xref: /titanic_50/usr/src/uts/common/io/mac/mac_protect.c (revision 12240b1daf1d29749412cd4091e50e29cda86615)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
24  */
25 
26 #include <sys/strsun.h>
27 #include <sys/sdt.h>
28 #include <sys/mac.h>
29 #include <sys/mac_impl.h>
30 #include <sys/mac_client_impl.h>
31 #include <sys/mac_client_priv.h>
32 #include <sys/ethernet.h>
33 #include <sys/vlan.h>
34 #include <sys/dlpi.h>
35 #include <sys/avl.h>
36 #include <inet/ip.h>
37 #include <inet/ip6.h>
38 #include <inet/arp.h>
39 #include <netinet/arp.h>
40 #include <netinet/udp.h>
41 #include <netinet/dhcp.h>
42 #include <netinet/dhcp6.h>
43 
44 /*
45  * Implementation overview for DHCP address detection
46  *
47  * The purpose of DHCP address detection is to relieve the user of having to
48  * manually configure static IP addresses when ip-nospoof protection is turned
49  * on. To achieve this, the mac layer needs to intercept DHCP packets to
50  * determine the assigned IP addresses.
51  *
52  * A DHCP handshake between client and server typically requires at least
53  * 4 messages:
54  *
55  * 1. DISCOVER - client attempts to locate DHCP servers via a
56  *               broadcast message to its subnet.
57  * 2. OFFER    - server responds to client with an IP address and
58  *               other parameters.
59  * 3. REQUEST  - client requests the offered address.
60  * 4. ACK      - server verifies that the requested address matches
61  *               the one it offered.
62  *
63  * DHCPv6 behaves pretty much the same way aside from different message names.
64  *
65  * Address information is embedded in either the OFFER or REQUEST message.
66  * We chose to intercept REQUEST because this is at the last part of the
67  * handshake and it indicates that the client intends to keep the address.
68  * Intercepting OFFERs is unreliable because the client may receive multiple
69  * offers from different servers, and we can't tell which address the client
70  * will keep.
71  *
72  * Each DHCP message has a transaction ID. We use this transaction ID to match
73  * REQUESTs with ACKs received from servers.
74  *
75  * For IPv4, the process to acquire a DHCP-assigned address is as follows:
76  *
77  * 1. Client sends REQUEST. a new dhcpv4_txn_t object is created and inserted
78  *    in the the mci_v4_pending_txn table (keyed by xid). This object represents
79  *    a new transaction. It contains the xid, the client ID and requested IP
80  *    address.
81  *
82  * 2. Server responds with an ACK. The xid from this ACK is used to lookup the
83  *    pending transaction from the mci_v4_pending_txn table. Once the object is
84  *    found, it is removed from the pending table and inserted into the
85  *    completed table (mci_v4_completed_txn, keyed by client ID) and the dynamic
86  *    IP table (mci_v4_dyn_ip, keyed by IP address).
87  *
88  * 3. An outgoing packet that goes through the ip-nospoof path will be checked
89  *    against the dynamic IP table. Packets that have the assigned DHCP address
90  *    as the source IP address will pass the check and be admitted onto the
91  *    network.
92  *
93  * IPv4 notes:
94  *
95  * If the server never responds with an ACK, there is a timer that is set after
96  * the insertion of the transaction into the pending table. When the timer
97  * fires, it will check whether the transaction is old (by comparing current
98  * time and the txn's timestamp), if so the transaction will be freed. along
99  * with this, any transaction in the completed/dyn-ip tables matching the client
100  * ID of this stale transaction will also be freed. If the client fails to
101  * extend a lease, we want to stop the client from using any IP addresses that
102  * were granted previously.
103  *
104  * A RELEASE message from the client will not cause a transaction to be created.
105  * The client ID in the RELEASE message will be used for finding and removing
106  * transactions in the completed and dyn-ip tables.
107  *
108  *
109  * For IPv6, the process to acquire a DHCPv6-assigned address is as follows:
110  *
111  * 1. Client sends REQUEST. The DUID is extracted and stored into a dhcpv6_cid_t
112  *    structure. A new transaction structure (dhcpv6_txn_t) is also created and
113  *    it will point to the dhcpv6_cid_t. If an existing transaction with a
114  *    matching xid is not found, this dhcpv6_txn_t will be inserted into the
115  *    mci_v6_pending_txn table (keyed by xid).
116  *
117  * 2. Server responds with a REPLY. If a pending transaction is found, the
118  *    addresses in the reply will be placed into the dhcpv6_cid_t pointed to by
119  *    the transaction. The dhcpv6_cid_t will then be moved to the mci_v6_cid
120  *    table (keyed by cid). The associated addresses will be added to the
121  *    mci_v6_dyn_ip table (while still being pointed to by the dhcpv6_cid_t).
122  *
123  * 3. IPv6 ip-nospoof will now check mci_v6_dyn_ip for matching packets.
124  *    Packets with a source address matching one of the DHCPv6-assigned
125  *    addresses will be allowed through.
126  *
127  * IPv6 notes:
128  *
129  * The v6 code shares the same timer as v4 for scrubbing stale transactions.
130  * Just like v4, as part of removing an expired transaction, a RELEASE will be
131  * be triggered on the cid associated with the expired transaction.
132  *
133  * The data structures used for v6 are slightly different because a v6 client
134  * may have multiple addresses associated with it.
135  */
136 
137 /*
138  * These are just arbitrary limits meant for preventing abuse (e.g. a user
139  * flooding the network with bogus transactions). They are not meant to be
140  * user-modifiable so they are not exposed as linkprops.
141  */
142 static ulong_t	dhcp_max_pending_txn = 512;
143 static ulong_t	dhcp_max_completed_txn = 512;
144 static time_t	txn_cleanup_interval = 60;
145 
146 /*
147  * DHCPv4 transaction. It may be added to three different tables
148  * (keyed by different fields).
149  */
150 typedef struct dhcpv4_txn {
151 	uint32_t		dt_xid;
152 	time_t			dt_timestamp;
153 	uint8_t			dt_cid[DHCP_MAX_OPT_SIZE];
154 	uint8_t			dt_cid_len;
155 	ipaddr_t		dt_ipaddr;
156 	avl_node_t		dt_node;
157 	avl_node_t		dt_ipnode;
158 	struct dhcpv4_txn	*dt_next;
159 } dhcpv4_txn_t;
160 
161 /*
162  * DHCPv6 address. May be added to mci_v6_dyn_ip.
163  * It is always pointed to by its parent dhcpv6_cid_t structure.
164  */
165 typedef struct dhcpv6_addr {
166 	in6_addr_t		da_addr;
167 	avl_node_t		da_node;
168 	struct dhcpv6_addr	*da_next;
169 } dhcpv6_addr_t;
170 
171 /*
172  * DHCPv6 client ID. May be added to mci_v6_cid.
173  * No dhcpv6_txn_t should be pointing to it after it is added to mci_v6_cid.
174  */
175 typedef struct dhcpv6_cid {
176 	uchar_t			*dc_cid;
177 	uint_t			dc_cid_len;
178 	dhcpv6_addr_t		*dc_addr;
179 	uint_t			dc_addrcnt;
180 	avl_node_t		dc_node;
181 } dhcpv6_cid_t;
182 
183 /*
184  * DHCPv6 transaction. Unlike its v4 counterpart, this object gets freed up
185  * as soon as the transaction completes or expires.
186  */
187 typedef struct dhcpv6_txn {
188 	uint32_t		dt_xid;
189 	time_t			dt_timestamp;
190 	dhcpv6_cid_t		*dt_cid;
191 	avl_node_t		dt_node;
192 	struct dhcpv6_txn	*dt_next;
193 } dhcpv6_txn_t;
194 
195 static void	start_txn_cleanup_timer(mac_client_impl_t *);
196 static boolean_t allowed_ips_set(mac_resource_props_t *, uint32_t);
197 
198 #define	BUMP_STAT(m, s)	(m)->mci_misc_stat.mms_##s++
199 
200 /*
201  * Comparison functions for the 3 AVL trees used:
202  * mci_v4_pending_txn, mci_v4_completed_txn, mci_v4_dyn_ip
203  */
204 static int
205 compare_dhcpv4_xid(const void *arg1, const void *arg2)
206 {
207 	const dhcpv4_txn_t	*txn1 = arg1, *txn2 = arg2;
208 
209 	if (txn1->dt_xid < txn2->dt_xid)
210 		return (-1);
211 	else if (txn1->dt_xid > txn2->dt_xid)
212 		return (1);
213 	else
214 		return (0);
215 }
216 
217 static int
218 compare_dhcpv4_cid(const void *arg1, const void *arg2)
219 {
220 	const dhcpv4_txn_t	*txn1 = arg1, *txn2 = arg2;
221 	int			ret;
222 
223 	if (txn1->dt_cid_len < txn2->dt_cid_len)
224 		return (-1);
225 	else if (txn1->dt_cid_len > txn2->dt_cid_len)
226 		return (1);
227 
228 	if (txn1->dt_cid_len == 0)
229 		return (0);
230 
231 	ret = memcmp(txn1->dt_cid, txn2->dt_cid, txn1->dt_cid_len);
232 	if (ret < 0)
233 		return (-1);
234 	else if (ret > 0)
235 		return (1);
236 	else
237 		return (0);
238 }
239 
240 static int
241 compare_dhcpv4_ip(const void *arg1, const void *arg2)
242 {
243 	const dhcpv4_txn_t	*txn1 = arg1, *txn2 = arg2;
244 
245 	if (txn1->dt_ipaddr < txn2->dt_ipaddr)
246 		return (-1);
247 	else if (txn1->dt_ipaddr > txn2->dt_ipaddr)
248 		return (1);
249 	else
250 		return (0);
251 }
252 
253 /*
254  * Find the specified DHCPv4 option.
255  */
256 static int
257 get_dhcpv4_option(struct dhcp *dh4, uchar_t *end, uint8_t type,
258     uchar_t **opt, uint8_t *opt_len)
259 {
260 	uchar_t		*start = (uchar_t *)dh4->options;
261 	uint8_t		otype, olen;
262 
263 	while (start < end) {
264 		if (*start == CD_PAD) {
265 			start++;
266 			continue;
267 		}
268 		if (*start == CD_END)
269 			break;
270 
271 		otype = *start++;
272 		olen = *start++;
273 		if (otype == type && olen > 0) {
274 			*opt = start;
275 			*opt_len = olen;
276 			return (0);
277 		}
278 		start += olen;
279 	}
280 	return (ENOENT);
281 }
282 
283 /*
284  * Locate the start of a DHCPv4 header.
285  * The possible return values and associated meanings are:
286  * 0      - packet is DHCP and has a DHCP header.
287  * EINVAL - packet is not DHCP. the recommended action is to let it pass.
288  * ENOSPC - packet is a initial fragment that is DHCP or is unidentifiable.
289  *          the recommended action is to drop it.
290  */
291 static int
292 get_dhcpv4_info(ipha_t *ipha, uchar_t *end, struct dhcp **dh4)
293 {
294 	uint16_t	offset_and_flags, client, server;
295 	boolean_t	first_frag = B_FALSE;
296 	struct udphdr	*udph;
297 	uchar_t		*dh;
298 
299 	if (ipha->ipha_protocol != IPPROTO_UDP)
300 		return (EINVAL);
301 
302 	offset_and_flags = ntohs(ipha->ipha_fragment_offset_and_flags);
303 	if ((offset_and_flags & (IPH_MF | IPH_OFFSET)) != 0) {
304 		/*
305 		 * All non-initial fragments may pass because we cannot
306 		 * identify their type. It's safe to let them through
307 		 * because reassembly will fail if we decide to drop the
308 		 * initial fragment.
