lock);
16721 		/*
16722 		 * We don't need to acquire any lock, since
16723 		 * the ill is not yet visible globally  and we
16724 		 * have not yet released the ill_g_lock.
16725 		 */
16726 		phyi = phyi_old;
16727 		mutex_enter(&phyi->phyint_lock);
16728 		/* XXX We need a recovery strategy here. */
16729 		if (!phyint_assign_ifindex(phyi, ipst))
16730 			cmn_err(CE_PANIC, "phyint_assign_ifindex() failed");
16731 
16732 		avl_insert(&ipst->ips_phyint_g_list->phyint_list_avl_by_name,
16733 		    (void *)phyi, where);
16734 
16735 		(void) avl_find(&ipst->ips_phyint_g_list->
16736 		    phyint_list_avl_by_index,
16737 		    &phyi->phyint_ifindex, &where);
16738 		avl_insert(&ipst->ips_phyint_g_list->phyint_list_avl_by_index,
16739 		    (void *)phyi, where);
16740 	}
16741 
16742 	/*
16743 	 * Reassigning ill_phyint automatically reassigns the ipsq also.
16744 	 * pending mp is not affected because that is per ill basis.
16745 	 */
16746 	ill->ill_phyint = phyi;
16747 
16748 	/*
16749 	 * Now that the phyint's ifindex has been assigned, complete the
16750 	 * remaining
16751 	 */
16752 	ill->ill_ip_mib->ipIfStatsIfIndex = ill->ill_phyint->phyint_ifindex;
16753 	if (ill->ill_isv6) {
16754 		ill->ill_icmp6_mib->ipv6IfIcmpIfIndex =
16755 		    ill->ill_phyint->phyint_ifindex;
16756 		ill->ill_mcast_type = ipst->ips_mld_max_version;
16757 	} else {
16758 		ill->ill_mcast_type = ipst->ips_igmp_max_version;
16759 	}
16760 
16761 	/*
16762 	 * Generate an event within the hooks framework to indicate that
16763 	 * a new interface has just been added to IP.  For this event to
16764 	 * be generated, the network interface must, at least, have an
16765 	 * ifindex assigned to it.  (We don't generate the event for
16766 	 * loopback since ill_lookup_on_name() has its own NE_PLUMB event.)
16767 	 *
16768 	 * This needs to be run inside the ill_g_lock perimeter to ensure
16769 	 * that the ordering of delivered events to listeners matches the
16770 	 * order of them in the kernel.
16771 	 */
16772 	if (!IS_LOOPBACK(ill)) {
16773 		ill_nic_event_dispatch(ill, 0, NE_PLUMB, ill->ill_name,
16774 		    ill->ill_name_length);
16775 	}
16776 	RELEASE_ILL_LOCKS(ill, ill_other);
16777 	mutex_exit(&phyi->phyint_lock);
16778 }
16779 
16780 /*
16781  * Notify any downstream modules of the name of this interface.
16782  * An M_IOCTL is used even though we don't expect a successful reply.
16783  * Any reply message from the driver (presumably an M_IOCNAK) will
16784  * eventually get discarded somewhere upstream.  The message format is
16785  * simply an SIOCSLIFNAME ioctl just as might be sent from ifconfig
16786  * to IP.
16787  */
16788 static void
16789 ip_ifname_notify(ill_t *ill, queue_t *q)
16790 {
16791 	mblk_t *mp1, *mp2;
16792 	struct iocblk *iocp;
16793 	struct lifreq *lifr;
16794 
16795 	mp1 = mkiocb(SIOCSLIFNAME);
16796 	if (mp1 == NULL)
16797 		return;
16798 	mp2 = allocb(sizeof (struct lifreq), BPRI_HI);
16799 	if (mp2 == NULL) {
16800 		freeb(mp1);
16801 		return;
16802 	}
16803 
16804 	mp1->b_cont = mp2;
16805 	iocp = (struct iocblk *)mp1->b_rptr;
16806 	iocp->ioc_count = sizeof (struct lifreq);
16807 
16808 	lifr = (struct lifreq *)mp2->b_rptr;
16809 	mp2->b_wptr += sizeof (struct lifreq);
16810 	bzero(lifr, sizeof (struct lifreq));
16811 
16812 	(void) strncpy(lifr->lifr_name, ill->ill_name, LIFNAMSIZ);
16813 	lifr->lifr_ppa = ill->ill_ppa;
16814 	lifr->lifr_flags = (ill->ill_flags & (ILLF_IPV4|ILLF_IPV6));
16815 
16816 	DTRACE_PROBE3(ill__dlpi, char *, "ip_ifname_notify",
16817 	    char *, "SIOCSLIFNAME", ill_t *, ill);
16818 	putnext(q, mp1);
16819 }
16820 
16821 static int
16822 ipif_set_values_tail(ill_t *ill, ipif_t *ipif, mblk_t *mp, queue_t *q)
16823 {
16824 	int		err;
16825 	ip_stack_t	*ipst = ill->ill_ipst;
16826 	phyint_t	*phyi = ill->ill_phyint;
16827 
16828 	/*
16829 	 * Now that ill_name is set, the configuration for the IPMP
16830 	 * meta-interface can be performed.
16831 	 */
16832 	if (IS_IPMP(ill)) {
16833 		rw_enter(&ipst->ips_ipmp_lock, RW_WRITER);
16834 		/*
16835 		 * If phyi->phyint_grp is NULL, then this is the first IPMP
16836 		 * meta-interface and we need to create the IPMP group.
16837 		 */
16838 		if (phyi->phyint_grp == NULL) {
16839 			/*
16840 			 * If someone has renamed another IPMP group to have
16841 			 * the same name as our interface, bail.
16842 			 */
16843 			if (ipmp_grp_lookup(ill->ill_name, ipst) != NULL) {
16844 				rw_exit(&ipst->ips_ipmp_lock);
16845 				return (EEXIST);
16846 			}
16847 			phyi->phyint_grp = ipmp_grp_create(ill->ill_name, phyi);
16848 			if (phyi->phyint_grp == NULL) {
16849 				rw_exit(&ipst->ips_ipmp_lock);
16850 				return (ENOMEM);
16851 			}
16852 		}
16853 		rw_exit(&ipst->ips_ipmp_lock);
16854 	}
16855 
16856 	/* Tell downstream modules where they are. */
16857 	ip_ifname_notify(ill, q);
16858 
16859 	/*
16860 	 * ill_dl_phys returns EINPROGRESS in the usual case.
16861 	 * Error cases are ENOMEM ...
16862 	 */
16863 	err = ill_dl_phys(ill, ipif, mp, q);
16864 
16865 	if (ill->ill_isv6) {
16866 		mutex_enter(&ipst->ips_mld_slowtimeout_lock);
16867 		if (ipst->ips_mld_slowtimeout_id == 0) {
16868 			ipst->ips_mld_slowtimeout_id = timeout(mld_slowtimo,
16869 			    (void *)ipst,
16870 			    MSEC_TO_TICK(MCAST_SLOWTIMO_INTERVAL));
16871 		}
16872 		mutex_exit(&ipst->ips_mld_slowtimeout_lock);
16873 	} else {
16874 		mutex_enter(&ipst->ips_igmp_slowtimeout_lock);
16875 		if (ipst->ips_igmp_slowtimeout_id == 0) {
16876 			ipst->ips_igmp_slowtimeout_id = timeout(igmp_slowtimo,
16877 			    (void *)ipst,
16878 			    MSEC_TO_TICK(MCAST_SLOWTIMO_INTERVAL));
16879 		}
16880 		mutex_exit(&ipst->ips_igmp_slowtimeout_lock);
16881 	}
16882 
16883 	return (err);
16884 }
16885 
16886 /*
16887  * Common routine for ppa and ifname setting. Should be called exclusive.
16888  *
16889  * Returns EINPROGRESS when mp has been consumed by queueing it on
16890  * ipx_pending_mp and the ioctl will complete in ip_rput.
16891  *
16892  * NOTE : If ppa is UNIT_MAX, we assign the next valid ppa and return
16893  * the new name and new ppa in lifr_name and lifr_ppa respectively.
16894  * For SLIFNAME, we pass these values back to the userland.
16895  */
16896 static int
16897 ipif_set_values(queue_t *q, mblk_t *mp, char *interf_name, uint_t *new_ppa_ptr)
16898 {
16899 	ill_t	*ill;
16900 	ipif_t	*ipif;
16901 	ipsq_t	*ipsq;
16902 	char	*ppa_ptr;
16903 	char	*old_ptr;
16904 	char	old_char;
16905 	int	error;
16906 	ip_stack_t	*ipst;
16907 
16908 	ip1dbg(("ipif_set_values: interface %s\n", interf_name));
16909 	ASSERT(q->q_next != NULL);
16910 	ASSERT(interf_name != NULL);
16911 
16912 	ill = (ill_t *)q->q_ptr;
16913 	ipst = ill->ill_ipst;
16914 
16915 	ASSERT(ill->ill_ipst != NULL);
16916 	ASSERT(ill->ill_name[0] == '\0');
16917 	ASSERT(IAM_WRITER_ILL(ill));
16918 	ASSERT((mi_strlen(interf_name) + 1) <= LIFNAMSIZ);
16919 	ASSERT(ill->ill_ppa == UINT_MAX);
16920 
16921 	ill->ill_defend_start = ill->ill_defend_count = 0;
16922 	/* The ppa is sent down by ifconfig or is chosen */
16923 	if ((ppa_ptr = ill_get_ppa_ptr(interf_name)) == NULL) {
16924 		return (EINVAL);
16925 	}
16926 
16927 	/*
16928 	 * make sure ppa passed in is same as ppa in the name.
16929 	 * This check is not made when ppa == UINT_MAX in that case ppa
16930 	 * in the name could be anything. System will choose a ppa and
16931 	 * update new_ppa_ptr and inter_name to contain the choosen ppa.
16932 	 */
16933 	if (*new_ppa_ptr != UINT_MAX) {
16934 		/* stoi changes the pointer */
16935 		old_ptr = ppa_ptr;
16936 		/*
16937 		 * ifconfig passed in 0 for the ppa for DLPI 1 style devices
16938 		 * (they don't have an externally visible ppa).  We assign one
16939 		 * here so that we can manage the interface.  Note that in
16940 		 * the past this value was always 0 for DLPI 1 drivers.
16941 		 */
16942 		if (*new_ppa_ptr == 0)
16943 			*new_ppa_ptr = stoi(&old_ptr);
16944 		else if (*new_ppa_ptr != (uint_t)stoi(&old_ptr))
16945 			return (EINVAL);
16946 	}
16947 	/*
16948 	 * terminate string before ppa
16949 	 * save char at that location.
16950 	 */
16951 	old_char = ppa_ptr[0];
16952 	ppa_ptr[0] = '\0';
16953 
16954 	ill->ill_ppa = *new_ppa_ptr;
16955 	/*
16956 	 * Finish as much work now as possible before calling ill_glist_insert
16957 	 * which makes the ill globally visible and also merges it with the
16958 	 * other protocol instance of this phyint. The remaining work is
16959 	 * done after entering the ipsq which may happen sometime later.
16960 	 */
16961 	ipif = ill->ill_ipif;
16962 
16963 	/* We didn't do this when we allocated ipif in ip_ll_subnet_defaults */
16964 	ipif_assign_seqid(ipif);
16965 
16966 	if (!(ill->ill_flags & (ILLF_IPV4|ILLF_IPV6)))
16967 		ill->ill_flags |= ILLF_IPV4;
16968 
16969 	ASSERT(ipif->ipif_next == NULL);	/* Only one ipif on ill */
16970 	ASSERT((ipif->ipif_flags & IPIF_UP) == 0);
16971 
16972 	if (ill->ill_flags & ILLF_IPV6) {
16973 
16974 		ill->ill_isv6 = B_TRUE;
16975 		ill_set_inputfn(ill);
16976 		if (ill->ill_rq != NULL) {
16977 			ill->ill_rq->q_qinfo = &iprinitv6;
16978 		}
16979 
16980 		/* Keep the !IN6_IS_ADDR_V4MAPPED assertions happy */
16981 		ipif->ipif_v6lcl_addr = ipv6_all_zeros;
16982 		ipif->ipif_v6subnet = ipv6_all_zeros;
16983 		ipif->ipif_v6net_mask = ipv6_all_zeros;
16984 		ipif->ipif_v6brd_addr = ipv6_all_zeros;
16985 		ipif->ipif_v6pp_dst_addr = ipv6_all_zeros;
16986 		ill->ill_reachable_retrans_time = ND_RETRANS_TIMER;
16987 		/*
16988 		 * point-to-point or Non-mulicast capable
16989 		 * interfaces won't do NUD unless explicitly
16990 		 * configured to do so.
16991 		 */
16992 		if (ipif->ipif_flags & IPIF_POINTOPOINT ||
16993 		    !(ill->ill_flags & ILLF_MULTICAST)) {
16994 			ill->ill_flags |= ILLF_NONUD;
16995 		}
16996 		/* Make sure IPv4 specific flag is not set on IPv6 if */
16997 		if (ill->ill_flags & ILLF_NOARP) {
16998 			/*
16999 			 * Note: xresolv interfaces will eventually need
17000 			 * NOARP set here as well, but that will require
17001 			 * those external resolvers to have some
17002 			 * knowledge of that flag and act appropriately.
17003 			 * Not to be changed at present.
17004 			 */
17005 			ill->ill_flags &= ~ILLF_NOARP;
17006 		}
17007 		/*
17008 		 * Set the ILLF_ROUTER flag according to the global
17009 		 * IPv6 forwarding policy.
