xref: /titanic_44/usr/src/uts/common/inet/ip/icmp.c (revision 1cb875ae88fb9463b368e725c2444776595895cb)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 /* Copyright (c) 1990 Mentat Inc. */
26 
27 #include <sys/types.h>
28 #include <sys/stream.h>
29 #include <sys/stropts.h>
30 #include <sys/strlog.h>
31 #include <sys/strsun.h>
32 #define	_SUN_TPI_VERSION 2
33 #include <sys/tihdr.h>
34 #include <sys/timod.h>
35 #include <sys/ddi.h>
36 #include <sys/sunddi.h>
37 #include <sys/strsubr.h>
38 #include <sys/suntpi.h>
39 #include <sys/xti_inet.h>
40 #include <sys/cmn_err.h>
41 #include <sys/kmem.h>
42 #include <sys/cred_impl.h>
43 #include <sys/policy.h>
44 #include <sys/priv.h>
45 #include <sys/ucred.h>
46 #include <sys/zone.h>
47 
48 #include <sys/sockio.h>
49 #include <sys/socket.h>
50 #include <sys/socketvar.h>
51 #include <sys/vtrace.h>
52 #include <sys/sdt.h>
53 #include <sys/debug.h>
54 #include <sys/isa_defs.h>
55 #include <sys/random.h>
56 #include <netinet/in.h>
57 #include <netinet/ip6.h>
58 #include <netinet/icmp6.h>
59 #include <netinet/udp.h>
60 
61 #include <inet/common.h>
62 #include <inet/ip.h>
63 #include <inet/ip_impl.h>
64 #include <inet/ipsec_impl.h>
65 #include <inet/ip6.h>
66 #include <inet/ip_ire.h>
67 #include <inet/ip_if.h>
68 #include <inet/ip_multi.h>
69 #include <inet/ip_ndp.h>
70 #include <inet/proto_set.h>
71 #include <inet/mib2.h>
72 #include <inet/nd.h>
73 #include <inet/optcom.h>
74 #include <inet/snmpcom.h>
75 #include <inet/kstatcom.h>
76 #include <inet/ipclassifier.h>
77 
78 #include <sys/tsol/label.h>
79 #include <sys/tsol/tnet.h>
80 
81 #include <inet/rawip_impl.h>
82 
83 #include <sys/disp.h>
84 
85 /*
86  * Synchronization notes:
87  *
88  * RAWIP is MT and uses the usual kernel synchronization primitives. We use
89  * conn_lock to protect the icmp_t.
90  *
91  * Plumbing notes:
92  * ICMP is always a device driver. For compatibility with mibopen() code
93  * it is possible to I_PUSH "icmp", but that results in pushing a passthrough
94  * dummy module.
95  */
96 
97 static void	icmp_addr_req(queue_t *q, mblk_t *mp);
98 static void	icmp_tpi_bind(queue_t *q, mblk_t *mp);
99 static void	icmp_bind_proto(icmp_t *icmp);
100 static int	icmp_build_hdr_template(conn_t *, const in6_addr_t *,
101     const in6_addr_t *, uint32_t);
102 static void	icmp_capability_req(queue_t *q, mblk_t *mp);
103 static int	icmp_close(queue_t *q, int flags);
104 static void	icmp_close_free(conn_t *);
105 static void	icmp_tpi_connect(queue_t *q, mblk_t *mp);
106 static void	icmp_tpi_disconnect(queue_t *q, mblk_t *mp);
107 static void	icmp_err_ack(queue_t *q, mblk_t *mp, t_scalar_t t_error,
108     int sys_error);
109 static void	icmp_err_ack_prim(queue_t *q, mblk_t *mp, t_scalar_t primitive,
110     t_scalar_t tlierr, int sys_error);
111 static void	icmp_icmp_input(void *arg1, mblk_t *mp, void *arg2,
112     ip_recv_attr_t *);
113 static void	icmp_icmp_error_ipv6(conn_t *connp, mblk_t *mp,
114     ip_recv_attr_t *);
115 static void	icmp_info_req(queue_t *q, mblk_t *mp);
116 static void	icmp_input(void *, mblk_t *, void *, ip_recv_attr_t *);
117 static conn_t 	*icmp_open(int family, cred_t *credp, int *err, int flags);
118 static int	icmp_openv4(queue_t *q, dev_t *devp, int flag, int sflag,
119 		    cred_t *credp);
120 static int	icmp_openv6(queue_t *q, dev_t *devp, int flag, int sflag,
121 		    cred_t *credp);
122 static boolean_t icmp_opt_allow_udr_set(t_scalar_t level, t_scalar_t name);
123 int		icmp_opt_set(conn_t *connp, uint_t optset_context,
124 		    int level, int name, uint_t inlen,
125 		    uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp,
126 		    void *thisdg_attrs, cred_t *cr);
127 int		icmp_opt_get(conn_t *connp, int level, int name,
128 		    uchar_t *ptr);
129 static int	icmp_output_newdst(conn_t *connp, mblk_t *data_mp, sin_t *sin,
130 		    sin6_t *sin6, cred_t *cr, pid_t pid, ip_xmit_attr_t *ixa);
131 static int	icmp_param_get(queue_t *q, mblk_t *mp, caddr_t cp, cred_t *cr);
132 static boolean_t icmp_param_register(IDP *ndp, icmpparam_t *icmppa, int cnt);
133 static int	icmp_param_set(queue_t *q, mblk_t *mp, char *value,
134 		    caddr_t cp, cred_t *cr);
135 static mblk_t	*icmp_prepend_hdr(conn_t *, ip_xmit_attr_t *, const ip_pkt_t *,
136     const in6_addr_t *, const in6_addr_t *, uint32_t, mblk_t *, int *);
137 static mblk_t	*icmp_prepend_header_template(conn_t *, ip_xmit_attr_t *,
138     mblk_t *, const in6_addr_t *, uint32_t, int *);
139 static int	icmp_snmp_set(queue_t *q, t_scalar_t level, t_scalar_t name,
140 		    uchar_t *ptr, int len);
141 static void	icmp_ud_err(queue_t *q, mblk_t *mp, t_scalar_t err);
142 static void	icmp_tpi_unbind(queue_t *q, mblk_t *mp);
143 static void	icmp_wput(queue_t *q, mblk_t *mp);
144 static void	icmp_wput_fallback(queue_t *q, mblk_t *mp);
145 static void	icmp_wput_other(queue_t *q, mblk_t *mp);
146 static void	icmp_wput_iocdata(queue_t *q, mblk_t *mp);
147 static void	icmp_wput_restricted(queue_t *q, mblk_t *mp);
148 static void	icmp_ulp_recv(conn_t *, mblk_t *, uint_t);
149 
150 static void	*rawip_stack_init(netstackid_t stackid, netstack_t *ns);
151 static void	rawip_stack_fini(netstackid_t stackid, void *arg);
152 
153 static void	*rawip_kstat_init(netstackid_t stackid);
154 static void	rawip_kstat_fini(netstackid_t stackid, kstat_t *ksp);
155 static int	rawip_kstat_update(kstat_t *kp, int rw);
156 static void	rawip_stack_shutdown(netstackid_t stackid, void *arg);
157 
158 /* Common routines for TPI and socket module */
159 static conn_t	*rawip_do_open(int, cred_t *, int *, int);
160 static void	rawip_do_close(conn_t *);
161 static int	rawip_do_bind(conn_t *, struct sockaddr *, socklen_t);
162 static int	rawip_do_unbind(conn_t *);
163 static int	rawip_do_connect(conn_t *, const struct sockaddr *, socklen_t,
164     cred_t *, pid_t);
165 
166 int		rawip_getsockname(sock_lower_handle_t, struct sockaddr *,
167 		    socklen_t *, cred_t *);
168 int		rawip_getpeername(sock_lower_handle_t, struct sockaddr *,
169 		    socklen_t *, cred_t *);
170 
171 static struct module_info icmp_mod_info =  {
172 	5707, "icmp", 1, INFPSZ, 512, 128
173 };
174 
175 /*
176  * Entry points for ICMP as a device.
177  * We have separate open functions for the /dev/icmp and /dev/icmp6 devices.
178  */
179 static struct qinit icmprinitv4 = {
180 	NULL, NULL, icmp_openv4, icmp_close, NULL, &icmp_mod_info
181 };
182 
183 static struct qinit icmprinitv6 = {
184 	NULL, NULL, icmp_openv6, icmp_close, NULL, &icmp_mod_info
185 };
186 
187 static struct qinit icmpwinit = {
188 	(pfi_t)icmp_wput, (pfi_t)ip_wsrv, NULL, NULL, NULL, &icmp_mod_info
189 };
190 
191 /* ICMP entry point during fallback */
192 static struct qinit icmp_fallback_sock_winit = {
193 	(pfi_t)icmp_wput_fallback, NULL, NULL, NULL, NULL, &icmp_mod_info
194 };
195 
196 /* For AF_INET aka /dev/icmp */
197 struct streamtab icmpinfov4 = {
198 	&icmprinitv4, &icmpwinit
199 };
200 
201 /* For AF_INET6 aka /dev/icmp6 */
202 struct streamtab icmpinfov6 = {
203 	&icmprinitv6, &icmpwinit
204 };
205 
206 static sin_t	sin_null;	/* Zero address for quick clears */
207 static sin6_t	sin6_null;	/* Zero address for quick clears */
208 
209 /* Default structure copied into T_INFO_ACK messages */
210 static struct T_info_ack icmp_g_t_info_ack = {
211 	T_INFO_ACK,
212 	IP_MAXPACKET,	 /* TSDU_size.  icmp allows maximum size messages. */
213 	T_INVALID,	/* ETSDU_size.  icmp does not support expedited data. */
214 	T_INVALID,	/* CDATA_size. icmp does not support connect data. */
215 	T_INVALID,	/* DDATA_size. icmp does not support disconnect data. */
216 	0,		/* ADDR_size - filled in later. */
217 	0,		/* OPT_size - not initialized here */
218 	IP_MAXPACKET,	/* TIDU_size.  icmp allows maximum size messages. */
219 	T_CLTS,		/* SERV_type.  icmp supports connection-less. */
220 	TS_UNBND,	/* CURRENT_state.  This is set from icmp_state. */
221 	(XPG4_1|SENDZERO) /* PROVIDER_flag */
222 };
223 
224 /*
225  * Table of ND variables supported by icmp.  These are loaded into is_nd
226  * when the stack instance is created.
227  * All of these are alterable, within the min/max values given, at run time.
228  */
229 static icmpparam_t	icmp_param_arr[] = {
230 	/* min	max	value	name */
231 	{ 0,	128,	32,	"icmp_wroff_extra" },
232 	{ 1,	255,	255,	"icmp_ipv4_ttl" },
233 	{ 0, IPV6_MAX_HOPS, IPV6_DEFAULT_HOPS,	"icmp_ipv6_hoplimit"},
234 	{ 0,	1,	1,	"icmp_bsd_compat" },
235 	{ 4096,	65536,	8192,	"icmp_xmit_hiwat"},
236 	{ 0,	65536,	1024,	"icmp_xmit_lowat"},
237 	{ 4096,	65536,	8192,	"icmp_recv_hiwat"},
238 	{ 65536, 1024*1024*1024, 256*1024,	"icmp_max_buf"},
239 	{ 0,	1,	0,	"icmp_pmtu_discovery" },
240 	{ 0,	1,	0,	"icmp_sendto_ignerr" },
241 };
242 #define	is_wroff_extra			is_param_arr[0].icmp_param_value
243 #define	is_ipv4_ttl			is_param_arr[1].icmp_param_value
244 #define	is_ipv6_hoplimit		is_param_arr[2].icmp_param_value
245 #define	is_bsd_compat			is_param_arr[3].icmp_param_value
246 #define	is_xmit_hiwat			is_param_arr[4].icmp_param_value
247 #define	is_xmit_lowat			is_param_arr[5].icmp_param_value
248 #define	is_recv_hiwat			is_param_arr[6].icmp_param_value
249 #define	is_max_buf			is_param_arr[7].icmp_param_value
250 #define	is_pmtu_discovery		is_param_arr[8].icmp_param_value
251 #define	is_sendto_ignerr		is_param_arr[9].icmp_param_value
252 
253 typedef union T_primitives *t_primp_t;
254 
255 /*
256  * This routine is called to handle each O_T_BIND_REQ/T_BIND_REQ message
257  * passed to icmp_wput.
258  * It calls IP to verify the local IP address, and calls IP to insert
259  * the conn_t in the fanout table.
260  * If everything is ok it then sends the T_BIND_ACK back up.
261  */
262 static void
263 icmp_tpi_bind(queue_t *q, mblk_t *mp)
264 {
265 	int	error;
266 	struct sockaddr *sa;
267 	struct T_bind_req *tbr;
268 	socklen_t	len;
269 	sin_t	*sin;
270 	sin6_t	*sin6;
271 	icmp_t		*icmp;
272 	conn_t	*connp = Q_TO_CONN(q);
273 	mblk_t *mp1;
274 	cred_t *cr;
275 
276 	/*
277 	 * All Solaris components should pass a db_credp
278 	 * for this TPI message, hence we ASSERT.
279 	 * But in case there is some other M_PROTO that looks
280 	 * like a TPI message sent by some other kernel
281 	 * component, we check and return an error.
282 	 */
283 	cr = msg_getcred(mp, NULL);
284 	ASSERT(cr != NULL);
285 	if (cr == NULL) {
286 		icmp_err_ack(q, mp, TSYSERR, EINVAL);
287 		return;
288 	}
289 
290 	icmp = connp->conn_icmp;
291 	if ((mp->b_wptr - mp->b_rptr) < sizeof (*tbr)) {
292 		(void) mi_strlog(q, 1, SL_ERROR|SL_TRACE,
293 		    "icmp_bind: bad req, len %u",
294 		    (uint_t)(mp->b_wptr - mp->b_rptr));
295 		icmp_err_ack(q, mp, TPROTO, 0);
296 		return;
297 	}
298 
299 	if (icmp->icmp_state != TS_UNBND) {
300 		(void) mi_strlog(q, 1, SL_ERROR|SL_TRACE,
301 		    "icmp_bind: bad state, %u", icmp->icmp_state);
302 		icmp_err_ack(q, mp, TOUTSTATE, 0);
303 		return;
304 	}
305 
306 	/*
307 	 * Reallocate the message to make sure we have enough room for an
308 	 * address.
309 	 */
310 	mp1 = reallocb(mp, sizeof (struct T_bind_ack) + sizeof (sin6_t), 1);
311 	if (mp1 == NULL) {
312 		icmp_err_ack(q, mp, TSYSERR, ENOMEM);
313 		return;
314 	}
315 	mp = mp1;
316 
317 	/* Reset the message type in preparation for shipping it back. */
318 	DB_TYPE(mp) = M_PCPROTO;
319 	tbr = (struct T_bind_req *)mp->b_rptr;
320 	len = tbr->ADDR_length;
321 	switch (len) {
322 	case 0:	/* request for a generic port */
323 		tbr->ADDR_offset = sizeof (struct T_bind_req);
324 		if (connp->conn_family == AF_INET) {
325 			tbr->ADDR_length = sizeof (sin_t);
326 			sin = (sin_t *)&tbr[1];
327 			*sin = sin_null;
328 			sin->sin_family = AF_INET;
329 			mp->b_wptr = (uchar_t *)&sin[1];
330 			sa = (struct sockaddr *)sin;
331 			len = sizeof (sin_t);
332 		} else {
333 			ASSERT(connp->conn_family == AF_INET6);
334 			tbr->ADDR_length = sizeof (sin6_t);
335 			sin6 = (sin6_t *)&tbr[1];
336 			*sin6 = sin6_null;
337 			sin6->sin6_family = AF_INET6;
338 			mp->b_wptr = (uchar_t *)&sin6[1];
339 			sa = (struct sockaddr *)sin6;
340 			len = sizeof (sin6_t);
341 		}
342 		break;
343 
344 	case sizeof (sin_t):	/* Complete IPv4 address */
345 		sa = (struct sockaddr *)mi_offset_param(mp, tbr->ADDR_offset,
346 		    sizeof (sin_t));
347 		break;
348 
349 	case sizeof (sin6_t):	/* Complete IPv6 address */
350 		sa = (struct sockaddr *)mi_offset_param(mp,
351 		    tbr->ADDR_offset, sizeof (sin6_t));
352 		break;
353 
354 	default:
355 		(void) mi_strlog(q, 1, SL_ERROR|SL_TRACE,
356 		    "icmp_bind: bad ADDR_length %u", tbr->ADDR_length);
357 		icmp_err_ack(q, mp, TBADADDR, 0);
358 		return;
359 	}
360 
361 	error = rawip_do_bind(connp, sa, len);
362 	if (error != 0) {
363 		if (error > 0) {
364 			icmp_err_ack(q, mp, TSYSERR, error);
365 		} else {
366 			icmp_err_ack(q, mp, -error, 0);
367 		}
368 	} else {
369 		tbr->PRIM_type = T_BIND_ACK;
370 		qreply(q, mp);
371 	}
372 }
373 
374 static int
375 rawip_do_bind(conn_t *connp, struct sockaddr *sa, socklen_t len)
376 {
377 	sin_t		*sin;
378 	sin6_t		*sin6;
379 	icmp_t		*icmp = connp->conn_icmp;
380 	int		error = 0;
381 	ip_laddr_t	laddr_type = IPVL_UNICAST_UP;	/* INADDR_ANY */
382 	in_port_t	lport;		/* Network byte order */
383 	ipaddr_t	v4src;		/* Set if AF_INET */
384 	in6_addr_t	v6src;
385 	uint_t		scopeid = 0;
386 	zoneid_t	zoneid = IPCL_ZONEID(connp);
387 	ip_stack_t	*ipst = connp->conn_netstack->netstack_ip;
388 
389 	if (sa == NULL || !OK_32PTR((char *)sa)) {
390 		return (EINVAL);
391 	}
392 
393 	switch (len) {
394 	case sizeof (sin_t):    /* Complete IPv4 address */
395 		sin = (sin_t *)sa;
396 		if (sin->sin_family != AF_INET ||
397 		    connp->conn_family != AF_INET) {
398 			/* TSYSERR, EAFNOSUPPORT */
399 			return (EAFNOSUPPORT);
400 		}
401 		v4src = sin->sin_addr.s_addr;
402 		IN6_IPADDR_TO_V4MAPPED(v4src, &v6src);
403 		if (v4src != INADDR_ANY) {
404 			laddr_type = ip_laddr_verify_v4(v4src, zoneid, ipst,
405 			    B_TRUE);
406 		}
407 		lport = sin->sin_port;
408 		break;
409 	case sizeof (sin6_t): /* Complete IPv6 address */
410 		sin6 = (sin6_t *)sa;
411 		if (sin6->sin6_family != AF_INET6 ||
412 		    connp->conn_family != AF_INET6) {
413 			/* TSYSERR, EAFNOSUPPORT */
414 			return (EAFNOSUPPORT);
415 		}
416 		/* No support for mapped addresses on raw sockets */
417 		if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
418 			/* TSYSERR, EADDRNOTAVAIL */
419 			return (EADDRNOTAVAIL);
420 		}
421 		v6src = sin6->sin6_addr;
422 		if (!IN6_IS_ADDR_UNSPECIFIED(&v6src)) {
423 			if (IN6_IS_ADDR_LINKSCOPE(&v6src))
424 				scopeid = sin6->sin6_scope_id;
425 			laddr_type = ip_laddr_verify_v6(&v6src, zoneid, ipst,
426 			    B_TRUE, scopeid);
427 		}
428 		lport = sin6->sin6_port;
429 		break;
430 
431 	default:
432 		/* TBADADDR */
433 		return (EADDRNOTAVAIL);
434 	}
435 
436 	/* Is the local address a valid unicast, multicast, or broadcast? */
437 	if (laddr_type == IPVL_BAD)
438 		return (EADDRNOTAVAIL);
439 
440 	/*
441 	 * The state must be TS_UNBND.
442 	 */
443 	mutex_enter(&connp->conn_lock);
444 	if (icmp->icmp_state != TS_UNBND) {
445 		mutex_exit(&connp->conn_lock);
446 		return (-TOUTSTATE);
447 	}
448 
449 	/*
450 	 * Copy the source address into our icmp structure.  This address
451 	 * may still be zero; if so, ip will fill in the correct address
452 	 * each time an outbound packet is passed to it.
453 	 * If we are binding to a broadcast or multicast address then
454 	 * we just set the conn_bound_addr since we don't want to use
455 	 * that as the source address when sending.
456 	 */
457 	connp->conn_bound_addr_v6 = v6src;
458 	connp->conn_laddr_v6 = v6src;
459 	if (scopeid != 0) {
460 		connp->conn_ixa->ixa_flags |= IXAF_SCOPEID_SET;
461 		connp->conn_ixa->ixa_scopeid = scopeid;
462 		connp->conn_incoming_ifindex = scopeid;
463 	} else {
464 		connp->conn_ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
465 		connp->conn_incoming_ifindex = connp->conn_bound_if;
466 	}
467 
468 	switch (laddr_type) {
469 	case IPVL_UNICAST_UP:
470 	case IPVL_UNICAST_DOWN:
471 		connp->conn_saddr_v6 = v6src;
472 		connp->conn_mcbc_bind = B_FALSE;
473 		break;
474 	case IPVL_MCAST:
475 	case IPVL_BCAST:
476 		/* ip_set_destination will pick a source address later */
477 		connp->conn_saddr_v6 = ipv6_all_zeros;
478 		connp->conn_mcbc_bind = B_TRUE;
479 		break;
480 	}
481 
482 	/* Any errors after this point should use late_error */
483 
484 	/*
485 	 * Use sin_port/sin6_port since applications like psh use SOCK_RAW
486 	 * with IPPROTO_TCP.
487 	 */
488 	connp->conn_lport = lport;
489 	connp->conn_fport = 0;
490 
491 	if (connp->conn_family == AF_INET) {
492 		ASSERT(connp->conn_ipversion == IPV4_VERSION);
493 	} else {
494 		ASSERT(connp->conn_ipversion == IPV6_VERSION);
495 	}
496 
497 	icmp->icmp_state = TS_IDLE;
498 
499 	/*
500 	 * We create an initial header template here to make a subsequent
501 	 * sendto have a starting point. Since conn_last_dst is zero the
502 	 * first sendto will always follow the 'dst changed' code path.
503 	 * Note that we defer massaging options and the related checksum
504 	 * adjustment until we have a destination address.
505 	 */
506 	error = icmp_build_hdr_template(connp, &connp->conn_saddr_v6,
507 	    &connp->conn_faddr_v6, connp->conn_flowinfo);
508 	if (error != 0) {
509 		mutex_exit(&connp->conn_lock);
510 		goto late_error;
511 	}
512 	/* Just in case */
513 	connp->conn_faddr_v6 = ipv6_all_zeros;
514 	connp->conn_v6lastdst = ipv6_all_zeros;
515 	mutex_exit(&connp->conn_lock);
516 
517 	error = ip_laddr_fanout_insert(connp);
518 	if (error != 0)
519 		goto late_error;
520 
521 	/* Bind succeeded */
522 	return (0);
523 
524 late_error:
525 	mutex_enter(&connp->conn_lock);
526 	connp->conn_saddr_v6 = ipv6_all_zeros;
527 	connp->conn_bound_addr_v6 = ipv6_all_zeros;
528 	connp->conn_laddr_v6 = ipv6_all_zeros;
529 	if (scopeid != 0) {
530 		connp->conn_ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
531 		connp->conn_incoming_ifindex = connp->conn_bound_if;
532 	}
533 	icmp->icmp_state = TS_UNBND;
534 	connp->conn_v6lastdst = ipv6_all_zeros;
535 	connp->conn_lport = 0;
536 
537 	/* Restore the header that was built above - different source address */
538 	(void) icmp_build_hdr_template(connp, &connp->conn_saddr_v6,
539 	    &connp->conn_faddr_v6, connp->conn_flowinfo);
540 	mutex_exit(&connp->conn_lock);
541 	return (error);
542 }
543 
544 /*
545  * Tell IP to just bind to the protocol.
546  */
547 static void
548 icmp_bind_proto(icmp_t *icmp)
549 {
550 	conn_t	*connp = icmp->icmp_connp;
551 
552 	mutex_enter(&connp->conn_lock);
553 	connp->conn_saddr_v6 = ipv6_all_zeros;
554 	connp->conn_laddr_v6 = ipv6_all_zeros;
555 	connp->conn_faddr_v6 = ipv6_all_zeros;
556 	connp->conn_v6lastdst = ipv6_all_zeros;
557 	mutex_exit(&connp->conn_lock);
558 
559 	(void) ip_laddr_fanout_insert(connp);
560 }
561 
562 /*
563  * This routine handles each T_CONN_REQ message passed to icmp.  It
564  * associates a default destination address with the stream.
565  *
566  * After various error checks are completed, icmp_connect() lays
567  * the target address and port into the composite header template.
568  * Then we ask IP for information, including a source address if we didn't
569  * already have one. Finally we send up the T_OK_ACK reply message.
570  */
571 static void
572 icmp_tpi_connect(queue_t *q, mblk_t *mp)
573 {
574 	conn_t	*connp = Q_TO_CONN(q);
575 	struct T_conn_req	*tcr;
576 	struct sockaddr *sa;
577 	socklen_t len;
578 	int error;
579 	cred_t *cr;
580 	pid_t pid;
581 	/*
582 	 * All Solaris components should pass a db_credp
583 	 * for this TPI message, hence we ASSERT.
584 	 * But in case there is some other M_PROTO that looks
585 	 * like a TPI message sent by some other kernel
586 	 * component, we check and return an error.
587 	 */
588 	cr = msg_getcred(mp, &pid);
589 	ASSERT(cr != NULL);
590 	if (cr == NULL) {
591 		icmp_err_ack(q, mp, TSYSERR, EINVAL);
592 		return;
593 	}
594 
595 	tcr = (struct T_conn_req *)mp->b_rptr;
596 	/* Sanity checks */
597 	if ((mp->b_wptr - mp->b_rptr) < sizeof (struct T_conn_req)) {
598 		icmp_err_ack(q, mp, TPROTO, 0);
599 		return;
600 	}
601 
602 	if (tcr->OPT_length != 0) {
603 		icmp_err_ack(q, mp, TBADOPT, 0);
604 		return;
605 	}
606 
607 	len = tcr->DEST_length;
608 
609 	switch (len) {
610 	default:
611 		icmp_err_ack(q, mp, TBADADDR, 0);
612 		return;
613 	case sizeof (sin_t):
614 		sa = (struct sockaddr *)mi_offset_param(mp, tcr->DEST_offset,
615 		    sizeof (sin_t));
616 		break;
617 	case sizeof (sin6_t):
618 		sa = (struct sockaddr *)mi_offset_param(mp,
619 		    tcr->DEST_offset, sizeof (sin6_t));
620 		break;
621 	}
622 
623 	error = proto_verify_ip_addr(connp->conn_family, sa, len);
624 	if (error != 0) {
625 		icmp_err_ack(q, mp, TSYSERR, error);
626 		return;
627 	}
628 
629 	error = rawip_do_connect(connp, sa, len, cr, pid);
630 	if (error != 0) {
631 		if (error < 0) {
632 			icmp_err_ack(q, mp, -error, 0);
633 		} else {
634 			icmp_err_ack(q, mp, 0, error);
635 		}
636 	} else {
637 		mblk_t *mp1;
638 
639 		/*
640 		 * We have to send a connection confirmation to
641 		 * keep TLI happy.
642 		 */
643 		if (connp->conn_family == AF_INET) {
644 			mp1 = mi_tpi_conn_con(NULL, (char *)sa,
645 			    sizeof (sin_t), NULL, 0);
646 		} else {
647 			ASSERT(connp->conn_family == AF_INET6);
648 			mp1 = mi_tpi_conn_con(NULL, (char *)sa,
649 			    sizeof (sin6_t), NULL, 0);
650 		}
651 		if (mp1 == NULL) {
652 			icmp_err_ack(q, mp, TSYSERR, ENOMEM);
653 			return;
654 		}
655 
656 		/*
657 		 * Send ok_ack for T_CONN_REQ
658 		 */
659 		mp = mi_tpi_ok_ack_alloc(mp);
660 		if (mp == NULL) {
661 			/* Unable to reuse the T_CONN_REQ for the ack. */
662 			icmp_err_ack_prim(q, mp1, T_CONN_REQ, TSYSERR, ENOMEM);
663 			return;
664 		}
665 		putnext(connp->conn_rq, mp);
666 		putnext(connp->conn_rq, mp1);
667 	}
668 }
669 
670 static int
671 rawip_do_connect(conn_t *connp, const struct sockaddr *sa, socklen_t len,
672     cred_t *cr, pid_t pid)
673 {
674 	icmp_t		*icmp;
675 	sin_t		*sin;
676 	sin6_t		*sin6;
677 	int		error;
678 	uint16_t 	dstport;
679 	ipaddr_t	v4dst;
680 	in6_addr_t	v6dst;
681 	uint32_t	flowinfo;
682 	ip_xmit_attr_t	*ixa;
683 	uint_t		scopeid = 0;
684 	uint_t		srcid = 0;
685 	in6_addr_t	v6src = connp->conn_saddr_v6;
686 
687 	icmp = connp->conn_icmp;
688 
689 	if (sa == NULL || !OK_32PTR((char *)sa)) {
690 		return (EINVAL);
691 	}
692 
693 	ASSERT(sa != NULL && len != 0);
694 
695 	/*
696 	 * Determine packet type based on type of address passed in
697 	 * the request should contain an IPv4 or IPv6 address.
698 	 * Make sure that address family matches the type of
699 	 * family of the address passed down.