309 		 */
310 		if (((offset_and_flags << 3) & 0xffff) != 0)
311 			return (EINVAL);
312 		first_frag = B_TRUE;
313 	}
314 	/* drop packets without a udp header */
315 	udph = (struct udphdr *)((uchar_t *)ipha + IPH_HDR_LENGTH(ipha));
316 	if ((uchar_t *)&udph[1] > end)
317 		return (ENOSPC);
318 
319 	client = htons(IPPORT_BOOTPC);
320 	server = htons(IPPORT_BOOTPS);
321 	if (udph->uh_sport != client && udph->uh_sport != server &&
322 	    udph->uh_dport != client && udph->uh_dport != server)
323 		return (EINVAL);
324 
325 	/* drop dhcp fragments */
326 	if (first_frag)
327 		return (ENOSPC);
328 
329 	dh = (uchar_t *)&udph[1];
330 	if (dh + BASE_PKT_SIZE > end)
331 		return (EINVAL);
332 
333 	*dh4 = (struct dhcp *)dh;
334 	return (0);
335 }
336 
337 /*
338  * Wrappers for accesses to avl trees to improve readability.
339  * Their purposes are fairly self-explanatory.
340  */
341 static dhcpv4_txn_t *
342 find_dhcpv4_pending_txn(mac_client_impl_t *mcip, uint32_t xid)
343 {
344 	dhcpv4_txn_t	tmp_txn;
345 
346 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
347 	tmp_txn.dt_xid = xid;
348 	return (avl_find(&mcip->mci_v4_pending_txn, &tmp_txn, NULL));
349 }
350 
351 static int
352 insert_dhcpv4_pending_txn(mac_client_impl_t *mcip, dhcpv4_txn_t *txn)
353 {
354 	avl_index_t	where;
355 
356 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
357 	if (avl_find(&mcip->mci_v4_pending_txn, txn, &where) != NULL)
358 		return (EEXIST);
359 
360 	if (avl_numnodes(&mcip->mci_v4_pending_txn) >= dhcp_max_pending_txn) {
361 		BUMP_STAT(mcip, dhcpdropped);
362 		return (EAGAIN);
363 	}
364 	avl_insert(&mcip->mci_v4_pending_txn, txn, where);
365 	return (0);
366 }
367 
368 static void
369 remove_dhcpv4_pending_txn(mac_client_impl_t *mcip, dhcpv4_txn_t *txn)
370 {
371 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
372 	avl_remove(&mcip->mci_v4_pending_txn, txn);
373 }
374 
375 static dhcpv4_txn_t *
376 find_dhcpv4_completed_txn(mac_client_impl_t *mcip, uint8_t *cid,
377     uint8_t cid_len)
378 {
379 	dhcpv4_txn_t	tmp_txn;
380 
381 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
382 	if (cid_len > 0)
383 		bcopy(cid, tmp_txn.dt_cid, cid_len);
384 	tmp_txn.dt_cid_len = cid_len;
385 	return (avl_find(&mcip->mci_v4_completed_txn, &tmp_txn, NULL));
386 }
387 
388 /*
389  * After a pending txn is removed from the pending table, it is inserted
390  * into both the completed and dyn-ip tables. These two insertions are
391  * done together because a client ID must have 1:1 correspondence with
392  * an IP address and IP addresses must be unique in the dyn-ip table.
393  */
394 static int
395 insert_dhcpv4_completed_txn(mac_client_impl_t *mcip, dhcpv4_txn_t *txn)
396 {
397 	avl_index_t	where;
398 
399 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
400 	if (avl_find(&mcip->mci_v4_completed_txn, txn, &where) != NULL)
401 		return (EEXIST);
402 
403 	if (avl_numnodes(&mcip->mci_v4_completed_txn) >=
404 	    dhcp_max_completed_txn) {
405 		BUMP_STAT(mcip, dhcpdropped);
406 		return (EAGAIN);
407 	}
408 
409 	avl_insert(&mcip->mci_v4_completed_txn, txn, where);
410 	if (avl_find(&mcip->mci_v4_dyn_ip, txn, &where) != NULL) {
411 		avl_remove(&mcip->mci_v4_completed_txn, txn);
412 		return (EEXIST);
413 	}
414 	avl_insert(&mcip->mci_v4_dyn_ip, txn, where);
415 	return (0);
416 }
417 
418 static void
419 remove_dhcpv4_completed_txn(mac_client_impl_t *mcip, dhcpv4_txn_t *txn)
420 {
421 	dhcpv4_txn_t	*ctxn;
422 
423 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
424 	if ((ctxn = avl_find(&mcip->mci_v4_dyn_ip, txn, NULL)) != NULL &&
425 	    ctxn == txn)
426 		avl_remove(&mcip->mci_v4_dyn_ip, txn);
427 
428 	avl_remove(&mcip->mci_v4_completed_txn, txn);
429 }
430 
431 /*
432  * Check whether an IP address is in the dyn-ip table.
433  */
434 static boolean_t
435 check_dhcpv4_dyn_ip(mac_client_impl_t *mcip, ipaddr_t ipaddr)
436 {
437 	dhcpv4_txn_t	tmp_txn, *txn;
438 
439 	mutex_enter(&mcip->mci_protect_lock);
440 	tmp_txn.dt_ipaddr = ipaddr;
441 	txn = avl_find(&mcip->mci_v4_dyn_ip, &tmp_txn, NULL);
442 	mutex_exit(&mcip->mci_protect_lock);
443 	return (txn != NULL);
444 }
445 
446 /*
447  * Create/destroy a DHCPv4 transaction.
448  */
449 static dhcpv4_txn_t *
450 create_dhcpv4_txn(uint32_t xid, uint8_t *cid, uint8_t cid_len, ipaddr_t ipaddr)
451 {
452 	dhcpv4_txn_t	*txn;
453 
454 	if ((txn = kmem_zalloc(sizeof (*txn), KM_NOSLEEP)) == NULL)
455 		return (NULL);
456 
457 	txn->dt_xid = xid;
458 	txn->dt_timestamp = ddi_get_time();
459 	if (cid_len > 0)
460 		bcopy(cid, &txn->dt_cid, cid_len);
461 	txn->dt_cid_len = cid_len;
462 	txn->dt_ipaddr = ipaddr;
463 	return (txn);
464 }
465 
466 static void
467 free_dhcpv4_txn(dhcpv4_txn_t *txn)
468 {
469 	kmem_free(txn, sizeof (*txn));
470 }
471 
472 /*
473  * Clean up all v4 tables.
474  */
475 static void
476 flush_dhcpv4(mac_client_impl_t *mcip)
477 {
478 	void		*cookie = NULL;
479 	dhcpv4_txn_t	*txn;
480 
481 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
482 	while ((txn = avl_destroy_nodes(&mcip->mci_v4_dyn_ip,
483 	    &cookie)) != NULL) {
484 		/*
485 		 * No freeing needed here because the same txn exists
486 		 * in the mci_v4_completed_txn table as well.
487 		 */
488 	}
489 	cookie = NULL;
490 	while ((txn = avl_destroy_nodes(&mcip->mci_v4_completed_txn,
491 	    &cookie)) != NULL) {
492 		free_dhcpv4_txn(txn);
493 	}
494 	cookie = NULL;
495 	while ((txn = avl_destroy_nodes(&mcip->mci_v4_pending_txn,
496 	    &cookie)) != NULL) {
497 		free_dhcpv4_txn(txn);
498 	}
499 }
500 
501 /*
502  * Cleanup stale DHCPv4 transactions.
503  */
504 static void
505 txn_cleanup_v4(mac_client_impl_t *mcip)
506 {
507 	dhcpv4_txn_t		*txn, *ctxn, *next, *txn_list = NULL;
508 
509 	/*
510 	 * Find stale pending transactions and place them on a list
511 	 * to be removed.
512 	 */
513 	for (txn = avl_first(&mcip->mci_v4_pending_txn); txn != NULL;
514 	    txn = avl_walk(&mcip->mci_v4_pending_txn, txn, AVL_AFTER)) {
515 		if (ddi_get_time() - txn->dt_timestamp >
516 		    txn_cleanup_interval) {
517 			DTRACE_PROBE2(found__expired__txn,
518 			    mac_client_impl_t *, mcip,
519 			    dhcpv4_txn_t *, txn);
520 
521 			txn->dt_next = txn_list;
522 			txn_list = txn;
523 		}
524 	}
525 
526 	/*
527 	 * Remove and free stale pending transactions and completed
528 	 * transactions with the same client IDs as the stale transactions.
529 	 */
530 	for (txn = txn_list; txn != NULL; txn = next) {
531 		avl_remove(&mcip->mci_v4_pending_txn, txn);
532 
533 		ctxn = find_dhcpv4_completed_txn(mcip, txn->dt_cid,
534 		    txn->dt_cid_len);
535 		if (ctxn != NULL) {
536 			DTRACE_PROBE2(removing__completed__txn,
537 			    mac_client_impl_t *, mcip,
538 			    dhcpv4_txn_t *, ctxn);
539 
540 			remove_dhcpv4_completed_txn(mcip, ctxn);
541 			free_dhcpv4_txn(ctxn);
542 		}
543 		next = txn->dt_next;
544 		txn->dt_next = NULL;
545 
546 		DTRACE_PROBE2(freeing__txn, mac_client_impl_t *, mcip,
547 		    dhcpv4_txn_t *, txn);
548 		free_dhcpv4_txn(txn);
549 	}
550 }
551 
552 /*
553  * Core logic for intercepting outbound DHCPv4 packets.
554  */
555 static boolean_t
556 intercept_dhcpv4_outbound(mac_client_impl_t *mcip, ipha_t *ipha, uchar_t *end)
557 {
558 	struct dhcp		*dh4;
559 	uchar_t			*opt;
560 	dhcpv4_txn_t		*txn, *ctxn;
561 	ipaddr_t		ipaddr;
562 	uint8_t			opt_len, mtype, cid[DHCP_MAX_OPT_SIZE], cid_len;
563 	mac_resource_props_t	*mrp = MCIP_RESOURCE_PROPS(mcip);
564 
565 	if (get_dhcpv4_info(ipha, end, &dh4) != 0)
566 		return (B_TRUE);
567 
568 	/* ip_nospoof/allowed-ips and DHCP are mutually exclusive by default */
569 	if (allowed_ips_set(mrp, IPV4_VERSION))
570 		return (B_FALSE);
571 
572 	if (get_dhcpv4_option(dh4, end, CD_DHCP_TYPE, &opt, &opt_len) != 0 ||
573 	    opt_len != 1) {
574 		DTRACE_PROBE2(mtype__not__found, mac_client_impl_t *, mcip,
575 		    struct dhcp *, dh4);
576 		return (B_TRUE);
577 	}
578 	mtype = *opt;
579 	if (mtype != REQUEST && mtype != RELEASE) {
580 		DTRACE_PROBE3(ignored__mtype, mac_client_impl_t *, mcip,
581 		    struct dhcp *, dh4, uint8_t, mtype);
582 		return (B_TRUE);
583 	}
584 
585 	/* client ID is optional for IPv4 */
586 	if (get_dhcpv4_option(dh4, end, CD_CLIENT_ID, &opt, &opt_len) == 0 &&
587 	    opt_len >= 2) {
588 		bcopy(opt, cid, opt_len);
589 		cid_len = opt_len;
590 	} else {
591 		bzero(cid, DHCP_MAX_OPT_SIZE);
592 		cid_len = 0;
593 	}
594 
595 	mutex_enter(&mcip->mci_protect_lock);
596 	if (mtype == RELEASE) {
597 		DTRACE_PROBE2(release, mac_client_impl_t *, mcip,
598 		    struct dhcp *, dh4);
599 
600 		/* flush any completed txn with this cid */
601 		ctxn = find_dhcpv4_completed_txn(mcip, cid, cid_len);
602 		if (ctxn != NULL) {
603 			DTRACE_PROBE2(release__successful, mac_client_impl_t *,
604 			    mcip, struct dhcp *, dh4);
605 
606 			remove_dhcpv4_completed_txn(mcip, ctxn);
607 			free_dhcpv4_txn(ctxn);
608 		}
609 		goto done;
610 	}
611 
612 	/*
613 	 * If a pending txn already exists, we'll update its timestamp so
614 	 * it won't get flushed by the timer. We don't need to create new
615 	 * txns for retransmissions.
