1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright 2005 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 /* 27 * Copyright (c) 1990 Mentat Inc. 28 */ 29 30 #pragma ident "%Z%%M% %I% %E% SMI" 31 32 #include <sys/types.h> 33 #include <sys/stream.h> 34 #include <sys/dlpi.h> 35 #include <sys/stropts.h> 36 #include <sys/sysmacros.h> 37 #include <sys/strsun.h> 38 #include <sys/strlog.h> 39 #include <sys/strsubr.h> 40 #define _SUN_TPI_VERSION 2 41 #include <sys/tihdr.h> 42 #include <sys/tiuser.h> 43 #include <sys/ddi.h> 44 #include <sys/sunddi.h> 45 #include <sys/cmn_err.h> 46 #include <sys/debug.h> 47 #include <sys/kobj.h> 48 #include <sys/zone.h> 49 50 #include <sys/kmem.h> 51 #include <sys/systm.h> 52 #include <sys/param.h> 53 #include <sys/socket.h> 54 #include <sys/vtrace.h> 55 #include <sys/isa_defs.h> 56 #include <sys/atomic.h> 57 #include <sys/iphada.h> 58 #include <sys/policy.h> 59 #include <net/if.h> 60 #include <net/if_arp.h> 61 #include <net/if_types.h> 62 #include <net/route.h> 63 #include <net/if_dl.h> 64 #include <sys/sockio.h> 65 #include <netinet/in.h> 66 #include <netinet/ip6.h> 67 #include <netinet/icmp6.h> 68 #include <netinet/sctp.h> 69 70 #include <inet/common.h> 71 #include <inet/mi.h> 72 #include <inet/mib2.h> 73 #include <inet/nd.h> 74 #include <inet/arp.h> 75 #include <inet/snmpcom.h> 76 77 #include <inet/ip.h> 78 #include <inet/ip_impl.h> 79 #include <inet/ip6.h> 80 #include <inet/ip6_asp.h> 81 #include <inet/tcp.h> 82 #include <inet/tcp_impl.h> 83 #include <inet/udp_impl.h> 84 #include <inet/ipp_common.h> 85 86 #include <inet/ip_multi.h> 87 #include <inet/ip_if.h> 88 #include <inet/ip_ire.h> 89 #include <inet/ip_rts.h> 90 #include <inet/optcom.h> 91 #include <inet/ip_ndp.h> 92 #include <net/pfkeyv2.h> 93 #include <inet/ipsec_info.h> 94 #include <inet/sadb.h> 95 #include <inet/ipsec_impl.h> 96 #include <inet/tun.h> 97 #include <inet/sctp_ip.h> 98 #include <sys/multidata.h> 99 #include <sys/pattr.h> 100 #include <inet/ipclassifier.h> 101 #include <inet/ipsecah.h> 102 #include <inet/udp_impl.h> 103 #include <sys/squeue.h> 104 105 extern squeue_func_t ip_input_proc; 106 107 /* 108 * IP statistics. 109 */ 110 #define IP6_STAT(x) (ip6_statistics.x.value.ui64++) 111 #define IP6_STAT_UPDATE(x, n) (ip6_statistics.x.value.ui64 += (n)) 112 113 typedef struct ip6_stat { 114 kstat_named_t ip6_udp_fast_path; 115 kstat_named_t ip6_udp_slow_path; 116 kstat_named_t ip6_udp_fannorm; 117 kstat_named_t ip6_udp_fanmb; 118 kstat_named_t ip6_out_sw_cksum; 119 kstat_named_t ip6_in_sw_cksum; 120 kstat_named_t ip6_tcp_in_full_hw_cksum_err; 121 kstat_named_t ip6_tcp_in_part_hw_cksum_err; 122 kstat_named_t ip6_tcp_in_sw_cksum_err; 123 kstat_named_t ip6_tcp_out_sw_cksum_bytes; 124 kstat_named_t ip6_udp_in_full_hw_cksum_err; 125 kstat_named_t ip6_udp_in_part_hw_cksum_err; 126 kstat_named_t ip6_udp_in_sw_cksum_err; 127 kstat_named_t ip6_udp_out_sw_cksum_bytes; 128 kstat_named_t ip6_frag_mdt_pkt_out; 129 kstat_named_t ip6_frag_mdt_discarded; 130 kstat_named_t ip6_frag_mdt_allocfail; 131 kstat_named_t ip6_frag_mdt_addpdescfail; 132 kstat_named_t ip6_frag_mdt_allocd; 133 } ip6_stat_t; 134 135 static ip6_stat_t ip6_statistics = { 136 { "ip6_udp_fast_path", KSTAT_DATA_UINT64 }, 137 { "ip6_udp_slow_path", KSTAT_DATA_UINT64 }, 138 { "ip6_udp_fannorm", KSTAT_DATA_UINT64 }, 139 { "ip6_udp_fanmb", KSTAT_DATA_UINT64 }, 140 { "ip6_out_sw_cksum", KSTAT_DATA_UINT64 }, 141 { "ip6_in_sw_cksum", KSTAT_DATA_UINT64 }, 142 { "ip6_tcp_in_full_hw_cksum_err", KSTAT_DATA_UINT64 }, 143 { "ip6_tcp_in_part_hw_cksum_err", KSTAT_DATA_UINT64 }, 144 { "ip6_tcp_in_sw_cksum_err", KSTAT_DATA_UINT64 }, 145 { "ip6_tcp_out_sw_cksum_bytes", KSTAT_DATA_UINT64 }, 146 { "ip6_udp_in_full_hw_cksum_err", KSTAT_DATA_UINT64 }, 147 { "ip6_udp_in_part_hw_cksum_err", KSTAT_DATA_UINT64 }, 148 { "ip6_udp_in_sw_cksum_err", KSTAT_DATA_UINT64 }, 149 { "ip6_udp_out_sw_cksum_bytes", KSTAT_DATA_UINT64 }, 150 { "ip6_frag_mdt_pkt_out", KSTAT_DATA_UINT64 }, 151 { "ip6_frag_mdt_discarded", KSTAT_DATA_UINT64 }, 152 { "ip6_frag_mdt_allocfail", KSTAT_DATA_UINT64 }, 153 { "ip6_frag_mdt_addpdescfail", KSTAT_DATA_UINT64 }, 154 { "ip6_frag_mdt_allocd", KSTAT_DATA_UINT64 }, 155 }; 156 157 static kstat_t *ip6_kstat; 158 159 /* 160 * Naming conventions: 161 * These rules should be judiciously applied 162 * if there is a need to identify something as IPv6 versus IPv4 163 * IPv6 funcions will end with _v6 in the ip module. 164 * IPv6 funcions will end with _ipv6 in the transport modules. 165 * IPv6 macros: 166 * Some macros end with _V6; e.g. ILL_FRAG_HASH_V6 167 * Some macros start with V6_; e.g. V6_OR_V4_INADDR_ANY 168 * And then there are ..V4_PART_OF_V6. 169 * The intent is that macros in the ip module end with _V6. 170 * IPv6 global variables will start with ipv6_ 171 * IPv6 structures will start with ipv6 172 * IPv6 defined constants should start with IPV6_ 173 * (but then there are NDP_DEFAULT_VERS_PRI_AND_FLOW, etc) 174 */ 175 176 /* 177 * IPv6 mibs when the interface (ill) is not known. 178 * When the ill is known the per-interface mib in the ill is used. 179 */ 180 mib2_ipv6IfStatsEntry_t ip6_mib; 181 mib2_ipv6IfIcmpEntry_t icmp6_mib; 182 183 uint_t ipv6_ire_default_count; /* Number of IPv6 IRE_DEFAULT entries */ 184 uint_t ipv6_ire_default_index; /* Walking IPv6 index used to mod in */ 185 186 const in6_addr_t ipv6_all_ones = 187 { 0xffffffffU, 0xffffffffU, 0xffffffffU, 0xffffffffU }; 188 const in6_addr_t ipv6_all_zeros = { 0, 0, 0, 0 }; 189 190 #ifdef _BIG_ENDIAN 191 const in6_addr_t ipv6_unspecified_group = { 0xff000000U, 0, 0, 0 }; 192 #else /* _BIG_ENDIAN */ 193 const in6_addr_t ipv6_unspecified_group = { 0x000000ffU, 0, 0, 0 }; 194 #endif /* _BIG_ENDIAN */ 195 196 #ifdef _BIG_ENDIAN 197 const in6_addr_t ipv6_loopback = { 0, 0, 0, 0x00000001U }; 198 #else /* _BIG_ENDIAN */ 199 const in6_addr_t ipv6_loopback = { 0, 0, 0, 0x01000000U }; 200 #endif /* _BIG_ENDIAN */ 201 202 #ifdef _BIG_ENDIAN 203 const in6_addr_t ipv6_all_hosts_mcast = { 0xff020000U, 0, 0, 0x00000001U }; 204 #else /* _BIG_ENDIAN */ 205 const in6_addr_t ipv6_all_hosts_mcast = { 0x000002ffU, 0, 0, 0x01000000U }; 206 #endif /* _BIG_ENDIAN */ 207 208 #ifdef _BIG_ENDIAN 209 const in6_addr_t ipv6_all_rtrs_mcast = { 0xff020000U, 0, 0, 0x00000002U }; 210 #else /* _BIG_ENDIAN */ 211 const in6_addr_t ipv6_all_rtrs_mcast = { 0x000002ffU, 0, 0, 0x02000000U }; 212 #endif /* _BIG_ENDIAN */ 213 214 #ifdef _BIG_ENDIAN 215 const in6_addr_t ipv6_all_v2rtrs_mcast = { 0xff020000U, 0, 0, 0x00000016U }; 216 #else /* _BIG_ENDIAN */ 217 const in6_addr_t ipv6_all_v2rtrs_mcast = { 0x000002ffU, 0, 0, 0x16000000U }; 218 #endif /* _BIG_ENDIAN */ 219 220 #ifdef _BIG_ENDIAN 221 const in6_addr_t ipv6_solicited_node_mcast = 222 { 0xff020000U, 0, 0x00000001U, 0xff000000U }; 223 #else /* _BIG_ENDIAN */ 224 const in6_addr_t ipv6_solicited_node_mcast = 225 { 0x000002ffU, 0, 0x01000000U, 0x000000ffU }; 226 #endif /* _BIG_ENDIAN */ 227 228 /* 229 * Used by icmp_send_redirect_v6 for picking random src. 230 */ 231 uint_t icmp_redirect_v6_src_index; 232 233 /* Leave room for ip_newroute to tack on the src and target addresses */ 234 #define OK_RESOLVER_MP_V6(mp) \ 235 ((mp) && ((mp)->b_wptr - (mp)->b_rptr) >= (2 * IPV6_ADDR_LEN)) 236 237 static void icmp_inbound_too_big_v6(queue_t *, mblk_t *, ill_t *ill, 238 boolean_t, zoneid_t); 239 static void icmp_pkt_v6(queue_t *, mblk_t *, void *, size_t, 240 const in6_addr_t *, boolean_t); 241 static void icmp_redirect_v6(queue_t *, mblk_t *, ill_t *ill); 242 static boolean_t icmp_redirect_ok_v6(ill_t *ill, mblk_t *mp); 243 static int ip_bind_connected_v6(conn_t *, mblk_t *, in6_addr_t *, 244 uint16_t, const in6_addr_t *, ip6_pkt_t *, uint16_t, 245 boolean_t, boolean_t, boolean_t, boolean_t); 246 static boolean_t ip_bind_insert_ire_v6(mblk_t *, ire_t *, const in6_addr_t *, 247 iulp_t *); 248 static int ip_bind_laddr_v6(conn_t *, mblk_t *, const in6_addr_t *, 249 uint16_t, boolean_t, boolean_t, boolean_t); 250 static void ip_fanout_proto_v6(queue_t *, mblk_t *, ip6_t *, ill_t *, 251 ill_t *, uint8_t, uint_t, uint_t, boolean_t, zoneid_t); 252 static void ip_fanout_tcp_v6(queue_t *, mblk_t *, ip6_t *, ill_t *, 253 ill_t *, uint_t, uint_t, boolean_t, zoneid_t); 254 static void ip_fanout_udp_v6(queue_t *, mblk_t *, ip6_t *, uint32_t, 255 ill_t *, ill_t *, uint_t, boolean_t, zoneid_t); 256 static int ip_process_options_v6(queue_t *, mblk_t *, ip6_t *, 257 uint8_t *, uint_t, uint8_t); 258 static mblk_t *ip_rput_frag_v6(queue_t *, mblk_t *, ip6_t *, 259 ip6_frag_t *, uint_t, uint_t *, uint32_t *, uint16_t *); 260 static boolean_t ip_source_routed_v6(ip6_t *, mblk_t *); 261 static void ip_wput_ire_v6(queue_t *, mblk_t *, ire_t *, int, int, 262 conn_t *, int, int, int); 263 static boolean_t ip_ulp_cando_pkt2big(int); 264 265 static void ip_rput_v6(queue_t *, mblk_t *); 266 static void ip_wput_v6(queue_t *, mblk_t *); 267 268 /* 269 * A template for an IPv6 AR_ENTRY_QUERY 270 */ 271 static areq_t ipv6_areq_template = { 272 AR_ENTRY_QUERY, /* cmd */ 273 sizeof (areq_t)+(2*IPV6_ADDR_LEN), /* name offset */ 274 sizeof (areq_t), /* name len (filled by ill_arp_alloc) */ 275 IP6_DL_SAP, /* protocol, from arps perspective */ 276 sizeof (areq_t), /* target addr offset */ 277 IPV6_ADDR_LEN, /* target addr_length */ 278 0, /* flags */ 279 sizeof (areq_t) + IPV6_ADDR_LEN, /* sender addr offset */ 280 IPV6_ADDR_LEN, /* sender addr length */ 281 6, /* xmit_count */ 282 1000, /* (re)xmit_interval in milliseconds */ 283 4 /* max # of requests to buffer */ 284 /* anything else filled in by the code */ 285 }; 286 287 struct qinit rinit_ipv6 = { 288 (pfi_t)ip_rput_v6, 289 NULL, 290 ip_open, 291 ip_close, 292 NULL, 293 &ip_mod_info 294 }; 295 296 struct qinit winit_ipv6 = { 297 (pfi_t)ip_wput_v6, 298 (pfi_t)ip_wsrv, 299 ip_open, 300 ip_close, 301 NULL, 302 &ip_mod_info 303 }; 304 305 /* 306 * Handle IPv6 ICMP packets sent to us. Consume the mblk passed in. 307 * The message has already been checksummed and if needed, 308 * a copy has been made to be sent any interested ICMP client (conn) 309 * Note that this is different than icmp_inbound() which does the fanout 310 * to conn's as well as local processing of the ICMP packets. 311 * 312 * All error messages are passed to the matching transport stream. 313 * 314 * Zones notes: 315 * The packet is only processed in the context of the specified zone: typically 316 * only this zone will reply to an echo request. This means that the caller must 317 * call icmp_inbound_v6() for each relevant zone. 318 */ 319 static void 320 icmp_inbound_v6(queue_t *q, mblk_t *mp, ill_t *ill, uint_t hdr_length, 321 boolean_t mctl_present, uint_t flags, zoneid_t zoneid) 322 { 323 icmp6_t *icmp6; 324 ip6_t *ip6h; 325 boolean_t interested; 326 ip6i_t *ip6i; 327 in6_addr_t origsrc; 328 ire_t *ire; 329 mblk_t *first_mp; 330 ipsec_in_t *ii; 331 332 ASSERT(ill != NULL); 333 first_mp = mp; 334 if (mctl_present) { 335 mp = first_mp->b_cont; 336 ASSERT(mp != NULL); 337 338 ii = (ipsec_in_t *)first_mp->b_rptr; 339 ASSERT(ii->ipsec_in_type == IPSEC_IN); 340 } 341 342 ip6h = (ip6_t *)mp->b_rptr; 343 344 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInMsgs); 345 346 if ((mp->b_wptr - mp->b_rptr) < (hdr_length + ICMP6_MINLEN)) { 347 if (!pullupmsg(mp, hdr_length + ICMP6_MINLEN)) { 348 ip1dbg(("icmp_inbound_v6: pullupmsg failed\n")); 349 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInErrors); 350 freemsg(first_mp); 351 return; 352 } 353 ip6h = (ip6_t *)mp->b_rptr; 354 } 355 if (icmp_accept_clear_messages == 0) { 356 first_mp = ipsec_check_global_policy(first_mp, NULL, 357 NULL, ip6h, mctl_present); 358 if (first_mp == NULL) 359 return; 360 } 361 362 icmp6 = (icmp6_t *)(&mp->b_rptr[hdr_length]); 363 ip2dbg(("icmp_inbound_v6: type %d code %d\n", icmp6->icmp6_type, 364 icmp6->icmp6_code)); 365 interested = !(icmp6->icmp6_type & ICMP6_INFOMSG_MASK); 366 367 /* Initiate IPPF processing here */ 368 if (IP6_IN_IPP(flags)) { 369 370 /* 371 * If the ifindex changes due to SIOCSLIFINDEX 372 * packet may return to IP on the wrong ill. 373 */ 374 ip_process(IPP_LOCAL_IN, &mp, ill->ill_phyint->phyint_ifindex); 375 if (mp == NULL) { 376 if (mctl_present) { 377 freeb(first_mp); 378 } 379 return; 380 } 381 } 382 383 switch (icmp6->icmp6_type) { 384 case ICMP6_DST_UNREACH: 385 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInDestUnreachs); 386 if (icmp6->icmp6_code == ICMP6_DST_UNREACH_ADMIN) 387 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInAdminProhibs); 388 break; 389 390 case ICMP6_TIME_EXCEEDED: 391 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInTimeExcds); 392 break; 393 394 case ICMP6_PARAM_PROB: 395 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInParmProblems); 396 break; 397 398 case ICMP6_PACKET_TOO_BIG: 399 icmp_inbound_too_big_v6(q, first_mp, ill, mctl_present, 400 zoneid); 401 return; 402 case ICMP6_ECHO_REQUEST: 403 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInEchos); 404 if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst) && 405 !ipv6_resp_echo_mcast) 406 break; 407 408 /* 409 * We must have exclusive use of the mblk to convert it to 410 * a response. 411 * If not, we copy it. 412 */ 413 if (mp->b_datap->db_ref > 1) { 414 mblk_t *mp1; 415 416 mp1 = copymsg(mp); 417 freemsg(mp); 418 if (mp1 == NULL) { 419 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 420 if (mctl_present) 421 freeb(first_mp); 422 return; 423 } 424 mp = mp1; 425 ip6h = (ip6_t *)mp->b_rptr; 426 icmp6 = (icmp6_t *)(&mp->b_rptr[hdr_length]); 427 if (mctl_present) 428 first_mp->b_cont = mp; 429 else 430 first_mp = mp; 431 } 432 433 /* 434 * Turn the echo into an echo reply. 435 * Remove any extension headers (do not reverse a source route) 436 * and clear the flow id (keep traffic class for now). 437 */ 438 if (hdr_length != IPV6_HDR_LEN) { 439 int i; 440 441 for (i = 0; i < IPV6_HDR_LEN; i++) 442 mp->b_rptr[hdr_length - i - 1] = 443 mp->b_rptr[IPV6_HDR_LEN - i - 1]; 444 mp->b_rptr += (hdr_length - IPV6_HDR_LEN); 445 ip6h = (ip6_t *)mp->b_rptr; 446 ip6h->ip6_nxt = IPPROTO_ICMPV6; 447 hdr_length = IPV6_HDR_LEN; 448 } 449 ip6h->ip6_vcf &= ~IPV6_FLOWINFO_FLOWLABEL; 450 icmp6->icmp6_type = ICMP6_ECHO_REPLY; 451 452 ip6h->ip6_plen = 453 htons((uint16_t)(msgdsize(mp) - IPV6_HDR_LEN)); 454 origsrc = ip6h->ip6_src; 455 /* 456 * Reverse the source and destination addresses. 457 * If the return address is a multicast, zero out the source 458 * (ip_wput_v6 will set an address). 459 */ 460 if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst)) { 461 ip6h->ip6_src = ipv6_all_zeros; 462 ip6h->ip6_dst = origsrc; 463 } else { 464 ip6h->ip6_src = ip6h->ip6_dst; 465 ip6h->ip6_dst = origsrc; 466 } 467 468 /* set the hop limit */ 469 ip6h->ip6_hops = ipv6_def_hops; 470 471 /* 472 * Prepare for checksum by putting icmp length in the icmp 473 * checksum field. The checksum is calculated in ip_wput_v6. 474 */ 475 icmp6->icmp6_cksum = ip6h->ip6_plen; 476 /* 477 * ICMP echo replies should go out on the same interface 478 * the request came on as probes used by in.mpathd for 479 * detecting NIC failures are ECHO packets. We turn-off load 480 * spreading by allocating a ip6i and setting ip6i_attach_if 481 * to B_TRUE which is handled both by ip_wput_v6 and 482 * ip_newroute_v6. If we don't turnoff load spreading, 483 * the packets might get dropped if there are no 484 * non-FAILED/INACTIVE interfaces for it to go out on and 485 * in.mpathd would wrongly detect a failure or mis-detect 486 * a NIC failure as a link failure. As load spreading can 487 * happen only if ill_group is not NULL, we do only for 488 * that case and this does not affect the normal case. 489 * 490 * We force this only on echo packets that came from on-link 491 * hosts. We restrict this to link-local addresses which 492 * is used by in.mpathd for probing. In the IPv6 case, 493 * default routes typically have an ire_ipif pointer and 494 * hence a MATCH_IRE_ILL later in ip_newroute_v6/ip_wput_v6 495 * might work. As a default route out of this interface 496 * may not be present, enforcing this packet to go out in 497 * this case may not work. 498 */ 499 if (ill->ill_group != NULL && 500 IN6_IS_ADDR_LINKLOCAL(&origsrc)) { 501 /* 502 * If we are sending replies to ourselves, don't 503 * set ATTACH_IF as we may not be able to find 504 * the IRE_LOCAL on this ill i.e setting ATTACH_IF 505 * causes ip_wput_v6 to look for an IRE_LOCAL on 506 * "ill" which it may not find and will try to 507 * create an IRE_CACHE for our local address. Once 508 * we do this, we will try to forward all packets 509 * meant to our LOCAL address. 510 */ 511 ire = ire_cache_lookup_v6(&ip6h->ip6_dst, ALL_ZONES); 512 if (ire == NULL || ire->ire_type != IRE_LOCAL) { 513 mp = ip_add_info_v6(mp, NULL, &ip6h->ip6_dst); 514 if (mp == NULL) { 515 BUMP_MIB(ill->ill_icmp6_mib, 516 ipv6IfIcmpInErrors); 517 if (ire != NULL) 518 ire_refrele(ire); 519 if (mctl_present) 520 freeb(first_mp); 521 return; 522 } else if (mctl_present) { 523 first_mp->b_cont = mp; 524 } else { 525 first_mp = mp; 526 } 527 ip6i = (ip6i_t *)mp->b_rptr; 528 ip6i->ip6i_flags = IP6I_ATTACH_IF; 529 ip6i->ip6i_ifindex = 530 ill->ill_phyint->phyint_ifindex; 531 } 532 if (ire != NULL) 533 ire_refrele(ire); 534 } 535 536 if (!mctl_present) { 537 /* 538 * This packet should go out the same way as it 539 * came in i.e in clear. To make sure that global 540 * policy will not be applied to this in ip_wput, 541 * we attach a IPSEC_IN mp and clear ipsec_in_secure. 542 */ 543 ASSERT(first_mp == mp); 544 if ((first_mp = ipsec_in_alloc(B_FALSE)) == NULL) { 545 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 546 freemsg(mp); 547 return; 548 } 549 ii = (ipsec_in_t *)first_mp->b_rptr; 550 551 /* This is not a secure packet */ 552 ii->ipsec_in_secure = B_FALSE; 553 first_mp->b_cont = mp; 554 } 555 ii->ipsec_in_zoneid = zoneid; 556 if (!ipsec_in_to_out(first_mp, NULL, ip6h)) { 557 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 558 return; 559 } 560 put(WR(q), first_mp); 561 return; 562 563 case ICMP6_ECHO_REPLY: 564 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInEchoReplies); 565 break; 566 567 case ND_ROUTER_SOLICIT: 568 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInRouterSolicits); 569 break; 570 571 case ND_ROUTER_ADVERT: 572 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInRouterAdvertisements); 573 break; 574 575 case ND_NEIGHBOR_SOLICIT: 576 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInNeighborSolicits); 577 if (mctl_present) 578 freeb(first_mp); 579 /* XXX may wish to pass first_mp up to ndp_input someday. */ 580 ndp_input(ill, mp); 581 return; 582 583 case ND_NEIGHBOR_ADVERT: 584 BUMP_MIB(ill->ill_icmp6_mib, 585 ipv6IfIcmpInNeighborAdvertisements); 586 if (mctl_present) 587 freeb(first_mp); 588 /* XXX may wish to pass first_mp up to ndp_input someday. */ 589 ndp_input(ill, mp); 590 return; 591 592 case ND_REDIRECT: { 593 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInRedirects); 594 595 if (ipv6_ignore_redirect) 596 break; 597 598 /* 599 * As there is no upper client to deliver, we don't 600 * need the first_mp any more. 601 */ 602 if (mctl_present) 603 freeb(first_mp); 604 if (!pullupmsg(mp, -1) || 605 !icmp_redirect_ok_v6(ill, mp)) { 606 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInBadRedirects); 607 break; 608 } 609 icmp_redirect_v6(q, mp, ill); 610 return; 611 } 612 613 /* 614 * The next three icmp messages will be handled by MLD. 615 * Pass all valid MLD packets up to any process(es) 616 * listening on a raw ICMP socket. MLD messages are 617 * freed by mld_input function. 618 */ 619 case MLD_LISTENER_QUERY: 620 case MLD_LISTENER_REPORT: 621 case MLD_LISTENER_REDUCTION: 622 if (mctl_present) 623 freeb(first_mp); 624 mld_input(q, mp, ill); 625 return; 626 default: 627 break; 628 } 629 if (interested) { 630 icmp_inbound_error_fanout_v6(q, first_mp, ip6h, icmp6, ill, 631 mctl_present, zoneid); 632 } else { 633 freemsg(first_mp); 634 } 635 } 636 637 /* 638 * Process received IPv6 ICMP Packet too big. 639 * After updating any IRE it does the fanout to any matching transport streams. 640 * Assumes the IPv6 plus ICMPv6 headers have been pulled up but nothing else. 641 */ 642 /* ARGSUSED */ 643 static void 644 icmp_inbound_too_big_v6(queue_t *q, mblk_t *mp, ill_t *ill, 645 boolean_t mctl_present, zoneid_t zoneid) 646 { 647 ip6_t *ip6h; 648 ip6_t *inner_ip6h; 649 icmp6_t *icmp6; 650 uint16_t hdr_length; 651 uint32_t mtu; 652 ire_t *ire, *first_ire; 653 mblk_t *first_mp; 654 655 first_mp = mp; 656 if (mctl_present) 657 mp = first_mp->b_cont; 658 /* 659 * We must have exclusive use of the mblk to update the MTU 660 * in the packet. 661 * If not, we copy it. 662 * 663 * If there's an M_CTL present, we know that allocated first_mp 664 * earlier in this function, so we know first_mp has refcnt of one. 665 */ 666 ASSERT(!mctl_present || first_mp->b_datap->db_ref == 1); 667 if (mp->b_datap->db_ref > 1) { 668 mblk_t *mp1; 669 670 mp1 = copymsg(mp); 671 freemsg(mp); 672 if (mp1 == NULL) { 673 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 674 if (mctl_present) 675 freeb(first_mp); 676 return; 677 } 678 mp = mp1; 679 if (mctl_present) 680 first_mp->b_cont = mp; 681 else 682 first_mp = mp; 683 } 684 ip6h = (ip6_t *)mp->b_rptr; 685 if (ip6h->ip6_nxt != IPPROTO_ICMPV6) 686 hdr_length = ip_hdr_length_v6(mp, ip6h); 687 else 688 hdr_length = IPV6_HDR_LEN; 689 690 icmp6 = (icmp6_t *)(&mp->b_rptr[hdr_length]); 691 ASSERT((size_t)(mp->b_wptr - mp->b_rptr) >= hdr_length + ICMP6_MINLEN); 692 inner_ip6h = (ip6_t *)&icmp6[1]; /* Packet in error */ 693 if ((uchar_t *)&inner_ip6h[1] > mp->b_wptr) { 694 if (!pullupmsg(mp, (uchar_t *)&inner_ip6h[1] - mp->b_rptr)) { 695 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 696 freemsg(first_mp); 697 return; 698 } 699 ip6h = (ip6_t *)mp->b_rptr; 700 icmp6 = (icmp6_t *)&mp->b_rptr[hdr_length]; 701 inner_ip6h = (ip6_t *)&icmp6[1]; 702 } 703 704 /* 705 * For link local destinations matching simply on IRE type is not 706 * sufficient. Same link local addresses for different ILL's is 707 * possible. 708 */ 709 710 if (IN6_IS_ADDR_LINKLOCAL(&inner_ip6h->ip6_dst)) { 711 first_ire = ire_ctable_lookup_v6(&inner_ip6h->ip6_dst, NULL, 712 IRE_CACHE, ill->ill_ipif, ALL_ZONES, 713 MATCH_IRE_TYPE | MATCH_IRE_ILL_GROUP); 714 715 if (first_ire == NULL) { 716 if (ip_debug > 2) { 717 /* ip1dbg */ 718 pr_addr_dbg("icmp_inbound_too_big_v6:" 719 "no ire for dst %s\n", AF_INET6, 720 &inner_ip6h->ip6_dst); 721 } 722 freemsg(first_mp); 723 return; 724 } 725 726 mtu = ntohl(icmp6->icmp6_mtu); 727 rw_enter(&first_ire->ire_bucket->irb_lock, RW_READER); 728 for (ire = first_ire; ire != NULL && 729 IN6_ARE_ADDR_EQUAL(&ire->ire_addr_v6, &inner_ip6h->ip6_dst); 730 ire = ire->ire_next) { 731 mutex_enter(&ire->ire_lock); 732 if (mtu < IPV6_MIN_MTU) { 733 ip1dbg(("Received mtu less than IPv6 " 734 "min mtu %d: %d\n", IPV6_MIN_MTU, mtu)); 735 mtu = IPV6_MIN_MTU; 736 /* 737 * If an mtu less than IPv6 min mtu is received, 738 * we must include a fragment header in 739 * subsequent packets. 740 */ 741 ire->ire_frag_flag |= IPH_FRAG_HDR; 742 } 743 ip1dbg(("Received mtu from router: %d\n", mtu)); 744 ire->ire_max_frag = MIN(ire->ire_max_frag, mtu); 745 /* Record the new max frag size for the ULP. */ 746 if (ire->ire_frag_flag & IPH_FRAG_HDR) { 747 /* 748 * If we need a fragment header in every packet 749 * (above case or multirouting), make sure the 750 * ULP takes it into account when computing the 751 * payload size. 752 */ 753 icmp6->icmp6_mtu = htonl(ire->ire_max_frag - 754 sizeof (ip6_frag_t)); 755 } else { 756 icmp6->icmp6_mtu = htonl(ire->ire_max_frag); 757 } 758 mutex_exit(&ire->ire_lock); 759 } 760 rw_exit(&first_ire->ire_bucket->irb_lock); 761 ire_refrele(first_ire); 762 } else { 763 irb_t *irb = NULL; 764 /* 765 * for non-link local destinations we match only on the IRE type 766 */ 767 ire = ire_ctable_lookup_v6(&inner_ip6h->ip6_dst, NULL, 768 IRE_CACHE, ill->ill_ipif, ALL_ZONES, MATCH_IRE_TYPE); 769 if (ire == NULL) { 770 if (ip_debug > 2) { 771 /* ip1dbg */ 772 pr_addr_dbg("icmp_inbound_too_big_v6:" 773 "no ire for dst %s\n", 774 AF_INET6, &inner_ip6h->ip6_dst); 775 } 776 freemsg(first_mp); 777 return; 778 } 779 irb = ire->ire_bucket; 780 ire_refrele(ire); 781 rw_enter(&irb->irb_lock, RW_READER); 782 for (ire = irb->irb_ire; ire != NULL; ire = ire->ire_next) { 783 if (IN6_ARE_ADDR_EQUAL(&ire->ire_addr_v6, 784 &inner_ip6h->ip6_dst)) { 785 mtu = ntohl(icmp6->icmp6_mtu); 786 mutex_enter(&ire->ire_lock); 787 if (mtu < IPV6_MIN_MTU) { 788 ip1dbg(("Received mtu less than IPv6" 789 "min mtu %d: %d\n", 790 IPV6_MIN_MTU, mtu)); 791 mtu = IPV6_MIN_MTU; 792 /* 793 * If an mtu less than IPv6 min mtu is 794 * received, we must include a fragment 795 * header in subsequent packets. 796 */ 797 ire->ire_frag_flag |= IPH_FRAG_HDR; 798 } 799 800 ip1dbg(("Received mtu from router: %d\n", mtu)); 801 ire->ire_max_frag = MIN(ire->ire_max_frag, mtu); 802 /* Record the new max frag size for the ULP. */ 803 if (ire->ire_frag_flag & IPH_FRAG_HDR) { 804 /* 805 * If we need a fragment header in 806 * every packet (above case or 807 * multirouting), make sure the ULP 808 * takes it into account when computing 809 * the payload size. 810 */ 811 icmp6->icmp6_mtu = 812 htonl(ire->ire_max_frag - 813 sizeof (ip6_frag_t)); 814 } else { 815 icmp6->icmp6_mtu = 816 htonl(ire->ire_max_frag); 817 } 818 mutex_exit(&ire->ire_lock); 819 } 820 } 821 rw_exit(&irb->irb_lock); 822 } 823 icmp_inbound_error_fanout_v6(q, first_mp, ip6h, icmp6, ill, 824 mctl_present, zoneid); 825 } 826 827 static void 828 pkt_too_big(conn_t *connp, void *arg) 829 { 830 mblk_t *mp; 831 832 if (!connp->conn_ipv6_recvpathmtu) 833 return; 834 835 /* create message and drop it on this connections read queue */ 836 if ((mp = dupb((mblk_t *)arg)) == NULL) { 837 return; 838 } 839 mp->b_datap->db_type = M_CTL; 840 841 putnext(connp->conn_rq, mp); 842 } 843 844 /* 845 * Fanout received ICMPv6 error packets to the transports. 846 * Assumes the IPv6 plus ICMPv6 headers have been pulled up but nothing else. 847 */ 848 void 849 icmp_inbound_error_fanout_v6(queue_t *q, mblk_t *mp, ip6_t *ip6h, 850 icmp6_t *icmp6, ill_t *ill, boolean_t mctl_present, zoneid_t zoneid) 851 { 852 uint16_t *up; /* Pointer to ports in ULP header */ 853 uint32_t ports; /* reversed ports for fanout */ 854 ip6_t rip6h; /* With reversed addresses */ 855 uint16_t hdr_length; 856 uint8_t *nexthdrp; 857 uint8_t nexthdr; 858 mblk_t *first_mp; 859 ipsec_in_t *ii; 860 tcpha_t *tcpha; 861 conn_t *connp; 862 863 first_mp = mp; 864 if (mctl_present) { 865 mp = first_mp->b_cont; 866 ASSERT(mp != NULL); 867 868 ii = (ipsec_in_t *)first_mp->b_rptr; 869 ASSERT(ii->ipsec_in_type == IPSEC_IN); 870 } else { 871 ii = NULL; 872 } 873 874 hdr_length = (uint16_t)((uchar_t *)icmp6 - (uchar_t *)ip6h); 875 ASSERT((size_t)(mp->b_wptr - (uchar_t *)icmp6) >= ICMP6_MINLEN); 876 877 /* 878 * Need to pullup everything in order to use 879 * ip_hdr_length_nexthdr_v6() 880 */ 881 if (mp->b_cont != NULL) { 882 if (!pullupmsg(mp, -1)) { 883 ip1dbg(("icmp_inbound_error_fanout_v6: " 884 "pullupmsg failed\n")); 885 goto drop_pkt; 886 } 887 ip6h = (ip6_t *)mp->b_rptr; 888 icmp6 = (icmp6_t *)(&mp->b_rptr[hdr_length]); 889 } 890 891 ip6h = (ip6_t *)&icmp6[1]; /* Packet in error */ 892 if ((uchar_t *)&ip6h[1] > mp->b_wptr) 893 goto drop_pkt; 894 895 if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &hdr_length, &nexthdrp)) 896 goto drop_pkt; 897 nexthdr = *nexthdrp; 898 899 /* Set message type, must be done after pullups */ 900 mp->b_datap->db_type = M_CTL; 901 902 if (icmp6->icmp6_type == ICMP6_PACKET_TOO_BIG) { 903 /* 904 * Deliver indication of ICMP6_PACKET_TOO_BIG to interested 905 * sockets. 906 * 907 * Note I don't like walking every connection to deliver 908 * this information to a set of listeners. A separate 909 * list could be kept to keep the cost of this down. 910 */ 911 ipcl_walk(pkt_too_big, (void *)mp); 912 } 913 914 /* Try to pass the ICMP message to clients who need it */ 915 switch (nexthdr) { 916 case IPPROTO_UDP: { 917 /* 918 * Verify we have at least ICMP_MIN_TP_HDR_LEN bytes of 919 * UDP header to get the port information. 920 */ 921 if ((uchar_t *)ip6h + hdr_length + ICMP_MIN_TP_HDR_LEN > 922 mp->b_wptr) { 923 break; 924 } 925 /* 926 * Attempt to find a client stream based on port. 927 * Note that we do a reverse lookup since the header is 928 * in the form we sent it out. 929 * The rip6h header is only used for the IPCL_UDP_MATCH_V6 930 * and we only set the src and dst addresses and nexthdr. 931 */ 932 up = (uint16_t *)((uchar_t *)ip6h + hdr_length); 933 rip6h.ip6_src = ip6h->ip6_dst; 934 rip6h.ip6_dst = ip6h->ip6_src; 935 rip6h.ip6_nxt = nexthdr; 936 ((uint16_t *)&ports)[0] = up[1]; 937 ((uint16_t *)&ports)[1] = up[0]; 938 939 ip_fanout_udp_v6(q, first_mp, &rip6h, ports, ill, ill, 940 IP6_NO_IPPOLICY, mctl_present, zoneid); 941 return; 942 } 943 case IPPROTO_TCP: { 944 /* 945 * Verify we have at least ICMP_MIN_TP_HDR_LEN bytes of 946 * the TCP header to get the port information. 947 */ 948 if ((uchar_t *)ip6h + hdr_length + ICMP_MIN_TP_HDR_LEN > 949 mp->b_wptr) { 950 break; 951 } 952 953 /* 954 * Attempt to find a client stream based on port. 955 * Note that we do a reverse lookup since the header is 956 * in the form we sent it out. 957 * The rip6h header is only used for the IP_TCP_*MATCH_V6 and 958 * we only set the src and dst addresses and nexthdr. 959 */ 960 961 tcpha = (tcpha_t *)((char *)ip6h + hdr_length); 962 connp = ipcl_tcp_lookup_reversed_ipv6(ip6h, tcpha, 963 TCPS_LISTEN, ill->ill_phyint->phyint_ifindex); 964 if (connp == NULL) { 965 goto drop_pkt; 966 } 967 968 squeue_fill(connp->conn_sqp, first_mp, tcp_input, 969 connp, SQTAG_TCP6_INPUT_ICMP_ERR); 970 return; 971 972 } 973 case IPPROTO_SCTP: 974 /* 975 * Verify we have at least ICMP_MIN_TP_HDR_LEN bytes of 976 * the SCTP header to get the port information. 977 */ 978 if ((uchar_t *)ip6h + hdr_length + ICMP_MIN_TP_HDR_LEN > 979 mp->b_wptr) { 980 break; 981 } 982 983 up = (uint16_t *)((uchar_t *)ip6h + hdr_length); 984 ((uint16_t *)&ports)[0] = up[1]; 985 ((uint16_t *)&ports)[1] = up[0]; 986 ip_fanout_sctp(mp, ill, (ipha_t *)ip6h, ports, 0, mctl_present, 987 IP6_NO_IPPOLICY, 0, zoneid); 988 return; 989 case IPPROTO_ESP: 990 case IPPROTO_AH: { 991 int ipsec_rc; 992 993 /* 994 * We need a IPSEC_IN in the front to fanout to AH/ESP. 995 * We will re-use the IPSEC_IN if it is already present as 996 * AH/ESP will not affect any fields in the IPSEC_IN for 997 * ICMP errors. If there is no IPSEC_IN, allocate a new 998 * one and attach it in the front. 999 */ 1000 if (ii != NULL) { 1001 /* 1002 * ip_fanout_proto_again converts the ICMP errors 1003 * that come back from AH/ESP to M_DATA so that 1004 * if it is non-AH/ESP and we do a pullupmsg in 1005 * this function, it would work. Convert it back 1006 * to M_CTL before we send up as this is a ICMP 1007 * error. This could have been generated locally or 1008 * by some router. Validate the inner IPSEC 1009 * headers. 1010 * 1011 * NOTE : ill_index is used by ip_fanout_proto_again 1012 * to locate the ill. 1013 */ 1014 ASSERT(ill != NULL); 1015 ii->ipsec_in_ill_index = 1016 ill->ill_phyint->phyint_ifindex; 1017 ii->ipsec_in_rill_index = ii->ipsec_in_ill_index; 1018 first_mp->b_cont->b_datap->db_type = M_CTL; 1019 } else { 1020 /* 1021 * IPSEC_IN is not present. We attach a ipsec_in 1022 * message and send up to IPSEC for validating 1023 * and removing the IPSEC headers. Clear 1024 * ipsec_in_secure so that when we return 1025 * from IPSEC, we don't mistakenly think that this 1026 * is a secure packet came from the network. 1027 * 1028 * NOTE : ill_index is used by ip_fanout_proto_again 1029 * to locate the ill. 1030 */ 1031 ASSERT(first_mp == mp); 1032 first_mp = ipsec_in_alloc(B_FALSE); 1033 if (first_mp == NULL) { 1034 freemsg(mp); 1035 BUMP_MIB(&ip_mib, ipInDiscards); 1036 return; 1037 } 1038 ii = (ipsec_in_t *)first_mp->b_rptr; 1039 1040 /* This is not a secure packet */ 1041 ii->ipsec_in_secure = B_FALSE; 1042 first_mp->b_cont = mp; 1043 mp->b_datap->db_type = M_CTL; 1044 ASSERT(ill != NULL); 1045 ii->ipsec_in_ill_index = 1046 ill->ill_phyint->phyint_ifindex; 1047 ii->ipsec_in_rill_index = ii->ipsec_in_ill_index; 1048 } 1049 1050 if (!ipsec_loaded()) { 1051 ip_proto_not_sup(q, first_mp, 0, zoneid); 1052 return; 1053 } 1054 1055 if (nexthdr == IPPROTO_ESP) 1056 ipsec_rc = ipsecesp_icmp_error(first_mp); 1057 else 1058 ipsec_rc = ipsecah_icmp_error(first_mp); 1059 if (ipsec_rc == IPSEC_STATUS_FAILED) 1060 return; 1061 1062 ip_fanout_proto_again(first_mp, ill, ill, NULL); 1063 return; 1064 } 1065 case IPPROTO_ENCAP: 1066 case IPPROTO_IPV6: 1067 if ((uint8_t *)ip6h + hdr_length + 1068 (nexthdr == IPPROTO_ENCAP ? sizeof (ipha_t) : 1069 sizeof (ip6_t)) > mp->b_wptr) 1070 goto drop_pkt; 1071 1072 if (nexthdr == IPPROTO_ENCAP || 1073 !IN6_ARE_ADDR_EQUAL( 1074 &((ip6_t *)(((uint8_t *)ip6h) + hdr_length))->ip6_src, 1075 &ip6h->ip6_src) || 1076 !IN6_ARE_ADDR_EQUAL( 1077 &((ip6_t *)(((uint8_t *)ip6h) + hdr_length))->ip6_dst, 1078 &ip6h->ip6_dst)) { 1079 /* 1080 * For tunnels that have used IPsec protection, 1081 * we need to adjust the MTU to take into account 1082 * the IPsec overhead. 1083 */ 1084 if (ii != NULL) 1085 icmp6->icmp6_mtu = htons( 1086 ntohs(icmp6->icmp6_mtu) - 1087 ipsec_in_extra_length(first_mp)); 1088 } else { 1089 /* 1090 * Self-encapsulated case. As in the ipv4 case, 1091 * we need to strip the 2nd IP header. Since mp 1092 * is already pulled-up, we can simply bcopy 1093 * the 3rd header + data over the 2nd header. 1094 */ 1095 uint16_t unused_len; 1096 ip6_t *inner_ip6h = (ip6_t *) 1097 ((uchar_t *)ip6h + hdr_length); 1098 1099 /* 1100 * Make sure we don't do recursion more than once. 1101 */ 1102 if (!ip_hdr_length_nexthdr_v6(mp, inner_ip6h, 1103 &unused_len, &nexthdrp) || 1104 *nexthdrp == IPPROTO_IPV6) { 1105 goto drop_pkt; 1106 } 1107 1108 /* 1109 * We are about to modify the packet. Make a copy if 1110 * someone else has a reference to it. 1111 */ 1112 if (DB_REF(mp) > 1) { 1113 mblk_t *mp1; 1114 uint16_t icmp6_offset; 1115 1116 mp1 = copymsg(mp); 1117 if (mp1 == NULL) { 1118 goto drop_pkt; 1119 } 1120 icmp6_offset = (uint16_t) 1121 ((uchar_t *)icmp6 - mp->b_rptr); 1122 freemsg(mp); 1123 mp = mp1; 1124 1125 icmp6 = (icmp6_t *)(mp->b_rptr + icmp6_offset); 1126 ip6h = (ip6_t *)&icmp6[1]; 1127 inner_ip6h = (ip6_t *) 1128 ((uchar_t *)ip6h + hdr_length); 1129 1130 if (mctl_present) 1131 first_mp->b_cont = mp; 1132 else 1133 first_mp = mp; 1134 } 1135 1136 /* 1137 * Need to set db_type back to M_DATA before 1138 * refeeding mp into this function. 1139 */ 1140 DB_TYPE(mp) = M_DATA; 1141 1142 /* 1143 * Copy the 3rd header + remaining data on top 1144 * of the 2nd header. 1145 */ 1146 bcopy(inner_ip6h, ip6h, 1147 mp->b_wptr - (uchar_t *)inner_ip6h); 1148 1149 /* 1150 * Subtract length of the 2nd header. 1151 */ 1152 mp->b_wptr -= hdr_length; 1153 1154 /* 1155 * Now recurse, and see what I _really_ should be 1156 * doing here. 1157 */ 1158 icmp_inbound_error_fanout_v6(q, first_mp, 1159 (ip6_t *)mp->b_rptr, icmp6, ill, mctl_present, 1160 zoneid); 1161 return; 1162 } 1163 /* FALLTHRU */ 1164 default: 1165 /* 1166 * The rip6h header is only used for the lookup and we 1167 * only set the src and dst addresses and nexthdr. 