700 	 */
701 	switch (len) {
702 	case sizeof (sin_t):
703 		sin = (sin_t *)sa;
704 
705 		v4dst = sin->sin_addr.s_addr;
706 		dstport = sin->sin_port;
707 		IN6_IPADDR_TO_V4MAPPED(v4dst, &v6dst);
708 		ASSERT(connp->conn_ipversion == IPV4_VERSION);
709 		break;
710 
711 	case sizeof (sin6_t):
712 		sin6 = (sin6_t *)sa;
713 
714 		/* No support for mapped addresses on raw sockets */
715 		if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
716 			return (EADDRNOTAVAIL);
717 		}
718 		v6dst = sin6->sin6_addr;
719 		dstport = sin6->sin6_port;
720 		ASSERT(connp->conn_ipversion == IPV6_VERSION);
721 		flowinfo = sin6->sin6_flowinfo;
722 		if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
723 			scopeid = sin6->sin6_scope_id;
724 		srcid = sin6->__sin6_src_id;
725 		if (srcid != 0 && IN6_IS_ADDR_UNSPECIFIED(&v6src)) {
726 			ip_srcid_find_id(srcid, &v6src, IPCL_ZONEID(connp),
727 			    connp->conn_netstack);
728 		}
729 		break;
730 	}
731 
732 	/*
733 	 * If there is a different thread using conn_ixa then we get a new
734 	 * copy and cut the old one loose from conn_ixa. Otherwise we use
735 	 * conn_ixa and prevent any other thread from using/changing it.
736 	 * Once connect() is done other threads can use conn_ixa since the
737 	 * refcnt will be back at one.
738 	 */
739 	ixa = conn_get_ixa(connp, B_TRUE);
740 	if (ixa == NULL)
741 		return (ENOMEM);
742 
743 	ASSERT(ixa->ixa_refcnt >= 2);
744 	ASSERT(ixa == connp->conn_ixa);
745 
746 	mutex_enter(&connp->conn_lock);
747 	/*
748 	 * This icmp_t must have bound already before doing a connect.
749 	 * Reject if a connect is in progress (we drop conn_lock during
750 	 * rawip_do_connect).
751 	 */
752 	if (icmp->icmp_state == TS_UNBND || icmp->icmp_state == TS_WCON_CREQ) {
753 		mutex_exit(&connp->conn_lock);
754 		ixa_refrele(ixa);
755 		return (-TOUTSTATE);
756 	}
757 
758 	if (icmp->icmp_state == TS_DATA_XFER) {
759 		/* Already connected - clear out state */
760 		if (connp->conn_mcbc_bind)
761 			connp->conn_saddr_v6 = ipv6_all_zeros;
762 		else
763 			connp->conn_saddr_v6 = connp->conn_bound_addr_v6;
764 		connp->conn_laddr_v6 = connp->conn_bound_addr_v6;
765 		connp->conn_faddr_v6 = ipv6_all_zeros;
766 		icmp->icmp_state = TS_IDLE;
767 	}
768 
769 	/*
770 	 * Use sin_port/sin6_port since applications like psh use SOCK_RAW
771 	 * with IPPROTO_TCP.
772 	 */
773 	connp->conn_fport = dstport;
774 	if (connp->conn_ipversion == IPV4_VERSION) {
775 		/*
776 		 * Interpret a zero destination to mean loopback.
777 		 * Update the T_CONN_REQ (sin/sin6) since it is used to
778 		 * generate the T_CONN_CON.
779 		 */
780 		if (v4dst == INADDR_ANY) {
781 			v4dst = htonl(INADDR_LOOPBACK);
782 			IN6_IPADDR_TO_V4MAPPED(v4dst, &v6dst);
783 			ASSERT(connp->conn_family == AF_INET);
784 			sin->sin_addr.s_addr = v4dst;
785 		}
786 		connp->conn_faddr_v6 = v6dst;
787 		connp->conn_flowinfo = 0;
788 	} else {
789 		ASSERT(connp->conn_ipversion == IPV6_VERSION);
790 		/*
791 		 * Interpret a zero destination to mean loopback.
792 		 * Update the T_CONN_REQ (sin/sin6) since it is used to
793 		 * generate the T_CONN_CON.
794 		 */
795 		if (IN6_IS_ADDR_UNSPECIFIED(&v6dst)) {
796 			v6dst = ipv6_loopback;
797 			sin6->sin6_addr = v6dst;
798 		}
799 		connp->conn_faddr_v6 = v6dst;
800 		connp->conn_flowinfo = flowinfo;
801 	}
802 
803 	ixa->ixa_cred = cr;
804 	ixa->ixa_cpid = pid;
805 	if (is_system_labeled()) {
806 		/* We need to restart with a label based on the cred */
807 		ip_xmit_attr_restore_tsl(ixa, ixa->ixa_cred);
808 	}
809 
810 	if (scopeid != 0) {
811 		ixa->ixa_flags |= IXAF_SCOPEID_SET;
812 		ixa->ixa_scopeid = scopeid;
813 		connp->conn_incoming_ifindex = scopeid;
814 	} else {
815 		ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
816 		connp->conn_incoming_ifindex = connp->conn_bound_if;
817 	}
818 
819 	/*
820 	 * conn_connect will drop conn_lock and reacquire it.
821 	 * To prevent a send* from messing with this icmp_t while the lock
822 	 * is dropped we set icmp_state and clear conn_v6lastdst.
823 	 * That will make all send* fail with EISCONN.
824 	 */
825 	connp->conn_v6lastdst = ipv6_all_zeros;
826 	icmp->icmp_state = TS_WCON_CREQ;
827 
828 	error = conn_connect(connp, NULL, IPDF_ALLOW_MCBC);
829 	mutex_exit(&connp->conn_lock);
830 	if (error != 0)
831 		goto connect_failed;
832 
833 	/*
834 	 * The addresses have been verified. Time to insert in
835 	 * the correct fanout list.
836 	 */
837 	error = ipcl_conn_insert(connp);
838 	if (error != 0)
839 		goto connect_failed;
840 
841 	mutex_enter(&connp->conn_lock);
842 	error = icmp_build_hdr_template(connp, &connp->conn_saddr_v6,
843 	    &connp->conn_faddr_v6, connp->conn_flowinfo);
844 	if (error != 0) {
845 		mutex_exit(&connp->conn_lock);
846 		goto connect_failed;
847 	}
848 
849 	icmp->icmp_state = TS_DATA_XFER;
850 	/* Record this as the "last" send even though we haven't sent any */
851 	connp->conn_v6lastdst = connp->conn_faddr_v6;
852 	connp->conn_lastipversion = connp->conn_ipversion;
853 	connp->conn_lastdstport = connp->conn_fport;
854 	connp->conn_lastflowinfo = connp->conn_flowinfo;
855 	connp->conn_lastscopeid = scopeid;
856 	connp->conn_lastsrcid = srcid;
857 	/* Also remember a source to use together with lastdst */
858 	connp->conn_v6lastsrc = v6src;
859 	mutex_exit(&connp->conn_lock);
860 
861 	ixa_refrele(ixa);
862 	return (0);
863 
864 connect_failed:
865 	if (ixa != NULL)
866 		ixa_refrele(ixa);
867 	mutex_enter(&connp->conn_lock);
868 	icmp->icmp_state = TS_IDLE;
869 	/* In case the source address was set above */
870 	if (connp->conn_mcbc_bind)
871 		connp->conn_saddr_v6 = ipv6_all_zeros;
872 	else
873 		connp->conn_saddr_v6 = connp->conn_bound_addr_v6;
874 	connp->conn_laddr_v6 = connp->conn_bound_addr_v6;
875 	connp->conn_faddr_v6 = ipv6_all_zeros;
876 	connp->conn_v6lastdst = ipv6_all_zeros;
877 	connp->conn_flowinfo = 0;
878 
879 	(void) icmp_build_hdr_template(connp, &connp->conn_saddr_v6,
880 	    &connp->conn_faddr_v6, connp->conn_flowinfo);
881 	mutex_exit(&connp->conn_lock);
882 	return (error);
883 }
884 
885 static void
886 rawip_do_close(conn_t *connp)
887 {
888 	ASSERT(connp != NULL && IPCL_IS_RAWIP(connp));
889 
890 	ip_quiesce_conn(connp);
891 
892 	if (!IPCL_IS_NONSTR(connp)) {
893 		qprocsoff(connp->conn_rq);
894 	}
895 
896 	icmp_close_free(connp);
897 
898 	/*
899 	 * Now we are truly single threaded on this stream, and can
900 	 * delete the things hanging off the connp, and finally the connp.
901 	 * We removed this connp from the fanout list, it cannot be
902 	 * accessed thru the fanouts, and we already waited for the
903 	 * conn_ref to drop to 0. We are already in close, so
904 	 * there cannot be any other thread from the top. qprocsoff
905 	 * has completed, and service has completed or won't run in
906 	 * future.
907 	 */
908 	ASSERT(connp->conn_ref == 1);
909 
910 	if (!IPCL_IS_NONSTR(connp)) {
911 		inet_minor_free(connp->conn_minor_arena, connp->conn_dev);
912 	} else {
913 		ip_free_helper_stream(connp);
914 	}
915 
916 	connp->conn_ref--;
917 	ipcl_conn_destroy(connp);
918 }
919 
920 static int
921 icmp_close(queue_t *q, int flags)
922 {
923 	conn_t  *connp;
924 
925 	if (flags & SO_FALLBACK) {
926 		/*
927 		 * stream is being closed while in fallback
928 		 * simply free the resources that were allocated
929 		 */
930 		inet_minor_free(WR(q)->q_ptr, (dev_t)(RD(q)->q_ptr));
931 		qprocsoff(q);
932 		goto done;
933 	}
934 
935 	connp = Q_TO_CONN(q);
936 	(void) rawip_do_close(connp);
937 done:
938 	q->q_ptr = WR(q)->q_ptr = NULL;
939 	return (0);
940 }
941 
942 static void
943 icmp_close_free(conn_t *connp)
944 {
945 	icmp_t *icmp = connp->conn_icmp;
946 
947 	if (icmp->icmp_filter != NULL) {
948 		kmem_free(icmp->icmp_filter, sizeof (icmp6_filter_t));
949 		icmp->icmp_filter = NULL;
950 	}
951 
952 	/*
953 	 * Clear any fields which the kmem_cache constructor clears.
954 	 * Only icmp_connp needs to be preserved.
955 	 * TBD: We should make this more efficient to avoid clearing
956 	 * everything.
957 	 */
958 	ASSERT(icmp->icmp_connp == connp);
959 	bzero(icmp, sizeof (icmp_t));
960 	icmp->icmp_connp = connp;
961 }
962 
963 /*
964  * This routine handles each T_DISCON_REQ message passed to icmp
965  * as an indicating that ICMP is no longer connected. This results
966  * in telling IP to restore the binding to just the local address.
967  */
968 static int
969 icmp_do_disconnect(conn_t *connp)
970 {
971 	icmp_t	*icmp = connp->conn_icmp;
972 	int	error;
973 
974 	mutex_enter(&connp->conn_lock);
975 	if (icmp->icmp_state != TS_DATA_XFER) {
976 		mutex_exit(&connp->conn_lock);
977 		return (-TOUTSTATE);
978 	}
979 	if (connp->conn_mcbc_bind)
980 		connp->conn_saddr_v6 = ipv6_all_zeros;
981 	else
982 		connp->conn_saddr_v6 = connp->conn_bound_addr_v6;
983 	connp->conn_laddr_v6 = connp->conn_bound_addr_v6;
984 	connp->conn_faddr_v6 = ipv6_all_zeros;
985 	icmp->icmp_state = TS_IDLE;
986 
987 	connp->conn_v6lastdst = ipv6_all_zeros;
988 	error = icmp_build_hdr_template(connp, &connp->conn_saddr_v6,
989 	    &connp->conn_faddr_v6, connp->conn_flowinfo);
990 	mutex_exit(&connp->conn_lock);
991 	if (error != 0)
992 		return (error);
993 
994 	/*
995 	 * Tell IP to remove the full binding and revert
996 	 * to the local address binding.
997 	 */
998 	return (ip_laddr_fanout_insert(connp));
999 }
1000 
1001 static void
1002 icmp_tpi_disconnect(queue_t *q, mblk_t *mp)
1003 {
1004 	conn_t	*connp = Q_TO_CONN(q);
1005 	int	error;
1006 
1007 	/*
1008 	 * Allocate the largest primitive we need to send back
1009 	 * T_error_ack is > than T_ok_ack
1010 	 */
1011 	mp = reallocb(mp, sizeof (struct T_error_ack), 1);
1012 	if (mp == NULL) {
1013 		/* Unable to reuse the T_DISCON_REQ for the ack. */
1014 		icmp_err_ack_prim(q, mp, T_DISCON_REQ, TSYSERR, ENOMEM);
1015 		return;
1016 	}
1017 
1018 	error = icmp_do_disconnect(connp);
1019 
1020 	if (error != 0) {
1021 		if (error > 0) {
1022 			icmp_err_ack(q, mp, 0, error);
1023 		} else {
1024 			icmp_err_ack(q, mp, -error, 0);
1025 		}
1026 	} else {
1027 		mp = mi_tpi_ok_ack_alloc(mp);
1028 		ASSERT(mp != NULL);
1029 		qreply(q, mp);
1030 	}
1031 }
1032 
1033 static int
1034 icmp_disconnect(conn_t *connp)
1035 {
1036 	int	error;
1037 
1038 	connp->conn_dgram_errind = B_FALSE;
1039 
1040 	error = icmp_do_disconnect(connp);
1041 
1042 	if (error < 0)
1043 		error = proto_tlitosyserr(-error);
1044 	return (error);
1045 }
1046 
1047 /* This routine creates a T_ERROR_ACK message and passes it upstream. */
1048 static void
1049 icmp_err_ack(queue_t *q, mblk_t *mp, t_scalar_t t_error, int sys_error)
1050 {
1051 	if ((mp = mi_tpi_err_ack_alloc(mp, t_error, sys_error)) != NULL)
1052 		qreply(q, mp);
1053 }
1054 
1055 /* Shorthand to generate and send TPI error acks to our client */
1056 static void
1057 icmp_err_ack_prim(queue_t *q, mblk_t *mp, t_scalar_t primitive,
1058     t_scalar_t t_error, int sys_error)
1059 {
1060 	struct T_error_ack	*teackp;
1061 
1062 	if ((mp = tpi_ack_alloc(mp, sizeof (struct T_error_ack),
1063 	    M_PCPROTO, T_ERROR_ACK)) != NULL) {
1064 		teackp = (struct T_error_ack *)mp->b_rptr;
1065 		teackp->ERROR_prim = primitive;
1066 		teackp->TLI_error = t_error;
1067 		teackp->UNIX_error = sys_error;
1068 		qreply(q, mp);
1069 	}
1070 }
1071 
1072 /*
1073  * icmp_icmp_input is called as conn_recvicmp to process ICMP messages.
1074  * Generates the appropriate T_UDERROR_IND for permanent (non-transient) errors.
1075  * Assumes that IP has pulled up everything up to and including the ICMP header.
1076  */
1077 /* ARGSUSED2 */
1078 static void
1079 icmp_icmp_input(void *arg1, mblk_t *mp, void *arg2, ip_recv_attr_t *ira)
1080 {
1081 	conn_t		*connp = (conn_t *)arg1;
1082 	icmp_t		*icmp = connp->conn_icmp;
1083 	icmph_t		*icmph;
1084 	ipha_t		*ipha;
1085 	int		iph_hdr_length;
1086 	sin_t		sin;
1087 	mblk_t		*mp1;
1088 	int		error = 0;
1089 
1090 	ipha = (ipha_t *)mp->b_rptr;
1091 
1092 	ASSERT(OK_32PTR(mp->b_rptr));
1093 
1094 	if (IPH_HDR_VERSION(ipha) != IPV4_VERSION) {
1095 		ASSERT(IPH_HDR_VERSION(ipha) == IPV6_VERSION);
1096 		icmp_icmp_error_ipv6(connp, mp, ira);
1097 		return;
1098 	}
1099 	ASSERT(IPH_HDR_VERSION(ipha) == IPV4_VERSION);
1100 
1101 	/* Skip past the outer IP and ICMP headers */
1102 	ASSERT(IPH_HDR_LENGTH(ipha) == ira->ira_ip_hdr_length);
1103 	iph_hdr_length = ira->ira_ip_hdr_length;
1104 	icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
1105 	ipha = (ipha_t *)&icmph[1];	/* Inner IP header */
1106 
1107 	iph_hdr_length = IPH_HDR_LENGTH(ipha);
1108 
1109 	switch (icmph->icmph_type) {
1110 	case ICMP_DEST_UNREACHABLE:
1111 		switch (icmph->icmph_code) {
1112 		case ICMP_FRAGMENTATION_NEEDED: {
1113 			ipha_t		*ipha;
1114 			ip_xmit_attr_t	*ixa;
1115 			/*
1116 			 * IP has already adjusted the path MTU.
1117 			 * But we need to adjust DF for IPv4.
1118 			 */
1119 			if (connp->conn_ipversion != IPV4_VERSION)
1120 				break;
1121 
1122 			ixa = conn_get_ixa(connp, B_FALSE);
1123 			if (ixa == NULL || ixa->ixa_ire == NULL) {
1124 				/*
1125 				 * Some other thread holds conn_ixa. We will
1126 				 * redo this on the next ICMP too big.
1127 				 */
1128 				if (ixa != NULL)
1129 					ixa_refrele(ixa);
1130 				break;
1131 			}
1132 			(void) ip_get_pmtu(ixa);
1133 
1134 			mutex_enter(&connp->conn_lock);
1135 			ipha = (ipha_t *)connp->conn_ht_iphc;
1136 			if (ixa->ixa_flags & IXAF_PMTU_IPV4_DF) {
1137 				ipha->ipha_fragment_offset_and_flags |=
1138 				    IPH_DF_HTONS;
1139 			} else {
1140 				ipha->ipha_fragment_offset_and_flags &=
1141 				    ~IPH_DF_HTONS;
1142 			}
1143 			mutex_exit(&connp->conn_lock);
1144 			ixa_refrele(ixa);
1145 			break;
1146 		}
1147 		case ICMP_PORT_UNREACHABLE:
1148 		case ICMP_PROTOCOL_UNREACHABLE:
1149 			error = ECONNREFUSED;
1150 			break;
1151 		default:
1152 			/* Transient errors */
1153 			break;
1154 		}
1155 		break;
1156 	default:
1157 		/* Transient errors */
1158 		break;
1159 	}
1160 	if (error == 0) {
1161 		freemsg(mp);
1162 		return;
1163 	}
1164 
1165 	/*
1166 	 * Deliver T_UDERROR_IND when the application has asked for it.
1167 	 * The socket layer enables this automatically when connected.
1168 	 */
1169 	if (!connp->conn_dgram_errind) {
1170 		freemsg(mp);
1171 		return;
1172 	}
1173 
1174 	sin = sin_null;
1175 	sin.sin_family = AF_INET;
1176 	sin.sin_addr.s_addr = ipha->ipha_dst;
1177 
1178 	if (IPCL_IS_NONSTR(connp)) {
1179 		mutex_enter(&connp->conn_lock);
1180 		if (icmp->icmp_state == TS_DATA_XFER) {
1181 			if (sin.sin_addr.s_addr == connp->conn_faddr_v4) {
1182 				mutex_exit(&connp->conn_lock);
1183 				(*connp->conn_upcalls->su_set_error)
1184 				    (connp->conn_upper_handle, error);
1185 				goto done;
1186 			}
1187 		} else {
1188 			icmp->icmp_delayed_error = error;
1189 			*((sin_t *)&icmp->icmp_delayed_addr) = sin;
1190 		}
1191 		mutex_exit(&connp->conn_lock);
1192 	} else {
1193 		mp1 = mi_tpi_uderror_ind((char *)&sin, sizeof (sin_t), NULL, 0,
1194 		    error);
1195 		if (mp1 != NULL)
1196 			putnext(connp->conn_rq, mp1);
1197 	}
1198 done:
1199 	freemsg(mp);
1200 }
1201 
1202 /*
1203  * icmp_icmp_error_ipv6 is called by icmp_icmp_error to process ICMP for IPv6.
1204  * Generates the appropriate T_UDERROR_IND for permanent (non-transient) errors.
1205  * Assumes that IP has pulled up all the extension headers as well as the
1206  * ICMPv6 header.
1207  */
1208 static void
1209 icmp_icmp_error_ipv6(conn_t *connp, mblk_t *mp, ip_recv_attr_t *ira)
1210 {
1211 	icmp6_t		*icmp6;
1212 	ip6_t		*ip6h, *outer_ip6h;
1213 	uint16_t	iph_hdr_length;
1214 	uint8_t		*nexthdrp;
1215 	sin6_t		sin6;
1216 	mblk_t		*mp1;
1217 	int		error = 0;
1218 	icmp_t		*icmp = connp->conn_icmp;
1219 
1220 	outer_ip6h = (ip6_t *)mp->b_rptr;
1221 #ifdef DEBUG
1222 	if (outer_ip6h->ip6_nxt != IPPROTO_ICMPV6)
1223 		iph_hdr_length = ip_hdr_length_v6(mp, outer_ip6h);
1224 	else
1225 		iph_hdr_length = IPV6_HDR_LEN;
1226 	ASSERT(iph_hdr_length == ira->ira_ip_hdr_length);
1227 #endif
1228 	/* Skip past the outer IP and ICMP headers */
1229 	iph_hdr_length = ira->ira_ip_hdr_length;
1230 	icmp6 = (icmp6_t *)&mp->b_rptr[iph_hdr_length];
1231 
1232 	ip6h = (ip6_t *)&icmp6[1];	/* Inner IP header */
1233 	if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &iph_hdr_length, &nexthdrp)) {
1234 		freemsg(mp);
1235 		return;
1236 	}
1237 
1238 	switch (icmp6->icmp6_type) {
1239 	case ICMP6_DST_UNREACH:
1240 		switch (icmp6->icmp6_code) {
1241 		case ICMP6_DST_UNREACH_NOPORT:
1242 			error = ECONNREFUSED;
1243 			break;
1244 		case ICMP6_DST_UNREACH_ADMIN:
1245 		case ICMP6_DST_UNREACH_NOROUTE:
1246 		case ICMP6_DST_UNREACH_BEYONDSCOPE:
1247 		case ICMP6_DST_UNREACH_ADDR:
1248 			/* Transient errors */
1249 			break;
1250 		default:
1251 			break;
1252 		}
1253 		break;
1254 	case ICMP6_PACKET_TOO_BIG: {
1255 		struct T_unitdata_ind	*tudi;
1256 		struct T_opthdr		*toh;
1257 		size_t			udi_size;
1258 		mblk_t			*newmp;
1259 		t_scalar_t		opt_length = sizeof (struct T_opthdr) +
1260 		    sizeof (struct ip6_mtuinfo);
1261 		sin6_t			*sin6;
1262 		struct ip6_mtuinfo	*mtuinfo;
1263 
1264 		/*
1265 		 * If the application has requested to receive path mtu
1266 		 * information, send up an empty message containing an
1267 		 * IPV6_PATHMTU ancillary data item.
1268 		 */
1269 		if (!connp->conn_ipv6_recvpathmtu)
1270 			break;
1271 
1272 		udi_size = sizeof (struct T_unitdata_ind) + sizeof (sin6_t) +
1273 		    opt_length;
1274 		if ((newmp = allocb(udi_size, BPRI_MED)) == NULL) {
1275 			BUMP_MIB(&icmp->icmp_is->is_rawip_mib, rawipInErrors);
1276 			break;
1277 		}
1278 
1279 		/*
1280 		 * newmp->b_cont is left to NULL on purpose.  This is an
1281 		 * empty message containing only ancillary data.
1282 		 */
1283 		newmp->b_datap->db_type = M_PROTO;
1284 		tudi = (struct T_unitdata_ind *)newmp->b_rptr;
1285 		newmp->b_wptr = (uchar_t *)tudi + udi_size;
1286 		tudi->PRIM_type = T_UNITDATA_IND;
1287 		tudi->SRC_length = sizeof (sin6_t);
1288 		tudi->SRC_offset = sizeof (struct T_unitdata_ind);
1289 		tudi->OPT_offset = tudi->SRC_offset + sizeof (sin6_t);
1290 		tudi->OPT_length = opt_length;
1291 
1292 		sin6 = (sin6_t *)&tudi[1];
1293 		bzero(sin6, sizeof (sin6_t));
1294 		sin6->sin6_family = AF_INET6;
1295 		sin6->sin6_addr = connp->conn_faddr_v6;
1296 
1297 		toh = (struct T_opthdr *)&sin6[1];
1298 		toh->level = IPPROTO_IPV6;
1299 		toh->name = IPV6_PATHMTU;
1300 		toh->len = opt_length;
1301 		toh->status = 0;
1302 
1303 		mtuinfo = (struct ip6_mtuinfo *)&toh[1];
1304 		bzero(mtuinfo, sizeof (struct ip6_mtuinfo));
1305 		mtuinfo->ip6m_addr.sin6_family = AF_INET6;
1306 		mtuinfo->ip6m_addr.sin6_addr = ip6h->ip6_dst;
1307 		mtuinfo->ip6m_mtu = icmp6->icmp6_mtu;
1308 		/*
1309 		 * We've consumed everything we need from the original
1310 		 * message.  Free it, then send our empty message.
1311 		 */
1312 		freemsg(mp);
1313 		icmp_ulp_recv(connp, newmp, msgdsize(newmp));
1314 		return;
1315 	}
1316 	case ICMP6_TIME_EXCEEDED:
1317 		/* Transient errors */
1318 		break;
1319 	case ICMP6_PARAM_PROB:
1320 		/* If this corresponds to an ICMP_PROTOCOL_UNREACHABLE */
1321 		if (icmp6->icmp6_code == ICMP6_PARAMPROB_NEXTHEADER &&
1322 		    (uchar_t *)ip6h + icmp6->icmp6_pptr ==
1323 		    (uchar_t *)nexthdrp) {
1324 			error = ECONNREFUSED;
1325 			break;
1326 		}
1327 		break;
1328 	}
1329 	if (error == 0) {
1330 		freemsg(mp);
1331 		return;
1332 	}
1333 
1334 	/*
1335 	 * Deliver T_UDERROR_IND when the application has asked for it.
1336 	 * The socket layer enables this automatically when connected.
1337 	 */
1338 	if (!connp->conn_dgram_errind) {
1339 		freemsg(mp);
1340 		return;
1341 	}
1342 
1343 	sin6 = sin6_null;
1344 	sin6.sin6_family = AF_INET6;
1345 	sin6.sin6_addr = ip6h->ip6_dst;
1346 	sin6.sin6_flowinfo = ip6h->ip6_vcf & ~IPV6_VERS_AND_FLOW_MASK;
1347 	if (IPCL_IS_NONSTR(connp)) {
1348 		mutex_enter(&connp->conn_lock);
1349 		if (icmp->icmp_state == TS_DATA_XFER) {
1350 			if (IN6_ARE_ADDR_EQUAL(&sin6.sin6_addr,
1351 			    &connp->conn_faddr_v6)) {
1352 				mutex_exit(&connp->conn_lock);
1353 				(*connp->conn_upcalls->su_set_error)
1354 				    (connp->conn_upper_handle, error);
1355 				goto done;
1356 			}
1357 		} else {
1358 			icmp->icmp_delayed_error = error;
1359 			*((sin6_t *)&icmp->icmp_delayed_addr) = sin6;
1360 		}
1361 		mutex_exit(&connp->conn_lock);
1362 	} else {
1363 		mp1 = mi_tpi_uderror_ind((char *)&sin6, sizeof (sin6_t),
1364 		    NULL, 0, error);
1365 		if (mp1 != NULL)
1366 			putnext(connp->conn_rq, mp1);
1367 	}
1368 done:
1369 	freemsg(mp);
1370 }
1371 
1372 /*
1373  * This routine responds to T_ADDR_REQ messages.  It is called by icmp_wput.
1374  * The local address is filled in if endpoint is bound. The remote address
1375  * is filled in if remote address has been precified ("connected endpoint")
1376  * (The concept of connected CLTS sockets is alien to published TPI
1377  *  but we support it anyway).
1378  */
1379 static void
1380 icmp_addr_req(queue_t *q, mblk_t *mp)
1381 {
1382 	struct sockaddr *sa;
1383 	mblk_t	*ackmp;
1384 	struct T_addr_ack *taa;
1385 	icmp_t	*icmp = Q_TO_ICMP(q);
1386 	conn_t	*connp = icmp->icmp_connp;
1387 	uint_t	addrlen;
1388 
1389 	/* Make it large enough for worst case */
1390 	ackmp = reallocb(mp, sizeof (struct T_addr_ack) +
1391 	    2 * sizeof (sin6_t), 1);
1392 	if (ackmp == NULL) {
1393 		icmp_err_ack(q, mp, TSYSERR, ENOMEM);
1394 		return;
1395 	}
1396 	taa = (struct T_addr_ack *)ackmp->b_rptr;
1397 
1398 	bzero(taa, sizeof (struct T_addr_ack));
1399 	ackmp->b_wptr = (uchar_t *)&taa[1];
1400 
1401 	taa->PRIM_type = T_ADDR_ACK;
1402 	ackmp->b_datap->db_type = M_PCPROTO;
1403 
1404 	if (connp->conn_family == AF_INET)
1405 		addrlen = sizeof (sin_t);
1406 	else
1407 		addrlen = sizeof (sin6_t);
1408 
1409 	mutex_enter(&connp->conn_lock);
1410 	/*
1411 	 * Note: Following code assumes 32 bit alignment of basic
1412 	 * data structures like sin_t and struct T_addr_ack.