17010 		 */
17011 		if (ipst->ips_ipv6_forwarding != 0)
17012 			ill->ill_flags |= ILLF_ROUTER;
17013 	} else if (ill->ill_flags & ILLF_IPV4) {
17014 		ill->ill_isv6 = B_FALSE;
17015 		ill_set_inputfn(ill);
17016 		ill->ill_reachable_retrans_time = ARP_RETRANS_TIMER;
17017 		IN6_IPADDR_TO_V4MAPPED(INADDR_ANY, &ipif->ipif_v6lcl_addr);
17018 		IN6_IPADDR_TO_V4MAPPED(INADDR_ANY, &ipif->ipif_v6subnet);
17019 		IN6_IPADDR_TO_V4MAPPED(INADDR_ANY, &ipif->ipif_v6net_mask);
17020 		IN6_IPADDR_TO_V4MAPPED(INADDR_ANY, &ipif->ipif_v6brd_addr);
17021 		IN6_IPADDR_TO_V4MAPPED(INADDR_ANY, &ipif->ipif_v6pp_dst_addr);
17022 		/*
17023 		 * Set the ILLF_ROUTER flag according to the global
17024 		 * IPv4 forwarding policy.
17025 		 */
17026 		if (ipst->ips_ip_forwarding != 0)
17027 			ill->ill_flags |= ILLF_ROUTER;
17028 	}
17029 
17030 	ASSERT(ill->ill_phyint != NULL);
17031 
17032 	/*
17033 	 * The ipIfStatsIfindex and ipv6IfIcmpIfIndex assignments will
17034 	 * be completed in ill_glist_insert -> ill_phyint_reinit
17035 	 */
17036 	if (!ill_allocate_mibs(ill))
17037 		return (ENOMEM);
17038 
17039 	/*
17040 	 * Pick a default sap until we get the DL_INFO_ACK back from
17041 	 * the driver.
17042 	 */
17043 	ill->ill_sap = (ill->ill_isv6) ? ill->ill_media->ip_m_ipv6sap :
17044 	    ill->ill_media->ip_m_ipv4sap;
17045 
17046 	ill->ill_ifname_pending = 1;
17047 	ill->ill_ifname_pending_err = 0;
17048 
17049 	/*
17050 	 * When the first ipif comes up in ipif_up_done(), multicast groups
17051 	 * that were joined while this ill was not bound to the DLPI link need
17052 	 * to be recovered by ill_recover_multicast().
17053 	 */
17054 	ill->ill_need_recover_multicast = 1;
17055 
17056 	ill_refhold(ill);
17057 	rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
17058 	if ((error = ill_glist_insert(ill, interf_name,
17059 	    (ill->ill_flags & ILLF_IPV6) == ILLF_IPV6)) > 0) {
17060 		ill->ill_ppa = UINT_MAX;
17061 		ill->ill_name[0] = '\0';
17062 		/*
17063 		 * undo null termination done above.
17064 		 */
17065 		ppa_ptr[0] = old_char;
17066 		rw_exit(&ipst->ips_ill_g_lock);
17067 		ill_refrele(ill);
17068 		return (error);
17069 	}
17070 
17071 	ASSERT(ill->ill_name_length <= LIFNAMSIZ);
17072 
17073 	/*
17074 	 * When we return the buffer pointed to by interf_name should contain
17075 	 * the same name as in ill_name.
17076 	 * If a ppa was choosen by the system (ppa passed in was UINT_MAX)
17077 	 * the buffer pointed to by new_ppa_ptr would not contain the right ppa
17078 	 * so copy full name and update the ppa ptr.
17079 	 * When ppa passed in != UINT_MAX all values are correct just undo
17080 	 * null termination, this saves a bcopy.
17081 	 */
17082 	if (*new_ppa_ptr == UINT_MAX) {
17083 		bcopy(ill->ill_name, interf_name, ill->ill_name_length);
17084 		*new_ppa_ptr = ill->ill_ppa;
17085 	} else {
17086 		/*
17087 		 * undo null termination done above.
17088 		 */
17089 		ppa_ptr[0] = old_char;
17090 	}
17091 
17092 	/* Let SCTP know about this ILL */
17093 	sctp_update_ill(ill, SCTP_ILL_INSERT);
17094 
17095 	/*
17096 	 * ill_glist_insert has made the ill visible globally, and
17097 	 * ill_phyint_reinit could have changed the ipsq. At this point,
17098 	 * we need to hold the ips_ill_g_lock across the call to enter the
17099 	 * ipsq to enforce atomicity and prevent reordering. In the event
17100 	 * the ipsq has changed, and if the new ipsq is currently busy,
17101 	 * we need to make sure that this half-completed ioctl is ahead of
17102 	 * any subsequent ioctl. We achieve this by not dropping the
17103 	 * ips_ill_g_lock which prevents any ill lookup itself thereby
17104 	 * ensuring that new ioctls can't start.
17105 	 */
17106 	ipsq = ipsq_try_enter_internal(ill, q, mp, ip_reprocess_ioctl, NEW_OP,
17107 	    B_TRUE);
17108 
17109 	rw_exit(&ipst->ips_ill_g_lock);
17110 	ill_refrele(ill);
17111 	if (ipsq == NULL)
17112 		return (EINPROGRESS);
17113 
17114 	/*
17115 	 * If ill_phyint_reinit() changed our ipsq, then start on the new ipsq.
17116 	 */
17117 	if (ipsq->ipsq_xop->ipx_current_ipif == NULL)
17118 		ipsq_current_start(ipsq, ipif, SIOCSLIFNAME);
17119 	else
17120 		ASSERT(ipsq->ipsq_xop->ipx_current_ipif == ipif);
17121 
17122 	error = ipif_set_values_tail(ill, ipif, mp, q);
17123 	ipsq_exit(ipsq);
17124 	if (error != 0 && error != EINPROGRESS) {
17125 		/*
17126 		 * restore previous values
17127 		 */
17128 		ill->ill_isv6 = B_FALSE;
17129 		ill_set_inputfn(ill);
17130 	}
17131 	return (error);
17132 }
17133 
17134 void
17135 ipif_init(ip_stack_t *ipst)
17136 {
17137 	int i;
17138 
17139 	for (i = 0; i < MAX_G_HEADS; i++) {
17140 		ipst->ips_ill_g_heads[i].ill_g_list_head =
17141 		    (ill_if_t *)&ipst->ips_ill_g_heads[i];
17142 		ipst->ips_ill_g_heads[i].ill_g_list_tail =
17143 		    (ill_if_t *)&ipst->ips_ill_g_heads[i];
17144 	}
17145 
17146 	avl_create(&ipst->ips_phyint_g_list->phyint_list_avl_by_index,
17147 	    ill_phyint_compare_index,
17148 	    sizeof (phyint_t),
17149 	    offsetof(struct phyint, phyint_avl_by_index));
17150 	avl_create(&ipst->ips_phyint_g_list->phyint_list_avl_by_name,
17151 	    ill_phyint_compare_name,
17152 	    sizeof (phyint_t),
17153 	    offsetof(struct phyint, phyint_avl_by_name));
17154 }
17155 
17156 /*
17157  * Save enough information so that we can recreate the IRE if
17158  * the interface goes down and then up.
17159  */
17160 void
17161 ill_save_ire(ill_t *ill, ire_t *ire)
17162 {
17163 	mblk_t	*save_mp;
17164 
17165 	save_mp = allocb(sizeof (ifrt_t), BPRI_MED);
17166 	if (save_mp != NULL) {
17167 		ifrt_t	*ifrt;
17168 
17169 		save_mp->b_wptr += sizeof (ifrt_t);
17170 		ifrt = (ifrt_t *)save_mp->b_rptr;
17171 		bzero(ifrt, sizeof (ifrt_t));
17172 		ifrt->ifrt_type = ire->ire_type;
17173 		if (ire->ire_ipversion == IPV4_VERSION) {
17174 			ASSERT(!ill->ill_isv6);
17175 			ifrt->ifrt_addr = ire->ire_addr;
17176 			ifrt->ifrt_gateway_addr = ire->ire_gateway_addr;
17177 			ifrt->ifrt_setsrc_addr = ire->ire_setsrc_addr;
17178 			ifrt->ifrt_mask = ire->ire_mask;
17179 		} else {
17180 			ASSERT(ill->ill_isv6);
17181 			ifrt->ifrt_v6addr = ire->ire_addr_v6;
17182 			/* ire_gateway_addr_v6 can change due to RTM_CHANGE */
17183 			mutex_enter(&ire->ire_lock);
17184 			ifrt->ifrt_v6gateway_addr = ire->ire_gateway_addr_v6;
17185 			mutex_exit(&ire->ire_lock);
17186 			ifrt->ifrt_v6setsrc_addr = ire->ire_setsrc_addr_v6;
17187 			ifrt->ifrt_v6mask = ire->ire_mask_v6;
17188 		}
17189 		ifrt->ifrt_flags = ire->ire_flags;
17190 		ifrt->ifrt_zoneid = ire->ire_zoneid;
17191 		mutex_enter(&ill->ill_saved_ire_lock);
17192 		save_mp->b_cont = ill->ill_saved_ire_mp;
17193 		ill->ill_saved_ire_mp = save_mp;
17194 		ill->ill_saved_ire_cnt++;
17195 		mutex_exit(&ill->ill_saved_ire_lock);
17196 	}
17197 }
17198 
17199 /*
17200  * Remove one entry from ill_saved_ire_mp.
17201  */
17202 void
17203 ill_remove_saved_ire(ill_t *ill, ire_t *ire)
17204 {
17205 	mblk_t	**mpp;
17206 	mblk_t	*mp;
17207 	ifrt_t	*ifrt;
17208 
17209 	/* Remove from ill_saved_ire_mp list if it is there */
17210 	mutex_enter(&ill->ill_saved_ire_lock);
17211 	for (mpp = &ill->ill_saved_ire_mp; *mpp != NULL;
17212 	    mpp = &(*mpp)->b_cont) {
17213 		in6_addr_t	gw_addr_v6;
17214 
17215 		/*
17216 		 * On a given ill, the tuple of address, gateway, mask,
17217 		 * ire_type, and zoneid is unique for each saved IRE.
17218 		 */
17219 		mp = *mpp;
17220 		ifrt = (ifrt_t *)mp->b_rptr;
17221 		/* ire_gateway_addr_v6 can change - need lock */
17222 		mutex_enter(&ire->ire_lock);
17223 		gw_addr_v6 = ire->ire_gateway_addr_v6;
17224 		mutex_exit(&ire->ire_lock);
17225 
17226 		if (ifrt->ifrt_zoneid != ire->ire_zoneid ||
17227 		    ifrt->ifrt_type != ire->ire_type)
17228 			continue;
17229 
17230 		if (ill->ill_isv6 ?
17231 		    (IN6_ARE_ADDR_EQUAL(&ifrt->ifrt_v6addr,
17232 		    &ire->ire_addr_v6) &&
17233 		    IN6_ARE_ADDR_EQUAL(&ifrt->ifrt_v6gateway_addr,
17234 		    &gw_addr_v6) &&
17235 		    IN6_ARE_ADDR_EQUAL(&ifrt->ifrt_v6mask,
17236 		    &ire->ire_mask_v6)) :
17237 		    (ifrt->ifrt_addr == ire->ire_addr &&
17238 		    ifrt->ifrt_gateway_addr == ire->ire_gateway_addr &&
17239 		    ifrt->ifrt_mask == ire->ire_mask)) {
17240 			*mpp = mp->b_cont;
17241 			ill->ill_saved_ire_cnt--;
17242 			freeb(mp);
17243 			break;
17244 		}
17245 	}
17246 	mutex_exit(&ill->ill_saved_ire_lock);
17247 }
17248 
17249 /*
17250  * IP multirouting broadcast routes handling
17251  * Append CGTP broadcast IREs to regular ones created
17252  * at ifconfig time.
17253  * The usage is a route add <cgtp_bc> <nic_bc> -multirt i.e., both
17254  * the destination and the gateway are broadcast addresses.
17255  * The caller has verified that the destination is an IRE_BROADCAST and that
17256  * RTF_MULTIRT was set. Here if the gateway is a broadcast address, then
17257  * we create a MULTIRT IRE_BROADCAST.
17258  * Note that the IRE_HOST created by ire_rt_add doesn't get found by anything
17259  * since the IRE_BROADCAST takes precedence; ire_add_v4 does head insertion.
17260  */
17261 static void
17262 ip_cgtp_bcast_add(ire_t *ire, ip_stack_t *ipst)
17263 {
17264 	ire_t *ire_prim;
17265 
17266 	ASSERT(ire != NULL);
17267 
17268 	ire_prim = ire_ftable_lookup_v4(ire->ire_gateway_addr, 0, 0,
17269 	    IRE_BROADCAST, NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE, 0, ipst,
17270 	    NULL);
17271 	if (ire_prim != NULL) {
17272 		/*
17273 		 * We are in the special case of broadcasts for
17274 		 * CGTP. We add an IRE_BROADCAST that holds
17275 		 * the RTF_MULTIRT flag, the destination
17276 		 * address and the low level
17277 		 * info of ire_prim. In other words, CGTP
17278 		 * broadcast is added to the redundant ipif.
17279 		 */
17280 		ill_t *ill_prim;
17281 		ire_t  *bcast_ire;
17282 
17283 		ill_prim = ire_prim->ire_ill;
17284 
17285 		ip2dbg(("ip_cgtp_filter_bcast_add: ire_prim %p, ill_prim %p\n",
17286 		    (void *)ire_prim, (void *)ill_prim));
17287 
17288 		bcast_ire = ire_create(
17289 		    (uchar_t *)&ire->ire_addr,
17290 		    (uchar_t *)&ip_g_all_ones,
17291 		    (uchar_t *)&ire->ire_gateway_addr,
17292 		    IRE_BROADCAST,
17293 		    ill_prim,
17294 		    GLOBAL_ZONEID,	/* CGTP is only for the global zone */
17295 		    ire->ire_flags | RTF_KERNEL,
17296 		    NULL,
17297 		    ipst);
17298 
17299 		/*
17300 		 * Here we assume that ire_add does head insertion so that
17301 		 * the added IRE_BROADCAST comes before the existing IRE_HOST.