1168 */ 1169 rip6h.ip6_src = ip6h->ip6_dst; 1170 rip6h.ip6_dst = ip6h->ip6_src; 1171 rip6h.ip6_nxt = nexthdr; 1172 ip_fanout_proto_v6(q, first_mp, &rip6h, ill, ill, nexthdr, 0, 1173 IP6_NO_IPPOLICY, mctl_present, zoneid); 1174 return; 1175 } 1176 /* NOTREACHED */ 1177 drop_pkt: 1178 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInErrors); 1179 ip1dbg(("icmp_inbound_error_fanout_v6: drop pkt\n")); 1180 freemsg(first_mp); 1181 } 1182 1183 /* 1184 * Validate the incoming redirect message, if valid redirect 1185 * processing is done later. This is separated from the actual 1186 * redirect processing to avoid becoming single threaded when not 1187 * necessary. (i.e invalid packet) 1188 * Assumes that any AH or ESP headers have already been removed. 1189 * The mp has already been pulled up. 1190 */ 1191 boolean_t 1192 icmp_redirect_ok_v6(ill_t *ill, mblk_t *mp) 1193 { 1194 ip6_t *ip6h = (ip6_t *)mp->b_rptr; 1195 nd_redirect_t *rd; 1196 ire_t *ire; 1197 uint16_t len; 1198 uint16_t hdr_length; 1199 1200 ASSERT(mp->b_cont == NULL); 1201 if (ip6h->ip6_nxt != IPPROTO_ICMPV6) 1202 hdr_length = ip_hdr_length_v6(mp, ip6h); 1203 else 1204 hdr_length = IPV6_HDR_LEN; 1205 rd = (nd_redirect_t *)&mp->b_rptr[hdr_length]; 1206 len = mp->b_wptr - mp->b_rptr - hdr_length; 1207 if (!IN6_IS_ADDR_LINKLOCAL(&ip6h->ip6_src) || 1208 (ip6h->ip6_hops != IPV6_MAX_HOPS) || 1209 (rd->nd_rd_code != 0) || 1210 (len < sizeof (nd_redirect_t)) || 1211 (IN6_IS_ADDR_V4MAPPED(&rd->nd_rd_dst)) || 1212 (IN6_IS_ADDR_MULTICAST(&rd->nd_rd_dst))) { 1213 return (B_FALSE); 1214 } 1215 if (!(IN6_IS_ADDR_LINKLOCAL(&rd->nd_rd_target) || 1216 IN6_ARE_ADDR_EQUAL(&rd->nd_rd_target, &rd->nd_rd_dst))) { 1217 return (B_FALSE); 1218 } 1219 1220 /* 1221 * Verify that the IP source address of the redirect is 1222 * the same as the current first-hop router for the specified 1223 * ICMP destination address. Just to be cautious, this test 1224 * will be done again before we add the redirect, in case 1225 * router goes away between now and then. 1226 */ 1227 ire = ire_route_lookup_v6(&rd->nd_rd_dst, 0, 1228 &ip6h->ip6_src, 0, ill->ill_ipif, NULL, ALL_ZONES, 1229 MATCH_IRE_GW | MATCH_IRE_ILL_GROUP); 1230 if (ire == NULL) 1231 return (B_FALSE); 1232 ire_refrele(ire); 1233 if (len > sizeof (nd_redirect_t)) { 1234 if (!ndp_verify_optlen((nd_opt_hdr_t *)&rd[1], 1235 len - sizeof (nd_redirect_t))) 1236 return (B_FALSE); 1237 } 1238 return (B_TRUE); 1239 } 1240 1241 /* 1242 * Process received IPv6 ICMP Redirect messages. 1243 * Assumes that the icmp packet has already been verfied to be 1244 * valid, aligned and in a single mblk all done in icmp_redirect_ok_v6(). 1245 */ 1246 /* ARGSUSED */ 1247 static void 1248 icmp_redirect_v6(queue_t *q, mblk_t *mp, ill_t *ill) 1249 { 1250 ip6_t *ip6h; 1251 uint16_t hdr_length; 1252 nd_redirect_t *rd; 1253 ire_t *ire; 1254 ire_t *prev_ire; 1255 ire_t *redir_ire; 1256 in6_addr_t *src, *dst, *gateway; 1257 nd_opt_hdr_t *opt; 1258 nce_t *nce; 1259 int nce_flags = 0; 1260 int err = 0; 1261 boolean_t redirect_to_router = B_FALSE; 1262 int len; 1263 iulp_t ulp_info = { 0 }; 1264 ill_t *prev_ire_ill; 1265 ipif_t *ipif; 1266 1267 ip6h = (ip6_t *)mp->b_rptr; 1268 if (ip6h->ip6_nxt != IPPROTO_ICMPV6) 1269 hdr_length = ip_hdr_length_v6(mp, ip6h); 1270 else 1271 hdr_length = IPV6_HDR_LEN; 1272 1273 rd = (nd_redirect_t *)&mp->b_rptr[hdr_length]; 1274 src = &ip6h->ip6_src; 1275 dst = &rd->nd_rd_dst; 1276 gateway = &rd->nd_rd_target; 1277 if (!IN6_ARE_ADDR_EQUAL(gateway, dst)) { 1278 redirect_to_router = B_TRUE; 1279 nce_flags |= NCE_F_ISROUTER; 1280 } 1281 /* 1282 * Make sure we had a route for the dest in question and that 1283 * route was pointing to the old gateway (the source of the 1284 * redirect packet.) 1285 */ 1286 ipif = ipif_get_next_ipif(NULL, ill); 1287 if (ipif == NULL) { 1288 freemsg(mp); 1289 return; 1290 } 1291 prev_ire = ire_route_lookup_v6(dst, 0, src, 0, ipif, NULL, 1292 ALL_ZONES, MATCH_IRE_GW | MATCH_IRE_ILL_GROUP); 1293 ipif_refrele(ipif); 1294 /* 1295 * Check that 1296 * the redirect was not from ourselves 1297 * old gateway is still directly reachable 1298 */ 1299 if (prev_ire == NULL || 1300 prev_ire->ire_type == IRE_LOCAL) { 1301 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInBadRedirects); 1302 goto fail_redirect; 1303 } 1304 prev_ire_ill = ire_to_ill(prev_ire); 1305 ASSERT(prev_ire_ill != NULL); 1306 if (prev_ire_ill->ill_flags & ILLF_NONUD) 1307 nce_flags |= NCE_F_NONUD; 1308 1309 /* 1310 * Should we use the old ULP info to create the new gateway? From 1311 * a user's perspective, we should inherit the info so that it 1312 * is a "smooth" transition. If we do not do that, then new 1313 * connections going thru the new gateway will have no route metrics, 1314 * which is counter-intuitive to user. From a network point of 1315 * view, this may or may not make sense even though the new gateway 1316 * is still directly connected to us so the route metrics should not 1317 * change much. 1318 * 1319 * But if the old ire_uinfo is not initialized, we do another 1320 * recursive lookup on the dest using the new gateway. There may 1321 * be a route to that. If so, use it to initialize the redirect 1322 * route. 1323 */ 1324 if (prev_ire->ire_uinfo.iulp_set) { 1325 bcopy(&prev_ire->ire_uinfo, &ulp_info, sizeof (iulp_t)); 1326 } else if (redirect_to_router) { 1327 /* 1328 * Only do the following if the redirection is really to 1329 * a router. 1330 */ 1331 ire_t *tmp_ire; 1332 ire_t *sire; 1333 1334 tmp_ire = ire_ftable_lookup_v6(dst, 0, gateway, 0, NULL, &sire, 1335 ALL_ZONES, 0, 1336 (MATCH_IRE_RECURSIVE | MATCH_IRE_GW | MATCH_IRE_DEFAULT)); 1337 if (sire != NULL) { 1338 bcopy(&sire->ire_uinfo, &ulp_info, sizeof (iulp_t)); 1339 ASSERT(tmp_ire != NULL); 1340 ire_refrele(tmp_ire); 1341 ire_refrele(sire); 1342 } else if (tmp_ire != NULL) { 1343 bcopy(&tmp_ire->ire_uinfo, &ulp_info, 1344 sizeof (iulp_t)); 1345 ire_refrele(tmp_ire); 1346 } 1347 } 1348 1349 len = mp->b_wptr - mp->b_rptr - hdr_length - sizeof (nd_redirect_t); 1350 opt = (nd_opt_hdr_t *)&rd[1]; 1351 opt = ndp_get_option(opt, len, ND_OPT_TARGET_LINKADDR); 1352 if (opt != NULL) { 1353 err = ndp_lookup_then_add(ill, 1354 (uchar_t *)&opt[1], /* Link layer address */ 1355 gateway, 1356 &ipv6_all_ones, /* prefix mask */ 1357 &ipv6_all_zeros, /* Mapping mask */ 1358 0, 1359 nce_flags, 1360 ND_STALE, 1361 &nce); 1362 switch (err) { 1363 case 0: 1364 NCE_REFRELE(nce); 1365 break; 1366 case EEXIST: 1367 /* 1368 * Check to see if link layer address has changed and 1369 * process the nce_state accordingly. 1370 */ 1371 ndp_process(nce, (uchar_t *)&opt[1], 0, B_FALSE); 1372 NCE_REFRELE(nce); 1373 break; 1374 default: 1375 ip1dbg(("icmp_redirect_v6: NCE create failed %d\n", 1376 err)); 1377 goto fail_redirect; 1378 } 1379 } 1380 if (redirect_to_router) { 1381 /* icmp_redirect_ok_v6() must have already verified this */ 1382 ASSERT(IN6_IS_ADDR_LINKLOCAL(gateway)); 1383 1384 /* 1385 * Create a Route Association. This will allow us to remember 1386 * a router told us to use the particular gateway. 1387 */ 1388 ire = ire_create_v6( 1389 dst, 1390 &ipv6_all_ones, /* mask */ 1391 &prev_ire->ire_src_addr_v6, /* source addr */ 1392 gateway, /* gateway addr */ 1393 &prev_ire->ire_max_frag, /* max frag */ 1394 NULL, /* Fast Path header */ 1395 NULL, /* no rfq */ 1396 NULL, /* no stq */ 1397 IRE_HOST_REDIRECT, 1398 NULL, 1399 prev_ire->ire_ipif, 1400 NULL, 1401 0, 1402 0, 1403 (RTF_DYNAMIC | RTF_GATEWAY | RTF_HOST), 1404 &ulp_info); 1405 } else { 1406 /* 1407 * Just create an on link entry, may or may not be a router 1408 * If there is no link layer address option ire_add() won't 1409 * add this. 1410 */ 1411 ire = ire_create_v6( 1412 dst, /* gateway == dst */ 1413 &ipv6_all_ones, /* mask */ 1414 &prev_ire->ire_src_addr_v6, /* source addr */ 1415 &ipv6_all_zeros, /* gateway addr */ 1416 &prev_ire->ire_max_frag, /* max frag */ 1417 NULL, /* Fast Path header */ 1418 prev_ire->ire_rfq, /* ire rfq */ 1419 prev_ire->ire_stq, /* ire stq */ 1420 IRE_CACHE, 1421 NULL, 1422 prev_ire->ire_ipif, 1423 &ipv6_all_ones, 1424 0, 1425 0, 1426 0, 1427 &ulp_info); 1428 } 1429 if (ire == NULL) 1430 goto fail_redirect; 1431 1432 /* 1433 * XXX If there is no nce i.e there is no target link layer address 1434 * option with the redirect message, ire_add will fail. In that 1435 * case we never add the IRE_CACHE/IRE_HOST_REDIRECT. We need 1436 * to fix this. 1437 */ 1438 if (ire_add(&ire, NULL, NULL, NULL) == 0) { 1439 1440 /* tell routing sockets that we received a redirect */ 1441 ip_rts_change_v6(RTM_REDIRECT, 1442 &rd->nd_rd_dst, 1443 &rd->nd_rd_target, 1444 &ipv6_all_ones, 0, &ire->ire_src_addr_v6, 1445 (RTF_DYNAMIC | RTF_GATEWAY | RTF_HOST), 0, 1446 (RTA_DST | RTA_GATEWAY | RTA_NETMASK | RTA_AUTHOR)); 1447 1448 /* 1449 * Delete any existing IRE_HOST_REDIRECT for this destination. 1450 * This together with the added IRE has the effect of 1451 * modifying an existing redirect. 1452 */ 1453 redir_ire = ire_ftable_lookup_v6(dst, 0, src, IRE_HOST_REDIRECT, 1454 ire->ire_ipif, NULL, ALL_ZONES, 0, 1455 (MATCH_IRE_GW | MATCH_IRE_TYPE | MATCH_IRE_ILL_GROUP)); 1456 1457 ire_refrele(ire); /* Held in ire_add_v6 */ 1458 1459 if (redir_ire != NULL) { 1460 ire_delete(redir_ire); 1461 ire_refrele(redir_ire); 1462 } 1463 } 1464 1465 if (prev_ire->ire_type == IRE_CACHE) 1466 ire_delete(prev_ire); 1467 ire_refrele(prev_ire); 1468 prev_ire = NULL; 1469 1470 fail_redirect: 1471 if (prev_ire != NULL) 1472 ire_refrele(prev_ire); 1473 freemsg(mp); 1474 } 1475 1476 static ill_t * 1477 ip_queue_to_ill_v6(queue_t *q) 1478 { 1479 ill_t *ill; 1480 1481 ASSERT(WR(q) == q); 1482 1483 if (q->q_next != NULL) { 1484 ill = (ill_t *)q->q_ptr; 1485 if (ILL_CAN_LOOKUP(ill)) 1486 ill_refhold(ill); 1487 else 1488 ill = NULL; 1489 } else { 1490 ill = ill_lookup_on_name(ipif_loopback_name, B_FALSE, B_TRUE, 1491 NULL, NULL, NULL, NULL, NULL); 1492 } 1493 if (ill == NULL) 1494 ip0dbg(("ip_queue_to_ill_v6: no ill\n")); 1495 return (ill); 1496 } 1497 1498 /* 1499 * Assigns an appropriate source address to the packet. 1500 * If origdst is one of our IP addresses that use it as the source. 1501 * If the queue is an ill queue then select a source from that ill. 1502 * Otherwise pick a source based on a route lookup back to the origsrc. 1503 * 1504 * src is the return parameter. Returns a pointer to src or NULL if failure. 1505 */ 1506 static in6_addr_t * 1507 icmp_pick_source_v6(queue_t *wq, in6_addr_t *origsrc, in6_addr_t *origdst, 1508 in6_addr_t *src) 1509 { 1510 ill_t *ill; 1511 ire_t *ire; 1512 ipif_t *ipif; 1513 zoneid_t zoneid; 1514 1515 ASSERT(!(wq->q_flag & QREADR)); 1516 if (wq->q_next != NULL) { 1517 ill = (ill_t *)wq->q_ptr; 1518 zoneid = GLOBAL_ZONEID; 1519 } else { 1520 ill = NULL; 1521 zoneid = Q_TO_CONN(wq)->conn_zoneid; 1522 } 1523 1524 ire = ire_route_lookup_v6(origdst, 0, 0, (IRE_LOCAL|IRE_LOOPBACK), 1525 NULL, NULL, zoneid, (MATCH_IRE_TYPE|MATCH_IRE_ZONEONLY)); 1526 if (ire != NULL) { 1527 /* Destined to one of our addresses */ 1528 *src = *origdst; 1529 ire_refrele(ire); 1530 return (src); 1531 } 1532 if (ire != NULL) { 1533 ire_refrele(ire); 1534 ire = NULL; 1535 } 1536 if (ill == NULL) { 1537 /* What is the route back to the original source? */ 1538 ire = ire_route_lookup_v6(origsrc, 0, 0, 0, 1539 NULL, NULL, zoneid, 1540 (MATCH_IRE_DEFAULT|MATCH_IRE_RECURSIVE)); 1541 if (ire == NULL) { 1542 BUMP_MIB(&ip6_mib, ipv6OutNoRoutes); 1543 return (NULL); 1544 } 1545 /* 1546 * Does not matter whether we use ire_stq or ire_ipif here. 1547 * Just pick an ill for ICMP replies. 1548 */ 1549 ASSERT(ire->ire_ipif != NULL); 1550 ill = ire->ire_ipif->ipif_ill; 1551 ire_refrele(ire); 1552 } 1553 ipif = ipif_select_source_v6(ill, origsrc, B_FALSE, 1554 IPV6_PREFER_SRC_DEFAULT, zoneid); 1555 if (ipif != NULL) { 1556 *src = ipif->ipif_v6src_addr; 1557 ipif_refrele(ipif); 1558 return (src); 1559 } 1560 /* 1561 * Unusual case - can't find a usable source address to reach the 1562 * original source. Use what in the route to the source. 1563 */ 1564 ire = ire_route_lookup_v6(origsrc, 0, 0, 0, 1565 NULL, NULL, zoneid, (MATCH_IRE_DEFAULT|MATCH_IRE_RECURSIVE)); 1566 if (ire == NULL) { 1567 BUMP_MIB(&ip6_mib, ipv6OutNoRoutes); 1568 return (NULL); 1569 } 1570 ASSERT(ire != NULL); 1571 *src = ire->ire_src_addr_v6; 1572 ire_refrele(ire); 1573 return (src); 1574 } 1575 1576 /* 1577 * Build and ship an IPv6 ICMP message using the packet data in mp, 1578 * and the ICMP header pointed to by "stuff". (May be called as 1579 * writer.) 1580 * Note: assumes that icmp_pkt_err_ok_v6 has been called to 1581 * verify that an icmp error packet can be sent. 1582 * 1583 * If q is an ill write side queue (which is the case when packets 1584 * arrive from ip_rput) then ip_wput code will ensure that packets to 1585 * link-local destinations are sent out that ill. 1586 * 1587 * If v6src_ptr is set use it as a source. Otherwise select a reasonable 1588 * source address (see above function). 1589 */ 1590 static void 1591 icmp_pkt_v6(queue_t *q, mblk_t *mp, void *stuff, size_t len, 1592 const in6_addr_t *v6src_ptr, boolean_t mctl_present) 1593 { 1594 ip6_t *ip6h; 1595 in6_addr_t v6dst; 1596 size_t len_needed; 1597 size_t msg_len; 1598 mblk_t *mp1; 1599 icmp6_t *icmp6; 1600 ill_t *ill; 1601 in6_addr_t v6src; 1602 mblk_t *ipsec_mp; 1603 ipsec_out_t *io; 1604 1605 ill = ip_queue_to_ill_v6(q); 1606 if (ill == NULL) { 1607 freemsg(mp); 1608 return; 1609 } 1610 1611 if (mctl_present) { 1612 /* 1613 * If it is : 1614 * 1615 * 1) a IPSEC_OUT, then this is caused by outbound 1616 * datagram originating on this host. IPSEC processing 1617 * may or may not have been done. Refer to comments above 1618 * icmp_inbound_error_fanout for details. 1619 * 1620 * 2) a IPSEC_IN if we are generating a icmp_message 1621 * for an incoming datagram destined for us i.e called 1622 * from ip_fanout_send_icmp. 1623 */ 1624 ipsec_info_t *in; 1625 1626 ipsec_mp = mp; 1627 mp = ipsec_mp->b_cont; 1628 1629 in = (ipsec_info_t *)ipsec_mp->b_rptr; 1630 ip6h = (ip6_t *)mp->b_rptr; 1631 1632 ASSERT(in->ipsec_info_type == IPSEC_OUT || 1633 in->ipsec_info_type == IPSEC_IN); 1634 1635 if (in->ipsec_info_type == IPSEC_IN) { 1636 /* 1637 * Convert the IPSEC_IN to IPSEC_OUT. 1638 */ 1639 if (!ipsec_in_to_out(ipsec_mp, NULL, ip6h)) { 1640 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 1641 ill_refrele(ill); 1642 return; 1643 } 1644 } else { 1645 ASSERT(in->ipsec_info_type == IPSEC_OUT); 1646 io = (ipsec_out_t *)in; 1647 /* 1648 * Clear out ipsec_out_proc_begin, so we do a fresh 1649 * ire lookup. 1650 */ 1651 io->ipsec_out_proc_begin = B_FALSE; 1652 } 1653 } else { 1654 /* 1655 * This is in clear. The icmp message we are building 1656 * here should go out in clear. 1657 */ 1658 ipsec_in_t *ii; 1659 ASSERT(mp->b_datap->db_type == M_DATA); 1660 if ((ipsec_mp = ipsec_in_alloc(B_FALSE)) == NULL) { 1661 freemsg(mp); 1662 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 1663 ill_refrele(ill); 1664 return; 1665 } 1666 ii = (ipsec_in_t *)ipsec_mp->b_rptr; 1667 1668 /* This is not a secure packet */ 1669 ii->ipsec_in_secure = B_FALSE; 1670 ipsec_mp->b_cont = mp; 1671 ip6h = (ip6_t *)mp->b_rptr; 1672 /* 1673 * Convert the IPSEC_IN to IPSEC_OUT. 1674 */ 1675 if (!ipsec_in_to_out(ipsec_mp, NULL, ip6h)) { 1676 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 1677 ill_refrele(ill); 1678 return; 1679 } 1680 } 1681 io = (ipsec_out_t *)ipsec_mp->b_rptr; 1682 1683 if (v6src_ptr != NULL) { 1684 v6src = *v6src_ptr; 1685 } else { 1686 if (icmp_pick_source_v6(q, &ip6h->ip6_src, &ip6h->ip6_dst, 1687 &v6src) == NULL) { 1688 freemsg(ipsec_mp); 1689 ill_refrele(ill); 1690 return; 1691 } 1692 } 1693 v6dst = ip6h->ip6_src; 1694 len_needed = ipv6_icmp_return - IPV6_HDR_LEN - len; 1695 msg_len = msgdsize(mp); 1696 if (msg_len > len_needed) { 1697 if (!adjmsg(mp, len_needed - msg_len)) { 1698 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutErrors); 1699 freemsg(ipsec_mp); 1700 ill_refrele(ill); 1701 return; 1702 } 1703 msg_len = len_needed; 1704 } 1705 mp1 = allocb(IPV6_HDR_LEN + len, BPRI_HI); 1706 if (mp1 == NULL) { 1707 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutErrors); 1708 freemsg(ipsec_mp); 1709 ill_refrele(ill); 1710 return; 1711 } 1712 ill_refrele(ill); 1713 mp1->b_cont = mp; 1714 mp = mp1; 1715 ASSERT(ipsec_mp->b_datap->db_type == M_CTL && 1716 io->ipsec_out_type == IPSEC_OUT); 1717 ipsec_mp->b_cont = mp; 1718 1719 /* 1720 * Set ipsec_out_icmp_loopback so we can let the ICMP messages this 1721 * node generates be accepted in peace by all on-host destinations. 1722 * If we do NOT assume that all on-host destinations trust 1723 * self-generated ICMP messages, then rework here, ip.c, and spd.c. 1724 * (Look for ipsec_out_icmp_loopback). 1725 */ 1726 io->ipsec_out_icmp_loopback = B_TRUE; 1727 1728 ip6h = (ip6_t *)mp->b_rptr; 1729 mp1->b_wptr = (uchar_t *)ip6h + (IPV6_HDR_LEN + len); 1730 1731 ip6h->ip6_vcf = IPV6_DEFAULT_VERS_AND_FLOW; 1732 ip6h->ip6_nxt = IPPROTO_ICMPV6; 1733 ip6h->ip6_hops = ipv6_def_hops; 1734 ip6h->ip6_dst = v6dst; 1735 ip6h->ip6_src = v6src; 1736 msg_len += IPV6_HDR_LEN + len; 1737 if (msg_len > IP_MAXPACKET + IPV6_HDR_LEN) { 1738 (void) adjmsg(mp, IP_MAXPACKET + IPV6_HDR_LEN - msg_len); 1739 msg_len = IP_MAXPACKET + IPV6_HDR_LEN; 1740 } 1741 ip6h->ip6_plen = htons((uint16_t)(msgdsize(mp) - IPV6_HDR_LEN)); 1742 icmp6 = (icmp6_t *)&ip6h[1]; 1743 bcopy(stuff, (char *)icmp6, len); 1744 /* 1745 * Prepare for checksum by putting icmp length in the icmp 1746 * checksum field. The checksum is calculated in ip_wput_v6. 1747 */ 1748 icmp6->icmp6_cksum = ip6h->ip6_plen; 1749 if (icmp6->icmp6_type == ND_REDIRECT) { 1750 ip6h->ip6_hops = IPV6_MAX_HOPS; 1751 } 1752 /* Send to V6 writeside put routine */ 1753 put(q, ipsec_mp); 1754 } 1755 1756 /* 1757 * Update the output mib when ICMPv6 packets are sent. 1758 */ 1759 static void 1760 icmp_update_out_mib_v6(ill_t *ill, icmp6_t *icmp6) 1761 { 1762 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutMsgs); 1763 1764 switch (icmp6->icmp6_type) { 1765 case ICMP6_DST_UNREACH: 1766 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutDestUnreachs); 1767 if (icmp6->icmp6_code == ICMP6_DST_UNREACH_ADMIN) 1768 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutAdminProhibs); 1769 break; 1770 1771 case ICMP6_TIME_EXCEEDED: 1772 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutTimeExcds); 1773 break; 1774 1775 case ICMP6_PARAM_PROB: 1776 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutParmProblems); 1777 break; 1778 1779 case ICMP6_PACKET_TOO_BIG: 1780 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutPktTooBigs); 1781 break; 1782 1783 case ICMP6_ECHO_REQUEST: 1784 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutEchos); 1785 break; 1786 1787 case ICMP6_ECHO_REPLY: 1788 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutEchoReplies); 1789 break; 1790 1791 case ND_ROUTER_SOLICIT: 1792 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutRouterSolicits); 1793 break; 1794 1795 case ND_ROUTER_ADVERT: 1796 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutRouterAdvertisements); 1797 break; 1798 1799 case ND_NEIGHBOR_SOLICIT: 1800 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutNeighborSolicits); 1801 break; 1802 1803 case ND_NEIGHBOR_ADVERT: 1804 BUMP_MIB(ill->ill_icmp6_mib, 1805 ipv6IfIcmpOutNeighborAdvertisements); 1806 break; 1807 1808 case ND_REDIRECT: 1809 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutRedirects); 1810 break; 1811 1812 case MLD_LISTENER_QUERY: 1813 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutGroupMembQueries); 1814 break; 1815 1816 case MLD_LISTENER_REPORT: 1817 case MLD_V2_LISTENER_REPORT: 1818 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutGroupMembResponses); 1819 break; 1820 1821 case MLD_LISTENER_REDUCTION: 1822 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutGroupMembReductions); 1823 break; 1824 } 1825 } 1826 1827 /* 1828 * Check if it is ok to send an ICMPv6 error packet in 1829 * response to the IP packet in mp. 1830 * Free the message and return null if no 1831 * ICMP error packet should be sent. 1832 */ 1833 static mblk_t * 1834 icmp_pkt_err_ok_v6(queue_t *q, mblk_t *mp, 1835 boolean_t llbcast, boolean_t mcast_ok) 1836 { 1837 ip6_t *ip6h; 1838 1839 if (!mp) 1840 return (NULL); 1841 1842 ip6h = (ip6_t *)mp->b_rptr; 1843 1844 /* Check if source address uniquely identifies the host */ 1845 1846 if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_src) || 1847 IN6_IS_ADDR_V4MAPPED(&ip6h->ip6_src) || 1848 IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src)) { 1849 freemsg(mp); 1850 return (NULL); 1851 } 1852 1853 if (ip6h->ip6_nxt == IPPROTO_ICMPV6) { 1854 size_t len_needed = IPV6_HDR_LEN + ICMP6_MINLEN; 1855 icmp6_t *icmp6; 1856 1857 if (mp->b_wptr - mp->b_rptr < len_needed) { 1858 if (!pullupmsg(mp, len_needed)) { 1859 ill_t *ill; 1860 1861 ill = ip_queue_to_ill_v6(q); 1862 if (ill == NULL) { 1863 BUMP_MIB(&icmp6_mib, 1864 ipv6IfIcmpInErrors); 1865 } else { 1866 BUMP_MIB(ill->ill_icmp6_mib, 1867 ipv6IfIcmpInErrors); 1868 ill_refrele(ill); 1869 } 1870 freemsg(mp); 1871 return (NULL); 1872 } 1873 ip6h = (ip6_t *)mp->b_rptr; 1874 } 1875 icmp6 = (icmp6_t *)&ip6h[1]; 1876 /* Explicitly do not generate errors in response to redirects */ 1877 if (ICMP6_IS_ERROR(icmp6->icmp6_type) || 1878 icmp6->icmp6_type == ND_REDIRECT) { 1879 freemsg(mp); 1880 return (NULL); 1881 } 1882 } 1883 /* 1884 * Check that the destination is not multicast and that the packet 1885 * was not sent on link layer broadcast or multicast. (Exception 1886 * is Packet too big message as per the draft - when mcast_ok is set.) 1887 */ 1888 if (!mcast_ok && 1889 (llbcast || IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst))) { 1890 freemsg(mp); 1891 return (NULL); 1892 } 1893 if (icmp_err_rate_limit()) { 1894 /* 1895 * Only send ICMP error packets every so often. 1896 * This should be done on a per port/source basis, 1897 * but for now this will suffice. 1898 */ 1899 freemsg(mp); 1900 return (NULL); 1901 } 1902 return (mp); 1903 } 1904 1905 /* 1906 * Generate an ICMPv6 redirect message. 1907 * Include target link layer address option if it exits. 1908 * Always include redirect header. 1909 */ 1910 static void 1911 icmp_send_redirect_v6(queue_t *q, mblk_t *mp, in6_addr_t *targetp, 1912 in6_addr_t *dest, ill_t *ill, boolean_t llbcast) 1913 { 1914 nd_redirect_t *rd; 1915 nd_opt_rd_hdr_t *rdh; 1916 uchar_t *buf; 1917 nce_t *nce = NULL; 1918 nd_opt_hdr_t *opt; 1919 int len; 1920 int ll_opt_len = 0; 1921 int max_redir_hdr_data_len; 1922 int pkt_len; 1923 in6_addr_t *srcp; 1924 1925 /* 1926 * We are called from ip_rput where we could 1927 * not have attached an IPSEC_IN. 1928 */ 1929 ASSERT(mp->b_datap->db_type == M_DATA); 1930 1931 mp = icmp_pkt_err_ok_v6(q, mp, llbcast, B_FALSE); 1932 if (mp == NULL) 1933 return; 1934 nce = ndp_lookup(ill, targetp, B_FALSE); 1935 if (nce != NULL && nce->nce_state != ND_INCOMPLETE) { 1936 ll_opt_len = (sizeof (nd_opt_hdr_t) + 1937 ill->ill_phys_addr_length + 7)/8 * 8; 1938 } 1939 len = sizeof (nd_redirect_t) + sizeof (nd_opt_rd_hdr_t) + ll_opt_len; 1940 ASSERT(len % 4 == 0); 1941 buf = kmem_alloc(len, KM_NOSLEEP); 1942 if (buf == NULL) { 1943 if (nce != NULL) 1944 NCE_REFRELE(nce); 1945 freemsg(mp); 1946 return; 1947 } 1948 1949 rd = (nd_redirect_t *)buf; 1950 rd->nd_rd_type = (uint8_t)ND_REDIRECT; 1951 rd->nd_rd_code = 0; 1952 rd->nd_rd_reserved = 0; 1953 rd->nd_rd_target = *targetp; 1954 rd->nd_rd_dst = *dest; 1955 1956 opt = (nd_opt_hdr_t *)(buf + sizeof (nd_redirect_t)); 1957 if (nce != NULL && ll_opt_len != 0) { 1958 opt->nd_opt_type = ND_OPT_TARGET_LINKADDR; 1959 opt->nd_opt_len = ll_opt_len/8; 1960 bcopy((char *)nce->nce_res_mp->b_rptr + 1961 NCE_LL_ADDR_OFFSET(ill), &opt[1], 1962 ill->ill_phys_addr_length); 1963 } 1964 if (nce != NULL) 1965 NCE_REFRELE(nce); 1966 rdh = (nd_opt_rd_hdr_t *)(buf + sizeof (nd_redirect_t) + ll_opt_len); 1967 rdh->nd_opt_rh_type = (uint8_t)ND_OPT_REDIRECTED_HEADER; 1968 /* max_redir_hdr_data_len and nd_opt_rh_len must be multiple of 8 */ 1969 max_redir_hdr_data_len = (ipv6_icmp_return - IPV6_HDR_LEN - len)/8*8; 1970 pkt_len = msgdsize(mp); 1971 /* Make sure mp is 8 byte aligned */ 1972 if (pkt_len > max_redir_hdr_data_len) { 1973 rdh->nd_opt_rh_len = (max_redir_hdr_data_len + 1974 sizeof (nd_opt_rd_hdr_t))/8; 1975 (void) adjmsg(mp, max_redir_hdr_data_len - pkt_len); 1976 } else { 1977 rdh->nd_opt_rh_len = (pkt_len + sizeof (nd_opt_rd_hdr_t))/8; 1978 (void) adjmsg(mp, -(pkt_len % 8)); 1979 } 1980 rdh->nd_opt_rh_reserved1 = 0; 1981 rdh->nd_opt_rh_reserved2 = 0; 1982 /* ipif_v6src_addr contains the link-local source address */ 1983 rw_enter(&ill_g_lock, RW_READER); 1984 if (ill->ill_group != NULL) { 1985 /* 1986 * The receiver of the redirect will verify whether it 1987 * had a route through us (srcp that we will use in 1988 * the redirect) or not. As we load spread even link-locals, 1989 * we don't know which source address the receiver of 1990 * redirect has in its route for communicating with us. 1991 * Thus we randomly choose a source here and finally we 1992 * should get to the right one and it will eventually 1993 * accept the redirect from us. We can't call 1994 * ip_lookup_scope_v6 because we don't have the right 1995 * link-local address here. Thus we randomly choose one. 1996 */ 1997 int cnt = ill->ill_group->illgrp_ill_count; 1998 1999 ill = ill->ill_group->illgrp_ill; 2000 cnt = ++icmp_redirect_v6_src_index % cnt; 2001 while (cnt--) 2002 ill = ill->ill_group_next; 2003 srcp = &ill->ill_ipif->ipif_v6src_addr; 2004 } else { 2005 srcp = &ill->ill_ipif->ipif_v6src_addr; 2006 } 2007 rw_exit(&ill_g_lock); 2008 icmp_pkt_v6(q, mp, buf, len, srcp, B_FALSE); 2009 kmem_free(buf, len); 2010 } 2011 2012 2013 /* Generate an ICMP time exceeded message. (May be called as writer.) */ 2014 void 2015 icmp_time_exceeded_v6(queue_t *q, mblk_t *mp, uint8_t code, 2016 boolean_t llbcast, boolean_t mcast_ok) 2017 { 2018 icmp6_t icmp6; 2019 boolean_t mctl_present; 2020 mblk_t *first_mp; 2021 2022 EXTRACT_PKT_MP(mp, first_mp, mctl_present); 2023 2024 mp = icmp_pkt_err_ok_v6(q, mp, llbcast, mcast_ok); 2025 if (mp == NULL) { 2026 if (mctl_present) 2027 freeb(first_mp); 2028 return; 2029 } 2030 bzero(&icmp6, sizeof (icmp6_t)); 2031 icmp6.icmp6_type = ICMP6_TIME_EXCEEDED; 2032 icmp6.icmp6_code = code; 2033 icmp_pkt_v6(q, first_mp, &icmp6, sizeof (icmp6_t), NULL, mctl_present); 2034 } 2035 2036 /* 2037 * Generate an ICMP unreachable message. 2038 */ 2039 void 2040 icmp_unreachable_v6(queue_t *q, mblk_t *mp, uint8_t code, 2041 boolean_t llbcast, boolean_t mcast_ok) 2042 { 2043 icmp6_t icmp6; 2044 boolean_t mctl_present; 2045 mblk_t *first_mp; 2046 2047 EXTRACT_PKT_MP(mp, first_mp, mctl_present); 2048 2049 mp = icmp_pkt_err_ok_v6(q, mp, llbcast, mcast_ok); 2050 if (mp == NULL) { 2051 if (mctl_present) 2052 freeb(first_mp); 2053 return; 2054 } 2055 bzero(&icmp6, sizeof (icmp6_t)); 2056 icmp6.icmp6_type = ICMP6_DST_UNREACH; 2057 icmp6.icmp6_code = code; 2058 icmp_pkt_v6(q, first_mp, &icmp6, sizeof (icmp6_t), NULL, mctl_present); 2059 } 2060 2061 /* 2062 * Generate an ICMP pkt too big message. 2063 */ 2064 static void 2065 icmp_pkt2big_v6(queue_t *q, mblk_t *mp, uint32_t mtu, 2066 boolean_t llbcast, boolean_t mcast_ok) 2067 { 2068 icmp6_t icmp6; 2069 mblk_t *first_mp; 2070 boolean_t mctl_present; 2071 2072 EXTRACT_PKT_MP(mp, first_mp, mctl_present); 2073 2074 mp = icmp_pkt_err_ok_v6(q, mp, llbcast, mcast_ok); 2075 if (mp == NULL) { 2076 if (mctl_present) 2077 freeb(first_mp); 2078 return; 2079 } 2080 bzero(&icmp6, sizeof (icmp6_t)); 2081 icmp6.icmp6_type = ICMP6_PACKET_TOO_BIG; 2082 icmp6.icmp6_code = 0; 2083 icmp6.icmp6_mtu = htonl(mtu); 2084 2085 icmp_pkt_v6(q, first_mp, &icmp6, sizeof (icmp6_t), NULL, mctl_present); 2086 } 2087 2088 /* 2089 * Generate an ICMP parameter problem message. (May be called as writer.) 2090 * 'offset' is the offset from the beginning of the packet in error. 2091 */ 2092 static void 2093 icmp_param_problem_v6(queue_t *q, mblk_t *mp, uint8_t code, 2094 uint32_t offset, boolean_t llbcast, boolean_t mcast_ok) 2095 { 2096 icmp6_t icmp6; 2097 boolean_t mctl_present; 2098 mblk_t *first_mp; 2099 2100 EXTRACT_PKT_MP(mp, first_mp, mctl_present); 2101 2102 mp = icmp_pkt_err_ok_v6(q, mp, llbcast, mcast_ok); 2103 if (mp == NULL) { 2104 if (mctl_present) 2105 freeb(first_mp); 2106 return; 2107 } 2108 bzero((char *)&icmp6, sizeof (icmp6_t)); 2109 icmp6.icmp6_type = ICMP6_PARAM_PROB; 2110 icmp6.icmp6_code = code; 2111 icmp6.icmp6_pptr = htonl(offset); 2112 icmp_pkt_v6(q, first_mp, &icmp6, sizeof (icmp6_t), NULL, mctl_present); 2113 } 2114 2115 /* 2116 * This code will need to take into account the possibility of binding 2117 * to a link local address on a multi-homed host, in which case the 2118 * outgoing interface (from the conn) will need to be used when getting 2119 * an ire for the dst. Going through proper outgoing interface and 2120 * choosing the source address corresponding to the outgoing interface 2121 * is necessary when the destination address is a link-local address and 2122 * IPV6_BOUND_IF or IPV6_PKTINFO or scope_id has been set. 2123 * This can happen when active connection is setup; thus ipp pointer 2124 * is passed here from tcp_connect_*() routines, in non-TCP cases NULL 2125 * pointer is passed as ipp pointer. 2126 */ 2127 mblk_t * 2128 ip_bind_v6(queue_t *q, mblk_t *mp, conn_t *connp, ip6_pkt_t *ipp) 2129 { 2130 ssize_t len; 2131 int protocol; 2132 struct T_bind_req *tbr; 2133 sin6_t *sin6; 2134 ipa6_conn_t *ac6; 2135 in6_addr_t *v6srcp; 2136 in6_addr_t *v6dstp; 2137 uint16_t lport; 2138 uint16_t fport; 2139 uchar_t *ucp; 2140 mblk_t *mp1; 2141 boolean_t ire_requested; 2142 boolean_t ipsec_policy_set; 2143 int error = 0; 2144 boolean_t local_bind; 2145 boolean_t orig_pkt_isv6 = connp->conn_pkt_isv6; 2146 ipa6_conn_x_t *acx6; 2147 boolean_t verify_dst; 2148 2149 ASSERT(connp->conn_af_isv6); 2150 len = mp->b_wptr - mp->b_rptr; 2151 if (len < (sizeof (*tbr) + 1)) { 2152 (void) mi_strlog(q, 1, SL_ERROR|SL_TRACE, 2153 "ip_bind_v6: bogus msg, len %ld", len); 2154 goto bad_addr; 2155 } 2156 /* Back up and extract the protocol identifier. */ 2157 mp->b_wptr--; 2158 tbr = (struct T_bind_req *)mp->b_rptr; 2159 /* Reset the message type in preparation for shipping it back. */ 2160 mp->b_datap->db_type = M_PCPROTO; 2161 2162 protocol = *mp->b_wptr & 0xFF; 2163 connp->conn_ulp = (uint8_t)protocol; 2164 2165 /* 2166 * Check for a zero length address. This is from a protocol that 2167 * wants to register to receive all packets of its type. 2168 */ 2169 if (tbr->ADDR_length == 0) { 2170 if ((protocol == IPPROTO_TCP || protocol == IPPROTO_SCTP || 2171 protocol == IPPROTO_ESP || protocol == IPPROTO_AH) && 2172 ipcl_proto_fanout_v6[protocol].connf_head != NULL) { 2173 /* 2174 * TCP, SCTP, AH, and ESP have single protocol fanouts. 2175 * Do not allow others to bind to these. 2176 */ 2177 goto bad_addr; 2178 } 2179 2180 connp->conn_srcv6 = ipv6_all_zeros; 2181 ipcl_proto_insert_v6(connp, protocol); 2182 2183 tbr->PRIM_type = T_BIND_ACK; 2184 return (mp); 2185 } 2186 2187 /* Extract the address pointer from the message. */ 2188 ucp = (uchar_t *)mi_offset_param(mp, tbr->ADDR_offset, 2189 tbr->ADDR_length); 2190 if (ucp == NULL) { 2191 ip1dbg(("ip_bind_v6: no address\n")); 2192 goto bad_addr; 2193 } 2194 if (!OK_32PTR(ucp)) { 2195 ip1dbg(("ip_bind_v6: unaligned address\n")); 2196 goto bad_addr; 2197 } 2198 mp1 = mp->b_cont; /* trailing mp if any */ 2199 ire_requested = (mp1 && mp1->b_datap->db_type == IRE_DB_REQ_TYPE); 2200 ipsec_policy_set = (mp1 && mp1->b_datap->db_type == IPSEC_POLICY_SET); 2201 2202 switch (tbr->ADDR_length) { 2203 default: 2204 ip1dbg(("ip_bind_v6: bad address length %d\n", 2205 (int)tbr->ADDR_length)); 2206 goto bad_addr; 2207 2208 case IPV6_ADDR_LEN: 2209 /* Verification of local address only */ 2210 v6srcp = (in6_addr_t *)ucp; 2211 lport = 0; 2212 local_bind = B_TRUE; 2213 break; 2214 2215 case sizeof (sin6_t): 2216 sin6 = (sin6_t *)ucp; 2217 v6srcp = &sin6->sin6_addr; 2218 lport = sin6->sin6_port; 2219 local_bind = B_TRUE; 2220 break; 2221 2222 case sizeof (ipa6_conn_t): 2223 /* 2224 * Verify that both the source and destination addresses 2225 * are valid. 2226 * Note that we allow connect to broadcast and multicast 2227 * addresses when ire_requested is set. Thus the ULP 2228 * has to check for IRE_BROADCAST and multicast. 2229 */ 2230 ac6 = (ipa6_conn_t *)ucp; 2231 v6srcp = &ac6->ac6_laddr; 2232 v6dstp = &ac6->ac6_faddr; 2233 fport = ac6->ac6_fport; 2234 /* For raw socket, the local port is not set. */ 2235 lport = ac6->ac6_lport != 0 ? ac6->ac6_lport : 2236 connp->conn_lport; 2237 local_bind = B_FALSE; 2238 /* Always verify destination reachability. */ 2239 verify_dst = B_TRUE; 2240 break; 2241 2242 case sizeof (ipa6_conn_x_t): 2243 /* 2244 * Verify that the source address is valid. 2245 * Note that we allow connect to broadcast and multicast 2246 * addresses when ire_requested is set. Thus the ULP 2247 * has to check for IRE_BROADCAST and multicast. 2248 */ 2249 acx6 = (ipa6_conn_x_t *)ucp; 2250 ac6 = &acx6->ac6x_conn; 2251 v6srcp = &ac6->ac6_laddr; 2252 v6dstp = &ac6->ac6_faddr; 2253 fport = ac6->ac6_fport; 2254 lport = ac6->ac6_lport; 2255 local_bind = B_FALSE; 2256 /* 2257 * Client that passed ipa6_conn_x_t to us specifies whether to 2258 * verify destination reachability. 2259 */ 2260 verify_dst = (acx6->ac6x_flags & ACX_VERIFY_DST) != 0; 2261 break; 2262 } 2263 if (local_bind) { 2264 if (IN6_IS_ADDR_V4MAPPED(v6srcp) && !connp->conn_ipv6_v6only) { 2265 /* Bind to IPv4 address */ 2266 ipaddr_t v4src; 2267 2268 IN6_V4MAPPED_TO_IPADDR(v6srcp, v4src); 2269 2270 error = ip_bind_laddr(connp, mp, v4src, lport, 2271 ire_requested, ipsec_policy_set, 2272 tbr->ADDR_length != IPV6_ADDR_LEN); 2273 if (error != 0) 2274 goto bad_addr; 2275 connp->conn_pkt_isv6 = B_FALSE; 2276 } else { 2277 if (IN6_IS_ADDR_V4MAPPED(v6srcp)) { 2278 error = 0; 2279 goto bad_addr; 2280 } 2281 error = ip_bind_laddr_v6(connp, mp, v6srcp, lport, 2282 ire_requested, ipsec_policy_set, 2283 (tbr->ADDR_length != IPV6_ADDR_LEN)); 2284 if (error != 0) 2285 goto bad_addr; 2286 connp->conn_pkt_isv6 = B_TRUE; 2287 } 2288 if (protocol == IPPROTO_TCP) 2289 connp->conn_recv = tcp_conn_request; 2290 } else { 2291 /* 2292 * Bind to local and remote address. Local might be 2293 * unspecified in which case it will be extracted from 2294 * ire_src_addr_v6 2295 */ 2296 if (IN6_IS_ADDR_V4MAPPED(v6dstp) && !connp->conn_ipv6_v6only) { 2297 /* Connect to IPv4 address */ 2298 ipaddr_t v4src; 2299 ipaddr_t v4dst; 2300 2301 /* Is the source unspecified or mapped? */ 2302 if (!IN6_IS_ADDR_V4MAPPED(v6srcp) && 2303 !IN6_IS_ADDR_UNSPECIFIED(v6srcp)) { 2304 ip1dbg(("ip_bind_v6: " 2305 "dst is mapped, but not the src\n")); 2306 goto bad_addr; 2307 } 2308 IN6_V4MAPPED_TO_IPADDR(v6srcp, v4src); 2309 IN6_V4MAPPED_TO_IPADDR(v6dstp, v4dst); 2310 2311 /* 2312 * XXX Fix needed. Need to pass ipsec_policy_set 2313 * instead of B_FALSE. 