1413 	 */
1414 	if (icmp->icmp_state != TS_UNBND) {
1415 		/*
1416 		 * Fill in local address first
1417 		 */
1418 		taa->LOCADDR_offset = sizeof (*taa);
1419 		taa->LOCADDR_length = addrlen;
1420 		sa = (struct sockaddr *)&taa[1];
1421 		(void) conn_getsockname(connp, sa, &addrlen);
1422 		ackmp->b_wptr += addrlen;
1423 	}
1424 	if (icmp->icmp_state == TS_DATA_XFER) {
1425 		/*
1426 		 * connected, fill remote address too
1427 		 */
1428 		taa->REMADDR_length = addrlen;
1429 		/* assumed 32-bit alignment */
1430 		taa->REMADDR_offset = taa->LOCADDR_offset + taa->LOCADDR_length;
1431 		sa = (struct sockaddr *)(ackmp->b_rptr + taa->REMADDR_offset);
1432 		(void) conn_getpeername(connp, sa, &addrlen);
1433 		ackmp->b_wptr += addrlen;
1434 	}
1435 	mutex_exit(&connp->conn_lock);
1436 	ASSERT(ackmp->b_wptr <= ackmp->b_datap->db_lim);
1437 	qreply(q, ackmp);
1438 }
1439 
1440 static void
1441 icmp_copy_info(struct T_info_ack *tap, icmp_t *icmp)
1442 {
1443 	conn_t		*connp = icmp->icmp_connp;
1444 
1445 	*tap = icmp_g_t_info_ack;
1446 
1447 	if (connp->conn_family == AF_INET6)
1448 		tap->ADDR_size = sizeof (sin6_t);
1449 	else
1450 		tap->ADDR_size = sizeof (sin_t);
1451 	tap->CURRENT_state = icmp->icmp_state;
1452 	tap->OPT_size = icmp_max_optsize;
1453 }
1454 
1455 static void
1456 icmp_do_capability_ack(icmp_t *icmp, struct T_capability_ack *tcap,
1457     t_uscalar_t cap_bits1)
1458 {
1459 	tcap->CAP_bits1 = 0;
1460 
1461 	if (cap_bits1 & TC1_INFO) {
1462 		icmp_copy_info(&tcap->INFO_ack, icmp);
1463 		tcap->CAP_bits1 |= TC1_INFO;
1464 	}
1465 }
1466 
1467 /*
1468  * This routine responds to T_CAPABILITY_REQ messages.  It is called by
1469  * icmp_wput.  Much of the T_CAPABILITY_ACK information is copied from
1470  * icmp_g_t_info_ack.  The current state of the stream is copied from
1471  * icmp_state.
1472  */
1473 static void
1474 icmp_capability_req(queue_t *q, mblk_t *mp)
1475 {
1476 	icmp_t			*icmp = Q_TO_ICMP(q);
1477 	t_uscalar_t		cap_bits1;
1478 	struct T_capability_ack	*tcap;
1479 
1480 	cap_bits1 = ((struct T_capability_req *)mp->b_rptr)->CAP_bits1;
1481 
1482 	mp = tpi_ack_alloc(mp, sizeof (struct T_capability_ack),
1483 	    mp->b_datap->db_type, T_CAPABILITY_ACK);
1484 	if (!mp)
1485 		return;
1486 
1487 	tcap = (struct T_capability_ack *)mp->b_rptr;
1488 
1489 	icmp_do_capability_ack(icmp, tcap, cap_bits1);
1490 
1491 	qreply(q, mp);
1492 }
1493 
1494 /*
1495  * This routine responds to T_INFO_REQ messages.  It is called by icmp_wput.
1496  * Most of the T_INFO_ACK information is copied from icmp_g_t_info_ack.
1497  * The current state of the stream is copied from icmp_state.
1498  */
1499 static void
1500 icmp_info_req(queue_t *q, mblk_t *mp)
1501 {
1502 	icmp_t	*icmp = Q_TO_ICMP(q);
1503 
1504 	/* Create a T_INFO_ACK message. */
1505 	mp = tpi_ack_alloc(mp, sizeof (struct T_info_ack), M_PCPROTO,
1506 	    T_INFO_ACK);
1507 	if (!mp)
1508 		return;
1509 	icmp_copy_info((struct T_info_ack *)mp->b_rptr, icmp);
1510 	qreply(q, mp);
1511 }
1512 
1513 static int
1514 icmp_tpi_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp,
1515     int family)
1516 {
1517 	conn_t *connp;
1518 	dev_t	conn_dev;
1519 	int	error;
1520 
1521 	/* If the stream is already open, return immediately. */
1522 	if (q->q_ptr != NULL)
1523 		return (0);
1524 
1525 	if (sflag == MODOPEN)
1526 		return (EINVAL);
1527 
1528 	/*
1529 	 * Since ICMP is not used so heavily, allocating from the small
1530 	 * arena should be sufficient.
1531 	 */
1532 	if ((conn_dev = inet_minor_alloc(ip_minor_arena_sa)) == 0) {
1533 		return (EBUSY);
1534 	}
1535 
1536 	if (flag & SO_FALLBACK) {
1537 		/*
1538 		 * Non streams socket needs a stream to fallback to
1539 		 */
1540 		RD(q)->q_ptr = (void *)conn_dev;
1541 		WR(q)->q_qinfo = &icmp_fallback_sock_winit;
1542 		WR(q)->q_ptr = (void *)ip_minor_arena_sa;
1543 		qprocson(q);
1544 		return (0);
1545 	}
1546 
1547 	connp = rawip_do_open(family, credp, &error, KM_SLEEP);
1548 	if (connp == NULL) {
1549 		ASSERT(error != 0);
1550 		inet_minor_free(ip_minor_arena_sa, connp->conn_dev);
1551 		return (error);
1552 	}
1553 
1554 	*devp = makedevice(getemajor(*devp), (minor_t)conn_dev);
1555 	connp->conn_dev = conn_dev;
1556 	connp->conn_minor_arena = ip_minor_arena_sa;
1557 
1558 	/*
1559 	 * Initialize the icmp_t structure for this stream.
1560 	 */
1561 	q->q_ptr = connp;
1562 	WR(q)->q_ptr = connp;
1563 	connp->conn_rq = q;
1564 	connp->conn_wq = WR(q);
1565 
1566 	WR(q)->q_hiwat = connp->conn_sndbuf;
1567 	WR(q)->q_lowat = connp->conn_sndlowat;
1568 
1569 	qprocson(q);
1570 
1571 	/* Set the Stream head write offset. */
1572 	(void) proto_set_tx_wroff(q, connp, connp->conn_wroff);
1573 	(void) proto_set_rx_hiwat(connp->conn_rq, connp, connp->conn_rcvbuf);
1574 
1575 	mutex_enter(&connp->conn_lock);
1576 	connp->conn_state_flags &= ~CONN_INCIPIENT;
1577 	mutex_exit(&connp->conn_lock);
1578 
1579 	icmp_bind_proto(connp->conn_icmp);
1580 
1581 	return (0);
1582 }
1583 
1584 /* For /dev/icmp aka AF_INET open */
1585 static int
1586 icmp_openv4(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
1587 {
1588 	return (icmp_tpi_open(q, devp, flag, sflag, credp, AF_INET));
1589 }
1590 
1591 /* For /dev/icmp6 aka AF_INET6 open */
1592 static int
1593 icmp_openv6(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
1594 {
1595 	return (icmp_tpi_open(q, devp, flag, sflag, credp, AF_INET6));
1596 }
1597 
1598 /*
1599  * This is the open routine for icmp.  It allocates a icmp_t structure for
1600  * the stream and, on the first open of the module, creates an ND table.
1601  */
1602 static conn_t *
1603 rawip_do_open(int family, cred_t *credp, int *err, int flags)
1604 {
1605 	icmp_t	*icmp;
1606 	conn_t *connp;
1607 	zoneid_t zoneid;
1608 	netstack_t *ns;
1609 	icmp_stack_t *is;
1610 	int len;
1611 	boolean_t isv6 = B_FALSE;
1612 
1613 	*err = secpolicy_net_icmpaccess(credp);
1614 	if (*err != 0)
1615 		return (NULL);
1616 
1617 	if (family == AF_INET6)
1618 		isv6 = B_TRUE;
1619 
1620 	ns = netstack_find_by_cred(credp);
1621 	ASSERT(ns != NULL);
1622 	is = ns->netstack_icmp;
1623 	ASSERT(is != NULL);
1624 
1625 	/*
1626 	 * For exclusive stacks we set the zoneid to zero
1627 	 * to make ICMP operate as if in the global zone.
1628 	 */
1629 	if (ns->netstack_stackid != GLOBAL_NETSTACKID)
1630 		zoneid = GLOBAL_ZONEID;
1631 	else
1632 		zoneid = crgetzoneid(credp);
1633 
1634 	ASSERT(flags == KM_SLEEP || flags == KM_NOSLEEP);
1635 
1636 	connp = ipcl_conn_create(IPCL_RAWIPCONN, flags, ns);
1637 	icmp = connp->conn_icmp;
1638 
1639 	/*
1640 	 * ipcl_conn_create did a netstack_hold. Undo the hold that was
1641 	 * done by netstack_find_by_cred()
1642 	 */
1643 	netstack_rele(ns);
1644 
1645 	/*
1646 	 * Since this conn_t/icmp_t is not yet visible to anybody else we don't
1647 	 * need to lock anything.
1648 	 */
1649 	ASSERT(connp->conn_proto == IPPROTO_ICMP);
1650 	ASSERT(connp->conn_icmp == icmp);
1651 	ASSERT(icmp->icmp_connp == connp);
1652 
1653 	/* Set the initial state of the stream and the privilege status. */
1654 	icmp->icmp_state = TS_UNBND;
1655 	connp->conn_ixa->ixa_flags |= IXAF_VERIFY_SOURCE;
1656 	if (isv6) {
1657 		connp->conn_family = AF_INET6;
1658 		connp->conn_ipversion = IPV6_VERSION;
1659 		connp->conn_ixa->ixa_flags &= ~IXAF_IS_IPV4;
1660 		connp->conn_proto = IPPROTO_ICMPV6;
1661 		/* May be changed by a SO_PROTOTYPE socket option. */
1662 		connp->conn_proto = IPPROTO_ICMPV6;
1663 		connp->conn_ixa->ixa_protocol = connp->conn_proto;
1664 		connp->conn_ixa->ixa_raw_cksum_offset = 2;
1665 		connp->conn_default_ttl = is->is_ipv6_hoplimit;
1666 		len = sizeof (ip6_t);
1667 	} else {
1668 		connp->conn_family = AF_INET;
1669 		connp->conn_ipversion = IPV4_VERSION;
1670 		connp->conn_ixa->ixa_flags |= IXAF_IS_IPV4;
1671 		/* May be changed by a SO_PROTOTYPE socket option. */
1672 		connp->conn_proto = IPPROTO_ICMP;
1673 		connp->conn_ixa->ixa_protocol = connp->conn_proto;
1674 		connp->conn_default_ttl = is->is_ipv4_ttl;
1675 		len = sizeof (ipha_t);
1676 	}
1677 	connp->conn_xmit_ipp.ipp_unicast_hops = connp->conn_default_ttl;
1678 
1679 	connp->conn_ixa->ixa_multicast_ttl = IP_DEFAULT_MULTICAST_TTL;
1680 
1681 	/*
1682 	 * For the socket of protocol IPPROTO_RAW or when IP_HDRINCL is set,
1683 	 * the checksum is provided in the pre-built packet. We clear
1684 	 * IXAF_SET_ULP_CKSUM to tell IP that the application has sent a
1685 	 * complete IP header and not to compute the transport checksum.
1686 	 */
1687 	connp->conn_ixa->ixa_flags |= IXAF_MULTICAST_LOOP | IXAF_SET_ULP_CKSUM;
1688 	/* conn_allzones can not be set this early, hence no IPCL_ZONEID */
1689 	connp->conn_ixa->ixa_zoneid = zoneid;
1690 
1691 	connp->conn_zoneid = zoneid;
1692 
1693 	/*
1694 	 * If the caller has the process-wide flag set, then default to MAC
1695 	 * exempt mode.  This allows read-down to unlabeled hosts.
1696 	 */
1697 	if (getpflags(NET_MAC_AWARE, credp) != 0)
1698 		connp->conn_mac_mode = CONN_MAC_AWARE;
1699 
1700 	connp->conn_zone_is_global = (crgetzoneid(credp) == GLOBAL_ZONEID);
1701 
1702 	icmp->icmp_is = is;
1703 
1704 	connp->conn_rcvbuf = is->is_recv_hiwat;
1705 	connp->conn_sndbuf = is->is_xmit_hiwat;
1706 	connp->conn_sndlowat = is->is_xmit_lowat;
1707 	connp->conn_rcvlowat = icmp_mod_info.mi_lowat;
1708 
1709 	connp->conn_wroff = len + is->is_wroff_extra;
1710 	connp->conn_so_type = SOCK_RAW;
1711 
1712 	connp->conn_recv = icmp_input;
1713 	connp->conn_recvicmp = icmp_icmp_input;
1714 	crhold(credp);
1715 	connp->conn_cred = credp;
1716 	connp->conn_cpid = curproc->p_pid;
1717 	connp->conn_open_time = ddi_get_lbolt64();
1718 	/* Cache things in ixa without an extra refhold */
1719 	connp->conn_ixa->ixa_cred = connp->conn_cred;
1720 	connp->conn_ixa->ixa_cpid = connp->conn_cpid;
1721 	if (is_system_labeled())
1722 		connp->conn_ixa->ixa_tsl = crgetlabel(connp->conn_cred);
1723 
1724 	connp->conn_flow_cntrld = B_FALSE;
1725 
1726 	if (is->is_pmtu_discovery)
1727 		connp->conn_ixa->ixa_flags |= IXAF_PMTU_DISCOVERY;
1728 
1729 	return (connp);
1730 }
1731 
1732 /*
1733  * Which ICMP options OK to set through T_UNITDATA_REQ...
1734  */
1735 /* ARGSUSED */
1736 static boolean_t
1737 icmp_opt_allow_udr_set(t_scalar_t level, t_scalar_t name)
1738 {
1739 	return (B_TRUE);
1740 }
1741 
1742 /*
1743  * This routine gets default values of certain options whose default
1744  * values are maintained by protcol specific code
1745  */
1746 int
1747 icmp_opt_default(queue_t *q, t_scalar_t level, t_scalar_t name, uchar_t *ptr)
1748 {
1749 	icmp_t *icmp = Q_TO_ICMP(q);
1750 	icmp_stack_t *is = icmp->icmp_is;
1751 	int *i1 = (int *)ptr;
1752 
1753 	switch (level) {
1754 	case IPPROTO_IP:
1755 		switch (name) {
1756 		case IP_MULTICAST_TTL:
1757 			*ptr = (uchar_t)IP_DEFAULT_MULTICAST_TTL;
1758 			return (sizeof (uchar_t));
1759 		case IP_MULTICAST_LOOP:
1760 			*ptr = (uchar_t)IP_DEFAULT_MULTICAST_LOOP;
1761 			return (sizeof (uchar_t));
1762 		}
1763 		break;
1764 	case IPPROTO_IPV6:
1765 		switch (name) {
1766 		case IPV6_MULTICAST_HOPS:
1767 			*i1 = IP_DEFAULT_MULTICAST_TTL;
1768 			return (sizeof (int));
1769 		case IPV6_MULTICAST_LOOP:
1770 			*i1 = IP_DEFAULT_MULTICAST_LOOP;
1771 			return (sizeof (int));
1772 		case IPV6_UNICAST_HOPS:
1773 			*i1 = is->is_ipv6_hoplimit;
1774 			return (sizeof (int));
1775 		}
1776 		break;
1777 	case IPPROTO_ICMPV6:
1778 		switch (name) {
1779 		case ICMP6_FILTER:
1780 			/* Make it look like "pass all" */
1781 			ICMP6_FILTER_SETPASSALL((icmp6_filter_t *)ptr);
1782 			return (sizeof (icmp6_filter_t));
1783 		}
1784 		break;
1785 	}
1786 	return (-1);
1787 }
1788 
1789 /*
1790  * This routine retrieves the current status of socket options.
1791  * It returns the size of the option retrieved, or -1.
1792  */
1793 int
1794 icmp_opt_get(conn_t *connp, int level, int name, uchar_t *ptr)
1795 {
1796 	icmp_t		*icmp = connp->conn_icmp;
1797 	int		*i1 = (int *)ptr;
1798 	conn_opt_arg_t	coas;
1799 	int		retval;
1800 
1801 	coas.coa_connp = connp;
1802 	coas.coa_ixa = connp->conn_ixa;
1803 	coas.coa_ipp = &connp->conn_xmit_ipp;
1804 	coas.coa_ancillary = B_FALSE;
1805 	coas.coa_changed = 0;
1806 
1807 	/*
1808 	 * We assume that the optcom framework has checked for the set
1809 	 * of levels and names that are supported, hence we don't worry
1810 	 * about rejecting based on that.
1811 	 * First check for ICMP specific handling, then pass to common routine.
1812 	 */
1813 	switch (level) {
1814 	case IPPROTO_IP:
1815 		/*
1816 		 * Only allow IPv4 option processing on IPv4 sockets.
1817 		 */
1818 		if (connp->conn_family != AF_INET)
1819 			return (-1);
1820 
1821 		switch (name) {
1822 		case IP_OPTIONS:
1823 		case T_IP_OPTIONS:
1824 			/* Options are passed up with each packet */
1825 			return (0);
1826 		case IP_HDRINCL:
1827 			mutex_enter(&connp->conn_lock);
1828 			*i1 = (int)icmp->icmp_hdrincl;
1829 			mutex_exit(&connp->conn_lock);
1830 			return (sizeof (int));
1831 		}
1832 		break;
1833 
1834 	case IPPROTO_IPV6:
1835 		/*
1836 		 * Only allow IPv6 option processing on native IPv6 sockets.
1837 		 */
1838 		if (connp->conn_family != AF_INET6)
1839 			return (-1);
1840 
1841 		switch (name) {
1842 		case IPV6_CHECKSUM:
1843 			/*
1844 			 * Return offset or -1 if no checksum offset.
1845 			 * Does not apply to IPPROTO_ICMPV6
1846 			 */
1847 			if (connp->conn_proto == IPPROTO_ICMPV6)
1848 				return (-1);
1849 
1850 			mutex_enter(&connp->conn_lock);
1851 			if (connp->conn_ixa->ixa_flags & IXAF_SET_RAW_CKSUM)
1852 				*i1 = connp->conn_ixa->ixa_raw_cksum_offset;
1853 			else
1854 				*i1 = -1;
1855 			mutex_exit(&connp->conn_lock);
1856 			return (sizeof (int));
1857 		}
1858 		break;
1859 
1860 	case IPPROTO_ICMPV6:
1861 		/*
1862 		 * Only allow IPv6 option processing on native IPv6 sockets.
1863 		 */
1864 		if (connp->conn_family != AF_INET6)
1865 			return (-1);
1866 
1867 		if (connp->conn_proto != IPPROTO_ICMPV6)
1868 			return (-1);
1869 
1870 		switch (name) {
1871 		case ICMP6_FILTER:
1872 			mutex_enter(&connp->conn_lock);
1873 			if (icmp->icmp_filter == NULL) {
1874 				/* Make it look like "pass all" */
1875 				ICMP6_FILTER_SETPASSALL((icmp6_filter_t *)ptr);
1876 			} else {
1877 				(void) bcopy(icmp->icmp_filter, ptr,
1878 				    sizeof (icmp6_filter_t));
1879 			}
1880 			mutex_exit(&connp->conn_lock);
1881 			return (sizeof (icmp6_filter_t));
1882 		}
1883 	}
1884 	mutex_enter(&connp->conn_lock);
1885 	retval = conn_opt_get(&coas, level, name, ptr);
1886 	mutex_exit(&connp->conn_lock);
1887 	return (retval);
1888 }
1889 
1890 /*
1891  * This routine retrieves the current status of socket options.
1892  * It returns the size of the option retrieved, or -1.
1893  */
1894 int
1895 icmp_tpi_opt_get(queue_t *q, int level, int name, uchar_t *ptr)
1896 {
1897 	conn_t		*connp = Q_TO_CONN(q);
1898 	int 		err;
1899 
1900 	err = icmp_opt_get(connp, level, name, ptr);
1901 	return (err);
1902 }
1903 
1904 /*
1905  * This routine sets socket options.
1906  */
1907 int
1908 icmp_do_opt_set(conn_opt_arg_t *coa, int level, int name,
1909     uint_t inlen, uchar_t *invalp, cred_t *cr, boolean_t checkonly)
1910 {
1911 	conn_t		*connp = coa->coa_connp;
1912 	ip_xmit_attr_t	*ixa = coa->coa_ixa;
1913 	icmp_t		*icmp = connp->conn_icmp;
1914 	icmp_stack_t	*is = icmp->icmp_is;
1915 	int		*i1 = (int *)invalp;
1916 	boolean_t	onoff = (*i1 == 0) ? 0 : 1;
1917 	int		error;
1918 
1919 	ASSERT(MUTEX_NOT_HELD(&coa->coa_connp->conn_lock));
1920 
1921 	/*
1922 	 * For fixed length options, no sanity check
1923 	 * of passed in length is done. It is assumed *_optcom_req()
1924 	 * routines do the right thing.
1925 	 */
1926 
1927 	switch (level) {
1928 	case SOL_SOCKET:
1929 		switch (name) {
1930 		case SO_PROTOTYPE:
1931 			if ((*i1 & 0xFF) != IPPROTO_ICMP &&
1932 			    (*i1 & 0xFF) != IPPROTO_ICMPV6 &&
1933 			    secpolicy_net_rawaccess(cr) != 0) {
1934 				return (EACCES);
1935 			}
1936 			if (checkonly)
1937 				break;
1938 
1939 			mutex_enter(&connp->conn_lock);
1940 			connp->conn_proto = *i1 & 0xFF;
1941 			ixa->ixa_protocol = connp->conn_proto;
1942 			if ((connp->conn_proto == IPPROTO_RAW ||
1943 			    connp->conn_proto == IPPROTO_IGMP) &&
1944 			    connp->conn_family == AF_INET) {
1945 				icmp->icmp_hdrincl = 1;
1946 				ixa->ixa_flags &= ~IXAF_SET_ULP_CKSUM;
1947 			} else if (connp->conn_proto == IPPROTO_UDP ||
1948 			    connp->conn_proto == IPPROTO_TCP ||
1949 			    connp->conn_proto == IPPROTO_SCTP) {
1950 				/* Used by test applications like psh */
1951 				icmp->icmp_hdrincl = 0;
1952 				ixa->ixa_flags &= ~IXAF_SET_ULP_CKSUM;
1953 			} else {
1954 				icmp->icmp_hdrincl = 0;
1955 				ixa->ixa_flags |= IXAF_SET_ULP_CKSUM;
1956 			}
1957 
1958 			if (connp->conn_family == AF_INET6 &&
1959 			    connp->conn_proto == IPPROTO_ICMPV6) {
1960 				/* Set offset for icmp6_cksum */
1961 				ixa->ixa_flags &= ~IXAF_SET_RAW_CKSUM;
1962 				ixa->ixa_raw_cksum_offset = 2;
1963 			}
1964 			if (icmp->icmp_filter != NULL &&
1965 			    connp->conn_proto != IPPROTO_ICMPV6) {
1966 				kmem_free(icmp->icmp_filter,
1967 				    sizeof (icmp6_filter_t));
1968 				icmp->icmp_filter = NULL;
1969 			}
1970 			mutex_exit(&connp->conn_lock);
1971 
1972 			coa->coa_changed |= COA_HEADER_CHANGED;
1973 			/*
1974 			 * For SCTP, we don't use icmp_bind_proto() for
1975 			 * raw socket binding.
1976 			 */
1977 			if (connp->conn_proto == IPPROTO_SCTP)
1978 				return (0);
1979 
1980 			coa->coa_changed |= COA_ICMP_BIND_NEEDED;
1981 			return (0);
1982 
1983 		case SO_SNDBUF:
1984 			if (*i1 > is->is_max_buf) {
1985 				return (ENOBUFS);
1986 			}
1987 			break;
1988 		case SO_RCVBUF:
1989 			if (*i1 > is->is_max_buf) {
1990 				return (ENOBUFS);
1991 			}
1992 			break;
1993 		}
1994 		break;
1995 
1996 	case IPPROTO_IP:
1997 		/*
1998 		 * Only allow IPv4 option processing on IPv4 sockets.
1999 		 */
2000 		if (connp->conn_family != AF_INET)
2001 			return (EINVAL);
2002 
2003 		switch (name) {
2004 		case IP_HDRINCL:
2005 			if (!checkonly) {
2006 				mutex_enter(&connp->conn_lock);
2007 				icmp->icmp_hdrincl = onoff;
2008 				if (onoff)
2009 					ixa->ixa_flags &= ~IXAF_SET_ULP_CKSUM;
2010 				else
2011 					ixa->ixa_flags |= IXAF_SET_ULP_CKSUM;
2012 				mutex_exit(&connp->conn_lock);
2013 			}
2014 			break;
2015 		}
2016 		break;
2017 
2018 	case IPPROTO_IPV6:
2019 		if (connp->conn_family != AF_INET6)
2020 			return (EINVAL);
2021 
2022 		switch (name) {
2023 		case IPV6_CHECKSUM:
2024 			/*
2025 			 * Integer offset into the user data of where the
2026 			 * checksum is located.
2027 			 * Offset of -1 disables option.
2028 			 * Does not apply to IPPROTO_ICMPV6.
2029 			 */
2030 			if (connp->conn_proto == IPPROTO_ICMPV6 ||
2031 			    coa->coa_ancillary) {
2032 				return (EINVAL);
2033 			}
2034 			if ((*i1 != -1) && ((*i1 < 0) || (*i1 & 0x1) != 0)) {
2035 				/* Negative or not 16 bit aligned offset */
2036 				return (EINVAL);
2037 			}
2038 			if (checkonly)
2039 				break;
2040 
2041 			mutex_enter(&connp->conn_lock);
2042 			if (*i1 == -1) {
2043 				ixa->ixa_flags &= ~IXAF_SET_RAW_CKSUM;
2044 				ixa->ixa_raw_cksum_offset = 0;
2045 				ixa->ixa_flags &= ~IXAF_SET_ULP_CKSUM;
2046 			} else {
2047 				ixa->ixa_flags |= IXAF_SET_RAW_CKSUM;
2048 				ixa->ixa_raw_cksum_offset = *i1;
2049 				ixa->ixa_flags |= IXAF_SET_ULP_CKSUM;
2050 			}
2051 			mutex_exit(&connp->conn_lock);
2052 			break;
2053 		}
2054 		break;
2055 
2056 	case IPPROTO_ICMPV6:
2057 		/*
2058 		 * Only allow IPv6 option processing on IPv6 sockets.
2059 		 */
2060 		if (connp->conn_family != AF_INET6)
2061 			return (EINVAL);
2062 		if (connp->conn_proto != IPPROTO_ICMPV6)
2063 			return (EINVAL);
2064 
2065 		switch (name) {
2066 		case ICMP6_FILTER:
2067 			if (checkonly)
2068 				break;
2069 
2070 			if ((inlen != 0) &&
2071 			    (inlen != sizeof (icmp6_filter_t)))
2072 				return (EINVAL);
2073 
2074 			mutex_enter(&connp->conn_lock);
2075 			if (inlen == 0) {
2076 				if (icmp->icmp_filter != NULL) {
2077 					kmem_free(icmp->icmp_filter,
2078 					    sizeof (icmp6_filter_t));
2079 					icmp->icmp_filter = NULL;
2080 				}
2081 			} else {
2082 				if (icmp->icmp_filter == NULL) {
2083 					icmp->icmp_filter = kmem_alloc(
2084 					    sizeof (icmp6_filter_t),
2085 					    KM_NOSLEEP);
2086 					if (icmp->icmp_filter == NULL) {
2087 						mutex_exit(&connp->conn_lock);
2088 						return (ENOBUFS);
2089 					}
2090 				}
2091 				(void) bcopy(invalp, icmp->icmp_filter, inlen);
2092 			}
2093 			mutex_exit(&connp->conn_lock);
2094 			break;
2095 		}
2096 		break;
2097 	}
2098 	error = conn_opt_set(coa, level, name, inlen, invalp,
2099 	    checkonly, cr);
2100 	return (error);
2101 }
2102 
2103 /*
2104  * This routine sets socket options.
2105  */
2106 int
2107 icmp_opt_set(conn_t *connp, uint_t optset_context, int level, int name,
2108     uint_t inlen, uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp,
2109     void *thisdg_attrs, cred_t *cr)
2110 {
2111 	icmp_t		*icmp = connp->conn_icmp;
2112 	int		err;
2113 	conn_opt_arg_t	coas, *coa;
2114 	boolean_t	checkonly;
2115 	icmp_stack_t	*is = icmp->icmp_is;
2116 
2117 	switch (optset_context) {
2118 	case SETFN_OPTCOM_CHECKONLY:
2119 		checkonly = B_TRUE;
2120 		/*
2121 		 * Note: Implies T_CHECK semantics for T_OPTCOM_REQ
2122 		 * inlen != 0 implies value supplied and
2123 		 * 	we have to "pretend" to set it.
2124 		 * inlen == 0 implies that there is no
2125 		 * 	value part in T_CHECK request and just validation
2126 		 * done elsewhere should be enough, we just return here.
2127 		 */
2128 		if (inlen == 0) {
2129 			*outlenp = 0;
2130 			return (0);
2131 		}
2132 		break;
2133 	case SETFN_OPTCOM_NEGOTIATE:
2134 		checkonly = B_FALSE;
2135 		break;
2136 	case SETFN_UD_NEGOTIATE:
2137 	case SETFN_CONN_NEGOTIATE:
2138 		checkonly = B_FALSE;
2139 		/*
2140 		 * Negotiating local and "association-related" options
2141 		 * through T_UNITDATA_REQ.
2142 		 *
2143 		 * Following routine can filter out ones we do not
2144 		 * want to be "set" this way.