616 	 */
617 	if ((txn = find_dhcpv4_pending_txn(mcip, dh4->xid)) != NULL) {
618 		DTRACE_PROBE2(update, mac_client_impl_t *, mcip,
619 		    dhcpv4_txn_t *, txn);
620 		txn->dt_timestamp = ddi_get_time();
621 		goto done;
622 	}
623 
624 	if (get_dhcpv4_option(dh4, end, CD_REQUESTED_IP_ADDR,
625 	    &opt, &opt_len) != 0 || opt_len != sizeof (ipaddr)) {
626 		DTRACE_PROBE2(ipaddr__not__found, mac_client_impl_t *, mcip,
627 		    struct dhcp *, dh4);
628 		goto done;
629 	}
630 	bcopy(opt, &ipaddr, sizeof (ipaddr));
631 	if ((txn = create_dhcpv4_txn(dh4->xid, cid, cid_len, ipaddr)) == NULL)
632 		goto done;
633 
634 	if (insert_dhcpv4_pending_txn(mcip, txn) != 0) {
635 		DTRACE_PROBE2(insert__failed, mac_client_impl_t *, mcip,
636 		    dhcpv4_txn_t *, txn);
637 		free_dhcpv4_txn(txn);
638 		goto done;
639 	}
640 	start_txn_cleanup_timer(mcip);
641 
642 	DTRACE_PROBE2(txn__pending, mac_client_impl_t *, mcip,
643 	    dhcpv4_txn_t *, txn);
644 
645 done:
646 	mutex_exit(&mcip->mci_protect_lock);
647 	return (B_TRUE);
648 }
649 
650 /*
651  * Core logic for intercepting inbound DHCPv4 packets.
652  */
653 static void
654 intercept_dhcpv4_inbound(mac_client_impl_t *mcip, ipha_t *ipha, uchar_t *end)
655 {
656 	uchar_t		*opt;
657 	struct dhcp	*dh4;
658 	dhcpv4_txn_t	*txn, *ctxn;
659 	uint8_t		opt_len, mtype;
660 
661 	if (get_dhcpv4_info(ipha, end, &dh4) != 0)
662 		return;
663 
664 	if (get_dhcpv4_option(dh4, end, CD_DHCP_TYPE, &opt, &opt_len) != 0 ||
665 	    opt_len != 1) {
666 		DTRACE_PROBE2(mtype__not__found, mac_client_impl_t *, mcip,
667 		    struct dhcp *, dh4);
668 		return;
669 	}
670 	mtype = *opt;
671 	if (mtype != ACK && mtype != NAK) {
672 		DTRACE_PROBE3(ignored__mtype, mac_client_impl_t *, mcip,
673 		    struct dhcp *, dh4, uint8_t, mtype);
674 		return;
675 	}
676 
677 	mutex_enter(&mcip->mci_protect_lock);
678 	if ((txn = find_dhcpv4_pending_txn(mcip, dh4->xid)) == NULL) {
679 		DTRACE_PROBE2(txn__not__found, mac_client_impl_t *, mcip,
680 		    struct dhcp *, dh4);
681 		goto done;
682 	}
683 	remove_dhcpv4_pending_txn(mcip, txn);
684 
685 	/*
686 	 * We're about to move a txn from the pending table to the completed/
687 	 * dyn-ip tables. If there is an existing completed txn with the
688 	 * same cid as our txn, we need to remove and free it.
689 	 */
690 	ctxn = find_dhcpv4_completed_txn(mcip, txn->dt_cid, txn->dt_cid_len);
691 	if (ctxn != NULL) {
692 		DTRACE_PROBE2(replacing__old__txn, mac_client_impl_t *, mcip,
693 		    dhcpv4_txn_t *, ctxn);
694 		remove_dhcpv4_completed_txn(mcip, ctxn);
695 		free_dhcpv4_txn(ctxn);
696 	}
697 	if (mtype == NAK) {
698 		DTRACE_PROBE2(nak__received, mac_client_impl_t *, mcip,
699 		    dhcpv4_txn_t *, txn);
700 		free_dhcpv4_txn(txn);
701 		goto done;
702 	}
703 	if (insert_dhcpv4_completed_txn(mcip, txn) != 0) {
704 		DTRACE_PROBE2(insert__failed, mac_client_impl_t *, mcip,
705 		    dhcpv4_txn_t *, txn);
706 		free_dhcpv4_txn(txn);
707 		goto done;
708 	}
709 	DTRACE_PROBE2(txn__completed, mac_client_impl_t *, mcip,
710 	    dhcpv4_txn_t *, txn);
711 
712 done:
713 	mutex_exit(&mcip->mci_protect_lock);
714 }
715 
716 
717 /*
718  * Comparison functions for the DHCPv6 AVL trees.
719  */
720 static int
721 compare_dhcpv6_xid(const void *arg1, const void *arg2)
722 {
723 	const dhcpv6_txn_t	*txn1 = arg1, *txn2 = arg2;
724 
725 	if (txn1->dt_xid < txn2->dt_xid)
726 		return (-1);
727 	else if (txn1->dt_xid > txn2->dt_xid)
728 		return (1);
729 	else
730 		return (0);
731 }
732 
733 static int
734 compare_dhcpv6_ip(const void *arg1, const void *arg2)
735 {
736 	const dhcpv6_addr_t	*ip1 = arg1, *ip2 = arg2;
737 	int			ret;
738 
739 	ret = memcmp(&ip1->da_addr, &ip2->da_addr, sizeof (in6_addr_t));
740 	if (ret < 0)
741 		return (-1);
742 	else if (ret > 0)
743 		return (1);
744 	else
745 		return (0);
746 }
747 
748 static int
749 compare_dhcpv6_cid(const void *arg1, const void *arg2)
750 {
751 	const dhcpv6_cid_t	*cid1 = arg1, *cid2 = arg2;
752 	int			ret;
753 
754 	if (cid1->dc_cid_len < cid2->dc_cid_len)
755 		return (-1);
756 	else if (cid1->dc_cid_len > cid2->dc_cid_len)
757 		return (1);
758 
759 	if (cid1->dc_cid_len == 0)
760 		return (0);
761 
762 	ret = memcmp(cid1->dc_cid, cid2->dc_cid, cid1->dc_cid_len);
763 	if (ret < 0)
764 		return (-1);
765 	else if (ret > 0)
766 		return (1);
767 	else
768 		return (0);
769 }
770 
771 /*
772  * Locate the start of a DHCPv6 header.
773  * The possible return values and associated meanings are:
774  * 0      - packet is DHCP and has a DHCP header.
775  * EINVAL - packet is not DHCP. the recommended action is to let it pass.
776  * ENOSPC - packet is a initial fragment that is DHCP or is unidentifiable.
777  *          the recommended action is to drop it.
778  */
779 static int
780 get_dhcpv6_info(ip6_t *ip6h, uchar_t *end, dhcpv6_message_t **dh6)
781 {
782 	uint16_t	hdrlen, client, server;
783 	boolean_t	first_frag = B_FALSE;
784 	ip6_frag_t	*frag = NULL;
785 	uint8_t		proto;
786 	struct udphdr	*udph;
787 	uchar_t		*dh;
788 
789 	if (!mac_ip_hdr_length_v6(ip6h, end, &hdrlen, &proto, &frag))
790 		return (ENOSPC);
791 
792 	if (proto != IPPROTO_UDP)
793 		return (EINVAL);
794 
795 	if (frag != NULL) {
796 		/*
797 		 * All non-initial fragments may pass because we cannot
798 		 * identify their type. It's safe to let them through
799 		 * because reassembly will fail if we decide to drop the
800 		 * initial fragment.
801 		 */
802 		if ((ntohs(frag->ip6f_offlg) & ~7) != 0)
803 			return (EINVAL);
804 		first_frag = B_TRUE;
805 	}
806 	/* drop packets without a udp header */
807 	udph = (struct udphdr *)((uchar_t *)ip6h + hdrlen);
808 	if ((uchar_t *)&udph[1] > end)
809 		return (ENOSPC);
810 
811 	client = htons(IPPORT_DHCPV6C);
812 	server = htons(IPPORT_DHCPV6S);
813 	if (udph->uh_sport != client && udph->uh_sport != server &&
814 	    udph->uh_dport != client && udph->uh_dport != server)
815 		return (EINVAL);
816 
817 	/* drop dhcp fragments */
818 	if (first_frag)
819 		return (ENOSPC);
820 
821 	dh = (uchar_t *)&udph[1];
822 	if (dh + sizeof (dhcpv6_message_t) > end)
823 		return (EINVAL);
824 
825 	*dh6 = (dhcpv6_message_t *)dh;
826 	return (0);
827 }
828 
829 /*
830  * Find the specified DHCPv6 option.
831  */
832 static dhcpv6_option_t *
833 get_dhcpv6_option(void *buf, size_t buflen, dhcpv6_option_t *oldopt,
834     uint16_t codenum, uint_t *retlenp)
835 {
836 	uchar_t		*bp;
837 	dhcpv6_option_t	d6o;
838 	uint_t		olen;
839 
840 	codenum = htons(codenum);
841 	bp = buf;
842 	while (buflen >= sizeof (dhcpv6_option_t)) {
843 		bcopy(bp, &d6o, sizeof (d6o));
844 		olen = ntohs(d6o.d6o_len) + sizeof (d6o);
845 		if (olen > buflen)
846 			break;
847 		if (d6o.d6o_code != codenum || d6o.d6o_len == 0 ||
848 		    (oldopt != NULL && bp <= (uchar_t *)oldopt)) {
849 			bp += olen;
850 			buflen -= olen;
851 			continue;
852 		}
853 		if (retlenp != NULL)
854 			*retlenp = olen;
855 		/* LINTED : alignment */
856 		return ((dhcpv6_option_t *)bp);
857 	}
858 	return (NULL);
859 }
860 
861 /*
862  * Get the status code from a reply message.
863  */
864 static int
865 get_dhcpv6_status(dhcpv6_message_t *dh6, uchar_t *end, uint16_t *status)
866 {
867 	dhcpv6_option_t	*d6o;
868 	uint_t		olen;
869 	uint16_t	s;
870 
871 	d6o = get_dhcpv6_option(&dh6[1], end - (uchar_t *)&dh6[1], NULL,
872 	    DHCPV6_OPT_STATUS_CODE, &olen);
873 
874 	/* Success is implied if status code is missing */
875 	if (d6o == NULL) {
876 		*status = DHCPV6_STAT_SUCCESS;
877 		return (0);
878 	}
879 	if ((uchar_t *)d6o + olen > end)
880 		return (EINVAL);
881 
882 	olen -= sizeof (*d6o);
883 	if (olen < sizeof (s))
884 		return (EINVAL);
885 
886 	bcopy(&d6o[1], &s, sizeof (s));
887 	*status = ntohs(s);
888 	return (0);
889 }
890 
891 /*
892  * Get the addresses from a reply message.