2314 */ 2315 2316 /* Always verify destination reachability. */ 2317 error = ip_bind_connected(connp, mp, &v4src, lport, 2318 v4dst, fport, ire_requested, ipsec_policy_set, 2319 B_TRUE, B_TRUE); 2320 if (error != 0) 2321 goto bad_addr; 2322 IN6_IPADDR_TO_V4MAPPED(v4src, v6srcp); 2323 connp->conn_pkt_isv6 = B_FALSE; 2324 } else if (IN6_IS_ADDR_V4MAPPED(v6srcp)) { 2325 ip1dbg(("ip_bind_v6: " 2326 "src is mapped, but not the dst\n")); 2327 goto bad_addr; 2328 } else { 2329 error = ip_bind_connected_v6(connp, mp, v6srcp, 2330 lport, v6dstp, ipp, fport, ire_requested, 2331 ipsec_policy_set, B_TRUE, verify_dst); 2332 if (error != 0) 2333 goto bad_addr; 2334 connp->conn_pkt_isv6 = B_TRUE; 2335 } 2336 if (protocol == IPPROTO_TCP) 2337 connp->conn_recv = tcp_input; 2338 } 2339 /* Update qinfo if v4/v6 changed */ 2340 if ((orig_pkt_isv6 != connp->conn_pkt_isv6) && 2341 !(IPCL_IS_TCP(connp) || IPCL_IS_UDP(connp))) { 2342 if (connp->conn_pkt_isv6) 2343 ip_setqinfo(RD(q), IPV6_MINOR, B_TRUE); 2344 else 2345 ip_setqinfo(RD(q), IPV4_MINOR, B_TRUE); 2346 } 2347 2348 /* 2349 * Pass the IPSEC headers size in ire_ipsec_overhead. 2350 * We can't do this in ip_bind_insert_ire because the policy 2351 * may not have been inherited at that point in time and hence 2352 * conn_out_enforce_policy may not be set. 2353 */ 2354 mp1 = mp->b_cont; 2355 if (ire_requested && connp->conn_out_enforce_policy && 2356 mp1 != NULL && DB_TYPE(mp1) == IRE_DB_REQ_TYPE) { 2357 ire_t *ire = (ire_t *)mp1->b_rptr; 2358 ASSERT(MBLKL(mp1) >= sizeof (ire_t)); 2359 ire->ire_ipsec_overhead = (conn_ipsec_length(connp)); 2360 } 2361 2362 /* Send it home. */ 2363 mp->b_datap->db_type = M_PCPROTO; 2364 tbr->PRIM_type = T_BIND_ACK; 2365 return (mp); 2366 2367 bad_addr: 2368 if (error == EINPROGRESS) 2369 return (NULL); 2370 if (error > 0) 2371 mp = mi_tpi_err_ack_alloc(mp, TSYSERR, error); 2372 else 2373 mp = mi_tpi_err_ack_alloc(mp, TBADADDR, 0); 2374 return (mp); 2375 } 2376 2377 /* 2378 * Here address is verified to be a valid local address. 2379 * If the IRE_DB_REQ_TYPE mp is present, a multicast 2380 * address is also considered a valid local address. 2381 * In the case of a multicast address, however, the 2382 * upper protocol is expected to reset the src address 2383 * to 0 if it sees an ire with IN6_IS_ADDR_MULTICAST returned so that 2384 * no packets are emitted with multicast address as 2385 * source address. 2386 * The addresses valid for bind are: 2387 * (1) - in6addr_any 2388 * (2) - IP address of an UP interface 2389 * (3) - IP address of a DOWN interface 2390 * (4) - a multicast address. In this case 2391 * the conn will only receive packets destined to 2392 * the specified multicast address. Note: the 2393 * application still has to issue an 2394 * IPV6_JOIN_GROUP socket option. 2395 * 2396 * In all the above cases, the bound address must be valid in the current zone. 2397 * When the address is loopback or multicast, there might be many matching IREs 2398 * so bind has to look up based on the zone. 2399 */ 2400 static int 2401 ip_bind_laddr_v6(conn_t *connp, mblk_t *mp, const in6_addr_t *v6src, 2402 uint16_t lport, boolean_t ire_requested, boolean_t ipsec_policy_set, 2403 boolean_t fanout_insert) 2404 { 2405 int error = 0; 2406 ire_t *src_ire = NULL; 2407 ipif_t *ipif = NULL; 2408 mblk_t *policy_mp; 2409 zoneid_t zoneid; 2410 2411 if (ipsec_policy_set) 2412 policy_mp = mp->b_cont; 2413 2414 /* 2415 * If it was previously connected, conn_fully_bound would have 2416 * been set. 2417 */ 2418 connp->conn_fully_bound = B_FALSE; 2419 2420 zoneid = connp->conn_zoneid; 2421 2422 if (!IN6_IS_ADDR_UNSPECIFIED(v6src)) { 2423 src_ire = ire_route_lookup_v6(v6src, 0, 0, 2424 0, NULL, NULL, zoneid, MATCH_IRE_ZONEONLY); 2425 /* 2426 * If an address other than in6addr_any is requested, 2427 * we verify that it is a valid address for bind 2428 * Note: Following code is in if-else-if form for 2429 * readability compared to a condition check. 2430 */ 2431 ASSERT(src_ire == NULL || !(src_ire->ire_type & IRE_BROADCAST)); 2432 /* LINTED - statement has no consequent */ 2433 if (IRE_IS_LOCAL(src_ire)) { 2434 /* 2435 * (2) Bind to address of local UP interface 2436 */ 2437 ipif = src_ire->ire_ipif; 2438 } else if (IN6_IS_ADDR_MULTICAST(v6src)) { 2439 ipif_t *multi_ipif = NULL; 2440 ire_t *save_ire; 2441 /* 2442 * (4) bind to multicast address. 2443 * Fake out the IRE returned to upper 2444 * layer to be a broadcast IRE in 2445 * ip_bind_insert_ire_v6(). 2446 * Pass other information that matches 2447 * the ipif (e.g. the source address). 2448 * conn_multicast_ill is only used for 2449 * IPv6 packets 2450 */ 2451 mutex_enter(&connp->conn_lock); 2452 if (connp->conn_multicast_ill != NULL) { 2453 (void) ipif_lookup_zoneid( 2454 connp->conn_multicast_ill, zoneid, 0, 2455 &multi_ipif); 2456 } else { 2457 /* 2458 * Look for default like 2459 * ip_wput_v6 2460 */ 2461 multi_ipif = ipif_lookup_group_v6( 2462 &ipv6_unspecified_group, zoneid); 2463 } 2464 mutex_exit(&connp->conn_lock); 2465 save_ire = src_ire; 2466 src_ire = NULL; 2467 if (multi_ipif == NULL || 2468 !ire_requested || (src_ire = 2469 ipif_to_ire_v6(multi_ipif)) == 2470 NULL) { 2471 src_ire = save_ire; 2472 error = EADDRNOTAVAIL; 2473 } else { 2474 ASSERT(src_ire != NULL); 2475 if (save_ire != NULL) 2476 ire_refrele(save_ire); 2477 } 2478 if (multi_ipif != NULL) 2479 ipif_refrele(multi_ipif); 2480 } else { 2481 *mp->b_wptr++ = (char)connp->conn_ulp; 2482 ipif = ipif_lookup_addr_v6(v6src, NULL, zoneid, 2483 CONNP_TO_WQ(connp), mp, ip_wput_nondata, &error); 2484 if (ipif == NULL) { 2485 if (error == EINPROGRESS) { 2486 if (src_ire != NULL) 2487 ire_refrele(src_ire); 2488 return (error); 2489 } 2490 /* 2491 * Not a valid address for bind 2492 */ 2493 error = EADDRNOTAVAIL; 2494 } else { 2495 ipif_refrele(ipif); 2496 } 2497 /* 2498 * Just to keep it consistent with the processing in 2499 * ip_bind_v6(). 2500 */ 2501 mp->b_wptr--; 2502 } 2503 2504 if (error != 0) { 2505 /* Red Alert! Attempting to be a bogon! */ 2506 if (ip_debug > 2) { 2507 /* ip1dbg */ 2508 pr_addr_dbg("ip_bind_laddr_v6: bad src" 2509 " address %s\n", AF_INET6, v6src); 2510 } 2511 goto bad_addr; 2512 } 2513 } 2514 2515 /* 2516 * Allow setting new policies. For example, disconnects come 2517 * down as ipa_t bind. As we would have set conn_policy_cached 2518 * to B_TRUE before, we should set it to B_FALSE, so that policy 2519 * can change after the disconnect. 2520 */ 2521 connp->conn_policy_cached = B_FALSE; 2522 2523 /* If not fanout_insert this was just an address verification */ 2524 if (fanout_insert) { 2525 /* 2526 * The addresses have been verified. Time to insert in 2527 * the correct fanout list. 2528 */ 2529 connp->conn_srcv6 = *v6src; 2530 connp->conn_remv6 = ipv6_all_zeros; 2531 connp->conn_lport = lport; 2532 connp->conn_fport = 0; 2533 error = ipcl_bind_insert_v6(connp, *mp->b_wptr, v6src, lport); 2534 } 2535 if (error == 0) { 2536 if (ire_requested) { 2537 if (!ip_bind_insert_ire_v6(mp, src_ire, v6src, NULL)) { 2538 error = -1; 2539 goto bad_addr; 2540 } 2541 } else if (ipsec_policy_set) { 2542 if (!ip_bind_ipsec_policy_set(connp, policy_mp)) { 2543 error = -1; 2544 goto bad_addr; 2545 } 2546 } 2547 } 2548 bad_addr: 2549 if (src_ire != NULL) 2550 ire_refrele(src_ire); 2551 2552 if (ipsec_policy_set) { 2553 ASSERT(policy_mp != NULL); 2554 freeb(policy_mp); 2555 /* 2556 * As of now assume that nothing else accompanies 2557 * IPSEC_POLICY_SET. 2558 */ 2559 mp->b_cont = NULL; 2560 } 2561 return (error); 2562 } 2563 2564 /* ARGSUSED */ 2565 static void 2566 ip_bind_connected_resume_v6(ipsq_t *ipsq, queue_t *q, mblk_t *mp, 2567 void *dummy_arg) 2568 { 2569 conn_t *connp = NULL; 2570 t_scalar_t prim; 2571 2572 ASSERT(DB_TYPE(mp) == M_PROTO || DB_TYPE(mp) == M_PCPROTO); 2573 2574 if (CONN_Q(q)) 2575 connp = Q_TO_CONN(q); 2576 ASSERT(connp != NULL); 2577 2578 prim = ((union T_primitives *)mp->b_rptr)->type; 2579 ASSERT(prim == O_T_BIND_REQ || prim == T_BIND_REQ); 2580 2581 if (IPCL_IS_TCP(connp)) { 2582 /* Pass sticky_ipp for scope_id and pktinfo */ 2583 mp = ip_bind_v6(q, mp, connp, &connp->conn_tcp->tcp_sticky_ipp); 2584 } else { 2585 /* For UDP and ICMP */ 2586 mp = ip_bind_v6(q, mp, connp, NULL); 2587 } 2588 if (mp != NULL) { 2589 if (IPCL_IS_TCP(connp)) { 2590 CONN_INC_REF(connp); 2591 squeue_fill(connp->conn_sqp, mp, ip_resume_tcp_bind, 2592 connp, SQTAG_TCP_RPUTOTHER); 2593 } else if (IPCL_IS_UDP(connp)) { 2594 udp_resume_bind(connp, mp); 2595 } else { 2596 qreply(q, mp); 2597 CONN_OPER_PENDING_DONE(connp); 2598 } 2599 } 2600 } 2601 2602 /* 2603 * Verify that both the source and destination addresses 2604 * are valid. If verify_dst, then destination address must also be reachable, 2605 * i.e. have a route. Protocols like TCP want this. Tunnels do not. 2606 * It takes ip6_pkt_t * as one of the arguments to determine correct 2607 * source address when IPV6_PKTINFO or scope_id is set along with a link-local 2608 * destination address. Note that parameter ipp is only useful for TCP connect 2609 * when scope_id is set or IPV6_PKTINFO option is set with an ifindex. For all 2610 * non-TCP cases, it is NULL and for all other tcp cases it is not useful. 2611 * 2612 */ 2613 static int 2614 ip_bind_connected_v6(conn_t *connp, mblk_t *mp, in6_addr_t *v6src, 2615 uint16_t lport, const in6_addr_t *v6dst, ip6_pkt_t *ipp, uint16_t fport, 2616 boolean_t ire_requested, boolean_t ipsec_policy_set, 2617 boolean_t fanout_insert, boolean_t verify_dst) 2618 { 2619 ire_t *src_ire; 2620 ire_t *dst_ire; 2621 int error = 0; 2622 int protocol; 2623 mblk_t *policy_mp; 2624 ire_t *sire = NULL; 2625 ire_t *md_dst_ire = NULL; 2626 ill_t *md_ill = NULL; 2627 ill_t *dst_ill = NULL; 2628 ipif_t *src_ipif = NULL; 2629 zoneid_t zoneid; 2630 boolean_t ill_held = B_FALSE; 2631 2632 src_ire = dst_ire = NULL; 2633 /* 2634 * NOTE: The protocol is beyond the wptr because that's how 2635 * the undocumented transport<-->IP T_BIND_REQ behavior works. 2636 */ 2637 protocol = *mp->b_wptr & 0xFF; 2638 2639 /* 2640 * If we never got a disconnect before, clear it now. 2641 */ 2642 connp->conn_fully_bound = B_FALSE; 2643 2644 if (ipsec_policy_set) { 2645 policy_mp = mp->b_cont; 2646 } 2647 2648 zoneid = connp->conn_zoneid; 2649 2650 if (IN6_IS_ADDR_MULTICAST(v6dst)) { 2651 ipif_t *ipif; 2652 2653 /* 2654 * Use an "emulated" IRE_BROADCAST to tell the transport it 2655 * is a multicast. 2656 * Pass other information that matches 2657 * the ipif (e.g. the source address). 2658 * 2659 * conn_multicast_ill is only used for IPv6 packets 2660 */ 2661 mutex_enter(&connp->conn_lock); 2662 if (connp->conn_multicast_ill != NULL) { 2663 (void) ipif_lookup_zoneid(connp->conn_multicast_ill, 2664 zoneid, 0, &ipif); 2665 } else { 2666 /* Look for default like ip_wput_v6 */ 2667 ipif = ipif_lookup_group_v6(v6dst, zoneid); 2668 } 2669 mutex_exit(&connp->conn_lock); 2670 if (ipif == NULL || !ire_requested || 2671 (dst_ire = ipif_to_ire_v6(ipif)) == NULL) { 2672 if (ipif != NULL) 2673 ipif_refrele(ipif); 2674 if (ip_debug > 2) { 2675 /* ip1dbg */ 2676 pr_addr_dbg("ip_bind_connected_v6: bad " 2677 "connected multicast %s\n", AF_INET6, 2678 v6dst); 2679 } 2680 error = ENETUNREACH; 2681 goto bad_addr; 2682 } 2683 if (ipif != NULL) 2684 ipif_refrele(ipif); 2685 } else { 2686 dst_ire = ire_route_lookup_v6(v6dst, NULL, NULL, 0, 2687 NULL, &sire, zoneid, 2688 MATCH_IRE_RECURSIVE | MATCH_IRE_DEFAULT | 2689 MATCH_IRE_PARENT | MATCH_IRE_RJ_BHOLE); 2690 /* 2691 * We also prevent ire's with src address INADDR_ANY to 2692 * be used, which are created temporarily for 2693 * sending out packets from endpoints that have 2694 * conn_unspec_src set. 2695 */ 2696 if (dst_ire == NULL || 2697 (dst_ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) || 2698 IN6_IS_ADDR_UNSPECIFIED(&dst_ire->ire_src_addr_v6)) { 2699 /* 2700 * When verifying destination reachability, we always 2701 * complain. 2702 * 2703 * When not verifying destination reachability but we 2704 * found an IRE, i.e. the destination is reachable, 2705 * then the other tests still apply and we complain. 2706 */ 2707 if (verify_dst || (dst_ire != NULL)) { 2708 if (ip_debug > 2) { 2709 /* ip1dbg */ 2710 pr_addr_dbg("ip_bind_connected_v6: bad" 2711 " connected dst %s\n", AF_INET6, 2712 v6dst); 2713 } 2714 if (dst_ire == NULL || 2715 !(dst_ire->ire_type & IRE_HOST)) { 2716 error = ENETUNREACH; 2717 } else { 2718 error = EHOSTUNREACH; 2719 } 2720 goto bad_addr; 2721 } 2722 } 2723 } 2724 2725 /* 2726 * If the app does a connect(), it means that it will most likely 2727 * send more than 1 packet to the destination. It makes sense 2728 * to clear the temporary flag. 2729 */ 2730 if (dst_ire != NULL && dst_ire->ire_type == IRE_CACHE && 2731 (dst_ire->ire_marks & IRE_MARK_TEMPORARY)) { 2732 irb_t *irb = dst_ire->ire_bucket; 2733 2734 rw_enter(&irb->irb_lock, RW_WRITER); 2735 dst_ire->ire_marks &= ~IRE_MARK_TEMPORARY; 2736 irb->irb_tmp_ire_cnt--; 2737 rw_exit(&irb->irb_lock); 2738 } 2739 2740 ASSERT(dst_ire == NULL || dst_ire->ire_ipversion == IPV6_VERSION); 2741 2742 /* 2743 * See if we should notify ULP about MDT; we do this whether or not 2744 * ire_requested is TRUE, in order to handle active connects; MDT 2745 * eligibility tests for passive connects are handled separately 2746 * through tcp_adapt_ire(). We do this before the source address 2747 * selection, because dst_ire may change after a call to 2748 * ipif_select_source_v6(). This is a best-effort check, as the 2749 * packet for this connection may not actually go through 2750 * dst_ire->ire_stq, and the exact IRE can only be known after 2751 * calling ip_newroute_v6(). This is why we further check on the 2752 * IRE during Multidata packet transmission in tcp_multisend(). 2753 */ 2754 if (ip_multidata_outbound && !ipsec_policy_set && dst_ire != NULL && 2755 !(dst_ire->ire_type & (IRE_LOCAL | IRE_LOOPBACK | IRE_BROADCAST)) && 2756 (md_ill = ire_to_ill(dst_ire), md_ill != NULL) && 2757 ILL_MDT_CAPABLE(md_ill)) { 2758 md_dst_ire = dst_ire; 2759 IRE_REFHOLD(md_dst_ire); 2760 } 2761 2762 if (dst_ire != NULL && 2763 dst_ire->ire_type == IRE_LOCAL && 2764 dst_ire->ire_zoneid != zoneid) { 2765 src_ire = ire_ftable_lookup_v6(v6dst, 0, 0, 0, NULL, NULL, 2766 zoneid, 0, 2767 MATCH_IRE_RECURSIVE | MATCH_IRE_DEFAULT | 2768 MATCH_IRE_RJ_BHOLE); 2769 if (src_ire == NULL) { 2770 error = EHOSTUNREACH; 2771 goto bad_addr; 2772 } else if (src_ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) { 2773 if (!(src_ire->ire_type & IRE_HOST)) 2774 error = ENETUNREACH; 2775 else 2776 error = EHOSTUNREACH; 2777 goto bad_addr; 2778 } 2779 if (IN6_IS_ADDR_UNSPECIFIED(v6src)) { 2780 src_ipif = src_ire->ire_ipif; 2781 ipif_refhold(src_ipif); 2782 *v6src = src_ipif->ipif_v6lcl_addr; 2783 } 2784 ire_refrele(src_ire); 2785 src_ire = NULL; 2786 } else if (IN6_IS_ADDR_UNSPECIFIED(v6src) && dst_ire != NULL) { 2787 if ((sire != NULL) && (sire->ire_flags & RTF_SETSRC)) { 2788 *v6src = sire->ire_src_addr_v6; 2789 ire_refrele(dst_ire); 2790 dst_ire = sire; 2791 sire = NULL; 2792 } else if (dst_ire->ire_type == IRE_CACHE && 2793 (dst_ire->ire_flags & RTF_SETSRC)) { 2794 ASSERT(dst_ire->ire_zoneid == zoneid); 2795 *v6src = dst_ire->ire_src_addr_v6; 2796 } else { 2797 /* 2798 * Pick a source address so that a proper inbound load 2799 * spreading would happen. Use dst_ill specified by the 2800 * app. when socket option or scopeid is set. 2801 */ 2802 int err; 2803 2804 if (ipp != NULL && ipp->ipp_ifindex != 0) { 2805 uint_t if_index; 2806 2807 /* 2808 * Scope id or IPV6_PKTINFO 2809 */ 2810 2811 if_index = ipp->ipp_ifindex; 2812 dst_ill = ill_lookup_on_ifindex( 2813 if_index, B_TRUE, NULL, NULL, NULL, NULL); 2814 if (dst_ill == NULL) { 2815 ip1dbg(("ip_bind_connected_v6:" 2816 " bad ifindex %d\n", if_index)); 2817 error = EADDRNOTAVAIL; 2818 goto bad_addr; 2819 } 2820 ill_held = B_TRUE; 2821 } else if (connp->conn_outgoing_ill != NULL) { 2822 /* 2823 * For IPV6_BOUND_IF socket option, 2824 * conn_outgoing_ill should be set 2825 * already in TCP or UDP/ICMP. 2826 */ 2827 dst_ill = conn_get_held_ill(connp, 2828 &connp->conn_outgoing_ill, &err); 2829 if (err == ILL_LOOKUP_FAILED) { 2830 ip1dbg(("ip_bind_connected_v6:" 2831 "no ill for bound_if\n")); 2832 error = EADDRNOTAVAIL; 2833 goto bad_addr; 2834 } 2835 ill_held = B_TRUE; 2836 } else if (dst_ire->ire_stq != NULL) { 2837 /* No need to hold ill here */ 2838 dst_ill = (ill_t *)dst_ire->ire_stq->q_ptr; 2839 } else { 2840 /* No need to hold ill here */ 2841 dst_ill = dst_ire->ire_ipif->ipif_ill; 2842 } 2843 if (!ip6_asp_can_lookup()) { 2844 *mp->b_wptr++ = (char)protocol; 2845 ip6_asp_pending_op(CONNP_TO_WQ(connp), mp, 2846 ip_bind_connected_resume_v6); 2847 error = EINPROGRESS; 2848 goto refrele_and_quit; 2849 } 2850 src_ipif = ipif_select_source_v6(dst_ill, v6dst, 2851 B_FALSE, connp->conn_src_preferences, zoneid); 2852 ip6_asp_table_refrele(); 2853 if (src_ipif == NULL) { 2854 pr_addr_dbg("ip_bind_connected_v6: " 2855 "no usable source address for " 2856 "connection to %s\n", AF_INET6, v6dst); 2857 error = EADDRNOTAVAIL; 2858 goto bad_addr; 2859 } 2860 *v6src = src_ipif->ipif_v6lcl_addr; 2861 } 2862 } 2863 2864 /* 2865 * We do ire_route_lookup_v6() here (and not an interface lookup) 2866 * as we assert that v6src should only come from an 2867 * UP interface for hard binding. 2868 */ 2869 src_ire = ire_route_lookup_v6(v6src, 0, 0, 0, NULL, 2870 NULL, zoneid, MATCH_IRE_ZONEONLY); 2871 2872 /* src_ire must be a local|loopback */ 2873 if (!IRE_IS_LOCAL(src_ire)) { 2874 if (ip_debug > 2) { 2875 /* ip1dbg */ 2876 pr_addr_dbg("ip_bind_connected_v6: bad " 2877 "connected src %s\n", AF_INET6, v6src); 2878 } 2879 error = EADDRNOTAVAIL; 2880 goto bad_addr; 2881 } 2882 2883 /* 2884 * If the source address is a loopback address, the 2885 * destination had best be local or multicast. 2886 * The transports that can't handle multicast will reject 2887 * those addresses. 2888 */ 2889 if (src_ire->ire_type == IRE_LOOPBACK && 2890 !(IRE_IS_LOCAL(dst_ire) || IN6_IS_ADDR_MULTICAST(v6dst) || 2891 IN6_IS_ADDR_V4MAPPED_CLASSD(v6dst))) { 2892 ip1dbg(("ip_bind_connected_v6: bad connected loopback\n")); 2893 error = -1; 2894 goto bad_addr; 2895 } 2896 /* 2897 * Allow setting new policies. For example, disconnects come 2898 * down as ipa_t bind. As we would have set conn_policy_cached 2899 * to B_TRUE before, we should set it to B_FALSE, so that policy 2900 * can change after the disconnect. 2901 */ 2902 connp->conn_policy_cached = B_FALSE; 2903 2904 /* 2905 * The addresses have been verified. Initialize the conn 2906 * before calling the policy as they expect the conns 2907 * initialized. 2908 */ 2909 connp->conn_srcv6 = *v6src; 2910 connp->conn_remv6 = *v6dst; 2911 connp->conn_lport = lport; 2912 connp->conn_fport = fport; 2913 2914 ASSERT(!(ipsec_policy_set && ire_requested)); 2915 if (ire_requested) { 2916 iulp_t *ulp_info = NULL; 2917 2918 /* 2919 * Note that sire will not be NULL if this is an off-link 2920 * connection and there is not cache for that dest yet. 2921 * 2922 * XXX Because of an existing bug, if there are multiple 2923 * default routes, the IRE returned now may not be the actual 2924 * default route used (default routes are chosen in a 2925 * round robin fashion). So if the metrics for different 2926 * default routes are different, we may return the wrong 2927 * metrics. This will not be a problem if the existing 2928 * bug is fixed. 2929 */ 2930 if (sire != NULL) 2931 ulp_info = &(sire->ire_uinfo); 2932 2933 if (!ip_bind_insert_ire_v6(mp, dst_ire, v6dst, ulp_info)) { 2934 error = -1; 2935 goto bad_addr; 2936 } 2937 } else if (ipsec_policy_set) { 2938 if (!ip_bind_ipsec_policy_set(connp, policy_mp)) { 2939 error = -1; 2940 goto bad_addr; 2941 } 2942 } 2943 2944 /* 2945 * Cache IPsec policy in this conn. If we have per-socket policy, 2946 * we'll cache that. If we don't, we'll inherit global policy. 2947 * 2948 * We can't insert until the conn reflects the policy. Note that 2949 * conn_policy_cached is set by ipsec_conn_cache_policy() even for 2950 * connections where we don't have a policy. This is to prevent 2951 * global policy lookups in the inbound path. 2952 * 2953 * If we insert before we set conn_policy_cached, 2954 * CONN_INBOUND_POLICY_PRESENT_V6() check can still evaluate true 2955 * because global policy cound be non-empty. We normally call 2956 * ipsec_check_policy() for conn_policy_cached connections only if 2957 * conn_in_enforce_policy is set. But in this case, 2958 * conn_policy_cached can get set anytime since we made the 2959 * CONN_INBOUND_POLICY_PRESENT_V6() check and ipsec_check_policy() 2960 * is called, which will make the above assumption false. Thus, we 2961 * need to insert after we set conn_policy_cached. 2962 */ 2963 if ((error = ipsec_conn_cache_policy(connp, B_FALSE)) != 0) 2964 goto bad_addr; 2965 2966 /* If not fanout_insert this was just an address verification */ 2967 if (fanout_insert) { 2968 /* 2969 * The addresses have been verified. Time to insert in 2970 * the correct fanout list. 2971 */ 2972 error = ipcl_conn_insert_v6(connp, protocol, v6src, v6dst, 2973 connp->conn_ports, 2974 IPCL_IS_TCP(connp) ? connp->conn_tcp->tcp_bound_if : 0); 2975 } 2976 if (error == 0) { 2977 connp->conn_fully_bound = B_TRUE; 2978 /* 2979 * Our initial checks for MDT have passed; the IRE is not 2980 * LOCAL/LOOPBACK/BROADCAST, and the link layer seems to 2981 * be supporting MDT. Pass the IRE, IPC and ILL into 2982 * ip_mdinfo_return(), which performs further checks 2983 * against them and upon success, returns the MDT info 2984 * mblk which we will attach to the bind acknowledgment. 2985 */ 2986 if (md_dst_ire != NULL) { 2987 mblk_t *mdinfo_mp; 2988 2989 ASSERT(md_ill != NULL); 2990 ASSERT(md_ill->ill_mdt_capab != NULL); 2991 if ((mdinfo_mp = ip_mdinfo_return(md_dst_ire, connp, 2992 md_ill->ill_name, md_ill->ill_mdt_capab)) != NULL) 2993 linkb(mp, mdinfo_mp); 2994 } 2995 } 2996 bad_addr: 2997 if (ipsec_policy_set) { 2998 ASSERT(policy_mp != NULL); 2999 freeb(policy_mp); 3000 /* 3001 * As of now assume that nothing else accompanies 3002 * IPSEC_POLICY_SET. 3003 */ 3004 mp->b_cont = NULL; 3005 } 3006 refrele_and_quit: 3007 if (src_ire != NULL) 3008 IRE_REFRELE(src_ire); 3009 if (dst_ire != NULL) 3010 IRE_REFRELE(dst_ire); 3011 if (sire != NULL) 3012 IRE_REFRELE(sire); 3013 if (src_ipif != NULL) 3014 ipif_refrele(src_ipif); 3015 if (md_dst_ire != NULL) 3016 IRE_REFRELE(md_dst_ire); 3017 if (ill_held && dst_ill != NULL) 3018 ill_refrele(dst_ill); 3019 return (error); 3020 } 3021 3022 /* 3023 * Insert the ire in b_cont. Returns false if it fails (due to lack of space). 3024 * Makes the IRE be IRE_BROADCAST if dst is a multicast address. 3025 */ 3026 static boolean_t 3027 ip_bind_insert_ire_v6(mblk_t *mp, ire_t *ire, const in6_addr_t *dst, 3028 iulp_t *ulp_info) 3029 { 3030 mblk_t *mp1; 3031 ire_t *ret_ire; 3032 3033 mp1 = mp->b_cont; 3034 ASSERT(mp1 != NULL); 3035 3036 if (ire != NULL) { 3037 /* 3038 * mp1 initialized above to IRE_DB_REQ_TYPE 3039 * appended mblk. Its <upper protocol>'s 3040 * job to make sure there is room. 3041 */ 3042 if ((mp1->b_datap->db_lim - mp1->b_rptr) < sizeof (ire_t)) 3043 return (B_FALSE); 3044 3045 mp1->b_datap->db_type = IRE_DB_TYPE; 3046 mp1->b_wptr = mp1->b_rptr + sizeof (ire_t); 3047 bcopy(ire, mp1->b_rptr, sizeof (ire_t)); 3048 ret_ire = (ire_t *)mp1->b_rptr; 3049 if (IN6_IS_ADDR_MULTICAST(dst) || 3050 IN6_IS_ADDR_V4MAPPED_CLASSD(dst)) { 3051 ret_ire->ire_type = IRE_BROADCAST; 3052 ret_ire->ire_addr_v6 = *dst; 3053 } 3054 if (ulp_info != NULL) { 3055 bcopy(ulp_info, &(ret_ire->ire_uinfo), 3056 sizeof (iulp_t)); 3057 } 3058 ret_ire->ire_mp = mp1; 3059 } else { 3060 /* 3061 * No IRE was found. Remove IRE mblk. 3062 */ 3063 mp->b_cont = mp1->b_cont; 3064 freeb(mp1); 3065 } 3066 return (B_TRUE); 3067 } 3068 3069 /* 3070 * Add an ip6i_t header to the front of the mblk. 3071 * Inline if possible else allocate a separate mblk containing only the ip6i_t. 3072 * Returns NULL if allocation fails (and frees original message). 3073 * Used in outgoing path when going through ip_newroute_*v6(). 3074 * Used in incoming path to pass ifindex to transports. 3075 */ 3076 mblk_t * 3077 ip_add_info_v6(mblk_t *mp, ill_t *ill, const in6_addr_t *dst) 3078 { 3079 mblk_t *mp1; 3080 ip6i_t *ip6i; 3081 ip6_t *ip6h; 3082 3083 ip6h = (ip6_t *)mp->b_rptr; 3084 ip6i = (ip6i_t *)(mp->b_rptr - sizeof (ip6i_t)); 3085 if ((uchar_t *)ip6i < mp->b_datap->db_base || 3086 mp->b_datap->db_ref > 1) { 3087 mp1 = allocb(sizeof (ip6i_t), BPRI_MED); 3088 if (mp1 == NULL) { 3089 freemsg(mp); 3090 return (NULL); 3091 } 3092 mp1->b_wptr = mp1->b_rptr = mp1->b_datap->db_lim; 3093 mp1->b_cont = mp; 3094 mp = mp1; 3095 ip6i = (ip6i_t *)(mp->b_rptr - sizeof (ip6i_t)); 3096 } 3097 mp->b_rptr = (uchar_t *)ip6i; 3098 ip6i->ip6i_vcf = ip6h->ip6_vcf; 3099 ip6i->ip6i_nxt = IPPROTO_RAW; 3100 if (ill != NULL) { 3101 ip6i->ip6i_flags = IP6I_IFINDEX; 3102 ip6i->ip6i_ifindex = ill->ill_phyint->phyint_ifindex; 3103 } else { 3104 ip6i->ip6i_flags = 0; 3105 } 3106 ip6i->ip6i_nexthop = *dst; 3107 return (mp); 3108 } 3109 3110 /* 3111 * Handle protocols with which IP is less intimate. There 3112 * can be more than one stream bound to a particular 3113 * protocol. When this is the case, normally each one gets a copy 3114 * of any incoming packets. 3115 * However, if the packet was tunneled and not multicast we only send to it 3116 * the first match. 3117 * 3118 * Zones notes: 3119 * Packets will be distributed to streams in all zones. This is really only 3120 * useful for ICMPv6 as only applications in the global zone can create raw 3121 * sockets for other protocols. 3122 */ 3123 static void 3124 ip_fanout_proto_v6(queue_t *q, mblk_t *mp, ip6_t *ip6h, ill_t *ill, 3125 ill_t *inill, uint8_t nexthdr, uint_t nexthdr_offset, uint_t flags, 3126 boolean_t mctl_present, zoneid_t zoneid) 3127 { 3128 queue_t *rq; 3129 mblk_t *mp1, *first_mp1; 3130 in6_addr_t dst = ip6h->ip6_dst; 3131 in6_addr_t src = ip6h->ip6_src; 3132 boolean_t one_only; 3133 mblk_t *first_mp = mp; 3134 boolean_t secure; 3135 conn_t *connp, *first_connp, *next_connp; 3136 connf_t *connfp; 3137 3138 if (mctl_present) { 3139 mp = first_mp->b_cont; 3140 secure = ipsec_in_is_secure(first_mp); 3141 ASSERT(mp != NULL); 3142 } else { 3143 secure = B_FALSE; 3144 } 3145 3146 /* 3147 * If the packet was tunneled and not multicast we only send to it 3148 * the first match. 3149 */ 3150 one_only = ((nexthdr == IPPROTO_ENCAP || nexthdr == IPPROTO_IPV6) && 3151 !IN6_IS_ADDR_MULTICAST(&dst)); 3152 3153 connfp = &ipcl_proto_fanout_v6[nexthdr]; 3154 mutex_enter(&connfp->connf_lock); 3155 connp = connfp->connf_head; 3156 for (connp = connfp->connf_head; connp != NULL; 3157 connp = connp->conn_next) { 3158 if (IPCL_PROTO_MATCH_V6(connp, nexthdr, ip6h, ill, flags, 3159 zoneid)) 3160 break; 3161 } 3162 3163 if (connp == NULL || connp->conn_upq == NULL) { 3164 /* 3165 * No one bound to this port. Is 3166 * there a client that wants all 3167 * unclaimed datagrams? 3168 */ 3169 mutex_exit(&connfp->connf_lock); 3170 if (ip_fanout_send_icmp_v6(q, first_mp, flags, 3171 ICMP6_PARAM_PROB, ICMP6_PARAMPROB_NEXTHEADER, 3172 nexthdr_offset, mctl_present, zoneid)) { 3173 BUMP_MIB(ill->ill_ip6_mib, ipv6InUnknownProtos); 3174 } 3175 3176 return; 3177 } 3178 3179 CONN_INC_REF(connp); 3180 first_connp = connp; 3181 3182 /* 3183 * XXX: Fix the multiple protocol listeners case. We should not 3184 * be walking the conn->next list here. 3185 */ 3186 if (one_only) { 3187 /* 3188 * Only send message to one tunnel driver by immediately 3189 * terminating the loop. 3190 */ 3191 connp = NULL; 3192 } else { 3193 connp = connp->conn_next; 3194 3195 } 3196 for (;;) { 3197 while (connp != NULL) { 3198 if (IPCL_PROTO_MATCH_V6(connp, nexthdr, ip6h, ill, 3199 flags, zoneid)) 3200 break; 3201 connp = connp->conn_next; 3202 } 3203 3204 /* 3205 * Just copy the data part alone. The mctl part is 3206 * needed just for verifying policy and it is never 3207 * sent up. 3208 */ 3209 if (connp == NULL || connp->conn_upq == NULL || 3210 (((first_mp1 = dupmsg(first_mp)) == NULL) && 3211 ((first_mp1 = ip_copymsg(first_mp)) == NULL))) { 3212 /* 3213 * No more intested clients or memory 3214 * allocation failed 3215 */ 3216 connp = first_connp; 3217 break; 3218 } 3219 mp1 = mctl_present ? first_mp1->b_cont : first_mp1; 3220 CONN_INC_REF(connp); 3221 mutex_exit(&connfp->connf_lock); 3222 rq = connp->conn_rq; 3223 /* 3224 * For link-local always add ifindex so that transport can set 3225 * sin6_scope_id. Avoid it for ICMP error fanout. 3226 */ 3227 if ((connp->conn_ipv6_recvpktinfo || 3228 IN6_IS_ADDR_LINKLOCAL(&src)) && 3229 (flags & IP_FF_IP6INFO)) { 3230 /* Add header */ 3231 mp1 = ip_add_info_v6(mp1, inill, &dst); 3232 } 3233 if (mp1 == NULL) { 3234 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 3235 } else if (!canputnext(rq)) { 3236 if (flags & IP_FF_RAWIP) { 3237 BUMP_MIB(ill->ill_ip6_mib, rawipInOverflows); 3238 } else { 3239 BUMP_MIB(ill->ill_icmp6_mib, 3240 ipv6IfIcmpInOverflows); 3241 } 3242 3243 freemsg(mp1); 3244 } else { 3245 if (CONN_INBOUND_POLICY_PRESENT_V6(connp) || secure) { 3246 first_mp1 = ipsec_check_inbound_policy 3247 (first_mp1, connp, NULL, ip6h, 3248 mctl_present); 3249 } 3250 if (first_mp1 != NULL) { 3251 if (mctl_present) 3252 freeb(first_mp1); 3253 BUMP_MIB(ill->ill_ip6_mib, ipv6InDelivers); 3254 putnext(rq, mp1); 3255 } 3256 } 3257 mutex_enter(&connfp->connf_lock); 3258 /* Follow the next pointer before releasing the conn. */ 3259 next_connp = connp->conn_next; 3260 CONN_DEC_REF(connp); 3261 connp = next_connp; 3262 } 3263 3264 /* Last one. Send it upstream. */ 3265 mutex_exit(&connfp->connf_lock); 3266 3267 /* Initiate IPPF processing */ 3268 if (IP6_IN_IPP(flags)) { 3269 uint_t ifindex; 3270 3271 mutex_enter(&ill->ill_lock); 3272 ifindex = ill->ill_phyint->phyint_ifindex; 3273 mutex_exit(&ill->ill_lock); 3274 ip_process(IPP_LOCAL_IN, &mp, ifindex); 3275 if (mp == NULL) { 3276 CONN_DEC_REF(connp); 3277 if (mctl_present) 3278 freeb(first_mp); 3279 return; 3280 } 3281 } 3282 3283 /* 3284 * For link-local always add ifindex so that transport can set 3285 * sin6_scope_id. Avoid it for ICMP error fanout. 3286 */ 3287 if ((connp->conn_ipv6_recvpktinfo || IN6_IS_ADDR_LINKLOCAL(&src)) && 3288 (flags & IP_FF_IP6INFO)) { 3289 /* Add header */ 3290 mp = ip_add_info_v6(mp, inill, &dst); 3291 if (mp == NULL) { 3292 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 3293 CONN_DEC_REF(connp); 3294 if (mctl_present) 3295 freeb(first_mp); 3296 return; 3297 } else if (mctl_present) { 3298 first_mp->b_cont = mp; 3299 } else { 3300 first_mp = mp; 3301 } 3302 } 3303 3304 rq = connp->conn_rq; 3305 if (!canputnext(rq)) { 3306 if (flags & IP_FF_RAWIP) { 3307 BUMP_MIB(ill->ill_ip6_mib, rawipInOverflows); 3308 } else { 3309 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInOverflows); 3310 } 3311 3312 freemsg(first_mp); 3313 } else { 3314 if (CONN_INBOUND_POLICY_PRESENT_V6(connp) || secure) { 3315 first_mp = ipsec_check_inbound_policy(first_mp, connp, 3316 NULL, ip6h, mctl_present); 3317 if (first_mp == NULL) { 3318 CONN_DEC_REF(connp); 3319 return; 3320 } 3321 } 3322 BUMP_MIB(ill->ill_ip6_mib, ipv6InDelivers); 3323 putnext(rq, mp); 3324 if (mctl_present) 3325 freeb(first_mp); 3326 } 3327 CONN_DEC_REF(connp); 3328 } 3329 3330 /* 3331 * Send an ICMP error after patching up the packet appropriately. Returns 3332 * non-zero if the appropriate MIB should be bumped; zero otherwise. 3333 */ 3334 int 3335 ip_fanout_send_icmp_v6(queue_t *q, mblk_t *mp, uint_t flags, 3336 uint_t icmp_type, uint8_t icmp_code, uint_t nexthdr_offset, 3337 boolean_t mctl_present, zoneid_t zoneid) 3338 { 3339 ip6_t *ip6h; 3340 mblk_t *first_mp; 3341 boolean_t secure; 3342 unsigned char db_type; 3343 3344 first_mp = mp; 3345 if (mctl_present) { 3346 mp = mp->b_cont; 3347 secure = ipsec_in_is_secure(first_mp); 3348 ASSERT(mp != NULL); 3349 } else { 3350 /* 3351 * If this is an ICMP error being reported - which goes 3352 * up as M_CTLs, we need to convert them to M_DATA till 3353 * we finish checking with global policy because 3354 * ipsec_check_global_policy() assumes M_DATA as clear 3355 * and M_CTL as secure. 3356 */ 3357 db_type = mp->b_datap->db_type; 3358 mp->b_datap->db_type = M_DATA; 3359 secure = B_FALSE; 3360 } 3361 /* 3362 * We are generating an icmp error for some inbound packet. 3363 * Called from all ip_fanout_(udp, tcp, proto) functions. 3364 * Before we generate an error, check with global policy 3365 * to see whether this is allowed to enter the system. As 3366 * there is no "conn", we are checking with global policy. 3367 */ 3368 ip6h = (ip6_t *)mp->b_rptr; 3369 if (secure || ipsec_inbound_v6_policy_present) { 3370 first_mp = ipsec_check_global_policy(first_mp, NULL, 3371 NULL, ip6h, mctl_present); 3372 if (first_mp == NULL) 3373 return (0); 3374 } 3375 3376 if (!mctl_present) 3377 mp->b_datap->db_type = db_type; 3378 3379 if (flags & IP_FF_SEND_ICMP) { 3380 if (flags & IP_FF_HDR_COMPLETE) { 3381 if (ip_hdr_complete_v6(ip6h, zoneid)) { 3382 freemsg(first_mp); 3383 return (1); 3384 } 3385 } 3386 switch (icmp_type) { 3387 case ICMP6_DST_UNREACH: 3388 icmp_unreachable_v6(WR(q), first_mp, icmp_code, 3389 B_FALSE, B_FALSE); 3390 break; 3391 case ICMP6_PARAM_PROB: 3392 icmp_param_problem_v6(WR(q), first_mp, icmp_code, 3393 nexthdr_offset, B_FALSE, B_FALSE); 3394 break; 3395 default: 3396 #ifdef DEBUG 3397 panic("ip_fanout_send_icmp_v6: wrong type"); 3398 /*NOTREACHED*/ 3399 #else 3400 freemsg(first_mp); 3401 break; 3402 #endif 3403 } 3404 } else { 3405 freemsg(first_mp); 3406 return (0); 3407 } 3408 3409 return (1); 3410 } 3411 3412 3413 /* 3414 * Fanout for TCP packets 3415 * The caller puts <fport, lport> in the ports parameter. 3416 */ 3417 static void 3418 ip_fanout_tcp_v6(queue_t *q, mblk_t *mp, ip6_t *ip6h, ill_t *ill, ill_t *inill, 3419 uint_t flags, uint_t hdr_len, boolean_t mctl_present, zoneid_t zoneid) 3420 { 3421 mblk_t *first_mp; 3422 boolean_t secure; 3423 conn_t *connp; 3424 tcph_t *tcph; 3425 boolean_t syn_present = B_FALSE; 3426 3427 first_mp = mp; 3428 if (mctl_present) { 3429 mp = first_mp->b_cont; 3430 secure = ipsec_in_is_secure(first_mp); 3431 ASSERT(mp != NULL); 3432 } else { 3433 secure = B_FALSE; 3434 } 3435 3436 connp = ipcl_classify_v6(mp, IPPROTO_TCP, hdr_len, zoneid); 3437 3438 if (connp == NULL || 3439 !conn_wantpacket_v6(connp, ill, ip6h, flags, zoneid)) { 3440 /* 3441 * No hard-bound match. Send Reset. 