17302 		 */
17303 		if (bcast_ire != NULL) {
17304 			if (ire->ire_flags & RTF_SETSRC) {
17305 				bcast_ire->ire_setsrc_addr =
17306 				    ire->ire_setsrc_addr;
17307 			}
17308 			bcast_ire = ire_add(bcast_ire);
17309 			if (bcast_ire != NULL) {
17310 				ip2dbg(("ip_cgtp_filter_bcast_add: "
17311 				    "added bcast_ire %p\n",
17312 				    (void *)bcast_ire));
17313 
17314 				ill_save_ire(ill_prim, bcast_ire);
17315 				ire_refrele(bcast_ire);
17316 			}
17317 		}
17318 		ire_refrele(ire_prim);
17319 	}
17320 }
17321 
17322 /*
17323  * IP multirouting broadcast routes handling
17324  * Remove the broadcast ire.
17325  * The usage is a route delete <cgtp_bc> <nic_bc> -multirt i.e., both
17326  * the destination and the gateway are broadcast addresses.
17327  * The caller has only verified that RTF_MULTIRT was set. We check
17328  * that the destination is broadcast and that the gateway is a broadcast
17329  * address, and if so delete the IRE added by ip_cgtp_bcast_add().
17330  */
17331 static void
17332 ip_cgtp_bcast_delete(ire_t *ire, ip_stack_t *ipst)
17333 {
17334 	ASSERT(ire != NULL);
17335 
17336 	if (ip_type_v4(ire->ire_addr, ipst) == IRE_BROADCAST) {
17337 		ire_t *ire_prim;
17338 
17339 		ire_prim = ire_ftable_lookup_v4(ire->ire_gateway_addr, 0, 0,
17340 		    IRE_BROADCAST, NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE, 0,
17341 		    ipst, NULL);
17342 		if (ire_prim != NULL) {
17343 			ill_t *ill_prim;
17344 			ire_t  *bcast_ire;
17345 
17346 			ill_prim = ire_prim->ire_ill;
17347 
17348 			ip2dbg(("ip_cgtp_filter_bcast_delete: "
17349 			    "ire_prim %p, ill_prim %p\n",
17350 			    (void *)ire_prim, (void *)ill_prim));
17351 
17352 			bcast_ire = ire_ftable_lookup_v4(ire->ire_addr, 0,
17353 			    ire->ire_gateway_addr, IRE_BROADCAST,
17354 			    ill_prim, ALL_ZONES, NULL,
17355 			    MATCH_IRE_TYPE | MATCH_IRE_GW | MATCH_IRE_ILL |
17356 			    MATCH_IRE_MASK, 0, ipst, NULL);
17357 
17358 			if (bcast_ire != NULL) {
17359 				ip2dbg(("ip_cgtp_filter_bcast_delete: "
17360 				    "looked up bcast_ire %p\n",
17361 				    (void *)bcast_ire));
17362 				ill_remove_saved_ire(bcast_ire->ire_ill,
17363 				    bcast_ire);
17364 				ire_delete(bcast_ire);
17365 				ire_refrele(bcast_ire);
17366 			}
17367 			ire_refrele(ire_prim);
17368 		}
17369 	}
17370 }
17371 
17372 /*
17373  * Derive an interface id from the link layer address.
17374  * Knows about IEEE 802 and IEEE EUI-64 mappings.
17375  */
17376 static void
17377 ip_ether_v6intfid(ill_t *ill, in6_addr_t *v6addr)
17378 {
17379 	char		*addr;
17380 
17381 	/*
17382 	 * Note that some IPv6 interfaces get plumbed over links that claim to
17383 	 * be DL_ETHER, but don't actually have Ethernet MAC addresses (e.g.
17384 	 * PPP links).  The ETHERADDRL check here ensures that we only set the
17385 	 * interface ID on IPv6 interfaces above links that actually have real
17386 	 * Ethernet addresses.
17387 	 */
17388 	if (ill->ill_phys_addr_length == ETHERADDRL) {
17389 		/* Form EUI-64 like address */
17390 		addr = (char *)&v6addr->s6_addr32[2];
17391 		bcopy(ill->ill_phys_addr, addr, 3);
17392 		addr[0] ^= 0x2;		/* Toggle Universal/Local bit */
17393 		addr[3] = (char)0xff;
17394 		addr[4] = (char)0xfe;
17395 		bcopy(ill->ill_phys_addr + 3, addr + 5, 3);
17396 	}
17397 }
17398 
17399 /* ARGSUSED */
17400 static void
17401 ip_nodef_v6intfid(ill_t *ill, in6_addr_t *v6addr)
17402 {
17403 }
17404 
17405 typedef struct ipmp_ifcookie {
17406 	uint32_t	ic_hostid;
17407 	char		ic_ifname[LIFNAMSIZ];
17408 	char		ic_zonename[ZONENAME_MAX];
17409 } ipmp_ifcookie_t;
17410 
17411 /*
17412  * Construct a pseudo-random interface ID for the IPMP interface that's both
17413  * predictable and (almost) guaranteed to be unique.
17414  */
17415 static void
17416 ip_ipmp_v6intfid(ill_t *ill, in6_addr_t *v6addr)
17417 {
17418 	zone_t		*zp;
17419 	uint8_t		*addr;
17420 	uchar_t		hash[16];
17421 	ulong_t 	hostid;
17422 	MD5_CTX		ctx;
17423 	ipmp_ifcookie_t	ic = { 0 };
17424 
17425 	ASSERT(IS_IPMP(ill));
17426 
17427 	(void) ddi_strtoul(hw_serial, NULL, 10, &hostid);
17428 	ic.ic_hostid = htonl((uint32_t)hostid);
17429 
17430 	(void) strlcpy(ic.ic_ifname, ill->ill_name, LIFNAMSIZ);
17431 
17432 	if ((zp = zone_find_by_id(ill->ill_zoneid)) != NULL) {
17433 		(void) strlcpy(ic.ic_zonename, zp->zone_name, ZONENAME_MAX);
17434 		zone_rele(zp);
17435 	}
17436 
17437 	MD5Init(&ctx);
17438 	MD5Update(&ctx, &ic, sizeof (ic));
17439 	MD5Final(hash, &ctx);
17440 
17441 	/*
17442 	 * Map the hash to an interface ID per the basic approach in RFC3041.
17443 	 */
17444 	addr = &v6addr->s6_addr8[8];
17445 	bcopy(hash + 8, addr, sizeof (uint64_t));
17446 	addr[0] &= ~0x2;				/* set local bit */
17447 }
17448 
17449 /*
17450  * Map the multicast in6_addr_t in m_ip6addr to the physaddr for ethernet.
17451  */
17452 static void
17453 ip_ether_v6_mapping(ill_t *ill, uchar_t *m_ip6addr, uchar_t *m_physaddr)
17454 {
17455 	phyint_t *phyi = ill->ill_phyint;
17456 
17457 	/*
17458 	 * Check PHYI_MULTI_BCAST and length of physical
17459 	 * address to determine if we use the mapping or the
17460 	 * broadcast address.
17461 	 */
17462 	if ((phyi->phyint_flags & PHYI_MULTI_BCAST) != 0 ||
17463 	    ill->ill_phys_addr_length != ETHERADDRL) {
17464 		ip_mbcast_mapping(ill, m_ip6addr, m_physaddr);
17465 		return;
17466 	}
17467 	m_physaddr[0] = 0x33;
17468 	m_physaddr[1] = 0x33;
17469 	m_physaddr[2] = m_ip6addr[12];
17470 	m_physaddr[3] = m_ip6addr[13];
17471 	m_physaddr[4] = m_ip6addr[14];
17472 	m_physaddr[5] = m_ip6addr[15];
17473 }
17474 
17475 /*
17476  * Map the multicast ipaddr_t in m_ipaddr to the physaddr for ethernet.
17477  */
17478 static void
17479 ip_ether_v4_mapping(ill_t *ill, uchar_t *m_ipaddr, uchar_t *m_physaddr)
17480 {
17481 	phyint_t *phyi = ill->ill_phyint;
17482 
17483 	/*
17484 	 * Check PHYI_MULTI_BCAST and length of physical
17485 	 * address to determine if we use the mapping or the
17486 	 * broadcast address.
17487 	 */
17488 	if ((phyi->phyint_flags & PHYI_MULTI_BCAST) != 0 ||
17489 	    ill->ill_phys_addr_length != ETHERADDRL) {
17490 		ip_mbcast_mapping(ill, m_ipaddr, m_physaddr);
17491 		return;
17492 	}
17493 	m_physaddr[0] = 0x01;
17494 	m_physaddr[1] = 0x00;
17495 	m_physaddr[2] = 0x5e;
17496 	m_physaddr[3] = m_ipaddr[1] & 0x7f;
17497 	m_physaddr[4] = m_ipaddr[2];
17498 	m_physaddr[5] = m_ipaddr[3];
17499 }
17500 
17501 /* ARGSUSED */
17502 static void
17503 ip_mbcast_mapping(ill_t *ill, uchar_t *m_ipaddr, uchar_t *m_physaddr)
17504 {
17505 	/*
17506 	 * for the MULTI_BCAST case and other cases when we want to
17507 	 * use the link-layer broadcast address for multicast.
17508 	 */
17509 	uint8_t	*bphys_addr;
17510 	dl_unitdata_req_t *dlur;
17511 
17512 	dlur = (dl_unitdata_req_t *)ill->ill_bcast_mp->b_rptr;
17513 	if (ill->ill_sap_length < 0) {
17514 		bphys_addr = (uchar_t *)dlur +
17515 		    dlur->dl_dest_addr_offset;
17516 	} else  {
17517 		bphys_addr = (uchar_t *)dlur +
17518 		    dlur->dl_dest_addr_offset + ill->ill_sap_length;
17519 	}
17520 
17521 	bcopy(bphys_addr, m_physaddr, ill->ill_phys_addr_length);
17522 }
17523 
17524 /*
17525  * Derive IPoIB interface id from the link layer address.
17526  */
17527 static void
17528 ip_ib_v6intfid(ill_t *ill, in6_addr_t *v6addr)
17529 {
17530 	char		*addr;
17531 
17532 	ASSERT(ill->ill_phys_addr_length == 20);
17533 	addr = (char *)&v6addr->s6_addr32[2];
17534 	bcopy(ill->ill_phys_addr + 12, addr, 8);
17535 	/*
17536 	 * In IBA 1.1 timeframe, some vendors erroneously set the u/l bit
17537 	 * in the globally assigned EUI-64 GUID to 1, in violation of IEEE
17538 	 * rules. In these cases, the IBA considers these GUIDs to be in
17539 	 * "Modified EUI-64" format, and thus toggling the u/l bit is not
17540 	 * required; vendors are required not to assign global EUI-64's
17541 	 * that differ only in u/l bit values, thus guaranteeing uniqueness
17542 	 * of the interface identifier. Whether the GUID is in modified
17543 	 * or proper EUI-64 format, the ipv6 identifier must have the u/l
17544 	 * bit set to 1.
17545 	 */
17546 	addr[0] |= 2;			/* Set Universal/Local bit to 1 */
17547 }
17548 
17549 /*
17550  * Map the multicast ipaddr_t in m_ipaddr to the physaddr for InfiniBand.
17551  * Note on mapping from multicast IP addresses to IPoIB multicast link
17552  * addresses. IPoIB multicast link addresses are based on IBA link addresses.
17553  * The format of an IPoIB multicast address is:
17554  *
17555  *  4 byte QPN      Scope Sign.  Pkey
17556  * +--------------------------------------------+
17557  * | 00FFFFFF | FF | 1X | X01B | Pkey | GroupID |
17558  * +--------------------------------------------+
17559  *
17560  * The Scope and Pkey components are properties of the IBA port and
17561  * network interface. They can be ascertained from the broadcast address.
17562  * The Sign. part is the signature, and is 401B for IPv4 and 601B for IPv6.
17563  */
17564 static void
17565 ip_ib_v4_mapping(ill_t *ill, uchar_t *m_ipaddr, uchar_t *m_physaddr)
17566 {
17567 	static uint8_t ipv4_g_phys_ibmulti_addr[] = { 0x00, 0xff, 0xff, 0xff,
17568 	    0xff, 0x10, 0x40, 0x1b, 0x00, 0x00, 0x00, 0x00,
17569 	    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
17570 	uint8_t	*bphys_addr;
17571 	dl_unitdata_req_t *dlur;
17572 
17573 	bcopy(ipv4_g_phys_ibmulti_addr, m_physaddr, ill->ill_phys_addr_length);
17574 
17575 	/*
17576 	 * RFC 4391: IPv4 MGID is 28-bit long.
17577 	 */
17578 	m_physaddr[16] = m_ipaddr[0] & 0x0f;
17579 	m_physaddr[17] = m_ipaddr[1];
17580 	m_physaddr[18] = m_ipaddr[2];
17581 	m_physaddr[19] = m_ipaddr[3];
17582 
17583 
17584 	dlur = (dl_unitdata_req_t *)ill->ill_bcast_mp->b_rptr;
17585 	if (ill->ill_sap_length < 0) {
17586 		bphys_addr = (uchar_t *)dlur + dlur->dl_dest_addr_offset;
17587 	} else  {
17588 		bphys_addr = (uchar_t *)dlur + dlur->dl_dest_addr_offset +
17589 		    ill->ill_sap_length;
17590 	}
17591 	/*
17592 	 * Now fill in the IBA scope/Pkey values from the broadcast address.
17593 	 */
17594 	m_physaddr[5] = bphys_addr[5];
17595 	m_physaddr[8] = bphys_addr[8];
17596 	m_physaddr[9] = bphys_addr[9];
17597 }
17598 
17599 static void
17600 ip_ib_v6_mapping(ill_t *ill, uchar_t *m_ipaddr, uchar_t *m_physaddr)
17601 {
17602 	static uint8_t ipv4_g_phys_ibmulti_addr[] = { 0x00, 0xff, 0xff, 0xff,
17603 	    0xff, 0x10, 0x60, 0x1b, 0x00, 0x00, 0x00, 0x00,
17604 	    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
17605 	uint8_t	*bphys_addr;
17606 	dl_unitdata_req_t *dlur;
17607 
17608 	bcopy(ipv4_g_phys_ibmulti_addr, m_physaddr, ill->ill_phys_addr_length);
17609 
17610 	/*
17611 	 * RFC 4391: IPv4 MGID is 80-bit long.