2145 		 */
2146 		if (!icmp_opt_allow_udr_set(level, name)) {
2147 			*outlenp = 0;
2148 			return (EINVAL);
2149 		}
2150 		break;
2151 	default:
2152 		/*
2153 		 * We should never get here
2154 		 */
2155 		*outlenp = 0;
2156 		return (EINVAL);
2157 	}
2158 
2159 	ASSERT((optset_context != SETFN_OPTCOM_CHECKONLY) ||
2160 	    (optset_context == SETFN_OPTCOM_CHECKONLY && inlen != 0));
2161 
2162 	if (thisdg_attrs != NULL) {
2163 		/* Options from T_UNITDATA_REQ */
2164 		coa = (conn_opt_arg_t *)thisdg_attrs;
2165 		ASSERT(coa->coa_connp == connp);
2166 		ASSERT(coa->coa_ixa != NULL);
2167 		ASSERT(coa->coa_ipp != NULL);
2168 		ASSERT(coa->coa_ancillary);
2169 	} else {
2170 		coa = &coas;
2171 		coas.coa_connp = connp;
2172 		/* Get a reference on conn_ixa to prevent concurrent mods */
2173 		coas.coa_ixa = conn_get_ixa(connp, B_TRUE);
2174 		if (coas.coa_ixa == NULL) {
2175 			*outlenp = 0;
2176 			return (ENOMEM);
2177 		}
2178 		coas.coa_ipp = &connp->conn_xmit_ipp;
2179 		coas.coa_ancillary = B_FALSE;
2180 		coas.coa_changed = 0;
2181 	}
2182 
2183 	err = icmp_do_opt_set(coa, level, name, inlen, invalp,
2184 	    cr, checkonly);
2185 	if (err != 0) {
2186 errout:
2187 		if (!coa->coa_ancillary)
2188 			ixa_refrele(coa->coa_ixa);
2189 		*outlenp = 0;
2190 		return (err);
2191 	}
2192 
2193 	/*
2194 	 * Common case of OK return with outval same as inval.
2195 	 */
2196 	if (invalp != outvalp) {
2197 		/* don't trust bcopy for identical src/dst */
2198 		(void) bcopy(invalp, outvalp, inlen);
2199 	}
2200 	*outlenp = inlen;
2201 
2202 	/*
2203 	 * If this was not ancillary data, then we rebuild the headers,
2204 	 * update the IRE/NCE, and IPsec as needed.
2205 	 * Since the label depends on the destination we go through
2206 	 * ip_set_destination first.
2207 	 */
2208 	if (coa->coa_ancillary) {
2209 		return (0);
2210 	}
2211 
2212 	if (coa->coa_changed & COA_ROUTE_CHANGED) {
2213 		in6_addr_t saddr, faddr, nexthop;
2214 		in_port_t fport;
2215 
2216 		/*
2217 		 * We clear lastdst to make sure we pick up the change
2218 		 * next time sending.
2219 		 * If we are connected we re-cache the information.
2220 		 * We ignore errors to preserve BSD behavior.
2221 		 * Note that we don't redo IPsec policy lookup here
2222 		 * since the final destination (or source) didn't change.
2223 		 */
2224 		mutex_enter(&connp->conn_lock);
2225 		connp->conn_v6lastdst = ipv6_all_zeros;
2226 
2227 		ip_attr_nexthop(coa->coa_ipp, coa->coa_ixa,
2228 		    &connp->conn_faddr_v6, &nexthop);
2229 		saddr = connp->conn_saddr_v6;
2230 		faddr = connp->conn_faddr_v6;
2231 		fport = connp->conn_fport;
2232 		mutex_exit(&connp->conn_lock);
2233 
2234 		if (!IN6_IS_ADDR_UNSPECIFIED(&faddr) &&
2235 		    !IN6_IS_ADDR_V4MAPPED_ANY(&faddr)) {
2236 			(void) ip_attr_connect(connp, coa->coa_ixa,
2237 			    &saddr, &faddr, &nexthop, fport, NULL, NULL,
2238 			    IPDF_ALLOW_MCBC | IPDF_VERIFY_DST);
2239 		}
2240 	}
2241 
2242 	ixa_refrele(coa->coa_ixa);
2243 
2244 	if (coa->coa_changed & COA_HEADER_CHANGED) {
2245 		/*
2246 		 * Rebuild the header template if we are connected.
2247 		 * Otherwise clear conn_v6lastdst so we rebuild the header
2248 		 * in the data path.
2249 		 */
2250 		mutex_enter(&connp->conn_lock);
2251 		if (!IN6_IS_ADDR_UNSPECIFIED(&connp->conn_faddr_v6) &&
2252 		    !IN6_IS_ADDR_V4MAPPED_ANY(&connp->conn_faddr_v6)) {
2253 			err = icmp_build_hdr_template(connp,
2254 			    &connp->conn_saddr_v6, &connp->conn_faddr_v6,
2255 			    connp->conn_flowinfo);
2256 			if (err != 0) {
2257 				mutex_exit(&connp->conn_lock);
2258 				return (err);
2259 			}
2260 		} else {
2261 			connp->conn_v6lastdst = ipv6_all_zeros;
2262 		}
2263 		mutex_exit(&connp->conn_lock);
2264 	}
2265 	if (coa->coa_changed & COA_RCVBUF_CHANGED) {
2266 		(void) proto_set_rx_hiwat(connp->conn_rq, connp,
2267 		    connp->conn_rcvbuf);
2268 	}
2269 	if ((coa->coa_changed & COA_SNDBUF_CHANGED) && !IPCL_IS_NONSTR(connp)) {
2270 		connp->conn_wq->q_hiwat = connp->conn_sndbuf;
2271 	}
2272 	if (coa->coa_changed & COA_WROFF_CHANGED) {
2273 		/* Increase wroff if needed */
2274 		uint_t wroff;
2275 
2276 		mutex_enter(&connp->conn_lock);
2277 		wroff = connp->conn_ht_iphc_allocated + is->is_wroff_extra;
2278 		if (wroff > connp->conn_wroff) {
2279 			connp->conn_wroff = wroff;
2280 			mutex_exit(&connp->conn_lock);
2281 			(void) proto_set_tx_wroff(connp->conn_rq, connp, wroff);
2282 		} else {
2283 			mutex_exit(&connp->conn_lock);
2284 		}
2285 	}
2286 	if (coa->coa_changed & COA_ICMP_BIND_NEEDED) {
2287 		icmp_bind_proto(icmp);
2288 	}
2289 	return (err);
2290 }
2291 
2292 /* This routine sets socket options. */
2293 int
2294 icmp_tpi_opt_set(queue_t *q, uint_t optset_context, int level, int name,
2295     uint_t inlen, uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp,
2296     void *thisdg_attrs, cred_t *cr)
2297 {
2298 	conn_t	*connp = Q_TO_CONN(q);
2299 	int error;
2300 
2301 	error = icmp_opt_set(connp, optset_context, level, name, inlen, invalp,
2302 	    outlenp, outvalp, thisdg_attrs, cr);
2303 	return (error);
2304 }
2305 
2306 /*
2307  * Setup IP headers.
2308  *
2309  * Note that IP_HDRINCL has ipha_protocol that is different than conn_proto,
2310  * but icmp_output_hdrincl restores ipha_protocol once we return.
2311  */
2312 mblk_t *
2313 icmp_prepend_hdr(conn_t *connp, ip_xmit_attr_t *ixa, const ip_pkt_t *ipp,
2314     const in6_addr_t *v6src, const in6_addr_t *v6dst, uint32_t flowinfo,
2315     mblk_t *data_mp, int *errorp)
2316 {
2317 	mblk_t		*mp;
2318 	icmp_stack_t	*is = connp->conn_netstack->netstack_icmp;
2319 	uint_t		data_len;
2320 	uint32_t	cksum;
2321 
2322 	data_len = msgdsize(data_mp);
2323 	mp = conn_prepend_hdr(ixa, ipp, v6src, v6dst, connp->conn_proto,
2324 	    flowinfo, 0, data_mp, data_len, is->is_wroff_extra, &cksum, errorp);
2325 	if (mp == NULL) {
2326 		ASSERT(*errorp != 0);
2327 		return (NULL);
2328 	}
2329 
2330 	ixa->ixa_pktlen = data_len + ixa->ixa_ip_hdr_length;
2331 
2332 	/*
2333 	 * If there was a routing option/header then conn_prepend_hdr
2334 	 * has massaged it and placed the pseudo-header checksum difference
2335 	 * in the cksum argument.
2336 	 *
2337 	 * Prepare for ICMPv6 checksum done in IP.
2338 	 *
2339 	 * We make it easy for IP to include our pseudo header
2340 	 * by putting our length (and any routing header adjustment)
2341 	 * in the ICMPv6 checksum field.
2342 	 * The IP source, destination, and length have already been set by
2343 	 * conn_prepend_hdr.
2344 	 */
2345 	cksum += data_len;
2346 	cksum = (cksum >> 16) + (cksum & 0xFFFF);
2347 	ASSERT(cksum < 0x10000);
2348 
2349 	if (ixa->ixa_flags & IXAF_IS_IPV4) {
2350 		ipha_t	*ipha = (ipha_t *)mp->b_rptr;
2351 
2352 		ASSERT(ntohs(ipha->ipha_length) == ixa->ixa_pktlen);
2353 	} else {
2354 		ip6_t	*ip6h = (ip6_t *)mp->b_rptr;
2355 		uint_t	cksum_offset = 0;
2356 
2357 		ASSERT(ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN == ixa->ixa_pktlen);
2358 
2359 		if (ixa->ixa_flags & IXAF_SET_ULP_CKSUM) {
2360 			if (connp->conn_proto == IPPROTO_ICMPV6) {
2361 				cksum_offset = ixa->ixa_ip_hdr_length +
2362 				    offsetof(icmp6_t, icmp6_cksum);
2363 			} else if (ixa->ixa_flags & IXAF_SET_RAW_CKSUM) {
2364 				cksum_offset = ixa->ixa_ip_hdr_length +
2365 				    ixa->ixa_raw_cksum_offset;
2366 			}
2367 		}
2368 		if (cksum_offset != 0) {
2369 			uint16_t *ptr;
2370 
2371 			/* Make sure the checksum fits in the first mblk */
2372 			if (cksum_offset + sizeof (short) > MBLKL(mp)) {
2373 				mblk_t *mp1;
2374 
2375 				mp1 = msgpullup(mp,
2376 				    cksum_offset + sizeof (short));
2377 				freemsg(mp);
2378 				if (mp1 == NULL) {
2379 					*errorp = ENOMEM;
2380 					return (NULL);
2381 				}
2382 				mp = mp1;
2383 				ip6h = (ip6_t *)mp->b_rptr;
2384 			}
2385 			ptr = (uint16_t *)(mp->b_rptr + cksum_offset);
2386 			*ptr = htons(cksum);
2387 		}
2388 	}
2389 
2390 	/* Note that we don't try to update wroff due to ancillary data */
2391 	return (mp);
2392 }
2393 
2394 static int
2395 icmp_build_hdr_template(conn_t *connp, const in6_addr_t *v6src,
2396     const in6_addr_t *v6dst, uint32_t flowinfo)
2397 {
2398 	int		error;
2399 
2400 	ASSERT(MUTEX_HELD(&connp->conn_lock));
2401 	/*
2402 	 * We clear lastdst to make sure we don't use the lastdst path
2403 	 * next time sending since we might not have set v6dst yet.
2404 	 */
2405 	connp->conn_v6lastdst = ipv6_all_zeros;
2406 
2407 	error = conn_build_hdr_template(connp, 0, 0, v6src, v6dst, flowinfo);
2408 	if (error != 0)
2409 		return (error);
2410 
2411 	/*
2412 	 * Any routing header/option has been massaged. The checksum difference
2413 	 * is stored in conn_sum.
2414 	 */
2415 	return (0);
2416 }
2417 
2418 /*
2419  * This routine retrieves the value of an ND variable in a icmpparam_t
2420  * structure.  It is called through nd_getset when a user reads the
2421  * variable.
2422  */
2423 /* ARGSUSED */
2424 static int
2425 icmp_param_get(queue_t *q, mblk_t *mp, caddr_t cp, cred_t *cr)
2426 {
2427 	icmpparam_t	*icmppa = (icmpparam_t *)cp;
2428 
2429 	(void) mi_mpprintf(mp, "%d", icmppa->icmp_param_value);
2430 	return (0);
2431 }
2432 
2433 /*
2434  * Walk through the param array specified registering each element with the
2435  * named dispatch (ND) handler.
2436  */
2437 static boolean_t
2438 icmp_param_register(IDP *ndp, icmpparam_t *icmppa, int cnt)
2439 {
2440 	for (; cnt-- > 0; icmppa++) {
2441 		if (icmppa->icmp_param_name && icmppa->icmp_param_name[0]) {
2442 			if (!nd_load(ndp, icmppa->icmp_param_name,
2443 			    icmp_param_get, icmp_param_set,
2444 			    (caddr_t)icmppa)) {
2445 				nd_free(ndp);
2446 				return (B_FALSE);
2447 			}
2448 		}
2449 	}
2450 	return (B_TRUE);
2451 }
2452 
2453 /* This routine sets an ND variable in a icmpparam_t structure. */
2454 /* ARGSUSED */
2455 static int
2456 icmp_param_set(queue_t *q, mblk_t *mp, char *value, caddr_t cp, cred_t *cr)
2457 {
2458 	long		new_value;
2459 	icmpparam_t	*icmppa = (icmpparam_t *)cp;
2460 
2461 	/*
2462 	 * Fail the request if the new value does not lie within the
2463 	 * required bounds.
2464 	 */
2465 	if (ddi_strtol(value, NULL, 10, &new_value) != 0 ||
2466 	    new_value < icmppa->icmp_param_min ||
2467 	    new_value > icmppa->icmp_param_max) {
2468 		return (EINVAL);
2469 	}
2470 	/* Set the new value */
2471 	icmppa->icmp_param_value = new_value;
2472 	return (0);
2473 }
2474 
2475 static mblk_t *
2476 icmp_queue_fallback(icmp_t *icmp, mblk_t *mp)
2477 {
2478 	ASSERT(MUTEX_HELD(&icmp->icmp_recv_lock));
2479 	if (IPCL_IS_NONSTR(icmp->icmp_connp)) {
2480 		/*
2481 		 * fallback has started but messages have not been moved yet
2482 		 */
2483 		if (icmp->icmp_fallback_queue_head == NULL) {
2484 			ASSERT(icmp->icmp_fallback_queue_tail == NULL);
2485 			icmp->icmp_fallback_queue_head = mp;
2486 			icmp->icmp_fallback_queue_tail = mp;
2487 		} else {
2488 			ASSERT(icmp->icmp_fallback_queue_tail != NULL);
2489 			icmp->icmp_fallback_queue_tail->b_next = mp;
2490 			icmp->icmp_fallback_queue_tail = mp;
2491 		}
2492 		return (NULL);
2493 	} else {
2494 		/*
2495 		 * Fallback completed, let the caller putnext() the mblk.
2496 		 */
2497 		return (mp);
2498 	}
2499 }
2500 
2501 /*
2502  * Deliver data to ULP. In case we have a socket, and it's falling back to
2503  * TPI, then we'll queue the mp for later processing.
2504  */
2505 static void
2506 icmp_ulp_recv(conn_t *connp, mblk_t *mp, uint_t len)
2507 {
2508 	if (IPCL_IS_NONSTR(connp)) {
2509 		icmp_t *icmp = connp->conn_icmp;
2510 		int error;
2511 
2512 		ASSERT(len == msgdsize(mp));
2513 		if ((*connp->conn_upcalls->su_recv)
2514 		    (connp->conn_upper_handle, mp, len, 0, &error, NULL) < 0) {
2515 			mutex_enter(&icmp->icmp_recv_lock);
2516 			if (error == ENOSPC) {
2517 				/*
2518 				 * let's confirm while holding the lock
2519 				 */
2520 				if ((*connp->conn_upcalls->su_recv)
2521 				    (connp->conn_upper_handle, NULL, 0, 0,
2522 				    &error, NULL) < 0) {
2523 					ASSERT(error == ENOSPC);
2524 					if (error == ENOSPC) {
2525 						connp->conn_flow_cntrld =
2526 						    B_TRUE;
2527 					}
2528 				}
2529 				mutex_exit(&icmp->icmp_recv_lock);
2530 			} else {
2531 				ASSERT(error == EOPNOTSUPP);
2532 				mp = icmp_queue_fallback(icmp, mp);
2533 				mutex_exit(&icmp->icmp_recv_lock);
2534 				if (mp != NULL)
2535 					putnext(connp->conn_rq, mp);
2536 			}
2537 		}
2538 		ASSERT(MUTEX_NOT_HELD(&icmp->icmp_recv_lock));
2539 	} else {
2540 		putnext(connp->conn_rq, mp);
2541 	}
2542 }
2543 
2544 /*
2545  * This is the inbound data path.
2546  * IP has already pulled up the IP headers and verified alignment
2547  * etc.
2548  */
2549 /* ARGSUSED2 */
2550 static void
2551 icmp_input(void *arg1, mblk_t *mp, void *arg2, ip_recv_attr_t *ira)
2552 {
2553 	conn_t			*connp = (conn_t *)arg1;
2554 	struct T_unitdata_ind	*tudi;
2555 	uchar_t			*rptr;		/* Pointer to IP header */
2556 	int			ip_hdr_length;
2557 	int			udi_size;	/* Size of T_unitdata_ind */
2558 	int			pkt_len;
2559 	icmp_t			*icmp;
2560 	ip_pkt_t		ipps;
2561 	ip6_t			*ip6h;
2562 	mblk_t			*mp1;
2563 	crb_t			recv_ancillary;
2564 	icmp_stack_t		*is;
2565 	sin_t			*sin;
2566 	sin6_t			*sin6;
2567 	ipha_t			*ipha;
2568 
2569 	ASSERT(connp->conn_flags & IPCL_RAWIPCONN);
2570 
2571 	icmp = connp->conn_icmp;
2572 	is = icmp->icmp_is;
2573 	rptr = mp->b_rptr;
2574 
2575 	ASSERT(DB_TYPE(mp) == M_DATA);
2576 	ASSERT(OK_32PTR(rptr));
2577 	ASSERT(ira->ira_pktlen == msgdsize(mp));
2578 	pkt_len = ira->ira_pktlen;
2579 
2580 	/*
2581 	 * Get a snapshot of these and allow other threads to change
2582 	 * them after that. We need the same recv_ancillary when determining
2583 	 * the size as when adding the ancillary data items.
2584 	 */
2585 	mutex_enter(&connp->conn_lock);
2586 	recv_ancillary = connp->conn_recv_ancillary;
2587 	mutex_exit(&connp->conn_lock);
2588 
2589 	ip_hdr_length = ira->ira_ip_hdr_length;
2590 	ASSERT(MBLKL(mp) >= ip_hdr_length);	/* IP did a pullup */
2591 
2592 	/* Initialize regardless of IP version */
2593 	ipps.ipp_fields = 0;
2594 
2595 	if (ira->ira_flags & IRAF_IS_IPV4) {
2596 		ASSERT(IPH_HDR_VERSION(rptr) == IPV4_VERSION);
2597 		ASSERT(MBLKL(mp) >= sizeof (ipha_t));
2598 		ASSERT(ira->ira_ip_hdr_length == IPH_HDR_LENGTH(rptr));
2599 
2600 		ipha = (ipha_t *)mp->b_rptr;
2601 		if (recv_ancillary.crb_all != 0)
2602 			(void) ip_find_hdr_v4(ipha, &ipps, B_FALSE);
2603 
2604 		/*
2605 		 * BSD for some reason adjusts ipha_length to exclude the
2606 		 * IP header length. We do the same.
2607 		 */
2608 		if (is->is_bsd_compat) {
2609 			ushort_t len;
2610 
2611 			len = ntohs(ipha->ipha_length);
2612 			if (mp->b_datap->db_ref > 1) {
2613 				/*
2614 				 * Allocate a new IP header so that we can
2615 				 * modify ipha_length.
2616 				 */
2617 				mblk_t	*mp1;
2618 
2619 				mp1 = allocb(ip_hdr_length, BPRI_MED);
2620 				if (mp1 == NULL) {
2621 					freemsg(mp);
2622 					BUMP_MIB(&is->is_rawip_mib,
2623 					    rawipInErrors);
2624 					return;
2625 				}
2626 				bcopy(rptr, mp1->b_rptr, ip_hdr_length);
2627 				mp->b_rptr = rptr + ip_hdr_length;
2628 				rptr = mp1->b_rptr;
2629 				ipha = (ipha_t *)rptr;
2630 				mp1->b_cont = mp;
2631 				mp1->b_wptr = rptr + ip_hdr_length;
2632 				mp = mp1;
2633 			}
2634 			len -= ip_hdr_length;
2635 			ipha->ipha_length = htons(len);
2636 		}
2637 
2638 		/*
2639 		 * For RAW sockets we not pass ICMP/IPv4 packets to AF_INET6
2640 		 * sockets. This is ensured by icmp_bind and the IP fanout code.
2641 		 */
2642 		ASSERT(connp->conn_family == AF_INET);
2643 
2644 		/*
2645 		 * This is the inbound data path.  Packets are passed upstream
2646 		 * as T_UNITDATA_IND messages with full IPv4 headers still
2647 		 * attached.
2648 		 */
2649 
2650 		/*
2651 		 * Normally only send up the source address.
2652 		 * If any ancillary data items are wanted we add those.
2653 		 */
2654 		udi_size = sizeof (struct T_unitdata_ind) + sizeof (sin_t);
2655 		if (recv_ancillary.crb_all != 0) {
2656 			udi_size += conn_recvancillary_size(connp,
2657 			    recv_ancillary, ira, mp, &ipps);
2658 		}
2659 
2660 		/* Allocate a message block for the T_UNITDATA_IND structure. */
2661 		mp1 = allocb(udi_size, BPRI_MED);
2662 		if (mp1 == NULL) {
2663 			freemsg(mp);
2664 			BUMP_MIB(&is->is_rawip_mib, rawipInErrors);
2665 			return;
2666 		}
2667 		mp1->b_cont = mp;
2668 		tudi = (struct T_unitdata_ind *)mp1->b_rptr;
2669 		mp1->b_datap->db_type = M_PROTO;
2670 		mp1->b_wptr = (uchar_t *)tudi + udi_size;
2671 		tudi->PRIM_type = T_UNITDATA_IND;
2672 		tudi->SRC_length = sizeof (sin_t);
2673 		tudi->SRC_offset = sizeof (struct T_unitdata_ind);
2674 		sin = (sin_t *)&tudi[1];
2675 		*sin = sin_null;
2676 		sin->sin_family = AF_INET;
2677 		sin->sin_addr.s_addr = ipha->ipha_src;
2678 		*(uint32_t *)&sin->sin_zero[0] = 0;
2679 		*(uint32_t *)&sin->sin_zero[4] = 0;
2680 		tudi->OPT_offset =  sizeof (struct T_unitdata_ind) +
2681 		    sizeof (sin_t);
2682 		udi_size -= (sizeof (struct T_unitdata_ind) + sizeof (sin_t));
2683 		tudi->OPT_length = udi_size;
2684 
2685 		/*
2686 		 * Add options if IP_RECVIF etc is set
2687 		 */
2688 		if (udi_size != 0) {
2689 			conn_recvancillary_add(connp, recv_ancillary, ira,
2690 			    &ipps, (uchar_t *)&sin[1], udi_size);
2691 		}
2692 		goto deliver;
2693 	}
2694 
2695 	ASSERT(IPH_HDR_VERSION(rptr) == IPV6_VERSION);
2696 	/*
2697 	 * IPv6 packets can only be received by applications
2698 	 * that are prepared to receive IPv6 addresses.
2699 	 * The IP fanout must ensure this.
2700 	 */
2701 	ASSERT(connp->conn_family == AF_INET6);
2702 
2703 	/*
2704 	 * Handle IPv6 packets. We don't pass up the IP headers with the
2705 	 * payload for IPv6.
2706 	 */
2707 
2708 	ip6h = (ip6_t *)rptr;
2709 	if (recv_ancillary.crb_all != 0) {
2710 		/*
2711 		 * Call on ip_find_hdr_v6 which gets individual lenghts of
2712 		 * extension headers (and pointers to them).
2713 		 */
2714 		uint8_t		nexthdr;
2715 
2716 		/* We don't care about the length or nextheader. */
2717 		(void) ip_find_hdr_v6(mp, ip6h, B_TRUE, &ipps, &nexthdr);
2718 
2719 		/*
2720 		 * We do not pass up hop-by-hop options or any other
2721 		 * extension header as part of the packet. Applications
2722 		 * that want to see them have to specify IPV6_RECV* socket
2723 		 * options. And conn_recvancillary_size/add explicitly
2724 		 * drops the TX option from IPV6_HOPOPTS as it does for UDP.
2725 		 *
2726 		 * If we had multilevel ICMP sockets, then we'd want to
2727 		 * modify conn_recvancillary_size/add to
2728 		 * allow the user to see the label.
2729 		 */
2730 	}
2731 
2732 	/*
2733 	 * Check a filter for ICMPv6 types if needed.
2734 	 * Verify raw checksums if needed.
2735 	 */
2736 	mutex_enter(&connp->conn_lock);
2737 	if (icmp->icmp_filter != NULL) {
2738 		int type;
2739 
2740 		/* Assumes that IP has done the pullupmsg */
2741 		type = mp->b_rptr[ip_hdr_length];
2742 
2743 		ASSERT(mp->b_rptr + ip_hdr_length <= mp->b_wptr);
2744 		if (ICMP6_FILTER_WILLBLOCK(type, icmp->icmp_filter)) {
2745 			mutex_exit(&connp->conn_lock);
2746 			freemsg(mp);
2747 			return;
2748 		}
2749 	}
2750 	if (connp->conn_ixa->ixa_flags & IXAF_SET_RAW_CKSUM) {
2751 		/* Checksum */
2752 		uint16_t	*up;
2753 		uint32_t	sum;
2754 		int		remlen;
2755 
2756 		up = (uint16_t *)&ip6h->ip6_src;
2757 
2758 		remlen = msgdsize(mp) - ip_hdr_length;
2759 		sum = htons(connp->conn_proto + remlen)
2760 		    + up[0] + up[1] + up[2] + up[3]
2761 		    + up[4] + up[5] + up[6] + up[7]
2762 		    + up[8] + up[9] + up[10] + up[11]
2763 		    + up[12] + up[13] + up[14] + up[15];
2764 		sum = (sum & 0xffff) + (sum >> 16);
2765 		sum = IP_CSUM(mp, ip_hdr_length, sum);
2766 		if (sum != 0) {
2767 			/* IPv6 RAW checksum failed */
2768 			ip0dbg(("icmp_rput: RAW checksum failed %x\n", sum));
2769 			mutex_exit(&connp->conn_lock);
2770 			freemsg(mp);
2771 			BUMP_MIB(&is->is_rawip_mib, rawipInCksumErrs);
2772 			return;
2773 		}
2774 	}
2775 	mutex_exit(&connp->conn_lock);
2776 
2777 	udi_size = sizeof (struct T_unitdata_ind) + sizeof (sin6_t);
2778 
2779 	if (recv_ancillary.crb_all != 0) {
2780 		udi_size += conn_recvancillary_size(connp,
2781 		    recv_ancillary, ira, mp, &ipps);
2782 	}
2783 
2784 	mp1 = allocb(udi_size, BPRI_MED);
2785 	if (mp1 == NULL) {
2786 		freemsg(mp);
2787 		BUMP_MIB(&is->is_rawip_mib, rawipInErrors);
2788 		return;
2789 	}
2790 	mp1->b_cont = mp;
2791 	mp1->b_datap->db_type = M_PROTO;
2792 	tudi = (struct T_unitdata_ind *)mp1->b_rptr;
2793 	mp1->b_wptr = (uchar_t *)tudi + udi_size;
2794 	tudi->PRIM_type = T_UNITDATA_IND;
2795 	tudi->SRC_length = sizeof (sin6_t);
2796 	tudi->SRC_offset = sizeof (struct T_unitdata_ind);
2797 	tudi->OPT_offset = sizeof (struct T_unitdata_ind) + sizeof (sin6_t);
2798 	udi_size -= (sizeof (struct T_unitdata_ind) + sizeof (sin6_t));
2799 	tudi->OPT_length = udi_size;
2800 	sin6 = (sin6_t *)&tudi[1];
2801 	*sin6 = sin6_null;
2802 	sin6->sin6_port = 0;
2803 	sin6->sin6_family = AF_INET6;
2804 
2805 	sin6->sin6_addr = ip6h->ip6_src;
2806 	/* No sin6_flowinfo per API */
2807 	sin6->sin6_flowinfo = 0;
2808 	/* For link-scope pass up scope id */
2809 	if (IN6_IS_ADDR_LINKSCOPE(&ip6h->ip6_src))
2810 		sin6->sin6_scope_id = ira->ira_ruifindex;
2811 	else
2812 		sin6->sin6_scope_id = 0;
2813 	sin6->__sin6_src_id = ip_srcid_find_addr(&ip6h->ip6_dst,
2814 	    IPCL_ZONEID(connp), is->is_netstack);
2815 
2816 	if (udi_size != 0) {
2817 		conn_recvancillary_add(connp, recv_ancillary, ira,
2818 		    &ipps, (uchar_t *)&sin6[1], udi_size);
2819 	}
2820 
2821 	/* Skip all the IPv6 headers per API */
2822 	mp->b_rptr += ip_hdr_length;
2823 	pkt_len -= ip_hdr_length;
2824 
2825 deliver:
2826 	BUMP_MIB(&is->is_rawip_mib, rawipInDatagrams);
2827 	icmp_ulp_recv(connp, mp1, pkt_len);
2828 }
2829 
2830 /*
2831  * return SNMP stuff in buffer in mpdata. We don't hold any lock and report
2832  * information that can be changing beneath us.