3442 */ 3443 dblk_t *dp = mp->b_datap; 3444 uint32_t ill_index; 3445 3446 ASSERT((dp->db_struioflag & STRUIO_IP) == 0); 3447 3448 /* Initiate IPPf processing, if needed. */ 3449 if (IPP_ENABLED(IPP_LOCAL_IN) && (flags & IP6_NO_IPPOLICY)) { 3450 ill_index = ill->ill_phyint->phyint_ifindex; 3451 ip_process(IPP_LOCAL_IN, &first_mp, ill_index); 3452 if (first_mp == NULL) { 3453 if (connp != NULL) 3454 CONN_DEC_REF(connp); 3455 return; 3456 } 3457 } 3458 BUMP_MIB(ill->ill_ip6_mib, ipv6InDelivers); 3459 tcp_xmit_listeners_reset(first_mp, hdr_len); 3460 if (connp != NULL) 3461 CONN_DEC_REF(connp); 3462 return; 3463 } 3464 3465 tcph = (tcph_t *)&mp->b_rptr[hdr_len]; 3466 if ((tcph->th_flags[0] & (TH_SYN|TH_ACK|TH_RST|TH_URG)) == TH_SYN) { 3467 if (connp->conn_flags & IPCL_TCP) { 3468 squeue_t *sqp; 3469 3470 /* 3471 * For fused tcp loopback, assign the eager's 3472 * squeue to be that of the active connect's. 3473 */ 3474 if ((flags & IP_FF_LOOPBACK) && do_tcp_fusion && 3475 !CONN_INBOUND_POLICY_PRESENT_V6(connp) && !secure && 3476 !IP6_IN_IPP(flags)) { 3477 ASSERT(Q_TO_CONN(q) != NULL); 3478 sqp = Q_TO_CONN(q)->conn_sqp; 3479 } else { 3480 sqp = IP_SQUEUE_GET(lbolt); 3481 } 3482 3483 mp->b_datap->db_struioflag |= STRUIO_EAGER; 3484 DB_CKSUMSTART(mp) = (intptr_t)sqp; 3485 3486 /* 3487 * db_cksumstuff is unused in the incoming 3488 * path; Thus store the ifindex here. It will 3489 * be cleared in tcp_conn_create_v6(). 3490 */ 3491 DB_CKSUMSTUFF(mp) = 3492 (intptr_t)ill->ill_phyint->phyint_ifindex; 3493 syn_present = B_TRUE; 3494 } 3495 } 3496 3497 if (IPCL_IS_TCP(connp) && IPCL_IS_BOUND(connp) && !syn_present) { 3498 uint_t flags = (unsigned int)tcph->th_flags[0] & 0xFF; 3499 if ((flags & TH_RST) || (flags & TH_URG)) { 3500 CONN_DEC_REF(connp); 3501 freemsg(first_mp); 3502 return; 3503 } 3504 if (flags & TH_ACK) { 3505 tcp_xmit_listeners_reset(first_mp, hdr_len); 3506 CONN_DEC_REF(connp); 3507 return; 3508 } 3509 3510 CONN_DEC_REF(connp); 3511 freemsg(first_mp); 3512 return; 3513 } 3514 3515 if (CONN_INBOUND_POLICY_PRESENT_V6(connp) || secure) { 3516 first_mp = ipsec_check_inbound_policy(first_mp, connp, 3517 NULL, ip6h, mctl_present); 3518 if (first_mp == NULL) { 3519 CONN_DEC_REF(connp); 3520 return; 3521 } 3522 if (IPCL_IS_TCP(connp) && IPCL_IS_BOUND(connp)) { 3523 ASSERT(syn_present); 3524 if (mctl_present) { 3525 ASSERT(first_mp != mp); 3526 first_mp->b_datap->db_struioflag |= 3527 STRUIO_POLICY; 3528 } else { 3529 ASSERT(first_mp == mp); 3530 mp->b_datap->db_struioflag &= 3531 ~STRUIO_EAGER; 3532 mp->b_datap->db_struioflag |= 3533 STRUIO_POLICY; 3534 } 3535 } else { 3536 /* 3537 * Discard first_mp early since we're dealing with a 3538 * fully-connected conn_t and tcp doesn't do policy in 3539 * this case. Also, if someone is bound to IPPROTO_TCP 3540 * over raw IP, they don't expect to see a M_CTL. 3541 */ 3542 if (mctl_present) { 3543 freeb(first_mp); 3544 mctl_present = B_FALSE; 3545 } 3546 first_mp = mp; 3547 } 3548 } 3549 3550 /* Initiate IPPF processing */ 3551 if (IP6_IN_IPP(flags)) { 3552 uint_t ifindex; 3553 3554 mutex_enter(&ill->ill_lock); 3555 ifindex = ill->ill_phyint->phyint_ifindex; 3556 mutex_exit(&ill->ill_lock); 3557 ip_process(IPP_LOCAL_IN, &mp, ifindex); 3558 if (mp == NULL) { 3559 CONN_DEC_REF(connp); 3560 if (mctl_present) { 3561 freeb(first_mp); 3562 } 3563 return; 3564 } else if (mctl_present) { 3565 /* 3566 * ip_add_info_v6 might return a new mp. 3567 */ 3568 ASSERT(first_mp != mp); 3569 first_mp->b_cont = mp; 3570 } else { 3571 first_mp = mp; 3572 } 3573 } 3574 3575 /* 3576 * For link-local always add ifindex so that TCP can bind to that 3577 * interface. Avoid it for ICMP error fanout. 3578 */ 3579 if (!syn_present && ((connp->conn_ipv6_recvpktinfo || 3580 IN6_IS_ADDR_LINKLOCAL(&ip6h->ip6_src)) && 3581 (flags & IP_FF_IP6INFO))) { 3582 /* Add header */ 3583 mp = ip_add_info_v6(mp, inill, &ip6h->ip6_dst); 3584 if (mp == NULL) { 3585 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 3586 CONN_DEC_REF(connp); 3587 if (mctl_present) 3588 freeb(first_mp); 3589 return; 3590 } else if (mctl_present) { 3591 ASSERT(first_mp != mp); 3592 first_mp->b_cont = mp; 3593 } else { 3594 first_mp = mp; 3595 } 3596 } 3597 3598 BUMP_MIB(ill->ill_ip6_mib, ipv6InDelivers); 3599 if (IPCL_IS_TCP(connp)) { 3600 (*ip_input_proc)(connp->conn_sqp, first_mp, 3601 connp->conn_recv, connp, SQTAG_IP6_TCP_INPUT); 3602 } else { 3603 putnext(connp->conn_rq, first_mp); 3604 CONN_DEC_REF(connp); 3605 } 3606 } 3607 3608 /* 3609 * Fanout for UDP packets. 3610 * The caller puts <fport, lport> in the ports parameter. 3611 * ire_type must be IRE_BROADCAST for multicast and broadcast packets. 3612 * 3613 * If SO_REUSEADDR is set all multicast and broadcast packets 3614 * will be delivered to all streams bound to the same port. 3615 * 3616 * Zones notes: 3617 * Multicast packets will be distributed to streams in all zones. 3618 */ 3619 static void 3620 ip_fanout_udp_v6(queue_t *q, mblk_t *mp, ip6_t *ip6h, uint32_t ports, 3621 ill_t *ill, ill_t *inill, uint_t flags, boolean_t mctl_present, 3622 zoneid_t zoneid) 3623 { 3624 uint32_t dstport, srcport; 3625 in6_addr_t dst; 3626 mblk_t *first_mp; 3627 boolean_t secure; 3628 conn_t *connp; 3629 connf_t *connfp; 3630 conn_t *first_conn; 3631 conn_t *next_conn; 3632 mblk_t *mp1, *first_mp1; 3633 in6_addr_t src; 3634 3635 first_mp = mp; 3636 if (mctl_present) { 3637 mp = first_mp->b_cont; 3638 secure = ipsec_in_is_secure(first_mp); 3639 ASSERT(mp != NULL); 3640 } else { 3641 secure = B_FALSE; 3642 } 3643 3644 /* Extract ports in net byte order */ 3645 dstport = htons(ntohl(ports) & 0xFFFF); 3646 srcport = htons(ntohl(ports) >> 16); 3647 dst = ip6h->ip6_dst; 3648 src = ip6h->ip6_src; 3649 3650 /* Attempt to find a client stream based on destination port. */ 3651 connfp = &ipcl_udp_fanout[IPCL_UDP_HASH(dstport)]; 3652 mutex_enter(&connfp->connf_lock); 3653 connp = connfp->connf_head; 3654 if (!IN6_IS_ADDR_MULTICAST(&dst)) { 3655 /* 3656 * Not multicast. Send to the one (first) client we find. 3657 */ 3658 while (connp != NULL) { 3659 if (IPCL_UDP_MATCH_V6(connp, dstport, dst, srcport, 3660 src) && connp->conn_zoneid == zoneid && 3661 conn_wantpacket_v6(connp, ill, ip6h, 3662 flags, zoneid)) { 3663 break; 3664 } 3665 connp = connp->conn_next; 3666 } 3667 if (connp == NULL || connp->conn_upq == NULL) 3668 goto notfound; 3669 3670 /* Found a client */ 3671 CONN_INC_REF(connp); 3672 mutex_exit(&connfp->connf_lock); 3673 3674 if (CONN_UDP_FLOWCTLD(connp)) { 3675 freemsg(first_mp); 3676 BUMP_MIB(ill->ill_ip6_mib, udpInOverflows); 3677 CONN_DEC_REF(connp); 3678 return; 3679 } 3680 if (CONN_INBOUND_POLICY_PRESENT_V6(connp) || secure) { 3681 first_mp = ipsec_check_inbound_policy(first_mp, 3682 connp, NULL, ip6h, mctl_present); 3683 if (first_mp == NULL) { 3684 CONN_DEC_REF(connp); 3685 return; 3686 } 3687 } 3688 /* Initiate IPPF processing */ 3689 if (IP6_IN_IPP(flags)) { 3690 uint_t ifindex; 3691 3692 mutex_enter(&ill->ill_lock); 3693 ifindex = ill->ill_phyint->phyint_ifindex; 3694 mutex_exit(&ill->ill_lock); 3695 ip_process(IPP_LOCAL_IN, &mp, ifindex); 3696 if (mp == NULL) { 3697 CONN_DEC_REF(connp); 3698 if (mctl_present) 3699 freeb(first_mp); 3700 return; 3701 } 3702 } 3703 /* 3704 * For link-local always add ifindex so that 3705 * transport can set sin6_scope_id. Avoid it for 3706 * ICMP error fanout. 3707 */ 3708 if ((connp->conn_ipv6_recvpktinfo || 3709 IN6_IS_ADDR_LINKLOCAL(&src)) && 3710 (flags & IP_FF_IP6INFO)) { 3711 /* Add header */ 3712 mp = ip_add_info_v6(mp, inill, &dst); 3713 if (mp == NULL) { 3714 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 3715 CONN_DEC_REF(connp); 3716 if (mctl_present) 3717 freeb(first_mp); 3718 return; 3719 } else if (mctl_present) { 3720 first_mp->b_cont = mp; 3721 } else { 3722 first_mp = mp; 3723 } 3724 } 3725 BUMP_MIB(ill->ill_ip6_mib, ipv6InDelivers); 3726 3727 /* Send it upstream */ 3728 CONN_UDP_RECV(connp, mp); 3729 3730 IP6_STAT(ip6_udp_fannorm); 3731 CONN_DEC_REF(connp); 3732 if (mctl_present) 3733 freeb(first_mp); 3734 return; 3735 } 3736 3737 /* 3738 * The code is fine but we shouldn't be walking the conn_next 3739 * list in IPv6 (its a classifier private data struct). Maybe create 3740 * a classifier API to put a REF_HOLD on all matching conn in the 3741 * list and return an array. 3742 */ 3743 while (connp != NULL) { 3744 if ((IPCL_UDP_MATCH_V6(connp, dstport, dst, srcport, src)) && 3745 conn_wantpacket_v6(connp, ill, ip6h, flags, zoneid)) 3746 break; 3747 connp = connp->conn_next; 3748 } 3749 3750 if (connp == NULL || connp->conn_upq == NULL) 3751 goto notfound; 3752 3753 first_conn = connp; 3754 3755 CONN_INC_REF(connp); 3756 connp = connp->conn_next; 3757 for (;;) { 3758 while (connp != NULL) { 3759 if (IPCL_UDP_MATCH_V6(connp, dstport, dst, srcport, 3760 src) && conn_wantpacket_v6(connp, ill, ip6h, 3761 flags, zoneid)) 3762 break; 3763 connp = connp->conn_next; 3764 } 3765 /* 3766 * Just copy the data part alone. The mctl part is 3767 * needed just for verifying policy and it is never 3768 * sent up. 3769 */ 3770 if (connp == NULL || 3771 (((first_mp1 = dupmsg(first_mp)) == NULL) && 3772 ((first_mp1 = ip_copymsg(first_mp)) 3773 == NULL))) { 3774 /* 3775 * No more interested clients or memory 3776 * allocation failed 3777 */ 3778 connp = first_conn; 3779 break; 3780 } 3781 mp1 = mctl_present ? first_mp1->b_cont : first_mp1; 3782 CONN_INC_REF(connp); 3783 mutex_exit(&connfp->connf_lock); 3784 /* 3785 * For link-local always add ifindex so that transport 3786 * can set sin6_scope_id. Avoid it for ICMP error 3787 * fanout. 3788 */ 3789 if ((connp->conn_ipv6_recvpktinfo || 3790 IN6_IS_ADDR_LINKLOCAL(&src)) && 3791 (flags & IP_FF_IP6INFO)) { 3792 /* Add header */ 3793 mp1 = ip_add_info_v6(mp1, inill, &dst); 3794 } 3795 if (mp1 == NULL) { 3796 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 3797 goto next_one; 3798 } 3799 if (CONN_UDP_FLOWCTLD(connp)) { 3800 BUMP_MIB(ill->ill_ip6_mib, udpInOverflows); 3801 freemsg(mp1); 3802 goto next_one; 3803 } 3804 3805 if (CONN_INBOUND_POLICY_PRESENT_V6(connp) || 3806 secure) { 3807 first_mp1 = ipsec_check_inbound_policy 3808 (first_mp1, connp, NULL, ip6h, 3809 mctl_present); 3810 } 3811 if (first_mp1 != NULL) { 3812 if (mctl_present) 3813 freeb(first_mp1); 3814 BUMP_MIB(ill->ill_ip6_mib, ipv6InDelivers); 3815 3816 /* Send it upstream */ 3817 CONN_UDP_RECV(connp, mp1); 3818 } 3819 next_one: 3820 mutex_enter(&connfp->connf_lock); 3821 /* Follow the next pointer before releasing the conn. */ 3822 next_conn = connp->conn_next; 3823 IP6_STAT(ip6_udp_fanmb); 3824 CONN_DEC_REF(connp); 3825 connp = next_conn; 3826 } 3827 3828 /* Last one. Send it upstream. */ 3829 mutex_exit(&connfp->connf_lock); 3830 3831 /* Initiate IPPF processing */ 3832 if (IP6_IN_IPP(flags)) { 3833 uint_t ifindex; 3834 3835 mutex_enter(&ill->ill_lock); 3836 ifindex = ill->ill_phyint->phyint_ifindex; 3837 mutex_exit(&ill->ill_lock); 3838 ip_process(IPP_LOCAL_IN, &mp, ifindex); 3839 if (mp == NULL) { 3840 CONN_DEC_REF(connp); 3841 if (mctl_present) { 3842 freeb(first_mp); 3843 } 3844 return; 3845 } 3846 } 3847 3848 /* 3849 * For link-local always add ifindex so that transport can set 3850 * sin6_scope_id. Avoid it for ICMP error fanout. 3851 */ 3852 if ((connp->conn_ipv6_recvpktinfo || 3853 IN6_IS_ADDR_LINKLOCAL(&src)) && (flags & IP_FF_IP6INFO)) { 3854 /* Add header */ 3855 mp = ip_add_info_v6(mp, inill, &dst); 3856 if (mp == NULL) { 3857 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 3858 CONN_DEC_REF(connp); 3859 if (mctl_present) 3860 freeb(first_mp); 3861 return; 3862 } else if (mctl_present) { 3863 first_mp->b_cont = mp; 3864 } else { 3865 first_mp = mp; 3866 } 3867 } 3868 if (CONN_UDP_FLOWCTLD(connp)) { 3869 BUMP_MIB(ill->ill_ip6_mib, udpInOverflows); 3870 freemsg(mp); 3871 } else { 3872 if (CONN_INBOUND_POLICY_PRESENT_V6(connp) || secure) { 3873 first_mp = ipsec_check_inbound_policy(first_mp, 3874 connp, NULL, ip6h, mctl_present); 3875 if (first_mp == NULL) { 3876 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 3877 CONN_DEC_REF(connp); 3878 return; 3879 } 3880 } 3881 BUMP_MIB(ill->ill_ip6_mib, ipv6InDelivers); 3882 3883 /* Send it upstream */ 3884 CONN_UDP_RECV(connp, mp); 3885 } 3886 IP6_STAT(ip6_udp_fanmb); 3887 CONN_DEC_REF(connp); 3888 if (mctl_present) 3889 freeb(first_mp); 3890 return; 3891 3892 notfound: 3893 mutex_exit(&connfp->connf_lock); 3894 /* 3895 * No one bound to this port. Is 3896 * there a client that wants all 3897 * unclaimed datagrams? 3898 */ 3899 if (ipcl_proto_fanout_v6[IPPROTO_UDP].connf_head != NULL) { 3900 ip_fanout_proto_v6(q, first_mp, ip6h, ill, inill, IPPROTO_UDP, 3901 0, flags | IP_FF_RAWIP | IP_FF_IP6INFO, mctl_present, 3902 zoneid); 3903 } else { 3904 if (ip_fanout_send_icmp_v6(q, first_mp, flags, 3905 ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOPORT, 0, 3906 mctl_present, zoneid)) { 3907 BUMP_MIB(&ip_mib, udpNoPorts); 3908 } 3909 } 3910 } 3911 3912 /* 3913 * int ip_find_hdr_v6() 3914 * 3915 * This routine is used by the upper layer protocols and the IP tunnel 3916 * module to: 3917 * - Set extension header pointers to appropriate locations 3918 * - Determine IPv6 header length and return it 3919 * - Return a pointer to the last nexthdr value 3920 * 3921 * The caller must initialize ipp_fields. 3922 * 3923 * NOTE: If multiple extension headers of the same type are present, 3924 * ip_find_hdr_v6() will set the respective extension header pointers 3925 * to the first one that it encounters in the IPv6 header. It also 3926 * skips fragment headers. This routine deals with malformed packets 3927 * of various sorts in which case the returned length is up to the 3928 * malformed part. 3929 */ 3930 int 3931 ip_find_hdr_v6(mblk_t *mp, ip6_t *ip6h, ip6_pkt_t *ipp, uint8_t *nexthdrp) 3932 { 3933 uint_t length, ehdrlen; 3934 uint8_t nexthdr; 3935 uint8_t *whereptr, *endptr; 3936 ip6_dest_t *tmpdstopts; 3937 ip6_rthdr_t *tmprthdr; 3938 ip6_hbh_t *tmphopopts; 3939 ip6_frag_t *tmpfraghdr; 3940 3941 length = IPV6_HDR_LEN; 3942 whereptr = ((uint8_t *)&ip6h[1]); /* point to next hdr */ 3943 endptr = mp->b_wptr; 3944 3945 nexthdr = ip6h->ip6_nxt; 3946 while (whereptr < endptr) { 3947 /* Is there enough left for len + nexthdr? */ 3948 if (whereptr + MIN_EHDR_LEN > endptr) 3949 goto done; 3950 3951 switch (nexthdr) { 3952 case IPPROTO_HOPOPTS: 3953 tmphopopts = (ip6_hbh_t *)whereptr; 3954 ehdrlen = 8 * (tmphopopts->ip6h_len + 1); 3955 if ((uchar_t *)tmphopopts + ehdrlen > endptr) 3956 goto done; 3957 nexthdr = tmphopopts->ip6h_nxt; 3958 /* return only 1st hbh */ 3959 if (!(ipp->ipp_fields & IPPF_HOPOPTS)) { 3960 ipp->ipp_fields |= IPPF_HOPOPTS; 3961 ipp->ipp_hopopts = tmphopopts; 3962 ipp->ipp_hopoptslen = ehdrlen; 3963 } 3964 break; 3965 case IPPROTO_DSTOPTS: 3966 tmpdstopts = (ip6_dest_t *)whereptr; 3967 ehdrlen = 8 * (tmpdstopts->ip6d_len + 1); 3968 if ((uchar_t *)tmpdstopts + ehdrlen > endptr) 3969 goto done; 3970 nexthdr = tmpdstopts->ip6d_nxt; 3971 /* 3972 * ipp_dstopts is set to the destination header after a 3973 * routing header. 3974 * Assume it is a post-rthdr destination header 3975 * and adjust when we find an rthdr. 3976 */ 3977 if (!(ipp->ipp_fields & IPPF_DSTOPTS)) { 3978 ipp->ipp_fields |= IPPF_DSTOPTS; 3979 ipp->ipp_dstopts = tmpdstopts; 3980 ipp->ipp_dstoptslen = ehdrlen; 3981 } 3982 break; 3983 case IPPROTO_ROUTING: 3984 tmprthdr = (ip6_rthdr_t *)whereptr; 3985 ehdrlen = 8 * (tmprthdr->ip6r_len + 1); 3986 if ((uchar_t *)tmprthdr + ehdrlen > endptr) 3987 goto done; 3988 nexthdr = tmprthdr->ip6r_nxt; 3989 /* return only 1st rthdr */ 3990 if (!(ipp->ipp_fields & IPPF_RTHDR)) { 3991 ipp->ipp_fields |= IPPF_RTHDR; 3992 ipp->ipp_rthdr = tmprthdr; 3993 ipp->ipp_rthdrlen = ehdrlen; 3994 } 3995 /* 3996 * Make any destination header we've seen be a 3997 * pre-rthdr destination header. 3998 */ 3999 if (ipp->ipp_fields & IPPF_DSTOPTS) { 4000 ipp->ipp_fields &= ~IPPF_DSTOPTS; 4001 ipp->ipp_fields |= IPPF_RTDSTOPTS; 4002 ipp->ipp_rtdstopts = ipp->ipp_dstopts; 4003 ipp->ipp_dstopts = NULL; 4004 ipp->ipp_rtdstoptslen = ipp->ipp_dstoptslen; 4005 ipp->ipp_dstoptslen = 0; 4006 } 4007 break; 4008 case IPPROTO_FRAGMENT: 4009 /* 4010 * Fragment headers are skipped. Currently, only 4011 * IP cares for their existence. If anyone other 4012 * than IP ever has the need to know about the 4013 * location of fragment headers, support can be 4014 * added to the ip6_pkt_t at that time. 4015 */ 4016 tmpfraghdr = (ip6_frag_t *)whereptr; 4017 ehdrlen = sizeof (ip6_frag_t); 4018 if ((uchar_t *)tmpfraghdr + ehdrlen > endptr) 4019 goto done; 4020 nexthdr = tmpfraghdr->ip6f_nxt; 4021 break; 4022 case IPPROTO_NONE: 4023 default: 4024 goto done; 4025 } 4026 length += ehdrlen; 4027 whereptr += ehdrlen; 4028 } 4029 done: 4030 if (nexthdrp != NULL) 4031 *nexthdrp = nexthdr; 4032 return (length); 4033 } 4034 4035 int 4036 ip_hdr_complete_v6(ip6_t *ip6h, zoneid_t zoneid) 4037 { 4038 ire_t *ire; 4039 4040 if (IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src)) { 4041 ire = ire_lookup_local_v6(zoneid); 4042 if (ire == NULL) { 4043 ip1dbg(("ip_hdr_complete_v6: no source IRE\n")); 4044 return (1); 4045 } 4046 ip6h->ip6_src = ire->ire_addr_v6; 4047 ire_refrele(ire); 4048 } 4049 ip6h->ip6_vcf = IPV6_DEFAULT_VERS_AND_FLOW; 4050 ip6h->ip6_hops = ipv6_def_hops; 4051 return (0); 4052 } 4053 4054 /* 4055 * Try to determine where and what are the IPv6 header length and 4056 * pointer to nexthdr value for the upper layer protocol (or an 4057 * unknown next hdr). 4058 * 4059 * Parameters returns a pointer to the nexthdr value; 4060 * Must handle malformed packets of various sorts. 4061 * Function returns failure for malformed cases. 4062 */ 4063 boolean_t 4064 ip_hdr_length_nexthdr_v6(mblk_t *mp, ip6_t *ip6h, uint16_t *hdr_length_ptr, 4065 uint8_t **nexthdrpp) 4066 { 4067 uint16_t length; 4068 uint_t ehdrlen; 4069 uint8_t *nexthdrp; 4070 uint8_t *whereptr; 4071 uint8_t *endptr; 4072 ip6_dest_t *desthdr; 4073 ip6_rthdr_t *rthdr; 4074 ip6_frag_t *fraghdr; 4075 4076 length = IPV6_HDR_LEN; 4077 whereptr = ((uint8_t *)&ip6h[1]); /* point to next hdr */ 4078 endptr = mp->b_wptr; 4079 4080 nexthdrp = &ip6h->ip6_nxt; 4081 while (whereptr < endptr) { 4082 /* Is there enough left for len + nexthdr? */ 4083 if (whereptr + MIN_EHDR_LEN > endptr) 4084 break; 4085 4086 switch (*nexthdrp) { 4087 case IPPROTO_HOPOPTS: 4088 case IPPROTO_DSTOPTS: 4089 /* Assumes the headers are identical for hbh and dst */ 4090 desthdr = (ip6_dest_t *)whereptr; 4091 ehdrlen = 8 * (desthdr->ip6d_len + 1); 4092 if ((uchar_t *)desthdr + ehdrlen > endptr) 4093 return (B_FALSE); 4094 nexthdrp = &desthdr->ip6d_nxt; 4095 break; 4096 case IPPROTO_ROUTING: 4097 rthdr = (ip6_rthdr_t *)whereptr; 4098 ehdrlen = 8 * (rthdr->ip6r_len + 1); 4099 if ((uchar_t *)rthdr + ehdrlen > endptr) 4100 return (B_FALSE); 4101 nexthdrp = &rthdr->ip6r_nxt; 4102 break; 4103 case IPPROTO_FRAGMENT: 4104 fraghdr = (ip6_frag_t *)whereptr; 4105 ehdrlen = sizeof (ip6_frag_t); 4106 if ((uchar_t *)&fraghdr[1] > endptr) 4107 return (B_FALSE); 4108 nexthdrp = &fraghdr->ip6f_nxt; 4109 break; 4110 case IPPROTO_NONE: 4111 /* No next header means we're finished */ 4112 default: 4113 *hdr_length_ptr = length; 4114 *nexthdrpp = nexthdrp; 4115 return (B_TRUE); 4116 } 4117 length += ehdrlen; 4118 whereptr += ehdrlen; 4119 *hdr_length_ptr = length; 4120 *nexthdrpp = nexthdrp; 4121 } 4122 switch (*nexthdrp) { 4123 case IPPROTO_HOPOPTS: 4124 case IPPROTO_DSTOPTS: 4125 case IPPROTO_ROUTING: 4126 case IPPROTO_FRAGMENT: 4127 /* 4128 * If any know extension headers are still to be processed, 4129 * the packet's malformed (or at least all the IP header(s) are 4130 * not in the same mblk - and that should never happen. 4131 */ 4132 return (B_FALSE); 4133 4134 default: 4135 /* 4136 * If we get here, we know that all of the IP headers were in 4137 * the same mblk, even if the ULP header is in the next mblk. 4138 */ 4139 *hdr_length_ptr = length; 4140 *nexthdrpp = nexthdrp; 4141 return (B_TRUE); 4142 } 4143 } 4144 4145 /* 4146 * Return the length of the IPv6 related headers (including extension headers) 4147 * Returns a length even if the packet is malformed. 4148 */ 4149 int 4150 ip_hdr_length_v6(mblk_t *mp, ip6_t *ip6h) 4151 { 4152 uint16_t hdr_len; 4153 uint8_t *nexthdrp; 4154 4155 (void) ip_hdr_length_nexthdr_v6(mp, ip6h, &hdr_len, &nexthdrp); 4156 return (hdr_len); 4157 } 4158 4159 /* 4160 * Select an ill for the packet by considering load spreading across 4161 * a different ill in the group if dst_ill is part of some group. 4162 */ 4163 static ill_t * 4164 ip_newroute_get_dst_ill_v6(ill_t *dst_ill) 4165 { 4166 ill_t *ill; 4167 4168 /* 4169 * We schedule irrespective of whether the source address is 4170 * INADDR_UNSPECIED or not. 4171 */ 4172 ill = illgrp_scheduler(dst_ill); 4173 if (ill == NULL) 4174 return (NULL); 4175 4176 /* 4177 * For groups with names ip_sioctl_groupname ensures that all 4178 * ills are of same type. For groups without names, ifgrp_insert 4179 * ensures this. 4180 */ 4181 ASSERT(dst_ill->ill_type == ill->ill_type); 4182 4183 return (ill); 4184 } 4185 4186 /* 4187 * IPv6 - 4188 * ip_newroute_v6 is called by ip_rput_data_v6 or ip_wput_v6 whenever we need 4189 * to send out a packet to a destination address for which we do not have 4190 * specific routing information. 4191 * 4192 * Handle non-multicast packets. If ill is non-NULL the match is done 4193 * for that ill. 4194 * 4195 * When a specific ill is specified (using IPV6_PKTINFO, 4196 * IPV6_MULTICAST_IF, or IPV6_BOUND_IF) we will only match 4197 * on routing entries (ftable and ctable) that have a matching 4198 * ire->ire_ipif->ipif_ill. Thus this can only be used 4199 * for destinations that are on-link for the specific ill 4200 * and that can appear on multiple links. Thus it is useful 4201 * for multicast destinations, link-local destinations, and 4202 * at some point perhaps for site-local destinations (if the 4203 * node sits at a site boundary). 4204 * We create the cache entries in the regular ctable since 4205 * it can not "confuse" things for other destinations. 4206 * table. 4207 * 4208 * When ill is part of a ill group, we subject the packets 4209 * to load spreading even if the ill is specified by the 4210 * means described above. We disable only for IPV6_BOUND_PIF 4211 * and for the cases where IP6I_ATTACH_IF is set i.e NS/NA/ 4212 * Echo replies to link-local destinations have IP6I_ATTACH_IF 4213 * set. 4214 * 4215 * NOTE : These are the scopes of some of the variables that point at IRE, 4216 * which needs to be followed while making any future modifications 4217 * to avoid memory leaks. 4218 * 4219 * - ire and sire are the entries looked up initially by 4220 * ire_ftable_lookup_v6. 4221 * - ipif_ire is used to hold the interface ire associated with 4222 * the new cache ire. But it's scope is limited, so we always REFRELE 4223 * it before branching out to error paths. 4224 * - save_ire is initialized before ire_create, so that ire returned 4225 * by ire_create will not over-write the ire. We REFRELE save_ire 4226 * before breaking out of the switch. 4227 * 4228 * Thus on failures, we have to REFRELE only ire and sire, if they 4229 * are not NULL. 4230 * 4231 * v6srcp may be used in the future. Currently unused. 4232 */ 4233 /* ARGSUSED */ 4234 void 4235 ip_newroute_v6(queue_t *q, mblk_t *mp, const in6_addr_t *v6dstp, 4236 const in6_addr_t *v6srcp, ill_t *ill, zoneid_t zoneid) 4237 { 4238 in6_addr_t v6gw; 4239 in6_addr_t dst; 4240 ire_t *ire = NULL; 4241 ipif_t *src_ipif = NULL; 4242 ill_t *dst_ill = NULL; 4243 ire_t *sire = NULL; 4244 ire_t *save_ire; 4245 mblk_t *dlureq_mp; 4246 ip6_t *ip6h; 4247 int err = 0; 4248 mblk_t *first_mp; 4249 ipsec_out_t *io; 4250 ill_t *attach_ill = NULL; 4251 ushort_t ire_marks = 0; 4252 int match_flags; 4253 boolean_t ip6i_present; 4254 ire_t *first_sire = NULL; 4255 mblk_t *copy_mp = NULL; 4256 mblk_t *xmit_mp = NULL; 4257 in6_addr_t save_dst; 4258 uint32_t multirt_flags = 4259 MULTIRT_CACHEGW | MULTIRT_USESTAMP | MULTIRT_SETSTAMP; 4260 boolean_t multirt_is_resolvable; 4261 boolean_t multirt_resolve_next; 4262 boolean_t need_rele = B_FALSE; 4263 boolean_t do_attach_ill = B_FALSE; 4264 boolean_t ip6_asp_table_held = B_FALSE; 4265 4266 ASSERT(!IN6_IS_ADDR_MULTICAST(v6dstp)); 4267 4268 first_mp = mp; 4269 if (mp->b_datap->db_type == M_CTL) { 4270 mp = mp->b_cont; 4271 io = (ipsec_out_t *)first_mp->b_rptr; 4272 ASSERT(io->ipsec_out_type == IPSEC_OUT); 4273 } else { 4274 io = NULL; 4275 } 4276 4277 /* 4278 * If this end point is bound to IPIF_NOFAILOVER, set bnf_ill and 4279 * bind_to_nofailover B_TRUE. We can't use conn to determine as it 4280 * could be NULL. 4281 * 4282 * This information can appear either in an ip6i_t or an IPSEC_OUT 4283 * message. 4284 */ 4285 ip6h = (ip6_t *)mp->b_rptr; 4286 ip6i_present = (ip6h->ip6_nxt == IPPROTO_RAW); 4287 if (ip6i_present || (io != NULL && io->ipsec_out_attach_if)) { 4288 if (!ip6i_present || 4289 ((ip6i_t *)ip6h)->ip6i_flags & IP6I_ATTACH_IF) { 4290 attach_ill = ip_grab_attach_ill(ill, first_mp, 4291 (ip6i_present ? ((ip6i_t *)ip6h)->ip6i_ifindex : 4292 io->ipsec_out_ill_index), B_TRUE); 4293 /* Failure case frees things for us. */ 4294 if (attach_ill == NULL) 4295 return; 4296 4297 /* 4298 * Check if we need an ire that will not be 4299 * looked up by anybody else i.e. HIDDEN. 4300 */ 4301 if (ill_is_probeonly(attach_ill)) 4302 ire_marks = IRE_MARK_HIDDEN; 4303 } 4304 } 4305 4306 if (IN6_IS_ADDR_LOOPBACK(v6dstp)) { 4307 ip1dbg(("ip_newroute_v6: dst with loopback addr\n")); 4308 goto icmp_err_ret; 4309 } else if ((v6srcp != NULL) && IN6_IS_ADDR_LOOPBACK(v6srcp)) { 4310 ip1dbg(("ip_newroute_v6: src with loopback addr\n")); 4311 goto icmp_err_ret; 4312 } 4313 4314 /* 4315 * If this IRE is created for forwarding or it is not for 4316 * TCP traffic, mark it as temporary. 4317 * 4318 * Is it sufficient just to check the next header?? 4319 */ 4320 if (mp->b_prev != NULL || !IP_FLOW_CONTROLLED_ULP(ip6h->ip6_nxt)) 4321 ire_marks |= IRE_MARK_TEMPORARY; 4322 4323 /* 4324 * Get what we can from ire_ftable_lookup_v6 which will follow an IRE 4325 * chain until it gets the most specific information available. 4326 * For example, we know that there is no IRE_CACHE for this dest, 4327 * but there may be an IRE_OFFSUBNET which specifies a gateway. 4328 * ire_ftable_lookup_v6 will look up the gateway, etc. 4329 */ 4330 4331 if (ill == NULL) { 4332 match_flags = MATCH_IRE_RECURSIVE | MATCH_IRE_DEFAULT | 4333 MATCH_IRE_PARENT | MATCH_IRE_RJ_BHOLE; 4334 ire = ire_ftable_lookup_v6(v6dstp, 0, 0, 0, 4335 NULL, &sire, zoneid, 0, match_flags); 4336 /* 4337 * ire_add_then_send -> ip_newroute_v6 in the CGTP case passes 4338 * in a NULL ill, but the packet could be a neighbor 4339 * solicitation/advertisment and could have a valid attach_ill. 4340 */ 4341 if (attach_ill != NULL) 4342 ill_refrele(attach_ill); 4343 } else { 4344 if (attach_ill != NULL) { 4345 /* 4346 * attach_ill is set only for communicating with 4347 * on-link hosts. So, don't look for DEFAULT. 4348 * ip_wput_v6 passes the right ill in this case and 4349 * hence we can assert. 4350 */ 4351 ASSERT(ill == attach_ill); 4352 ill_refrele(attach_ill); 4353 do_attach_ill = B_TRUE; 4354 match_flags = MATCH_IRE_RJ_BHOLE | MATCH_IRE_ILL; 4355 } else { 4356 match_flags = MATCH_IRE_RECURSIVE | MATCH_IRE_DEFAULT | 4357 MATCH_IRE_RJ_BHOLE | MATCH_IRE_ILL_GROUP; 4358 } 4359 match_flags |= MATCH_IRE_PARENT; 4360 ire = ire_ftable_lookup_v6(v6dstp, 0, 0, 0, ill->ill_ipif, 4361 &sire, zoneid, 0, match_flags); 4362 } 4363 4364 ip3dbg(("ip_newroute_v6: ire_ftable_lookup_v6() " 4365 "returned ire %p, sire %p\n", (void *)ire, (void *)sire)); 4366 4367 if (zoneid == ALL_ZONES && ire != NULL) { 4368 /* 4369 * In the forwarding case, we can use a route from any zone 4370 * since we won't change the source address. We can easily 4371 * assert that the source address is already set when there's no 4372 * ip6_info header - otherwise we'd have to call pullupmsg(). 4373 */ 4374 ASSERT(ip6i_present || 4375 !IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src)); 4376 zoneid = ire->ire_zoneid; 4377 } 4378 4379 /* 4380 * We enter a loop that will be run only once in most cases. 4381 * The loop is re-entered in the case where the destination 4382 * can be reached through multiple RTF_MULTIRT-flagged routes. 4383 * The intention is to compute multiple routes to a single 4384 * destination in a single ip_newroute_v6 call. 4385 * The information is contained in sire->ire_flags. 4386 */ 4387 do { 4388 multirt_resolve_next = B_FALSE; 4389 4390 if (dst_ill != NULL) { 4391 ill_refrele(dst_ill); 4392 dst_ill = NULL; 4393 } 4394 if (src_ipif != NULL) { 4395 ipif_refrele(src_ipif); 4396 src_ipif = NULL; 4397 } 4398 if ((sire != NULL) && sire->ire_flags & RTF_MULTIRT) { 4399 ip3dbg(("ip_newroute_v6: starting new resolution " 4400 "with first_mp %p, tag %d\n", 4401 (void *)first_mp, MULTIRT_DEBUG_TAGGED(first_mp))); 4402 4403 /* 4404 * We check if there are trailing unresolved routes for 4405 * the destination contained in sire. 4406 */ 4407 multirt_is_resolvable = 4408 ire_multirt_lookup_v6(&ire, &sire, multirt_flags); 4409 4410 ip3dbg(("ip_newroute_v6: multirt_is_resolvable %d, " 4411 "ire %p, sire %p\n", 4412 multirt_is_resolvable, (void *)ire, (void *)sire)); 4413 4414 if (!multirt_is_resolvable) { 4415 /* 4416 * No more multirt routes to resolve; give up 4417 * (all routes resolved or no more resolvable 4418 * routes). 4419 */ 4420 if (ire != NULL) { 4421 ire_refrele(ire); 4422 ire = NULL; 4423 } 4424 } else { 4425 ASSERT(sire != NULL); 4426 ASSERT(ire != NULL); 4427 /* 4428 * We simply use first_sire as a flag that 4429 * indicates if a resolvable multirt route has 4430 * already been found during the preceding 4431 * loops. If it is not the case, we may have 4432 * to send an ICMP error to report that the 4433 * destination is unreachable. We do not 4434 * IRE_REFHOLD first_sire. 4435 */ 4436 if (first_sire == NULL) { 4437 first_sire = sire; 4438 } 4439 } 4440 } 4441 if ((ire == NULL) || (ire == sire)) { 4442 /* 4443 * either ire == NULL (the destination cannot be 4444 * resolved) or ire == sire (the gateway cannot be 4445 * resolved). At this point, there are no more routes 4446 * to resolve for the destination, thus we exit. 4447 */ 4448 if (ip_debug > 3) { 4449 /* ip2dbg */ 4450 pr_addr_dbg("ip_newroute_v6: " 4451 "can't resolve %s\n", AF_INET6, v6dstp); 4452 } 4453 ip3dbg(("ip_newroute_v6: " 4454 "ire %p, sire %p, first_sire %p\n", 4455 (void *)ire, (void *)sire, (void *)first_sire)); 4456 4457 if (sire != NULL) { 4458 ire_refrele(sire); 4459 sire = NULL; 4460 } 4461 4462 if (first_sire != NULL) { 4463 /* 4464 * At least one multirt route has been found 4465 * in the same ip_newroute() call; there is no 4466 * need to report an ICMP error. 4467 * first_sire was not IRE_REFHOLDed. 4468 */ 4469 MULTIRT_DEBUG_UNTAG(first_mp); 4470 freemsg(first_mp); 4471 return; 4472 } 4473 ip_rts_change_v6(RTM_MISS, v6dstp, 0, 0, 0, 0, 0, 0, 4474 RTA_DST); 4475 goto icmp_err_ret; 4476 } 4477 4478 ASSERT(ire->ire_ipversion == IPV6_VERSION); 4479 4480 /* 4481 * Verify that the returned IRE does not have either the 4482 * RTF_REJECT or RTF_BLACKHOLE flags set and that the IRE is 4483 * either an IRE_CACHE, IRE_IF_NORESOLVER or IRE_IF_RESOLVER. 4484 */ 4485 if ((ire->ire_flags & (RTF_REJECT | RTF_BLACKHOLE)) || 4486 (ire->ire_type & (IRE_CACHE | IRE_INTERFACE)) == 0) 4487 goto icmp_err_ret; 4488 4489 /* 4490 * Increment the ire_ob_pkt_count field for ire if it is an 4491 * INTERFACE (IF_RESOLVER or IF_NORESOLVER) IRE type, and 4492 * increment the same for the parent IRE, sire, if it is some 4493 * sort of prefix IRE (which includes DEFAULT, PREFIX, HOST 4494 * and HOST_REDIRECT). 4495 */ 4496 if ((ire->ire_type & IRE_INTERFACE) != 0) { 4497 UPDATE_OB_PKT_COUNT(ire); 4498 ire->ire_last_used_time = lbolt; 4499 } 4500 4501 if (sire != NULL) { 4502 mutex_enter(&sire->ire_lock); 4503 v6gw = sire->ire_gateway_addr_v6; 4504 mutex_exit(&sire->ire_lock); 4505 ASSERT((sire->ire_type & (IRE_CACHETABLE | 4506 IRE_INTERFACE)) == 0); 4507 UPDATE_OB_PKT_COUNT(sire); 4508 sire->ire_last_used_time = lbolt; 4509 } else { 4510 v6gw = ipv6_all_zeros; 4511 } 4512 4513 /* 4514 * We have a route to reach the destination. 4515 * 4516 * 1) If the interface is part of ill group, try to get a new 4517 * ill taking load spreading into account. 4518 * 4519 * 2) After selecting the ill, get a source address that might 4520 * create good inbound load spreading and that matches the 4521 * right scope. ipif_select_source_v6 does this for us. 4522 * 4523 * If the application specified the ill (ifindex), we still 4524 * load spread. Only if the packets needs to go out specifically 4525 * on a given ill e.g. bind to IPIF_NOFAILOVER address, 4526 * IPV6_BOUND_PIF we don't try to use a different ill for load 4527 * spreading. 4528 */ 4529 if (!do_attach_ill) { 4530 /* 4531 * If the interface belongs to an interface group, 4532 * make sure the next possible interface in the group 4533 * is used. This encourages load spreading among 4534 * peers in an interface group. However, in the case 4535 * of multirouting, load spreading is not used, as we 4536 * actually want to replicate outgoing packets through 4537 * particular interfaces. 4538 * 4539 * Note: While we pick a dst_ill we are really only 4540 * interested in the ill for load spreading. 4541 * The source ipif is determined by source address 4542 * selection below. 4543 */ 4544 if ((sire != NULL) && (sire->ire_flags & RTF_MULTIRT)) { 4545 dst_ill = ire->ire_ipif->ipif_ill; 4546 /* For uniformity do a refhold */ 4547 ill_refhold(dst_ill); 4548 } else { 4549 /* 4550 * If we are here trying to create an IRE_CACHE 4551 * for an offlink destination and have the 4552 * IRE_CACHE for the next hop and the latter is 4553 * using virtual IP source address selection i.e 4554 * it's ire->ire_ipif is pointing to a virtual 4555 * network interface (vni) then 4556 * ip_newroute_get_dst_ll() will return the vni 4557 * interface as the dst_ill. Since the vni is 4558 * virtual i.e not associated with any physical 4559 * interface, it cannot be the dst_ill, hence 4560 * in such a case call ip_newroute_get_dst_ll() 4561 * with the stq_ill instead of the ire_ipif ILL. 4562 * The function returns a refheld ill. 4563 */ 4564 if ((ire->ire_type == IRE_CACHE) && 4565 IS_VNI(ire->ire_ipif->ipif_ill)) 4566 dst_ill = ip_newroute_get_dst_ill_v6( 4567 ire->ire_stq->q_ptr); 4568 else 4569 dst_ill = ip_newroute_get_dst_ill_v6( 4570 ire->ire_ipif->ipif_ill); 4571 } 4572 if (dst_ill == NULL) { 4573 if (ip_debug > 2) { 4574 pr_addr_dbg("ip_newroute_v6 : no dst " 4575 "ill for dst %s\n", 4576 AF_INET6, v6dstp); 4577 } 4578 goto icmp_err_ret; 4579 } else if (dst_ill->ill_group == NULL && ill != NULL && 4580 dst_ill != ill) { 4581 /* 4582 * If "ill" is not part of any group, we should 4583 * have found a route matching "ill" as we 4584 * called ire_ftable_lookup_v6 with 4585 * MATCH_IRE_ILL_GROUP. 4586 * Rather than asserting when there is a 4587 * mismatch, we just drop the packet. 4588 */ 4589 ip0dbg(("ip_newroute_v6: BOUND_IF failed : " 4590 "dst_ill %s ill %s\n", 4591 dst_ill->ill_name, 4592 ill->ill_name)); 4593 goto icmp_err_ret; 4594 } 4595 } else { 4596 dst_ill = ire->ire_ipif->ipif_ill; 4597 /* For uniformity do refhold */ 4598 ill_refhold(dst_ill); 4599 /* 4600 * We should have found a route matching ill as we 4601 * called ire_ftable_lookup_v6 with MATCH_IRE_ILL. 4602 * Rather than asserting, while there is a mismatch, 4603 * we just drop the packet. 4604 */ 4605 if (dst_ill != ill) { 4606 ip0dbg(("ip_newroute_v6: Packet dropped as " 4607 "IP6I_ATTACH_IF ill is %s, " 4608 "ire->ire_ipif->ipif_ill is %s\n", 4609 ill->ill_name, 4610 dst_ill->ill_name)); 4611 goto icmp_err_ret; 4612 } 4613 } 4614 /* 4615 * Pick a source address which matches the scope of the 4616 * destination address. 