17612 	 */
17613 	bcopy(&m_ipaddr[6], &m_physaddr[10], 10);
17614 
17615 	dlur = (dl_unitdata_req_t *)ill->ill_bcast_mp->b_rptr;
17616 	if (ill->ill_sap_length < 0) {
17617 		bphys_addr = (uchar_t *)dlur + dlur->dl_dest_addr_offset;
17618 	} else  {
17619 		bphys_addr = (uchar_t *)dlur + dlur->dl_dest_addr_offset +
17620 		    ill->ill_sap_length;
17621 	}
17622 	/*
17623 	 * Now fill in the IBA scope/Pkey values from the broadcast address.
17624 	 */
17625 	m_physaddr[5] = bphys_addr[5];
17626 	m_physaddr[8] = bphys_addr[8];
17627 	m_physaddr[9] = bphys_addr[9];
17628 }
17629 
17630 /*
17631  * Derive IPv6 interface id from an IPv4 link-layer address (e.g. from an IPv4
17632  * tunnel).  The IPv4 address simply get placed in the lower 4 bytes of the
17633  * IPv6 interface id.  This is a suggested mechanism described in section 3.7
17634  * of RFC4213.
17635  */
17636 static void
17637 ip_ipv4_genv6intfid(ill_t *ill, uint8_t *physaddr, in6_addr_t *v6addr)
17638 {
17639 	ASSERT(ill->ill_phys_addr_length == sizeof (ipaddr_t));
17640 	v6addr->s6_addr32[2] = 0;
17641 	bcopy(physaddr, &v6addr->s6_addr32[3], sizeof (ipaddr_t));
17642 }
17643 
17644 /*
17645  * Derive IPv6 interface id from an IPv6 link-layer address (e.g. from an IPv6
17646  * tunnel).  The lower 8 bytes of the IPv6 address simply become the interface
17647  * id.
17648  */
17649 static void
17650 ip_ipv6_genv6intfid(ill_t *ill, uint8_t *physaddr, in6_addr_t *v6addr)
17651 {
17652 	in6_addr_t *v6lladdr = (in6_addr_t *)physaddr;
17653 
17654 	ASSERT(ill->ill_phys_addr_length == sizeof (in6_addr_t));
17655 	bcopy(&v6lladdr->s6_addr32[2], &v6addr->s6_addr32[2], 8);
17656 }
17657 
17658 static void
17659 ip_ipv6_v6intfid(ill_t *ill, in6_addr_t *v6addr)
17660 {
17661 	ip_ipv6_genv6intfid(ill, ill->ill_phys_addr, v6addr);
17662 }
17663 
17664 static void
17665 ip_ipv6_v6destintfid(ill_t *ill, in6_addr_t *v6addr)
17666 {
17667 	ip_ipv6_genv6intfid(ill, ill->ill_dest_addr, v6addr);
17668 }
17669 
17670 static void
17671 ip_ipv4_v6intfid(ill_t *ill, in6_addr_t *v6addr)
17672 {
17673 	ip_ipv4_genv6intfid(ill, ill->ill_phys_addr, v6addr);
17674 }
17675 
17676 static void
17677 ip_ipv4_v6destintfid(ill_t *ill, in6_addr_t *v6addr)
17678 {
17679 	ip_ipv4_genv6intfid(ill, ill->ill_dest_addr, v6addr);
17680 }
17681 
17682 /*
17683  * Lookup an ill and verify that the zoneid has an ipif on that ill.
17684  * Returns an held ill, or NULL.
17685  */
17686 ill_t *
17687 ill_lookup_on_ifindex_zoneid(uint_t index, zoneid_t zoneid, boolean_t isv6,
17688     ip_stack_t *ipst)
17689 {
17690 	ill_t	*ill;
17691 	ipif_t	*ipif;
17692 
17693 	ill = ill_lookup_on_ifindex(index, isv6, ipst);
17694 	if (ill == NULL)
17695 		return (NULL);
17696 
17697 	mutex_enter(&ill->ill_lock);
17698 	for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
17699 		if (IPIF_IS_CONDEMNED(ipif))
17700 			continue;
17701 		if (zoneid != ALL_ZONES && ipif->ipif_zoneid != zoneid &&
17702 		    ipif->ipif_zoneid != ALL_ZONES)
17703 			continue;
17704 
17705 		mutex_exit(&ill->ill_lock);
17706 		return (ill);
17707 	}
17708 	mutex_exit(&ill->ill_lock);
17709 	ill_refrele(ill);
17710 	return (NULL);
17711 }
17712 
17713 /*
17714  * Return a pointer to an ipif_t given a combination of (ill_idx,ipif_id)
17715  * If a pointer to an ipif_t is returned then the caller will need to do
17716  * an ill_refrele().
17717  */
17718 ipif_t *
17719 ipif_getby_indexes(uint_t ifindex, uint_t lifidx, boolean_t isv6,
17720     ip_stack_t *ipst)
17721 {
17722 	ipif_t *ipif;
17723 	ill_t *ill;
17724 
17725 	ill = ill_lookup_on_ifindex(ifindex, isv6, ipst);
17726 	if (ill == NULL)
17727 		return (NULL);
17728 
17729 	mutex_enter(&ill->ill_lock);
17730 	if (ill->ill_state_flags & ILL_CONDEMNED) {
17731 		mutex_exit(&ill->ill_lock);
17732 		ill_refrele(ill);
17733 		return (NULL);
17734 	}
17735 
17736 	for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
17737 		if (!IPIF_CAN_LOOKUP(ipif))
17738 			continue;
17739 		if (lifidx == ipif->ipif_id) {
17740 			ipif_refhold_locked(ipif);
17741 			break;
17742 		}
17743 	}
17744 
17745 	mutex_exit(&ill->ill_lock);
17746 	ill_refrele(ill);
17747 	return (ipif);
17748 }
17749 
17750 /*
17751  * Set ill_inputfn based on the current know state.
17752  * This needs to be called when any of the factors taken into
17753  * account changes.
17754  */
17755 void
17756 ill_set_inputfn(ill_t *ill)
17757 {
17758 	ip_stack_t	*ipst = ill->ill_ipst;
17759 
17760 	if (ill->ill_isv6) {
17761 		if (is_system_labeled())
17762 			ill->ill_inputfn = ill_input_full_v6;
17763 		else
17764 			ill->ill_inputfn = ill_input_short_v6;
17765 	} else {
17766 		if (is_system_labeled())
17767 			ill->ill_inputfn = ill_input_full_v4;
17768 		else if (ill->ill_dhcpinit != 0)
17769 			ill->ill_inputfn = ill_input_full_v4;
17770 		else if (ipst->ips_ipcl_proto_fanout_v4[IPPROTO_RSVP].connf_head
17771 		    != NULL)
17772 			ill->ill_inputfn = ill_input_full_v4;
17773 		else if (ipst->ips_ip_cgtp_filter &&
17774 		    ipst->ips_ip_cgtp_filter_ops != NULL)
17775 			ill->ill_inputfn = ill_input_full_v4;
17776 		else
17777 			ill->ill_inputfn = ill_input_short_v4;
17778 	}
17779 }
17780 
17781 /*
17782  * Re-evaluate ill_inputfn for all the IPv4 ills.
17783  * Used when RSVP and CGTP comes and goes.
17784  */
17785 void
17786 ill_set_inputfn_all(ip_stack_t *ipst)
17787 {
17788 	ill_walk_context_t	ctx;
17789 	ill_t			*ill;
17790 
17791 	rw_enter(&ipst->ips_ill_g_lock, RW_READER);
17792 	ill = ILL_START_WALK_V4(&ctx, ipst);
17793 	for (; ill != NULL; ill = ill_next(&ctx, ill))
17794 		ill_set_inputfn(ill);
17795 
17796 	rw_exit(&ipst->ips_ill_g_lock);
17797 }
17798 
17799 /*
17800  * Set the physical address information for `ill' to the contents of the
17801  * dl_notify_ind_t pointed to by `mp'.  Must be called as writer, and will be
17802  * asynchronous if `ill' cannot immediately be quiesced -- in which case
17803  * EINPROGRESS will be returned.
17804  */
17805 int
17806 ill_set_phys_addr(ill_t *ill, mblk_t *mp)
17807 {
17808 	ipsq_t *ipsq = ill->ill_phyint->phyint_ipsq;
17809 	dl_notify_ind_t	*dlindp = (dl_notify_ind_t *)mp->b_rptr;
17810 
17811 	ASSERT(IAM_WRITER_IPSQ(ipsq));
17812 
17813 	if (dlindp->dl_data != DL_IPV6_LINK_LAYER_ADDR &&
17814 	    dlindp->dl_data != DL_CURR_DEST_ADDR &&
17815 	    dlindp->dl_data != DL_CURR_PHYS_ADDR) {
17816 		/* Changing DL_IPV6_TOKEN is not yet supported */
17817 		return (0);
17818 	}
17819 
17820 	/*
17821 	 * We need to store up to two copies of `mp' in `ill'.  Due to the
17822 	 * design of ipsq_pending_mp_add(), we can't pass them as separate
17823 	 * arguments to ill_set_phys_addr_tail().  Instead, chain them
17824 	 * together here, then pull 'em apart in ill_set_phys_addr_tail().
17825 	 */
17826 	if ((mp = copyb(mp)) == NULL || (mp->b_cont = copyb(mp)) == NULL) {
17827 		freemsg(mp);
17828 		return (ENOMEM);
17829 	}
17830 
17831 	ipsq_current_start(ipsq, ill->ill_ipif, 0);
17832 
17833 	/*
17834 	 * Since we'll only do a logical down, we can't rely on ipif_down
17835 	 * to turn on ILL_DOWN_IN_PROGRESS, or for the DL_BIND_ACK to reset
17836 	 * ILL_DOWN_IN_PROGRESS. We instead manage this separately for this
17837 	 * case, to quiesce ire's and nce's for ill_is_quiescent.
17838 	 */
17839 	mutex_enter(&ill->ill_lock);
17840 	ill->ill_state_flags |= ILL_DOWN_IN_PROGRESS;
17841 	/* no more ire/nce addition allowed */
17842 	mutex_exit(&ill->ill_lock);
17843 
17844 	/*
17845 	 * If we can quiesce the ill, then set the address.  If not, then
17846 	 * ill_set_phys_addr_tail() will be called from ipif_ill_refrele_tail().
17847 	 */
17848 	ill_down_ipifs(ill, B_TRUE);
17849 	mutex_enter(&ill->ill_lock);
17850 	if (!ill_is_quiescent(ill)) {
17851 		/* call cannot fail since `conn_t *' argument is NULL */
17852 		(void) ipsq_pending_mp_add(NULL, ill->ill_ipif, ill->ill_rq,
17853 		    mp, ILL_DOWN);
17854 		mutex_exit(&ill->ill_lock);
17855 		return (EINPROGRESS);
17856 	}
17857 	mutex_exit(&ill->ill_lock);
17858 
17859 	ill_set_phys_addr_tail(ipsq, ill->ill_rq, mp, NULL);
17860 	return (0);
17861 }
17862 
17863 /*
17864  * When the allowed-ips link property is set on the datalink, IP receives a
17865  * DL_NOTE_ALLOWED_IPS notification that is processed in ill_set_allowed_ips()
17866  * to initialize the ill_allowed_ips[] array in the ill_t. This array is then
17867  * used to vet addresses passed to ip_sioctl_addr() and to ensure that the
17868  * only IP addresses configured on the ill_t are those in the ill_allowed_ips[]
17869  * array.
17870  */
17871 void
17872 ill_set_allowed_ips(ill_t *ill, mblk_t *mp)
17873 {
17874 	ipsq_t *ipsq = ill->ill_phyint->phyint_ipsq;
17875 	dl_notify_ind_t	*dlip = (dl_notify_ind_t *)mp->b_rptr;
17876 	mac_protect_t *mrp;
17877 	int i;
17878 
17879 	ASSERT(IAM_WRITER_IPSQ(ipsq));
17880 	mrp = (mac_protect_t *)&dlip[1];
17881 
17882 	if (mrp->mp_ipaddrcnt == 0) { /* reset allowed-ips */
17883 		kmem_free(ill->ill_allowed_ips,
17884 		    ill->ill_allowed_ips_cnt * sizeof (in6_addr_t));
17885 		ill->ill_allowed_ips_cnt = 0;
17886 		ill->ill_allowed_ips = NULL;
17887 		mutex_enter(&ill->ill_phyint->phyint_lock);
17888 		ill->ill_phyint->phyint_flags &= ~PHYI_L3PROTECT;
17889 		mutex_exit(&ill->ill_phyint->phyint_lock);
17890 		return;
17891 	}
17892 
17893 	if (ill->ill_allowed_ips != NULL) {
17894 		kmem_free(ill->ill_allowed_ips,
17895 		    ill->ill_allowed_ips_cnt * sizeof (in6_addr_t));
17896 	}
17897 	ill->ill_allowed_ips_cnt = mrp->mp_ipaddrcnt;
17898 	ill->ill_allowed_ips = kmem_alloc(
17899 	    ill->ill_allowed_ips_cnt * sizeof (in6_addr_t), KM_SLEEP);
17900 	for (i = 0; i < mrp->mp_ipaddrcnt;  i++)
17901 		ill->ill_allowed_ips[i] = mrp->mp_ipaddrs[i].ip_addr;
17902 
17903 	mutex_enter(&ill->ill_phyint->phyint_lock);
17904 	ill->ill_phyint->phyint_flags |= PHYI_L3PROTECT;
17905 	mutex_exit(&ill->ill_phyint->phyint_lock);
17906 }
17907 
17908 /*
17909  * Once the ill associated with `q' has quiesced, set its physical address
17910  * information to the values in `addrmp'.  Note that two copies of `addrmp'
17911  * are passed (linked by b_cont), since we sometimes need to save two distinct
17912  * copies in the ill_t, and our context doesn't permit sleeping or allocation
17913  * failure (we'll free the other copy if it's not needed).  Since the ill_t
17914  * is quiesced, we know any stale nce's with the old address information have
17915  * already been removed, so we don't need to call nce_flush().