893  */
894 static int
895 get_dhcpv6_addrs(dhcpv6_message_t *dh6, uchar_t *end, dhcpv6_cid_t *cid)
896 {
897 	dhcpv6_option_t		*d6o;
898 	dhcpv6_addr_t		*next;
899 	uint_t			olen;
900 
901 	d6o = NULL;
902 	while ((d6o = get_dhcpv6_option(&dh6[1], end - (uchar_t *)&dh6[1],
903 	    d6o, DHCPV6_OPT_IA_NA, &olen)) != NULL) {
904 		dhcpv6_option_t		*d6so;
905 		dhcpv6_iaaddr_t		d6ia;
906 		dhcpv6_addr_t		**addrp;
907 		uchar_t			*obase;
908 		uint_t			solen;
909 
910 		if (olen < sizeof (dhcpv6_ia_na_t) ||
911 		    (uchar_t *)d6o + olen > end)
912 			goto fail;
913 
914 		obase = (uchar_t *)d6o + sizeof (dhcpv6_ia_na_t);
915 		olen -= sizeof (dhcpv6_ia_na_t);
916 		d6so = NULL;
917 		while ((d6so = get_dhcpv6_option(obase, olen, d6so,
918 		    DHCPV6_OPT_IAADDR, &solen)) != NULL) {
919 			if (solen < sizeof (dhcpv6_iaaddr_t) ||
920 			    (uchar_t *)d6so + solen > end)
921 				goto fail;
922 
923 			bcopy(d6so, &d6ia, sizeof (d6ia));
924 			for (addrp = &cid->dc_addr; *addrp != NULL;
925 			    addrp = &(*addrp)->da_next) {
926 				if (bcmp(&(*addrp)->da_addr, &d6ia.d6ia_addr,
927 				    sizeof (in6_addr_t)) == 0)
928 					goto fail;
929 			}
930 			if ((*addrp = kmem_zalloc(sizeof (dhcpv6_addr_t),
931 			    KM_NOSLEEP)) == NULL)
932 				goto fail;
933 
934 			bcopy(&d6ia.d6ia_addr, &(*addrp)->da_addr,
935 			    sizeof (in6_addr_t));
936 			cid->dc_addrcnt++;
937 		}
938 	}
939 	if (cid->dc_addrcnt == 0)
940 		return (ENOENT);
941 
942 	return (0);
943 
944 fail:
945 	for (; cid->dc_addr != NULL; cid->dc_addr = next) {
946 		next = cid->dc_addr->da_next;
947 		kmem_free(cid->dc_addr, sizeof (dhcpv6_addr_t));
948 		cid->dc_addrcnt--;
949 	}
950 	ASSERT(cid->dc_addrcnt == 0);
951 	return (EINVAL);
952 }
953 
954 /*
955  * Free a cid.
956  * Before this gets called the caller must ensure that all the
957  * addresses are removed from the mci_v6_dyn_ip table.
958  */
959 static void
960 free_dhcpv6_cid(dhcpv6_cid_t *cid)
961 {
962 	dhcpv6_addr_t	*addr, *next;
963 	uint_t		cnt = 0;
964 
965 	kmem_free(cid->dc_cid, cid->dc_cid_len);
966 	for (addr = cid->dc_addr; addr != NULL; addr = next) {
967 		next = addr->da_next;
968 		kmem_free(addr, sizeof (*addr));
969 		cnt++;
970 	}
971 	ASSERT(cnt == cid->dc_addrcnt);
972 	kmem_free(cid, sizeof (*cid));
973 }
974 
975 /*
976  * Extract the DUID from a message. The associated addresses will be
977  * extracted later from the reply message.
978  */
979 static dhcpv6_cid_t *
980 create_dhcpv6_cid(dhcpv6_message_t *dh6, uchar_t *end)
981 {
982 	dhcpv6_option_t		*d6o;
983 	dhcpv6_cid_t		*cid;
984 	uchar_t			*rawcid;
985 	uint_t			olen, rawcidlen;
986 
987 	d6o = get_dhcpv6_option(&dh6[1], end - (uchar_t *)&dh6[1], NULL,
988 	    DHCPV6_OPT_CLIENTID, &olen);
989 	if (d6o == NULL || (uchar_t *)d6o + olen > end)
990 		return (NULL);
991 
992 	rawcidlen = olen - sizeof (*d6o);
993 	if ((rawcid = kmem_zalloc(rawcidlen, KM_NOSLEEP)) == NULL)
994 		return (NULL);
995 	bcopy(d6o + 1, rawcid, rawcidlen);
996 
997 	if ((cid = kmem_zalloc(sizeof (*cid), KM_NOSLEEP)) == NULL) {
998 		kmem_free(rawcid, rawcidlen);
999 		return (NULL);
1000 	}
1001 	cid->dc_cid = rawcid;
1002 	cid->dc_cid_len = rawcidlen;
1003 	return (cid);
1004 }
1005 
1006 /*
1007  * Remove a cid from mci_v6_cid. The addresses owned by the cid
1008  * are also removed from mci_v6_dyn_ip.
1009  */
1010 static void
1011 remove_dhcpv6_cid(mac_client_impl_t *mcip, dhcpv6_cid_t *cid)
1012 {
1013 	dhcpv6_addr_t	*addr, *tmp_addr;
1014 
1015 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
1016 	avl_remove(&mcip->mci_v6_cid, cid);
1017 	for (addr = cid->dc_addr; addr != NULL; addr = addr->da_next) {
1018 		tmp_addr = avl_find(&mcip->mci_v6_dyn_ip, addr, NULL);
1019 		if (tmp_addr == addr)
1020 			avl_remove(&mcip->mci_v6_dyn_ip, addr);
1021 	}
1022 }
1023 
1024 /*
1025  * Find and remove a matching cid and associated addresses from
1026  * their respective tables.
1027  */
1028 static void
1029 release_dhcpv6_cid(mac_client_impl_t *mcip, dhcpv6_cid_t *cid)
1030 {
1031 	dhcpv6_cid_t	*oldcid;
1032 
1033 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
1034 	if ((oldcid = avl_find(&mcip->mci_v6_cid, cid, NULL)) == NULL)
1035 		return;
1036 
1037 	/*
1038 	 * Since cid belongs to a pending txn, it can't possibly be in
1039 	 * mci_v6_cid. Anything that's found must be an existing cid.
1040 	 */
1041 	ASSERT(oldcid != cid);
1042 	remove_dhcpv6_cid(mcip, oldcid);
1043 	free_dhcpv6_cid(oldcid);
1044 }
1045 
1046 /*
1047  * Insert cid into mci_v6_cid.
1048  */
1049 static int
1050 insert_dhcpv6_cid(mac_client_impl_t *mcip, dhcpv6_cid_t *cid)
1051 {
1052 	avl_index_t	where;
1053 	dhcpv6_addr_t	*addr;
1054 
1055 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
1056 	if (avl_find(&mcip->mci_v6_cid, cid, &where) != NULL)
1057 		return (EEXIST);
1058 
1059 	if (avl_numnodes(&mcip->mci_v6_cid) >= dhcp_max_completed_txn) {
1060 		BUMP_STAT(mcip, dhcpdropped);
1061 		return (EAGAIN);
1062 	}
1063 	avl_insert(&mcip->mci_v6_cid, cid, where);
1064 	for (addr = cid->dc_addr; addr != NULL; addr = addr->da_next) {
1065 		if (avl_find(&mcip->mci_v6_dyn_ip, addr, &where) != NULL)
1066 			goto fail;
1067 
1068 		avl_insert(&mcip->mci_v6_dyn_ip, addr, where);
1069 	}
1070 	return (0);
1071 
1072 fail:
1073 	remove_dhcpv6_cid(mcip, cid);
1074 	return (EEXIST);
1075 }
1076 
1077 /*
1078  * Check whether an IP address is in the dyn-ip table.
1079  */
1080 static boolean_t
1081 check_dhcpv6_dyn_ip(mac_client_impl_t *mcip, in6_addr_t *addr)
1082 {
1083 	dhcpv6_addr_t	tmp_addr, *a;
1084 
1085 	mutex_enter(&mcip->mci_protect_lock);
1086 	bcopy(addr, &tmp_addr.da_addr, sizeof (in6_addr_t));
1087 	a = avl_find(&mcip->mci_v6_dyn_ip, &tmp_addr, NULL);
1088 	mutex_exit(&mcip->mci_protect_lock);
1089 	return (a != NULL);
1090 }
1091 
1092 static dhcpv6_txn_t *
1093 find_dhcpv6_pending_txn(mac_client_impl_t *mcip, uint32_t xid)
1094 {
1095 	dhcpv6_txn_t	tmp_txn;
1096 
1097 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
1098 	tmp_txn.dt_xid = xid;
1099 	return (avl_find(&mcip->mci_v6_pending_txn, &tmp_txn, NULL));
1100 }
1101 
1102 static void
1103 remove_dhcpv6_pending_txn(mac_client_impl_t *mcip, dhcpv6_txn_t *txn)
1104 {
1105 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
1106 	avl_remove(&mcip->mci_v6_pending_txn, txn);
1107 }
1108 
1109 static dhcpv6_txn_t *
1110 create_dhcpv6_txn(uint32_t xid, dhcpv6_cid_t *cid)
1111 {
1112 	dhcpv6_txn_t	*txn;
1113 
1114 	if ((txn = kmem_zalloc(sizeof (dhcpv6_txn_t), KM_NOSLEEP)) == NULL)
1115 		return (NULL);
1116 
1117 	txn->dt_xid = xid;
1118 	txn->dt_cid = cid;
1119 	txn->dt_timestamp = ddi_get_time();
1120 	return (txn);
1121 }
1122 
1123 static void
1124 free_dhcpv6_txn(dhcpv6_txn_t *txn)
1125 {
1126 	if (txn->dt_cid != NULL)
1127 		free_dhcpv6_cid(txn->dt_cid);
1128 	kmem_free(txn, sizeof (dhcpv6_txn_t));
1129 }
1130 
1131 static int
1132 insert_dhcpv6_pending_txn(mac_client_impl_t *mcip, dhcpv6_txn_t *txn)
1133 {
1134 	avl_index_t	where;
1135 
1136 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
1137 	if (avl_find(&mcip->mci_v6_pending_txn, txn, &where) != NULL)
1138 		return (EEXIST);
1139 
1140 	if (avl_numnodes(&mcip->mci_v6_pending_txn) >= dhcp_max_pending_txn) {
1141 		BUMP_STAT(mcip, dhcpdropped);
1142 		return (EAGAIN);
1143 	}
1144 	avl_insert(&mcip->mci_v6_pending_txn, txn, where);
1145 	return (0);
1146 }
1147 
1148 /*
1149  * Clean up all v6 tables.
1150  */
1151 static void
1152 flush_dhcpv6(mac_client_impl_t *mcip)
1153 {
1154 	void		*cookie = NULL;
1155 	dhcpv6_cid_t	*cid;
1156 	dhcpv6_txn_t	*txn;
1157 
1158 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
1159 	while (avl_destroy_nodes(&mcip->mci_v6_dyn_ip, &cookie) != NULL) {
1160 	}
1161 	cookie = NULL;
1162 	while ((cid = avl_destroy_nodes(&mcip->mci_v6_cid, &cookie)) != NULL) {
1163 		free_dhcpv6_cid(cid);
1164 	}
1165 	cookie = NULL;
1166 	while ((txn = avl_destroy_nodes(&mcip->mci_v6_pending_txn,
1167 	    &cookie)) != NULL) {
1168 		free_dhcpv6_txn(txn);
1169 	}
1170 }
1171 
1172 /*
1173  * Cleanup stale DHCPv6 transactions.
1174  */
1175 static void
1176 txn_cleanup_v6(mac_client_impl_t *mcip)
1177 {
1178 	dhcpv6_txn_t		*txn, *next, *txn_list = NULL;
1179 
1180 	/*
1181 	 * Find stale pending transactions and place them on a list
1182 	 * to be removed.