2833  */
2834 mblk_t *
2835 icmp_snmp_get(queue_t *q, mblk_t *mpctl)
2836 {
2837 	mblk_t			*mpdata;
2838 	struct opthdr		*optp;
2839 	conn_t			*connp = Q_TO_CONN(q);
2840 	icmp_stack_t		*is = connp->conn_netstack->netstack_icmp;
2841 	mblk_t			*mp2ctl;
2842 
2843 	/*
2844 	 * make a copy of the original message
2845 	 */
2846 	mp2ctl = copymsg(mpctl);
2847 
2848 	if (mpctl == NULL ||
2849 	    (mpdata = mpctl->b_cont) == NULL) {
2850 		freemsg(mpctl);
2851 		freemsg(mp2ctl);
2852 		return (0);
2853 	}
2854 
2855 	/* fixed length structure for IPv4 and IPv6 counters */
2856 	optp = (struct opthdr *)&mpctl->b_rptr[sizeof (struct T_optmgmt_ack)];
2857 	optp->level = EXPER_RAWIP;
2858 	optp->name = 0;
2859 	(void) snmp_append_data(mpdata, (char *)&is->is_rawip_mib,
2860 	    sizeof (is->is_rawip_mib));
2861 	optp->len = msgdsize(mpdata);
2862 	qreply(q, mpctl);
2863 
2864 	return (mp2ctl);
2865 }
2866 
2867 /*
2868  * Return 0 if invalid set request, 1 otherwise, including non-rawip requests.
2869  * TODO:  If this ever actually tries to set anything, it needs to be
2870  * to do the appropriate locking.
2871  */
2872 /* ARGSUSED */
2873 int
2874 icmp_snmp_set(queue_t *q, t_scalar_t level, t_scalar_t name,
2875     uchar_t *ptr, int len)
2876 {
2877 	switch (level) {
2878 	case EXPER_RAWIP:
2879 		return (0);
2880 	default:
2881 		return (1);
2882 	}
2883 }
2884 
2885 /*
2886  * This routine creates a T_UDERROR_IND message and passes it upstream.
2887  * The address and options are copied from the T_UNITDATA_REQ message
2888  * passed in mp.  This message is freed.
2889  */
2890 static void
2891 icmp_ud_err(queue_t *q, mblk_t *mp, t_scalar_t err)
2892 {
2893 	struct T_unitdata_req *tudr;
2894 	mblk_t	*mp1;
2895 	uchar_t *destaddr;
2896 	t_scalar_t destlen;
2897 	uchar_t	*optaddr;
2898 	t_scalar_t optlen;
2899 
2900 	if ((mp->b_wptr < mp->b_rptr) ||
2901 	    (MBLKL(mp)) < sizeof (struct T_unitdata_req)) {
2902 		goto done;
2903 	}
2904 	tudr = (struct T_unitdata_req *)mp->b_rptr;
2905 	destaddr = mp->b_rptr + tudr->DEST_offset;
2906 	if (destaddr < mp->b_rptr || destaddr >= mp->b_wptr ||
2907 	    destaddr + tudr->DEST_length < mp->b_rptr ||
2908 	    destaddr + tudr->DEST_length > mp->b_wptr) {
2909 		goto done;
2910 	}
2911 	optaddr = mp->b_rptr + tudr->OPT_offset;
2912 	if (optaddr < mp->b_rptr || optaddr >= mp->b_wptr ||
2913 	    optaddr + tudr->OPT_length < mp->b_rptr ||
2914 	    optaddr + tudr->OPT_length > mp->b_wptr) {
2915 		goto done;
2916 	}
2917 	destlen = tudr->DEST_length;
2918 	optlen = tudr->OPT_length;
2919 
2920 	mp1 = mi_tpi_uderror_ind((char *)destaddr, destlen,
2921 	    (char *)optaddr, optlen, err);
2922 	if (mp1 != NULL)
2923 		qreply(q, mp1);
2924 
2925 done:
2926 	freemsg(mp);
2927 }
2928 
2929 static int
2930 rawip_do_unbind(conn_t *connp)
2931 {
2932 	icmp_t	*icmp = connp->conn_icmp;
2933 
2934 	mutex_enter(&connp->conn_lock);
2935 	/* If a bind has not been done, we can't unbind. */
2936 	if (icmp->icmp_state == TS_UNBND) {
2937 		mutex_exit(&connp->conn_lock);
2938 		return (-TOUTSTATE);
2939 	}
2940 	connp->conn_saddr_v6 = ipv6_all_zeros;
2941 	connp->conn_bound_addr_v6 = ipv6_all_zeros;
2942 	connp->conn_laddr_v6 = ipv6_all_zeros;
2943 	connp->conn_mcbc_bind = B_FALSE;
2944 	connp->conn_lport = 0;
2945 	connp->conn_fport = 0;
2946 	/* In case we were also connected */
2947 	connp->conn_faddr_v6 = ipv6_all_zeros;
2948 	connp->conn_v6lastdst = ipv6_all_zeros;
2949 
2950 	icmp->icmp_state = TS_UNBND;
2951 
2952 	(void) icmp_build_hdr_template(connp, &connp->conn_saddr_v6,
2953 	    &connp->conn_faddr_v6, connp->conn_flowinfo);
2954 	mutex_exit(&connp->conn_lock);
2955 
2956 	ip_unbind(connp);
2957 	return (0);
2958 }
2959 
2960 /*
2961  * This routine is called by icmp_wput to handle T_UNBIND_REQ messages.
2962  * After some error checking, the message is passed downstream to ip.
2963  */
2964 static void
2965 icmp_tpi_unbind(queue_t *q, mblk_t *mp)
2966 {
2967 	conn_t	*connp = Q_TO_CONN(q);
2968 	int	error;
2969 
2970 	ASSERT(mp->b_cont == NULL);
2971 	error = rawip_do_unbind(connp);
2972 	if (error) {
2973 		if (error < 0) {
2974 			icmp_err_ack(q, mp, -error, 0);
2975 		} else {
2976 			icmp_err_ack(q, mp, 0, error);
2977 		}
2978 		return;
2979 	}
2980 
2981 	/*
2982 	 * Convert mp into a T_OK_ACK
2983 	 */
2984 
2985 	mp = mi_tpi_ok_ack_alloc(mp);
2986 
2987 	/*
2988 	 * should not happen in practice... T_OK_ACK is smaller than the
2989 	 * original message.
2990 	 */
2991 	ASSERT(mp != NULL);
2992 	ASSERT(((struct T_ok_ack *)mp->b_rptr)->PRIM_type == T_OK_ACK);
2993 	qreply(q, mp);
2994 }
2995 
2996 /*
2997  * Process IPv4 packets that already include an IP header.
2998  * Used when IP_HDRINCL has been set (implicit for IPPROTO_RAW and
2999  * IPPROTO_IGMP).
3000  * In this case we ignore the address and any options in the T_UNITDATA_REQ.
3001  *
3002  * The packet is assumed to have a base (20 byte) IP header followed
3003  * by the upper-layer protocol. We include any IP_OPTIONS including a
3004  * CIPSO label but otherwise preserve the base IP header.
3005  */
3006 static int
3007 icmp_output_hdrincl(conn_t *connp, mblk_t *mp, cred_t *cr, pid_t pid)
3008 {
3009 	icmp_t		*icmp = connp->conn_icmp;
3010 	icmp_stack_t	*is = icmp->icmp_is;
3011 	ipha_t		iphas;
3012 	ipha_t		*ipha;
3013 	int		ip_hdr_length;
3014 	int		tp_hdr_len;
3015 	ip_xmit_attr_t	*ixa;
3016 	ip_pkt_t	*ipp;
3017 	in6_addr_t	v6src;
3018 	in6_addr_t	v6dst;
3019 	in6_addr_t	v6nexthop;
3020 	int		error;
3021 	boolean_t	do_ipsec;
3022 
3023 	/*
3024 	 * We need an exclusive copy of conn_ixa since the included IP
3025 	 * header could have any destination.
3026 	 * That copy has no pointers hence we
3027 	 * need to set them up once we've parsed the ancillary data.
3028 	 */
3029 	ixa = conn_get_ixa_exclusive(connp);
3030 	if (ixa == NULL) {
3031 		BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3032 		freemsg(mp);
3033 		return (ENOMEM);
3034 	}
3035 	ASSERT(cr != NULL);
3036 	/*
3037 	 * Caller has a reference on cr; from db_credp or because we
3038 	 * are running in process context.
3039 	 */
3040 	ixa->ixa_cred = cr;
3041 	ixa->ixa_cpid = pid;
3042 	if (is_system_labeled()) {
3043 		/* We need to restart with a label based on the cred */
3044 		ip_xmit_attr_restore_tsl(ixa, ixa->ixa_cred);
3045 	}
3046 
3047 	/* In case previous destination was multicast or multirt */
3048 	ip_attr_newdst(ixa);
3049 
3050 	/* Get a copy of conn_xmit_ipp since the TX label might change it */
3051 	ipp = kmem_zalloc(sizeof (*ipp), KM_NOSLEEP);
3052 	if (ipp == NULL) {
3053 		ixa_refrele(ixa);
3054 		BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3055 		freemsg(mp);
3056 		return (ENOMEM);
3057 	}
3058 	mutex_enter(&connp->conn_lock);
3059 	error = ip_pkt_copy(&connp->conn_xmit_ipp, ipp, KM_NOSLEEP);
3060 	mutex_exit(&connp->conn_lock);
3061 	if (error != 0) {
3062 		BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3063 		freemsg(mp);
3064 		goto done;
3065 	}
3066 
3067 	/* Sanity check length of packet */
3068 	ipha = (ipha_t *)mp->b_rptr;
3069 
3070 	ip_hdr_length = IP_SIMPLE_HDR_LENGTH;
3071 	if ((mp->b_wptr - mp->b_rptr) < IP_SIMPLE_HDR_LENGTH) {
3072 		if (!pullupmsg(mp, IP_SIMPLE_HDR_LENGTH)) {
3073 			BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3074 			freemsg(mp);
3075 			goto done;
3076 		}
3077 		ipha = (ipha_t *)mp->b_rptr;
3078 	}
3079 	ipha->ipha_version_and_hdr_length =
3080 	    (IP_VERSION<<4) | (ip_hdr_length>>2);
3081 
3082 	/*
3083 	 * We set IXAF_DONTFRAG if the application set DF which makes
3084 	 * IP not fragment.
3085 	 */
3086 	ipha->ipha_fragment_offset_and_flags &= htons(IPH_DF);
3087 	if (ipha->ipha_fragment_offset_and_flags & htons(IPH_DF))
3088 		ixa->ixa_flags |= (IXAF_DONTFRAG | IXAF_PMTU_IPV4_DF);
3089 	else
3090 		ixa->ixa_flags &= ~(IXAF_DONTFRAG | IXAF_PMTU_IPV4_DF);
3091 
3092 	/* Even for multicast and broadcast we honor the apps ttl */
3093 	ixa->ixa_flags |= IXAF_NO_TTL_CHANGE;
3094 
3095 	if (ipha->ipha_dst == INADDR_ANY)
3096 		ipha->ipha_dst = htonl(INADDR_LOOPBACK);
3097 
3098 	IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &v6src);
3099 	IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &v6dst);
3100 
3101 	/* Defer IPsec if it might need to look at ICMP type/code */
3102 	do_ipsec = ipha->ipha_protocol != IPPROTO_ICMP;
3103 	ixa->ixa_flags |= IXAF_IS_IPV4;
3104 
3105 	ip_attr_nexthop(ipp, ixa, &v6dst, &v6nexthop);
3106 	error = ip_attr_connect(connp, ixa, &v6src, &v6dst, &v6nexthop,
3107 	    connp->conn_fport, &v6src, NULL, IPDF_ALLOW_MCBC | IPDF_VERIFY_DST |
3108 	    (do_ipsec ? IPDF_IPSEC : 0));
3109 	switch (error) {
3110 	case 0:
3111 		break;
3112 	case EADDRNOTAVAIL:
3113 		/*
3114 		 * IXAF_VERIFY_SOURCE tells us to pick a better source.
3115 		 * Don't have the application see that errno
3116 		 */
3117 		error = ENETUNREACH;
3118 		goto failed;
3119 	case ENETDOWN:
3120 		/*
3121 		 * Have !ipif_addr_ready address; drop packet silently
3122 		 * until we can get applications to not send until we
3123 		 * are ready.
3124 		 */
3125 		error = 0;
3126 		goto failed;
3127 	case EHOSTUNREACH:
3128 	case ENETUNREACH:
3129 		if (ixa->ixa_ire != NULL) {
3130 			/*
3131 			 * Let conn_ip_output/ire_send_noroute return
3132 			 * the error and send any local ICMP error.
3133 			 */
3134 			error = 0;
3135 			break;
3136 		}
3137 		/* FALLTHRU */
3138 	default:
3139 	failed:
3140 		freemsg(mp);
3141 		BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3142 		goto done;
3143 	}
3144 	if (ipha->ipha_src == INADDR_ANY)
3145 		IN6_V4MAPPED_TO_IPADDR(&v6src, ipha->ipha_src);
3146 
3147 	/*
3148 	 * We might be going to a different destination than last time,
3149 	 * thus check that TX allows the communication and compute any
3150 	 * needed label.
3151 	 *
3152 	 * TSOL Note: We have an exclusive ipp and ixa for this thread so we
3153 	 * don't have to worry about concurrent threads.
3154 	 */
3155 	if (is_system_labeled()) {
3156 		/*
3157 		 * Check whether Trusted Solaris policy allows communication
3158 		 * with this host, and pretend that the destination is
3159 		 * unreachable if not.
3160 		 * Compute any needed label and place it in ipp_label_v4/v6.
3161 		 *
3162 		 * Later conn_build_hdr_template/conn_prepend_hdr takes
3163 		 * ipp_label_v4/v6 to form the packet.
3164 		 *
3165 		 * Tsol note: We have ipp structure local to this thread so
3166 		 * no locking is needed.
3167 		 */
3168 		error = conn_update_label(connp, ixa, &v6dst, ipp);
3169 		if (error != 0) {
3170 			freemsg(mp);
3171 			BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3172 			goto done;
3173 		}
3174 	}
3175 
3176 	/*
3177 	 * Save away a copy of the IPv4 header the application passed down
3178 	 * and then prepend an IPv4 header complete with any IP options
3179 	 * including label.
3180 	 * We need a struct copy since icmp_prepend_hdr will reuse the available
3181 	 * space in the mblk.
3182 	 */
3183 	iphas = *ipha;
3184 	mp->b_rptr += IP_SIMPLE_HDR_LENGTH;
3185 
3186 	mp = icmp_prepend_hdr(connp, ixa, ipp, &v6src, &v6dst, 0, mp, &error);
3187 	if (mp == NULL) {
3188 		BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3189 		ASSERT(error != 0);
3190 		goto done;
3191 	}
3192 	if (ixa->ixa_pktlen > IP_MAXPACKET) {
3193 		error = EMSGSIZE;
3194 		BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3195 		freemsg(mp);
3196 		goto done;
3197 	}
3198 	/* Restore key parts of the header that the application passed down */
3199 	ipha = (ipha_t *)mp->b_rptr;
3200 	ipha->ipha_type_of_service = iphas.ipha_type_of_service;
3201 	ipha->ipha_ident = iphas.ipha_ident;
3202 	ipha->ipha_fragment_offset_and_flags =
3203 	    iphas.ipha_fragment_offset_and_flags;
3204 	ipha->ipha_ttl = iphas.ipha_ttl;
3205 	ipha->ipha_protocol = iphas.ipha_protocol;
3206 	ipha->ipha_src = iphas.ipha_src;
3207 	ipha->ipha_dst = iphas.ipha_dst;
3208 
3209 	ixa->ixa_protocol = ipha->ipha_protocol;
3210 
3211 	/*
3212 	 * Make sure that the IP header plus any transport header that is
3213 	 * checksumed by ip_output is in the first mblk. (ip_output assumes
3214 	 * that at least the checksum field is in the first mblk.)
3215 	 */
3216 	switch (ipha->ipha_protocol) {
3217 	case IPPROTO_UDP:
3218 		tp_hdr_len = 8;
3219 		break;
3220 	case IPPROTO_TCP:
3221 		tp_hdr_len = 20;
3222 		break;
3223 	default:
3224 		tp_hdr_len = 0;
3225 		break;
3226 	}
3227 	ip_hdr_length = IPH_HDR_LENGTH(ipha);
3228 	if (mp->b_wptr - mp->b_rptr < ip_hdr_length + tp_hdr_len) {
3229 		if (!pullupmsg(mp, ip_hdr_length + tp_hdr_len)) {
3230 			BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3231 			if (mp->b_cont == NULL)
3232 				error = EINVAL;
3233 			else
3234 				error = ENOMEM;
3235 			freemsg(mp);
3236 			goto done;
3237 		}
3238 	}
3239 
3240 	if (!do_ipsec) {
3241 		/* Policy might differ for different ICMP type/code */
3242 		if (ixa->ixa_ipsec_policy != NULL) {
3243 			IPPOL_REFRELE(ixa->ixa_ipsec_policy);
3244 			ixa->ixa_ipsec_policy = NULL;
3245 			ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
3246 		}
3247 		mp = ip_output_attach_policy(mp, ipha, NULL, connp, ixa);
3248 		if (mp == NULL) {
3249 			BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3250 			error = EHOSTUNREACH;	/* IPsec policy failure */
3251 			goto done;
3252 		}
3253 	}
3254 
3255 	/* We're done.  Pass the packet to ip. */
3256 	BUMP_MIB(&is->is_rawip_mib, rawipOutDatagrams);
3257 
3258 	error = conn_ip_output(mp, ixa);
3259 	/* No rawipOutErrors if an error since IP increases its error counter */
3260 	switch (error) {
3261 	case 0:
3262 		break;
3263 	case EWOULDBLOCK:
3264 		(void) ixa_check_drain_insert(connp, ixa);
3265 		error = 0;
3266 		break;
3267 	case EADDRNOTAVAIL:
3268 		/*
3269 		 * IXAF_VERIFY_SOURCE tells us to pick a better source.
3270 		 * Don't have the application see that errno
3271 		 */
3272 		error = ENETUNREACH;
3273 		break;
3274 	}
3275 done:
3276 	ixa_refrele(ixa);
3277 	ip_pkt_free(ipp);
3278 	kmem_free(ipp, sizeof (*ipp));
3279 	return (error);
3280 }
3281 
3282 static mblk_t *
3283 icmp_output_attach_policy(mblk_t *mp, conn_t *connp, ip_xmit_attr_t *ixa)
3284 {
3285 	ipha_t	*ipha = NULL;
3286 	ip6_t	*ip6h = NULL;
3287 
3288 	if (ixa->ixa_flags & IXAF_IS_IPV4)
3289 		ipha = (ipha_t *)mp->b_rptr;
3290 	else
3291 		ip6h = (ip6_t *)mp->b_rptr;
3292 
3293 	if (ixa->ixa_ipsec_policy != NULL) {
3294 		IPPOL_REFRELE(ixa->ixa_ipsec_policy);
3295 		ixa->ixa_ipsec_policy = NULL;
3296 		ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
3297 	}
3298 	return (ip_output_attach_policy(mp, ipha, ip6h, connp, ixa));
3299 }
3300 
3301 /*
3302  * Handle T_UNITDATA_REQ with options. Both IPv4 and IPv6
3303  * Either tudr_mp or msg is set. If tudr_mp we take ancillary data from
3304  * the TPI options, otherwise we take them from msg_control.
3305  * If both sin and sin6 is set it is a connected socket and we use conn_faddr.
3306  * Always consumes mp; never consumes tudr_mp.
3307  */
3308 static int
3309 icmp_output_ancillary(conn_t *connp, sin_t *sin, sin6_t *sin6, mblk_t *mp,
3310     mblk_t *tudr_mp, struct nmsghdr *msg, cred_t *cr, pid_t pid)
3311 {
3312 	icmp_t		*icmp = connp->conn_icmp;
3313 	icmp_stack_t	*is = icmp->icmp_is;
3314 	int		error;
3315 	ip_xmit_attr_t	*ixa;
3316 	ip_pkt_t	*ipp;
3317 	in6_addr_t	v6src;
3318 	in6_addr_t	v6dst;
3319 	in6_addr_t	v6nexthop;
3320 	in_port_t	dstport;
3321 	uint32_t	flowinfo;
3322 	uint_t		srcid;
3323 	int		is_absreq_failure = 0;
3324 	conn_opt_arg_t	coas, *coa;
3325 
3326 	ASSERT(tudr_mp != NULL || msg != NULL);
3327 
3328 	/*
3329 	 * Get ixa before checking state to handle a disconnect race.
3330 	 *
3331 	 * We need an exclusive copy of conn_ixa since the ancillary data
3332 	 * options might modify it. That copy has no pointers hence we
3333 	 * need to set them up once we've parsed the ancillary data.
3334 	 */
3335 	ixa = conn_get_ixa_exclusive(connp);
3336 	if (ixa == NULL) {
3337 		BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3338 		freemsg(mp);
3339 		return (ENOMEM);
3340 	}
3341 	ASSERT(cr != NULL);
3342 	ixa->ixa_cred = cr;
3343 	ixa->ixa_cpid = pid;
3344 	if (is_system_labeled()) {
3345 		/* We need to restart with a label based on the cred */
3346 		ip_xmit_attr_restore_tsl(ixa, ixa->ixa_cred);
3347 	}
3348 
3349 	/* In case previous destination was multicast or multirt */
3350 	ip_attr_newdst(ixa);
3351 
3352 	/* Get a copy of conn_xmit_ipp since the options might change it */
3353 	ipp = kmem_zalloc(sizeof (*ipp), KM_NOSLEEP);
3354 	if (ipp == NULL) {
3355 		ixa_refrele(ixa);
3356 		BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3357 		freemsg(mp);
3358 		return (ENOMEM);
3359 	}
3360 	mutex_enter(&connp->conn_lock);
3361 	error = ip_pkt_copy(&connp->conn_xmit_ipp, ipp, KM_NOSLEEP);
3362 	mutex_exit(&connp->conn_lock);
3363 	if (error != 0) {
3364 		BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3365 		freemsg(mp);
3366 		goto done;
3367 	}
3368 
3369 	/*
3370 	 * Parse the options and update ixa and ipp as a result.
3371 	 */
3372 
3373 	coa = &coas;
3374 	coa->coa_connp = connp;
3375 	coa->coa_ixa = ixa;
3376 	coa->coa_ipp = ipp;
3377 	coa->coa_ancillary = B_TRUE;
3378 	coa->coa_changed = 0;
3379 
3380 	if (msg != NULL) {
3381 		error = process_auxiliary_options(connp, msg->msg_control,
3382 		    msg->msg_controllen, coa, &icmp_opt_obj, icmp_opt_set, cr);
3383 	} else {
3384 		struct T_unitdata_req *tudr;
3385 
3386 		tudr = (struct T_unitdata_req *)tudr_mp->b_rptr;
3387 		ASSERT(tudr->PRIM_type == T_UNITDATA_REQ);
3388 		error = tpi_optcom_buf(connp->conn_wq, tudr_mp,
3389 		    &tudr->OPT_length, tudr->OPT_offset, cr, &icmp_opt_obj,
3390 		    coa, &is_absreq_failure);
3391 	}
3392 	if (error != 0) {
3393 		/*
3394 		 * Note: No special action needed in this
3395 		 * module for "is_absreq_failure"
3396 		 */
3397 		freemsg(mp);
3398 		BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3399 		goto done;
3400 	}
3401 	ASSERT(is_absreq_failure == 0);
3402 
3403 	mutex_enter(&connp->conn_lock);
3404 	/*
3405 	 * If laddr is unspecified then we look at sin6_src_id.
3406 	 * We will give precedence to a source address set with IPV6_PKTINFO
3407 	 * (aka IPPF_ADDR) but that is handled in build_hdrs. However, we don't
3408 	 * want ip_attr_connect to select a source (since it can fail) when
3409 	 * IPV6_PKTINFO is specified.
3410 	 * If this doesn't result in a source address then we get a source
3411 	 * from ip_attr_connect() below.
3412 	 */
3413 	v6src = connp->conn_saddr_v6;
3414 	if (sin != NULL) {
3415 		IN6_IPADDR_TO_V4MAPPED(sin->sin_addr.s_addr, &v6dst);
3416 		dstport = sin->sin_port;
3417 		flowinfo = 0;
3418 		ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
3419 		ixa->ixa_flags |= IXAF_IS_IPV4;
3420 	} else if (sin6 != NULL) {
3421 		v6dst = sin6->sin6_addr;
3422 		dstport = sin6->sin6_port;
3423 		flowinfo = sin6->sin6_flowinfo;
3424 		srcid = sin6->__sin6_src_id;
3425 		if (IN6_IS_ADDR_LINKSCOPE(&v6dst) && sin6->sin6_scope_id != 0) {
3426 			ixa->ixa_scopeid = sin6->sin6_scope_id;
3427 			ixa->ixa_flags |= IXAF_SCOPEID_SET;
3428 		} else {
3429 			ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
3430 		}
3431 		if (srcid != 0 && IN6_IS_ADDR_UNSPECIFIED(&v6src)) {
3432 			ip_srcid_find_id(srcid, &v6src, IPCL_ZONEID(connp),
3433 			    connp->conn_netstack);
3434 		}
3435 		if (IN6_IS_ADDR_V4MAPPED(&v6dst))
3436 			ixa->ixa_flags |= IXAF_IS_IPV4;
3437 		else
3438 			ixa->ixa_flags &= ~IXAF_IS_IPV4;
3439 	} else {
3440 		/* Connected case */
3441 		v6dst = connp->conn_faddr_v6;
3442 		flowinfo = connp->conn_flowinfo;
3443 	}
3444 	mutex_exit(&connp->conn_lock);
3445 	/* Handle IPV6_PKTINFO setting source address. */
3446 	if (IN6_IS_ADDR_UNSPECIFIED(&v6src) &&
3447 	    (ipp->ipp_fields & IPPF_ADDR)) {
3448 		if (ixa->ixa_flags & IXAF_IS_IPV4) {
3449 			if (IN6_IS_ADDR_V4MAPPED(&ipp->ipp_addr))
3450 				v6src = ipp->ipp_addr;
3451 		} else {
3452 			if (!IN6_IS_ADDR_V4MAPPED(&ipp->ipp_addr))
3453 				v6src = ipp->ipp_addr;
3454 		}
3455 	}
3456 
3457 	ip_attr_nexthop(ipp, ixa, &v6dst, &v6nexthop);
3458 	error = ip_attr_connect(connp, ixa, &v6src, &v6dst, &v6nexthop, dstport,
3459 	    &v6src, NULL, IPDF_ALLOW_MCBC | IPDF_VERIFY_DST);
3460 
3461 	switch (error) {
3462 	case 0:
3463 		break;
3464 	case EADDRNOTAVAIL:
3465 		/*
3466 		 * IXAF_VERIFY_SOURCE tells us to pick a better source.
3467 		 * Don't have the application see that errno
3468 		 */
3469 		error = ENETUNREACH;
3470 		goto failed;
3471 	case ENETDOWN:
3472 		/*
3473 		 * Have !ipif_addr_ready address; drop packet silently
3474 		 * until we can get applications to not send until we
3475 		 * are ready.
3476 		 */
3477 		error = 0;
3478 		goto failed;
3479 	case EHOSTUNREACH:
3480 	case ENETUNREACH:
3481 		if (ixa->ixa_ire != NULL) {
3482 			/*
3483 			 * Let conn_ip_output/ire_send_noroute return
3484 			 * the error and send any local ICMP error.
3485 			 */
3486 			error = 0;
3487 			break;
3488 		}
3489 		/* FALLTHRU */
3490 	default:
3491 	failed:
3492 		freemsg(mp);
3493 		BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3494 		goto done;
3495 	}
3496 
3497 	/*
3498 	 * We might be going to a different destination than last time,
3499 	 * thus check that TX allows the communication and compute any
3500 	 * needed label.
3501 	 *
3502 	 * TSOL Note: We have an exclusive ipp and ixa for this thread so we
3503 	 * don't have to worry about concurrent threads.
3504 	 */
3505 	if (is_system_labeled()) {
3506 		/*
3507 		 * Check whether Trusted Solaris policy allows communication
3508 		 * with this host, and pretend that the destination is
3509 		 * unreachable if not.
3510 		 * Compute any needed label and place it in ipp_label_v4/v6.
3511 		 *
3512 		 * Later conn_build_hdr_template/conn_prepend_hdr takes
3513 		 * ipp_label_v4/v6 to form the packet.
3514 		 *
3515 		 * Tsol note: We have ipp structure local to this thread so
3516 		 * no locking is needed.
3517 		 */
3518 		error = conn_update_label(connp, ixa, &v6dst, ipp);
3519 		if (error != 0) {
3520 			freemsg(mp);
3521 			BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3522 			goto done;
3523 		}
3524 	}
3525 	mp = icmp_prepend_hdr(connp, ixa, ipp, &v6src, &v6dst, flowinfo, mp,
3526 	    &error);
3527 	if (mp == NULL) {
3528 		BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3529 		ASSERT(error != 0);
3530 		goto done;
3531 	}
3532 	if (ixa->ixa_pktlen > IP_MAXPACKET) {
3533 		error = EMSGSIZE;
3534 		BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3535 		freemsg(mp);
3536 		goto done;
3537 	}
3538 
3539 	/* Policy might differ for different ICMP type/code */
3540 	mp = icmp_output_attach_policy(mp, connp, ixa);
3541 	if (mp == NULL) {
3542 		BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3543 		error = EHOSTUNREACH;	/* IPsec policy failure */
3544 		goto done;
3545 	}
3546 
3547 	/* We're done.  Pass the packet to ip. */
3548 	BUMP_MIB(&is->is_rawip_mib, rawipOutDatagrams);
3549 
3550 	/* Allow source not assigned to the system? */
3551 	ixa->ixa_flags &= ~IXAF_VERIFY_SOURCE;
3552 	error = conn_ip_output(mp, ixa);
3553 	if (!connp->conn_unspec_src)
3554 		ixa->ixa_flags |= IXAF_VERIFY_SOURCE;
3555 	/* No rawipOutErrors if an error since IP increases its error counter */
3556 	switch (error) {
3557 	case 0:
3558 		break;
3559 	case EWOULDBLOCK:
3560 		(void) ixa_check_drain_insert(connp, ixa);
3561 		error = 0;
3562 		break;
3563 	case EADDRNOTAVAIL:
3564 		/*
3565 		 * IXAF_VERIFY_SOURCE tells us to pick a better source.