17916  */
17917 /* ARGSUSED */
17918 static void
17919 ill_set_phys_addr_tail(ipsq_t *ipsq, queue_t *q, mblk_t *addrmp, void *dummy)
17920 {
17921 	ill_t		*ill = q->q_ptr;
17922 	mblk_t		*addrmp2 = unlinkb(addrmp);
17923 	dl_notify_ind_t	*dlindp = (dl_notify_ind_t *)addrmp->b_rptr;
17924 	uint_t		addrlen, addroff;
17925 	int		status;
17926 
17927 	ASSERT(IAM_WRITER_IPSQ(ipsq));
17928 
17929 	addroff	= dlindp->dl_addr_offset;
17930 	addrlen = dlindp->dl_addr_length - ABS(ill->ill_sap_length);
17931 
17932 	switch (dlindp->dl_data) {
17933 	case DL_IPV6_LINK_LAYER_ADDR:
17934 		ill_set_ndmp(ill, addrmp, addroff, addrlen);
17935 		freemsg(addrmp2);
17936 		break;
17937 
17938 	case DL_CURR_DEST_ADDR:
17939 		freemsg(ill->ill_dest_addr_mp);
17940 		ill->ill_dest_addr = addrmp->b_rptr + addroff;
17941 		ill->ill_dest_addr_mp = addrmp;
17942 		if (ill->ill_isv6) {
17943 			ill_setdesttoken(ill);
17944 			ipif_setdestlinklocal(ill->ill_ipif);
17945 		}
17946 		freemsg(addrmp2);
17947 		break;
17948 
17949 	case DL_CURR_PHYS_ADDR:
17950 		freemsg(ill->ill_phys_addr_mp);
17951 		ill->ill_phys_addr = addrmp->b_rptr + addroff;
17952 		ill->ill_phys_addr_mp = addrmp;
17953 		ill->ill_phys_addr_length = addrlen;
17954 		if (ill->ill_isv6)
17955 			ill_set_ndmp(ill, addrmp2, addroff, addrlen);
17956 		else
17957 			freemsg(addrmp2);
17958 		if (ill->ill_isv6) {
17959 			ill_setdefaulttoken(ill);
17960 			ipif_setlinklocal(ill->ill_ipif);
17961 		}
17962 		break;
17963 	default:
17964 		ASSERT(0);
17965 	}
17966 
17967 	/*
17968 	 * reset ILL_DOWN_IN_PROGRESS so that we can successfully add ires
17969 	 * as we bring the ipifs up again.
17970 	 */
17971 	mutex_enter(&ill->ill_lock);
17972 	ill->ill_state_flags &= ~ILL_DOWN_IN_PROGRESS;
17973 	mutex_exit(&ill->ill_lock);
17974 	/*
17975 	 * If there are ipifs to bring up, ill_up_ipifs() will return
17976 	 * EINPROGRESS, and ipsq_current_finish() will be called by
17977 	 * ip_rput_dlpi_writer() or arp_bringup_done() when the last ipif is
17978 	 * brought up.
17979 	 */
17980 	status = ill_up_ipifs(ill, q, addrmp);
17981 	if (status != EINPROGRESS)
17982 		ipsq_current_finish(ipsq);
17983 }
17984 
17985 /*
17986  * Helper routine for setting the ill_nd_lla fields.
17987  */
17988 void
17989 ill_set_ndmp(ill_t *ill, mblk_t *ndmp, uint_t addroff, uint_t addrlen)
17990 {
17991 	freemsg(ill->ill_nd_lla_mp);
17992 	ill->ill_nd_lla = ndmp->b_rptr + addroff;
17993 	ill->ill_nd_lla_mp = ndmp;
17994 	ill->ill_nd_lla_len = addrlen;
17995 }
17996 
17997 /*
17998  * Replumb the ill.
17999  */
18000 int
18001 ill_replumb(ill_t *ill, mblk_t *mp)
18002 {
18003 	ipsq_t *ipsq = ill->ill_phyint->phyint_ipsq;
18004 
18005 	ASSERT(IAM_WRITER_IPSQ(ipsq));
18006 
18007 	ipsq_current_start(ipsq, ill->ill_ipif, 0);
18008 
18009 	/*
18010 	 * If we can quiesce the ill, then continue.  If not, then
18011 	 * ill_replumb_tail() will be called from ipif_ill_refrele_tail().
18012 	 */
18013 	ill_down_ipifs(ill, B_FALSE);
18014 
18015 	mutex_enter(&ill->ill_lock);
18016 	if (!ill_is_quiescent(ill)) {
18017 		/* call cannot fail since `conn_t *' argument is NULL */
18018 		(void) ipsq_pending_mp_add(NULL, ill->ill_ipif, ill->ill_rq,
18019 		    mp, ILL_DOWN);
18020 		mutex_exit(&ill->ill_lock);
18021 		return (EINPROGRESS);
18022 	}
18023 	mutex_exit(&ill->ill_lock);
18024 
18025 	ill_replumb_tail(ipsq, ill->ill_rq, mp, NULL);
18026 	return (0);
18027 }
18028 
18029 /* ARGSUSED */
18030 static void
18031 ill_replumb_tail(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy)
18032 {
18033 	ill_t *ill = q->q_ptr;
18034 	int err;
18035 	conn_t *connp = NULL;
18036 
18037 	ASSERT(IAM_WRITER_IPSQ(ipsq));
18038 	freemsg(ill->ill_replumb_mp);
18039 	ill->ill_replumb_mp = copyb(mp);
18040 
18041 	if (ill->ill_replumb_mp == NULL) {
18042 		/* out of memory */
18043 		ipsq_current_finish(ipsq);
18044 		return;
18045 	}
18046 
18047 	mutex_enter(&ill->ill_lock);
18048 	ill->ill_up_ipifs = ipsq_pending_mp_add(NULL, ill->ill_ipif,
18049 	    ill->ill_rq, ill->ill_replumb_mp, 0);
18050 	mutex_exit(&ill->ill_lock);
18051 
18052 	if (!ill->ill_up_ipifs) {
18053 		/* already closing */
18054 		ipsq_current_finish(ipsq);
18055 		return;
18056 	}
18057 	ill->ill_replumbing = 1;
18058 	err = ill_down_ipifs_tail(ill);
18059 
18060 	/*
18061 	 * Successfully quiesced and brought down the interface, now we send
18062 	 * the DL_NOTE_REPLUMB_DONE message down to the driver. Reuse the
18063 	 * DL_NOTE_REPLUMB message.
18064 	 */
18065 	mp = mexchange(NULL, mp, sizeof (dl_notify_conf_t), M_PROTO,
18066 	    DL_NOTIFY_CONF);
18067 	ASSERT(mp != NULL);
18068 	((dl_notify_conf_t *)mp->b_rptr)->dl_notification =
18069 	    DL_NOTE_REPLUMB_DONE;
18070 	ill_dlpi_send(ill, mp);
18071 
18072 	/*
18073 	 * For IPv4, we would usually get EINPROGRESS because the ETHERTYPE_ARP
18074 	 * streams have to be unbound. When all the DLPI exchanges are done,
18075 	 * ipsq_current_finish() will be called by arp_bringup_done(). The
18076 	 * remainder of ipif bringup via ill_up_ipifs() will also be done in
18077 	 * arp_bringup_done().
18078 	 */
18079 	ASSERT(ill->ill_replumb_mp != NULL);
18080 	if (err == EINPROGRESS)
18081 		return;
18082 	else
18083 		ill->ill_replumb_mp = ipsq_pending_mp_get(ipsq, &connp);
18084 	ASSERT(connp == NULL);
18085 	if (err == 0 && ill->ill_replumb_mp != NULL &&
18086 	    ill_up_ipifs(ill, q, ill->ill_replumb_mp) == EINPROGRESS) {
18087 		return;
18088 	}
18089 	ipsq_current_finish(ipsq);
18090 }
18091 
18092 /*
18093  * Issue ioctl `cmd' on `lh'; caller provides the initial payload in `buf'
18094  * which is `bufsize' bytes.  On success, zero is returned and `buf' updated
18095  * as per the ioctl.  On failure, an errno is returned.
18096  */
18097 static int
18098 ip_ioctl(ldi_handle_t lh, int cmd, void *buf, uint_t bufsize, cred_t *cr)
18099 {
18100 	int rval;
18101 	struct strioctl iocb;
18102 
18103 	iocb.ic_cmd = cmd;
18104 	iocb.ic_timout = 15;
18105 	iocb.ic_len = bufsize;
18106 	iocb.ic_dp = buf;
18107 
18108 	return (ldi_ioctl(lh, I_STR, (intptr_t)&iocb, FKIOCTL, cr, &rval));
18109 }
18110 
18111 /*
18112  * Issue an SIOCGLIFCONF for address family `af' and store the result into a
18113  * dynamically-allocated `lifcp' that will be `bufsizep' bytes on success.
18114  */
18115 static int
18116 ip_lifconf_ioctl(ldi_handle_t lh, int af, struct lifconf *lifcp,
18117     uint_t *bufsizep, cred_t *cr)
18118 {
18119 	int err;
18120 	struct lifnum lifn;
18121 
18122 	bzero(&lifn, sizeof (lifn));
18123 	lifn.lifn_family = af;
18124 	lifn.lifn_flags = LIFC_UNDER_IPMP;
18125 
18126 	if ((err = ip_ioctl(lh, SIOCGLIFNUM, &lifn, sizeof (lifn), cr)) != 0)
18127 		return (err);
18128 
18129 	/*
18130 	 * Pad the interface count to account for additional interfaces that
18131 	 * may have been configured between the SIOCGLIFNUM and SIOCGLIFCONF.
18132 	 */
18133 	lifn.lifn_count += 4;
18134 	bzero(lifcp, sizeof (*lifcp));
18135 	lifcp->lifc_flags = LIFC_UNDER_IPMP;
18136 	lifcp->lifc_family = af;
18137 	lifcp->lifc_len = *bufsizep = lifn.lifn_count * sizeof (struct lifreq);
18138 	lifcp->lifc_buf = kmem_zalloc(*bufsizep, KM_SLEEP);
18139 
18140 	err = ip_ioctl(lh, SIOCGLIFCONF, lifcp, sizeof (*lifcp), cr);
18141 	if (err != 0) {
18142 		kmem_free(lifcp->lifc_buf, *bufsizep);
18143 		return (err);
18144 	}
18145 
18146 	return (0);
18147 }
18148 
18149 /*
18150  * Helper for ip_interface_cleanup() that removes the loopback interface.
18151  */
18152 static void
18153 ip_loopback_removeif(ldi_handle_t lh, boolean_t isv6, cred_t *cr)
18154 {
18155 	int err;
18156 	struct lifreq lifr;
18157 
18158 	bzero(&lifr, sizeof (lifr));
18159 	(void) strcpy(lifr.lifr_name, ipif_loopback_name);
18160 
18161 	/*
18162 	 * Attempt to remove the interface.  It may legitimately not exist
18163 	 * (e.g. the zone administrator unplumbed it), so ignore ENXIO.
18164 	 */
18165 	err = ip_ioctl(lh, SIOCLIFREMOVEIF, &lifr, sizeof (lifr), cr);
18166 	if (err != 0 && err != ENXIO) {
18167 		ip0dbg(("ip_loopback_removeif: IP%s SIOCLIFREMOVEIF failed: "
18168 		    "error %d\n", isv6 ? "v6" : "v4", err));
18169 	}
18170 }
18171 
18172 /*
18173  * Helper for ip_interface_cleanup() that ensures no IP interfaces are in IPMP
18174  * groups and that IPMP data addresses are down.  These conditions must be met
18175  * so that IPMP interfaces can be I_PUNLINK'd, as per ip_sioctl_plink_ipmp().
18176  */
18177 static void
18178 ip_ipmp_cleanup(ldi_handle_t lh, boolean_t isv6, cred_t *cr)
18179 {
18180 	int af = isv6 ? AF_INET6 : AF_INET;
18181 	int i, nifs;
18182 	int err;
18183 	uint_t bufsize;
18184 	uint_t lifrsize = sizeof (struct lifreq);
18185 	struct lifconf lifc;
18186 	struct lifreq *lifrp;
18187 
18188 	if ((err = ip_lifconf_ioctl(lh, af, &lifc, &bufsize, cr)) != 0) {
18189 		cmn_err(CE_WARN, "ip_ipmp_cleanup: cannot get interface list "
18190 		    "(error %d); any IPMP interfaces cannot be shutdown", err);
18191 		return;
18192 	}
18193 
18194 	nifs = lifc.lifc_len / lifrsize;
18195 	for (lifrp = lifc.lifc_req, i = 0; i < nifs; i++, lifrp++) {
18196 		err = ip_ioctl(lh, SIOCGLIFFLAGS, lifrp, lifrsize, cr);
18197 		if (err != 0) {
18198 			cmn_err(CE_WARN, "ip_ipmp_cleanup: %s: cannot get "
18199 			    "flags: error %d", lifrp->lifr_name, err);
18200 			continue;
18201 		}
18202 
18203 		if (lifrp->lifr_flags & IFF_IPMP) {
18204 			if ((lifrp->lifr_flags & (IFF_UP|IFF_DUPLICATE)) == 0)
18205 				continue;
18206 
18207 			lifrp->lifr_flags &= ~IFF_UP;
18208 			err = ip_ioctl(lh, SIOCSLIFFLAGS, lifrp, lifrsize, cr);
18209 			if (err != 0) {
18210 				cmn_err(CE_WARN, "ip_ipmp_cleanup: %s: cannot "
18211 				    "bring down (error %d); IPMP interface may "
18212 				    "not be shutdown", lifrp->lifr_name, err);
18213 			}
18214 
18215 			/*
18216 			 * Check if IFF_DUPLICATE is still set -- and if so,
18217 			 * reset the address to clear it.