1183 	 */
1184 	for (txn = avl_first(&mcip->mci_v6_pending_txn); txn != NULL;
1185 	    txn = avl_walk(&mcip->mci_v6_pending_txn, txn, AVL_AFTER)) {
1186 		if (ddi_get_time() - txn->dt_timestamp >
1187 		    txn_cleanup_interval) {
1188 			DTRACE_PROBE2(found__expired__txn,
1189 			    mac_client_impl_t *, mcip,
1190 			    dhcpv6_txn_t *, txn);
1191 
1192 			txn->dt_next = txn_list;
1193 			txn_list = txn;
1194 		}
1195 	}
1196 
1197 	/*
1198 	 * Remove and free stale pending transactions.
1199 	 * Release any existing cids matching the stale transactions.
1200 	 */
1201 	for (txn = txn_list; txn != NULL; txn = next) {
1202 		avl_remove(&mcip->mci_v6_pending_txn, txn);
1203 		release_dhcpv6_cid(mcip, txn->dt_cid);
1204 		next = txn->dt_next;
1205 		txn->dt_next = NULL;
1206 
1207 		DTRACE_PROBE2(freeing__txn, mac_client_impl_t *, mcip,
1208 		    dhcpv6_txn_t *, txn);
1209 		free_dhcpv6_txn(txn);
1210 	}
1211 
1212 }
1213 
1214 /*
1215  * Core logic for intercepting outbound DHCPv6 packets.
1216  */
1217 static boolean_t
1218 intercept_dhcpv6_outbound(mac_client_impl_t *mcip, ip6_t *ip6h, uchar_t *end)
1219 {
1220 	dhcpv6_message_t	*dh6;
1221 	dhcpv6_txn_t		*txn;
1222 	dhcpv6_cid_t		*cid = NULL;
1223 	uint32_t		xid;
1224 	uint8_t			mtype;
1225 	mac_resource_props_t *mrp = MCIP_RESOURCE_PROPS(mcip);
1226 
1227 	if (get_dhcpv6_info(ip6h, end, &dh6) != 0)
1228 		return (B_TRUE);
1229 
1230 	/* ip_nospoof/allowed-ips and DHCP are mutually exclusive by default */
1231 	if (allowed_ips_set(mrp, IPV6_VERSION))
1232 		return (B_FALSE);
1233 
1234 	mtype = dh6->d6m_msg_type;
1235 	if (mtype != DHCPV6_MSG_REQUEST && mtype != DHCPV6_MSG_RENEW &&
1236 	    mtype != DHCPV6_MSG_REBIND && mtype != DHCPV6_MSG_RELEASE)
1237 		return (B_TRUE);
1238 
1239 	if ((cid = create_dhcpv6_cid(dh6, end)) == NULL)
1240 		return (B_TRUE);
1241 
1242 	mutex_enter(&mcip->mci_protect_lock);
1243 	if (mtype == DHCPV6_MSG_RELEASE) {
1244 		release_dhcpv6_cid(mcip, cid);
1245 		goto done;
1246 	}
1247 	xid = DHCPV6_GET_TRANSID(dh6);
1248 	if ((txn = find_dhcpv6_pending_txn(mcip, xid)) != NULL) {
1249 		DTRACE_PROBE2(update, mac_client_impl_t *, mcip,
1250 		    dhcpv6_txn_t *, txn);
1251 		txn->dt_timestamp = ddi_get_time();
1252 		goto done;
1253 	}
1254 	if ((txn = create_dhcpv6_txn(xid, cid)) == NULL)
1255 		goto done;
1256 
1257 	cid = NULL;
1258 	if (insert_dhcpv6_pending_txn(mcip, txn) != 0) {
1259 		DTRACE_PROBE2(insert__failed, mac_client_impl_t *, mcip,
1260 		    dhcpv6_txn_t *, txn);
1261 		free_dhcpv6_txn(txn);
1262 		goto done;
1263 	}
1264 	start_txn_cleanup_timer(mcip);
1265 
1266 	DTRACE_PROBE2(txn__pending, mac_client_impl_t *, mcip,
1267 	    dhcpv6_txn_t *, txn);
1268 
1269 done:
1270 	if (cid != NULL)
1271 		free_dhcpv6_cid(cid);
1272 
1273 	mutex_exit(&mcip->mci_protect_lock);
1274 	return (B_TRUE);
1275 }
1276 
1277 /*
1278  * Core logic for intercepting inbound DHCPv6 packets.
1279  */
1280 static void
1281 intercept_dhcpv6_inbound(mac_client_impl_t *mcip, ip6_t *ip6h, uchar_t *end)
1282 {
1283 	dhcpv6_message_t	*dh6;
1284 	dhcpv6_txn_t		*txn;
1285 	uint32_t		xid;
1286 	uint8_t			mtype;
1287 	uint16_t		status;
1288 
1289 	if (get_dhcpv6_info(ip6h, end, &dh6) != 0)
1290 		return;
1291 
1292 	mtype = dh6->d6m_msg_type;
1293 	if (mtype != DHCPV6_MSG_REPLY)
1294 		return;
1295 
1296 	mutex_enter(&mcip->mci_protect_lock);
1297 	xid = DHCPV6_GET_TRANSID(dh6);
1298 	if ((txn = find_dhcpv6_pending_txn(mcip, xid)) == NULL) {
1299 		DTRACE_PROBE2(txn__not__found, mac_client_impl_t *, mcip,
1300 		    dhcpv6_message_t *, dh6);
1301 		goto done;
1302 	}
1303 	remove_dhcpv6_pending_txn(mcip, txn);
1304 	release_dhcpv6_cid(mcip, txn->dt_cid);
1305 
1306 	if (get_dhcpv6_status(dh6, end, &status) != 0 ||
1307 	    status != DHCPV6_STAT_SUCCESS) {
1308 		DTRACE_PROBE2(error__status, mac_client_impl_t *, mcip,
1309 		    dhcpv6_txn_t *, txn);
1310 		goto done;
1311 	}
1312 	if (get_dhcpv6_addrs(dh6, end, txn->dt_cid) != 0) {
1313 		DTRACE_PROBE2(no__addrs, mac_client_impl_t *, mcip,
1314 		    dhcpv6_txn_t *, txn);
1315 		goto done;
1316 	}
1317 	if (insert_dhcpv6_cid(mcip, txn->dt_cid) != 0) {
1318 		DTRACE_PROBE2(insert__failed, mac_client_impl_t *, mcip,
1319 		    dhcpv6_txn_t *, txn);
1320 		goto done;
1321 	}
1322 	DTRACE_PROBE2(txn__completed, mac_client_impl_t *, mcip,
1323 	    dhcpv6_txn_t *, txn);
1324 
1325 	txn->dt_cid = NULL;
1326 
1327 done:
1328 	if (txn != NULL)
1329 		free_dhcpv6_txn(txn);
1330 	mutex_exit(&mcip->mci_protect_lock);
1331 }
1332 
1333 /*
1334  * Timer for cleaning up stale transactions.
1335  */
1336 static void
1337 txn_cleanup_timer(void *arg)
1338 {
1339 	mac_client_impl_t	*mcip = arg;
1340 
1341 	mutex_enter(&mcip->mci_protect_lock);
1342 	if (mcip->mci_txn_cleanup_tid == 0) {
1343 		/* do nothing if timer got cancelled */
1344 		mutex_exit(&mcip->mci_protect_lock);
1345 		return;
1346 	}
1347 	mcip->mci_txn_cleanup_tid = 0;
1348 
1349 	txn_cleanup_v4(mcip);
1350 	txn_cleanup_v6(mcip);
1351 
1352 	/*
1353 	 * Restart timer if pending transactions still exist.
1354 	 */
1355 	if (!avl_is_empty(&mcip->mci_v4_pending_txn) ||
1356 	    !avl_is_empty(&mcip->mci_v6_pending_txn)) {
1357 		DTRACE_PROBE1(restarting__timer, mac_client_impl_t *, mcip);
1358 
1359 		mcip->mci_txn_cleanup_tid = timeout(txn_cleanup_timer, mcip,
1360 		    drv_usectohz(txn_cleanup_interval * 1000000));
1361 	}
1362 	mutex_exit(&mcip->mci_protect_lock);
1363 }
1364 
1365 static void
1366 start_txn_cleanup_timer(mac_client_impl_t *mcip)
1367 {
1368 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
1369 	if (mcip->mci_txn_cleanup_tid == 0) {
1370 		mcip->mci_txn_cleanup_tid = timeout(txn_cleanup_timer, mcip,
1371 		    drv_usectohz(txn_cleanup_interval * 1000000));
1372 	}
1373 }
1374 
1375 static void
1376 cancel_txn_cleanup_timer(mac_client_impl_t *mcip)
1377 {
1378 	timeout_id_t	tid;
1379 
1380 	ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
1381 
1382 	/*
1383 	 * This needs to be a while loop because the timer could get
1384 	 * rearmed during untimeout().
1385 	 */
1386 	while ((tid = mcip->mci_txn_cleanup_tid) != 0) {
1387 		mcip->mci_txn_cleanup_tid = 0;
1388 		mutex_exit(&mcip->mci_protect_lock);
1389 		(void) untimeout(tid);
1390 		mutex_enter(&mcip->mci_protect_lock);
1391 	}
1392 }
1393 
1394 /*
1395  * Get the start/end pointers of an L3 packet and also do pullup if needed.
1396  * pulled-up packet needs to be freed by the caller.
1397  */
1398 static int
1399 get_l3_info(mblk_t *mp, size_t hdrsize, uchar_t **start, uchar_t **end,
1400     mblk_t **nmp)
1401 {
1402 	uchar_t	*s, *e;
1403 	mblk_t	*newmp = NULL;
1404 
1405 	/*
1406 	 * Pullup if necessary but reject packets that do not have
1407 	 * a proper mac header.
1408 	 */
1409 	s = mp->b_rptr + hdrsize;
1410 	e = mp->b_wptr;
1411 
1412 	if (s > mp->b_wptr)
1413 		return (EINVAL);
1414 
1415 	if (!OK_32PTR(s) || mp->b_cont != NULL) {
1416 		/*
1417 		 * Temporarily adjust mp->b_rptr to ensure proper
1418 		 * alignment of IP header in newmp.
1419 		 */
1420 		DTRACE_PROBE1(pullup__needed, mblk_t *, mp);
1421 
1422 		mp->b_rptr += hdrsize;
1423 		newmp = msgpullup(mp, -1);
1424 		mp->b_rptr -= hdrsize;
1425 
1426 		if (newmp == NULL)
1427 			return (ENOMEM);
1428 
1429 		s = newmp->b_rptr;
1430 		e = newmp->b_wptr;
1431 	}
1432 
1433 	*start = s;
1434 	*end = e;
1435 	*nmp = newmp;
1436 	return (0);
1437 }
1438 
1439 void
1440 mac_protect_intercept_dhcp_one(mac_client_impl_t *mcip, mblk_t *mp)
1441 {
1442 	mac_impl_t		*mip = mcip->mci_mip;
1443 	uchar_t			*start, *end;
1444 	mblk_t			*nmp = NULL;
1445 	mac_header_info_t	mhi;
1446 	int			err;
1447 
1448 	err = mac_vlan_header_info((mac_handle_t)mip, mp, &mhi);
1449 	if (err != 0) {
1450 		DTRACE_PROBE2(invalid__header, mac_client_impl_t *, mcip,
1451 		    mblk_t *, mp);
1452 		return;
1453 	}
1454 
1455 	err = get_l3_info(mp, mhi.mhi_hdrsize, &start, &end, &nmp);
1456 	if (err != 0) {
1457 		DTRACE_PROBE2(invalid__l3, mac_client_impl_t *, mcip,
1458 		    mblk_t *, mp);
1459 		return;
1460 	}
1461 
1462 	switch (mhi.mhi_bindsap) {
1463 	case ETHERTYPE_IP: {
1464 		ipha_t	*ipha = (ipha_t *)start;
1465 
1466 		if (start + sizeof (ipha_t) > end)
1467 			return;
1468 
1469 		intercept_dhcpv4_inbound(mcip, ipha, end);
1470 		break;
1471 	}
1472 	case ETHERTYPE_IPV6: {
1473 		ip6_t		*ip6h = (ip6_t *)start;
1474 
1475 		if (start + sizeof (ip6_t) > end)
1476 			return;
1477 
1478 		intercept_dhcpv6_inbound(mcip, ip6h, end);
1479 		break;
1480 	}
1481 	}
1482 	freemsg(nmp);
1483 }
1484 
1485 void
1486 mac_protect_intercept_dhcp(mac_client_impl_t *mcip, mblk_t *mp)
1487 {
1488 	/*
1489 	 * Skip checks if we are part of an aggr.