4617 * For RTF_SETSRC routes, the source address is imposed by the 4618 * parent ire (sire). 4619 */ 4620 ASSERT(src_ipif == NULL); 4621 if (ire->ire_type == IRE_IF_RESOLVER && 4622 !IN6_IS_ADDR_UNSPECIFIED(&v6gw) && 4623 ip6_asp_can_lookup()) { 4624 /* 4625 * The ire cache entry we're adding is for the 4626 * gateway itself. The source address in this case 4627 * is relative to the gateway's address. 4628 */ 4629 ip6_asp_table_held = B_TRUE; 4630 src_ipif = ipif_select_source_v6(dst_ill, &v6gw, 4631 B_TRUE, IPV6_PREFER_SRC_DEFAULT, zoneid); 4632 if (src_ipif != NULL) 4633 ire_marks |= IRE_MARK_USESRC_CHECK; 4634 } else { 4635 if ((sire != NULL) && (sire->ire_flags & RTF_SETSRC)) { 4636 /* 4637 * Check that the ipif matching the requested 4638 * source address still exists. 4639 */ 4640 src_ipif = ipif_lookup_addr_v6( 4641 &sire->ire_src_addr_v6, NULL, zoneid, 4642 NULL, NULL, NULL, NULL); 4643 } 4644 if (src_ipif == NULL && ip6_asp_can_lookup()) { 4645 ip6_asp_table_held = B_TRUE; 4646 src_ipif = ipif_select_source_v6(dst_ill, 4647 v6dstp, B_FALSE, IPV6_PREFER_SRC_DEFAULT, 4648 zoneid); 4649 if (src_ipif != NULL) 4650 ire_marks |= IRE_MARK_USESRC_CHECK; 4651 } 4652 } 4653 4654 if (src_ipif == NULL) { 4655 if (ip_debug > 2) { 4656 /* ip1dbg */ 4657 pr_addr_dbg("ip_newroute_v6: no src for " 4658 "dst %s\n, ", AF_INET6, v6dstp); 4659 printf("ip_newroute_v6: interface name %s\n", 4660 dst_ill->ill_name); 4661 } 4662 goto icmp_err_ret; 4663 } 4664 4665 if (ip_debug > 3) { 4666 /* ip2dbg */ 4667 pr_addr_dbg("ip_newroute_v6: first hop %s\n", 4668 AF_INET6, &v6gw); 4669 } 4670 ip2dbg(("\tire type %s (%d)\n", 4671 ip_nv_lookup(ire_nv_tbl, ire->ire_type), ire->ire_type)); 4672 4673 /* 4674 * At this point in ip_newroute_v6(), ire is either the 4675 * IRE_CACHE of the next-hop gateway for an off-subnet 4676 * destination or an IRE_INTERFACE type that should be used 4677 * to resolve an on-subnet destination or an on-subnet 4678 * next-hop gateway. 4679 * 4680 * In the IRE_CACHE case, we have the following : 4681 * 4682 * 1) src_ipif - used for getting a source address. 4683 * 4684 * 2) dst_ill - from which we derive ire_stq/ire_rfq. This 4685 * means packets using this IRE_CACHE will go out on dst_ill. 4686 * 4687 * 3) The IRE sire will point to the prefix that is the longest 4688 * matching route for the destination. These prefix types 4689 * include IRE_DEFAULT, IRE_PREFIX, IRE_HOST, and 4690 * IRE_HOST_REDIRECT. 4691 * 4692 * The newly created IRE_CACHE entry for the off-subnet 4693 * destination is tied to both the prefix route and the 4694 * interface route used to resolve the next-hop gateway 4695 * via the ire_phandle and ire_ihandle fields, respectively. 4696 * 4697 * In the IRE_INTERFACE case, we have the following : 4698 * 4699 * 1) src_ipif - used for getting a source address. 4700 * 4701 * 2) dst_ill - from which we derive ire_stq/ire_rfq. This 4702 * means packets using the IRE_CACHE that we will build 4703 * here will go out on dst_ill. 4704 * 4705 * 3) sire may or may not be NULL. But, the IRE_CACHE that is 4706 * to be created will only be tied to the IRE_INTERFACE that 4707 * was derived from the ire_ihandle field. 4708 * 4709 * If sire is non-NULL, it means the destination is off-link 4710 * and we will first create the IRE_CACHE for the gateway. 4711 * Next time through ip_newroute_v6, we will create the 4712 * IRE_CACHE for the final destination as described above. 4713 */ 4714 save_ire = ire; 4715 switch (ire->ire_type) { 4716 case IRE_CACHE: { 4717 ire_t *ipif_ire; 4718 4719 ASSERT(sire != NULL); 4720 if (IN6_IS_ADDR_UNSPECIFIED(&v6gw)) { 4721 mutex_enter(&ire->ire_lock); 4722 v6gw = ire->ire_gateway_addr_v6; 4723 mutex_exit(&ire->ire_lock); 4724 } 4725 /* 4726 * We need 3 ire's to create a new cache ire for an 4727 * off-link destination from the cache ire of the 4728 * gateway. 4729 * 4730 * 1. The prefix ire 'sire' 4731 * 2. The cache ire of the gateway 'ire' 4732 * 3. The interface ire 'ipif_ire' 4733 * 4734 * We have (1) and (2). We lookup (3) below. 4735 * 4736 * If there is no interface route to the gateway, 4737 * it is a race condition, where we found the cache 4738 * but the inteface route has been deleted. 4739 */ 4740 ipif_ire = ire_ihandle_lookup_offlink_v6(ire, sire); 4741 if (ipif_ire == NULL) { 4742 ip1dbg(("ip_newroute_v6:" 4743 "ire_ihandle_lookup_offlink_v6 failed\n")); 4744 goto icmp_err_ret; 4745 } 4746 /* 4747 * Assume DL_UNITDATA_REQ is same for all physical 4748 * interfaces in the ifgrp. If it isn't, this code will 4749 * have to be seriously rewhacked to allow the 4750 * fastpath probing (such that I cache the link 4751 * header in the IRE_CACHE) to work over ifgrps. 4752 * We have what we need to build an IRE_CACHE. 4753 */ 4754 /* 4755 * Note: the new ire inherits RTF_SETSRC 4756 * and RTF_MULTIRT to propagate these flags from prefix 4757 * to cache. 4758 */ 4759 ire = ire_create_v6( 4760 v6dstp, /* dest address */ 4761 &ipv6_all_ones, /* mask */ 4762 &src_ipif->ipif_v6src_addr, /* source address */ 4763 &v6gw, /* gateway address */ 4764 &save_ire->ire_max_frag, 4765 NULL, /* Fast Path header */ 4766 dst_ill->ill_rq, /* recv-from queue */ 4767 dst_ill->ill_wq, /* send-to queue */ 4768 IRE_CACHE, 4769 NULL, 4770 src_ipif, 4771 &sire->ire_mask_v6, /* Parent mask */ 4772 sire->ire_phandle, /* Parent handle */ 4773 ipif_ire->ire_ihandle, /* Interface handle */ 4774 sire->ire_flags & /* flags if any */ 4775 (RTF_SETSRC | RTF_MULTIRT), 4776 &(sire->ire_uinfo)); 4777 4778 if (ire == NULL) { 4779 ire_refrele(save_ire); 4780 ire_refrele(ipif_ire); 4781 break; 4782 } 4783 ire->ire_marks |= ire_marks; 4784 4785 /* 4786 * Prevent sire and ipif_ire from getting deleted. The 4787 * newly created ire is tied to both of them via the 4788 * phandle and ihandle respectively. 4789 */ 4790 IRB_REFHOLD(sire->ire_bucket); 4791 /* Has it been removed already ? */ 4792 if (sire->ire_marks & IRE_MARK_CONDEMNED) { 4793 IRB_REFRELE(sire->ire_bucket); 4794 ire_refrele(ipif_ire); 4795 ire_refrele(save_ire); 4796 break; 4797 } 4798 4799 IRB_REFHOLD(ipif_ire->ire_bucket); 4800 /* Has it been removed already ? */ 4801 if (ipif_ire->ire_marks & IRE_MARK_CONDEMNED) { 4802 IRB_REFRELE(ipif_ire->ire_bucket); 4803 IRB_REFRELE(sire->ire_bucket); 4804 ire_refrele(ipif_ire); 4805 ire_refrele(save_ire); 4806 break; 4807 } 4808 4809 xmit_mp = first_mp; 4810 if (ire->ire_flags & RTF_MULTIRT) { 4811 copy_mp = copymsg(first_mp); 4812 if (copy_mp != NULL) { 4813 xmit_mp = copy_mp; 4814 MULTIRT_DEBUG_TAG(first_mp); 4815 } 4816 } 4817 ire_add_then_send(q, ire, xmit_mp); 4818 if (ip6_asp_table_held) { 4819 ip6_asp_table_refrele(); 4820 ip6_asp_table_held = B_FALSE; 4821 } 4822 ire_refrele(save_ire); 4823 4824 /* Assert that sire is not deleted yet. */ 4825 ASSERT(sire->ire_ptpn != NULL); 4826 IRB_REFRELE(sire->ire_bucket); 4827 4828 /* Assert that ipif_ire is not deleted yet. */ 4829 ASSERT(ipif_ire->ire_ptpn != NULL); 4830 IRB_REFRELE(ipif_ire->ire_bucket); 4831 ire_refrele(ipif_ire); 4832 4833 if (copy_mp != NULL) { 4834 /* 4835 * Search for the next unresolved 4836 * multirt route. 4837 */ 4838 copy_mp = NULL; 4839 ipif_ire = NULL; 4840 ire = NULL; 4841 /* re-enter the loop */ 4842 multirt_resolve_next = B_TRUE; 4843 continue; 4844 } 4845 ire_refrele(sire); 4846 ill_refrele(dst_ill); 4847 ipif_refrele(src_ipif); 4848 return; 4849 } 4850 case IRE_IF_NORESOLVER: 4851 /* 4852 * We have what we need to build an IRE_CACHE. 4853 * 4854 * Create a new dlureq_mp with the IPv6 gateway 4855 * address in destination address in the DLPI hdr 4856 * if the physical length is exactly 16 bytes. 4857 */ 4858 if (dst_ill->ill_phys_addr_length == IPV6_ADDR_LEN) { 4859 const in6_addr_t *addr; 4860 4861 if (!IN6_IS_ADDR_UNSPECIFIED(&v6gw)) 4862 addr = &v6gw; 4863 else 4864 addr = v6dstp; 4865 4866 dlureq_mp = ill_dlur_gen((uchar_t *)addr, 4867 dst_ill->ill_phys_addr_length, 4868 dst_ill->ill_sap, 4869 dst_ill->ill_sap_length); 4870 } else { 4871 dlureq_mp = ire->ire_dlureq_mp; 4872 } 4873 if (dlureq_mp == NULL) 4874 break; 4875 4876 /* 4877 * Note: the new ire inherits sire flags RTF_SETSRC 4878 * and RTF_MULTIRT to propagate those rules from prefix 4879 * to cache. 4880 */ 4881 ire = ire_create_v6( 4882 v6dstp, /* dest address */ 4883 &ipv6_all_ones, /* mask */ 4884 &src_ipif->ipif_v6src_addr, /* source address */ 4885 &v6gw, /* gateway address */ 4886 &save_ire->ire_max_frag, 4887 NULL, /* Fast Path header */ 4888 dst_ill->ill_rq, /* recv-from queue */ 4889 dst_ill->ill_wq, /* send-to queue */ 4890 IRE_CACHE, 4891 dlureq_mp, 4892 src_ipif, 4893 &save_ire->ire_mask_v6, /* Parent mask */ 4894 (sire != NULL) ? /* Parent handle */ 4895 sire->ire_phandle : 0, 4896 save_ire->ire_ihandle, /* Interface handle */ 4897 (sire != NULL) ? /* flags if any */ 4898 sire->ire_flags & 4899 (RTF_SETSRC | RTF_MULTIRT) : 0, 4900 &(save_ire->ire_uinfo)); 4901 4902 if (dst_ill->ill_phys_addr_length == IPV6_ADDR_LEN) 4903 freeb(dlureq_mp); 4904 4905 if (ire == NULL) { 4906 ire_refrele(save_ire); 4907 break; 4908 } 4909 4910 ire->ire_marks |= ire_marks; 4911 4912 if (!IN6_IS_ADDR_UNSPECIFIED(&v6gw)) 4913 dst = v6gw; 4914 else 4915 dst = *v6dstp; 4916 err = ndp_noresolver(dst_ill, &dst); 4917 if (err != 0) { 4918 ire_refrele(save_ire); 4919 break; 4920 } 4921 4922 /* Prevent save_ire from getting deleted */ 4923 IRB_REFHOLD(save_ire->ire_bucket); 4924 /* Has it been removed already ? */ 4925 if (save_ire->ire_marks & IRE_MARK_CONDEMNED) { 4926 IRB_REFRELE(save_ire->ire_bucket); 4927 ire_refrele(save_ire); 4928 break; 4929 } 4930 4931 xmit_mp = first_mp; 4932 /* 4933 * In case of MULTIRT, a copy of the current packet 4934 * to send is made to further re-enter the 4935 * loop and attempt another route resolution 4936 */ 4937 if ((sire != NULL) && sire->ire_flags & RTF_MULTIRT) { 4938 copy_mp = copymsg(first_mp); 4939 if (copy_mp != NULL) { 4940 xmit_mp = copy_mp; 4941 MULTIRT_DEBUG_TAG(first_mp); 4942 } 4943 } 4944 ire_add_then_send(q, ire, xmit_mp); 4945 if (ip6_asp_table_held) { 4946 ip6_asp_table_refrele(); 4947 ip6_asp_table_held = B_FALSE; 4948 } 4949 4950 /* Assert that it is not deleted yet. */ 4951 ASSERT(save_ire->ire_ptpn != NULL); 4952 IRB_REFRELE(save_ire->ire_bucket); 4953 ire_refrele(save_ire); 4954 4955 if (copy_mp != NULL) { 4956 /* 4957 * If we found a (no)resolver, we ignore any 4958 * trailing top priority IRE_CACHE in 4959 * further loops. This ensures that we do not 4960 * omit any (no)resolver despite the priority 4961 * in this call. 4962 * IRE_CACHE, if any, will be processed 4963 * by another thread entering ip_newroute(), 4964 * (on resolver response, for example). 4965 * We use this to force multiple parallel 4966 * resolution as soon as a packet needs to be 4967 * sent. The result is, after one packet 4968 * emission all reachable routes are generally 4969 * resolved. 4970 * Otherwise, complete resolution of MULTIRT 4971 * routes would require several emissions as 4972 * side effect. 4973 */ 4974 multirt_flags &= ~MULTIRT_CACHEGW; 4975 4976 /* 4977 * Search for the next unresolved multirt 4978 * route. 4979 */ 4980 copy_mp = NULL; 4981 save_ire = NULL; 4982 ire = NULL; 4983 /* re-enter the loop */ 4984 multirt_resolve_next = B_TRUE; 4985 continue; 4986 } 4987 4988 /* Don't need sire anymore */ 4989 if (sire != NULL) 4990 ire_refrele(sire); 4991 ill_refrele(dst_ill); 4992 ipif_refrele(src_ipif); 4993 return; 4994 4995 case IRE_IF_RESOLVER: 4996 /* 4997 * We can't build an IRE_CACHE yet, but at least we 4998 * found a resolver that can help. 4999 */ 5000 dst = *v6dstp; 5001 /* 5002 * To be at this point in the code with a non-zero gw 5003 * means that dst is reachable through a gateway that 5004 * we have never resolved. By changing dst to the gw 5005 * addr we resolve the gateway first. When 5006 * ire_add_then_send() tries to put the IP dg to dst, 5007 * it will reenter ip_newroute() at which time we will 5008 * find the IRE_CACHE for the gw and create another 5009 * IRE_CACHE above (for dst itself). 5010 */ 5011 if (!IN6_IS_ADDR_UNSPECIFIED(&v6gw)) { 5012 save_dst = dst; 5013 dst = v6gw; 5014 v6gw = ipv6_all_zeros; 5015 } 5016 if (dst_ill->ill_flags & ILLF_XRESOLV) { 5017 /* 5018 * Ask the external resolver to do its thing. 5019 * Make an mblk chain in the following form: 5020 * ARQ_REQ_MBLK-->IRE_MBLK-->packet 5021 */ 5022 mblk_t *ire_mp; 5023 mblk_t *areq_mp; 5024 areq_t *areq; 5025 in6_addr_t *addrp; 5026 5027 ip1dbg(("ip_newroute_v6:ILLF_XRESOLV\n")); 5028 if (ip6_asp_table_held) { 5029 ip6_asp_table_refrele(); 5030 ip6_asp_table_held = B_FALSE; 5031 } 5032 ire = ire_create_mp_v6( 5033 &dst, /* dest address */ 5034 &ipv6_all_ones, /* mask */ 5035 &src_ipif->ipif_v6src_addr, 5036 /* source address */ 5037 &v6gw, /* gateway address */ 5038 NULL, /* Fast Path header */ 5039 dst_ill->ill_rq, /* recv-from queue */ 5040 dst_ill->ill_wq, /* send-to queue */ 5041 IRE_CACHE, 5042 NULL, 5043 src_ipif, 5044 &save_ire->ire_mask_v6, 5045 /* Parent mask */ 5046 0, 5047 save_ire->ire_ihandle, 5048 /* Interface handle */ 5049 0, /* flags if any */ 5050 &(save_ire->ire_uinfo)); 5051 5052 ire_refrele(save_ire); 5053 if (ire == NULL) { 5054 ip1dbg(("ip_newroute_v6:" 5055 "ire is NULL\n")); 5056 break; 5057 } 5058 if ((sire != NULL) && 5059 (sire->ire_flags & RTF_MULTIRT)) { 5060 /* 5061 * processing a copy of the packet to 5062 * send for further resolution loops 5063 */ 5064 copy_mp = copymsg(first_mp); 5065 if (copy_mp != NULL) 5066 MULTIRT_DEBUG_TAG(copy_mp); 5067 } 5068 ire->ire_marks |= ire_marks; 5069 ire_mp = ire->ire_mp; 5070 /* 5071 * Now create or find an nce for this interface. 5072 * The hw addr will need to to be set from 5073 * the reply to the AR_ENTRY_QUERY that 5074 * we're about to send. This will be done in 5075 * ire_add_v6(). 5076 */ 5077 err = ndp_resolver(dst_ill, &dst, mp, zoneid); 5078 switch (err) { 5079 case 0: 5080 /* 5081 * New cache entry created. 5082 * Break, then ask the external 5083 * resolver. 5084 */ 5085 break; 5086 case EINPROGRESS: 5087 /* 5088 * Resolution in progress; 5089 * packet has been queued by 5090 * ndp_resolver(). 5091 */ 5092 ire_delete(ire); 5093 ire = NULL; 5094 /* 5095 * Check if another multirt 5096 * route must be resolved. 5097 */ 5098 if (copy_mp != NULL) { 5099 /* 5100 * If we found a resolver, we 5101 * ignore any trailing top 5102 * priority IRE_CACHE in 5103 * further loops. The reason is 5104 * the same as for noresolver. 5105 */ 5106 multirt_flags &= 5107 ~MULTIRT_CACHEGW; 5108 /* 5109 * Search for the next 5110 * unresolved multirt route. 5111 */ 5112 first_mp = copy_mp; 5113 copy_mp = NULL; 5114 mp = first_mp; 5115 if (mp->b_datap->db_type == 5116 M_CTL) { 5117 mp = mp->b_cont; 5118 } 5119 ASSERT(sire != NULL); 5120 dst = save_dst; 5121 /* 5122 * re-enter the loop 5123 */ 5124 multirt_resolve_next = 5125 B_TRUE; 5126 continue; 5127 } 5128 5129 if (sire != NULL) 5130 ire_refrele(sire); 5131 ill_refrele(dst_ill); 5132 ipif_refrele(src_ipif); 5133 return; 5134 default: 5135 /* 5136 * Transient error; packet will be 5137 * freed. 5138 */ 5139 ire_delete(ire); 5140 ire = NULL; 5141 break; 5142 } 5143 if (err != 0) 5144 break; 5145 /* 5146 * Now set up the AR_ENTRY_QUERY and send it. 5147 */ 5148 areq_mp = ill_arp_alloc(dst_ill, 5149 (uchar_t *)&ipv6_areq_template, 5150 (caddr_t)&dst); 5151 if (areq_mp == NULL) { 5152 ip1dbg(("ip_newroute_v6:" 5153 "areq_mp is NULL\n")); 5154 freemsg(ire_mp); 5155 break; 5156 } 5157 areq = (areq_t *)areq_mp->b_rptr; 5158 addrp = (in6_addr_t *)((char *)areq + 5159 areq->areq_target_addr_offset); 5160 *addrp = dst; 5161 addrp = (in6_addr_t *)((char *)areq + 5162 areq->areq_sender_addr_offset); 5163 *addrp = src_ipif->ipif_v6src_addr; 5164 /* 5165 * link the chain, then send up to the resolver. 5166 */ 5167 linkb(areq_mp, ire_mp); 5168 linkb(areq_mp, mp); 5169 ip1dbg(("ip_newroute_v6:" 5170 "putnext to resolver\n")); 5171 putnext(dst_ill->ill_rq, areq_mp); 5172 /* 5173 * Check if another multirt route 5174 * must be resolved. 5175 */ 5176 ire = NULL; 5177 if (copy_mp != NULL) { 5178 /* 5179 * If we find a resolver, we ignore any 5180 * trailing top priority IRE_CACHE in 5181 * further loops. The reason is the 5182 * same as for noresolver. 5183 */ 5184 multirt_flags &= ~MULTIRT_CACHEGW; 5185 /* 5186 * Search for the next unresolved 5187 * multirt route. 5188 */ 5189 first_mp = copy_mp; 5190 copy_mp = NULL; 5191 mp = first_mp; 5192 if (mp->b_datap->db_type == M_CTL) { 5193 mp = mp->b_cont; 5194 } 5195 ASSERT(sire != NULL); 5196 dst = save_dst; 5197 /* 5198 * re-enter the loop 5199 */ 5200 multirt_resolve_next = B_TRUE; 5201 continue; 5202 } 5203 5204 if (sire != NULL) 5205 ire_refrele(sire); 5206 ill_refrele(dst_ill); 5207 ipif_refrele(src_ipif); 5208 return; 5209 } 5210 /* 5211 * Non-external resolver case. 5212 */ 5213 ire = ire_create_v6( 5214 &dst, /* dest address */ 5215 &ipv6_all_ones, /* mask */ 5216 &src_ipif->ipif_v6src_addr, /* source address */ 5217 &v6gw, /* gateway address */ 5218 &save_ire->ire_max_frag, 5219 NULL, /* Fast Path header */ 5220 dst_ill->ill_rq, /* recv-from queue */ 5221 dst_ill->ill_wq, /* send-to queue */ 5222 IRE_CACHE, 5223 NULL, 5224 src_ipif, 5225 &save_ire->ire_mask_v6, /* Parent mask */ 5226 0, 5227 save_ire->ire_ihandle, /* Interface handle */ 5228 0, /* flags if any */ 5229 &(save_ire->ire_uinfo)); 5230 5231 if (ire == NULL) { 5232 ire_refrele(save_ire); 5233 break; 5234 } 5235 5236 if ((sire != NULL) && 5237 (sire->ire_flags & RTF_MULTIRT)) { 5238 copy_mp = copymsg(first_mp); 5239 if (copy_mp != NULL) 5240 MULTIRT_DEBUG_TAG(copy_mp); 5241 } 5242 5243 ire->ire_marks |= ire_marks; 5244 err = ndp_resolver(dst_ill, &dst, first_mp, zoneid); 5245 switch (err) { 5246 case 0: 5247 /* Prevent save_ire from getting deleted */ 5248 IRB_REFHOLD(save_ire->ire_bucket); 5249 /* Has it been removed already ? */ 5250 if (save_ire->ire_marks & IRE_MARK_CONDEMNED) { 5251 IRB_REFRELE(save_ire->ire_bucket); 5252 ire_refrele(save_ire); 5253 break; 5254 } 5255 5256 /* 5257 * We have a resolved cache entry, 5258 * add in the IRE. 5259 */ 5260 ire_add_then_send(q, ire, first_mp); 5261 if (ip6_asp_table_held) { 5262 ip6_asp_table_refrele(); 5263 ip6_asp_table_held = B_FALSE; 5264 } 5265 5266 /* Assert that it is not deleted yet. */ 5267 ASSERT(save_ire->ire_ptpn != NULL); 5268 IRB_REFRELE(save_ire->ire_bucket); 5269 ire_refrele(save_ire); 5270 /* 5271 * Check if another multirt route 5272 * must be resolved. 5273 */ 5274 ire = NULL; 5275 if (copy_mp != NULL) { 5276 /* 5277 * If we find a resolver, we ignore any 5278 * trailing top priority IRE_CACHE in 5279 * further loops. The reason is the 5280 * same as for noresolver. 5281 */ 5282 multirt_flags &= ~MULTIRT_CACHEGW; 5283 /* 5284 * Search for the next unresolved 5285 * multirt route. 5286 */ 5287 first_mp = copy_mp; 5288 copy_mp = NULL; 5289 mp = first_mp; 5290 if (mp->b_datap->db_type == M_CTL) { 5291 mp = mp->b_cont; 5292 } 5293 ASSERT(sire != NULL); 5294 dst = save_dst; 5295 /* 5296 * re-enter the loop 5297 */ 5298 multirt_resolve_next = B_TRUE; 5299 continue; 5300 } 5301 5302 if (sire != NULL) 5303 ire_refrele(sire); 5304 ill_refrele(dst_ill); 5305 ipif_refrele(src_ipif); 5306 return; 5307 5308 case EINPROGRESS: 5309 /* 5310 * mp was consumed - presumably queued. 5311 * No need for ire, presumably resolution is 5312 * in progress, and ire will be added when the 5313 * address is resolved. 5314 */ 5315 if (ip6_asp_table_held) { 5316 ip6_asp_table_refrele(); 5317 ip6_asp_table_held = B_FALSE; 5318 } 5319 ASSERT(ire->ire_nce == NULL); 5320 ire_delete(ire); 5321 ire_refrele(save_ire); 5322 /* 5323 * Check if another multirt route 5324 * must be resolved. 5325 */ 5326 ire = NULL; 5327 if (copy_mp != NULL) { 5328 /* 5329 * If we find a resolver, we ignore any 5330 * trailing top priority IRE_CACHE in 5331 * further loops. The reason is the 5332 * same as for noresolver. 5333 */ 5334 multirt_flags &= ~MULTIRT_CACHEGW; 5335 /* 5336 * Search for the next unresolved 5337 * multirt route. 5338 */ 5339 first_mp = copy_mp; 5340 copy_mp = NULL; 5341 mp = first_mp; 5342 if (mp->b_datap->db_type == M_CTL) { 5343 mp = mp->b_cont; 5344 } 5345 ASSERT(sire != NULL); 5346 dst = save_dst; 5347 /* 5348 * re-enter the loop 5349 */ 5350 multirt_resolve_next = B_TRUE; 5351 continue; 5352 } 5353 if (sire != NULL) 5354 ire_refrele(sire); 5355 ill_refrele(dst_ill); 5356 ipif_refrele(src_ipif); 5357 return; 5358 default: 5359 /* Some transient error */ 5360 ASSERT(ire->ire_nce == NULL); 5361 ire_refrele(save_ire); 5362 break; 5363 } 5364 break; 5365 default: 5366 break; 5367 } 5368 if (ip6_asp_table_held) { 5369 ip6_asp_table_refrele(); 5370 ip6_asp_table_held = B_FALSE; 5371 } 5372 } while (multirt_resolve_next); 5373 5374 err_ret: 5375 ip1dbg(("ip_newroute_v6: dropped\n")); 5376 if (src_ipif != NULL) 5377 ipif_refrele(src_ipif); 5378 if (dst_ill != NULL) { 5379 need_rele = B_TRUE; 5380 ill = dst_ill; 5381 } 5382 if (ill != NULL) { 5383 if (mp->b_prev != NULL) { 5384 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 5385 } else { 5386 BUMP_MIB(ill->ill_ip6_mib, ipv6OutDiscards); 5387 } 5388 5389 if (need_rele) 5390 ill_refrele(ill); 5391 } else { 5392 if (mp->b_prev != NULL) { 5393 BUMP_MIB(&ip6_mib, ipv6InDiscards); 5394 } else { 5395 BUMP_MIB(&ip6_mib, ipv6OutDiscards); 5396 } 5397 } 5398 /* Did this packet originate externally? */ 5399 if (mp->b_prev) { 5400 mp->b_next = NULL; 5401 mp->b_prev = NULL; 5402 } 5403 if (copy_mp != NULL) { 5404 MULTIRT_DEBUG_UNTAG(copy_mp); 5405 freemsg(copy_mp); 5406 } 5407 MULTIRT_DEBUG_UNTAG(first_mp); 5408 freemsg(first_mp); 5409 if (ire != NULL) 5410 ire_refrele(ire); 5411 if (sire != NULL) 5412 ire_refrele(sire); 5413 return; 5414 5415 icmp_err_ret: 5416 if (ip6_asp_table_held) 5417 ip6_asp_table_refrele(); 5418 if (src_ipif != NULL) 5419 ipif_refrele(src_ipif); 5420 if (dst_ill != NULL) { 5421 need_rele = B_TRUE; 5422 ill = dst_ill; 5423 } 5424 ip1dbg(("ip_newroute_v6: no route\n")); 5425 if (sire != NULL) 5426 ire_refrele(sire); 5427 /* 5428 * We need to set sire to NULL to avoid double freeing if we 5429 * ever goto err_ret from below. 5430 */ 5431 sire = NULL; 5432 ip6h = (ip6_t *)mp->b_rptr; 5433 /* Skip ip6i_t header if present */ 5434 if (ip6h->ip6_nxt == IPPROTO_RAW) { 5435 /* Make sure the IPv6 header is present */ 5436 if ((mp->b_wptr - (uchar_t *)ip6h) < 5437 sizeof (ip6i_t) + IPV6_HDR_LEN) { 5438 if (!pullupmsg(mp, sizeof (ip6i_t) + IPV6_HDR_LEN)) { 5439 ip1dbg(("ip_newroute_v6: pullupmsg failed\n")); 5440 goto err_ret; 5441 } 5442 } 5443 mp->b_rptr += sizeof (ip6i_t); 5444 ip6h = (ip6_t *)mp->b_rptr; 5445 } 5446 /* Did this packet originate externally? */ 5447 if (mp->b_prev) { 5448 if (ill != NULL) { 5449 BUMP_MIB(ill->ill_ip6_mib, ipv6InNoRoutes); 5450 } else { 5451 BUMP_MIB(&ip6_mib, ipv6InNoRoutes); 5452 } 5453 mp->b_next = NULL; 5454 mp->b_prev = NULL; 5455 q = WR(q); 5456 } else { 5457 if (ill != NULL) { 5458 BUMP_MIB(ill->ill_ip6_mib, ipv6OutNoRoutes); 5459 } else { 5460 BUMP_MIB(&ip6_mib, ipv6OutNoRoutes); 5461 } 5462 if (ip_hdr_complete_v6(ip6h, zoneid)) { 5463 /* Failed */ 5464 if (copy_mp != NULL) { 5465 MULTIRT_DEBUG_UNTAG(copy_mp); 5466 freemsg(copy_mp); 5467 } 5468 MULTIRT_DEBUG_UNTAG(first_mp); 5469 freemsg(first_mp); 5470 if (ire != NULL) 5471 ire_refrele(ire); 5472 if (need_rele) 5473 ill_refrele(ill); 5474 return; 5475 } 5476 } 5477 5478 if (need_rele) 5479 ill_refrele(ill); 5480 5481 /* 5482 * At this point we will have ire only if RTF_BLACKHOLE 5483 * or RTF_REJECT flags are set on the IRE. It will not 5484 * generate ICMP6_DST_UNREACH_NOROUTE if RTF_BLACKHOLE is set. 5485 */ 5486 if (ire != NULL) { 5487 if (ire->ire_flags & RTF_BLACKHOLE) { 5488 ire_refrele(ire); 5489 if (copy_mp != NULL) { 5490 MULTIRT_DEBUG_UNTAG(copy_mp); 5491 freemsg(copy_mp); 5492 } 5493 MULTIRT_DEBUG_UNTAG(first_mp); 5494 freemsg(first_mp); 5495 return; 5496 } 5497 ire_refrele(ire); 5498 } 5499 if (ip_debug > 3) { 5500 /* ip2dbg */ 5501 pr_addr_dbg("ip_newroute_v6: no route to %s\n", 5502 AF_INET6, v6dstp); 5503 } 5504 icmp_unreachable_v6(WR(q), first_mp, ICMP6_DST_UNREACH_NOROUTE, 5505 B_FALSE, B_FALSE); 5506 } 5507 5508 /* 5509 * ip_newroute_ipif_v6 is called by ip_wput_v6 and ip_wput_ipsec_out_v6 whenever 5510 * we need to send out a packet to a destination address for which we do not 5511 * have specific routing information. It is only used for multicast packets. 5512 * 5513 * If unspec_src we allow creating an IRE with source address zero. 5514 * ire_send_v6() will delete it after the packet is sent. 5515 */ 5516 void 5517 ip_newroute_ipif_v6(queue_t *q, mblk_t *mp, ipif_t *ipif, 5518 in6_addr_t v6dst, int unspec_src, zoneid_t zoneid) 5519 { 5520 ire_t *ire = NULL; 5521 ipif_t *src_ipif = NULL; 5522 int err = 0; 5523 ill_t *dst_ill = NULL; 5524 ire_t *save_ire; 5525 ushort_t ire_marks = 0; 5526 ipsec_out_t *io; 5527 ill_t *attach_ill = NULL; 5528 ill_t *ill; 5529 ip6_t *ip6h; 5530 mblk_t *first_mp; 5531 boolean_t ip6i_present; 5532 ire_t *fire = NULL; 5533 mblk_t *copy_mp = NULL; 5534 boolean_t multirt_resolve_next; 5535 in6_addr_t *v6dstp = &v6dst; 5536 boolean_t ipif_held = B_FALSE; 5537 boolean_t ill_held = B_FALSE; 5538 boolean_t ip6_asp_table_held = B_FALSE; 5539 5540 /* 5541 * This loop is run only once in most cases. 5542 * We loop to resolve further routes only when the destination 5543 * can be reached through multiple RTF_MULTIRT-flagged ires. 5544 */ 5545 do { 5546 multirt_resolve_next = B_FALSE; 5547 if (dst_ill != NULL) { 5548 ill_refrele(dst_ill); 5549 dst_ill = NULL; 5550 } 5551 5552 if (src_ipif != NULL) { 5553 ipif_refrele(src_ipif); 5554 src_ipif = NULL; 5555 } 5556 ASSERT(ipif != NULL); 5557 ill = ipif->ipif_ill; 5558 5559 ASSERT(!IN6_IS_ADDR_V4MAPPED(v6dstp)); 5560 if (ip_debug > 2) { 5561 /* ip1dbg */ 5562 pr_addr_dbg("ip_newroute_ipif_v6: v6dst %s\n", 5563 AF_INET6, v6dstp); 5564 printf("ip_newroute_ipif_v6: if %s, v6 %d\n", 5565 ill->ill_name, ipif->ipif_isv6); 5566 } 5567 5568 first_mp = mp; 5569 if (mp->b_datap->db_type == M_CTL) { 5570 mp = mp->b_cont; 5571 io = (ipsec_out_t *)first_mp->b_rptr; 5572 ASSERT(io->ipsec_out_type == IPSEC_OUT); 5573 } else { 5574 io = NULL; 5575 } 5576 5577 /* 5578 * If the interface is a pt-pt interface we look for an 5579 * IRE_IF_RESOLVER or IRE_IF_NORESOLVER that matches both the 5580 * local_address and the pt-pt destination address. 5581 * Otherwise we just match the local address. 5582 */ 5583 if (!(ill->ill_flags & ILLF_MULTICAST)) { 5584 goto err_ret; 5585 } 5586 /* 5587 * If this end point is bound to IPIF_NOFAILOVER, set bnf_ill 5588 * and bind_to_nofailover B_TRUE. We can't use conn to determine 5589 * as it could be NULL. 5590 * 5591 * This information can appear either in an ip6i_t or an 5592 * IPSEC_OUT message. 5593 */ 5594 ip6h = (ip6_t *)mp->b_rptr; 5595 ip6i_present = (ip6h->ip6_nxt == IPPROTO_RAW); 5596 if (ip6i_present || (io != NULL && io->ipsec_out_attach_if)) { 5597 if (!ip6i_present || 5598 ((ip6i_t *)ip6h)->ip6i_flags & IP6I_ATTACH_IF) { 5599 attach_ill = ip_grab_attach_ill(ill, first_mp, 5600 (ip6i_present ? 5601 ((ip6i_t *)ip6h)->ip6i_ifindex : 5602 io->ipsec_out_ill_index), B_TRUE); 5603 /* Failure case frees things for us. */ 5604 if (attach_ill == NULL) 5605 return; 5606 5607 /* 5608 * Check if we need an ire that will not be 5609 * looked up by anybody else i.e. HIDDEN. 5610 */ 5611 if (ill_is_probeonly(attach_ill)) 5612 ire_marks = IRE_MARK_HIDDEN; 5613 } 5614 } 5615 5616 /* 5617 * We check if an IRE_OFFSUBNET for the addr that goes through 5618 * ipif exists. We need it to determine if the RTF_SETSRC and/or 5619 * RTF_MULTIRT flags must be honored. 5620 */ 5621 fire = ipif_lookup_multi_ire_v6(ipif, v6dstp); 5622 ip2dbg(("ip_newroute_ipif_v6: " 5623 "ipif_lookup_multi_ire_v6(" 5624 "ipif %p, dst %08x) = fire %p\n", 5625 (void *)ipif, ntohl(V4_PART_OF_V6((*v6dstp))), 5626 (void *)fire)); 5627 5628 /* 5629 * If the application specified the ill (ifindex), we still 5630 * load spread. Only if the packets needs to go out specifically 5631 * on a given ill e.g. binding to IPIF_NOFAILOVER address or 5632 * IPV6_BOUND_PIF, or there is a parent ire entry that specified 5633 * multirouting, then we don't try to use a different ill for 5634 * load spreading. 5635 */ 5636 if (attach_ill == NULL) { 5637 /* 5638 * If the interface belongs to an interface group, 5639 * make sure the next possible interface in the group 5640 * is used. This encourages load spreading among peers 5641 * in an interface group. 5642 * 5643 * Note: While we pick a dst_ill we are really only 5644 * interested in the ill for load spreading. The source 5645 * ipif is determined by source address selection below. 5646 */ 5647 if ((fire != NULL) && (fire->ire_flags & RTF_MULTIRT)) { 5648 dst_ill = ipif->ipif_ill; 5649 /* For uniformity do a refhold */ 5650 ill_refhold(dst_ill); 5651 } else { 5652 /* refheld by ip_newroute_get_dst_ill_v6 */ 5653 dst_ill = 5654 ip_newroute_get_dst_ill_v6(ipif->ipif_ill); 5655 } 5656 if (dst_ill == NULL) { 5657 if (ip_debug > 2) { 5658 pr_addr_dbg("ip_newroute_ipif_v6: " 5659 "no dst ill for dst %s\n", 5660 AF_INET6, v6dstp); 5661 } 5662 goto err_ret; 5663 } 5664 } else { 5665 dst_ill = ipif->ipif_ill; 5666 /* 5667 * ip_wput_v6 passes the right ipif for IPIF_NOFAILOVER 5668 * and IPV6_BOUND_PIF case. 5669 */ 5670 ASSERT(dst_ill == attach_ill); 5671 /* attach_ill is already refheld */ 5672 } 5673 /* 5674 * Pick a source address which matches the scope of the 5675 * destination address. 5676 * For RTF_SETSRC routes, the source address is imposed by the 5677 * parent ire (fire). 5678 */ 5679 ASSERT(src_ipif == NULL); 5680 if ((fire != NULL) && (fire->ire_flags & RTF_SETSRC)) { 5681 /* 5682 * Check that the ipif matching the requested source 5683 * address still exists. 5684 */ 5685 src_ipif = 5686 ipif_lookup_addr_v6(&fire->ire_src_addr_v6, 5687 NULL, zoneid, NULL, NULL, NULL, NULL); 5688 } 5689 if (src_ipif == NULL && ip6_asp_can_lookup()) { 5690 ip6_asp_table_held = B_TRUE; 5691 src_ipif = ipif_select_source_v6(dst_ill, v6dstp, 5692 B_FALSE, IPV6_PREFER_SRC_DEFAULT, zoneid); 5693 } 5694 5695 if (src_ipif == NULL) { 5696 if (!unspec_src) { 5697 if (ip_debug > 2) { 5698 /* ip1dbg */ 5699 pr_addr_dbg("ip_newroute_ipif_v6: " 5700 "no src for dst %s\n,", 5701 AF_INET6, v6dstp); 5702 printf(" through interface %s\n", 5703 dst_ill->ill_name); 5704 } 5705 goto err_ret; 5706 } 5707 /* Use any ipif for source */ 5708 for (src_ipif = dst_ill->ill_ipif; src_ipif != NULL; 5709 src_ipif = src_ipif->ipif_next) { 5710 if ((src_ipif->ipif_flags & IPIF_UP) && 5711 IN6_IS_ADDR_UNSPECIFIED( 5712 &src_ipif->ipif_v6src_addr)) 5713 break; 5714 } 5715 if (src_ipif == NULL) { 5716 if (ip_debug > 2) { 5717 /* ip1dbg */ 5718 pr_addr_dbg("ip_newroute_ipif_v6: " 5719 "no src for dst %s\n ", 5720 AF_INET6, v6dstp); 5721 printf("ip_newroute_ipif_v6: if %s" 5722 "(UNSPEC_SRC)\n", 5723 dst_ill->ill_name); 5724 } 5725 goto err_ret; 5726 } 5727 src_ipif = ipif; 5728 ipif_refhold(src_ipif); 5729 } 5730 ire = ipif_to_ire_v6(ipif); 5731 if (ire == NULL) { 5732 if (ip_debug > 2) { 5733 /* ip1dbg */ 5734 pr_addr_dbg("ip_newroute_ipif_v6: v6src %s\n", 5735 AF_INET6, &ipif->ipif_v6lcl_addr); 5736 printf("ip_newroute_ipif_v6: " 5737 "if %s\n", dst_ill->ill_name); 5738 } 5739 goto err_ret; 5740 } 5741 if (ire->ire_flags & (RTF_REJECT | RTF_BLACKHOLE)) 5742 goto err_ret; 5743 5744 ASSERT(ire->ire_ipversion == IPV6_VERSION); 5745 5746 ip1dbg(("ip_newroute_ipif_v6: interface type %s (%d),", 5747 ip_nv_lookup(ire_nv_tbl, ire->ire_type), ire->ire_type)); 5748 if (ip_debug > 2) { 5749 /* ip1dbg */ 5750 pr_addr_dbg(" address %s\n", 5751 AF_INET6, &ire->ire_src_addr_v6); 5752 } 5753 save_ire = ire; 5754 ip2dbg(("ip_newroute_ipif: ire %p, ipif %p\n", 5755 (void *)ire, (void *)ipif)); 5756 5757 if ((fire != NULL) && (fire->ire_flags & RTF_MULTIRT)) { 5758 /* 5759 * an IRE_OFFSUBET was looked up 5760 * on that interface. 5761 * this ire has RTF_MULTIRT flag, 5762 * so the resolution loop 5763 * will be re-entered to resolve 5764 * additional routes on other 5765 * interfaces. For that purpose, 5766 * a copy of the packet is 5767 * made at this point. 5768 */ 5769 fire->ire_last_used_time = lbolt; 5770 copy_mp = copymsg(first_mp); 5771 if (copy_mp) { 5772 MULTIRT_DEBUG_TAG(copy_mp); 5773 } 5774 } 5775 5776 ASSERT((attach_ill == NULL) || (dst_ill == attach_ill)); 5777 switch (ire->ire_type) { 5778 case IRE_IF_NORESOLVER: { 5779 /* We have what we need to build an IRE_CACHE. */ 5780 mblk_t *dlureq_mp; 5781 5782 /* 5783 * Create a new dlureq_mp with the 5784 * IPv6 gateway address in destination address in the 5785 * DLPI hdr if the physical length is exactly 16 bytes. 5786 */ 5787 ASSERT(dst_ill->ill_isv6); 5788 if (dst_ill->ill_phys_addr_length == IPV6_ADDR_LEN) { 5789 dlureq_mp = ill_dlur_gen((uchar_t *)v6dstp, 5790 dst_ill->ill_phys_addr_length, 5791 dst_ill->ill_sap, 5792 dst_ill->ill_sap_length); 5793 } else { 5794 dlureq_mp = ire->ire_dlureq_mp; 5795 } 5796 5797 if (dlureq_mp == NULL) 5798 break; 5799 /* 5800 * The newly created ire will inherit the flags of the 5801 * parent ire, if any. 5802 */ 5803 ire = ire_create_v6( 5804 v6dstp, /* dest address */ 5805 &ipv6_all_ones, /* mask */ 5806 &src_ipif->ipif_v6src_addr, /* source address */ 5807 NULL, /* gateway address */ 5808 &save_ire->ire_max_frag, 5809 NULL, /* Fast Path header */ 5810 dst_ill->ill_rq, /* recv-from queue */ 5811 dst_ill->ill_wq, /* send-to queue */ 5812 IRE_CACHE, 5813 dlureq_mp, 5814 src_ipif, 5815 NULL, 5816 (fire != NULL) ? /* Parent handle */ 5817 fire->ire_phandle : 0, 5818 save_ire->ire_ihandle, /* Interface handle */ 5819 (fire != NULL) ? 5820 (fire->ire_flags & (RTF_SETSRC | RTF_MULTIRT)) : 5821 0, 5822 &ire_uinfo_null); 5823 5824 if (dst_ill->ill_phys_addr_length == IPV6_ADDR_LEN) 5825 freeb(dlureq_mp); 5826 5827 if (ire == NULL) { 5828 ire_refrele(save_ire); 5829 break; 5830 } 5831 5832 ire->ire_marks |= ire_marks; 5833 5834 err = ndp_noresolver(dst_ill, v6dstp); 5835 if (err != 0) { 5836 ire_refrele(save_ire); 5837 break; 5838 } 5839 5840 /* Prevent save_ire from getting deleted */ 5841 IRB_REFHOLD(save_ire->ire_bucket); 5842 /* Has it been removed already ? */ 5843 if (save_ire->ire_marks & IRE_MARK_CONDEMNED) { 5844 IRB_REFRELE(save_ire->ire_bucket); 5845 ire_refrele(save_ire); 5846 break; 5847 } 5848 5849 ire_add_then_send(q, ire, first_mp); 5850 if (ip6_asp_table_held) { 5851 ip6_asp_table_refrele(); 5852 ip6_asp_table_held = B_FALSE; 5853 } 5854 5855 /* Assert that it is not deleted yet. */ 5856 ASSERT(save_ire->ire_ptpn != NULL); 5857 IRB_REFRELE(save_ire->ire_bucket); 5858 ire_refrele(save_ire); 5859 if (fire != NULL) { 5860 ire_refrele(fire); 5861 fire = NULL; 5862 } 5863 5864 /* 5865 * The resolution loop is re-entered if we 5866 * actually are in a multirouting case. 5867 */ 5868 if (copy_mp != NULL) { 5869 boolean_t need_resolve = 5870 ire_multirt_need_resolve_v6(v6dstp); 5871 if (!need_resolve) { 5872 MULTIRT_DEBUG_UNTAG(copy_mp); 5873 freemsg(copy_mp); 5874 copy_mp = NULL; 5875 } else { 5876 /* 5877 * ipif_lookup_group_v6() calls 5878 * ire_lookup_multi_v6() that uses 5879 * ire_ftable_lookup_v6() to find 5880 * an IRE_INTERFACE for the group. 