18218 			 */
18219 			err = ip_ioctl(lh, SIOCGLIFFLAGS, lifrp, lifrsize, cr);
18220 			if (err != 0 || !(lifrp->lifr_flags & IFF_DUPLICATE))
18221 				continue;
18222 
18223 			err = ip_ioctl(lh, SIOCGLIFADDR, lifrp, lifrsize, cr);
18224 			if (err != 0 || (err = ip_ioctl(lh, SIOCGLIFADDR,
18225 			    lifrp, lifrsize, cr)) != 0) {
18226 				cmn_err(CE_WARN, "ip_ipmp_cleanup: %s: cannot "
18227 				    "reset DAD (error %d); IPMP interface may "
18228 				    "not be shutdown", lifrp->lifr_name, err);
18229 			}
18230 			continue;
18231 		}
18232 
18233 		if (strchr(lifrp->lifr_name, IPIF_SEPARATOR_CHAR) == 0) {
18234 			lifrp->lifr_groupname[0] = '\0';
18235 			if ((err = ip_ioctl(lh, SIOCSLIFGROUPNAME, lifrp,
18236 			    lifrsize, cr)) != 0) {
18237 				cmn_err(CE_WARN, "ip_ipmp_cleanup: %s: cannot "
18238 				    "leave IPMP group (error %d); associated "
18239 				    "IPMP interface may not be shutdown",
18240 				    lifrp->lifr_name, err);
18241 				continue;
18242 			}
18243 		}
18244 	}
18245 
18246 	kmem_free(lifc.lifc_buf, bufsize);
18247 }
18248 
18249 #define	UDPDEV		"/devices/pseudo/udp@0:udp"
18250 #define	UDP6DEV		"/devices/pseudo/udp6@0:udp6"
18251 
18252 /*
18253  * Remove the loopback interfaces and prep the IPMP interfaces to be torn down.
18254  * Non-loopback interfaces are either I_LINK'd or I_PLINK'd; the former go away
18255  * when the user-level processes in the zone are killed and the latter are
18256  * cleaned up by str_stack_shutdown().
18257  */
18258 void
18259 ip_interface_cleanup(ip_stack_t *ipst)
18260 {
18261 	ldi_handle_t	lh;
18262 	ldi_ident_t	li;
18263 	cred_t		*cr;
18264 	int		err;
18265 	int		i;
18266 	char		*devs[] = { UDP6DEV, UDPDEV };
18267 	netstackid_t	stackid = ipst->ips_netstack->netstack_stackid;
18268 
18269 	if ((err = ldi_ident_from_major(ddi_name_to_major("ip"), &li)) != 0) {
18270 		cmn_err(CE_WARN, "ip_interface_cleanup: cannot get ldi ident:"
18271 		    " error %d", err);
18272 		return;
18273 	}
18274 
18275 	cr = zone_get_kcred(netstackid_to_zoneid(stackid));
18276 	ASSERT(cr != NULL);
18277 
18278 	/*
18279 	 * NOTE: loop executes exactly twice and is hardcoded to know that the
18280 	 * first iteration is IPv6.  (Unrolling yields repetitious code, hence
18281 	 * the loop.)
18282 	 */
18283 	for (i = 0; i < 2; i++) {
18284 		err = ldi_open_by_name(devs[i], FREAD|FWRITE, cr, &lh, li);
18285 		if (err != 0) {
18286 			cmn_err(CE_WARN, "ip_interface_cleanup: cannot open %s:"
18287 			    " error %d", devs[i], err);
18288 			continue;
18289 		}
18290 
18291 		ip_loopback_removeif(lh, i == 0, cr);
18292 		ip_ipmp_cleanup(lh, i == 0, cr);
18293 
18294 		(void) ldi_close(lh, FREAD|FWRITE, cr);
18295 	}
18296 
18297 	ldi_ident_release(li);
18298 	crfree(cr);
18299 }
18300 
18301 /*
18302  * This needs to be in-sync with nic_event_t definition
18303  */
18304 static const char *
18305 ill_hook_event2str(nic_event_t event)
18306 {
18307 	switch (event) {
18308 	case NE_PLUMB:
18309 		return ("PLUMB");
18310 	case NE_UNPLUMB:
18311 		return ("UNPLUMB");
18312 	case NE_UP:
18313 		return ("UP");
18314 	case NE_DOWN:
18315 		return ("DOWN");
18316 	case NE_ADDRESS_CHANGE:
18317 		return ("ADDRESS_CHANGE");
18318 	case NE_LIF_UP:
18319 		return ("LIF_UP");
18320 	case NE_LIF_DOWN:
18321 		return ("LIF_DOWN");
18322 	case NE_IFINDEX_CHANGE:
18323 		return ("IFINDEX_CHANGE");
18324 	default:
18325 		return ("UNKNOWN");
18326 	}
18327 }
18328 
18329 void
18330 ill_nic_event_dispatch(ill_t *ill, lif_if_t lif, nic_event_t event,
18331     nic_event_data_t data, size_t datalen)
18332 {
18333 	ip_stack_t		*ipst = ill->ill_ipst;
18334 	hook_nic_event_int_t	*info;
18335 	const char		*str = NULL;
18336 
18337 	/* create a new nic event info */
18338 	if ((info = kmem_alloc(sizeof (*info), KM_NOSLEEP)) == NULL)
18339 		goto fail;
18340 
18341 	info->hnei_event.hne_nic = ill->ill_phyint->phyint_ifindex;
18342 	info->hnei_event.hne_lif = lif;
18343 	info->hnei_event.hne_event = event;
18344 	info->hnei_event.hne_protocol = ill->ill_isv6 ?
18345 	    ipst->ips_ipv6_net_data : ipst->ips_ipv4_net_data;
18346 	info->hnei_event.hne_data = NULL;
18347 	info->hnei_event.hne_datalen = 0;
18348 	info->hnei_stackid = ipst->ips_netstack->netstack_stackid;
18349 
18350 	if (data != NULL && datalen != 0) {
18351 		info->hnei_event.hne_data = kmem_alloc(datalen, KM_NOSLEEP);
18352 		if (info->hnei_event.hne_data == NULL)
18353 			goto fail;
18354 		bcopy(data, info->hnei_event.hne_data, datalen);
18355 		info->hnei_event.hne_datalen = datalen;
18356 	}
18357 
18358 	if (ddi_taskq_dispatch(eventq_queue_nic, ip_ne_queue_func, info,
18359 	    DDI_NOSLEEP) == DDI_SUCCESS)
18360 		return;
18361 
18362 fail:
18363 	if (info != NULL) {
18364 		if (info->hnei_event.hne_data != NULL) {
18365 			kmem_free(info->hnei_event.hne_data,
18366 			    info->hnei_event.hne_datalen);
18367 		}
18368 		kmem_free(info, sizeof (hook_nic_event_t));
18369 	}
18370 	str = ill_hook_event2str(event);
18371 	ip2dbg(("ill_nic_event_dispatch: could not dispatch %s nic event "
18372 	    "information for %s (ENOMEM)\n", str, ill->ill_name));
18373 }
18374 
18375 static int
18376 ipif_arp_up_done_tail(ipif_t *ipif, enum ip_resolver_action res_act)
18377 {
18378 	int		err = 0;
18379 	const in_addr_t	*addr = NULL;
18380 	nce_t		*nce = NULL;
18381 	ill_t		*ill = ipif->ipif_ill;
18382 	ill_t		*bound_ill;
18383 	boolean_t	added_ipif = B_FALSE;
18384 	uint16_t	state;
18385 	uint16_t	flags;
18386 
18387 	DTRACE_PROBE3(ipif__downup, char *, "ipif_arp_up_done_tail",
18388 	    ill_t *, ill, ipif_t *, ipif);
18389 	if (ipif->ipif_lcl_addr != INADDR_ANY) {
18390 		addr = &ipif->ipif_lcl_addr;
18391 	}
18392 
18393 	if ((ipif->ipif_flags & IPIF_UNNUMBERED) || addr == NULL) {
18394 		if (res_act != Res_act_initial)
18395 			return (EINVAL);
18396 	}
18397 
18398 	if (addr != NULL) {
18399 		ipmp_illgrp_t	*illg = ill->ill_grp;
18400 
18401 		/* add unicast nce for the local addr */
18402 
18403 		if (IS_IPMP(ill)) {
18404 			/*
18405 			 * If we're here via ipif_up(), then the ipif
18406 			 * won't be bound yet -- add it to the group,
18407 			 * which will bind it if possible. (We would
18408 			 * add it in ipif_up(), but deleting on failure
18409 			 * there is gruesome.)  If we're here via
18410 			 * ipmp_ill_bind_ipif(), then the ipif has
18411 			 * already been added to the group and we
18412 			 * just need to use the binding.
18413 			 */
18414 			if ((bound_ill = ipmp_ipif_bound_ill(ipif)) == NULL) {
18415 				bound_ill  = ipmp_illgrp_add_ipif(illg, ipif);
18416 				if (bound_ill == NULL) {
18417 					/*
18418 					 * We couldn't bind the ipif to an ill
18419 					 * yet, so we have nothing to publish.
18420 					 * Mark the address as ready and return.
18421 					 */
18422 					ipif->ipif_addr_ready = 1;
18423 					return (0);
18424 				}
18425 				added_ipif = B_TRUE;
18426 			}
18427 		} else {
18428 			bound_ill = ill;
18429 		}
18430 
18431 		flags = (NCE_F_MYADDR | NCE_F_PUBLISH | NCE_F_AUTHORITY |
18432 		    NCE_F_NONUD);
18433 		/*
18434 		 * If this is an initial bring-up (or the ipif was never
18435 		 * completely brought up), do DAD.  Otherwise, we're here
18436 		 * because IPMP has rebound an address to this ill: send
18437 		 * unsolicited advertisements (ARP announcements) to
18438 		 * inform others.
18439 		 */
18440 		if (res_act == Res_act_initial || !ipif->ipif_addr_ready) {
18441 			state = ND_UNCHANGED; /* compute in nce_add_common() */
18442 		} else {
18443 			state = ND_REACHABLE;
18444 			flags |= NCE_F_UNSOL_ADV;
18445 		}
18446 
18447 retry:
18448 		err = nce_lookup_then_add_v4(ill,
18449 		    bound_ill->ill_phys_addr, bound_ill->ill_phys_addr_length,
18450 		    addr, flags, state, &nce);
18451 
18452 		/*
18453 		 * note that we may encounter EEXIST if we are moving
18454 		 * the nce as a result of a rebind operation.
18455 		 */
18456 		switch (err) {
18457 		case 0:
18458 			ipif->ipif_added_nce = 1;
18459 			nce->nce_ipif_cnt++;
18460 			break;
18461 		case EEXIST:
18462 			ip1dbg(("ipif_arp_up: NCE already exists for %s\n",
18463 			    ill->ill_name));
18464 			if (!NCE_MYADDR(nce->nce_common)) {
18465 				/*
18466 				 * A leftover nce from before this address
18467 				 * existed
18468 				 */
18469 				ncec_delete(nce->nce_common);
18470 				nce_refrele(nce);
18471 				nce = NULL;
18472 				goto retry;
18473 			}
18474 			if ((ipif->ipif_flags & IPIF_POINTOPOINT) == 0) {
18475 				nce_refrele(nce);
18476 				nce = NULL;
18477 				ip1dbg(("ipif_arp_up: NCE already exists "
18478 				    "for %s:%u\n", ill->ill_name,
18479 				    ipif->ipif_id));
18480 				goto arp_up_done;
18481 			}
18482 			/*
18483 			 * Duplicate local addresses are permissible for
18484 			 * IPIF_POINTOPOINT interfaces which will get marked
18485 			 * IPIF_UNNUMBERED later in
18486 			 * ip_addr_availability_check().
18487 			 *
18488 			 * The nce_ipif_cnt field tracks the number of
18489 			 * ipifs that have nce_addr as their local address.
18490 			 */
18491 			ipif->ipif_addr_ready = 1;
18492 			ipif->ipif_added_nce = 1;
18493 			nce->nce_ipif_cnt++;
18494 			err = 0;
18495 			break;
18496 		default:
18497 			ASSERT(nce == NULL);
18498 			goto arp_up_done;
18499 		}
18500 		if (arp_no_defense) {
18501 			if ((ipif->ipif_flags & IPIF_UP) &&
18502 			    !ipif->ipif_addr_ready)
18503 				ipif_up_notify(ipif);
18504 			ipif->ipif_addr_ready = 1;
18505 		}
18506 	} else {
18507 		/* zero address. nothing to publish */
18508 		ipif->ipif_addr_ready = 1;
18509 	}
18510 	if (nce != NULL)
18511 		nce_refrele(nce);
18512 arp_up_done:
18513 	if (added_ipif && err != 0)
18514 		ipmp_illgrp_del_ipif(ill->ill_grp, ipif);
18515 	return (err);
18516 }
18517 
18518 int
18519 ipif_arp_up(ipif_t *ipif, enum ip_resolver_action res_act, boolean_t was_dup)
18520 {
18521 	int 		err = 0;
18522 	ill_t 		*ill = ipif->ipif_ill;
18523 	boolean_t	first_interface, wait_for_dlpi = B_FALSE;
18524 
18525 	DTRACE_PROBE3(ipif__downup, char *, "ipif_arp_up",
18526 	    ill_t *, ill, ipif_t *, ipif);
18527 
18528 	/*
18529 	 * need to bring up ARP or setup mcast mapping only
18530 	 * when the first interface is coming UP.