1490 	 */
1491 	if ((mcip->mci_state_flags & MCIS_IS_AGGR_PORT) != 0)
1492 		return;
1493 
1494 	for (; mp != NULL; mp = mp->b_next)
1495 		mac_protect_intercept_dhcp_one(mcip, mp);
1496 }
1497 
1498 void
1499 mac_protect_flush_dhcp(mac_client_impl_t *mcip)
1500 {
1501 	mutex_enter(&mcip->mci_protect_lock);
1502 	flush_dhcpv4(mcip);
1503 	flush_dhcpv6(mcip);
1504 	mutex_exit(&mcip->mci_protect_lock);
1505 }
1506 
1507 void
1508 mac_protect_cancel_timer(mac_client_impl_t *mcip)
1509 {
1510 	mutex_enter(&mcip->mci_protect_lock);
1511 	cancel_txn_cleanup_timer(mcip);
1512 	mutex_exit(&mcip->mci_protect_lock);
1513 }
1514 
1515 /*
1516  * Check if addr is in the 'allowed-ips' list.
1517  */
1518 
1519 /* ARGSUSED */
1520 static boolean_t
1521 ipnospoof_check_v4(mac_client_impl_t *mcip, mac_protect_t *protect,
1522     ipaddr_t *addr)
1523 {
1524 	uint_t	i;
1525 
1526 	/*
1527 	 * The unspecified address is allowed.
1528 	 */
1529 	if (*addr == INADDR_ANY)
1530 		return (B_TRUE);
1531 
1532 	for (i = 0; i < protect->mp_ipaddrcnt; i++) {
1533 		mac_ipaddr_t	*v4addr = &protect->mp_ipaddrs[i];
1534 
1535 		if (v4addr->ip_version == IPV4_VERSION &&
1536 		    V4_PART_OF_V6(v4addr->ip_addr) == *addr)
1537 			return (B_TRUE);
1538 	}
1539 	return (protect->mp_ipaddrcnt == 0 ?
1540 	    check_dhcpv4_dyn_ip(mcip, *addr) : B_FALSE);
1541 }
1542 
1543 static boolean_t
1544 ipnospoof_check_v6(mac_client_impl_t *mcip, mac_protect_t *protect,
1545     in6_addr_t *addr)
1546 {
1547 	uint_t	i;
1548 
1549 	/*
1550 	 * The unspecified address and the v6 link local address are allowed.
1551 	 */
1552 	if (IN6_IS_ADDR_UNSPECIFIED(addr) ||
1553 	    ((mcip->mci_protect_flags & MPT_FLAG_V6_LOCAL_ADDR_SET) != 0 &&
1554 	    IN6_ARE_ADDR_EQUAL(&mcip->mci_v6_local_addr, addr)))
1555 		return (B_TRUE);
1556 
1557 
1558 	for (i = 0; i < protect->mp_ipaddrcnt; i++) {
1559 		mac_ipaddr_t	*v6addr = &protect->mp_ipaddrs[i];
1560 
1561 		if (v6addr->ip_version == IPV6_VERSION &&
1562 		    IN6_ARE_ADDR_EQUAL(&v6addr->ip_addr, addr))
1563 			return (B_TRUE);
1564 	}
1565 	return (protect->mp_ipaddrcnt == 0 ?
1566 	    check_dhcpv6_dyn_ip(mcip, addr) : B_FALSE);
1567 }
1568 
1569 /*
1570  * Checks various fields within an IPv6 NDP packet.
1571  */
1572 static boolean_t
1573 ipnospoof_check_ndp(mac_client_impl_t *mcip, mac_protect_t *protect,
1574     ip6_t *ip6h, uchar_t *end)
1575 {
1576 	icmp6_t			*icmp_nd = (icmp6_t *)&ip6h[1];
1577 	int			hdrlen, optlen, opttype, len;
1578 	uint_t			addrlen, maclen;
1579 	uint8_t			type;
1580 	nd_opt_hdr_t		*opt;
1581 	struct nd_opt_lla	*lla = NULL;
1582 
1583 	/*
1584 	 * NDP packets do not have extension headers so the ICMPv6 header
1585 	 * must immediately follow the IPv6 header.
1586 	 */
1587 	if (ip6h->ip6_nxt != IPPROTO_ICMPV6)
1588 		return (B_TRUE);
1589 
1590 	/* ICMPv6 header missing */
1591 	if ((uchar_t *)&icmp_nd[1] > end)
1592 		return (B_FALSE);
1593 
1594 	len = end - (uchar_t *)icmp_nd;
1595 	type = icmp_nd->icmp6_type;
1596 
1597 	switch (type) {
1598 	case ND_ROUTER_SOLICIT:
1599 		hdrlen = sizeof (nd_router_solicit_t);
1600 		break;
1601 	case ND_ROUTER_ADVERT:
1602 		hdrlen = sizeof (nd_router_advert_t);
1603 		break;
1604 	case ND_NEIGHBOR_SOLICIT:
1605 		hdrlen = sizeof (nd_neighbor_solicit_t);
1606 		break;
1607 	case ND_NEIGHBOR_ADVERT:
1608 		hdrlen = sizeof (nd_neighbor_advert_t);
1609 		break;
1610 	case ND_REDIRECT:
1611 		hdrlen = sizeof (nd_redirect_t);
1612 		break;
1613 	default:
1614 		return (B_TRUE);
1615 	}
1616 
1617 	if (len < hdrlen)
1618 		return (B_FALSE);
1619 
1620 	/* SLLA option checking is needed for RS/RA/NS */
1621 	opttype = ND_OPT_SOURCE_LINKADDR;
1622 
1623 	switch (type) {
1624 	case ND_NEIGHBOR_ADVERT: {
1625 		nd_neighbor_advert_t	*na = (nd_neighbor_advert_t *)icmp_nd;
1626 
1627 		if (!ipnospoof_check_v6(mcip, protect, &na->nd_na_target)) {
1628 			DTRACE_PROBE2(ndp__na__fail,
1629 			    mac_client_impl_t *, mcip, ip6_t *, ip6h);
1630 			return (B_FALSE);
1631 		}
1632 
1633 		/* TLLA option for NA */
1634 		opttype = ND_OPT_TARGET_LINKADDR;
1635 		break;
1636 	}
1637 	case ND_REDIRECT: {
1638 		/* option checking not needed for RD */
1639 		return (B_TRUE);
1640 	}
1641 	default:
1642 		break;
1643 	}
1644 
1645 	if (len == hdrlen) {
1646 		/* no options, we're done */
1647 		return (B_TRUE);
1648 	}
1649 	opt = (nd_opt_hdr_t *)((uchar_t *)icmp_nd + hdrlen);
1650 	optlen = len - hdrlen;
1651 
1652 	/* find the option header we need */
1653 	while (optlen > sizeof (nd_opt_hdr_t)) {
1654 		if (opt->nd_opt_type == opttype) {
1655 			lla = (struct nd_opt_lla *)opt;
1656 			break;
1657 		}
1658 		optlen -= 8 * opt->nd_opt_len;
1659 		opt = (nd_opt_hdr_t *)
1660 		    ((uchar_t *)opt + 8 * opt->nd_opt_len);
1661 	}
1662 	if (lla == NULL)
1663 		return (B_TRUE);
1664 
1665 	addrlen = lla->nd_opt_lla_len * 8 - sizeof (nd_opt_hdr_t);
1666 	maclen = mcip->mci_mip->mi_info.mi_addr_length;
1667 
1668 	if (addrlen != maclen ||
1669 	    bcmp(mcip->mci_unicast->ma_addr,
1670 	    lla->nd_opt_lla_hdw_addr, maclen) != 0) {
1671 		DTRACE_PROBE2(ndp__lla__fail,
1672 		    mac_client_impl_t *, mcip, ip6_t *, ip6h);
1673 		return (B_FALSE);
1674 	}
1675 
1676 	DTRACE_PROBE2(ndp__lla__ok, mac_client_impl_t *, mcip, ip6_t *, ip6h);
1677 	return (B_TRUE);
1678 }
1679 
1680 /*
1681  * Enforce ip-nospoof protection.
1682  */
1683 static int
1684 ipnospoof_check(mac_client_impl_t *mcip, mac_protect_t *protect,
1685     mblk_t *mp, mac_header_info_t *mhip)
1686 {
1687 	size_t		hdrsize = mhip->mhi_hdrsize;
1688 	uint32_t	sap = mhip->mhi_bindsap;
1689 	uchar_t		*start, *end;
1690 	mblk_t		*nmp = NULL;
1691 	int		err;
1692 
1693 	err = get_l3_info(mp, hdrsize, &start, &end, &nmp);
1694 	if (err != 0) {
1695 		DTRACE_PROBE2(invalid__l3, mac_client_impl_t *, mcip,
1696 		    mblk_t *, mp);
1697 		return (err);
1698 	}
1699 	err = EINVAL;
1700 
1701 	switch (sap) {
1702 	case ETHERTYPE_IP: {
1703 		ipha_t	*ipha = (ipha_t *)start;
1704 
1705 		if (start + sizeof (ipha_t) > end)
1706 			goto fail;
1707 
1708 		if (!ipnospoof_check_v4(mcip, protect, &ipha->ipha_src))
1709 			goto fail;
1710 
1711 		if (!intercept_dhcpv4_outbound(mcip, ipha, end))
1712 			goto fail;
1713 		break;
1714 	}
1715 	case ETHERTYPE_ARP: {
1716 		arh_t		*arh = (arh_t *)start;
1717 		uint32_t	maclen, hlen, plen, arplen;
1718 		ipaddr_t	spaddr;
1719 		uchar_t		*shaddr;
1720 
1721 		if (start + sizeof (arh_t) > end)
1722 			goto fail;
1723 
1724 		maclen = mcip->mci_mip->mi_info.mi_addr_length;
1725 		hlen = arh->arh_hlen;
1726 		plen = arh->arh_plen;
1727 		if ((hlen != 0 && hlen != maclen) ||
1728 		    plen != sizeof (ipaddr_t))
1729 			goto fail;
1730 
1731 		arplen = sizeof (arh_t) + 2 * hlen + 2 * plen;
1732 		if (start + arplen > end)
1733 			goto fail;
1734 
1735 		shaddr = start + sizeof (arh_t);
1736 		if (hlen != 0 &&
1737 		    bcmp(mcip->mci_unicast->ma_addr, shaddr, maclen) != 0)
1738 			goto fail;
1739 
1740 		bcopy(shaddr + hlen, &spaddr, sizeof (spaddr));
1741 		if (!ipnospoof_check_v4(mcip, protect, &spaddr))
1742 			goto fail;
1743 		break;
1744 	}
1745 	case ETHERTYPE_IPV6: {
1746 		ip6_t		*ip6h = (ip6_t *)start;
1747 
1748 		if (start + sizeof (ip6_t) > end)
1749 			goto fail;
1750 
1751 		if (!ipnospoof_check_v6(mcip, protect, &ip6h->ip6_src))
1752 			goto fail;
1753 
1754 		if (!ipnospoof_check_ndp(mcip, protect, ip6h, end))
1755 			goto fail;
1756 
1757 		if (!intercept_dhcpv6_outbound(mcip, ip6h, end))
1758 			goto fail;
1759 		break;
1760 	}
1761 	}
1762 	freemsg(nmp);
1763 	return (0);
1764 
1765 fail:
1766 	freemsg(nmp);
1767 	return (err);
1768 }
1769 
1770 static boolean_t
1771 dhcpnospoof_check_cid(mac_protect_t *p, uchar_t *cid, uint_t cidlen)
1772 {
1773 	int	i;
1774 
1775 	for (i = 0; i < p->mp_cidcnt; i++) {
1776 		mac_dhcpcid_t	*dcid = &p->mp_cids[i];
1777 
1778 		if (dcid->dc_len == cidlen &&
1779 		    bcmp(dcid->dc_id, cid, cidlen) == 0)
1780 			return (B_TRUE);
1781 	}
1782 	return (B_FALSE);
1783 }
1784 
1785 static boolean_t
1786 dhcpnospoof_check_v4(mac_client_impl_t *mcip, mac_protect_t *p,
1787     ipha_t *ipha, uchar_t *end)
1788 {
1789 	struct dhcp	*dh4;
1790 	uchar_t		*cid;
1791 	uint_t		maclen, cidlen = 0;
1792 	uint8_t		optlen;
1793 	int		err;
1794 
1795 	if ((err = get_dhcpv4_info(ipha, end, &dh4)) != 0)
1796 		return (err == EINVAL);
1797 
1798 	maclen = mcip->mci_mip->mi_info.mi_addr_length;
1799 	if (dh4->hlen == maclen &&
1800 	    bcmp(mcip->mci_unicast->ma_addr, dh4->chaddr, maclen) != 0) {
1801 		return (B_FALSE);
1802 	}
1803 	if (get_dhcpv4_option(dh4, end, CD_CLIENT_ID, &cid, &optlen) == 0)
1804 		cidlen = optlen;
1805 
1806 	if (cidlen == 0)
1807 		return (B_TRUE);
1808 
1809 	if (*cid == ARPHRD_ETHER && cidlen - 1 == maclen &&
1810 	    bcmp(mcip->mci_unicast->ma_addr, cid + 1, maclen) == 0)
1811 		return (B_TRUE);
1812 
1813 	return (dhcpnospoof_check_cid(p, cid, cidlen));
1814 }
1815 
1816 static boolean_t
1817 dhcpnospoof_check_v6(mac_client_impl_t *mcip, mac_protect_t *p,
1818     ip6_t *ip6h, uchar_t *end)
1819 {
1820 	dhcpv6_message_t	*dh6;
1821 	dhcpv6_option_t		*d6o;
1822 	uint8_t			mtype;
1823 	uchar_t			*cid, *lladdr = NULL;
1824 	uint_t			cidlen, maclen, addrlen = 0;
1825 	uint16_t		cidtype;
1826 	int			err;
1827 
1828 	if ((err = get_dhcpv6_info(ip6h, end, &dh6)) != 0)
1829 		return (err == EINVAL);
1830 
1831 	/*
1832 	 * We only check client-generated messages.