5881 * In the multirt case, 5882 * ire_lookup_multi_v6() then invokes 5883 * ire_multirt_lookup_v6() to find 5884 * the next resolvable ire. 5885 * As a result, we obtain a new 5886 * interface, derived from the 5887 * next ire. 5888 */ 5889 if (ipif_held) { 5890 ipif_refrele(ipif); 5891 ipif_held = B_FALSE; 5892 } 5893 ipif = ipif_lookup_group_v6(v6dstp, 5894 zoneid); 5895 ip2dbg(("ip_newroute_ipif: " 5896 "multirt dst %08x, ipif %p\n", 5897 ntohl(V4_PART_OF_V6((*v6dstp))), 5898 (void *)ipif)); 5899 if (ipif != NULL) { 5900 ipif_held = B_TRUE; 5901 mp = copy_mp; 5902 copy_mp = NULL; 5903 multirt_resolve_next = 5904 B_TRUE; 5905 continue; 5906 } else { 5907 freemsg(copy_mp); 5908 } 5909 } 5910 } 5911 ill_refrele(dst_ill); 5912 if (ipif_held) { 5913 ipif_refrele(ipif); 5914 ipif_held = B_FALSE; 5915 } 5916 if (src_ipif != NULL) 5917 ipif_refrele(src_ipif); 5918 return; 5919 } 5920 case IRE_IF_RESOLVER: { 5921 5922 ASSERT(dst_ill->ill_isv6); 5923 5924 /* 5925 * We obtain a partial IRE_CACHE which we will pass 5926 * along with the resolver query. When the response 5927 * comes back it will be there ready for us to add. 5928 */ 5929 /* 5930 * the newly created ire will inherit the flags of the 5931 * parent ire, if any. 5932 */ 5933 ire = ire_create_v6( 5934 v6dstp, /* dest address */ 5935 &ipv6_all_ones, /* mask */ 5936 &src_ipif->ipif_v6src_addr, /* source address */ 5937 NULL, /* gateway address */ 5938 &save_ire->ire_max_frag, 5939 NULL, /* Fast Path header */ 5940 dst_ill->ill_rq, /* recv-from queue */ 5941 dst_ill->ill_wq, /* send-to queue */ 5942 IRE_CACHE, 5943 NULL, 5944 src_ipif, 5945 NULL, 5946 (fire != NULL) ? /* Parent handle */ 5947 fire->ire_phandle : 0, 5948 save_ire->ire_ihandle, /* Interface handle */ 5949 (fire != NULL) ? 5950 (fire->ire_flags & (RTF_SETSRC | RTF_MULTIRT)) : 5951 0, 5952 &ire_uinfo_null); 5953 5954 if (ire == NULL) { 5955 ire_refrele(save_ire); 5956 break; 5957 } 5958 5959 ire->ire_marks |= ire_marks; 5960 5961 /* Resolve and add ire to the ctable */ 5962 err = ndp_resolver(dst_ill, v6dstp, first_mp, zoneid); 5963 switch (err) { 5964 case 0: 5965 /* Prevent save_ire from getting deleted */ 5966 IRB_REFHOLD(save_ire->ire_bucket); 5967 /* Has it been removed already ? */ 5968 if (save_ire->ire_marks & IRE_MARK_CONDEMNED) { 5969 IRB_REFRELE(save_ire->ire_bucket); 5970 ire_refrele(save_ire); 5971 break; 5972 } 5973 /* 5974 * We have a resolved cache entry, 5975 * add in the IRE. 5976 */ 5977 ire_add_then_send(q, ire, first_mp); 5978 if (ip6_asp_table_held) { 5979 ip6_asp_table_refrele(); 5980 ip6_asp_table_held = B_FALSE; 5981 } 5982 5983 /* Assert that it is not deleted yet. */ 5984 ASSERT(save_ire->ire_ptpn != NULL); 5985 IRB_REFRELE(save_ire->ire_bucket); 5986 ire_refrele(save_ire); 5987 if (fire != NULL) { 5988 ire_refrele(fire); 5989 fire = NULL; 5990 } 5991 5992 /* 5993 * The resolution loop is re-entered if we 5994 * actually are in a multirouting case. 5995 */ 5996 if (copy_mp != NULL) { 5997 boolean_t need_resolve = 5998 ire_multirt_need_resolve_v6(v6dstp); 5999 if (!need_resolve) { 6000 MULTIRT_DEBUG_UNTAG(copy_mp); 6001 freemsg(copy_mp); 6002 copy_mp = NULL; 6003 } else { 6004 /* 6005 * ipif_lookup_group_v6() calls 6006 * ire_lookup_multi_v6() that 6007 * uses ire_ftable_lookup_v6() 6008 * to find an IRE_INTERFACE for 6009 * the group. In the multirt 6010 * case, ire_lookup_multi_v6() 6011 * then invokes 6012 * ire_multirt_lookup_v6() to 6013 * find the next resolvable ire. 6014 * As a result, we obtain a new 6015 * interface, derived from the 6016 * next ire. 6017 */ 6018 if (ipif_held) { 6019 ipif_refrele(ipif); 6020 ipif_held = B_FALSE; 6021 } 6022 ipif = ipif_lookup_group_v6( 6023 v6dstp, zoneid); 6024 ip2dbg(("ip_newroute_ipif: " 6025 "multirt dst %08x, " 6026 "ipif %p\n", 6027 ntohl(V4_PART_OF_V6( 6028 (*v6dstp))), 6029 (void *)ipif)); 6030 if (ipif != NULL) { 6031 ipif_held = B_TRUE; 6032 mp = copy_mp; 6033 copy_mp = NULL; 6034 multirt_resolve_next = 6035 B_TRUE; 6036 continue; 6037 } else { 6038 freemsg(copy_mp); 6039 } 6040 } 6041 } 6042 ill_refrele(dst_ill); 6043 if (ipif_held) { 6044 ipif_refrele(ipif); 6045 ipif_held = B_FALSE; 6046 } 6047 if (src_ipif != NULL) 6048 ipif_refrele(src_ipif); 6049 return; 6050 6051 case EINPROGRESS: 6052 /* 6053 * mp was consumed - presumably queued. 6054 * No need for ire, presumably resolution is 6055 * in progress, and ire will be added when the 6056 * address is resolved. 6057 */ 6058 if (ip6_asp_table_held) { 6059 ip6_asp_table_refrele(); 6060 ip6_asp_table_held = B_FALSE; 6061 } 6062 ire_delete(ire); 6063 ire_refrele(save_ire); 6064 if (fire != NULL) { 6065 ire_refrele(fire); 6066 fire = NULL; 6067 } 6068 6069 /* 6070 * The resolution loop is re-entered if we 6071 * actually are in a multirouting case. 6072 */ 6073 if (copy_mp != NULL) { 6074 boolean_t need_resolve = 6075 ire_multirt_need_resolve_v6(v6dstp); 6076 if (!need_resolve) { 6077 MULTIRT_DEBUG_UNTAG(copy_mp); 6078 freemsg(copy_mp); 6079 copy_mp = NULL; 6080 } else { 6081 /* 6082 * ipif_lookup_group_v6() calls 6083 * ire_lookup_multi_v6() that 6084 * uses ire_ftable_lookup_v6() 6085 * to find an IRE_INTERFACE for 6086 * the group. In the multirt 6087 * case, ire_lookup_multi_v6() 6088 * then invokes 6089 * ire_multirt_lookup_v6() to 6090 * find the next resolvable ire. 6091 * As a result, we obtain a new 6092 * interface, derived from the 6093 * next ire. 6094 */ 6095 if (ipif_held) { 6096 ipif_refrele(ipif); 6097 ipif_held = B_FALSE; 6098 } 6099 ipif = ipif_lookup_group_v6( 6100 v6dstp, zoneid); 6101 ip2dbg(("ip_newroute_ipif: " 6102 "multirt dst %08x, " 6103 "ipif %p\n", 6104 ntohl(V4_PART_OF_V6( 6105 (*v6dstp))), 6106 (void *)ipif)); 6107 if (ipif != NULL) { 6108 ipif_held = B_TRUE; 6109 mp = copy_mp; 6110 copy_mp = NULL; 6111 multirt_resolve_next = 6112 B_TRUE; 6113 continue; 6114 } else { 6115 freemsg(copy_mp); 6116 } 6117 } 6118 } 6119 ill_refrele(dst_ill); 6120 if (ipif_held) { 6121 ipif_refrele(ipif); 6122 ipif_held = B_FALSE; 6123 } 6124 if (src_ipif != NULL) 6125 ipif_refrele(src_ipif); 6126 return; 6127 default: 6128 /* Some transient error */ 6129 ire_refrele(save_ire); 6130 break; 6131 } 6132 break; 6133 } 6134 default: 6135 break; 6136 } 6137 if (ip6_asp_table_held) { 6138 ip6_asp_table_refrele(); 6139 ip6_asp_table_held = B_FALSE; 6140 } 6141 } while (multirt_resolve_next); 6142 6143 err_ret: 6144 if (ip6_asp_table_held) 6145 ip6_asp_table_refrele(); 6146 if (ire != NULL) 6147 ire_refrele(ire); 6148 if (fire != NULL) 6149 ire_refrele(fire); 6150 if (ipif != NULL && ipif_held) 6151 ipif_refrele(ipif); 6152 if (src_ipif != NULL) 6153 ipif_refrele(src_ipif); 6154 /* Multicast - no point in trying to generate ICMP error */ 6155 ASSERT((attach_ill == NULL) || (dst_ill == attach_ill)); 6156 if (dst_ill != NULL) { 6157 ill = dst_ill; 6158 ill_held = B_TRUE; 6159 } 6160 if (mp->b_prev || mp->b_next) { 6161 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 6162 } else { 6163 BUMP_MIB(ill->ill_ip6_mib, ipv6OutDiscards); 6164 } 6165 ip1dbg(("ip_newroute_ipif_v6: dropped\n")); 6166 mp->b_next = NULL; 6167 mp->b_prev = NULL; 6168 freemsg(first_mp); 6169 if (ill_held) 6170 ill_refrele(ill); 6171 } 6172 6173 /* 6174 * Parse and process any hop-by-hop or destination options. 6175 * 6176 * Assumes that q is an ill read queue so that ICMP errors for link-local 6177 * destinations are sent out the correct interface. 6178 * 6179 * Returns -1 if there was an error and mp has been consumed. 6180 * Returns 0 if no special action is needed. 6181 * Returns 1 if the packet contained a router alert option for this node 6182 * which is verified to be "interesting/known" for our implementation. 6183 * 6184 * XXX Note: In future as more hbh or dest options are defined, 6185 * it may be better to have different routines for hbh and dest 6186 * options as opt_type fields other than IP6OPT_PAD1 and IP6OPT_PADN 6187 * may have same value in different namespaces. Or is it same namespace ?? 6188 * Current code checks for each opt_type (other than pads) if it is in 6189 * the expected nexthdr (hbh or dest) 6190 */ 6191 static int 6192 ip_process_options_v6(queue_t *q, mblk_t *mp, ip6_t *ip6h, 6193 uint8_t *optptr, uint_t optlen, uint8_t hdr_type) 6194 { 6195 uint8_t opt_type; 6196 uint_t optused; 6197 int ret = 0; 6198 mblk_t *first_mp; 6199 6200 first_mp = mp; 6201 if (mp->b_datap->db_type == M_CTL) { 6202 mp = mp->b_cont; 6203 } 6204 6205 while (optlen != 0) { 6206 opt_type = *optptr; 6207 if (opt_type == IP6OPT_PAD1) { 6208 optused = 1; 6209 } else { 6210 if (optlen < 2) 6211 goto bad_opt; 6212 switch (opt_type) { 6213 case IP6OPT_PADN: 6214 /* 6215 * Note:We don't verify that (N-2) pad octets 6216 * are zero as required by spec. Adhere to 6217 * "be liberal in what you accept..." part of 6218 * implementation philosophy (RFC791,RFC1122) 6219 */ 6220 optused = 2 + optptr[1]; 6221 if (optused > optlen) 6222 goto bad_opt; 6223 break; 6224 6225 case IP6OPT_JUMBO: 6226 if (hdr_type != IPPROTO_HOPOPTS) 6227 goto opt_error; 6228 goto opt_error; /* XXX Not implemented! */ 6229 6230 case IP6OPT_ROUTER_ALERT: { 6231 struct ip6_opt_router *or; 6232 6233 if (hdr_type != IPPROTO_HOPOPTS) 6234 goto opt_error; 6235 optused = 2 + optptr[1]; 6236 if (optused > optlen) 6237 goto bad_opt; 6238 or = (struct ip6_opt_router *)optptr; 6239 /* Check total length and alignment */ 6240 if (optused != sizeof (*or) || 6241 ((uintptr_t)or->ip6or_value & 0x1) != 0) 6242 goto opt_error; 6243 /* Check value */ 6244 switch (*((uint16_t *)or->ip6or_value)) { 6245 case IP6_ALERT_MLD: 6246 case IP6_ALERT_RSVP: 6247 ret = 1; 6248 } 6249 break; 6250 } 6251 case IP6OPT_HOME_ADDRESS: { 6252 /* 6253 * Minimal support for the home address option 6254 * (which is required by all IPv6 nodes). 6255 * Implement by just swapping the home address 6256 * and source address. 6257 * XXX Note: this has IPsec implications since 6258 * AH needs to take this into account. 6259 * Also, when IPsec is used we need to ensure 6260 * that this is only processed once 6261 * in the received packet (to avoid swapping 6262 * back and forth). 6263 * NOTE:This option processing is considered 6264 * to be unsafe and prone to a denial of 6265 * service attack. 6266 * The current processing is not safe even with 6267 * IPsec secured IP packets. Since the home 6268 * address option processing requirement still 6269 * is in the IETF draft and in the process of 6270 * being redefined for its usage, it has been 6271 * decided to turn off the option by default. 6272 * If this section of code needs to be executed, 6273 * ndd variable ip6_ignore_home_address_opt 6274 * should be set to 0 at the user's own risk. 6275 */ 6276 struct ip6_opt_home_address *oh; 6277 in6_addr_t tmp; 6278 6279 if (ipv6_ignore_home_address_opt) 6280 goto opt_error; 6281 6282 if (hdr_type != IPPROTO_DSTOPTS) 6283 goto opt_error; 6284 optused = 2 + optptr[1]; 6285 if (optused > optlen) 6286 goto bad_opt; 6287 6288 /* 6289 * We did this dest. opt the first time 6290 * around (i.e. before AH processing). 6291 * If we've done AH... stop now. 6292 */ 6293 if (first_mp != mp) { 6294 ipsec_in_t *ii; 6295 6296 ii = (ipsec_in_t *)first_mp->b_rptr; 6297 if (ii->ipsec_in_ah_sa != NULL) 6298 break; 6299 } 6300 6301 oh = (struct ip6_opt_home_address *)optptr; 6302 /* Check total length and alignment */ 6303 if (optused < sizeof (*oh) || 6304 ((uintptr_t)oh->ip6oh_addr & 0x7) != 0) 6305 goto opt_error; 6306 /* Swap ip6_src and the home address */ 6307 tmp = ip6h->ip6_src; 6308 /* XXX Note: only 8 byte alignment option */ 6309 ip6h->ip6_src = *(in6_addr_t *)oh->ip6oh_addr; 6310 *(in6_addr_t *)oh->ip6oh_addr = tmp; 6311 break; 6312 } 6313 6314 case IP6OPT_TUNNEL_LIMIT: 6315 if (hdr_type != IPPROTO_DSTOPTS) { 6316 goto opt_error; 6317 } 6318 optused = 2 + optptr[1]; 6319 if (optused > optlen) { 6320 goto bad_opt; 6321 } 6322 if (optused != 3) { 6323 goto opt_error; 6324 } 6325 break; 6326 6327 default: 6328 opt_error: 6329 ip1dbg(("ip_process_options_v6: bad opt 0x%x\n", 6330 opt_type)); 6331 switch (IP6OPT_TYPE(opt_type)) { 6332 case IP6OPT_TYPE_SKIP: 6333 optused = 2 + optptr[1]; 6334 if (optused > optlen) 6335 goto bad_opt; 6336 break; 6337 case IP6OPT_TYPE_DISCARD: 6338 freemsg(first_mp); 6339 return (-1); 6340 case IP6OPT_TYPE_ICMP: 6341 icmp_param_problem_v6(WR(q), first_mp, 6342 ICMP6_PARAMPROB_OPTION, 6343 (uint32_t)(optptr - 6344 (uint8_t *)ip6h), 6345 B_FALSE, B_FALSE); 6346 return (-1); 6347 case IP6OPT_TYPE_FORCEICMP: 6348 icmp_param_problem_v6(WR(q), first_mp, 6349 ICMP6_PARAMPROB_OPTION, 6350 (uint32_t)(optptr - 6351 (uint8_t *)ip6h), 6352 B_FALSE, B_TRUE); 6353 return (-1); 6354 } 6355 } 6356 } 6357 optlen -= optused; 6358 optptr += optused; 6359 } 6360 return (ret); 6361 6362 bad_opt: 6363 icmp_param_problem_v6(WR(q), first_mp, ICMP6_PARAMPROB_OPTION, 6364 (uint32_t)(optptr - (uint8_t *)ip6h), 6365 B_FALSE, B_FALSE); 6366 return (-1); 6367 } 6368 6369 /* 6370 * Process a routing header that is not yet empty. 6371 * Only handles type 0 routing headers. 6372 */ 6373 static void 6374 ip_process_rthdr(queue_t *q, mblk_t *mp, ip6_t *ip6h, ip6_rthdr_t *rth, 6375 ill_t *ill, uint_t flags, mblk_t *hada_mp) 6376 { 6377 ip6_rthdr0_t *rthdr; 6378 uint_t ehdrlen; 6379 uint_t numaddr; 6380 in6_addr_t *addrptr; 6381 in6_addr_t tmp; 6382 6383 ASSERT(rth->ip6r_segleft != 0); 6384 6385 if (!ipv6_forward_src_routed) { 6386 /* XXX Check for source routed out same interface? */ 6387 BUMP_MIB(ill->ill_ip6_mib, ipv6ForwProhibits); 6388 BUMP_MIB(ill->ill_ip6_mib, ipv6InAddrErrors); 6389 freemsg(hada_mp); 6390 freemsg(mp); 6391 return; 6392 } 6393 6394 if (rth->ip6r_type != 0) { 6395 if (hada_mp != NULL) 6396 goto hada_drop; 6397 icmp_param_problem_v6(WR(q), mp, 6398 ICMP6_PARAMPROB_HEADER, 6399 (uint32_t)((uchar_t *)&rth->ip6r_type - (uchar_t *)ip6h), 6400 B_FALSE, B_FALSE); 6401 return; 6402 } 6403 rthdr = (ip6_rthdr0_t *)rth; 6404 ehdrlen = 8 * (rthdr->ip6r0_len + 1); 6405 ASSERT(mp->b_rptr + ehdrlen <= mp->b_wptr); 6406 addrptr = (in6_addr_t *)((char *)rthdr + sizeof (*rthdr)); 6407 /* rthdr->ip6r0_len is twice the number of addresses in the header */ 6408 if (rthdr->ip6r0_len & 0x1) { 6409 /* An odd length is impossible */ 6410 if (hada_mp != NULL) 6411 goto hada_drop; 6412 icmp_param_problem_v6(WR(q), mp, 6413 ICMP6_PARAMPROB_HEADER, 6414 (uint32_t)((uchar_t *)&rthdr->ip6r0_len - (uchar_t *)ip6h), 6415 B_FALSE, B_FALSE); 6416 return; 6417 } 6418 numaddr = rthdr->ip6r0_len / 2; 6419 if (rthdr->ip6r0_segleft > numaddr) { 6420 /* segleft exceeds number of addresses in routing header */ 6421 if (hada_mp != NULL) 6422 goto hada_drop; 6423 icmp_param_problem_v6(WR(q), mp, 6424 ICMP6_PARAMPROB_HEADER, 6425 (uint32_t)((uchar_t *)&rthdr->ip6r0_segleft - 6426 (uchar_t *)ip6h), 6427 B_FALSE, B_FALSE); 6428 return; 6429 } 6430 addrptr += (numaddr - rthdr->ip6r0_segleft); 6431 if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst) || 6432 IN6_IS_ADDR_MULTICAST(addrptr)) { 6433 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 6434 freemsg(hada_mp); 6435 freemsg(mp); 6436 return; 6437 } 6438 /* Swap */ 6439 tmp = *addrptr; 6440 *addrptr = ip6h->ip6_dst; 6441 ip6h->ip6_dst = tmp; 6442 rthdr->ip6r0_segleft--; 6443 /* Don't allow any mapped addresses - ip_wput_v6 can't handle them */ 6444 if (IN6_IS_ADDR_V4MAPPED(&ip6h->ip6_dst)) { 6445 if (hada_mp != NULL) 6446 goto hada_drop; 6447 icmp_unreachable_v6(WR(q), mp, ICMP6_DST_UNREACH_NOROUTE, 6448 B_FALSE, B_FALSE); 6449 return; 6450 } 6451 ip_rput_data_v6(q, ill, mp, ip6h, flags, hada_mp); 6452 return; 6453 hada_drop: 6454 /* IPsec kstats: bean counter? */ 6455 freemsg(hada_mp); 6456 freemsg(mp); 6457 } 6458 6459 /* 6460 * Read side put procedure for IPv6 module. 6461 */ 6462 static void 6463 ip_rput_v6(queue_t *q, mblk_t *mp) 6464 { 6465 mblk_t *mp1, *first_mp, *hada_mp = NULL; 6466 ip6_t *ip6h; 6467 boolean_t ll_multicast = B_FALSE, mctl_present = B_FALSE; 6468 ill_t *ill; 6469 struct iocblk *iocp; 6470 uint_t flags = 0; 6471 6472 ill = (ill_t *)q->q_ptr; 6473 if (ill->ill_state_flags & ILL_CONDEMNED) { 6474 union DL_primitives *dl; 6475 6476 dl = (union DL_primitives *)mp->b_rptr; 6477 /* 6478 * Things are opening or closing - only accept DLPI 6479 * ack messages. If the stream is closing and ip_wsrv 6480 * has completed, ip_close is out of the qwait, but has 6481 * not yet completed qprocsoff. Don't proceed any further 6482 * because the ill has been cleaned up and things hanging 6483 * off the ill have been freed. 6484 */ 6485 if ((mp->b_datap->db_type != M_PCPROTO) || 6486 (dl->dl_primitive == DL_UNITDATA_IND)) { 6487 inet_freemsg(mp); 6488 return; 6489 } 6490 } 6491 6492 switch (mp->b_datap->db_type) { 6493 case M_DATA: 6494 break; 6495 6496 case M_PROTO: 6497 case M_PCPROTO: 6498 if (((dl_unitdata_ind_t *)mp->b_rptr)->dl_primitive != 6499 DL_UNITDATA_IND) { 6500 /* Go handle anything other than data elsewhere. */ 6501 ip_rput_dlpi(q, mp); 6502 return; 6503 } 6504 #define dlur ((dl_unitdata_ind_t *)mp->b_rptr) 6505 ll_multicast = dlur->dl_group_address; 6506 #undef dlur 6507 /* Ditch the DLPI header. */ 6508 mp1 = mp; 6509 mp = mp->b_cont; 6510 freeb(mp1); 6511 break; 6512 case M_BREAK: 6513 panic("ip_rput_v6: got an M_BREAK"); 6514 /*NOTREACHED*/ 6515 case M_IOCACK: 6516 iocp = (struct iocblk *)mp->b_rptr; 6517 switch (iocp->ioc_cmd) { 6518 case DL_IOC_HDR_INFO: 6519 ill = (ill_t *)q->q_ptr; 6520 ill_fastpath_ack(ill, mp); 6521 return; 6522 case SIOCSTUNPARAM: 6523 case SIOCGTUNPARAM: 6524 case OSIOCSTUNPARAM: 6525 case OSIOCGTUNPARAM: 6526 /* Go through qwriter */ 6527 break; 6528 default: 6529 putnext(q, mp); 6530 return; 6531 } 6532 /* FALLTHRU */ 6533 case M_ERROR: 6534 case M_HANGUP: 6535 mutex_enter(&ill->ill_lock); 6536 if (ill->ill_state_flags & ILL_CONDEMNED) { 6537 mutex_exit(&ill->ill_lock); 6538 freemsg(mp); 6539 return; 6540 } 6541 ill_refhold_locked(ill); 6542 mutex_exit(&ill->ill_lock); 6543 qwriter_ip(NULL, ill, q, mp, ip_rput_other, CUR_OP, B_FALSE); 6544 return; 6545 case M_CTL: { 6546 if ((MBLKL(mp) > sizeof (int)) && 6547 ((da_ipsec_t *)mp->b_rptr)->da_type == IPHADA_M_CTL) { 6548 ASSERT(MBLKL(mp) >= sizeof (da_ipsec_t)); 6549 mctl_present = B_TRUE; 6550 break; 6551 } 6552 putnext(q, mp); 6553 return; 6554 } 6555 case M_IOCNAK: 6556 iocp = (struct iocblk *)mp->b_rptr; 6557 switch (iocp->ioc_cmd) { 6558 case DL_IOC_HDR_INFO: 6559 case SIOCSTUNPARAM: 6560 case SIOCGTUNPARAM: 6561 case OSIOCSTUNPARAM: 6562 case OSIOCGTUNPARAM: 6563 mutex_enter(&ill->ill_lock); 6564 if (ill->ill_state_flags & ILL_CONDEMNED) { 6565 mutex_exit(&ill->ill_lock); 6566 freemsg(mp); 6567 return; 6568 } 6569 ill_refhold_locked(ill); 6570 mutex_exit(&ill->ill_lock); 6571 qwriter_ip(NULL, ill, q, mp, ip_rput_other, CUR_OP, 6572 B_FALSE); 6573 return; 6574 default: 6575 break; 6576 } 6577 /* FALLTHRU */ 6578 default: 6579 putnext(q, mp); 6580 return; 6581 } 6582 6583 BUMP_MIB(ill->ill_ip6_mib, ipv6InReceives); 6584 /* 6585 * if db_ref > 1 then copymsg and free original. Packet may be 6586 * changed and do not want other entity who has a reference to this 6587 * message to trip over the changes. This is a blind change because 6588 * trying to catch all places that might change packet is too 6589 * difficult (since it may be a module above this one). 6590 */ 6591 if (mp->b_datap->db_ref > 1) { 6592 mblk_t *mp1; 6593 6594 mp1 = copymsg(mp); 6595 freemsg(mp); 6596 if (mp1 == NULL) { 6597 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 6598 return; 6599 } 6600 mp = mp1; 6601 } 6602 first_mp = mp; 6603 if (mctl_present) { 6604 hada_mp = first_mp; 6605 mp = first_mp->b_cont; 6606 } 6607 6608 ip6h = (ip6_t *)mp->b_rptr; 6609 6610 /* check for alignment and full IPv6 header */ 6611 if (!OK_32PTR((uchar_t *)ip6h) || 6612 (mp->b_wptr - (uchar_t *)ip6h) < IPV6_HDR_LEN) { 6613 if (!pullupmsg(mp, IPV6_HDR_LEN)) { 6614 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 6615 ip1dbg(("ip_rput_v6: pullupmsg failed\n")); 6616 freemsg(first_mp); 6617 return; 6618 } 6619 ip6h = (ip6_t *)mp->b_rptr; 6620 } 6621 if ((ip6h->ip6_vcf & IPV6_VERS_AND_FLOW_MASK) == 6622 IPV6_DEFAULT_VERS_AND_FLOW) { 6623 /* 6624 * It may be a bit too expensive to do this mapped address 6625 * check here, but in the interest of robustness, it seems 6626 * like the correct place. 6627 * TODO: Avoid this check for e.g. connected TCP sockets 6628 */ 6629 if (IN6_IS_ADDR_V4MAPPED(&ip6h->ip6_src)) { 6630 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 6631 ip1dbg(("ip_rput_v6: pkt with mapped src addr\n")); 6632 freemsg(first_mp); 6633 return; 6634 } 6635 6636 if (IN6_IS_ADDR_LOOPBACK(&ip6h->ip6_src)) { 6637 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 6638 ip1dbg(("ip_rput_v6: pkt with loopback src")); 6639 freemsg(first_mp); 6640 return; 6641 } else if (IN6_IS_ADDR_LOOPBACK(&ip6h->ip6_dst)) { 6642 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 6643 ip1dbg(("ip_rput_v6: pkt with loopback dst")); 6644 freemsg(first_mp); 6645 return; 6646 } 6647 6648 flags |= (ll_multicast ? IP6_IN_LLMCAST : 0); 6649 ip_rput_data_v6(q, ill, mp, ip6h, flags, hada_mp); 6650 } else { 6651 BUMP_MIB(ill->ill_ip6_mib, ipv6InIPv4); 6652 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 6653 freemsg(first_mp); 6654 } 6655 } 6656 6657 /* 6658 * Walk through the IPv6 packet in mp and see if there's an AH header 6659 * in it. See if the AH header needs to get done before other headers in 6660 * the packet. (Worker function for ipsec_early_ah_v6().) 6661 */ 6662 #define IPSEC_HDR_DONT_PROCESS 0 6663 #define IPSEC_HDR_PROCESS 1 6664 #define IPSEC_MEMORY_ERROR 2 6665 static int 6666 ipsec_needs_processing_v6(mblk_t *mp, uint8_t *nexthdr) 6667 { 6668 uint_t length; 6669 uint_t ehdrlen; 6670 uint8_t *whereptr; 6671 uint8_t *endptr; 6672 uint8_t *nexthdrp; 6673 ip6_dest_t *desthdr; 6674 ip6_rthdr_t *rthdr; 6675 ip6_t *ip6h; 6676 6677 /* 6678 * For now just pullup everything. In general, the less pullups, 6679 * the better, but there's so much squirrelling through anyway, 6680 * it's just easier this way. 6681 */ 6682 if (!pullupmsg(mp, -1)) { 6683 return (IPSEC_MEMORY_ERROR); 6684 } 6685 6686 ip6h = (ip6_t *)mp->b_rptr; 6687 length = IPV6_HDR_LEN; 6688 whereptr = ((uint8_t *)&ip6h[1]); /* point to next hdr */ 6689 endptr = mp->b_wptr; 6690 6691 /* 6692 * We can't just use the argument nexthdr in the place 6693 * of nexthdrp becaue we don't dereference nexthdrp 6694 * till we confirm whether it is a valid address. 6695 */ 6696 nexthdrp = &ip6h->ip6_nxt; 6697 while (whereptr < endptr) { 6698 /* Is there enough left for len + nexthdr? */ 6699 if (whereptr + MIN_EHDR_LEN > endptr) 6700 return (IPSEC_MEMORY_ERROR); 6701 6702 switch (*nexthdrp) { 6703 case IPPROTO_HOPOPTS: 6704 case IPPROTO_DSTOPTS: 6705 /* Assumes the headers are identical for hbh and dst */ 6706 desthdr = (ip6_dest_t *)whereptr; 6707 ehdrlen = 8 * (desthdr->ip6d_len + 1); 6708 if ((uchar_t *)desthdr + ehdrlen > endptr) 6709 return (IPSEC_MEMORY_ERROR); 6710 /* 6711 * Return DONT_PROCESS because of potential Mobile IPv6 6712 * cruft for destination options. 6713 */ 6714 if (*nexthdrp == IPPROTO_DSTOPTS) 6715 return (IPSEC_HDR_DONT_PROCESS); 6716 nexthdrp = &desthdr->ip6d_nxt; 6717 break; 6718 case IPPROTO_ROUTING: 6719 rthdr = (ip6_rthdr_t *)whereptr; 6720 6721 /* 6722 * If there's more hops left on the routing header, 6723 * return now with DON'T PROCESS. 6724 */ 6725 if (rthdr->ip6r_segleft > 0) 6726 return (IPSEC_HDR_DONT_PROCESS); 6727 6728 ehdrlen = 8 * (rthdr->ip6r_len + 1); 6729 if ((uchar_t *)rthdr + ehdrlen > endptr) 6730 return (IPSEC_MEMORY_ERROR); 6731 nexthdrp = &rthdr->ip6r_nxt; 6732 break; 6733 case IPPROTO_FRAGMENT: 6734 /* Wait for reassembly */ 6735 return (IPSEC_HDR_DONT_PROCESS); 6736 case IPPROTO_AH: 6737 *nexthdr = IPPROTO_AH; 6738 return (IPSEC_HDR_PROCESS); 6739 case IPPROTO_NONE: 6740 /* No next header means we're finished */ 6741 default: 6742 return (IPSEC_HDR_DONT_PROCESS); 6743 } 6744 length += ehdrlen; 6745 whereptr += ehdrlen; 6746 } 6747 panic("ipsec_needs_processing_v6"); 6748 /*NOTREACHED*/ 6749 } 6750 6751 /* 6752 * Path for AH if options are present. If this is the first time we are 6753 * sending a datagram to AH, allocate a IPSEC_IN message and prepend it. 6754 * Otherwise, just fanout. Return value answers the boolean question: 6755 * "Did I consume the mblk you sent me?" 6756 * 6757 * Sometimes AH needs to be done before other IPv6 headers for security 6758 * reasons. This function (and its ipsec_needs_processing_v6() above) 6759 * indicates if that is so, and fans out to the appropriate IPsec protocol 6760 * for the datagram passed in. 6761 */ 6762 static boolean_t 6763 ipsec_early_ah_v6(queue_t *q, mblk_t *first_mp, boolean_t mctl_present, 6764 ill_t *ill, ire_t *ire, mblk_t *hada_mp, zoneid_t zoneid) 6765 { 6766 mblk_t *mp; 6767 uint8_t nexthdr; 6768 ipsec_in_t *ii = NULL; 6769 ah_t *ah; 6770 ipsec_status_t ipsec_rc; 6771 6772 ASSERT((hada_mp == NULL) || (!mctl_present)); 6773 6774 switch (ipsec_needs_processing_v6( 6775 (mctl_present ? first_mp->b_cont : first_mp), &nexthdr)) { 6776 case IPSEC_MEMORY_ERROR: 6777 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 6778 freemsg(hada_mp); 6779 freemsg(first_mp); 6780 return (B_TRUE); 6781 case IPSEC_HDR_DONT_PROCESS: 6782 return (B_FALSE); 6783 } 6784 6785 /* Default means send it to AH! */ 6786 ASSERT(nexthdr == IPPROTO_AH); 6787 if (!mctl_present) { 6788 mp = first_mp; 6789 if ((first_mp = ipsec_in_alloc(B_FALSE)) == NULL) { 6790 ip1dbg(("ipsec_early_ah_v6: IPSEC_IN " 6791 "allocation failure.\n")); 6792 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 6793 freemsg(hada_mp); 6794 freemsg(mp); 6795 return (B_TRUE); 6796 } 6797 /* 6798 * Store the ill_index so that when we come back 6799 * from IPSEC we ride on the same queue. 6800 */ 6801 ii = (ipsec_in_t *)first_mp->b_rptr; 6802 ii->ipsec_in_ill_index = ill->ill_phyint->phyint_ifindex; 6803 ii->ipsec_in_rill_index = ii->ipsec_in_ill_index; 6804 first_mp->b_cont = mp; 6805 } 6806 /* 6807 * Cache hardware acceleration info. 6808 */ 6809 if (hada_mp != NULL) { 6810 ASSERT(ii != NULL); 6811 IPSECHW_DEBUG(IPSECHW_PKT, ("ipsec_early_ah_v6: " 6812 "caching data attr.\n")); 6813 ii->ipsec_in_accelerated = B_TRUE; 6814 ii->ipsec_in_da = hada_mp; 6815 } 6816 6817 if (!ipsec_loaded()) { 6818 ip_proto_not_sup(q, first_mp, IP_FF_SEND_ICMP, zoneid); 6819 return (B_TRUE); 6820 } 6821 6822 ah = ipsec_inbound_ah_sa(first_mp); 6823 if (ah == NULL) 6824 return (B_TRUE); 6825 ASSERT(ii->ipsec_in_ah_sa != NULL); 6826 ASSERT(ii->ipsec_in_ah_sa->ipsa_input_func != NULL); 6827 ipsec_rc = ii->ipsec_in_ah_sa->ipsa_input_func(first_mp, ah); 6828 6829 switch (ipsec_rc) { 6830 case IPSEC_STATUS_SUCCESS: 6831 /* we're done with IPsec processing, send it up */ 6832 ip_fanout_proto_again(first_mp, ill, ill, ire); 6833 break; 6834 case IPSEC_STATUS_FAILED: 6835 BUMP_MIB(&ip6_mib, ipv6InDiscards); 6836 break; 6837 case IPSEC_STATUS_PENDING: 6838 /* no action needed */ 6839 break; 6840 } 6841 return (B_TRUE); 6842 } 6843 6844 /* 6845 * ip_rput_data_v6 -- received IPv6 packets in M_DATA messages show up here. 6846 * ip_rput_v6 has already verified alignment, the min length, the version, 6847 * and db_ref = 1. 6848 * 6849 * The ill passed in (the arg named inill) is the ill that the packet 6850 * actually arrived on. We need to remember this when saving the 6851 * input interface index into potential IPV6_PKTINFO data in 6852 * ip_add_info_v6(). 6853 */ 6854 void 6855 ip_rput_data_v6(queue_t *q, ill_t *inill, mblk_t *mp, ip6_t *ip6h, 6856 uint_t flags, mblk_t *hada_mp) 6857 { 6858 ire_t *ire = NULL; 6859 queue_t *rq; 6860 ill_t *ill = inill; 6861 ipif_t *ipif; 6862 uint8_t *whereptr; 6863 uint8_t nexthdr; 6864 uint16_t remlen; 6865 uint_t prev_nexthdr_offset; 6866 uint_t used; 6867 size_t pkt_len; 6868 uint16_t ip6_len; 6869 uint_t hdr_len; 6870 boolean_t mctl_present; 6871 mblk_t *first_mp; 6872 mblk_t *first_mp1; 6873 boolean_t no_forward; 6874 ip6_hbh_t *hbhhdr; 6875 boolean_t ll_multicast = (flags & IP6_IN_LLMCAST); 6876 conn_t *connp; 6877 ilm_t *ilm; 6878 uint32_t ports; 6879 uint_t ipif_id = 0; 6880 zoneid_t zoneid = GLOBAL_ZONEID; 6881 uint16_t hck_flags, reass_hck_flags; 6882 uint32_t reass_sum; 6883 boolean_t cksum_err; 6884 mblk_t *mp1; 6885 6886 EXTRACT_PKT_MP(mp, first_mp, mctl_present); 6887 6888 if (hada_mp != NULL) { 6889 /* 6890 * It's an IPsec accelerated packet. 6891 * Keep a pointer to the data attributes around until 6892 * we allocate the ipsecinfo structure. 6893 */ 6894 IPSECHW_DEBUG(IPSECHW_PKT, 6895 ("ip_rput_data_v6: inbound HW accelerated IPsec pkt\n")); 6896 hada_mp->b_cont = NULL; 6897 /* 6898 * Since it is accelerated, it came directly from 6899 * the ill. 6900 */ 6901 ASSERT(mctl_present == B_FALSE); 6902 ASSERT(mp->b_datap->db_type != M_CTL); 6903 } 6904 6905 ASSERT(OK_32PTR((uchar_t *)ip6h) && 6906 (mp->b_wptr - (uchar_t *)ip6h) >= IPV6_HDR_LEN); 6907 6908 if (mp->b_cont == NULL) 6909 pkt_len = mp->b_wptr - mp->b_rptr; 6910 else 6911 pkt_len = msgdsize(mp); 6912 ip6_len = ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN; 6913 6914 /* 6915 * Check for bogus (too short packet) and packet which 6916 * was padded by the link layer. 6917 */ 6918 if (ip6_len != pkt_len) { 6919 ssize_t diff; 6920 6921 if (ip6_len > pkt_len) { 6922 ip1dbg(("ip_rput_data_v6: packet too short %d %lu\n", 6923 ip6_len, pkt_len)); 6924 BUMP_MIB(ill->ill_ip6_mib, ipv6InTruncatedPkts); 6925 freemsg(hada_mp); 6926 freemsg(first_mp); 6927 return; 6928 } 6929 diff = (ssize_t)(pkt_len - ip6_len); 6930 6931 if (!adjmsg(mp, -diff)) { 6932 ip1dbg(("ip_rput_data_v6: adjmsg failed\n")); 6933 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 6934 freemsg(hada_mp); 6935 freemsg(first_mp); 6936 return; 6937 } 6938 pkt_len -= diff; 6939 } 6940 6941 if (ILL_HCKSUM_CAPABLE(ill) && !mctl_present && dohwcksum) 6942 hck_flags = DB_CKSUMFLAGS(mp); 6943 else 6944 hck_flags = 0; 6945 6946 /* Clear checksum flags in case we need to forward */ 6947 DB_CKSUMFLAGS(mp) = 0; 6948 reass_sum = reass_hck_flags = 0; 6949 6950 nexthdr = ip6h->ip6_nxt; 6951 6952 prev_nexthdr_offset = (uint_t)((uchar_t *)&ip6h->ip6_nxt - 6953 (uchar_t *)ip6h); 6954 whereptr = (uint8_t *)&ip6h[1]; 6955 remlen = pkt_len - IPV6_HDR_LEN; /* Track how much is left */ 6956 6957 /* Process hop by hop header options */ 6958 if (nexthdr == IPPROTO_HOPOPTS) { 6959 uint_t ehdrlen; 6960 uint8_t *optptr; 6961 6962 if (remlen < MIN_EHDR_LEN) 6963 goto pkt_too_short; 6964 if (mp->b_cont != NULL && 6965 whereptr + MIN_EHDR_LEN > mp->b_wptr) { 6966 if (!pullupmsg(mp, IPV6_HDR_LEN + MIN_EHDR_LEN)) { 6967 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 6968 freemsg(hada_mp); 6969 freemsg(first_mp); 6970 return; 6971 } 6972 ip6h = (ip6_t *)mp->b_rptr; 6973 whereptr = (uint8_t *)ip6h + pkt_len - remlen; 6974 } 6975 hbhhdr = (ip6_hbh_t *)whereptr; 6976 nexthdr = hbhhdr->ip6h_nxt; 6977 prev_nexthdr_offset = (uint_t)(whereptr - (uint8_t *)ip6h); 6978 ehdrlen = 8 * (hbhhdr->ip6h_len + 1); 6979 6980 if (remlen < ehdrlen) 6981 goto pkt_too_short; 6982 if (mp->b_cont != NULL && 6983 whereptr + ehdrlen > mp->b_wptr) { 6984 if (!pullupmsg(mp, IPV6_HDR_LEN + ehdrlen)) { 6985 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 6986 freemsg(hada_mp); 6987 freemsg(first_mp); 6988 return; 6989 } 6990 ip6h = (ip6_t *)mp->b_rptr; 6991 whereptr = (uint8_t *)ip6h + pkt_len - remlen; 6992 hbhhdr = (ip6_hbh_t *)whereptr; 6993 } 6994 6995 optptr = whereptr + 2; 6996 whereptr += ehdrlen; 6997 remlen -= ehdrlen; 6998 switch (ip_process_options_v6(q, first_mp, ip6h, optptr, 6999 ehdrlen - 2, IPPROTO_HOPOPTS)) { 7000 case -1: 7001 /* 7002 * Packet has been consumed and any 7003 * needed ICMP messages sent. 7004 */ 7005 BUMP_MIB(ill->ill_ip6_mib, ipv6InHdrErrors); 7006 freemsg(hada_mp); 7007 return; 7008 case 0: 7009 /* no action needed */ 7010 break; 7011 case 1: 7012 /* Known router alert */ 7013 goto ipv6forus; 7014 } 7015 } 7016 7017 /* 7018 * On incoming v6 multicast packets we will bypass the ire table, 7019 * and assume that the read queue corresponds to the targetted 7020 * interface. 7021 * 7022 * The effect of this is the same as the IPv4 original code, but is 7023 * much cleaner I think. See ip_rput for how that was done. 7024 */ 7025 if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst)) { 7026 BUMP_MIB(ill->ill_ip6_mib, ipv6InMcastPkts); 7027 /* 7028 * XXX TODO Give to mrouted to for multicast forwarding. 7029 */ 7030 ILM_WALKER_HOLD(ill); 7031 ilm = ilm_lookup_ill_v6(ill, &ip6h->ip6_dst, ALL_ZONES); 7032 ILM_WALKER_RELE(ill); 7033 if (ilm == NULL) { 7034 if (ip_debug > 3) { 7035 /* ip2dbg */ 7036 pr_addr_dbg("ip_rput_data_v6: got mcast packet" 7037 " which is not for us: %s\n", AF_INET6, 7038 &ip6h->ip6_dst); 7039 } 7040 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 7041 freemsg(hada_mp); 7042 freemsg(first_mp); 7043 return; 7044 } 7045 if (ip_debug > 3) { 7046 /* ip2dbg */ 7047 pr_addr_dbg("ip_rput_data_v6: multicast for us: %s\n", 7048 AF_INET6, &ip6h->ip6_dst); 7049 } 7050 rq = ill->ill_rq; 7051 zoneid = GLOBAL_ZONEID; 7052 goto ipv6forus; 7053 } 7054 7055 ipif = ill->ill_ipif; 7056 7057 /* 7058 * If a packet was received on an interface that is a 6to4 tunnel, 7059 * incoming IPv6 packets, with a 6to4 addressed IPv6 destination, must 7060 * be checked to have a 6to4 prefix (2002:V4ADDR::/48) that is equal to 7061 * the 6to4 prefix of the address configured on the receiving interface. 7062 * Otherwise, the packet was delivered to this interface in error and 7063 * the packet must be dropped. 7064 */ 7065 if ((ill->ill_is_6to4tun) && IN6_IS_ADDR_6TO4(&ip6h->ip6_dst)) { 7066 7067 if (!IN6_ARE_6TO4_PREFIX_EQUAL(&ipif->ipif_v6lcl_addr, 7068 &ip6h->ip6_dst)) { 7069 if (ip_debug > 2) { 7070 /* ip1dbg */ 7071 pr_addr_dbg("ip_rput_data_v6: received 6to4 " 7072 "addressed packet which is not for us: " 7073 "%s\n", AF_INET6, &ip6h->ip6_dst); 7074 } 7075 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 7076 freemsg(first_mp); 7077 return; 7078 } 7079 } 7080 7081 /* 7082 * Find an ire that matches destination. For link-local addresses 7083 * we have to match the ill. 7084 * TBD for site local addresses. 7085 */ 7086 if (IN6_IS_ADDR_LINKLOCAL(&ip6h->ip6_dst)) { 7087 ire = ire_ctable_lookup_v6(&ip6h->ip6_dst, NULL, 7088 IRE_CACHE|IRE_LOCAL, ill->ill_ipif, ALL_ZONES, 7089 MATCH_IRE_TYPE | MATCH_IRE_ILL_GROUP); 7090 } else { 7091 ire = ire_cache_lookup_v6(&ip6h->ip6_dst, ALL_ZONES); 7092 } 7093 if (ire == NULL) { 7094 /* 7095 * No matching IRE found. Mark this packet as having 7096 * originated externally. 7097 */ 7098 if (!(ill->ill_flags & ILLF_ROUTER) || ll_multicast) { 7099 BUMP_MIB(ill->ill_ip6_mib, ipv6ForwProhibits); 7100 if (!(ill->ill_flags & ILLF_ROUTER)) 7101 BUMP_MIB(ill->ill_ip6_mib, ipv6InAddrErrors); 7102 freemsg(hada_mp); 7103 freemsg(first_mp); 7104 return; 7105 } 7106 if (ip6h->ip6_hops <= 1) { 7107 if (hada_mp != NULL) 7108 goto hada_drop; 7109 icmp_time_exceeded_v6(WR(q), first_mp, 7110 ICMP6_TIME_EXCEED_TRANSIT, ll_multicast, B_FALSE); 7111 return; 7112 } 7113 /* 7114 * Per RFC 3513 section 2.5.2, we must not forward packets with 7115 * an unspecified source address. 