18531 	 */
18532 	first_interface = (ill->ill_ipif_up_count == 0 &&
18533 	    ill->ill_ipif_dup_count == 0 && !was_dup);
18534 
18535 	if (res_act == Res_act_initial && first_interface) {
18536 		/*
18537 		 * Send ATTACH + BIND
18538 		 */
18539 		err = arp_ll_up(ill);
18540 		if (err != EINPROGRESS && err != 0)
18541 			return (err);
18542 
18543 		/*
18544 		 * Add NCE for local address. Start DAD.
18545 		 * we'll wait to hear that DAD has finished
18546 		 * before using the interface.
18547 		 */
18548 		if (err == EINPROGRESS)
18549 			wait_for_dlpi = B_TRUE;
18550 	}
18551 
18552 	if (!wait_for_dlpi)
18553 		(void) ipif_arp_up_done_tail(ipif, res_act);
18554 
18555 	return (!wait_for_dlpi ? 0 : EINPROGRESS);
18556 }
18557 
18558 /*
18559  * Finish processing of "arp_up" after all the DLPI message
18560  * exchanges have completed between arp and the driver.
18561  */
18562 void
18563 arp_bringup_done(ill_t *ill, int err)
18564 {
18565 	mblk_t	*mp1;
18566 	ipif_t  *ipif;
18567 	conn_t *connp = NULL;
18568 	ipsq_t	*ipsq;
18569 	queue_t *q;
18570 
18571 	ip1dbg(("arp_bringup_done(%s)\n", ill->ill_name));
18572 
18573 	ASSERT(IAM_WRITER_ILL(ill));
18574 
18575 	ipsq = ill->ill_phyint->phyint_ipsq;
18576 	ipif = ipsq->ipsq_xop->ipx_pending_ipif;
18577 	mp1 = ipsq_pending_mp_get(ipsq, &connp);
18578 	ASSERT(!((mp1 != NULL) ^ (ipif != NULL)));
18579 	if (mp1 == NULL) /* bringup was aborted by the user */
18580 		return;
18581 
18582 	/*
18583 	 * If an IOCTL is waiting on this (ipsq_current_ioctl != 0), then we
18584 	 * must have an associated conn_t.  Otherwise, we're bringing this
18585 	 * interface back up as part of handling an asynchronous event (e.g.,
18586 	 * physical address change).
18587 	 */
18588 	if (ipsq->ipsq_xop->ipx_current_ioctl != 0) {
18589 		ASSERT(connp != NULL);
18590 		q = CONNP_TO_WQ(connp);
18591 	} else {
18592 		ASSERT(connp == NULL);
18593 		q = ill->ill_rq;
18594 	}
18595 	if (err == 0) {
18596 		if (ipif->ipif_isv6) {
18597 			if ((err = ipif_up_done_v6(ipif)) != 0)
18598 				ip0dbg(("arp_bringup_done: init failed\n"));
18599 		} else {
18600 			err = ipif_arp_up_done_tail(ipif, Res_act_initial);
18601 			if (err != 0 ||
18602 			    (err = ipif_up_done(ipif)) != 0) {
18603 				ip0dbg(("arp_bringup_done: "
18604 				    "init failed err %x\n", err));
18605 				(void) ipif_arp_down(ipif);
18606 			}
18607 
18608 		}
18609 	} else {
18610 		ip0dbg(("arp_bringup_done: DL_BIND_REQ failed\n"));
18611 	}
18612 
18613 	if ((err == 0) && (ill->ill_up_ipifs)) {
18614 		err = ill_up_ipifs(ill, q, mp1);
18615 		if (err == EINPROGRESS)
18616 			return;
18617 	}
18618 
18619 	/*
18620 	 * If we have a moved ipif to bring up, and everything has succeeded
18621 	 * to this point, bring it up on the IPMP ill.  Otherwise, leave it
18622 	 * down -- the admin can try to bring it up by hand if need be.
18623 	 */
18624 	if (ill->ill_move_ipif != NULL) {
18625 		ipif = ill->ill_move_ipif;
18626 		ip1dbg(("bringing up ipif %p on ill %s\n", (void *)ipif,
18627 		    ipif->ipif_ill->ill_name));
18628 		ill->ill_move_ipif = NULL;
18629 		if (err == 0) {
18630 			err = ipif_up(ipif, q, mp1);
18631 			if (err == EINPROGRESS)
18632 				return;
18633 		}
18634 	}
18635 
18636 	/*
18637 	 * The operation must complete without EINPROGRESS since
18638 	 * ipsq_pending_mp_get() has removed the mblk from ipsq_pending_mp.
18639 	 * Otherwise, the operation will be stuck forever in the ipsq.
18640 	 */
18641 	ASSERT(err != EINPROGRESS);
18642 	if (ipsq->ipsq_xop->ipx_current_ioctl != 0) {
18643 		DTRACE_PROBE4(ipif__ioctl, char *, "arp_bringup_done finish",
18644 		    int, ipsq->ipsq_xop->ipx_current_ioctl,
18645 		    ill_t *, ill, ipif_t *, ipif);
18646 		ip_ioctl_finish(q, mp1, err, NO_COPYOUT, ipsq);
18647 	} else {
18648 		ipsq_current_finish(ipsq);
18649 	}
18650 }
18651 
18652 /*
18653  * Finish processing of arp replumb after all the DLPI message
18654  * exchanges have completed between arp and the driver.
18655  */
18656 void
18657 arp_replumb_done(ill_t *ill, int err)
18658 {
18659 	mblk_t	*mp1;
18660 	ipif_t  *ipif;
18661 	conn_t *connp = NULL;
18662 	ipsq_t	*ipsq;
18663 	queue_t *q;
18664 
18665 	ASSERT(IAM_WRITER_ILL(ill));
18666 
18667 	ipsq = ill->ill_phyint->phyint_ipsq;
18668 	ipif = ipsq->ipsq_xop->ipx_pending_ipif;
18669 	mp1 = ipsq_pending_mp_get(ipsq, &connp);
18670 	ASSERT(!((mp1 != NULL) ^ (ipif != NULL)));
18671 	if (mp1 == NULL) {
18672 		ip0dbg(("arp_replumb_done: bringup aborted ioctl %x\n",
18673 		    ipsq->ipsq_xop->ipx_current_ioctl));
18674 		/* bringup was aborted by the user */
18675 		return;
18676 	}
18677 	/*
18678 	 * If an IOCTL is waiting on this (ipsq_current_ioctl != 0), then we
18679 	 * must have an associated conn_t.  Otherwise, we're bringing this
18680 	 * interface back up as part of handling an asynchronous event (e.g.,
18681 	 * physical address change).
18682 	 */
18683 	if (ipsq->ipsq_xop->ipx_current_ioctl != 0) {
18684 		ASSERT(connp != NULL);
18685 		q = CONNP_TO_WQ(connp);
18686 	} else {
18687 		ASSERT(connp == NULL);
18688 		q = ill->ill_rq;
18689 	}
18690 	if ((err == 0) && (ill->ill_up_ipifs)) {
18691 		err = ill_up_ipifs(ill, q, mp1);
18692 		if (err == EINPROGRESS)
18693 			return;
18694 	}
18695 	/*
18696 	 * The operation must complete without EINPROGRESS since
18697 	 * ipsq_pending_mp_get() has removed the mblk from ipsq_pending_mp.
18698 	 * Otherwise, the operation will be stuck forever in the ipsq.
18699 	 */
18700 	ASSERT(err != EINPROGRESS);
18701 	if (ipsq->ipsq_xop->ipx_current_ioctl != 0) {
18702 		DTRACE_PROBE4(ipif__ioctl, char *,
18703 		    "arp_replumb_done finish",
18704 		    int, ipsq->ipsq_xop->ipx_current_ioctl,
18705 		    ill_t *, ill, ipif_t *, ipif);
18706 		ip_ioctl_finish(q, mp1, err, NO_COPYOUT, ipsq);
18707 	} else {
18708 		ipsq_current_finish(ipsq);
18709 	}
18710 }
18711 
18712 void
18713 ipif_up_notify(ipif_t *ipif)
18714 {
18715 	ip_rts_ifmsg(ipif, RTSQ_DEFAULT);
18716 	ip_rts_newaddrmsg(RTM_ADD, 0, ipif, RTSQ_DEFAULT);
18717 	sctp_update_ipif(ipif, SCTP_IPIF_UP);
18718 	ill_nic_event_dispatch(ipif->ipif_ill, MAP_IPIF_ID(ipif->ipif_id),
18719 	    NE_LIF_UP, NULL, 0);
18720 }
18721 
18722 /*
18723  * ILB ioctl uses cv_wait (such as deleting a rule or adding a server) and
18724  * this assumes the context is cv_wait'able.  Hence it shouldnt' be used on
18725  * TPI end points with STREAMS modules pushed above.  This is assured by not
18726  * having the IPI_MODOK flag for the ioctl.  And IP ensures the ILB ioctl
18727  * never ends up on an ipsq, otherwise we may end up processing the ioctl
18728  * while unwinding from the ispq and that could be a thread from the bottom.
18729  */
18730 /* ARGSUSED */
18731 int
18732 ip_sioctl_ilb_cmd(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
18733     ip_ioctl_cmd_t *ipip, void *arg)
18734 {
18735 	mblk_t *cmd_mp = mp->b_cont->b_cont;
18736 	ilb_cmd_t command = *((ilb_cmd_t *)cmd_mp->b_rptr);
18737 	int ret = 0;
18738 	int i;
18739 	size_t size;
18740 	ip_stack_t *ipst;
18741 	zoneid_t zoneid;
18742 	ilb_stack_t *ilbs;
18743 
18744 	ipst = CONNQ_TO_IPST(q);
18745 	ilbs = ipst->ips_netstack->netstack_ilb;
18746 	zoneid = Q_TO_CONN(q)->conn_zoneid;
18747 
18748 	switch (command) {
18749 	case ILB_CREATE_RULE: {
18750 		ilb_rule_cmd_t *cmd = (ilb_rule_cmd_t *)cmd_mp->b_rptr;
18751 
18752 		if (MBLKL(cmd_mp) != sizeof (ilb_rule_cmd_t)) {
18753 			ret = EINVAL;
18754 			break;
18755 		}
18756 
18757 		ret = ilb_rule_add(ilbs, zoneid, cmd);
18758 		break;
18759 	}
18760 	case ILB_DESTROY_RULE:
18761 	case ILB_ENABLE_RULE:
18762 	case ILB_DISABLE_RULE: {
18763 		ilb_name_cmd_t *cmd = (ilb_name_cmd_t *)cmd_mp->b_rptr;
18764 
18765 		if (MBLKL(cmd_mp) != sizeof (ilb_name_cmd_t)) {
18766 			ret = EINVAL;
18767 			break;
18768 		}
18769 
18770 		if (cmd->flags & ILB_RULE_ALLRULES) {
18771 			if (command == ILB_DESTROY_RULE) {
18772 				ilb_rule_del_all(ilbs, zoneid);
18773 				break;
18774 			} else if (command == ILB_ENABLE_RULE) {
18775 				ilb_rule_enable_all(ilbs, zoneid);
18776 				break;
18777 			} else if (command == ILB_DISABLE_RULE) {
18778 				ilb_rule_disable_all(ilbs, zoneid);
18779 				break;
18780 			}
18781 		} else {
18782 			if (command == ILB_DESTROY_RULE) {
18783 				ret = ilb_rule_del(ilbs, zoneid, cmd->name);
18784 			} else if (command == ILB_ENABLE_RULE) {
18785 				ret = ilb_rule_enable(ilbs, zoneid, cmd->name,
18786 				    NULL);
18787 			} else if (command == ILB_DISABLE_RULE) {
18788 				ret = ilb_rule_disable(ilbs, zoneid, cmd->name,
18789 				    NULL);
18790 			}
18791 		}
18792 		break;
18793 	}
18794 	case ILB_NUM_RULES: {
18795 		ilb_num_rules_cmd_t *cmd;
18796 
18797 		if (MBLKL(cmd_mp) != sizeof (ilb_num_rules_cmd_t)) {
18798 			ret = EINVAL;
18799 			break;
18800 		}
18801 		cmd = (ilb_num_rules_cmd_t *)cmd_mp->b_rptr;
18802 		ilb_get_num_rules(ilbs, zoneid, &(cmd->num));
18803 		break;
18804 	}
18805 	case ILB_RULE_NAMES: {
18806 		ilb_rule_names_cmd_t *cmd;
18807 
18808 		cmd = (ilb_rule_names_cmd_t *)cmd_mp->b_rptr;
18809 		if (MBLKL(cmd_mp) < sizeof (ilb_rule_names_cmd_t) ||
18810 		    cmd->num_names == 0) {
18811 			ret = EINVAL;
18812 			break;
18813 		}
18814 		size = cmd->num_names * ILB_RULE_NAMESZ;
18815 		if (cmd_mp->b_rptr + offsetof(ilb_rule_names_cmd_t, buf) +
18816 		    size != cmd_mp->b_wptr) {
18817 			ret = EINVAL;
18818 			break;
18819 		}
18820 		ilb_get_rulenames(ilbs, zoneid, &cmd->num_names, cmd->buf);
18821 		break;
18822 	}
18823 	case ILB_NUM_SERVERS: {
18824 		ilb_num_servers_cmd_t *cmd;
18825 
18826 		if (MBLKL(cmd_mp) != sizeof (ilb_num_servers_cmd_t)) {
18827 			ret = EINVAL;
18828 			break;
18829 		}
18830 		cmd = (ilb_num_servers_cmd_t *)cmd_mp->b_rptr;
18831 		ret = ilb_get_num_servers(ilbs, zoneid, cmd->name,
18832 		    &(cmd->num));
18833 		break;
18834 	}
18835 	case ILB_LIST_RULE: {
18836 		ilb_rule_cmd_t *cmd = (ilb_rule_cmd_t *)cmd_mp->b_rptr;
18837 
18838 		if (MBLKL(cmd_mp) != sizeof (ilb_rule_cmd_t)) {
18839 			ret = EINVAL;
18840 			break;
18841 		}
18842 		ret = ilb_rule_list(ilbs, zoneid, cmd);
18843 		break;
18844 	}
18845 	case ILB_LIST_SERVERS: {
18846 		ilb_servers_info_cmd_t *cmd;