3566 		 * Don't have the application see that errno
3567 		 */
3568 		error = ENETUNREACH;
3569 		/* FALLTHRU */
3570 	default:
3571 		mutex_enter(&connp->conn_lock);
3572 		/*
3573 		 * Clear the source and v6lastdst so we call ip_attr_connect
3574 		 * for the next packet and try to pick a better source.
3575 		 */
3576 		if (connp->conn_mcbc_bind)
3577 			connp->conn_saddr_v6 = ipv6_all_zeros;
3578 		else
3579 			connp->conn_saddr_v6 = connp->conn_bound_addr_v6;
3580 		connp->conn_v6lastdst = ipv6_all_zeros;
3581 		mutex_exit(&connp->conn_lock);
3582 		break;
3583 	}
3584 done:
3585 	ixa_refrele(ixa);
3586 	ip_pkt_free(ipp);
3587 	kmem_free(ipp, sizeof (*ipp));
3588 	return (error);
3589 }
3590 
3591 /*
3592  * Handle sending an M_DATA for a connected socket.
3593  * Handles both IPv4 and IPv6.
3594  */
3595 int
3596 icmp_output_connected(conn_t *connp, mblk_t *mp, cred_t *cr, pid_t pid)
3597 {
3598 	icmp_t		*icmp = connp->conn_icmp;
3599 	icmp_stack_t	*is = icmp->icmp_is;
3600 	int		error;
3601 	ip_xmit_attr_t	*ixa;
3602 	boolean_t	do_ipsec;
3603 
3604 	/*
3605 	 * If no other thread is using conn_ixa this just gets a reference to
3606 	 * conn_ixa. Otherwise we get a safe copy of conn_ixa.
3607 	 */
3608 	ixa = conn_get_ixa(connp, B_FALSE);
3609 	if (ixa == NULL) {
3610 		BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3611 		freemsg(mp);
3612 		return (ENOMEM);
3613 	}
3614 
3615 	ASSERT(cr != NULL);
3616 	ixa->ixa_cred = cr;
3617 	ixa->ixa_cpid = pid;
3618 
3619 	/* Defer IPsec if it might need to look at ICMP type/code */
3620 	switch (ixa->ixa_protocol) {
3621 	case IPPROTO_ICMP:
3622 	case IPPROTO_ICMPV6:
3623 		do_ipsec = B_FALSE;
3624 		break;
3625 	default:
3626 		do_ipsec = B_TRUE;
3627 	}
3628 
3629 	mutex_enter(&connp->conn_lock);
3630 	mp = icmp_prepend_header_template(connp, ixa, mp,
3631 	    &connp->conn_saddr_v6, connp->conn_flowinfo, &error);
3632 
3633 	if (mp == NULL) {
3634 		ASSERT(error != 0);
3635 		mutex_exit(&connp->conn_lock);
3636 		ixa_refrele(ixa);
3637 		BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3638 		freemsg(mp);
3639 		return (error);
3640 	}
3641 
3642 	if (!do_ipsec) {
3643 		/* Policy might differ for different ICMP type/code */
3644 		mp = icmp_output_attach_policy(mp, connp, ixa);
3645 		if (mp == NULL) {
3646 			mutex_exit(&connp->conn_lock);
3647 			BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3648 			ixa_refrele(ixa);
3649 			return (EHOSTUNREACH);	/* IPsec policy failure */
3650 		}
3651 	}
3652 
3653 	/*
3654 	 * In case we got a safe copy of conn_ixa, or if opt_set made us a new
3655 	 * safe copy, then we need to fill in any pointers in it.
3656 	 */
3657 	if (ixa->ixa_ire == NULL) {
3658 		in6_addr_t	faddr, saddr;
3659 		in6_addr_t	nexthop;
3660 		in_port_t	fport;
3661 
3662 		saddr = connp->conn_saddr_v6;
3663 		faddr = connp->conn_faddr_v6;
3664 		fport = connp->conn_fport;
3665 		ip_attr_nexthop(&connp->conn_xmit_ipp, ixa, &faddr, &nexthop);
3666 		mutex_exit(&connp->conn_lock);
3667 
3668 		error = ip_attr_connect(connp, ixa, &saddr, &faddr, &nexthop,
3669 		    fport, NULL, NULL, IPDF_ALLOW_MCBC | IPDF_VERIFY_DST |
3670 		    (do_ipsec ? IPDF_IPSEC : 0));
3671 		switch (error) {
3672 		case 0:
3673 			break;
3674 		case EADDRNOTAVAIL:
3675 			/*
3676 			 * IXAF_VERIFY_SOURCE tells us to pick a better source.
3677 			 * Don't have the application see that errno
3678 			 */
3679 			error = ENETUNREACH;
3680 			goto failed;
3681 		case ENETDOWN:
3682 			/*
3683 			 * Have !ipif_addr_ready address; drop packet silently
3684 			 * until we can get applications to not send until we
3685 			 * are ready.
3686 			 */
3687 			error = 0;
3688 			goto failed;
3689 		case EHOSTUNREACH:
3690 		case ENETUNREACH:
3691 			if (ixa->ixa_ire != NULL) {
3692 				/*
3693 				 * Let conn_ip_output/ire_send_noroute return
3694 				 * the error and send any local ICMP error.
3695 				 */
3696 				error = 0;
3697 				break;
3698 			}
3699 			/* FALLTHRU */
3700 		default:
3701 		failed:
3702 			ixa_refrele(ixa);
3703 			BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3704 			freemsg(mp);
3705 			return (error);
3706 		}
3707 	} else {
3708 		/* Done with conn_t */
3709 		mutex_exit(&connp->conn_lock);
3710 	}
3711 
3712 	/* We're done.  Pass the packet to ip. */
3713 	BUMP_MIB(&is->is_rawip_mib, rawipOutDatagrams);
3714 
3715 	error = conn_ip_output(mp, ixa);
3716 	/* No rawipOutErrors if an error since IP increases its error counter */
3717 	switch (error) {
3718 	case 0:
3719 		break;
3720 	case EWOULDBLOCK:
3721 		(void) ixa_check_drain_insert(connp, ixa);
3722 		error = 0;
3723 		break;
3724 	case EADDRNOTAVAIL:
3725 		/*
3726 		 * IXAF_VERIFY_SOURCE tells us to pick a better source.
3727 		 * Don't have the application see that errno
3728 		 */
3729 		error = ENETUNREACH;
3730 		break;
3731 	}
3732 	ixa_refrele(ixa);
3733 	return (error);
3734 }
3735 
3736 /*
3737  * Handle sending an M_DATA to the last destination.
3738  * Handles both IPv4 and IPv6.
3739  *
3740  * NOTE: The caller must hold conn_lock and we drop it here.
3741  */
3742 int
3743 icmp_output_lastdst(conn_t *connp, mblk_t *mp, cred_t *cr, pid_t pid,
3744     ip_xmit_attr_t *ixa)
3745 {
3746 	icmp_t		*icmp = connp->conn_icmp;
3747 	icmp_stack_t	*is = icmp->icmp_is;
3748 	int		error;
3749 	boolean_t	do_ipsec;
3750 
3751 	ASSERT(MUTEX_HELD(&connp->conn_lock));
3752 	ASSERT(ixa != NULL);
3753 
3754 	ASSERT(cr != NULL);
3755 	ixa->ixa_cred = cr;
3756 	ixa->ixa_cpid = pid;
3757 
3758 	/* Defer IPsec if it might need to look at ICMP type/code */
3759 	switch (ixa->ixa_protocol) {
3760 	case IPPROTO_ICMP:
3761 	case IPPROTO_ICMPV6:
3762 		do_ipsec = B_FALSE;
3763 		break;
3764 	default:
3765 		do_ipsec = B_TRUE;
3766 	}
3767 
3768 
3769 	mp = icmp_prepend_header_template(connp, ixa, mp,
3770 	    &connp->conn_v6lastsrc, connp->conn_lastflowinfo, &error);
3771 
3772 	if (mp == NULL) {
3773 		ASSERT(error != 0);
3774 		mutex_exit(&connp->conn_lock);
3775 		ixa_refrele(ixa);
3776 		BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3777 		freemsg(mp);
3778 		return (error);
3779 	}
3780 
3781 	if (!do_ipsec) {
3782 		/* Policy might differ for different ICMP type/code */
3783 		mp = icmp_output_attach_policy(mp, connp, ixa);
3784 		if (mp == NULL) {
3785 			mutex_exit(&connp->conn_lock);
3786 			BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3787 			ixa_refrele(ixa);
3788 			return (EHOSTUNREACH);	/* IPsec policy failure */
3789 		}
3790 	}
3791 
3792 	/*
3793 	 * In case we got a safe copy of conn_ixa, or if opt_set made us a new
3794 	 * safe copy, then we need to fill in any pointers in it.
3795 	 */
3796 	if (ixa->ixa_ire == NULL) {
3797 		in6_addr_t	lastdst, lastsrc;
3798 		in6_addr_t	nexthop;
3799 		in_port_t	lastport;
3800 
3801 		lastsrc = connp->conn_v6lastsrc;
3802 		lastdst = connp->conn_v6lastdst;
3803 		lastport = connp->conn_lastdstport;
3804 		ip_attr_nexthop(&connp->conn_xmit_ipp, ixa, &lastdst, &nexthop);
3805 		mutex_exit(&connp->conn_lock);
3806 
3807 		error = ip_attr_connect(connp, ixa, &lastsrc, &lastdst,
3808 		    &nexthop, lastport, NULL, NULL, IPDF_ALLOW_MCBC |
3809 		    IPDF_VERIFY_DST | (do_ipsec ? IPDF_IPSEC : 0));
3810 		switch (error) {
3811 		case 0:
3812 			break;
3813 		case EADDRNOTAVAIL:
3814 			/*
3815 			 * IXAF_VERIFY_SOURCE tells us to pick a better source.
3816 			 * Don't have the application see that errno
3817 			 */
3818 			error = ENETUNREACH;
3819 			goto failed;
3820 		case ENETDOWN:
3821 			/*
3822 			 * Have !ipif_addr_ready address; drop packet silently
3823 			 * until we can get applications to not send until we
3824 			 * are ready.
3825 			 */
3826 			error = 0;
3827 			goto failed;
3828 		case EHOSTUNREACH:
3829 		case ENETUNREACH:
3830 			if (ixa->ixa_ire != NULL) {
3831 				/*
3832 				 * Let conn_ip_output/ire_send_noroute return
3833 				 * the error and send any local ICMP error.
3834 				 */
3835 				error = 0;
3836 				break;
3837 			}
3838 			/* FALLTHRU */
3839 		default:
3840 		failed:
3841 			ixa_refrele(ixa);
3842 			BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
3843 			freemsg(mp);
3844 			return (error);
3845 		}
3846 	} else {
3847 		/* Done with conn_t */
3848 		mutex_exit(&connp->conn_lock);
3849 	}
3850 
3851 	/* We're done.  Pass the packet to ip. */
3852 	BUMP_MIB(&is->is_rawip_mib, rawipOutDatagrams);
3853 	error = conn_ip_output(mp, ixa);
3854 	/* No rawipOutErrors if an error since IP increases its error counter */
3855 	switch (error) {
3856 	case 0:
3857 		break;
3858 	case EWOULDBLOCK:
3859 		(void) ixa_check_drain_insert(connp, ixa);
3860 		error = 0;
3861 		break;
3862 	case EADDRNOTAVAIL:
3863 		/*
3864 		 * IXAF_VERIFY_SOURCE tells us to pick a better source.
3865 		 * Don't have the application see that errno
3866 		 */
3867 		error = ENETUNREACH;
3868 		/* FALLTHRU */
3869 	default:
3870 		mutex_enter(&connp->conn_lock);
3871 		/*
3872 		 * Clear the source and v6lastdst so we call ip_attr_connect
3873 		 * for the next packet and try to pick a better source.
3874 		 */
3875 		if (connp->conn_mcbc_bind)
3876 			connp->conn_saddr_v6 = ipv6_all_zeros;
3877 		else
3878 			connp->conn_saddr_v6 = connp->conn_bound_addr_v6;
3879 		connp->conn_v6lastdst = ipv6_all_zeros;
3880 		mutex_exit(&connp->conn_lock);
3881 		break;
3882 	}
3883 	ixa_refrele(ixa);
3884 	return (error);
3885 }
3886 
3887 
3888 /*
3889  * Prepend the header template and then fill in the source and
3890  * flowinfo. The caller needs to handle the destination address since
3891  * it's setting is different if rthdr or source route.
3892  *
3893  * Returns NULL is allocation failed or if the packet would exceed IP_MAXPACKET.
3894  * When it returns NULL it sets errorp.
3895  */
3896 static mblk_t *
3897 icmp_prepend_header_template(conn_t *connp, ip_xmit_attr_t *ixa, mblk_t *mp,
3898     const in6_addr_t *v6src, uint32_t flowinfo, int *errorp)
3899 {
3900 	icmp_t		*icmp = connp->conn_icmp;
3901 	icmp_stack_t	*is = icmp->icmp_is;
3902 	uint_t		pktlen;
3903 	uint_t		copylen;
3904 	uint8_t		*iph;
3905 	uint_t		ip_hdr_length;
3906 	uint32_t	cksum;
3907 	ip_pkt_t	*ipp;
3908 
3909 	ASSERT(MUTEX_HELD(&connp->conn_lock));
3910 
3911 	/*
3912 	 * Copy the header template.
3913 	 */
3914 	copylen = connp->conn_ht_iphc_len;
3915 	pktlen = copylen + msgdsize(mp);
3916 	if (pktlen > IP_MAXPACKET) {
3917 		freemsg(mp);
3918 		*errorp = EMSGSIZE;
3919 		return (NULL);
3920 	}
3921 	ixa->ixa_pktlen = pktlen;
3922 
3923 	/* check/fix buffer config, setup pointers into it */
3924 	iph = mp->b_rptr - copylen;
3925 	if (DB_REF(mp) != 1 || iph < DB_BASE(mp) || !OK_32PTR(iph)) {
3926 		mblk_t *mp1;
3927 
3928 		mp1 = allocb(copylen + is->is_wroff_extra, BPRI_MED);
3929 		if (mp1 == NULL) {
3930 			freemsg(mp);
3931 			*errorp = ENOMEM;
3932 			return (NULL);
3933 		}
3934 		mp1->b_wptr = DB_LIM(mp1);
3935 		mp1->b_cont = mp;
3936 		mp = mp1;
3937 		iph = (mp->b_wptr - copylen);
3938 	}
3939 	mp->b_rptr = iph;
3940 	bcopy(connp->conn_ht_iphc, iph, copylen);
3941 	ip_hdr_length = (uint_t)(connp->conn_ht_ulp - connp->conn_ht_iphc);
3942 
3943 	ixa->ixa_ip_hdr_length = ip_hdr_length;
3944 
3945 	/*
3946 	 * Prepare for ICMPv6 checksum done in IP.
3947 	 *
3948 	 * icmp_build_hdr_template has already massaged any routing header
3949 	 * and placed the result in conn_sum.
3950 	 *
3951 	 * We make it easy for IP to include our pseudo header
3952 	 * by putting our length (and any routing header adjustment)
3953 	 * in the ICMPv6 checksum field.
3954 	 */
3955 	cksum = pktlen - ip_hdr_length;
3956 
3957 	cksum += connp->conn_sum;
3958 	cksum = (cksum >> 16) + (cksum & 0xFFFF);
3959 	ASSERT(cksum < 0x10000);
3960 
3961 	ipp = &connp->conn_xmit_ipp;
3962 	if (ixa->ixa_flags & IXAF_IS_IPV4) {
3963 		ipha_t	*ipha = (ipha_t *)iph;
3964 
3965 		ipha->ipha_length = htons((uint16_t)pktlen);
3966 
3967 		/* if IP_PKTINFO specified an addres it wins over bind() */
3968 		if ((ipp->ipp_fields & IPPF_ADDR) &&
3969 		    IN6_IS_ADDR_V4MAPPED(&ipp->ipp_addr)) {
3970 			ASSERT(ipp->ipp_addr_v4 != INADDR_ANY);
3971 			ipha->ipha_src = ipp->ipp_addr_v4;
3972 		} else {
3973 			IN6_V4MAPPED_TO_IPADDR(v6src, ipha->ipha_src);
3974 		}
3975 	} else {
3976 		ip6_t *ip6h = (ip6_t *)iph;
3977 		uint_t	cksum_offset = 0;
3978 
3979 		ip6h->ip6_plen =  htons((uint16_t)(pktlen - IPV6_HDR_LEN));
3980 
3981 		/* if IP_PKTINFO specified an addres it wins over bind() */
3982 		if ((ipp->ipp_fields & IPPF_ADDR) &&
3983 		    !IN6_IS_ADDR_V4MAPPED(&ipp->ipp_addr)) {
3984 			ASSERT(!IN6_IS_ADDR_UNSPECIFIED(&ipp->ipp_addr));
3985 			ip6h->ip6_src = ipp->ipp_addr;
3986 		} else {
3987 			ip6h->ip6_src = *v6src;
3988 		}
3989 		ip6h->ip6_vcf =
3990 		    (IPV6_DEFAULT_VERS_AND_FLOW & IPV6_VERS_AND_FLOW_MASK) |
3991 		    (flowinfo & ~IPV6_VERS_AND_FLOW_MASK);
3992 		if (ipp->ipp_fields & IPPF_TCLASS) {
3993 			/* Overrides the class part of flowinfo */
3994 			ip6h->ip6_vcf = IPV6_TCLASS_FLOW(ip6h->ip6_vcf,
3995 			    ipp->ipp_tclass);
3996 		}
3997 
3998 		if (ixa->ixa_flags & IXAF_SET_ULP_CKSUM) {
3999 			if (connp->conn_proto == IPPROTO_ICMPV6) {
4000 				cksum_offset = ixa->ixa_ip_hdr_length +
4001 				    offsetof(icmp6_t, icmp6_cksum);
4002 			} else if (ixa->ixa_flags & IXAF_SET_RAW_CKSUM) {
4003 				cksum_offset = ixa->ixa_ip_hdr_length +
4004 				    ixa->ixa_raw_cksum_offset;
4005 			}
4006 		}
4007 		if (cksum_offset != 0) {
4008 			uint16_t *ptr;
4009 
4010 			/* Make sure the checksum fits in the first mblk */
4011 			if (cksum_offset + sizeof (short) > MBLKL(mp)) {
4012 				mblk_t *mp1;
4013 
4014 				mp1 = msgpullup(mp,
4015 				    cksum_offset + sizeof (short));
4016 				freemsg(mp);
4017 				if (mp1 == NULL) {
4018 					*errorp = ENOMEM;
4019 					return (NULL);
4020 				}
4021 				mp = mp1;
4022 				iph = mp->b_rptr;
4023 				ip6h = (ip6_t *)iph;
4024 			}
4025 			ptr = (uint16_t *)(mp->b_rptr + cksum_offset);
4026 			*ptr = htons(cksum);
4027 		}
4028 	}
4029 
4030 	return (mp);
4031 }
4032 
4033 /*
4034  * This routine handles all messages passed downstream.  It either
4035  * consumes the message or passes it downstream; it never queues a
4036  * a message.
4037  */
4038 void
4039 icmp_wput(queue_t *q, mblk_t *mp)
4040 {
4041 	sin6_t		*sin6;
4042 	sin_t		*sin = NULL;
4043 	uint_t		srcid;
4044 	conn_t		*connp = Q_TO_CONN(q);
4045 	icmp_t		*icmp = connp->conn_icmp;
4046 	int		error = 0;
4047 	struct sockaddr	*addr = NULL;
4048 	socklen_t	addrlen;
4049 	icmp_stack_t	*is = icmp->icmp_is;
4050 	struct T_unitdata_req *tudr;
4051 	mblk_t		*data_mp;
4052 	cred_t		*cr;
4053 	pid_t		pid;
4054 
4055 	/*
4056 	 * We directly handle several cases here: T_UNITDATA_REQ message
4057 	 * coming down as M_PROTO/M_PCPROTO and M_DATA messages for connected
4058 	 * socket.
4059 	 */
4060 	switch (DB_TYPE(mp)) {
4061 	case M_DATA:
4062 		/* sockfs never sends down M_DATA */
4063 		BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
4064 		freemsg(mp);
4065 		return;
4066 
4067 	case M_PROTO:
4068 	case M_PCPROTO:
4069 		tudr = (struct T_unitdata_req *)mp->b_rptr;
4070 		if (MBLKL(mp) < sizeof (*tudr) ||
4071 		    ((t_primp_t)mp->b_rptr)->type != T_UNITDATA_REQ) {
4072 			icmp_wput_other(q, mp);
4073 			return;
4074 		}
4075 		break;
4076 
4077 	default:
4078 		icmp_wput_other(q, mp);
4079 		return;
4080 	}
4081 
4082 	/* Handle valid T_UNITDATA_REQ here */
4083 	data_mp = mp->b_cont;
4084 	if (data_mp == NULL) {
4085 		error = EPROTO;
4086 		goto ud_error2;
4087 	}
4088 	mp->b_cont = NULL;
4089 
4090 	if (!MBLKIN(mp, 0, tudr->DEST_offset + tudr->DEST_length)) {
4091 		error = EADDRNOTAVAIL;
4092 		goto ud_error2;
4093 	}
4094 
4095 	/*
4096 	 * All Solaris components should pass a db_credp
4097 	 * for this message, hence we ASSERT.
4098 	 * On production kernels we return an error to be robust against
4099 	 * random streams modules sitting on top of us.
4100 	 */
4101 	cr = msg_getcred(mp, &pid);
4102 	ASSERT(cr != NULL);
4103 	if (cr == NULL) {
4104 		error = EINVAL;
4105 		goto ud_error2;
4106 	}
4107 
4108 	/*
4109 	 * If a port has not been bound to the stream, fail.
4110 	 * This is not a problem when sockfs is directly
4111 	 * above us, because it will ensure that the socket
4112 	 * is first bound before allowing data to be sent.
4113 	 */
4114 	if (icmp->icmp_state == TS_UNBND) {
4115 		error = EPROTO;
4116 		goto ud_error2;
4117 	}
4118 	addr = (struct sockaddr *)&mp->b_rptr[tudr->DEST_offset];
4119 	addrlen = tudr->DEST_length;
4120 
4121 	switch (connp->conn_family) {
4122 	case AF_INET6:
4123 		sin6 = (sin6_t *)addr;
4124 		if (!OK_32PTR((char *)sin6) || (addrlen != sizeof (sin6_t)) ||
4125 		    (sin6->sin6_family != AF_INET6)) {
4126 			error = EADDRNOTAVAIL;
4127 			goto ud_error2;
4128 		}
4129 
4130 		/* No support for mapped addresses on raw sockets */
4131 		if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
4132 			error = EADDRNOTAVAIL;
4133 			goto ud_error2;
4134 		}
4135 		srcid = sin6->__sin6_src_id;
4136 
4137 		/*
4138 		 * If the local address is a mapped address return
4139 		 * an error.
4140 		 * It would be possible to send an IPv6 packet but the
4141 		 * response would never make it back to the application
4142 		 * since it is bound to a mapped address.
4143 		 */
4144 		if (IN6_IS_ADDR_V4MAPPED(&connp->conn_saddr_v6)) {
4145 			error = EADDRNOTAVAIL;
4146 			goto ud_error2;
4147 		}
4148 
4149 		if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr))
4150 			sin6->sin6_addr = ipv6_loopback;
4151 
4152 		if (tudr->OPT_length != 0) {
4153 			/*
4154 			 * If we are connected then the destination needs to be
4155 			 * the same as the connected one.
4156 			 */
4157 			if (icmp->icmp_state == TS_DATA_XFER &&
4158 			    !conn_same_as_last_v6(connp, sin6)) {
4159 				error = EISCONN;
4160 				goto ud_error2;
4161 			}
4162 			error = icmp_output_ancillary(connp, NULL, sin6,
4163 			    data_mp, mp, NULL, cr, pid);
4164 		} else {
4165 			ip_xmit_attr_t *ixa;
4166 
4167 			/*
4168 			 * We have to allocate an ip_xmit_attr_t before we grab
4169 			 * conn_lock and we need to hold conn_lock once we've
4170 			 * checked conn_same_as_last_v6 to handle concurrent
4171 			 * send* calls on a socket.
4172 			 */
4173 			ixa = conn_get_ixa(connp, B_FALSE);
4174 			if (ixa == NULL) {
4175 				error = ENOMEM;
4176 				goto ud_error2;
4177 			}
4178 			mutex_enter(&connp->conn_lock);
4179 
4180 			if (conn_same_as_last_v6(connp, sin6) &&
4181 			    connp->conn_lastsrcid == srcid &&
4182 			    ipsec_outbound_policy_current(ixa)) {
4183 				/* icmp_output_lastdst drops conn_lock */
4184 				error = icmp_output_lastdst(connp, data_mp, cr,
4185 				    pid, ixa);
4186 			} else {
4187 				/* icmp_output_newdst drops conn_lock */
4188 				error = icmp_output_newdst(connp, data_mp, NULL,
4189 				    sin6, cr, pid, ixa);
4190 			}
4191 			ASSERT(MUTEX_NOT_HELD(&connp->conn_lock));
4192 		}
4193 		if (error == 0) {
4194 			freeb(mp);
4195 			return;
4196 		}
4197 		break;
4198 
4199 	case AF_INET:
4200 		sin = (sin_t *)addr;
4201 		if ((!OK_32PTR((char *)sin) || addrlen != sizeof (sin_t)) ||
4202 		    (sin->sin_family != AF_INET)) {
4203 			error = EADDRNOTAVAIL;
4204 			goto ud_error2;
4205 		}
4206 		if (sin->sin_addr.s_addr == INADDR_ANY)
4207 			sin->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
4208 
4209 		/* Protocol 255 contains full IP headers */
4210 		/* Read without holding lock */
4211 		if (icmp->icmp_hdrincl) {
4212 			if (MBLKL(data_mp) < IP_SIMPLE_HDR_LENGTH) {
4213 				if (!pullupmsg(data_mp, IP_SIMPLE_HDR_LENGTH)) {
4214 					error = EINVAL;
4215 					goto ud_error2;
4216 				}
4217 			}
4218 			error = icmp_output_hdrincl(connp, data_mp, cr, pid);
4219 			if (error == 0) {
4220 				freeb(mp);
4221 				return;
4222 			}
4223 			/* data_mp consumed above */
4224 			data_mp = NULL;
4225 			goto ud_error2;
4226 		}
4227 
4228 		if (tudr->OPT_length != 0) {
4229 			/*
4230 			 * If we are connected then the destination needs to be
4231 			 * the same as the connected one.
4232 			 */
4233 			if (icmp->icmp_state == TS_DATA_XFER &&
4234 			    !conn_same_as_last_v4(connp, sin)) {
4235 				error = EISCONN;
4236 				goto ud_error2;
4237 			}
4238 			error = icmp_output_ancillary(connp, sin, NULL,
4239 			    data_mp, mp, NULL, cr, pid);
4240 		} else {
4241 			ip_xmit_attr_t *ixa;
4242 
4243 			/*
4244 			 * We have to allocate an ip_xmit_attr_t before we grab
4245 			 * conn_lock and we need to hold conn_lock once we've
4246 			 * checked conn_same_as_last_v4 to handle concurrent
4247 			 * send* calls on a socket.
4248 			 */
4249 			ixa = conn_get_ixa(connp, B_FALSE);
4250 			if (ixa == NULL) {
4251 				error = ENOMEM;
4252 				goto ud_error2;
4253 			}
4254 			mutex_enter(&connp->conn_lock);
4255 
4256 			if (conn_same_as_last_v4(connp, sin) &&
4257 			    ipsec_outbound_policy_current(ixa)) {
4258 				/* icmp_output_lastdst drops conn_lock */
4259 				error = icmp_output_lastdst(connp, data_mp, cr,
4260 				    pid, ixa);
4261 			} else {
4262 				/* icmp_output_newdst drops conn_lock */
4263 				error = icmp_output_newdst(connp, data_mp, sin,
4264 				    NULL, cr, pid, ixa);
4265 			}
4266 			ASSERT(MUTEX_NOT_HELD(&connp->conn_lock));
4267 		}
4268 		if (error == 0) {
4269 			freeb(mp);
4270 			return;
4271 		}
4272 		break;
4273 	}
4274 	ASSERT(mp != NULL);
4275 	/* mp is freed by the following routine */
4276 	icmp_ud_err(q, mp, (t_scalar_t)error);
4277 	return;
4278 
4279 ud_error2:
4280 	BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
4281 	freemsg(data_mp);
4282 	ASSERT(mp != NULL);
4283 	/* mp is freed by the following routine */
4284 	icmp_ud_err(q, mp, (t_scalar_t)error);
4285 }
4286 
4287 /*
4288  * Handle the case of the IP address or flow label being different
4289  * for both IPv4 and IPv6.
4290  *
4291  * NOTE: The caller must hold conn_lock and we drop it here.