1833 	 */
1834 	mtype = dh6->d6m_msg_type;
1835 	if (mtype == DHCPV6_MSG_ADVERTISE || mtype == DHCPV6_MSG_REPLY ||
1836 	    mtype == DHCPV6_MSG_RECONFIGURE)
1837 		return (B_TRUE);
1838 
1839 	d6o = get_dhcpv6_option(&dh6[1], end - (uchar_t *)&dh6[1], NULL,
1840 	    DHCPV6_OPT_CLIENTID, &cidlen);
1841 	if (d6o == NULL || (uchar_t *)d6o + cidlen > end)
1842 		return (B_TRUE);
1843 
1844 	cid = (uchar_t *)&d6o[1];
1845 	cidlen -= sizeof (*d6o);
1846 	if (cidlen < sizeof (cidtype))
1847 		return (B_TRUE);
1848 
1849 	bcopy(cid, &cidtype, sizeof (cidtype));
1850 	cidtype = ntohs(cidtype);
1851 	if (cidtype == DHCPV6_DUID_LLT && cidlen >= sizeof (duid_llt_t)) {
1852 		lladdr = cid + sizeof (duid_llt_t);
1853 		addrlen = cidlen - sizeof (duid_llt_t);
1854 	}
1855 	if (cidtype == DHCPV6_DUID_LL && cidlen >= sizeof (duid_ll_t)) {
1856 		lladdr = cid + sizeof (duid_ll_t);
1857 		addrlen = cidlen - sizeof (duid_ll_t);
1858 	}
1859 	maclen = mcip->mci_mip->mi_info.mi_addr_length;
1860 	if (lladdr != NULL && addrlen == maclen &&
1861 	    bcmp(mcip->mci_unicast->ma_addr, lladdr, maclen) == 0) {
1862 		return (B_TRUE);
1863 	}
1864 	return (dhcpnospoof_check_cid(p, cid, cidlen));
1865 }
1866 
1867 /*
1868  * Enforce dhcp-nospoof protection.
1869  */
1870 static int
1871 dhcpnospoof_check(mac_client_impl_t *mcip, mac_protect_t *protect,
1872     mblk_t *mp, mac_header_info_t *mhip)
1873 {
1874 	size_t		hdrsize = mhip->mhi_hdrsize;
1875 	uint32_t	sap = mhip->mhi_bindsap;
1876 	uchar_t		*start, *end;
1877 	mblk_t		*nmp = NULL;
1878 	int		err;
1879 
1880 	err = get_l3_info(mp, hdrsize, &start, &end, &nmp);
1881 	if (err != 0) {
1882 		DTRACE_PROBE2(invalid__l3, mac_client_impl_t *, mcip,
1883 		    mblk_t *, mp);
1884 		return (err);
1885 	}
1886 	err = EINVAL;
1887 
1888 	switch (sap) {
1889 	case ETHERTYPE_IP: {
1890 		ipha_t	*ipha = (ipha_t *)start;
1891 
1892 		if (start + sizeof (ipha_t) > end)
1893 			goto fail;
1894 
1895 		if (!dhcpnospoof_check_v4(mcip, protect, ipha, end))
1896 			goto fail;
1897 
1898 		break;
1899 	}
1900 	case ETHERTYPE_IPV6: {
1901 		ip6_t		*ip6h = (ip6_t *)start;
1902 
1903 		if (start + sizeof (ip6_t) > end)
1904 			goto fail;
1905 
1906 		if (!dhcpnospoof_check_v6(mcip, protect, ip6h, end))
1907 			goto fail;
1908 
1909 		break;
1910 	}
1911 	}
1912 	freemsg(nmp);
1913 	return (0);
1914 
1915 fail:
1916 	/* increment dhcpnospoof stat here */
1917 	freemsg(nmp);
1918 	return (err);
1919 }
1920 
1921 /*
1922  * This needs to be called whenever the mac client's mac address changes.
1923  */
1924 void
1925 mac_protect_update_v6_local_addr(mac_client_impl_t *mcip)
1926 {
1927 	uint8_t		*p, *macaddr = mcip->mci_unicast->ma_addr;
1928 	uint_t		i, media = mcip->mci_mip->mi_info.mi_media;
1929 	in6_addr_t	token, *v6addr = &mcip->mci_v6_local_addr;
1930 	in6_addr_t	ll_template = {(uint32_t)V6_LINKLOCAL, 0x0, 0x0, 0x0};
1931 
1932 
1933 	bzero(&token, sizeof (token));
1934 	p = (uint8_t *)&token.s6_addr32[2];
1935 
1936 	switch (media) {
1937 	case DL_ETHER:
1938 		bcopy(macaddr, p, 3);
1939 		p[0] ^= 0x2;
1940 		p[3] = 0xff;
1941 		p[4] = 0xfe;
1942 		bcopy(macaddr + 3, p + 5, 3);
1943 		break;
1944 	case DL_IB:
1945 		ASSERT(mcip->mci_mip->mi_info.mi_addr_length == 20);
1946 		bcopy(macaddr + 12, p, 8);
1947 		p[0] |= 2;
1948 		break;
1949 	default:
1950 		/*
1951 		 * We do not need to generate the local address for link types
1952 		 * that do not support link protection. Wifi pretends to be
1953 		 * ethernet so it is covered by the DL_ETHER case (note the
1954 		 * use of mi_media instead of mi_nativemedia).
1955 		 */
1956 		return;
1957 	}
1958 
1959 	for (i = 0; i < 4; i++) {
1960 		v6addr->s6_addr32[i] = token.s6_addr32[i] |
1961 		    ll_template.s6_addr32[i];
1962 	}
1963 	mcip->mci_protect_flags |= MPT_FLAG_V6_LOCAL_ADDR_SET;
1964 }
1965 
1966 /*
1967  * Enforce link protection on one packet.
1968  */
1969 static int
1970 mac_protect_check_one(mac_client_impl_t *mcip, mblk_t *mp)
1971 {
1972 	mac_impl_t		*mip = mcip->mci_mip;
1973 	mac_resource_props_t	*mrp = MCIP_RESOURCE_PROPS(mcip);
1974 	mac_protect_t		*protect;
1975 	mac_header_info_t	mhi;
1976 	uint32_t		types;
1977 	int			err;
1978 
1979 	ASSERT(mp->b_next == NULL);
1980 	ASSERT(mrp != NULL);
1981 
1982 	err = mac_vlan_header_info((mac_handle_t)mip, mp, &mhi);
1983 	if (err != 0) {
1984 		DTRACE_PROBE2(invalid__header, mac_client_impl_t *, mcip,
1985 		    mblk_t *, mp);
1986 		return (err);
1987 	}
1988 	protect = &mrp->mrp_protect;
1989 	types = protect->mp_types;
1990 
1991 	if ((types & MPT_MACNOSPOOF) != 0) {
1992 		if (mhi.mhi_saddr != NULL &&
1993 		    bcmp(mcip->mci_unicast->ma_addr, mhi.mhi_saddr,
1994 		    mip->mi_info.mi_addr_length) != 0) {
1995 			BUMP_STAT(mcip, macspoofed);
1996 			DTRACE_PROBE2(mac__nospoof__fail,
1997 			    mac_client_impl_t *, mcip, mblk_t *, mp);
1998 			return (EINVAL);
1999 		}
2000 	}
2001 	if ((types & MPT_RESTRICTED) != 0) {
2002 		uint32_t	vid = VLAN_ID(mhi.mhi_tci);
2003 		uint32_t	sap = mhi.mhi_bindsap;
2004 
2005 		/*
2006 		 * ETHERTYPE_VLAN packets are allowed through, provided that
2007 		 * the vid is not spoofed.
2008 		 */
2009 		if (vid != 0 && !mac_client_check_flow_vid(mcip, vid)) {
2010 			BUMP_STAT(mcip, restricted);
2011 			DTRACE_PROBE2(restricted__vid__invalid,
2012 			    mac_client_impl_t *, mcip, mblk_t *, mp);
2013 			return (EINVAL);
2014 		}
2015 
2016 		if (sap != ETHERTYPE_IP && sap != ETHERTYPE_IPV6 &&
2017 		    sap != ETHERTYPE_ARP) {
2018 			BUMP_STAT(mcip, restricted);
2019 			DTRACE_PROBE2(restricted__fail,
2020 			    mac_client_impl_t *, mcip, mblk_t *, mp);
2021 			return (EINVAL);
2022 		}
2023 	}
2024 	if ((types & MPT_IPNOSPOOF) != 0) {
2025 		if ((err = ipnospoof_check(mcip, protect, mp, &mhi)) != 0) {
2026 			BUMP_STAT(mcip, ipspoofed);
2027 			DTRACE_PROBE2(ip__nospoof__fail,
2028 			    mac_client_impl_t *, mcip, mblk_t *, mp);
2029 			return (err);
2030 		}
2031 	}
2032 	if ((types & MPT_DHCPNOSPOOF) != 0) {
2033 		if ((err = dhcpnospoof_check(mcip, protect, mp, &mhi)) != 0) {
2034 			BUMP_STAT(mcip, dhcpspoofed);
2035 			DTRACE_PROBE2(dhcp__nospoof__fail,
2036 			    mac_client_impl_t *, mcip, mblk_t *, mp);
2037 			return (err);
2038 		}
2039 	}
2040 	return (0);
2041 }
2042 
2043 /*
2044  * Enforce link protection on a packet chain.