18847 
18848 		cmd = (ilb_servers_info_cmd_t *)cmd_mp->b_rptr;
18849 		if (MBLKL(cmd_mp) < sizeof (ilb_servers_info_cmd_t) ||
18850 		    cmd->num_servers == 0) {
18851 			ret = EINVAL;
18852 			break;
18853 		}
18854 		size = cmd->num_servers * sizeof (ilb_server_info_t);
18855 		if (cmd_mp->b_rptr + offsetof(ilb_servers_info_cmd_t, servers) +
18856 		    size != cmd_mp->b_wptr) {
18857 			ret = EINVAL;
18858 			break;
18859 		}
18860 
18861 		ret = ilb_get_servers(ilbs, zoneid, cmd->name, cmd->servers,
18862 		    &cmd->num_servers);
18863 		break;
18864 	}
18865 	case ILB_ADD_SERVERS: {
18866 		ilb_servers_info_cmd_t *cmd;
18867 		ilb_rule_t *rule;
18868 
18869 		cmd = (ilb_servers_info_cmd_t *)cmd_mp->b_rptr;
18870 		if (MBLKL(cmd_mp) < sizeof (ilb_servers_info_cmd_t)) {
18871 			ret = EINVAL;
18872 			break;
18873 		}
18874 		size = cmd->num_servers * sizeof (ilb_server_info_t);
18875 		if (cmd_mp->b_rptr + offsetof(ilb_servers_info_cmd_t, servers) +
18876 		    size != cmd_mp->b_wptr) {
18877 			ret = EINVAL;
18878 			break;
18879 		}
18880 		rule = ilb_find_rule(ilbs, zoneid, cmd->name, &ret);
18881 		if (rule == NULL) {
18882 			ASSERT(ret != 0);
18883 			break;
18884 		}
18885 		for (i = 0; i < cmd->num_servers; i++) {
18886 			ilb_server_info_t *s;
18887 
18888 			s = &cmd->servers[i];
18889 			s->err = ilb_server_add(ilbs, rule, s);
18890 		}
18891 		ILB_RULE_REFRELE(rule);
18892 		break;
18893 	}
18894 	case ILB_DEL_SERVERS:
18895 	case ILB_ENABLE_SERVERS:
18896 	case ILB_DISABLE_SERVERS: {
18897 		ilb_servers_cmd_t *cmd;
18898 		ilb_rule_t *rule;
18899 		int (*f)();
18900 
18901 		cmd = (ilb_servers_cmd_t *)cmd_mp->b_rptr;
18902 		if (MBLKL(cmd_mp) < sizeof (ilb_servers_cmd_t)) {
18903 			ret = EINVAL;
18904 			break;
18905 		}
18906 		size = cmd->num_servers * sizeof (ilb_server_arg_t);
18907 		if (cmd_mp->b_rptr + offsetof(ilb_servers_cmd_t, servers) +
18908 		    size != cmd_mp->b_wptr) {
18909 			ret = EINVAL;
18910 			break;
18911 		}
18912 
18913 		if (command == ILB_DEL_SERVERS)
18914 			f = ilb_server_del;
18915 		else if (command == ILB_ENABLE_SERVERS)
18916 			f = ilb_server_enable;
18917 		else if (command == ILB_DISABLE_SERVERS)
18918 			f = ilb_server_disable;
18919 
18920 		rule = ilb_find_rule(ilbs, zoneid, cmd->name, &ret);
18921 		if (rule == NULL) {
18922 			ASSERT(ret != 0);
18923 			break;
18924 		}
18925 
18926 		for (i = 0; i < cmd->num_servers; i++) {
18927 			ilb_server_arg_t *s;
18928 
18929 			s = &cmd->servers[i];
18930 			s->err = f(ilbs, zoneid, NULL, rule, &s->addr);
18931 		}
18932 		ILB_RULE_REFRELE(rule);
18933 		break;
18934 	}
18935 	case ILB_LIST_NAT_TABLE: {
18936 		ilb_list_nat_cmd_t *cmd;
18937 
18938 		cmd = (ilb_list_nat_cmd_t *)cmd_mp->b_rptr;
18939 		if (MBLKL(cmd_mp) < sizeof (ilb_list_nat_cmd_t)) {
18940 			ret = EINVAL;
18941 			break;
18942 		}
18943 		size = cmd->num_nat * sizeof (ilb_nat_entry_t);
18944 		if (cmd_mp->b_rptr + offsetof(ilb_list_nat_cmd_t, entries) +
18945 		    size != cmd_mp->b_wptr) {
18946 			ret = EINVAL;
18947 			break;
18948 		}
18949 
18950 		ret = ilb_list_nat(ilbs, zoneid, cmd->entries, &cmd->num_nat,
18951 		    &cmd->flags);
18952 		break;
18953 	}
18954 	case ILB_LIST_STICKY_TABLE: {
18955 		ilb_list_sticky_cmd_t *cmd;
18956 
18957 		cmd = (ilb_list_sticky_cmd_t *)cmd_mp->b_rptr;
18958 		if (MBLKL(cmd_mp) < sizeof (ilb_list_sticky_cmd_t)) {
18959 			ret = EINVAL;
18960 			break;
18961 		}
18962 		size = cmd->num_sticky * sizeof (ilb_sticky_entry_t);
18963 		if (cmd_mp->b_rptr + offsetof(ilb_list_sticky_cmd_t, entries) +
18964 		    size != cmd_mp->b_wptr) {
18965 			ret = EINVAL;
18966 			break;
18967 		}
18968 
18969 		ret = ilb_list_sticky(ilbs, zoneid, cmd->entries,
18970 		    &cmd->num_sticky, &cmd->flags);
18971 		break;
18972 	}
18973 	default:
18974 		ret = EINVAL;
18975 		break;
18976 	}
18977 done:
18978 	return (ret);
18979 }
18980 
18981 /* Remove all cache entries for this logical interface */
18982 void
18983 ipif_nce_down(ipif_t *ipif)
18984 {
18985 	ill_t *ill = ipif->ipif_ill;
18986 	nce_t *nce;
18987 
18988 	DTRACE_PROBE3(ipif__downup, char *, "ipif_nce_down",
18989 	    ill_t *, ill, ipif_t *, ipif);
18990 	if (ipif->ipif_added_nce) {
18991 		if (ipif->ipif_isv6)
18992 			nce = nce_lookup_v6(ill, &ipif->ipif_v6lcl_addr);
18993 		else
18994 			nce = nce_lookup_v4(ill, &ipif->ipif_lcl_addr);
18995 		if (nce != NULL) {
18996 			if (--nce->nce_ipif_cnt == 0)
18997 				ncec_delete(nce->nce_common);
18998 			ipif->ipif_added_nce = 0;
18999 			nce_refrele(nce);
19000 		} else {
19001 			/*
19002 			 * nce may already be NULL because it was already
19003 			 * flushed, e.g., due to a call to nce_flush
19004 			 */
19005 			ipif->ipif_added_nce = 0;
19006 		}
19007 	}
19008 	/*
19009 	 * Make IPMP aware of the deleted data address.
19010 	 */
19011 	if (IS_IPMP(ill))
19012 		ipmp_illgrp_del_ipif(ill->ill_grp, ipif);
19013 
19014 	/*
19015 	 * Remove all other nces dependent on this ill when the last ipif
19016 	 * is going away.
19017 	 */
19018 	if (ill->ill_ipif_up_count == 0) {
19019 		ncec_walk(ill, (pfi_t)ncec_delete_per_ill,
19020 		    (uchar_t *)ill, ill->ill_ipst);
19021 		if (IS_UNDER_IPMP(ill))
19022 			nce_flush(ill, B_TRUE);
19023 	}
19024 }
19025 
19026 /*
19027  * find the first interface that uses usill for its source address.
19028  */
19029 ill_t *
19030 ill_lookup_usesrc(ill_t *usill)
19031 {
19032 	ip_stack_t *ipst = usill->ill_ipst;
19033 	ill_t *ill;
19034 
19035 	ASSERT(usill != NULL);
19036 
19037 	/* ill_g_usesrc_lock protects ill_usesrc_grp_next */
19038 	rw_enter(&ipst->ips_ill_g_usesrc_lock, RW_WRITER);
19039 	rw_enter(&ipst->ips_ill_g_lock, RW_READER);
19040 	for (ill = usill->ill_usesrc_grp_next; ill != NULL && ill != usill;
19041 	    ill = ill->ill_usesrc_grp_next) {
19042 		if (!IS_UNDER_IPMP(ill) && (ill->ill_flags & ILLF_MULTICAST) &&
19043 		    !ILL_IS_CONDEMNED(ill)) {
19044 			ill_refhold(ill);
19045 			break;
19046 		}
19047 	}
19048 	rw_exit(&ipst->ips_ill_g_lock);
19049 	rw_exit(&ipst->ips_ill_g_usesrc_lock);
19050 	return (ill);
19051 }
19052 
19053 /*
19054  * This comment applies to both ip_sioctl_get_ifhwaddr and
19055  * ip_sioctl_get_lifhwaddr as the basic function of these two functions
19056  * is the same.
19057  *
19058  * The goal here is to find an IP interface that corresponds to the name
19059  * provided by the caller in the ifreq/lifreq structure held in the mblk_t
19060  * chain and to fill out a sockaddr/sockaddr_storage structure with the
19061  * mac address.
19062  *
19063  * The SIOCGIFHWADDR/SIOCGLIFHWADDR ioctl may return an error for a number
19064  * of different reasons:
19065  * ENXIO - the device name is not known to IP.
19066  * EADDRNOTAVAIL - the device has no hardware address. This is indicated
19067  * by ill_phys_addr not pointing to an actual address.
19068  * EPFNOSUPPORT - this will indicate that a request is being made for a
19069  * mac address that will not fit in the data structure supplier (struct
19070  * sockaddr).
19071  *
19072  */
19073 /* ARGSUSED */
19074 int
19075 ip_sioctl_get_ifhwaddr(ipif_t *ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
19076     ip_ioctl_cmd_t *ipip, void *if_req)
19077 {
19078 	struct sockaddr *sock;
19079 	struct ifreq *ifr;
19080 	mblk_t *mp1;
19081 	ill_t *ill;
19082 
19083 	ASSERT(ipif != NULL);
19084 	ill = ipif->ipif_ill;
19085 
19086 	if (ill->ill_phys_addr == NULL) {
19087 		return (EADDRNOTAVAIL);
19088 	}
19089 	if (ill->ill_phys_addr_length > sizeof (sock->sa_data)) {
19090 		return (EPFNOSUPPORT);
19091 	}
19092 
19093 	ip1dbg(("ip_sioctl_get_hwaddr(%s)\n", ill->ill_name));
19094 
19095 	/* Existence of mp1 has been checked in ip_wput_nondata */
19096 	mp1 = mp->b_cont->b_cont;
19097 	ifr = (struct ifreq *)mp1->b_rptr;
19098 
19099 	sock = &ifr->ifr_addr;
19100 	/*
19101 	 * The "family" field in the returned structure is set to a value
19102 	 * that represents the type of device to which the address belongs.
19103 	 * The value returned may differ to that on Linux but it will still
19104 	 * represent the correct symbol on Solaris.
19105 	 */
19106 	sock->sa_family = arp_hw_type(ill->ill_mactype);
19107 	bcopy(ill->ill_phys_addr, &sock->sa_data, ill->ill_phys_addr_length);
19108 
19109 	return (0);
19110 }
19111 
19112 /*
19113  * The expection of applications using SIOCGIFHWADDR is that data will
19114  * be returned in the sa_data field of the sockaddr structure. With
19115  * SIOCGLIFHWADDR, we're breaking new ground as there is no Linux
19116  * equivalent. In light of this, struct sockaddr_dl is used as it
19117  * offers more space for address storage in sll_data.
19118  */
19119 /* ARGSUSED */
19120 int
19121 ip_sioctl_get_lifhwaddr(ipif_t *ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
19122     ip_ioctl_cmd_t *ipip, void *if_req)
19123 {
19124 	struct sockaddr_dl *sock;
19125 	struct lifreq *lifr;
19126 	mblk_t *mp1;
19127 	ill_t *ill;
19128 
19129 	ASSERT(ipif != NULL);
19130 	ill = ipif->ipif_ill;
19131 
19132 	if (ill->ill_phys_addr == NULL) {
19133 		return (EADDRNOTAVAIL);
19134 	}
19135 	if (ill->ill_phys_addr_length > sizeof (sock->sdl_data)) {
19136 		return (EPFNOSUPPORT);
19137 	}
19138 
19139 	ip1dbg(("ip_sioctl_get_lifhwaddr(%s)\n", ill->ill_name));
19140 
19141 	/* Existence of mp1 has been checked in ip_wput_nondata */
19142 	mp1 = mp->b_cont->b_cont;
19143 	lifr = (struct lifreq *)mp1->b_rptr;
19144 
19145 	/*
19146 	 * sockaddr_ll is used here because it is also the structure used in
19147 	 * responding to the same ioctl in sockpfp. The only other choice is
19148 	 * sockaddr_dl which contains fields that are not required here
19149 	 * because its purpose is different.
19150 	 */
19151 	lifr->lifr_type = ill->ill_type;
19152 	sock = (struct sockaddr_dl *)&lifr->lifr_addr;
19153 	sock->sdl_family = AF_LINK;
19154 	sock->sdl_index = ill->ill_phyint->phyint_ifindex;
19155 	sock->sdl_type = ill->ill_mactype;
19156 	sock->sdl_nlen = 0;
19157 	sock->sdl_slen = 0;
19158 	sock->sdl_alen = ill->ill_phys_addr_length;
19159 	bcopy(ill->ill_phys_addr, sock->sdl_data, ill->ill_phys_addr_length);
19160 
19161 	return (0);
19162 }
19163