7116 */ 7117 if (IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src)) { 7118 BUMP_MIB(ill->ill_ip6_mib, ipv6ForwProhibits); 7119 freemsg(hada_mp); 7120 freemsg(first_mp); 7121 return; 7122 } 7123 mp->b_prev = (mblk_t *)(uintptr_t) 7124 ill->ill_phyint->phyint_ifindex; 7125 ip_newroute_v6(q, mp, &ip6h->ip6_dst, &ip6h->ip6_src, 7126 IN6_IS_ADDR_LINKLOCAL(&ip6h->ip6_dst) ? ill : NULL, 7127 ALL_ZONES); 7128 return; 7129 } 7130 ipif_id = ire->ire_ipif->ipif_seqid; 7131 /* we have a matching IRE */ 7132 if (ire->ire_stq != NULL) { 7133 ill_group_t *ill_group; 7134 ill_group_t *ire_group; 7135 7136 /* 7137 * To be quicker, we may wish not to chase pointers 7138 * (ire->ire_ipif->ipif_ill...) and instead store the 7139 * forwarding policy in the ire. An unfortunate side- 7140 * effect of this would be requiring an ire flush whenever 7141 * the ILLF_ROUTER flag changes. For now, chase pointers 7142 * once and store in the boolean no_forward. 7143 * 7144 * This appears twice to keep it out of the non-forwarding, 7145 * yes-it's-for-us-on-the-right-interface case. 7146 */ 7147 no_forward = ((ill->ill_flags & 7148 ire->ire_ipif->ipif_ill->ill_flags & ILLF_ROUTER) == 0); 7149 7150 7151 ASSERT(first_mp == mp); 7152 /* 7153 * This ire has a send-to queue - forward the packet. 7154 */ 7155 if (no_forward || ll_multicast || (hada_mp != NULL)) { 7156 freemsg(hada_mp); 7157 BUMP_MIB(ill->ill_ip6_mib, ipv6ForwProhibits); 7158 if (no_forward) 7159 BUMP_MIB(ill->ill_ip6_mib, ipv6InAddrErrors); 7160 freemsg(mp); 7161 ire_refrele(ire); 7162 return; 7163 } 7164 if (ip6h->ip6_hops <= 1) { 7165 ip1dbg(("ip_rput_data_v6: hop limit expired.\n")); 7166 icmp_time_exceeded_v6(WR(q), mp, 7167 ICMP6_TIME_EXCEED_TRANSIT, ll_multicast, B_FALSE); 7168 ire_refrele(ire); 7169 return; 7170 } 7171 /* 7172 * Per RFC 3513 section 2.5.2, we must not forward packets with 7173 * an unspecified source address. 7174 */ 7175 if (IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src)) { 7176 BUMP_MIB(ill->ill_ip6_mib, ipv6ForwProhibits); 7177 freemsg(hada_mp); 7178 freemsg(mp); 7179 ire_refrele(ire); 7180 return; 7181 } 7182 if (pkt_len > ire->ire_max_frag) { 7183 BUMP_MIB(ill->ill_ip6_mib, ipv6InTooBigErrors); 7184 icmp_pkt2big_v6(WR(q), mp, ire->ire_max_frag, 7185 ll_multicast, B_TRUE); 7186 ire_refrele(ire); 7187 return; 7188 } 7189 7190 /* 7191 * Check to see if we're forwarding the packet to a 7192 * different link from which it came. If so, check the 7193 * source and destination addresses since routers must not 7194 * forward any packets with link-local source or 7195 * destination addresses to other links. Otherwise (if 7196 * we're forwarding onto the same link), conditionally send 7197 * a redirect message. 7198 */ 7199 ill_group = ill->ill_group; 7200 ire_group = ((ill_t *)(ire->ire_rfq)->q_ptr)->ill_group; 7201 if (ire->ire_rfq != q && (ill_group == NULL || 7202 ill_group != ire_group)) { 7203 if (IN6_IS_ADDR_LINKLOCAL(&ip6h->ip6_dst) || 7204 IN6_IS_ADDR_LINKLOCAL(&ip6h->ip6_src)) { 7205 BUMP_MIB(ill->ill_ip6_mib, ipv6InAddrErrors); 7206 freemsg(mp); 7207 ire_refrele(ire); 7208 return; 7209 } 7210 /* TBD add site-local check at site boundary? */ 7211 } else if (ipv6_send_redirects) { 7212 in6_addr_t *v6targ; 7213 in6_addr_t gw_addr_v6; 7214 ire_t *src_ire_v6 = NULL; 7215 7216 /* 7217 * Don't send a redirect when forwarding a source 7218 * routed packet. 7219 */ 7220 if (ip_source_routed_v6(ip6h, mp)) 7221 goto forward; 7222 7223 mutex_enter(&ire->ire_lock); 7224 gw_addr_v6 = ire->ire_gateway_addr_v6; 7225 mutex_exit(&ire->ire_lock); 7226 if (!IN6_IS_ADDR_UNSPECIFIED(&gw_addr_v6)) { 7227 v6targ = &gw_addr_v6; 7228 /* 7229 * We won't send redirects to a router 7230 * that doesn't have a link local 7231 * address, but will forward. 7232 */ 7233 if (!IN6_IS_ADDR_LINKLOCAL(v6targ)) { 7234 BUMP_MIB(ill->ill_ip6_mib, 7235 ipv6InAddrErrors); 7236 goto forward; 7237 } 7238 } else { 7239 v6targ = &ip6h->ip6_dst; 7240 } 7241 7242 src_ire_v6 = ire_ftable_lookup_v6(&ip6h->ip6_src, 7243 NULL, NULL, IRE_INTERFACE, ire->ire_ipif, NULL, 7244 ALL_ZONES, 0, MATCH_IRE_IPIF | MATCH_IRE_TYPE); 7245 7246 if (src_ire_v6 != NULL) { 7247 /* 7248 * The source is directly connected. 7249 */ 7250 mp1 = copymsg(mp); 7251 if (mp1 != NULL) { 7252 icmp_send_redirect_v6(WR(q), 7253 mp1, v6targ, &ip6h->ip6_dst, 7254 ill, B_FALSE); 7255 } 7256 ire_refrele(src_ire_v6); 7257 } 7258 } 7259 7260 forward: 7261 /* Hoplimit verified above */ 7262 ip6h->ip6_hops--; 7263 UPDATE_IB_PKT_COUNT(ire); 7264 ire->ire_last_used_time = lbolt; 7265 BUMP_MIB(ill->ill_ip6_mib, ipv6OutForwDatagrams); 7266 ip_xmit_v6(mp, ire, 0, NULL, B_FALSE, NULL); 7267 IRE_REFRELE(ire); 7268 return; 7269 } 7270 rq = ire->ire_rfq; 7271 7272 /* 7273 * Need to put on correct queue for reassembly to find it. 7274 * No need to use put() since reassembly has its own locks. 7275 * Note: multicast packets and packets destined to addresses 7276 * assigned to loopback (ire_rfq is NULL) will be reassembled on 7277 * the arriving ill. 7278 */ 7279 if (rq != q) { 7280 boolean_t check_multi = B_TRUE; 7281 ill_group_t *ill_group = NULL; 7282 ill_group_t *ire_group = NULL; 7283 ill_t *ire_ill = NULL; 7284 uint_t ill_ifindex = ill->ill_usesrc_ifindex; 7285 7286 /* 7287 * To be quicker, we may wish not to chase pointers 7288 * (ire->ire_ipif->ipif_ill...) and instead store the 7289 * forwarding policy in the ire. An unfortunate side- 7290 * effect of this would be requiring an ire flush whenever 7291 * the ILLF_ROUTER flag changes. For now, chase pointers 7292 * once and store in the boolean no_forward. 7293 */ 7294 no_forward = ((ill->ill_flags & 7295 ire->ire_ipif->ipif_ill->ill_flags & ILLF_ROUTER) == 0); 7296 7297 ill_group = ill->ill_group; 7298 if (rq != NULL) { 7299 ire_ill = (ill_t *)(rq->q_ptr); 7300 ire_group = ire_ill->ill_group; 7301 } 7302 7303 /* 7304 * If it's part of the same IPMP group, or if it's a legal 7305 * address on the 'usesrc' interface, then bypass strict 7306 * checks. 7307 */ 7308 if (ill_group != NULL && ill_group == ire_group) { 7309 check_multi = B_FALSE; 7310 } else if (ill_ifindex != 0 && ire_ill != NULL && 7311 ill_ifindex == ire_ill->ill_phyint->phyint_ifindex) { 7312 check_multi = B_FALSE; 7313 } 7314 7315 ASSERT(!IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst)); 7316 if (check_multi && ipv6_strict_dst_multihoming && no_forward) { 7317 /* 7318 * This packet came in on an interface other than the 7319 * one associated with the destination address 7320 * and we are strict about matches. 7321 * 7322 * As long as the ills belong to the same group, 7323 * we don't consider them to arriving on the wrong 7324 * interface. Thus, when the switch is doing inbound 7325 * load spreading, we won't drop packets when we 7326 * are doing strict multihoming checks. 7327 */ 7328 BUMP_MIB(ill->ill_ip6_mib, ipv6ForwProhibits); 7329 freemsg(hada_mp); 7330 freemsg(first_mp); 7331 ire_refrele(ire); 7332 return; 7333 } 7334 7335 if (rq != NULL) 7336 q = rq; 7337 7338 ill = (ill_t *)q->q_ptr; 7339 ASSERT(ill); 7340 } 7341 7342 zoneid = ire->ire_zoneid; 7343 UPDATE_IB_PKT_COUNT(ire); 7344 ire->ire_last_used_time = lbolt; 7345 /* Don't use the ire after this point. */ 7346 ire_refrele(ire); 7347 ipv6forus: 7348 /* 7349 * Looks like this packet is for us one way or another. 7350 * This is where we'll process destination headers etc. 7351 */ 7352 for (; ; ) { 7353 switch (nexthdr) { 7354 case IPPROTO_TCP: { 7355 uint16_t *up; 7356 uint32_t sum; 7357 int offset; 7358 7359 hdr_len = pkt_len - remlen; 7360 7361 if (hada_mp != NULL) { 7362 ip0dbg(("tcp hada drop\n")); 7363 goto hada_drop; 7364 } 7365 7366 7367 /* TCP needs all of the TCP header */ 7368 if (remlen < TCP_MIN_HEADER_LENGTH) 7369 goto pkt_too_short; 7370 if (mp->b_cont != NULL && 7371 whereptr + TCP_MIN_HEADER_LENGTH > mp->b_wptr) { 7372 if (!pullupmsg(mp, 7373 hdr_len + TCP_MIN_HEADER_LENGTH)) { 7374 BUMP_MIB(ill->ill_ip6_mib, 7375 ipv6InDiscards); 7376 freemsg(first_mp); 7377 return; 7378 } 7379 hck_flags = 0; 7380 ip6h = (ip6_t *)mp->b_rptr; 7381 whereptr = (uint8_t *)ip6h + hdr_len; 7382 } 7383 /* 7384 * Extract the offset field from the TCP header. 7385 */ 7386 offset = ((uchar_t *)ip6h)[hdr_len + 12] >> 4; 7387 if (offset != 5) { 7388 if (offset < 5) { 7389 ip1dbg(("ip_rput_data_v6: short " 7390 "TCP data offset")); 7391 BUMP_MIB(ill->ill_ip6_mib, 7392 ipv6InDiscards); 7393 freemsg(first_mp); 7394 return; 7395 } 7396 /* 7397 * There must be TCP options. 7398 * Make sure we can grab them. 7399 */ 7400 offset <<= 2; 7401 if (remlen < offset) 7402 goto pkt_too_short; 7403 if (mp->b_cont != NULL && 7404 whereptr + offset > mp->b_wptr) { 7405 if (!pullupmsg(mp, 7406 hdr_len + offset)) { 7407 BUMP_MIB(ill->ill_ip6_mib, 7408 ipv6InDiscards); 7409 freemsg(first_mp); 7410 return; 7411 } 7412 hck_flags = 0; 7413 ip6h = (ip6_t *)mp->b_rptr; 7414 whereptr = (uint8_t *)ip6h + hdr_len; 7415 } 7416 } 7417 7418 up = (uint16_t *)&ip6h->ip6_src; 7419 /* 7420 * TCP checksum calculation. First sum up the 7421 * pseudo-header fields: 7422 * - Source IPv6 address 7423 * - Destination IPv6 address 7424 * - TCP payload length 7425 * - TCP protocol ID 7426 */ 7427 sum = htons(IPPROTO_TCP + remlen) + 7428 up[0] + up[1] + up[2] + up[3] + 7429 up[4] + up[5] + up[6] + up[7] + 7430 up[8] + up[9] + up[10] + up[11] + 7431 up[12] + up[13] + up[14] + up[15]; 7432 7433 /* Fold initial sum */ 7434 sum = (sum & 0xffff) + (sum >> 16); 7435 7436 mp1 = mp->b_cont; 7437 7438 if ((hck_flags & (HCK_FULLCKSUM|HCK_PARTIALCKSUM)) == 0) 7439 IP6_STAT(ip6_in_sw_cksum); 7440 7441 IP_CKSUM_RECV(hck_flags, sum, (uchar_t *) 7442 ((uchar_t *)mp->b_rptr + DB_CKSUMSTART(mp)), 7443 (int32_t)(whereptr - (uchar_t *)mp->b_rptr), 7444 mp, mp1, cksum_err); 7445 7446 if (cksum_err) { 7447 BUMP_MIB(&ip_mib, tcpInErrs); 7448 7449 if (hck_flags & HCK_FULLCKSUM) 7450 IP6_STAT(ip6_tcp_in_full_hw_cksum_err); 7451 else if (hck_flags & HCK_PARTIALCKSUM) 7452 IP6_STAT(ip6_tcp_in_part_hw_cksum_err); 7453 else 7454 IP6_STAT(ip6_tcp_in_sw_cksum_err); 7455 7456 freemsg(first_mp); 7457 return; 7458 } 7459 tcp_fanout: 7460 ip_fanout_tcp_v6(q, first_mp, ip6h, ill, inill, 7461 (flags|IP_FF_SEND_ICMP|IP_FF_SYN_ADDIRE| 7462 IP_FF_IP6INFO), hdr_len, mctl_present, zoneid); 7463 return; 7464 } 7465 case IPPROTO_SCTP: 7466 { 7467 sctp_hdr_t *sctph; 7468 uint32_t calcsum, pktsum; 7469 uint_t hdr_len = pkt_len - remlen; 7470 7471 /* SCTP needs all of the SCTP header */ 7472 if (remlen < sizeof (*sctph)) { 7473 goto pkt_too_short; 7474 } 7475 if (whereptr + sizeof (*sctph) > mp->b_wptr) { 7476 ASSERT(mp->b_cont != NULL); 7477 if (!pullupmsg(mp, hdr_len + sizeof (*sctph))) { 7478 BUMP_MIB(ill->ill_ip6_mib, 7479 ipv6InDiscards); 7480 freemsg(mp); 7481 return; 7482 } 7483 ip6h = (ip6_t *)mp->b_rptr; 7484 whereptr = (uint8_t *)ip6h + hdr_len; 7485 } 7486 7487 sctph = (sctp_hdr_t *)(mp->b_rptr + hdr_len); 7488 /* checksum */ 7489 pktsum = sctph->sh_chksum; 7490 sctph->sh_chksum = 0; 7491 calcsum = sctp_cksum(mp, hdr_len); 7492 if (calcsum != pktsum) { 7493 BUMP_MIB(&sctp_mib, sctpChecksumError); 7494 freemsg(mp); 7495 return; 7496 } 7497 sctph->sh_chksum = pktsum; 7498 ports = *(uint32_t *)(mp->b_rptr + hdr_len); 7499 if ((connp = sctp_find_conn(&ip6h->ip6_src, 7500 &ip6h->ip6_dst, ports, ipif_id, zoneid)) == NULL) { 7501 ip_fanout_sctp_raw(first_mp, ill, 7502 (ipha_t *)ip6h, B_FALSE, ports, 7503 mctl_present, 7504 (flags|IP_FF_SEND_ICMP|IP_FF_IP6INFO), 7505 B_TRUE, ipif_id, zoneid); 7506 return; 7507 } 7508 BUMP_MIB(&ip_mib, ipInDelivers); 7509 sctp_input(connp, (ipha_t *)ip6h, mp, first_mp, ill, 7510 B_FALSE, mctl_present); 7511 return; 7512 } 7513 case IPPROTO_UDP: { 7514 uint16_t *up; 7515 uint32_t sum; 7516 7517 hdr_len = pkt_len - remlen; 7518 7519 if (hada_mp != NULL) { 7520 ip0dbg(("udp hada drop\n")); 7521 goto hada_drop; 7522 } 7523 7524 /* Verify that at least the ports are present */ 7525 if (remlen < UDPH_SIZE) 7526 goto pkt_too_short; 7527 if (mp->b_cont != NULL && 7528 whereptr + UDPH_SIZE > mp->b_wptr) { 7529 if (!pullupmsg(mp, hdr_len + UDPH_SIZE)) { 7530 BUMP_MIB(ill->ill_ip6_mib, 7531 ipv6InDiscards); 7532 freemsg(first_mp); 7533 return; 7534 } 7535 hck_flags = 0; 7536 ip6h = (ip6_t *)mp->b_rptr; 7537 whereptr = (uint8_t *)ip6h + hdr_len; 7538 } 7539 7540 /* 7541 * Before going through the regular checksum 7542 * calculation, make sure the received checksum 7543 * is non-zero. RFC 2460 says, a 0x0000 checksum 7544 * in a UDP packet (within IPv6 packet) is invalid 7545 * and should be replaced by 0xffff. This makes 7546 * sense as regular checksum calculation will 7547 * pass for both the cases i.e. 0x0000 and 0xffff. 7548 * Removing one of the case makes error detection 7549 * stronger. 7550 */ 7551 7552 if (((udpha_t *)whereptr)->uha_checksum == 0) { 7553 /* 0x0000 checksum is invalid */ 7554 ip1dbg(("ip_rput_data_v6: Invalid UDP " 7555 "checksum value 0x0000\n")); 7556 BUMP_MIB(ill->ill_ip6_mib, udpInCksumErrs); 7557 freemsg(first_mp); 7558 return; 7559 } 7560 7561 up = (uint16_t *)&ip6h->ip6_src; 7562 7563 /* 7564 * UDP checksum calculation. First sum up the 7565 * pseudo-header fields: 7566 * - Source IPv6 address 7567 * - Destination IPv6 address 7568 * - UDP payload length 7569 * - UDP protocol ID 7570 */ 7571 7572 sum = htons(IPPROTO_UDP + remlen) + 7573 up[0] + up[1] + up[2] + up[3] + 7574 up[4] + up[5] + up[6] + up[7] + 7575 up[8] + up[9] + up[10] + up[11] + 7576 up[12] + up[13] + up[14] + up[15]; 7577 7578 /* Fold initial sum */ 7579 sum = (sum & 0xffff) + (sum >> 16); 7580 7581 if (reass_hck_flags != 0) { 7582 hck_flags = reass_hck_flags; 7583 7584 IP_CKSUM_RECV_REASS(hck_flags, 7585 (int32_t)(whereptr - (uchar_t *)mp->b_rptr), 7586 sum, reass_sum, cksum_err); 7587 } else { 7588 mp1 = mp->b_cont; 7589 7590 IP_CKSUM_RECV(hck_flags, sum, (uchar_t *) 7591 ((uchar_t *)mp->b_rptr + DB_CKSUMSTART(mp)), 7592 (int32_t)(whereptr - (uchar_t *)mp->b_rptr), 7593 mp, mp1, cksum_err); 7594 } 7595 7596 if ((hck_flags & (HCK_FULLCKSUM|HCK_PARTIALCKSUM)) == 0) 7597 IP6_STAT(ip6_in_sw_cksum); 7598 7599 if (cksum_err) { 7600 BUMP_MIB(ill->ill_ip6_mib, udpInCksumErrs); 7601 7602 if (hck_flags & HCK_FULLCKSUM) 7603 IP6_STAT(ip6_udp_in_full_hw_cksum_err); 7604 else if (hck_flags & HCK_PARTIALCKSUM) 7605 IP6_STAT(ip6_udp_in_part_hw_cksum_err); 7606 else 7607 IP6_STAT(ip6_udp_in_sw_cksum_err); 7608 7609 freemsg(first_mp); 7610 return; 7611 } 7612 goto udp_fanout; 7613 } 7614 case IPPROTO_ICMPV6: { 7615 uint16_t *up; 7616 uint32_t sum; 7617 uint_t hdr_len = pkt_len - remlen; 7618 7619 if (hada_mp != NULL) { 7620 ip0dbg(("icmp hada drop\n")); 7621 goto hada_drop; 7622 } 7623 7624 up = (uint16_t *)&ip6h->ip6_src; 7625 sum = htons(IPPROTO_ICMPV6 + remlen) + 7626 up[0] + up[1] + up[2] + up[3] + 7627 up[4] + up[5] + up[6] + up[7] + 7628 up[8] + up[9] + up[10] + up[11] + 7629 up[12] + up[13] + up[14] + up[15]; 7630 sum = (sum & 0xffff) + (sum >> 16); 7631 sum = IP_CSUM(mp, hdr_len, sum); 7632 if (sum != 0) { 7633 /* IPv6 ICMP checksum failed */ 7634 ip1dbg(("ip_rput_data_v6: ICMPv6 checksum " 7635 "failed %x\n", 7636 sum)); 7637 BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInMsgs); 7638 BUMP_MIB(ill->ill_icmp6_mib, 7639 ipv6IfIcmpInErrors); 7640 freemsg(first_mp); 7641 return; 7642 } 7643 7644 icmp_fanout: 7645 /* Check variable for testing applications */ 7646 if (ipv6_drop_inbound_icmpv6) { 7647 freemsg(first_mp); 7648 return; 7649 } 7650 /* 7651 * Assume that there is always at least one conn for 7652 * ICMPv6 (in.ndpd) i.e. don't optimize the case 7653 * where there is no conn. 7654 */ 7655 if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst)) { 7656 ASSERT(!(ill->ill_phyint->phyint_flags & 7657 PHYI_LOOPBACK)); 7658 /* 7659 * In the multicast case, applications may have 7660 * joined the group from different zones, so we 7661 * need to deliver the packet to each of them. 7662 * Loop through the multicast memberships 7663 * structures (ilm) on the receive ill and send 7664 * a copy of the packet up each matching one. 7665 */ 7666 ILM_WALKER_HOLD(ill); 7667 for (ilm = ill->ill_ilm; ilm != NULL; 7668 ilm = ilm->ilm_next) { 7669 if (ilm->ilm_flags & ILM_DELETED) 7670 continue; 7671 if (!IN6_ARE_ADDR_EQUAL( 7672 &ilm->ilm_v6addr, &ip6h->ip6_dst)) 7673 continue; 7674 if (!ipif_lookup_zoneid(ill, 7675 ilm->ilm_zoneid, IPIF_UP, NULL)) 7676 continue; 7677 7678 first_mp1 = ip_copymsg(first_mp); 7679 if (first_mp1 == NULL) 7680 continue; 7681 icmp_inbound_v6(q, first_mp1, ill, 7682 hdr_len, mctl_present, 0, 7683 ilm->ilm_zoneid); 7684 } 7685 ILM_WALKER_RELE(ill); 7686 } else { 7687 first_mp1 = ip_copymsg(first_mp); 7688 if (first_mp1 != NULL) 7689 icmp_inbound_v6(q, first_mp1, ill, 7690 hdr_len, mctl_present, 0, zoneid); 7691 } 7692 } 7693 /* FALLTHRU */ 7694 default: { 7695 /* 7696 * Handle protocols with which IPv6 is less intimate. 7697 */ 7698 uint_t proto_flags = IP_FF_RAWIP|IP_FF_IP6INFO; 7699 7700 if (hada_mp != NULL) { 7701 ip0dbg(("default hada drop\n")); 7702 goto hada_drop; 7703 } 7704 7705 /* 7706 * Enable sending ICMP for "Unknown" nexthdr 7707 * case. i.e. where we did not FALLTHRU from 7708 * IPPROTO_ICMPV6 processing case above. 7709 * If we did FALLTHRU, then the packet has already been 7710 * processed for IPPF, don't process it again in 7711 * ip_fanout_proto_v6; set IP6_NO_IPPOLICY in the 7712 * flags 7713 */ 7714 if (nexthdr != IPPROTO_ICMPV6) 7715 proto_flags |= IP_FF_SEND_ICMP; 7716 else 7717 proto_flags |= IP6_NO_IPPOLICY; 7718 7719 ip_fanout_proto_v6(q, first_mp, ip6h, ill, inill, 7720 nexthdr, prev_nexthdr_offset, (flags|proto_flags), 7721 mctl_present, zoneid); 7722 return; 7723 } 7724 7725 case IPPROTO_DSTOPTS: { 7726 uint_t ehdrlen; 7727 uint8_t *optptr; 7728 ip6_dest_t *desthdr; 7729 7730 /* Check if AH is present. */ 7731 if (ipsec_early_ah_v6(q, first_mp, mctl_present, ill, 7732 ire, hada_mp, zoneid)) { 7733 ip0dbg(("dst early hada drop\n")); 7734 return; 7735 } 7736 7737 /* 7738 * Reinitialize pointers, as ipsec_early_ah_v6() does 7739 * complete pullups. We don't have to do more pullups 7740 * as a result. 7741 */ 7742 whereptr = (uint8_t *)((uintptr_t)mp->b_rptr + 7743 (uintptr_t)(whereptr - ((uint8_t *)ip6h))); 7744 ip6h = (ip6_t *)mp->b_rptr; 7745 7746 if (remlen < MIN_EHDR_LEN) 7747 goto pkt_too_short; 7748 7749 desthdr = (ip6_dest_t *)whereptr; 7750 nexthdr = desthdr->ip6d_nxt; 7751 prev_nexthdr_offset = (uint_t)(whereptr - 7752 (uint8_t *)ip6h); 7753 ehdrlen = 8 * (desthdr->ip6d_len + 1); 7754 if (remlen < ehdrlen) 7755 goto pkt_too_short; 7756 optptr = whereptr + 2; 7757 /* 7758 * Note: XXX This code does not seem to make 7759 * distinction between Destination Options Header 7760 * being before/after Routing Header which can 7761 * happen if we are at the end of source route. 7762 * This may become significant in future. 7763 * (No real significant Destination Options are 7764 * defined/implemented yet ). 7765 */ 7766 switch (ip_process_options_v6(q, first_mp, ip6h, optptr, 7767 ehdrlen - 2, IPPROTO_DSTOPTS)) { 7768 case -1: 7769 /* 7770 * Packet has been consumed and any needed 7771 * ICMP errors sent. 7772 */ 7773 BUMP_MIB(ill->ill_ip6_mib, ipv6InHdrErrors); 7774 freemsg(hada_mp); 7775 return; 7776 case 0: 7777 /* No action needed continue */ 7778 break; 7779 case 1: 7780 /* 7781 * Unnexpected return value 7782 * (Router alert is a Hop-by-Hop option) 7783 */ 7784 #ifdef DEBUG 7785 panic("ip_rput_data_v6: router " 7786 "alert hbh opt indication in dest opt"); 7787 /*NOTREACHED*/ 7788 #else 7789 freemsg(hada_mp); 7790 freemsg(first_mp); 7791 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 7792 return; 7793 #endif 7794 } 7795 used = ehdrlen; 7796 break; 7797 } 7798 case IPPROTO_FRAGMENT: { 7799 ip6_frag_t *fraghdr; 7800 size_t no_frag_hdr_len; 7801 7802 if (hada_mp != NULL) { 7803 ip0dbg(("frag hada drop\n")); 7804 goto hada_drop; 7805 } 7806 7807 ASSERT(first_mp == mp); 7808 if (remlen < sizeof (ip6_frag_t)) 7809 goto pkt_too_short; 7810 7811 if (mp->b_cont != NULL && 7812 whereptr + sizeof (ip6_frag_t) > mp->b_wptr) { 7813 if (!pullupmsg(mp, 7814 pkt_len - remlen + sizeof (ip6_frag_t))) { 7815 BUMP_MIB(ill->ill_ip6_mib, 7816 ipv6InDiscards); 7817 freemsg(mp); 7818 return; 7819 } 7820 hck_flags = 0; 7821 ip6h = (ip6_t *)mp->b_rptr; 7822 whereptr = (uint8_t *)ip6h + pkt_len - remlen; 7823 } 7824 7825 fraghdr = (ip6_frag_t *)whereptr; 7826 used = (uint_t)sizeof (ip6_frag_t); 7827 BUMP_MIB(ill->ill_ip6_mib, ipv6ReasmReqds); 7828 7829 /* 7830 * Invoke the CGTP (multirouting) filtering module to 7831 * process the incoming packet. Packets identified as 7832 * duplicates must be discarded. Filtering is active 7833 * only if the the ip_cgtp_filter ndd variable is 7834 * non-zero. 7835 */ 7836 if (ip_cgtp_filter && (ip_cgtp_filter_ops != NULL)) { 7837 int cgtp_flt_pkt = 7838 ip_cgtp_filter_ops->cfo_filter_v6( 7839 inill->ill_rq, ip6h, fraghdr); 7840 if (cgtp_flt_pkt == CGTP_IP_PKT_DUPLICATE) { 7841 freemsg(mp); 7842 return; 7843 } 7844 } 7845 7846 /* Restore the flags */ 7847 DB_CKSUMFLAGS(mp) = hck_flags; 7848 7849 mp = ip_rput_frag_v6(q, mp, ip6h, fraghdr, 7850 remlen - used, &prev_nexthdr_offset, 7851 &reass_sum, &reass_hck_flags); 7852 if (mp == NULL) { 7853 /* Reassembly is still pending */ 7854 return; 7855 } 7856 /* The first mblk are the headers before the frag hdr */ 7857 BUMP_MIB(ill->ill_ip6_mib, ipv6ReasmOKs); 7858 7859 first_mp = mp; /* mp has most likely changed! */ 7860 no_frag_hdr_len = mp->b_wptr - mp->b_rptr; 7861 ip6h = (ip6_t *)mp->b_rptr; 7862 nexthdr = ((char *)ip6h)[prev_nexthdr_offset]; 7863 whereptr = mp->b_rptr + no_frag_hdr_len; 7864 remlen = ntohs(ip6h->ip6_plen) + 7865 (uint16_t)(IPV6_HDR_LEN - no_frag_hdr_len); 7866 pkt_len = msgdsize(mp); 7867 used = 0; 7868 break; 7869 } 7870 case IPPROTO_HOPOPTS: 7871 if (hada_mp != NULL) { 7872 ip0dbg(("hop hada drop\n")); 7873 goto hada_drop; 7874 } 7875 /* 7876 * Illegal header sequence. 7877 * (Hop-by-hop headers are processed above 7878 * and required to immediately follow IPv6 header) 7879 */ 7880 icmp_param_problem_v6(WR(q), first_mp, 7881 ICMP6_PARAMPROB_NEXTHEADER, 7882 prev_nexthdr_offset, 7883 B_FALSE, B_FALSE); 7884 return; 7885 7886 case IPPROTO_ROUTING: { 7887 uint_t ehdrlen; 7888 ip6_rthdr_t *rthdr; 7889 7890 /* Check if AH is present. */ 7891 if (ipsec_early_ah_v6(q, first_mp, mctl_present, ill, 7892 ire, hada_mp, zoneid)) { 7893 ip0dbg(("routing hada drop\n")); 7894 return; 7895 } 7896 7897 /* 7898 * Reinitialize pointers, as ipsec_early_ah_v6() does 7899 * complete pullups. We don't have to do more pullups 7900 * as a result. 7901 */ 7902 whereptr = (uint8_t *)((uintptr_t)mp->b_rptr + 7903 (uintptr_t)(whereptr - ((uint8_t *)ip6h))); 7904 ip6h = (ip6_t *)mp->b_rptr; 7905 7906 if (remlen < MIN_EHDR_LEN) 7907 goto pkt_too_short; 7908 rthdr = (ip6_rthdr_t *)whereptr; 7909 nexthdr = rthdr->ip6r_nxt; 7910 prev_nexthdr_offset = (uint_t)(whereptr - 7911 (uint8_t *)ip6h); 7912 ehdrlen = 8 * (rthdr->ip6r_len + 1); 7913 if (remlen < ehdrlen) 7914 goto pkt_too_short; 7915 if (rthdr->ip6r_segleft != 0) { 7916 /* Not end of source route */ 7917 if (ll_multicast) { 7918 BUMP_MIB(ill->ill_ip6_mib, 7919 ipv6ForwProhibits); 7920 freemsg(hada_mp); 7921 freemsg(mp); 7922 return; 7923 } 7924 ip_process_rthdr(q, mp, ip6h, rthdr, ill, 7925 flags, hada_mp); 7926 return; 7927 } 7928 used = ehdrlen; 7929 break; 7930 } 7931 case IPPROTO_AH: 7932 case IPPROTO_ESP: { 7933 /* 7934 * Fast path for AH/ESP. If this is the first time 7935 * we are sending a datagram to AH/ESP, allocate 7936 * a IPSEC_IN message and prepend it. Otherwise, 7937 * just fanout. 7938 */ 7939 7940 ipsec_in_t *ii; 7941 int ipsec_rc; 7942 7943 if (!mctl_present) { 7944 ASSERT(first_mp == mp); 7945 if ((first_mp = ipsec_in_alloc(B_FALSE)) == 7946 NULL) { 7947 ip1dbg(("ip_rput_data_v6: IPSEC_IN " 7948 "allocation failure.\n")); 7949 BUMP_MIB(ill->ill_ip6_mib, 7950 ipv6InDiscards); 7951 freemsg(mp); 7952 return; 7953 } 7954 /* 7955 * Store the ill_index so that when we come back 7956 * from IPSEC we ride on the same queue. 7957 */ 7958 ii = (ipsec_in_t *)first_mp->b_rptr; 7959 ii->ipsec_in_ill_index = 7960 ill->ill_phyint->phyint_ifindex; 7961 ii->ipsec_in_rill_index = 7962 ii->ipsec_in_ill_index; 7963 first_mp->b_cont = mp; 7964 /* 7965 * Cache hardware acceleration info. 7966 */ 7967 if (hada_mp != NULL) { 7968 IPSECHW_DEBUG(IPSECHW_PKT, 7969 ("ip_rput_data_v6: " 7970 "caching data attr.\n")); 7971 ii->ipsec_in_accelerated = B_TRUE; 7972 ii->ipsec_in_da = hada_mp; 7973 hada_mp = NULL; 7974 } 7975 } else { 7976 ii = (ipsec_in_t *)first_mp->b_rptr; 7977 } 7978 7979 if (!ipsec_loaded()) { 7980 ip_proto_not_sup(q, first_mp, IP_FF_SEND_ICMP, 7981 ire->ire_zoneid); 7982 return; 7983 } 7984 7985 /* select inbound SA and have IPsec process the pkt */ 7986 if (nexthdr == IPPROTO_ESP) { 7987 esph_t *esph = ipsec_inbound_esp_sa(first_mp); 7988 if (esph == NULL) 7989 return; 7990 ASSERT(ii->ipsec_in_esp_sa != NULL); 7991 ASSERT(ii->ipsec_in_esp_sa->ipsa_input_func != 7992 NULL); 7993 ipsec_rc = ii->ipsec_in_esp_sa->ipsa_input_func( 7994 first_mp, esph); 7995 } else { 7996 ah_t *ah = ipsec_inbound_ah_sa(first_mp); 7997 if (ah == NULL) 7998 return; 7999 ASSERT(ii->ipsec_in_ah_sa != NULL); 8000 ASSERT(ii->ipsec_in_ah_sa->ipsa_input_func != 8001 NULL); 8002 ipsec_rc = ii->ipsec_in_ah_sa->ipsa_input_func( 8003 first_mp, ah); 8004 } 8005 8006 switch (ipsec_rc) { 8007 case IPSEC_STATUS_SUCCESS: 8008 break; 8009 case IPSEC_STATUS_FAILED: 8010 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 8011 /* FALLTHRU */ 8012 case IPSEC_STATUS_PENDING: 8013 return; 8014 } 8015 /* we're done with IPsec processing, send it up */ 8016 ip_fanout_proto_again(first_mp, ill, inill, ire); 8017 return; 8018 } 8019 case IPPROTO_NONE: 8020 /* All processing is done. Count as "delivered". */ 8021 freemsg(hada_mp); 8022 freemsg(first_mp); 8023 BUMP_MIB(ill->ill_ip6_mib, ipv6InDelivers); 8024 return; 8025 } 8026 whereptr += used; 8027 ASSERT(remlen >= used); 8028 remlen -= used; 8029 } 8030 /* NOTREACHED */ 8031 8032 pkt_too_short: 8033 ip1dbg(("ip_rput_data_v6: packet too short %d %lu %d\n", 8034 ip6_len, pkt_len, remlen)); 8035 BUMP_MIB(ill->ill_ip6_mib, ipv6InTruncatedPkts); 8036 freemsg(hada_mp); 8037 freemsg(first_mp); 8038 return; 8039 udp_fanout: 8040 if (mctl_present || IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst)) { 8041 connp = NULL; 8042 } else { 8043 connp = ipcl_classify_v6(mp, IPPROTO_UDP, hdr_len, zoneid); 8044 if ((connp != NULL) && (connp->conn_upq == NULL)) { 8045 CONN_DEC_REF(connp); 8046 connp = NULL; 8047 } 8048 } 8049 8050 if (connp == NULL) { 8051 uint32_t ports; 8052 8053 ports = *(uint32_t *)(mp->b_rptr + hdr_len + 8054 UDP_PORTS_OFFSET); 8055 IP6_STAT(ip6_udp_slow_path); 8056 ip_fanout_udp_v6(q, first_mp, ip6h, ports, ill, inill, 8057 (flags|IP_FF_SEND_ICMP|IP_FF_IP6INFO), mctl_present, 8058 zoneid); 8059 return; 8060 } 8061 8062 if (CONN_UDP_FLOWCTLD(connp)) { 8063 freemsg(first_mp); 8064 BUMP_MIB(ill->ill_ip6_mib, udpInOverflows); 8065 CONN_DEC_REF(connp); 8066 return; 8067 } 8068 8069 /* Initiate IPPF processing */ 8070 if (IP6_IN_IPP(flags)) { 8071 ip_process(IPP_LOCAL_IN, &mp, ill->ill_phyint->phyint_ifindex); 8072 if (mp == NULL) { 8073 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 8074 CONN_DEC_REF(connp); 8075 return; 8076 } 8077 } 8078 8079 if (connp->conn_ipv6_recvpktinfo || 8080 IN6_IS_ADDR_LINKLOCAL(&ip6h->ip6_src)) { 8081 mp = ip_add_info_v6(mp, inill, &ip6h->ip6_dst); 8082 if (mp == NULL) { 8083 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 8084 CONN_DEC_REF(connp); 8085 return; 8086 } 8087 } 8088 8089 IP6_STAT(ip6_udp_fast_path); 8090 BUMP_MIB(ill->ill_ip6_mib, ipv6InReceives); 8091 BUMP_MIB(ill->ill_ip6_mib, ipv6InDelivers); 8092 8093 /* Send it upstream */ 8094 CONN_UDP_RECV(connp, mp); 8095 8096 CONN_DEC_REF(connp); 8097 freemsg(hada_mp); 8098 return; 8099 8100 hada_drop: 8101 ip1dbg(("ip_rput_data_v6: malformed accelerated packet\n")); 8102 /* IPsec kstats: bump counter here */ 8103 freemsg(hada_mp); 8104 freemsg(first_mp); 8105 } 8106 8107 /* 8108 * Reassemble fragment. 8109 * When it returns a completed message the first mblk will only contain 8110 * the headers prior to the fragment header. 8111 * 8112 * prev_nexthdr_offset is an offset indication of where the nexthdr field is 8113 * of the preceding header. This is needed to patch the previous header's 8114 * nexthdr field when reassembly completes. 8115 */ 8116 static mblk_t * 8117 ip_rput_frag_v6(queue_t *q, mblk_t *mp, ip6_t *ip6h, 8118 ip6_frag_t *fraghdr, uint_t remlen, uint_t *prev_nexthdr_offset, 8119 uint32_t *cksum_val, uint16_t *cksum_flags) 8120 { 8121 ill_t *ill = (ill_t *)q->q_ptr; 8122 uint32_t ident = ntohl(fraghdr->ip6f_ident); 8123 uint16_t offset; 8124 boolean_t more_frags; 8125 uint8_t nexthdr = fraghdr->ip6f_nxt; 8126 in6_addr_t *v6dst_ptr; 8127 in6_addr_t *v6src_ptr; 8128 uint_t end; 8129 uint_t hdr_length; 8130 size_t count; 8131 ipf_t *ipf; 8132 ipf_t **ipfp; 8133 ipfb_t *ipfb; 8134 mblk_t *mp1; 8135 uint8_t ecn_info = 0; 8136 size_t msg_len; 8137 mblk_t *tail_mp; 8138 mblk_t *t_mp; 8139 boolean_t pruned = B_FALSE; 8140 uint32_t sum_val; 8141 uint16_t sum_flags; 8142 8143 8144 if (cksum_val != NULL) 8145 *cksum_val = 0; 8146 if (cksum_flags != NULL) 8147 *cksum_flags = 0; 8148 8149 /* 8150 * We utilize hardware computed checksum info only for UDP since 8151 * IP fragmentation is a normal occurence for the protocol. In 8152 * addition, checksum offload support for IP fragments carrying 8153 * UDP payload is commonly implemented across network adapters. 8154 */ 8155 ASSERT(ill != NULL); 8156 if (nexthdr == IPPROTO_UDP && dohwcksum && ILL_HCKSUM_CAPABLE(ill) && 8157 (DB_CKSUMFLAGS(mp) & (HCK_FULLCKSUM | HCK_PARTIALCKSUM))) { 8158 mblk_t *mp1 = mp->b_cont; 8159 int32_t len; 8160 8161 /* Record checksum information from the packet */ 8162 sum_val = (uint32_t)DB_CKSUM16(mp); 8163 sum_flags = DB_CKSUMFLAGS(mp); 8164 8165 /* fragmented payload offset from beginning of mblk */ 8166 offset = (uint16_t)((uchar_t *)&fraghdr[1] - mp->b_rptr); 8167 8168 if ((sum_flags & HCK_PARTIALCKSUM) && 8169 (mp1 == NULL || mp1->b_cont == NULL) && 8170 offset >= (uint16_t)DB_CKSUMSTART(mp) && 8171 ((len = offset - (uint16_t)DB_CKSUMSTART(mp)) & 1) == 0) { 8172 uint32_t adj; 8173 /* 8174 * Partial checksum has been calculated by hardware 8175 * and attached to the packet; in addition, any 8176 * prepended extraneous data is even byte aligned. 8177 * If any such data exists, we adjust the checksum; 8178 * this would also handle any postpended data. 8179 */ 8180 IP_ADJCKSUM_PARTIAL(mp->b_rptr + DB_CKSUMSTART(mp), 8181 mp, mp1, len, adj); 8182 8183 /* One's complement subtract extraneous checksum */ 8184 if (adj >= sum_val) 8185 sum_val = ~(adj - sum_val) & 0xFFFF; 8186 else 8187 sum_val -= adj; 8188 } 8189 } else { 8190 sum_val = 0; 8191 sum_flags = 0; 8192 } 8193 8194 /* Clear hardware checksumming flag */ 8195 DB_CKSUMFLAGS(mp) = 0; 8196 8197 /* 8198 * Note: Fragment offset in header is in 8-octet units. 8199 * Clearing least significant 3 bits not only extracts 8200 * it but also gets it in units of octets. 8201 */ 8202 offset = ntohs(fraghdr->ip6f_offlg) & ~7; 8203 more_frags = (fraghdr->ip6f_offlg & IP6F_MORE_FRAG); 8204 8205 /* 8206 * Is the more frags flag on and the payload length not a multiple 8207 * of eight? 8208 */ 8209 if (more_frags && (ntohs(ip6h->ip6_plen) & 7)) { 8210 BUMP_MIB(ill->ill_ip6_mib, ipv6InHdrErrors); 8211 icmp_param_problem_v6(WR(q), mp, ICMP6_PARAMPROB_HEADER, 8212 (uint32_t)((char *)&ip6h->ip6_plen - 8213 (char *)ip6h), B_FALSE, B_FALSE); 8214 return (NULL); 8215 } 8216 8217 v6src_ptr = &ip6h->ip6_src; 8218 v6dst_ptr = &ip6h->ip6_dst; 8219 end = remlen; 8220 8221 hdr_length = (uint_t)((char *)&fraghdr[1] - (char *)ip6h); 8222 end += offset; 8223 8224 /* 8225 * Would fragment cause reassembled packet to have a payload length 8226 * greater than IP_MAXPACKET - the max payload size? 8227 */ 8228 if (end > IP_MAXPACKET) { 8229 BUMP_MIB(ill->ill_ip6_mib, ipv6InHdrErrors); 8230 icmp_param_problem_v6(WR(q), mp, ICMP6_PARAMPROB_HEADER, 8231 (uint32_t)((char *)&fraghdr->ip6f_offlg - 8232 (char *)ip6h), B_FALSE, B_FALSE); 8233 return (NULL); 8234 } 8235 8236 /* 8237 * This packet just has one fragment. Reassembly not 8238 * needed. 8239 */ 8240 if (!more_frags && offset == 0) { 8241 goto reass_done; 8242 } 8243 8244 /* 8245 * Drop the fragmented as early as possible, if 8246 * we don't have resource(s) to re-assemble. 8247 */ 8248 if (ip_reass_queue_bytes == 0) { 8249 freemsg(mp); 8250 return (NULL); 8251 } 8252 8253 /* Record the ECN field info. */ 8254 ecn_info = (uint8_t)(ntohl(ip6h->ip6_vcf & htonl(~0xFFCFFFFF)) >> 20); 8255 /* 8256 * If this is not the first fragment, dump the unfragmentable 8257 * portion of the packet. 8258 */ 8259 if (offset) 8260 mp->b_rptr = (uchar_t *)&fraghdr[1]; 8261 8262 /* 8263 * Fragmentation reassembly. Each ILL has a hash table for 8264 * queueing packets undergoing reassembly for all IPIFs 8265 * associated with the ILL. The hash is based on the packet 8266 * IP ident field. The ILL frag hash table was allocated 8267 * as a timer block at the time the ILL was created. Whenever 8268 * there is anything on the reassembly queue, the timer will 8269 * be running. 8270 */ 8271 msg_len = MBLKSIZE(mp); 8272 tail_mp = mp; 8273 while (tail_mp->b_cont != NULL) { 8274 tail_mp = tail_mp->b_cont; 8275 msg_len += MBLKSIZE(tail_mp); 8276 } 8277 /* 8278 * If the reassembly list for this ILL will get too big 8279 * prune it. 8280 */ 8281 8282 if ((msg_len + sizeof (*ipf) + ill->ill_frag_count) >= 8283 ip_reass_queue_bytes) { 8284 ill_frag_prune(ill, (ip_reass_queue_bytes < msg_len) ? 0 8285 : (ip_reass_queue_bytes - msg_len)); 8286 pruned = B_TRUE; 8287 } 8288 8289 ipfb = &ill->ill_frag_hash_tbl[ILL_FRAG_HASH_V6(*v6src_ptr, ident)]; 8290 mutex_enter(&ipfb->ipfb_lock); 8291 8292 ipfp = &ipfb->ipfb_ipf; 8293 /* Try to find an existing fragment queue for this packet. */ 8294 for (;;) { 8295 ipf = ipfp[0]; 8296 if (ipf) { 8297 /* 8298 * It has to match on ident, source address, and 8299 * dest address. 8300 */ 8301 if (ipf->ipf_ident == ident && 8302 IN6_ARE_ADDR_EQUAL(&ipf->ipf_v6src, v6src_ptr) && 8303 IN6_ARE_ADDR_EQUAL(&ipf->ipf_v6dst, v6dst_ptr)) { 8304 8305 /* 8306 * If we have received too many 8307 * duplicate fragments for this packet 8308 * free it. 8309 */ 8310 if (ipf->ipf_num_dups > ip_max_frag_dups) { 8311 ill_frag_free_pkts(ill, ipfb, ipf, 1); 8312 freemsg(mp); 8313 mutex_exit(&ipfb->ipfb_lock); 8314 return (NULL); 8315 } 8316 8317 break; 8318 } 8319 ipfp = &ipf->ipf_hash_next; 8320 continue; 8321 } 8322 8323 8324 /* 8325 * If we pruned the list, do we want to store this new 8326 * fragment?. We apply an optimization here based on the 8327 * fact that most fragments will be received in order. 