2045  * Packets that pass the checks are returned back to the caller.
2046  */
2047 mblk_t *
2048 mac_protect_check(mac_client_handle_t mch, mblk_t *mp)
2049 {
2050 	mac_client_impl_t	*mcip = (mac_client_impl_t *)mch;
2051 	mblk_t			*ret_mp = NULL, **tailp = &ret_mp, *next;
2052 
2053 	/*
2054 	 * Skip checks if we are part of an aggr.
2055 	 */
2056 	if ((mcip->mci_state_flags & MCIS_IS_AGGR_PORT) != 0)
2057 		return (mp);
2058 
2059 	for (; mp != NULL; mp = next) {
2060 		next = mp->b_next;
2061 		mp->b_next = NULL;
2062 
2063 		if (mac_protect_check_one(mcip, mp) == 0) {
2064 			*tailp = mp;
2065 			tailp = &mp->b_next;
2066 		} else {
2067 			freemsg(mp);
2068 		}
2069 	}
2070 	return (ret_mp);
2071 }
2072 
2073 /*
2074  * Check if a particular protection type is enabled.
2075  */
2076 boolean_t
2077 mac_protect_enabled(mac_client_handle_t mch, uint32_t type)
2078 {
2079 	return (MAC_PROTECT_ENABLED((mac_client_impl_t *)mch, type));
2080 }
2081 
2082 static int
2083 validate_ips(mac_protect_t *p)
2084 {
2085 	uint_t		i, j;
2086 
2087 	if (p->mp_ipaddrcnt == MPT_RESET)
2088 		return (0);
2089 
2090 	if (p->mp_ipaddrcnt > MPT_MAXIPADDR)
2091 		return (EINVAL);
2092 
2093 	for (i = 0; i < p->mp_ipaddrcnt; i++) {
2094 		mac_ipaddr_t	*addr = &p->mp_ipaddrs[i];
2095 
2096 		/*
2097 		 * The unspecified address is implicitly allowed
2098 		 * so there's no need to add it to the list.
2099 		 */
2100 		if (addr->ip_version == IPV4_VERSION) {
2101 			if (V4_PART_OF_V6(addr->ip_addr) == INADDR_ANY)
2102 				return (EINVAL);
2103 		} else if (addr->ip_version == IPV6_VERSION) {
2104 			if (IN6_IS_ADDR_UNSPECIFIED(&addr->ip_addr))
2105 				return (EINVAL);
2106 		} else {
2107 			/* invalid ip version */
2108 			return (EINVAL);
2109 		}
2110 
2111 		for (j = 0; j < p->mp_ipaddrcnt; j++) {
2112 			mac_ipaddr_t	*addr1 = &p->mp_ipaddrs[j];
2113 
2114 			if (i == j || addr->ip_version != addr1->ip_version)
2115 				continue;
2116 
2117 			/* found a duplicate */
2118 			if ((addr->ip_version == IPV4_VERSION &&
2119 			    V4_PART_OF_V6(addr->ip_addr) ==
2120 			    V4_PART_OF_V6(addr1->ip_addr)) ||
2121 			    IN6_ARE_ADDR_EQUAL(&addr->ip_addr,
2122 			    &addr1->ip_addr))
2123 				return (EINVAL);
2124 		}
2125 	}
2126 	return (0);
2127 }
2128 
2129 /* ARGSUSED */
2130 static int
2131 validate_cids(mac_protect_t *p)
2132 {
2133 	uint_t		i, j;
2134 
2135 	if (p->mp_cidcnt == MPT_RESET)
2136 		return (0);
2137 
2138 	if (p->mp_cidcnt > MPT_MAXCID)
2139 		return (EINVAL);
2140 
2141 	for (i = 0; i < p->mp_cidcnt; i++) {
2142 		mac_dhcpcid_t	*cid = &p->mp_cids[i];
2143 
2144 		if (cid->dc_len > MPT_MAXCIDLEN ||
2145 		    (cid->dc_form != CIDFORM_TYPED &&
2146 		    cid->dc_form != CIDFORM_HEX &&
2147 		    cid->dc_form != CIDFORM_STR))
2148 			return (EINVAL);
2149 
2150 		for (j = 0; j < p->mp_cidcnt; j++) {
2151 			mac_dhcpcid_t	*cid1 = &p->mp_cids[j];
2152 
2153 			if (i == j || cid->dc_len != cid1->dc_len)
2154 				continue;
2155 
2156 			/* found a duplicate */
2157 			if (bcmp(cid->dc_id, cid1->dc_id, cid->dc_len) == 0)
2158 				return (EINVAL);
2159 		}
2160 	}
2161 	return (0);
2162 }
2163 
2164 /*
2165  * Sanity-checks parameters given by userland.
2166  */
2167 int
2168 mac_protect_validate(mac_resource_props_t *mrp)
2169 {
2170 	mac_protect_t	*p = &mrp->mrp_protect;
2171 	int		err;
2172 
2173 	/* check for invalid types */
2174 	if (p->mp_types != MPT_RESET && (p->mp_types & ~MPT_ALL) != 0)
2175 		return (EINVAL);
2176 
2177 	if ((err = validate_ips(p)) != 0)
2178 		return (err);
2179 
2180 	if ((err = validate_cids(p)) != 0)
2181 		return (err);
2182 
2183 	return (0);
2184 }
2185 
2186 /*
2187  * Enable/disable link protection.
2188  */
2189 int
2190 mac_protect_set(mac_client_handle_t mch, mac_resource_props_t *mrp)
2191 {
2192 	mac_client_impl_t	*mcip = (mac_client_impl_t *)mch;
2193 	mac_impl_t		*mip = mcip->mci_mip;
2194 	uint_t			media = mip->mi_info.mi_nativemedia;
2195 	int			err;
2196 
2197 	ASSERT(MAC_PERIM_HELD((mac_handle_t)mip));
2198 
2199 	/* tunnels are not supported */
2200 	if (media == DL_IPV4 || media == DL_IPV6 || media == DL_6TO4)
2201 		return (ENOTSUP);
2202 
2203 	if ((err = mac_protect_validate(mrp)) != 0)
2204 		return (err);
2205 
2206 	if (err != 0)
2207 		return (err);
2208 
2209 	mac_update_resources(mrp, MCIP_RESOURCE_PROPS(mcip), B_FALSE);
2210 	i_mac_notify(((mcip->mci_state_flags & MCIS_IS_VNIC) != 0 ?
2211 	    mcip->mci_upper_mip : mip), MAC_NOTE_ALLOWED_IPS);
2212 	return (0);
2213 }
2214 
2215 void
2216 mac_protect_update(mac_resource_props_t *new, mac_resource_props_t *curr)
2217 {
2218 	mac_protect_t	*np = &new->mrp_protect;
2219 	mac_protect_t	*cp = &curr->mrp_protect;
2220 	uint32_t	types = np->mp_types;
2221 
2222 	if (types == MPT_RESET) {
2223 		cp->mp_types = 0;
2224 		curr->mrp_mask &= ~MRP_PROTECT;
2225 	} else {
2226 		if (types != 0) {
2227 			cp->mp_types = types;
2228 			curr->mrp_mask |= MRP_PROTECT;
2229 		}
2230 	}
2231 	if (np->mp_ipaddrcnt != 0) {
2232 		if (np->mp_ipaddrcnt <= MPT_MAXIPADDR) {
2233 			bcopy(np->mp_ipaddrs, cp->mp_ipaddrs,
2234 			    sizeof (cp->mp_ipaddrs));
2235 			cp->mp_ipaddrcnt = np->mp_ipaddrcnt;
2236 		} else if (np->mp_ipaddrcnt == MPT_RESET) {
2237 			bzero(cp->mp_ipaddrs, sizeof (cp->mp_ipaddrs));
2238 			cp->mp_ipaddrcnt = 0;
2239 		}
2240 	}
2241 	if (np->mp_cidcnt != 0) {
2242 		if (np->mp_cidcnt <= MPT_MAXCID) {
2243 			bcopy(np->mp_cids, cp->mp_cids, sizeof (cp->mp_cids));
2244 			cp->mp_cidcnt = np->mp_cidcnt;
2245 		} else if (np->mp_cidcnt == MPT_RESET) {
2246 			bzero(cp->mp_cids, sizeof (cp->mp_cids));
2247 			cp->mp_cidcnt = 0;
2248 		}
2249 	}
2250 }
2251 
2252 void
2253 mac_protect_init(mac_client_impl_t *mcip)
2254 {
2255 	mutex_init(&mcip->mci_protect_lock, NULL, MUTEX_DRIVER, NULL);
2256 	mcip->mci_protect_flags = 0;
2257 	mcip->mci_txn_cleanup_tid = 0;
2258 	avl_create(&mcip->mci_v4_pending_txn, compare_dhcpv4_xid,
2259 	    sizeof (dhcpv4_txn_t), offsetof(dhcpv4_txn_t, dt_node));
2260 	avl_create(&mcip->mci_v4_completed_txn, compare_dhcpv4_cid,
2261 	    sizeof (dhcpv4_txn_t), offsetof(dhcpv4_txn_t, dt_node));
2262 	avl_create(&mcip->mci_v4_dyn_ip, compare_dhcpv4_ip,
2263 	    sizeof (dhcpv4_txn_t), offsetof(dhcpv4_txn_t, dt_ipnode));
2264 	avl_create(&mcip->mci_v6_pending_txn, compare_dhcpv6_xid,
2265 	    sizeof (dhcpv6_txn_t), offsetof(dhcpv6_txn_t, dt_node));
2266 	avl_create(&mcip->mci_v6_cid, compare_dhcpv6_cid,
2267 	    sizeof (dhcpv6_cid_t), offsetof(dhcpv6_cid_t, dc_node));
2268 	avl_create(&mcip->mci_v6_dyn_ip, compare_dhcpv6_ip,
2269 	    sizeof (dhcpv6_addr_t), offsetof(dhcpv6_addr_t, da_node));
2270 }
2271 
2272 void
2273 mac_protect_fini(mac_client_impl_t *mcip)
2274 {
2275 	avl_destroy(&mcip->mci_v6_dyn_ip);
2276 	avl_destroy(&mcip->mci_v6_cid);
2277 	avl_destroy(&mcip->mci_v6_pending_txn);
2278 	avl_destroy(&mcip->mci_v4_dyn_ip);
2279 	avl_destroy(&mcip->mci_v4_completed_txn);
2280 	avl_destroy(&mcip->mci_v4_pending_txn);
2281 	mcip->mci_txn_cleanup_tid = 0;
2282 	mcip->mci_protect_flags = 0;
2283 	mutex_destroy(&mcip->mci_protect_lock);
2284 }
2285 
2286 static boolean_t
2287 allowed_ips_set(mac_resource_props_t *mrp, uint32_t af)
2288 {
2289 	int i;
2290 
2291 	for (i = 0; i < mrp->mrp_protect.mp_ipaddrcnt; i++) {
2292 		if (mrp->mrp_protect.mp_ipaddrs[i].ip_version == af)
2293 			return (B_TRUE);
2294 	}
2295 	return (B_FALSE);
2296 }
2297 
2298 mac_protect_t *
2299 mac_protect_get(mac_handle_t mh)
2300 {
2301 	mac_impl_t *mip = (mac_impl_t *)mh;
2302 
2303 	return (&mip->mi_resource_props.mrp_protect);
2304 }
2305