4292  */
4293 static int
4294 icmp_output_newdst(conn_t *connp, mblk_t *data_mp, sin_t *sin, sin6_t *sin6,
4295     cred_t *cr, pid_t pid, ip_xmit_attr_t *ixa)
4296 {
4297 	icmp_t		*icmp = connp->conn_icmp;
4298 	icmp_stack_t	*is = icmp->icmp_is;
4299 	int		error;
4300 	ip_xmit_attr_t	*oldixa;
4301 	boolean_t	do_ipsec;
4302 	uint_t		srcid;
4303 	uint32_t	flowinfo;
4304 	in6_addr_t	v6src;
4305 	in6_addr_t	v6dst;
4306 	in6_addr_t	v6nexthop;
4307 	in_port_t	dstport;
4308 
4309 	ASSERT(MUTEX_HELD(&connp->conn_lock));
4310 	ASSERT(ixa != NULL);
4311 
4312 	/*
4313 	 * We hold conn_lock across all the use and modifications of
4314 	 * the conn_lastdst, conn_ixa, and conn_xmit_ipp to ensure that they
4315 	 * stay consistent.
4316 	 */
4317 
4318 	ASSERT(cr != NULL);
4319 	ixa->ixa_cred = cr;
4320 	ixa->ixa_cpid = pid;
4321 	if (is_system_labeled()) {
4322 		/* We need to restart with a label based on the cred */
4323 		ip_xmit_attr_restore_tsl(ixa, ixa->ixa_cred);
4324 	}
4325 	/*
4326 	 * If we are connected then the destination needs to be the
4327 	 * same as the connected one, which is not the case here since we
4328 	 * checked for that above.
4329 	 */
4330 	if (icmp->icmp_state == TS_DATA_XFER) {
4331 		mutex_exit(&connp->conn_lock);
4332 		error = EISCONN;
4333 		goto ud_error;
4334 	}
4335 
4336 	/* In case previous destination was multicast or multirt */
4337 	ip_attr_newdst(ixa);
4338 
4339 	/*
4340 	 * If laddr is unspecified then we look at sin6_src_id.
4341 	 * We will give precedence to a source address set with IPV6_PKTINFO
4342 	 * (aka IPPF_ADDR) but that is handled in build_hdrs. However, we don't
4343 	 * want ip_attr_connect to select a source (since it can fail) when
4344 	 * IPV6_PKTINFO is specified.
4345 	 * If this doesn't result in a source address then we get a source
4346 	 * from ip_attr_connect() below.
4347 	 */
4348 	v6src = connp->conn_saddr_v6;
4349 	if (sin != NULL) {
4350 		IN6_IPADDR_TO_V4MAPPED(sin->sin_addr.s_addr, &v6dst);
4351 		dstport = sin->sin_port;
4352 		flowinfo = 0;
4353 		srcid = 0;
4354 		ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
4355 		if (srcid != 0 && V4_PART_OF_V6(&v6src) == INADDR_ANY) {
4356 			ip_srcid_find_id(srcid, &v6src, IPCL_ZONEID(connp),
4357 			    connp->conn_netstack);
4358 		}
4359 		ixa->ixa_flags |= IXAF_IS_IPV4;
4360 	} else {
4361 		v6dst = sin6->sin6_addr;
4362 		dstport = sin6->sin6_port;
4363 		flowinfo = sin6->sin6_flowinfo;
4364 		srcid = sin6->__sin6_src_id;
4365 		if (IN6_IS_ADDR_LINKSCOPE(&v6dst) && sin6->sin6_scope_id != 0) {
4366 			ixa->ixa_scopeid = sin6->sin6_scope_id;
4367 			ixa->ixa_flags |= IXAF_SCOPEID_SET;
4368 		} else {
4369 			ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
4370 		}
4371 		if (srcid != 0 && IN6_IS_ADDR_UNSPECIFIED(&v6src)) {
4372 			ip_srcid_find_id(srcid, &v6src, IPCL_ZONEID(connp),
4373 			    connp->conn_netstack);
4374 		}
4375 		if (IN6_IS_ADDR_V4MAPPED(&v6dst))
4376 			ixa->ixa_flags |= IXAF_IS_IPV4;
4377 		else
4378 			ixa->ixa_flags &= ~IXAF_IS_IPV4;
4379 	}
4380 	/* Handle IPV6_PKTINFO setting source address. */
4381 	if (IN6_IS_ADDR_UNSPECIFIED(&v6src) &&
4382 	    (connp->conn_xmit_ipp.ipp_fields & IPPF_ADDR)) {
4383 		ip_pkt_t *ipp = &connp->conn_xmit_ipp;
4384 
4385 		if (ixa->ixa_flags & IXAF_IS_IPV4) {
4386 			if (IN6_IS_ADDR_V4MAPPED(&ipp->ipp_addr))
4387 				v6src = ipp->ipp_addr;
4388 		} else {
4389 			if (!IN6_IS_ADDR_V4MAPPED(&ipp->ipp_addr))
4390 				v6src = ipp->ipp_addr;
4391 		}
4392 	}
4393 
4394 	/* Defer IPsec if it might need to look at ICMP type/code */
4395 	switch (ixa->ixa_protocol) {
4396 	case IPPROTO_ICMP:
4397 	case IPPROTO_ICMPV6:
4398 		do_ipsec = B_FALSE;
4399 		break;
4400 	default:
4401 		do_ipsec = B_TRUE;
4402 	}
4403 
4404 	ip_attr_nexthop(&connp->conn_xmit_ipp, ixa, &v6dst, &v6nexthop);
4405 	mutex_exit(&connp->conn_lock);
4406 
4407 	error = ip_attr_connect(connp, ixa, &v6src, &v6dst, &v6nexthop, dstport,
4408 	    &v6src, NULL, IPDF_ALLOW_MCBC | IPDF_VERIFY_DST |
4409 	    (do_ipsec ? IPDF_IPSEC : 0));
4410 	switch (error) {
4411 	case 0:
4412 		break;
4413 	case EADDRNOTAVAIL:
4414 		/*
4415 		 * IXAF_VERIFY_SOURCE tells us to pick a better source.
4416 		 * Don't have the application see that errno
4417 		 */
4418 		error = ENETUNREACH;
4419 		goto failed;
4420 	case ENETDOWN:
4421 		/*
4422 		 * Have !ipif_addr_ready address; drop packet silently
4423 		 * until we can get applications to not send until we
4424 		 * are ready.
4425 		 */
4426 		error = 0;
4427 		goto failed;
4428 	case EHOSTUNREACH:
4429 	case ENETUNREACH:
4430 		if (ixa->ixa_ire != NULL) {
4431 			/*
4432 			 * Let conn_ip_output/ire_send_noroute return
4433 			 * the error and send any local ICMP error.
4434 			 */
4435 			error = 0;
4436 			break;
4437 		}
4438 		/* FALLTHRU */
4439 	default:
4440 	failed:
4441 		goto ud_error;
4442 	}
4443 
4444 	mutex_enter(&connp->conn_lock);
4445 	/*
4446 	 * While we dropped the lock some other thread might have connected
4447 	 * this socket. If so we bail out with EISCONN to ensure that the
4448 	 * connecting thread is the one that updates conn_ixa, conn_ht_*
4449 	 * and conn_*last*.
4450 	 */
4451 	if (icmp->icmp_state == TS_DATA_XFER) {
4452 		mutex_exit(&connp->conn_lock);
4453 		error = EISCONN;
4454 		goto ud_error;
4455 	}
4456 
4457 	/*
4458 	 * We need to rebuild the headers if
4459 	 *  - we are labeling packets (could be different for different
4460 	 *    destinations)
4461 	 *  - we have a source route (or routing header) since we need to
4462 	 *    massage that to get the pseudo-header checksum
4463 	 *  - a socket option with COA_HEADER_CHANGED has been set which
4464 	 *    set conn_v6lastdst to zero.
4465 	 *
4466 	 * Otherwise the prepend function will just update the src, dst,
4467 	 * and flow label.
4468 	 */
4469 	if (is_system_labeled()) {
4470 		/* TX MLP requires SCM_UCRED and don't have that here */
4471 		if (connp->conn_mlp_type != mlptSingle) {
4472 			mutex_exit(&connp->conn_lock);
4473 			error = ECONNREFUSED;
4474 			goto ud_error;
4475 		}
4476 		/*
4477 		 * Check whether Trusted Solaris policy allows communication
4478 		 * with this host, and pretend that the destination is
4479 		 * unreachable if not.
4480 		 * Compute any needed label and place it in ipp_label_v4/v6.
4481 		 *
4482 		 * Later conn_build_hdr_template/conn_prepend_hdr takes
4483 		 * ipp_label_v4/v6 to form the packet.
4484 		 *
4485 		 * Tsol note: Since we hold conn_lock we know no other
4486 		 * thread manipulates conn_xmit_ipp.
4487 		 */
4488 		error = conn_update_label(connp, ixa, &v6dst,
4489 		    &connp->conn_xmit_ipp);
4490 		if (error != 0) {
4491 			mutex_exit(&connp->conn_lock);
4492 			goto ud_error;
4493 		}
4494 		/* Rebuild the header template */
4495 		error = icmp_build_hdr_template(connp, &v6src, &v6dst,
4496 		    flowinfo);
4497 		if (error != 0) {
4498 			mutex_exit(&connp->conn_lock);
4499 			goto ud_error;
4500 		}
4501 	} else if (connp->conn_xmit_ipp.ipp_fields &
4502 	    (IPPF_IPV4_OPTIONS|IPPF_RTHDR) ||
4503 	    IN6_IS_ADDR_UNSPECIFIED(&connp->conn_v6lastdst)) {
4504 		/* Rebuild the header template */
4505 		error = icmp_build_hdr_template(connp, &v6src, &v6dst,
4506 		    flowinfo);
4507 		if (error != 0) {
4508 			mutex_exit(&connp->conn_lock);
4509 			goto ud_error;
4510 		}
4511 	} else {
4512 		/* Simply update the destination address if no source route */
4513 		if (ixa->ixa_flags & IXAF_IS_IPV4) {
4514 			ipha_t	*ipha = (ipha_t *)connp->conn_ht_iphc;
4515 
4516 			IN6_V4MAPPED_TO_IPADDR(&v6dst, ipha->ipha_dst);
4517 			if (ixa->ixa_flags & IXAF_PMTU_IPV4_DF) {
4518 				ipha->ipha_fragment_offset_and_flags |=
4519 				    IPH_DF_HTONS;
4520 			} else {
4521 				ipha->ipha_fragment_offset_and_flags &=
4522 				    ~IPH_DF_HTONS;
4523 			}
4524 		} else {
4525 			ip6_t *ip6h = (ip6_t *)connp->conn_ht_iphc;
4526 			ip6h->ip6_dst = v6dst;
4527 		}
4528 	}
4529 
4530 	/*
4531 	 * Remember the dst etc which corresponds to the built header
4532 	 * template and conn_ixa.
4533 	 */
4534 	oldixa = conn_replace_ixa(connp, ixa);
4535 	connp->conn_v6lastdst = v6dst;
4536 	connp->conn_lastflowinfo = flowinfo;
4537 	connp->conn_lastscopeid = ixa->ixa_scopeid;
4538 	connp->conn_lastsrcid = srcid;
4539 	/* Also remember a source to use together with lastdst */
4540 	connp->conn_v6lastsrc = v6src;
4541 
4542 	data_mp = icmp_prepend_header_template(connp, ixa, data_mp, &v6src,
4543 	    flowinfo, &error);
4544 
4545 	/* Done with conn_t */
4546 	mutex_exit(&connp->conn_lock);
4547 	ixa_refrele(oldixa);
4548 
4549 	if (data_mp == NULL) {
4550 		ASSERT(error != 0);
4551 		goto ud_error;
4552 	}
4553 
4554 	if (!do_ipsec) {
4555 		/* Policy might differ for different ICMP type/code */
4556 		data_mp = icmp_output_attach_policy(data_mp, connp, ixa);
4557 		if (data_mp == NULL) {
4558 			BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
4559 			error = EHOSTUNREACH;	/* IPsec policy failure */
4560 			goto done;
4561 		}
4562 	}
4563 
4564 	/* We're done.  Pass the packet to ip. */
4565 	BUMP_MIB(&is->is_rawip_mib, rawipOutDatagrams);
4566 
4567 	error = conn_ip_output(data_mp, ixa);
4568 	/* No rawipOutErrors if an error since IP increases its error counter */
4569 	switch (error) {
4570 	case 0:
4571 		break;
4572 	case EWOULDBLOCK:
4573 		(void) ixa_check_drain_insert(connp, ixa);
4574 		error = 0;
4575 		break;
4576 	case EADDRNOTAVAIL:
4577 		/*
4578 		 * IXAF_VERIFY_SOURCE tells us to pick a better source.
4579 		 * Don't have the application see that errno
4580 		 */
4581 		error = ENETUNREACH;
4582 		/* FALLTHRU */
4583 	default:
4584 		mutex_enter(&connp->conn_lock);
4585 		/*
4586 		 * Clear the source and v6lastdst so we call ip_attr_connect
4587 		 * for the next packet and try to pick a better source.
4588 		 */
4589 		if (connp->conn_mcbc_bind)
4590 			connp->conn_saddr_v6 = ipv6_all_zeros;
4591 		else
4592 			connp->conn_saddr_v6 = connp->conn_bound_addr_v6;
4593 		connp->conn_v6lastdst = ipv6_all_zeros;
4594 		mutex_exit(&connp->conn_lock);
4595 		break;
4596 	}
4597 done:
4598 	ixa_refrele(ixa);
4599 	return (error);
4600 
4601 ud_error:
4602 	if (ixa != NULL)
4603 		ixa_refrele(ixa);
4604 
4605 	BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
4606 	freemsg(data_mp);
4607 	return (error);
4608 }
4609 
4610 /* ARGSUSED */
4611 static void
4612 icmp_wput_fallback(queue_t *q, mblk_t *mp)
4613 {
4614 #ifdef DEBUG
4615 	cmn_err(CE_CONT, "icmp_wput_fallback: Message during fallback \n");
4616 #endif
4617 	freemsg(mp);
4618 }
4619 
4620 static void
4621 icmp_wput_other(queue_t *q, mblk_t *mp)
4622 {
4623 	uchar_t	*rptr = mp->b_rptr;
4624 	struct iocblk *iocp;
4625 	conn_t	*connp = Q_TO_CONN(q);
4626 	icmp_t	*icmp = connp->conn_icmp;
4627 	icmp_stack_t *is = icmp->icmp_is;
4628 	cred_t *cr;
4629 
4630 	switch (mp->b_datap->db_type) {
4631 	case M_PROTO:
4632 	case M_PCPROTO:
4633 		if (mp->b_wptr - rptr < sizeof (t_scalar_t)) {
4634 			/*
4635 			 * If the message does not contain a PRIM_type,
4636 			 * throw it away.
4637 			 */
4638 			freemsg(mp);
4639 			return;
4640 		}
4641 		switch (((t_primp_t)rptr)->type) {
4642 		case T_ADDR_REQ:
4643 			icmp_addr_req(q, mp);
4644 			return;
4645 		case O_T_BIND_REQ:
4646 		case T_BIND_REQ:
4647 			icmp_tpi_bind(q, mp);
4648 			return;
4649 		case T_CONN_REQ:
4650 			icmp_tpi_connect(q, mp);
4651 			return;
4652 		case T_CAPABILITY_REQ:
4653 			icmp_capability_req(q, mp);
4654 			return;
4655 		case T_INFO_REQ:
4656 			icmp_info_req(q, mp);
4657 			return;
4658 		case T_UNITDATA_REQ:
4659 			/*
4660 			 * If a T_UNITDATA_REQ gets here, the address must
4661 			 * be bad.  Valid T_UNITDATA_REQs are handled
4662 			 * in icmp_wput.
4663 			 */
4664 			icmp_ud_err(q, mp, EADDRNOTAVAIL);
4665 			return;
4666 		case T_UNBIND_REQ:
4667 			icmp_tpi_unbind(q, mp);
4668 			return;
4669 		case T_SVR4_OPTMGMT_REQ:
4670 			/*
4671 			 * All Solaris components should pass a db_credp
4672 			 * for this TPI message, hence we ASSERT.
4673 			 * But in case there is some other M_PROTO that looks
4674 			 * like a TPI message sent by some other kernel
4675 			 * component, we check and return an error.
4676 			 */
4677 			cr = msg_getcred(mp, NULL);
4678 			ASSERT(cr != NULL);
4679 			if (cr == NULL) {
4680 				icmp_err_ack(q, mp, TSYSERR, EINVAL);
4681 				return;
4682 			}
4683 
4684 			if (!snmpcom_req(q, mp, icmp_snmp_set, ip_snmp_get,
4685 			    cr)) {
4686 				svr4_optcom_req(q, mp, cr, &icmp_opt_obj);
4687 			}
4688 			return;
4689 
4690 		case T_OPTMGMT_REQ:
4691 			/*
4692 			 * All Solaris components should pass a db_credp
4693 			 * for this TPI message, hence we ASSERT.
4694 			 * But in case there is some other M_PROTO that looks
4695 			 * like a TPI message sent by some other kernel
4696 			 * component, we check and return an error.
4697 			 */
4698 			cr = msg_getcred(mp, NULL);
4699 			ASSERT(cr != NULL);
4700 			if (cr == NULL) {
4701 				icmp_err_ack(q, mp, TSYSERR, EINVAL);
4702 				return;
4703 			}
4704 			tpi_optcom_req(q, mp, cr, &icmp_opt_obj);
4705 			return;
4706 
4707 		case T_DISCON_REQ:
4708 			icmp_tpi_disconnect(q, mp);
4709 			return;
4710 
4711 		/* The following TPI message is not supported by icmp. */
4712 		case O_T_CONN_RES:
4713 		case T_CONN_RES:
4714 			icmp_err_ack(q, mp, TNOTSUPPORT, 0);
4715 			return;
4716 
4717 		/* The following 3 TPI requests are illegal for icmp. */
4718 		case T_DATA_REQ:
4719 		case T_EXDATA_REQ:
4720 		case T_ORDREL_REQ:
4721 			icmp_err_ack(q, mp, TNOTSUPPORT, 0);
4722 			return;
4723 		default:
4724 			break;
4725 		}
4726 		break;
4727 	case M_FLUSH:
4728 		if (*rptr & FLUSHW)
4729 			flushq(q, FLUSHDATA);
4730 		break;
4731 	case M_IOCTL:
4732 		iocp = (struct iocblk *)mp->b_rptr;
4733 		switch (iocp->ioc_cmd) {
4734 		case TI_GETPEERNAME:
4735 			if (icmp->icmp_state != TS_DATA_XFER) {
4736 				/*
4737 				 * If a default destination address has not
4738 				 * been associated with the stream, then we
4739 				 * don't know the peer's name.
4740 				 */
4741 				iocp->ioc_error = ENOTCONN;
4742 				iocp->ioc_count = 0;
4743 				mp->b_datap->db_type = M_IOCACK;
4744 				qreply(q, mp);
4745 				return;
4746 			}
4747 			/* FALLTHRU */
4748 		case TI_GETMYNAME:
4749 			/*
4750 			 * For TI_GETPEERNAME and TI_GETMYNAME, we first
4751 			 * need to copyin the user's strbuf structure.
4752 			 * Processing will continue in the M_IOCDATA case
4753 			 * below.
4754 			 */
4755 			mi_copyin(q, mp, NULL,
4756 			    SIZEOF_STRUCT(strbuf, iocp->ioc_flag));
4757 			return;
4758 		case ND_SET:
4759 			/* nd_getset performs the necessary checking */
4760 		case ND_GET:
4761 			if (nd_getset(q, is->is_nd, mp)) {
4762 				qreply(q, mp);
4763 				return;
4764 			}
4765 			break;
4766 		default:
4767 			break;
4768 		}
4769 		break;
4770 	case M_IOCDATA:
4771 		icmp_wput_iocdata(q, mp);
4772 		return;
4773 	default:
4774 		/* Unrecognized messages are passed through without change. */
4775 		break;
4776 	}
4777 	ip_wput_nondata(q, mp);
4778 }
4779 
4780 /*
4781  * icmp_wput_iocdata is called by icmp_wput_other to handle all M_IOCDATA
4782  * messages.
4783  */
4784 static void
4785 icmp_wput_iocdata(queue_t *q, mblk_t *mp)
4786 {
4787 	mblk_t		*mp1;
4788 	STRUCT_HANDLE(strbuf, sb);
4789 	uint_t		addrlen;
4790 	conn_t		*connp = Q_TO_CONN(q);
4791 	icmp_t		*icmp = connp->conn_icmp;
4792 
4793 	/* Make sure it is one of ours. */
4794 	switch (((struct iocblk *)mp->b_rptr)->ioc_cmd) {
4795 	case TI_GETMYNAME:
4796 	case TI_GETPEERNAME:
4797 		break;
4798 	default:
4799 		ip_wput_nondata(q, mp);
4800 		return;
4801 	}
4802 
4803 	switch (mi_copy_state(q, mp, &mp1)) {
4804 	case -1:
4805 		return;
4806 	case MI_COPY_CASE(MI_COPY_IN, 1):
4807 		break;
4808 	case MI_COPY_CASE(MI_COPY_OUT, 1):
4809 		/*
4810 		 * The address has been copied out, so now
4811 		 * copyout the strbuf.
4812 		 */
4813 		mi_copyout(q, mp);
4814 		return;
4815 	case MI_COPY_CASE(MI_COPY_OUT, 2):
4816 		/*
4817 		 * The address and strbuf have been copied out.
4818 		 * We're done, so just acknowledge the original
4819 		 * M_IOCTL.
4820 		 */
4821 		mi_copy_done(q, mp, 0);
4822 		return;
4823 	default:
4824 		/*
4825 		 * Something strange has happened, so acknowledge
4826 		 * the original M_IOCTL with an EPROTO error.
4827 		 */
4828 		mi_copy_done(q, mp, EPROTO);
4829 		return;
4830 	}
4831 
4832 	/*
4833 	 * Now we have the strbuf structure for TI_GETMYNAME
4834 	 * and TI_GETPEERNAME.  Next we copyout the requested
4835 	 * address and then we'll copyout the strbuf.
4836 	 */
4837 	STRUCT_SET_HANDLE(sb, ((struct iocblk *)mp->b_rptr)->ioc_flag,
4838 	    (void *)mp1->b_rptr);
4839 
4840 	if (connp->conn_family == AF_INET)
4841 		addrlen = sizeof (sin_t);
4842 	else
4843 		addrlen = sizeof (sin6_t);
4844 
4845 	if (STRUCT_FGET(sb, maxlen) < addrlen) {
4846 		mi_copy_done(q, mp, EINVAL);
4847 		return;
4848 	}
4849 	switch (((struct iocblk *)mp->b_rptr)->ioc_cmd) {
4850 	case TI_GETMYNAME:
4851 		break;
4852 	case TI_GETPEERNAME:
4853 		if (icmp->icmp_state != TS_DATA_XFER) {
4854 			mi_copy_done(q, mp, ENOTCONN);
4855 			return;
4856 		}
4857 		break;
4858 	default:
4859 		mi_copy_done(q, mp, EPROTO);
4860 		return;
4861 	}
4862 	mp1 = mi_copyout_alloc(q, mp, STRUCT_FGETP(sb, buf), addrlen, B_TRUE);
4863 	if (!mp1)
4864 		return;
4865 
4866 	STRUCT_FSET(sb, len, addrlen);
4867 	switch (((struct iocblk *)mp->b_rptr)->ioc_cmd) {
4868 	case TI_GETMYNAME:
4869 		(void) conn_getsockname(connp, (struct sockaddr *)mp1->b_wptr,
4870 		    &addrlen);
4871 		break;
4872 	case TI_GETPEERNAME:
4873 		(void) conn_getpeername(connp, (struct sockaddr *)mp1->b_wptr,
4874 		    &addrlen);
4875 		break;
4876 	}
4877 	mp1->b_wptr += addrlen;
4878 	/* Copy out the address */
4879 	mi_copyout(q, mp);
4880 }
4881 
4882 void
4883 icmp_ddi_g_init(void)
4884 {
4885 	icmp_max_optsize = optcom_max_optsize(icmp_opt_obj.odb_opt_des_arr,
4886 	    icmp_opt_obj.odb_opt_arr_cnt);
4887 
4888 	/*
4889 	 * We want to be informed each time a stack is created or
4890 	 * destroyed in the kernel, so we can maintain the
4891 	 * set of icmp_stack_t's.
4892 	 */
4893 	netstack_register(NS_ICMP, rawip_stack_init, NULL, rawip_stack_fini);
4894 }
4895 
4896 void
4897 icmp_ddi_g_destroy(void)
4898 {
4899 	netstack_unregister(NS_ICMP);
4900 }
4901 
4902 #define	INET_NAME	"ip"
4903 
4904 /*
4905  * Initialize the ICMP stack instance.
4906  */
4907 static void *
4908 rawip_stack_init(netstackid_t stackid, netstack_t *ns)
4909 {
4910 	icmp_stack_t	*is;
4911 	icmpparam_t	*pa;
4912 	int		error = 0;
4913 	major_t		major;
4914 
4915 	is = (icmp_stack_t *)kmem_zalloc(sizeof (*is), KM_SLEEP);
4916 	is->is_netstack = ns;
4917 
4918 	pa = (icmpparam_t *)kmem_alloc(sizeof (icmp_param_arr), KM_SLEEP);
4919 	is->is_param_arr = pa;
4920 	bcopy(icmp_param_arr, is->is_param_arr, sizeof (icmp_param_arr));
4921 
4922 	(void) icmp_param_register(&is->is_nd,
4923 	    is->is_param_arr, A_CNT(icmp_param_arr));
4924 	is->is_ksp = rawip_kstat_init(stackid);
4925 
4926 	major = mod_name_to_major(INET_NAME);
4927 	error = ldi_ident_from_major(major, &is->is_ldi_ident);
4928 	ASSERT(error == 0);
4929 	return (is);
4930 }
4931 
4932 /*
4933  * Free the ICMP stack instance.
4934  */
4935 static void
4936 rawip_stack_fini(netstackid_t stackid, void *arg)
4937 {
4938 	icmp_stack_t *is = (icmp_stack_t *)arg;
4939 
4940 	nd_free(&is->is_nd);
4941 	kmem_free(is->is_param_arr, sizeof (icmp_param_arr));
4942 	is->is_param_arr = NULL;
4943 
4944 	rawip_kstat_fini(stackid, is->is_ksp);
4945 	is->is_ksp = NULL;
4946 	ldi_ident_release(is->is_ldi_ident);
4947 	kmem_free(is, sizeof (*is));
4948 }
4949 
4950 static void *
4951 rawip_kstat_init(netstackid_t stackid) {
4952 	kstat_t	*ksp;
4953 
4954 	rawip_named_kstat_t template = {
4955 		{ "inDatagrams",	KSTAT_DATA_UINT32, 0 },
4956 		{ "inCksumErrs",	KSTAT_DATA_UINT32, 0 },
4957 		{ "inErrors",		KSTAT_DATA_UINT32, 0 },
4958 		{ "outDatagrams",	KSTAT_DATA_UINT32, 0 },
4959 		{ "outErrors",		KSTAT_DATA_UINT32, 0 },
4960 	};
4961 
4962 	ksp = kstat_create_netstack("icmp", 0, "rawip", "mib2",
4963 					KSTAT_TYPE_NAMED,
4964 					NUM_OF_FIELDS(rawip_named_kstat_t),
4965 					0, stackid);
4966 	if (ksp == NULL || ksp->ks_data == NULL)
4967 		return (NULL);
4968 
4969 	bcopy(&template, ksp->ks_data, sizeof (template));
4970 	ksp->ks_update = rawip_kstat_update;
4971 	ksp->ks_private = (void *)(uintptr_t)stackid;
4972 
4973 	kstat_install(ksp);
4974 	return (ksp);
4975 }
4976 
4977 static void
4978 rawip_kstat_fini(netstackid_t stackid, kstat_t *ksp)
4979 {
4980 	if (ksp != NULL) {
4981 		ASSERT(stackid == (netstackid_t)(uintptr_t)ksp->ks_private);
4982 		kstat_delete_netstack(ksp, stackid);
4983 	}
4984 }
4985 
4986 static int
4987 rawip_kstat_update(kstat_t *ksp, int rw)
4988 {
4989 	rawip_named_kstat_t *rawipkp;
4990 	netstackid_t	stackid = (netstackid_t)(uintptr_t)ksp->ks_private;
4991 	netstack_t	*ns;
4992 	icmp_stack_t	*is;
4993 
4994 	if ((ksp == NULL) || (ksp->ks_data == NULL))
4995 		return (EIO);
4996 
4997 	if (rw == KSTAT_WRITE)
4998 		return (EACCES);
4999 
5000 	rawipkp = (rawip_named_kstat_t *)ksp->ks_data;
5001 
5002 	ns = netstack_find_by_stackid(stackid);
5003 	if (ns == NULL)
5004 		return (-1);
5005 	is = ns->netstack_icmp;
5006 	if (is == NULL) {
5007 		netstack_rele(ns);
5008 		return (-1);
5009 	}
5010 	rawipkp->inDatagrams.value.ui32 =  is->is_rawip_mib.rawipInDatagrams;
5011 	rawipkp->inCksumErrs.value.ui32 =  is->is_rawip_mib.rawipInCksumErrs;
5012 	rawipkp->inErrors.value.ui32 =	   is->is_rawip_mib.rawipInErrors;
5013 	rawipkp->outDatagrams.value.ui32 = is->is_rawip_mib.rawipOutDatagrams;
5014 	rawipkp->outErrors.value.ui32 =	   is->is_rawip_mib.rawipOutErrors;
5015 	netstack_rele(ns);
5016 	return (0);
5017 }
5018 
5019 /* ARGSUSED */
5020 int
5021 rawip_accept(sock_lower_handle_t lproto_handle,
5022     sock_lower_handle_t eproto_handle, sock_upper_handle_t sock_handle,
5023     cred_t *cr)
5024 {
5025 	return (EOPNOTSUPP);
5026 }
5027 
5028 /* ARGSUSED */
5029 int
5030 rawip_bind(sock_lower_handle_t proto_handle, struct sockaddr *sa,
5031     socklen_t len, cred_t *cr)
5032 {
5033 	conn_t  *connp = (conn_t *)proto_handle;
5034 	int	error;
5035 
5036 	/* All Solaris components should pass a cred for this operation. */
5037 	ASSERT(cr != NULL);
5038 
5039 	/* Binding to a NULL address really means unbind */
5040 	if (sa == NULL)
5041 		error = rawip_do_unbind(connp);
5042 	else
5043 		error = rawip_do_bind(connp, sa, len);
5044 
5045 	if (error < 0) {
5046 		if (error == -TOUTSTATE)
5047 			error = EINVAL;
5048 		else
5049 			error = proto_tlitosyserr(-error);
5050 	}
5051 	return (error);
5052 }
5053 
5054 static int
5055 rawip_implicit_bind(conn_t *connp)
5056 {
5057 	sin6_t sin6addr;
5058 	sin_t *sin;
5059 	sin6_t *sin6;
5060 	socklen_t len;
5061 	int error;
5062 
5063 	if (connp->conn_family == AF_INET) {
5064 		len = sizeof (struct sockaddr_in);
5065 		sin = (sin_t *)&sin6addr;
5066 		*sin = sin_null;
5067 		sin->sin_family = AF_INET;
5068 		sin->sin_addr.s_addr = INADDR_ANY;
5069 	} else {
5070 		ASSERT(connp->conn_family == AF_INET6);
5071 		len = sizeof (sin6_t);
5072 		sin6 = (sin6_t *)&sin6addr;
5073 		*sin6 = sin6_null;
5074 		sin6->sin6_family = AF_INET6;
5075 		V6_SET_ZERO(sin6->sin6_addr);
5076 	}
5077 
5078 	error = rawip_do_bind(connp, (struct sockaddr *)&sin6addr, len);
5079 
5080 	return ((error < 0) ? proto_tlitosyserr(-error) : error);
5081 }
5082 
5083 static int
5084 rawip_unbind(conn_t *connp)
5085 {
5086 	int error;
5087 
5088 	error = rawip_do_unbind(connp);
5089 	if (error < 0) {
5090 		error = proto_tlitosyserr(-error);
5091 	}
5092 	return (error);
5093 }
5094 
5095 /* ARGSUSED */
5096 int
5097 rawip_listen(sock_lower_handle_t proto_handle, int backlog, cred_t *cr)
5098 {
5099 	return (EOPNOTSUPP);
5100 }
5101 
5102 int
5103 rawip_connect(sock_lower_handle_t proto_handle, const struct sockaddr *sa,
5104     socklen_t len, sock_connid_t *id, cred_t *cr)
5105 {
5106 	conn_t	*connp = (conn_t *)proto_handle;
5107 	icmp_t *icmp = connp->conn_icmp;
5108 	int	error;
5109 	boolean_t did_bind = B_FALSE;
5110 	pid_t	pid = curproc->p_pid;
5111 
5112 	/* All Solaris components should pass a cred for this operation. */
5113 	ASSERT(cr != NULL);
5114 
5115 	if (sa == NULL) {
5116 		/*
5117 		 * Disconnect
5118 		 * Make sure we are connected
5119 		 */
5120 		if (icmp->icmp_state != TS_DATA_XFER)
5121 			return (EINVAL);
5122 
5123 		error = icmp_disconnect(connp);
5124 		return (error);
5125 	}
5126 
5127 	error = proto_verify_ip_addr(connp->conn_family, sa, len);
5128 	if (error != 0)
5129 		return (error);
5130 
5131 	/* do an implicit bind if necessary */
5132 	if (icmp->icmp_state == TS_UNBND) {
5133 		error = rawip_implicit_bind(connp);
5134 		/*
5135 		 * We could be racing with an actual bind, in which case
5136 		 * we would see EPROTO. We cross our fingers and try
5137 		 * to connect.
5138 		 */
5139 		if (!(error == 0 || error == EPROTO))
5140 			return (error);
5141 		did_bind = B_TRUE;
5142 	}
5143 
5144 	/*
5145 	 * set SO_DGRAM_ERRIND
5146 	 */
5147 	connp->conn_dgram_errind = B_TRUE;
5148 
5149 	error = rawip_do_connect(connp, sa, len, cr, pid);
5150 	if (error != 0 && did_bind) {
5151 		int unbind_err;
5152 
5153 		unbind_err = rawip_unbind(connp);
5154 		ASSERT(unbind_err == 0);
5155 	}
5156 
5157 	if (error == 0) {
5158 		*id = 0;
5159 		(*connp->conn_upcalls->su_connected)(connp->conn_upper_handle,
5160 		    0, NULL, -1);
5161 	} else if (error < 0) {
5162 		error = proto_tlitosyserr(-error);
5163 	}
5164 	return (error);
5165 }
5166 
5167 /* ARGSUSED2 */
5168 int
5169 rawip_fallback(sock_lower_handle_t proto_handle, queue_t *q,
5170     boolean_t direct_sockfs, so_proto_quiesced_cb_t quiesced_cb)
5171 {
5172 	conn_t  *connp = (conn_t *)proto_handle;
5173 	icmp_t	*icmp;
5174 	struct T_capability_ack tca;
5175 	struct sockaddr_in6 laddr, faddr;
5176 	socklen_t laddrlen, faddrlen;
5177 	short opts;
5178 	struct stroptions *stropt;
5179 	mblk_t *stropt_mp;
5180 	int error;
5181 
5182 	icmp = connp->conn_icmp;
5183 
5184 	stropt_mp = allocb_wait(sizeof (*stropt), BPRI_HI, STR_NOSIG, NULL);
5185 
5186 	/*
5187 	 * setup the fallback stream that was allocated
5188 	 */
5189 	connp->conn_dev = (dev_t)RD(q)->q_ptr;
5190 	connp->conn_minor_arena = WR(q)->q_ptr;
5191 
5192 	RD(q)->q_ptr = WR(q)->q_ptr = connp;
5193 
5194 	WR(q)->q_qinfo = &icmpwinit;
5195 
5196 	connp->conn_rq = RD(q);
5197 	connp->conn_wq = WR(q);
5198 
5199 	/* Notify stream head about options before sending up data */
5200 	stropt_mp->b_datap->db_type = M_SETOPTS;
5201 	stropt_mp->b_wptr += sizeof (*stropt);
5202 	stropt = (struct stroptions *)stropt_mp->b_rptr;
5203 	stropt->so_flags = SO_WROFF | SO_HIWAT;
5204 	stropt->so_wroff = connp->conn_wroff;
5205 	stropt->so_hiwat = connp->conn_rcvbuf;
5206 	putnext(RD(q), stropt_mp);
5207 
5208 	/*
5209 	 * free helper stream
5210 	 */
5211 	ip_free_helper_stream(connp);
5212 
5213 	/*
5214 	 * Collect the information needed to sync with the sonode
5215 	 */
5216 	icmp_do_capability_ack(icmp, &tca, TC1_INFO);
5217 
5218 	laddrlen = faddrlen = sizeof (sin6_t);
5219 	(void) rawip_getsockname((sock_lower_handle_t)connp,
5220 	    (struct sockaddr *)&laddr, &laddrlen, CRED());
5221 	error = rawip_getpeername((sock_lower_handle_t)connp,
5222 	    (struct sockaddr *)&faddr, &faddrlen, CRED());
5223 	if (error != 0)
5224 		faddrlen = 0;
5225 	opts = 0;
5226 	if (connp->conn_dgram_errind)
5227 		opts |= SO_DGRAM_ERRIND;
5228 	if (connp->conn_ixa->ixa_flags & IXAF_DONTROUTE)
5229 		opts |= SO_DONTROUTE;
5230 
5231 	(*quiesced_cb)(connp->conn_upper_handle, q, &tca,
5232 	    (struct sockaddr *)&laddr, laddrlen,
5233 	    (struct sockaddr *)&faddr, faddrlen, opts);
5234 
5235 	/*
5236 	 * Attempts to send data up during fallback will result in it being
5237 	 * queued in icmp_t. Now we push up any queued packets.
5238 	 */
5239 	mutex_enter(&icmp->icmp_recv_lock);
5240 	while (icmp->icmp_fallback_queue_head != NULL) {
5241 		mblk_t	*mp;
5242 
5243 		mp = icmp->icmp_fallback_queue_head;
5244 		icmp->icmp_fallback_queue_head = mp->b_next;
5245 		mp->b_next = NULL;
5246 		mutex_exit(&icmp->icmp_recv_lock);
5247 		putnext(RD(q), mp);
5248 		mutex_enter(&icmp->icmp_recv_lock);
5249 	}
5250 	icmp->icmp_fallback_queue_tail = icmp->icmp_fallback_queue_head;
5251 
5252 	/*
5253 	 * No longer a streams less socket
5254 	 */
5255 	mutex_enter(&connp->conn_lock);
5256 	connp->conn_flags &= ~IPCL_NONSTR;
5257 	mutex_exit(&connp->conn_lock);
5258 
5259 	mutex_exit(&icmp->icmp_recv_lock);
5260 
5261 	ASSERT(icmp->icmp_fallback_queue_head == NULL &&
5262 	    icmp->icmp_fallback_queue_tail == NULL);
5263 
5264 	ASSERT(connp->conn_ref >= 1);
5265 
5266 	return (0);
5267 }
5268 
5269 /* ARGSUSED2 */
5270 sock_lower_handle_t
5271 rawip_create(int family, int type, int proto, sock_downcalls_t **sock_downcalls,
5272     uint_t *smodep, int *errorp, int flags, cred_t *credp)
5273 {
5274 	conn_t *connp;
5275 
5276 	if (type != SOCK_RAW || (family != AF_INET && family != AF_INET6)) {
5277 		*errorp = EPROTONOSUPPORT;
5278 		return (NULL);
5279 	}
5280 
5281 	connp = rawip_do_open(family, credp, errorp, flags);
5282 	if (connp != NULL) {
5283 		connp->conn_flags |= IPCL_NONSTR;
5284 
5285 		mutex_enter(&connp->conn_lock);
5286 		connp->conn_state_flags &= ~CONN_INCIPIENT;
5287 		mutex_exit(&connp->conn_lock);
5288 		*sock_downcalls = &sock_rawip_downcalls;
5289 		*smodep = SM_ATOMIC;
5290 	} else {
5291 		ASSERT(*errorp != 0);
5292 	}
5293 
5294 	return ((sock_lower_handle_t)connp);
5295 }
5296 
5297 /* ARGSUSED3 */
5298 void
5299 rawip_activate(sock_lower_handle_t proto_handle,
5300     sock_upper_handle_t sock_handle, sock_upcalls_t *sock_upcalls, int flags,
5301     cred_t *cr)
5302 {
5303 	conn_t 			*connp = (conn_t *)proto_handle;
5304 	struct sock_proto_props sopp;
5305 
5306 	/* All Solaris components should pass a cred for this operation. */
5307 	ASSERT(cr != NULL);
5308 
5309 	connp->conn_upcalls = sock_upcalls;
5310 	connp->conn_upper_handle = sock_handle;
5311 
5312 	sopp.sopp_flags = SOCKOPT_WROFF | SOCKOPT_RCVHIWAT | SOCKOPT_RCVLOWAT |
5313 	    SOCKOPT_MAXBLK | SOCKOPT_MAXPSZ | SOCKOPT_MINPSZ;
5314 	sopp.sopp_wroff = connp->conn_wroff;
5315 	sopp.sopp_rxhiwat = connp->conn_rcvbuf;
5316 	sopp.sopp_rxlowat = connp->conn_rcvlowat;
5317 	sopp.sopp_maxblk = INFPSZ;
5318 	sopp.sopp_maxpsz = IP_MAXPACKET;
5319 	sopp.sopp_minpsz = (icmp_mod_info.mi_minpsz == 1) ? 0 :
5320 	    icmp_mod_info.mi_minpsz;
5321 
5322 	(*connp->conn_upcalls->su_set_proto_props)
5323 	    (connp->conn_upper_handle, &sopp);
5324 
5325 	icmp_bind_proto(connp->conn_icmp);
5326 }
5327 
5328 /* ARGSUSED3 */
5329 int
5330 rawip_getpeername(sock_lower_handle_t proto_handle, struct sockaddr *sa,
5331     socklen_t *salenp, cred_t *cr)
5332 {
5333 	conn_t  *connp = (conn_t *)proto_handle;
5334 	icmp_t  *icmp = connp->conn_icmp;
5335 	int	error;
5336 
5337 	/* All Solaris components should pass a cred for this operation. */
5338 	ASSERT(cr != NULL);
5339 
5340 	mutex_enter(&connp->conn_lock);
5341 	if (icmp->icmp_state != TS_DATA_XFER)
5342 		error = ENOTCONN;
5343 	else
5344 		error = conn_getpeername(connp, sa, salenp);
5345 	mutex_exit(&connp->conn_lock);
5346 	return (error);
5347 }
5348 
5349 /* ARGSUSED3 */
5350 int
5351 rawip_getsockname(sock_lower_handle_t proto_handle, struct sockaddr *sa,
5352     socklen_t *salenp, cred_t *cr)
5353 {
5354 	conn_t  *connp = (conn_t *)proto_handle;
5355 	int	error;
5356 
5357 	/* All Solaris components should pass a cred for this operation. */
5358 	ASSERT(cr != NULL);
5359 
5360 	mutex_enter(&connp->conn_lock);
5361 	error = conn_getsockname(connp, sa, salenp);
5362 	mutex_exit(&connp->conn_lock);
5363 	return (error);
5364 }
5365 
5366 int
5367 rawip_setsockopt(sock_lower_handle_t proto_handle, int level, int option_name,
5368     const void *optvalp, socklen_t optlen, cred_t *cr)
5369 {
5370 	conn_t	*connp = (conn_t *)proto_handle;
5371 	int error;
5372 
5373 	/* All Solaris components should pass a cred for this operation. */
5374 	ASSERT(cr != NULL);
5375 
5376 	error = proto_opt_check(level, option_name, optlen, NULL,
5377 	    icmp_opt_obj.odb_opt_des_arr,
5378 	    icmp_opt_obj.odb_opt_arr_cnt,
5379 	    B_TRUE, B_FALSE, cr);
5380 
5381 	if (error != 0) {
5382 		/*
5383 		 * option not recognized
5384 		 */
5385 		if (error < 0) {
5386 			error = proto_tlitosyserr(-error);
5387 		}
5388 		return (error);
5389 	}
5390 
5391 	error = icmp_opt_set(connp, SETFN_OPTCOM_NEGOTIATE, level,
5392 	    option_name, optlen, (uchar_t *)optvalp, (uint_t *)&optlen,
5393 	    (uchar_t *)optvalp, NULL, cr);
5394 
5395 	ASSERT(error >= 0);
5396 
5397 	return (error);
5398 }
5399 
5400 int
5401 rawip_getsockopt(sock_lower_handle_t proto_handle, int level, int option_name,
5402     void *optvalp, socklen_t *optlen, cred_t *cr)
5403 {
5404 	int		error;
5405 	conn_t		*connp = (conn_t *)proto_handle;
5406 	t_uscalar_t	max_optbuf_len;
5407 	void		*optvalp_buf;
5408 	int		len;
5409 
5410 	/* All Solaris components should pass a cred for this operation. */
5411 	ASSERT(cr != NULL);
5412 
5413 	error = proto_opt_check(level, option_name, *optlen, &max_optbuf_len,
5414 	    icmp_opt_obj.odb_opt_des_arr,
5415 	    icmp_opt_obj.odb_opt_arr_cnt,
5416 	    B_FALSE, B_TRUE, cr);
5417 
5418 	if (error != 0) {
5419 		if (error < 0) {
5420 			error = proto_tlitosyserr(-error);
5421 		}
5422 		return (error);
5423 	}
5424 
5425 	optvalp_buf = kmem_alloc(max_optbuf_len, KM_SLEEP);
5426 	len = icmp_opt_get(connp, level, option_name, optvalp_buf);
5427 	if (len == -1) {
5428 		kmem_free(optvalp_buf, max_optbuf_len);
5429 		return (EINVAL);
5430 	}
5431 
5432 	/*
5433 	 * update optlen and copy option value
5434 	 */
5435 	t_uscalar_t size = MIN(len, *optlen);
5436 
5437 	bcopy(optvalp_buf, optvalp, size);
5438 	bcopy(&size, optlen, sizeof (size));
5439 
5440 	kmem_free(optvalp_buf, max_optbuf_len);
5441 	return (0);
5442 }
5443 
5444 /* ARGSUSED1 */
5445 int
5446 rawip_close(sock_lower_handle_t proto_handle, int flags, cred_t *cr)
5447 {
5448 	conn_t	*connp = (conn_t *)proto_handle;
5449 
5450 	/* All Solaris components should pass a cred for this operation. */
5451 	ASSERT(cr != NULL);
5452 
5453 	(void) rawip_do_close(connp);
5454 	return (0);
5455 }
5456 
5457 /* ARGSUSED2 */
5458 int
5459 rawip_shutdown(sock_lower_handle_t proto_handle, int how, cred_t *cr)
5460 {
5461 	conn_t  *connp = (conn_t *)proto_handle;
5462 
5463 	/* All Solaris components should pass a cred for this operation. */
5464 	ASSERT(cr != NULL);
5465 
5466 	/* shut down the send side */
5467 	if (how != SHUT_RD)
5468 		(*connp->conn_upcalls->su_opctl)(connp->conn_upper_handle,
5469 		    SOCK_OPCTL_SHUT_SEND, 0);
5470 	/* shut down the recv side */
5471 	if (how != SHUT_WR)
5472 		(*connp->conn_upcalls->su_opctl)(connp->conn_upper_handle,
5473 		    SOCK_OPCTL_SHUT_RECV, 0);
5474 	return (0);
5475 }
5476 
5477 void
5478 rawip_clr_flowctrl(sock_lower_handle_t proto_handle)
5479 {
5480 	conn_t  *connp = (conn_t *)proto_handle;
5481 	icmp_t	*icmp = connp->conn_icmp;
5482 
5483 	mutex_enter(&icmp->icmp_recv_lock);
5484 	connp->conn_flow_cntrld = B_FALSE;
5485 	mutex_exit(&icmp->icmp_recv_lock);
5486 }
5487 
5488 int
5489 rawip_ioctl(sock_lower_handle_t proto_handle, int cmd, intptr_t arg,
5490     int mode, int32_t *rvalp, cred_t *cr)
5491 {
5492 	conn_t  	*connp = (conn_t *)proto_handle;
5493 	int		error;
5494 
5495 	/* All Solaris components should pass a cred for this operation. */
5496 	ASSERT(cr != NULL);
5497 
5498 	/*
5499 	 * If we don't have a helper stream then create one.
5500 	 * ip_create_helper_stream takes care of locking the conn_t,
5501 	 * so this check for NULL is just a performance optimization.
5502 	 */
5503 	if (connp->conn_helper_info == NULL) {
5504 		icmp_stack_t *is = connp->conn_icmp->icmp_is;
5505 
5506 		ASSERT(is->is_ldi_ident != NULL);
5507 
5508 		/*
5509 		 * Create a helper stream for non-STREAMS socket.
5510 		 */
5511 		error = ip_create_helper_stream(connp, is->is_ldi_ident);
5512 		if (error != 0) {
5513 			ip0dbg(("rawip_ioctl: create of IP helper stream "
5514 			    "failed %d\n", error));
5515 			return (error);
5516 		}
5517 	}
5518 
5519 	switch (cmd) {
5520 	case ND_SET:
5521 	case ND_GET:
5522 	case _SIOCSOCKFALLBACK:
5523 	case TI_GETPEERNAME:
5524 	case TI_GETMYNAME:
5525 #ifdef DEBUG
5526 		cmn_err(CE_CONT, "icmp_ioctl cmd 0x%x on non streams"
5527 		    " socket", cmd);
5528 #endif
5529 		error = EINVAL;
5530 		break;
5531 	default:
5532 		/*
5533 		 * Pass on to IP using helper stream
5534 		 */
5535 		error = ldi_ioctl(connp->conn_helper_info->iphs_handle,
5536 		    cmd, arg, mode, cr, rvalp);
5537 		break;
5538 	}
5539 	return (error);
5540 }
5541 
5542 int
5543 rawip_send(sock_lower_handle_t proto_handle, mblk_t *mp, struct nmsghdr *msg,
5544     cred_t *cr)
5545 {
5546 	sin6_t		*sin6;
5547 	sin_t		*sin = NULL;
5548 	uint_t		srcid;
5549 	conn_t		*connp = (conn_t *)proto_handle;
5550 	icmp_t		*icmp = connp->conn_icmp;
5551 	int		error = 0;
5552 	icmp_stack_t	*is = icmp->icmp_is;
5553 	pid_t		pid = curproc->p_pid;
5554 	ip_xmit_attr_t	*ixa;
5555 
5556 	ASSERT(DB_TYPE(mp) == M_DATA);
5557 
5558 	/* All Solaris components should pass a cred for this operation. */
5559 	ASSERT(cr != NULL);
5560 
5561 	/* do an implicit bind if necessary */
5562 	if (icmp->icmp_state == TS_UNBND) {
5563 		error = rawip_implicit_bind(connp);
5564 		/*
5565 		 * We could be racing with an actual bind, in which case
5566 		 * we would see EPROTO. We cross our fingers and try
5567 		 * to connect.
5568 		 */
5569 		if (!(error == 0 || error == EPROTO)) {
5570 			freemsg(mp);
5571 			return (error);
5572 		}
5573 	}
5574 
5575 	/* Protocol 255 contains full IP headers */
5576 	/* Read without holding lock */
5577 	if (icmp->icmp_hdrincl) {
5578 		ASSERT(connp->conn_ipversion == IPV4_VERSION);
5579 		if (mp->b_wptr - mp->b_rptr < IP_SIMPLE_HDR_LENGTH) {
5580 			if (!pullupmsg(mp, IP_SIMPLE_HDR_LENGTH)) {
5581 				BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
5582 				freemsg(mp);
5583 				return (EINVAL);
5584 			}
5585 		}
5586 		error = icmp_output_hdrincl(connp, mp, cr, pid);
5587 		if (is->is_sendto_ignerr)
5588 			return (0);
5589 		else
5590 			return (error);
5591 	}
5592 
5593 	/* Connected? */
5594 	if (msg->msg_name == NULL) {
5595 		if (icmp->icmp_state != TS_DATA_XFER) {
5596 			BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
5597 			return (EDESTADDRREQ);
5598 		}
5599 		if (msg->msg_controllen != 0) {
5600 			error = icmp_output_ancillary(connp, NULL, NULL, mp,
5601 			    NULL, msg, cr, pid);
5602 		} else {
5603 			error = icmp_output_connected(connp, mp, cr, pid);
5604 		}
5605 		if (is->is_sendto_ignerr)
5606 			return (0);
5607 		else
5608 			return (error);
5609 	}
5610 	if (icmp->icmp_state == TS_DATA_XFER) {
5611 		BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
5612 		return (EISCONN);
5613 	}
5614 	error = proto_verify_ip_addr(connp->conn_family,
5615 	    (struct sockaddr *)msg->msg_name, msg->msg_namelen);
5616 	if (error != 0) {
5617 		BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
5618 		return (error);
5619 	}
5620 	switch (connp->conn_family) {
5621 	case AF_INET6:
5622 		sin6 = (sin6_t *)msg->msg_name;
5623 
5624 		/* No support for mapped addresses on raw sockets */
5625 		if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
5626 			BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
5627 			return (EADDRNOTAVAIL);
5628 		}
5629 		srcid = sin6->__sin6_src_id;
5630 
5631 		/*
5632 		 * If the local address is a mapped address return
5633 		 * an error.
5634 		 * It would be possible to send an IPv6 packet but the
5635 		 * response would never make it back to the application
5636 		 * since it is bound to a mapped address.
5637 		 */
5638 		if (IN6_IS_ADDR_V4MAPPED(&connp->conn_saddr_v6)) {
5639 			BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
5640 			return (EADDRNOTAVAIL);
5641 		}
5642 
5643 		if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr))
5644 			sin6->sin6_addr = ipv6_loopback;
5645 
5646 		/*
5647 		 * We have to allocate an ip_xmit_attr_t before we grab
5648 		 * conn_lock and we need to hold conn_lock once we've check
5649 		 * conn_same_as_last_v6 to handle concurrent send* calls on a
5650 		 * socket.
5651 		 */
5652 		if (msg->msg_controllen == 0) {
5653 			ixa = conn_get_ixa(connp, B_FALSE);
5654 			if (ixa == NULL) {
5655 				BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
5656 				return (ENOMEM);
5657 			}
5658 		} else {
5659 			ixa = NULL;
5660 		}
5661 		mutex_enter(&connp->conn_lock);
5662 		if (icmp->icmp_delayed_error != 0) {
5663 			sin6_t  *sin2 = (sin6_t *)&icmp->icmp_delayed_addr;
5664 
5665 			error = icmp->icmp_delayed_error;
5666 			icmp->icmp_delayed_error = 0;
5667 
5668 			/* Compare IP address and family */
5669 
5670 			if (IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr,
5671 			    &sin2->sin6_addr) &&
5672 			    sin6->sin6_family == sin2->sin6_family) {
5673 				mutex_exit(&connp->conn_lock);
5674 				BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
5675 				if (ixa != NULL)
5676 					ixa_refrele(ixa);
5677 				return (error);
5678 			}
5679 		}
5680 		if (msg->msg_controllen != 0) {
5681 			mutex_exit(&connp->conn_lock);
5682 			ASSERT(ixa == NULL);
5683 			error = icmp_output_ancillary(connp, NULL, sin6, mp,
5684 			    NULL, msg, cr, pid);
5685 		} else if (conn_same_as_last_v6(connp, sin6) &&
5686 		    connp->conn_lastsrcid == srcid &&
5687 		    ipsec_outbound_policy_current(ixa)) {
5688 			/* icmp_output_lastdst drops conn_lock */
5689 			error = icmp_output_lastdst(connp, mp, cr, pid, ixa);
5690 		} else {
5691 			/* icmp_output_newdst drops conn_lock */
5692 			error = icmp_output_newdst(connp, mp, NULL, sin6, cr,
5693 			    pid, ixa);
5694 		}
5695 		ASSERT(MUTEX_NOT_HELD(&connp->conn_lock));
5696 		if (is->is_sendto_ignerr)
5697 			return (0);
5698 		else
5699 			return (error);
5700 	case AF_INET:
5701 		sin = (sin_t *)msg->msg_name;
5702 
5703 		if (sin->sin_addr.s_addr == INADDR_ANY)
5704 			sin->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
5705 
5706 		/*
5707 		 * We have to allocate an ip_xmit_attr_t before we grab
5708 		 * conn_lock and we need to hold conn_lock once we've check
5709 		 * conn_same_as_last_v6 to handle concurrent send* on a socket.
5710 		 */
5711 		if (msg->msg_controllen == 0) {
5712 			ixa = conn_get_ixa(connp, B_FALSE);
5713 			if (ixa == NULL) {
5714 				BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
5715 				return (ENOMEM);
5716 			}
5717 		} else {
5718 			ixa = NULL;
5719 		}
5720 		mutex_enter(&connp->conn_lock);
5721 		if (icmp->icmp_delayed_error != 0) {
5722 			sin_t  *sin2 = (sin_t *)&icmp->icmp_delayed_addr;
5723 
5724 			error = icmp->icmp_delayed_error;
5725 			icmp->icmp_delayed_error = 0;
5726 
5727 			/* Compare IP address */
5728 
5729 			if (sin->sin_addr.s_addr == sin2->sin_addr.s_addr) {
5730 				mutex_exit(&connp->conn_lock);
5731 				BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
5732 				if (ixa != NULL)
5733 					ixa_refrele(ixa);
5734 				return (error);
5735 			}
5736 		}
5737 
5738 		if (msg->msg_controllen != 0) {
5739 			mutex_exit(&connp->conn_lock);
5740 			ASSERT(ixa == NULL);
5741 			error = icmp_output_ancillary(connp, sin, NULL, mp,
5742 			    NULL, msg, cr, pid);
5743 		} else if (conn_same_as_last_v4(connp, sin) &&
5744 		    ipsec_outbound_policy_current(ixa)) {
5745 			/* icmp_output_lastdst drops conn_lock */
5746 			error = icmp_output_lastdst(connp, mp, cr, pid, ixa);
5747 		} else {
5748 			/* icmp_output_newdst drops conn_lock */
5749 			error = icmp_output_newdst(connp, mp, sin, NULL, cr,
5750 			    pid, ixa);
5751 		}
5752 		ASSERT(MUTEX_NOT_HELD(&connp->conn_lock));
5753 		if (is->is_sendto_ignerr)
5754 			return (0);
5755 		else
5756 			return (error);
5757 	default:
5758 		return (EINVAL);
5759 	}
5760 }
5761 
5762 sock_downcalls_t sock_rawip_downcalls = {
5763 	rawip_activate,
5764 	rawip_accept,
5765 	rawip_bind,
5766 	rawip_listen,
5767 	rawip_connect,
5768 	rawip_getpeername,
5769 	rawip_getsockname,
5770 	rawip_getsockopt,
5771 	rawip_setsockopt,
5772 	rawip_send,
5773 	NULL,
5774 	NULL,
5775 	NULL,
5776 	rawip_shutdown,
5777 	rawip_clr_flowctrl,
5778 	rawip_ioctl,
5779 	rawip_close
5780 };
5781