8328 * So if the offset of this incoming fragment is zero, 8329 * it is the first fragment of a new packet. We will 8330 * keep it. Otherwise drop the fragment, as we have 8331 * probably pruned the packet already (since the 8332 * packet cannot be found). 8333 */ 8334 8335 if (pruned && offset != 0) { 8336 mutex_exit(&ipfb->ipfb_lock); 8337 freemsg(mp); 8338 return (NULL); 8339 } 8340 8341 /* New guy. Allocate a frag message. */ 8342 mp1 = allocb(sizeof (*ipf), BPRI_MED); 8343 if (!mp1) { 8344 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 8345 freemsg(mp); 8346 partial_reass_done: 8347 mutex_exit(&ipfb->ipfb_lock); 8348 return (NULL); 8349 } 8350 8351 if (ipfb->ipfb_frag_pkts >= MAX_FRAG_PKTS) { 8352 /* 8353 * Too many fragmented packets in this hash bucket. 8354 * Free the oldest. 8355 */ 8356 ill_frag_free_pkts(ill, ipfb, ipfb->ipfb_ipf, 1); 8357 } 8358 8359 mp1->b_cont = mp; 8360 8361 /* Initialize the fragment header. */ 8362 ipf = (ipf_t *)mp1->b_rptr; 8363 ipf->ipf_mp = mp1; 8364 ipf->ipf_ptphn = ipfp; 8365 ipfp[0] = ipf; 8366 ipf->ipf_hash_next = NULL; 8367 ipf->ipf_ident = ident; 8368 ipf->ipf_v6src = *v6src_ptr; 8369 ipf->ipf_v6dst = *v6dst_ptr; 8370 /* Record reassembly start time. */ 8371 ipf->ipf_timestamp = gethrestime_sec(); 8372 /* Record ipf generation and account for frag header */ 8373 ipf->ipf_gen = ill->ill_ipf_gen++; 8374 ipf->ipf_count = MBLKSIZE(mp1); 8375 ipf->ipf_protocol = nexthdr; 8376 ipf->ipf_nf_hdr_len = 0; 8377 ipf->ipf_prev_nexthdr_offset = 0; 8378 ipf->ipf_last_frag_seen = B_FALSE; 8379 ipf->ipf_ecn = ecn_info; 8380 ipf->ipf_num_dups = 0; 8381 ipfb->ipfb_frag_pkts++; 8382 ipf->ipf_checksum = 0; 8383 ipf->ipf_checksum_flags = 0; 8384 8385 /* Store checksum value in fragment header */ 8386 if (sum_flags != 0) { 8387 sum_val = (sum_val & 0xFFFF) + (sum_val >> 16); 8388 sum_val = (sum_val & 0xFFFF) + (sum_val >> 16); 8389 ipf->ipf_checksum = sum_val; 8390 ipf->ipf_checksum_flags = sum_flags; 8391 } 8392 8393 /* 8394 * We handle reassembly two ways. In the easy case, 8395 * where all the fragments show up in order, we do 8396 * minimal bookkeeping, and just clip new pieces on 8397 * the end. If we ever see a hole, then we go off 8398 * to ip_reassemble which has to mark the pieces and 8399 * keep track of the number of holes, etc. Obviously, 8400 * the point of having both mechanisms is so we can 8401 * handle the easy case as efficiently as possible. 8402 */ 8403 if (offset == 0) { 8404 /* Easy case, in-order reassembly so far. */ 8405 /* Update the byte count */ 8406 ipf->ipf_count += msg_len; 8407 ipf->ipf_tail_mp = tail_mp; 8408 /* 8409 * Keep track of next expected offset in 8410 * ipf_end. 8411 */ 8412 ipf->ipf_end = end; 8413 ipf->ipf_nf_hdr_len = hdr_length; 8414 ipf->ipf_prev_nexthdr_offset = *prev_nexthdr_offset; 8415 } else { 8416 /* Hard case, hole at the beginning. */ 8417 ipf->ipf_tail_mp = NULL; 8418 /* 8419 * ipf_end == 0 means that we have given up 8420 * on easy reassembly. 8421 */ 8422 ipf->ipf_end = 0; 8423 8424 /* Forget checksum offload from now on */ 8425 ipf->ipf_checksum_flags = 0; 8426 8427 /* 8428 * ipf_hole_cnt is set by ip_reassemble. 8429 * ipf_count is updated by ip_reassemble. 8430 * No need to check for return value here 8431 * as we don't expect reassembly to complete or 8432 * fail for the first fragment itself. 8433 */ 8434 (void) ip_reassemble(mp, ipf, offset, more_frags, ill, 8435 msg_len); 8436 } 8437 /* Update per ipfb and ill byte counts */ 8438 ipfb->ipfb_count += ipf->ipf_count; 8439 ASSERT(ipfb->ipfb_count > 0); /* Wraparound */ 8440 ill->ill_frag_count += ipf->ipf_count; 8441 ASSERT(ill->ill_frag_count > 0); /* Wraparound */ 8442 /* If the frag timer wasn't already going, start it. */ 8443 mutex_enter(&ill->ill_lock); 8444 ill_frag_timer_start(ill); 8445 mutex_exit(&ill->ill_lock); 8446 goto partial_reass_done; 8447 } 8448 8449 /* 8450 * If the packet's flag has changed (it could be coming up 8451 * from an interface different than the previous, therefore 8452 * possibly different checksum capability), then forget about 8453 * any stored checksum states. Otherwise add the value to 8454 * the existing one stored in the fragment header. 8455 */ 8456 if (sum_flags != 0 && sum_flags == ipf->ipf_checksum_flags) { 8457 sum_val += ipf->ipf_checksum; 8458 sum_val = (sum_val & 0xFFFF) + (sum_val >> 16); 8459 sum_val = (sum_val & 0xFFFF) + (sum_val >> 16); 8460 ipf->ipf_checksum = sum_val; 8461 } else if (ipf->ipf_checksum_flags != 0) { 8462 /* Forget checksum offload from now on */ 8463 ipf->ipf_checksum_flags = 0; 8464 } 8465 8466 /* 8467 * We have a new piece of a datagram which is already being 8468 * reassembled. Update the ECN info if all IP fragments 8469 * are ECN capable. If there is one which is not, clear 8470 * all the info. If there is at least one which has CE 8471 * code point, IP needs to report that up to transport. 8472 */ 8473 if (ecn_info != IPH_ECN_NECT && ipf->ipf_ecn != IPH_ECN_NECT) { 8474 if (ecn_info == IPH_ECN_CE) 8475 ipf->ipf_ecn = IPH_ECN_CE; 8476 } else { 8477 ipf->ipf_ecn = IPH_ECN_NECT; 8478 } 8479 8480 if (offset && ipf->ipf_end == offset) { 8481 /* The new fragment fits at the end */ 8482 ipf->ipf_tail_mp->b_cont = mp; 8483 /* Update the byte count */ 8484 ipf->ipf_count += msg_len; 8485 /* Update per ipfb and ill byte counts */ 8486 ipfb->ipfb_count += msg_len; 8487 ASSERT(ipfb->ipfb_count > 0); /* Wraparound */ 8488 ill->ill_frag_count += msg_len; 8489 ASSERT(ill->ill_frag_count > 0); /* Wraparound */ 8490 if (more_frags) { 8491 /* More to come. */ 8492 ipf->ipf_end = end; 8493 ipf->ipf_tail_mp = tail_mp; 8494 goto partial_reass_done; 8495 } 8496 } else { 8497 /* 8498 * Go do the hard cases. 8499 * Call ip_reassemble(). 8500 */ 8501 int ret; 8502 8503 if (offset == 0) { 8504 if (ipf->ipf_prev_nexthdr_offset == 0) { 8505 ipf->ipf_nf_hdr_len = hdr_length; 8506 ipf->ipf_prev_nexthdr_offset = 8507 *prev_nexthdr_offset; 8508 } 8509 } 8510 /* Save current byte count */ 8511 count = ipf->ipf_count; 8512 ret = ip_reassemble(mp, ipf, offset, more_frags, ill, msg_len); 8513 8514 /* Count of bytes added and subtracted (freeb()ed) */ 8515 count = ipf->ipf_count - count; 8516 if (count) { 8517 /* Update per ipfb and ill byte counts */ 8518 ipfb->ipfb_count += count; 8519 ASSERT(ipfb->ipfb_count > 0); /* Wraparound */ 8520 ill->ill_frag_count += count; 8521 ASSERT(ill->ill_frag_count > 0); /* Wraparound */ 8522 } 8523 if (ret == IP_REASS_PARTIAL) { 8524 goto partial_reass_done; 8525 } else if (ret == IP_REASS_FAILED) { 8526 /* Reassembly failed. Free up all resources */ 8527 ill_frag_free_pkts(ill, ipfb, ipf, 1); 8528 for (t_mp = mp; t_mp != NULL; t_mp = t_mp->b_cont) { 8529 IP_REASS_SET_START(t_mp, 0); 8530 IP_REASS_SET_END(t_mp, 0); 8531 } 8532 freemsg(mp); 8533 goto partial_reass_done; 8534 } 8535 8536 /* We will reach here iff 'ret' is IP_REASS_COMPLETE */ 8537 } 8538 /* 8539 * We have completed reassembly. Unhook the frag header from 8540 * the reassembly list. 8541 * 8542 * Grab the unfragmentable header length next header value out 8543 * of the first fragment 8544 */ 8545 ASSERT(ipf->ipf_nf_hdr_len != 0); 8546 hdr_length = ipf->ipf_nf_hdr_len; 8547 8548 /* 8549 * Before we free the frag header, record the ECN info 8550 * to report back to the transport. 8551 */ 8552 ecn_info = ipf->ipf_ecn; 8553 8554 /* 8555 * Store the nextheader field in the header preceding the fragment 8556 * header 8557 */ 8558 nexthdr = ipf->ipf_protocol; 8559 *prev_nexthdr_offset = ipf->ipf_prev_nexthdr_offset; 8560 ipfp = ipf->ipf_ptphn; 8561 8562 /* We need to supply these to caller */ 8563 if ((sum_flags = ipf->ipf_checksum_flags) != 0) 8564 sum_val = ipf->ipf_checksum; 8565 else 8566 sum_val = 0; 8567 8568 mp1 = ipf->ipf_mp; 8569 count = ipf->ipf_count; 8570 ipf = ipf->ipf_hash_next; 8571 if (ipf) 8572 ipf->ipf_ptphn = ipfp; 8573 ipfp[0] = ipf; 8574 ill->ill_frag_count -= count; 8575 ASSERT(ipfb->ipfb_count >= count); 8576 ipfb->ipfb_count -= count; 8577 ipfb->ipfb_frag_pkts--; 8578 mutex_exit(&ipfb->ipfb_lock); 8579 /* Ditch the frag header. */ 8580 mp = mp1->b_cont; 8581 freeb(mp1); 8582 8583 /* 8584 * Make sure the packet is good by doing some sanity 8585 * check. If bad we can silentely drop the packet. 8586 */ 8587 reass_done: 8588 if (hdr_length < sizeof (ip6_frag_t)) { 8589 BUMP_MIB(ill->ill_ip6_mib, ipv6InHdrErrors); 8590 ip1dbg(("ip_rput_frag_v6: bad packet\n")); 8591 freemsg(mp); 8592 return (NULL); 8593 } 8594 8595 /* 8596 * Remove the fragment header from the initial header by 8597 * splitting the mblk into the non-fragmentable header and 8598 * everthing after the fragment extension header. This has the 8599 * side effect of putting all the headers that need destination 8600 * processing into the b_cont block-- on return this fact is 8601 * used in order to avoid having to look at the extensions 8602 * already processed. 8603 * 8604 * Note that this code assumes that the unfragmentable portion 8605 * of the header is in the first mblk and increments 8606 * the read pointer past it. If this assumption is broken 8607 * this code fails badly. 8608 */ 8609 if (mp->b_rptr + hdr_length != mp->b_wptr) { 8610 mblk_t *nmp; 8611 8612 if (!(nmp = dupb(mp))) { 8613 BUMP_MIB(ill->ill_ip6_mib, ipv6InDiscards); 8614 ip1dbg(("ip_rput_frag_v6: dupb failed\n")); 8615 freemsg(mp); 8616 return (NULL); 8617 } 8618 nmp->b_cont = mp->b_cont; 8619 mp->b_cont = nmp; 8620 nmp->b_rptr += hdr_length; 8621 } 8622 mp->b_wptr = mp->b_rptr + hdr_length - sizeof (ip6_frag_t); 8623 8624 ip6h = (ip6_t *)mp->b_rptr; 8625 ((char *)ip6h)[*prev_nexthdr_offset] = nexthdr; 8626 8627 /* Restore original IP length in header. */ 8628 ip6h->ip6_plen = htons((uint16_t)(msgdsize(mp) - IPV6_HDR_LEN)); 8629 /* Record the ECN info. */ 8630 ip6h->ip6_vcf &= htonl(0xFFCFFFFF); 8631 ip6h->ip6_vcf |= htonl(ecn_info << 20); 8632 8633 /* Reassembly is successful; return checksum information if needed */ 8634 if (cksum_val != NULL) 8635 *cksum_val = sum_val; 8636 if (cksum_flags != NULL) 8637 *cksum_flags = sum_flags; 8638 8639 return (mp); 8640 } 8641 8642 /* 8643 * Walk through the options to see if there is a routing header. 8644 * If present get the destination which is the last address of 8645 * the option. 8646 */ 8647 in6_addr_t 8648 ip_get_dst_v6(ip6_t *ip6h, boolean_t *is_fragment) 8649 { 8650 uint8_t nexthdr; 8651 uint8_t *whereptr; 8652 ip6_hbh_t *hbhhdr; 8653 ip6_dest_t *dsthdr; 8654 ip6_rthdr0_t *rthdr; 8655 ip6_frag_t *fraghdr; 8656 int ehdrlen; 8657 int left; 8658 in6_addr_t *ap, rv; 8659 8660 if (is_fragment != NULL) 8661 *is_fragment = B_FALSE; 8662 8663 rv = ip6h->ip6_dst; 8664 8665 nexthdr = ip6h->ip6_nxt; 8666 whereptr = (uint8_t *)&ip6h[1]; 8667 for (;;) { 8668 8669 ASSERT(nexthdr != IPPROTO_RAW); 8670 switch (nexthdr) { 8671 case IPPROTO_HOPOPTS: 8672 hbhhdr = (ip6_hbh_t *)whereptr; 8673 nexthdr = hbhhdr->ip6h_nxt; 8674 ehdrlen = 8 * (hbhhdr->ip6h_len + 1); 8675 break; 8676 case IPPROTO_DSTOPTS: 8677 dsthdr = (ip6_dest_t *)whereptr; 8678 nexthdr = dsthdr->ip6d_nxt; 8679 ehdrlen = 8 * (dsthdr->ip6d_len + 1); 8680 break; 8681 case IPPROTO_ROUTING: 8682 rthdr = (ip6_rthdr0_t *)whereptr; 8683 nexthdr = rthdr->ip6r0_nxt; 8684 ehdrlen = 8 * (rthdr->ip6r0_len + 1); 8685 8686 left = rthdr->ip6r0_segleft; 8687 ap = (in6_addr_t *)((char *)rthdr + sizeof (*rthdr)); 8688 rv = *(ap + left - 1); 8689 /* 8690 * If the caller doesn't care whether the packet 8691 * is a fragment or not, we can stop here since 8692 * we have our destination. 8693 */ 8694 if (is_fragment == NULL) 8695 goto done; 8696 break; 8697 case IPPROTO_FRAGMENT: 8698 fraghdr = (ip6_frag_t *)whereptr; 8699 nexthdr = fraghdr->ip6f_nxt; 8700 ehdrlen = sizeof (ip6_frag_t); 8701 if (is_fragment != NULL) 8702 *is_fragment = B_TRUE; 8703 goto done; 8704 default : 8705 goto done; 8706 } 8707 whereptr += ehdrlen; 8708 } 8709 8710 done: 8711 return (rv); 8712 } 8713 8714 /* 8715 * ip_source_routed_v6: 8716 * This function is called by redirect code in ip_rput_data_v6 to 8717 * know whether this packet is source routed through this node i.e 8718 * whether this node (router) is part of the journey. This 8719 * function is called under two cases : 8720 * 8721 * case 1 : Routing header was processed by this node and 8722 * ip_process_rthdr replaced ip6_dst with the next hop 8723 * and we are forwarding the packet to the next hop. 8724 * 8725 * case 2 : Routing header was not processed by this node and we 8726 * are just forwarding the packet. 8727 * 8728 * For case (1) we don't want to send redirects. For case(2) we 8729 * want to send redirects. 8730 */ 8731 static boolean_t 8732 ip_source_routed_v6(ip6_t *ip6h, mblk_t *mp) 8733 { 8734 uint8_t nexthdr; 8735 in6_addr_t *addrptr; 8736 ip6_rthdr0_t *rthdr; 8737 uint8_t numaddr; 8738 ip6_hbh_t *hbhhdr; 8739 uint_t ehdrlen; 8740 uint8_t *byteptr; 8741 8742 ip2dbg(("ip_source_routed_v6\n")); 8743 nexthdr = ip6h->ip6_nxt; 8744 ehdrlen = IPV6_HDR_LEN; 8745 8746 /* if a routing hdr is preceeded by HOPOPT or DSTOPT */ 8747 while (nexthdr == IPPROTO_HOPOPTS || 8748 nexthdr == IPPROTO_DSTOPTS) { 8749 byteptr = (uint8_t *)ip6h + ehdrlen; 8750 /* 8751 * Check if we have already processed 8752 * packets or we are just a forwarding 8753 * router which only pulled up msgs up 8754 * to IPV6HDR and one HBH ext header 8755 */ 8756 if (byteptr + MIN_EHDR_LEN > mp->b_wptr) { 8757 ip2dbg(("ip_source_routed_v6: Extension" 8758 " headers not processed\n")); 8759 return (B_FALSE); 8760 } 8761 hbhhdr = (ip6_hbh_t *)byteptr; 8762 nexthdr = hbhhdr->ip6h_nxt; 8763 ehdrlen = ehdrlen + 8 * (hbhhdr->ip6h_len + 1); 8764 } 8765 switch (nexthdr) { 8766 case IPPROTO_ROUTING: 8767 byteptr = (uint8_t *)ip6h + ehdrlen; 8768 /* 8769 * If for some reason, we haven't pulled up 8770 * the routing hdr data mblk, then we must 8771 * not have processed it at all. So for sure 8772 * we are not part of the source routed journey. 8773 */ 8774 if (byteptr + MIN_EHDR_LEN > mp->b_wptr) { 8775 ip2dbg(("ip_source_routed_v6: Routing" 8776 " header not processed\n")); 8777 return (B_FALSE); 8778 } 8779 rthdr = (ip6_rthdr0_t *)byteptr; 8780 /* 8781 * Either we are an intermediate router or the 8782 * last hop before destination and we have 8783 * already processed the routing header. 8784 * If segment_left is greater than or equal to zero, 8785 * then we must be the (numaddr - segleft) entry 8786 * of the routing header. Although ip6r0_segleft 8787 * is a unit8_t variable, we still check for zero 8788 * or greater value, if in case the data type 8789 * is changed someday in future. 8790 */ 8791 if (rthdr->ip6r0_segleft > 0 || 8792 rthdr->ip6r0_segleft == 0) { 8793 ire_t *ire = NULL; 8794 8795 numaddr = rthdr->ip6r0_len / 2; 8796 addrptr = (in6_addr_t *)((char *)rthdr + 8797 sizeof (*rthdr)); 8798 addrptr += (numaddr - (rthdr->ip6r0_segleft + 1)); 8799 if (addrptr != NULL) { 8800 ire = ire_ctable_lookup_v6(addrptr, NULL, 8801 IRE_LOCAL, NULL, ALL_ZONES, MATCH_IRE_TYPE); 8802 if (ire != NULL) { 8803 ire_refrele(ire); 8804 return (B_TRUE); 8805 } 8806 ip1dbg(("ip_source_routed_v6: No ire found\n")); 8807 } 8808 } 8809 /* FALLTHRU */ 8810 default: 8811 ip2dbg(("ip_source_routed_v6: Not source routed here\n")); 8812 return (B_FALSE); 8813 } 8814 } 8815 8816 /* 8817 * ip_wput_v6 -- Packets sent down from transport modules show up here. 8818 * Assumes that the following set of headers appear in the first 8819 * mblk: 8820 * ip6i_t (if present) CAN also appear as a separate mblk. 8821 * ip6_t 8822 * Any extension headers 8823 * TCP/UDP/SCTP header (if present) 8824 * The routine can handle an ICMPv6 header that is not in the first mblk. 8825 * 8826 * The order to determine the outgoing interface is as follows: 8827 * 1. IPV6_BOUND_PIF is set, use that ill (conn_outgoing_pill) 8828 * 2. If conn_nofailover_ill is set then use that ill. 8829 * 3. If an ip6i_t with IP6I_IFINDEX set then use that ill. 8830 * 4. If q is an ill queue and (link local or multicast destination) then 8831 * use that ill. 8832 * 5. If IPV6_BOUND_IF has been set use that ill. 8833 * 6. For multicast: if IPV6_MULTICAST_IF has been set use it. Otherwise 8834 * look for the best IRE match for the unspecified group to determine 8835 * the ill. 8836 * 7. For unicast: Just do an IRE lookup for the best match. 8837 */ 8838 void 8839 ip_output_v6(void *arg, mblk_t *mp, void *arg2, int caller) 8840 { 8841 conn_t *connp = NULL; 8842 queue_t *q = (queue_t *)arg2; 8843 ire_t *ire = NULL; 8844 ire_t *sctp_ire = NULL; 8845 ip6_t *ip6h; 8846 in6_addr_t *v6dstp; 8847 ill_t *ill = NULL; 8848 ipif_t *ipif; 8849 ip6i_t *ip6i; 8850 int cksum_request; /* -1 => normal. */ 8851 /* 1 => Skip TCP/UDP/SCTP checksum */ 8852 /* Otherwise contains insert offset for checksum */ 8853 int unspec_src; 8854 boolean_t do_outrequests; /* Increment OutRequests? */ 8855 mib2_ipv6IfStatsEntry_t *mibptr; 8856 int match_flags = MATCH_IRE_ILL_GROUP; 8857 boolean_t attach_if = B_FALSE; 8858 mblk_t *first_mp; 8859 boolean_t mctl_present; 8860 ipsec_out_t *io; 8861 boolean_t drop_if_delayed = B_FALSE; 8862 boolean_t multirt_need_resolve = B_FALSE; 8863 mblk_t *copy_mp = NULL; 8864 int err; 8865 int ip6i_flags = 0; 8866 zoneid_t zoneid; 8867 ill_t *saved_ill = NULL; 8868 boolean_t conn_lock_held; 8869 boolean_t need_decref = B_FALSE; 8870 8871 /* 8872 * Highest bit in version field is Reachability Confirmation bit 8873 * used by NUD in ip_xmit_v6(). 8874 */ 8875 #ifdef _BIG_ENDIAN 8876 #define IPVER(ip6h) ((((uint32_t *)ip6h)[0] >> 28) & 0x7) 8877 #else 8878 #define IPVER(ip6h) ((((uint32_t *)ip6h)[0] >> 4) & 0x7) 8879 #endif 8880 8881 /* 8882 * M_CTL comes from 5 places 8883 * 8884 * 1) TCP sends down IPSEC_OUT(M_CTL) for detached connections 8885 * both V4 and V6 datagrams. 8886 * 8887 * 2) AH/ESP sends down M_CTL after doing their job with both 8888 * V4 and V6 datagrams. 8889 * 8890 * 3) NDP callbacks when nce is resolved and IPSEC_OUT has been 8891 * attached. 8892 * 8893 * 4) Notifications from an external resolver (for XRESOLV ifs) 8894 * 8895 * 5) AH/ESP send down IPSEC_CTL(M_CTL) to be relayed to hardware for 8896 * IPsec hardware acceleration support. 8897 * 8898 * We need to handle (1)'s IPv6 case and (3) here. For the 8899 * IPv4 case in (1), and (2), IPSEC processing has already 8900 * started. The code in ip_wput() already knows how to handle 8901 * continuing IPSEC processing (for IPv4 and IPv6). All other 8902 * M_CTLs (including case (4)) are passed on to ip_wput_nondata() 8903 * for handling. 8904 */ 8905 first_mp = mp; 8906 mctl_present = B_FALSE; 8907 io = NULL; 8908 8909 /* Multidata transmit? */ 8910 if (DB_TYPE(mp) == M_MULTIDATA) { 8911 /* 8912 * We should never get here, since all Multidata messages 8913 * originating from tcp should have been directed over to 8914 * tcp_multisend() in the first place. 8915 */ 8916 BUMP_MIB(&ip6_mib, ipv6OutDiscards); 8917 freemsg(mp); 8918 return; 8919 } else if (DB_TYPE(mp) == M_CTL) { 8920 uint32_t mctltype = 0; 8921 uint32_t mlen = MBLKL(first_mp); 8922 8923 mp = mp->b_cont; 8924 mctl_present = B_TRUE; 8925 io = (ipsec_out_t *)first_mp->b_rptr; 8926 8927 /* 8928 * Validate this M_CTL message. The only three types of 8929 * M_CTL messages we expect to see in this code path are 8930 * ipsec_out_t or ipsec_in_t structures (allocated as 8931 * ipsec_info_t unions), or ipsec_ctl_t structures. 8932 * The ipsec_out_type and ipsec_in_type overlap in the two 8933 * data structures, and they are either set to IPSEC_OUT 8934 * or IPSEC_IN depending on which data structure it is. 8935 * ipsec_ctl_t is an IPSEC_CTL. 8936 * 8937 * All other M_CTL messages are sent to ip_wput_nondata() 8938 * for handling. 8939 */ 8940 if (mlen >= sizeof (io->ipsec_out_type)) 8941 mctltype = io->ipsec_out_type; 8942 8943 if ((mlen == sizeof (ipsec_ctl_t)) && 8944 (mctltype == IPSEC_CTL)) { 8945 ip_output(Q_TO_CONN(q), first_mp, q, caller); 8946 return; 8947 } 8948 8949 if ((mlen < sizeof (ipsec_info_t)) || 8950 (mctltype != IPSEC_OUT && mctltype != IPSEC_IN) || 8951 mp == NULL) { 8952 ip_wput_nondata(NULL, q, first_mp, NULL); 8953 return; 8954 } 8955 /* NDP callbacks have q_next non-NULL. That's case #3. */ 8956 if (q->q_next == NULL) { 8957 ip6h = (ip6_t *)mp->b_rptr; 8958 /* 8959 * For a freshly-generated TCP dgram that needs IPV6 8960 * processing, don't call ip_wput immediately. We can 8961 * tell this by the ipsec_out_proc_begin. In-progress 8962 * IPSEC_OUT messages have proc_begin set to TRUE, 8963 * and we want to send all IPSEC_IN messages to 8964 * ip_wput() for IPsec processing or finishing. 8965 */ 8966 if (mctltype == IPSEC_IN || 8967 IPVER(ip6h) != IPV6_VERSION || 8968 io->ipsec_out_proc_begin) { 8969 mibptr = &ip6_mib; 8970 goto notv6; 8971 } 8972 } 8973 } else if (DB_TYPE(mp) != M_DATA) { 8974 ip_wput_nondata(NULL, q, mp, NULL); 8975 return; 8976 } 8977 8978 ip6h = (ip6_t *)mp->b_rptr; 8979 8980 if (IPVER(ip6h) != IPV6_VERSION) { 8981 mibptr = &ip6_mib; 8982 goto notv6; 8983 } 8984 8985 if (q->q_next != NULL) { 8986 ill = (ill_t *)q->q_ptr; 8987 /* 8988 * We don't know if this ill will be used for IPv6 8989 * until the ILLF_IPV6 flag is set via SIOCSLIFNAME. 8990 * ipif_set_values() sets the ill_isv6 flag to true if 8991 * ILLF_IPV6 is set. If the ill_isv6 flag isn't true, 8992 * just drop the packet. 8993 */ 8994 if (!ill->ill_isv6) { 8995 ip1dbg(("ip_wput_v6: Received an IPv6 packet before " 8996 "ILLF_IPV6 was set\n")); 8997 freemsg(first_mp); 8998 return; 8999 } 9000 /* For uniformity do a refhold */ 9001 mutex_enter(&ill->ill_lock); 9002 if (!ILL_CAN_LOOKUP(ill)) { 9003 mutex_exit(&ill->ill_lock); 9004 freemsg(first_mp); 9005 return; 9006 } 9007 ill_refhold_locked(ill); 9008 mutex_exit(&ill->ill_lock); 9009 mibptr = ill->ill_ip6_mib; 9010 /* 9011 * ill_ip6_mib is allocated by ipif_set_values() when 9012 * ill_isv6 is set. Thus if ill_isv6 is true, 9013 * ill_ip6_mib had better not be NULL. 9014 */ 9015 ASSERT(mibptr != NULL); 9016 unspec_src = 0; 9017 BUMP_MIB(mibptr, ipv6OutRequests); 9018 do_outrequests = B_FALSE; 9019 } else { 9020 connp = (conn_t *)arg; 9021 ASSERT(connp != NULL); 9022 9023 /* is queue flow controlled? */ 9024 if ((q->q_first || connp->conn_draining) && 9025 (caller == IP_WPUT)) { 9026 /* 9027 * 1) TCP sends down M_CTL for detached connections. 9028 * 2) AH/ESP sends down M_CTL. 9029 * 9030 * We don't flow control either of the above. Only 9031 * UDP and others are flow controlled for which we 9032 * can't have a M_CTL. 9033 */ 9034 ASSERT(first_mp == mp); 9035 (void) putq(q, mp); 9036 return; 9037 } 9038 mibptr = &ip6_mib; 9039 unspec_src = connp->conn_unspec_src; 9040 do_outrequests = B_TRUE; 9041 if (mp->b_flag & MSGHASREF) { 9042 mp->b_flag &= ~MSGHASREF; 9043 ASSERT(connp->conn_ulp == IPPROTO_SCTP); 9044 SCTP_EXTRACT_IPINFO(mp, sctp_ire); 9045 need_decref = B_TRUE; 9046 } 9047 9048 /* 9049 * If there is a policy, try to attach an ipsec_out in 9050 * the front. At the end, first_mp either points to a 9051 * M_DATA message or IPSEC_OUT message linked to a 9052 * M_DATA message. We have to do it now as we might 9053 * lose the "conn" if we go through ip_newroute. 9054 */ 9055 if (!mctl_present && 9056 (connp->conn_out_enforce_policy || 9057 connp->conn_latch != NULL)) { 9058 ASSERT(first_mp == mp); 9059 /* XXX Any better way to get the protocol fast ? */ 9060 if (((mp = ipsec_attach_ipsec_out(mp, connp, NULL, 9061 connp->conn_ulp)) == NULL)) { 9062 if (need_decref) 9063 CONN_DEC_REF(connp); 9064 return; 9065 } else { 9066 ASSERT(mp->b_datap->db_type == M_CTL); 9067 first_mp = mp; 9068 mp = mp->b_cont; 9069 mctl_present = B_TRUE; 9070 io = (ipsec_out_t *)first_mp->b_rptr; 9071 } 9072 } 9073 } 9074 9075 /* check for alignment and full IPv6 header */ 9076 if (!OK_32PTR((uchar_t *)ip6h) || 9077 (mp->b_wptr - (uchar_t *)ip6h) < IPV6_HDR_LEN) { 9078 ip0dbg(("ip_wput_v6: bad alignment or length\n")); 9079 if (do_outrequests) 9080 BUMP_MIB(mibptr, ipv6OutRequests); 9081 BUMP_MIB(mibptr, ipv6OutDiscards); 9082 freemsg(first_mp); 9083 if (ill != NULL) 9084 ill_refrele(ill); 9085 if (need_decref) 9086 CONN_DEC_REF(connp); 9087 return; 9088 } 9089 v6dstp = &ip6h->ip6_dst; 9090 cksum_request = -1; 9091 ip6i = NULL; 9092 9093 /* 9094 * Once neighbor discovery has completed, ndp_process() will provide 9095 * locally generated packets for which processing can be reattempted. 9096 * In these cases, connp is NULL and the original zone is part of a 9097 * prepended ipsec_out_t. 9098 */ 9099 if (io != NULL) { 9100 zoneid = io->ipsec_out_zoneid; 9101 ASSERT(zoneid != ALL_ZONES); 9102 } else { 9103 zoneid = (connp != NULL ? connp->conn_zoneid : ALL_ZONES); 9104 } 9105 9106 if (ip6h->ip6_nxt == IPPROTO_RAW) { 9107 /* 9108 * This is an ip6i_t header followed by an ip6_hdr. 9109 * Check which fields are set. 9110 * 9111 * When the packet comes from a transport we should have 9112 * all needed headers in the first mblk. However, when 9113 * going through ip_newroute*_v6 the ip6i might be in 9114 * a separate mblk when we return here. In that case 9115 * we pullup everything to ensure that extension and transport 9116 * headers "stay" in the first mblk. 9117 */ 9118 ip6i = (ip6i_t *)ip6h; 9119 ip6i_flags = ip6i->ip6i_flags; 9120 9121 ASSERT((mp->b_wptr - (uchar_t *)ip6i) == sizeof (ip6i_t) || 9122 ((mp->b_wptr - (uchar_t *)ip6i) >= 9123 sizeof (ip6i_t) + IPV6_HDR_LEN)); 9124 9125 if ((mp->b_wptr - (uchar_t *)ip6i) == sizeof (ip6i_t)) { 9126 if (!pullupmsg(mp, -1)) { 9127 ip1dbg(("ip_wput_v6: pullupmsg failed\n")); 9128 if (do_outrequests) 9129 BUMP_MIB(mibptr, ipv6OutRequests); 9130 BUMP_MIB(mibptr, ipv6OutDiscards); 9131 freemsg(first_mp); 9132 if (ill != NULL) 9133 ill_refrele(ill); 9134 if (need_decref) 9135 CONN_DEC_REF(connp); 9136 return; 9137 } 9138 ip6h = (ip6_t *)mp->b_rptr; 9139 v6dstp = &ip6h->ip6_dst; 9140 ip6i = (ip6i_t *)ip6h; 9141 } 9142 ip6h = (ip6_t *)&ip6i[1]; 9143 9144 /* 9145 * Advance rptr past the ip6i_t to get ready for 9146 * transmitting the packet. However, if the packet gets 9147 * passed to ip_newroute*_v6 then rptr is moved back so 9148 * that the ip6i_t header can be inspected when the 9149 * packet comes back here after passing through 9150 * ire_add_then_send. 9151 */ 9152 mp->b_rptr = (uchar_t *)ip6h; 9153 9154 /* 9155 * IP6I_ATTACH_IF is set in this function when we had a 9156 * conn and it was either bound to the IPFF_NOFAILOVER address 9157 * or IPV6_BOUND_PIF was set. These options override other 9158 * options that set the ifindex. We come here with 9159 * IP6I_ATTACH_IF set when we can't find the ire and 9160 * ip_newroute_v6 is feeding the packet for second time. 9161 */ 9162 if ((ip6i->ip6i_flags & IP6I_IFINDEX) || 9163 (ip6i->ip6i_flags & IP6I_ATTACH_IF)) { 9164 ASSERT(ip6i->ip6i_ifindex != 0); 9165 if (ill != NULL) 9166 ill_refrele(ill); 9167 ill = ill_lookup_on_ifindex(ip6i->ip6i_ifindex, 1, 9168 NULL, NULL, NULL, NULL); 9169 if (ill == NULL) { 9170 if (do_outrequests) 9171 BUMP_MIB(mibptr, ipv6OutRequests); 9172 BUMP_MIB(mibptr, ipv6OutDiscards); 9173 ip1dbg(("ip_wput_v6: bad ifindex %d\n", 9174 ip6i->ip6i_ifindex)); 9175 if (need_decref) 9176 CONN_DEC_REF(connp); 9177 freemsg(first_mp); 9178 return; 9179 } 9180 mibptr = ill->ill_ip6_mib; 9181 if (ip6i->ip6i_flags & IP6I_IFINDEX) { 9182 /* 9183 * Preserve the index so that when we return 9184 * from IPSEC processing, we know where to 9185 * send the packet. 9186 */ 9187 if (mctl_present) { 9188 ASSERT(io != NULL); 9189 io->ipsec_out_ill_index = 9190 ip6i->ip6i_ifindex; 9191 } 9192 } 9193 if (ip6i->ip6i_flags & IP6I_ATTACH_IF) { 9194 /* 9195 * This is a multipathing probe packet that has 9196 * been delayed in ND resolution. Drop the 9197 * packet for the reasons mentioned in 9198 * nce_queue_mp() 9199 */ 9200 if ((ip6i->ip6i_flags & IP6I_DROP_IFDELAYED) && 9201 (ip6i->ip6i_flags & IP6I_ND_DELAYED)) { 9202 freemsg(first_mp); 9203 ill_refrele(ill); 9204 if (need_decref) 9205 CONN_DEC_REF(connp); 9206 return; 9207 } 9208 } 9209 } 9210 if (ip6i->ip6i_flags & IP6I_VERIFY_SRC) { 9211 cred_t *cr = DB_CREDDEF(mp, GET_QUEUE_CRED(q)); 9212 9213 ASSERT(!IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src)); 9214 if (secpolicy_net_rawaccess(cr) != 0) { 9215 ire = ire_route_lookup_v6(&ip6h->ip6_src, 9216 0, 0, (IRE_LOCAL|IRE_LOOPBACK), NULL, 9217 NULL, zoneid, 9218 MATCH_IRE_TYPE | MATCH_IRE_ZONEONLY); 9219 if (ire == NULL) { 9220 if (do_outrequests) 9221 BUMP_MIB(mibptr, 9222 ipv6OutRequests); 9223 BUMP_MIB(mibptr, ipv6OutDiscards); 9224 ip1dbg(("ip_wput_v6: bad source " 9225 "addr\n")); 9226 freemsg(first_mp); 9227 if (ill != NULL) 9228 ill_refrele(ill); 9229 if (need_decref) 9230 CONN_DEC_REF(connp); 9231 return; 9232 } 9233 ire_refrele(ire); 9234 } 9235 /* No need to verify again when using ip_newroute */ 9236 ip6i->ip6i_flags &= ~IP6I_VERIFY_SRC; 9237 } 9238 if (!(ip6i->ip6i_flags & IP6I_NEXTHOP)) { 9239 /* 9240 * Make sure they match since ip_newroute*_v6 etc might 9241 * (unknown to them) inspect ip6i_nexthop when 9242 * they think they access ip6_dst. 9243 */ 9244 ip6i->ip6i_nexthop = ip6h->ip6_dst; 9245 } 9246 if (ip6i->ip6i_flags & IP6I_NO_ULP_CKSUM) 9247 cksum_request = 1; 9248 if (ip6i->ip6i_flags & IP6I_RAW_CHECKSUM) 9249 cksum_request = ip6i->ip6i_checksum_off; 9250 if (ip6i->ip6i_flags & IP6I_UNSPEC_SRC) 9251 unspec_src = 1; 9252 9253 if (do_outrequests && ill != NULL) { 9254 BUMP_MIB(mibptr, ipv6OutRequests); 9255 do_outrequests = B_FALSE; 9256 } 9257 /* 9258 * Store ip6i_t info that we need after we come back 9259 * from IPSEC processing. 9260 */ 9261 if (mctl_present) { 9262 ASSERT(io != NULL); 9263 io->ipsec_out_unspec_src = unspec_src; 9264 } 9265 } 9266 if (connp != NULL && connp->conn_dontroute) 9267 ip6h->ip6_hops = 1; 9268 9269 if (IN6_IS_ADDR_MULTICAST(v6dstp)) 9270 goto ipv6multicast; 9271 9272 /* 1. IPV6_BOUND_PIF takes precedence over all the ifindex settings. */ 9273 if (connp != NULL && connp->conn_outgoing_pill != NULL) { 9274 ill_t *conn_outgoing_pill; 9275 9276 conn_outgoing_pill = conn_get_held_ill(connp, 9277 &connp->conn_outgoing_pill, &err); 9278 if (err == ILL_LOOKUP_FAILED) { 9279 if (ill != NULL) 9280 ill_refrele(ill); 9281 if (need_decref) 9282 CONN_DEC_REF(connp); 9283 freemsg(first_mp); 9284 return; 9285 } 9286 if (conn_outgoing_pill != NULL) { 9287 if (ill != NULL) 9288 ill_refrele(ill); 9289 ill = conn_outgoing_pill; 9290 attach_if = B_TRUE; 9291 match_flags = MATCH_IRE_ILL; 9292 mibptr = ill->ill_ip6_mib; 9293 9294 /* 9295 * Check if we need an ire that will not be 9296 * looked up by anybody else i.e. HIDDEN. 9297 */ 9298 if (ill_is_probeonly(ill)) 9299 match_flags |= MATCH_IRE_MARK_HIDDEN; 9300 goto send_from_ill; 9301 } 9302 } 9303 9304 /* 2. If ipc_nofailover_ill is set then use that ill. */ 9305 if (connp != NULL && connp->conn_nofailover_ill != NULL) { 9306 ill_t *conn_nofailover_ill; 9307 9308 conn_nofailover_ill = conn_get_held_ill(connp, 9309 &connp->conn_nofailover_ill, &err); 9310 if (err == ILL_LOOKUP_FAILED) { 9311 if (ill != NULL) 9312 ill_refrele(ill); 9313 if (need_decref) 9314 CONN_DEC_REF(connp); 9315 freemsg(first_mp); 9316 return; 9317 } 9318 if (conn_nofailover_ill != NULL) { 9319 if (ill != NULL) 9320 ill_refrele(ill); 9321 ill = conn_nofailover_ill; 9322 attach_if = B_TRUE; 9323 /* 9324 * Assumes that ipc_nofailover_ill is used only for 9325 * multipathing probe packets. These packets are better 9326 * dropped, if they are delayed in ND resolution, for 9327 * the reasons described in nce_queue_mp(). 9328 * IP6I_DROP_IFDELAYED will be set later on in this 9329 * function for this packet. 9330 */ 9331 drop_if_delayed = B_TRUE; 9332 match_flags = MATCH_IRE_ILL; 9333 mibptr = ill->ill_ip6_mib; 9334 9335 /* 9336 * Check if we need an ire that will not be 9337 * looked up by anybody else i.e. HIDDEN. 9338 */ 9339 if (ill_is_probeonly(ill)) 9340 match_flags |= MATCH_IRE_MARK_HIDDEN; 9341 goto send_from_ill; 9342 } 9343 } 9344 9345 /* 9346 * Redo 1. If we did not find an IRE_CACHE the first time, we should 9347 * have an ip6i_t with IP6I_ATTACH_IF if IPV6_BOUND_PIF or 9348 * bind to the IPIF_NOFAILOVER address was used on this endpoint. 9349 */ 9350 if (ip6i != NULL && (ip6i->ip6i_flags & IP6I_ATTACH_IF)) { 9351 ASSERT(ip6i->ip6i_ifindex != 0); 9352 attach_if = B_TRUE; 9353 ASSERT(ill != NULL); 9354 match_flags = MATCH_IRE_ILL; 9355 9356 /* 9357 * Check if we need an ire that will not be 9358 * looked up by anybody else i.e. HIDDEN. 9359 */ 9360 if (ill_is_probeonly(ill)) 9361 match_flags |= MATCH_IRE_MARK_HIDDEN; 9362 goto send_from_ill; 9363 } 9364 9365 /* 3. If an ip6i_t with IP6I_IFINDEX set then use that ill. */ 9366 if (ip6i != NULL && (ip6i->ip6i_flags & IP6I_IFINDEX)) { 9367 ASSERT(ill != NULL); 9368 goto send_from_ill; 9369 } 9370 9371 /* 9372 * 4. If q is an ill queue and (link local or multicast destination) 9373 * then use that ill. 9374 */ 9375 if (ill != NULL && IN6_IS_ADDR_LINKLOCAL(v6dstp)) { 9376 goto send_from_ill; 9377 } 9378 9379 /* 5. If IPV6_BOUND_IF has been set use that ill. */ 9380 if (connp != NULL && connp->conn_outgoing_ill != NULL) { 9381 ill_t *conn_outgoing_ill; 9382 9383 conn_outgoing_ill = conn_get_held_ill(connp, 9384 &connp->conn_outgoing_ill, &err); 9385 if (err == ILL_LOOKUP_FAILED) { 9386 if (ill != NULL) 9387 ill_refrele(ill); 9388 if (need_decref) 9389 CONN_DEC_REF(connp); 9390 freemsg(first_mp); 9391 return; 9392 } 9393 if (ill != NULL) 9394 ill_refrele(ill); 9395 ill = conn_outgoing_ill; 9396 mibptr = ill->ill_ip6_mib; 9397 goto send_from_ill; 9398 } 9399 9400 /* 9401 * 6. For unicast: Just do an IRE lookup for the best match. 9402 * If we get here for a link-local address it is rather random 9403 * what interface we pick on a multihomed host. 9404 * *If* there is an IRE_CACHE (and the link-local address 9405 * isn't duplicated on multi links) this will find the IRE_CACHE. 9406 * Otherwise it will use one of the matching IRE_INTERFACE routes 9407 * for the link-local prefix. Hence, applications 9408 * *should* be encouraged to specify an outgoing interface when sending 9409 * to a link local address. 9410 */ 9411 if (connp == NULL || (IP_FLOW_CONTROLLED_ULP(connp->conn_ulp) && 9412 !connp->conn_fully_bound)) { 9413 /* 9414 * We cache IRE_CACHEs to avoid lookups. We don't do 9415 * this for the tcp global queue and listen end point 9416 * as it does not really have a real destination to 9417 * talk to. 9418 */ 9419 ire = ire_cache_lookup_v6(v6dstp, zoneid); 9420 } else { 9421 /* 9422 * IRE_MARK_CONDEMNED is marked in ire_delete. We don't 9423 * grab a lock here to check for CONDEMNED as it is okay 9424 * to send a packet or two with the IRE_CACHE that is going 9425 * away. 9426 */ 9427 mutex_enter(&connp->conn_lock); 9428 ire = sctp_ire != NULL ? sctp_ire : connp->conn_ire_cache; 9429 if (ire != NULL && 9430 IN6_ARE_ADDR_EQUAL(&ire->ire_addr_v6, v6dstp) && 9431 !(ire->ire_marks & IRE_MARK_CONDEMNED)) { 9432 9433 IRE_REFHOLD(ire); 9434 mutex_exit(&connp->conn_lock); 9435 9436 } else { 9437 boolean_t cached = B_FALSE; 9438 9439 connp->conn_ire_cache = NULL; 9440 mutex_exit(&connp->conn_lock); 9441 /* Release the old ire */ 9442 if (ire != NULL && sctp_ire == NULL) 9443 IRE_REFRELE_NOTR(ire); 9444 9445 ire = (ire_t *)ire_cache_lookup_v6(v6dstp, zoneid); 9446 if (ire != NULL) { 9447 IRE_REFHOLD_NOTR(ire); 9448 9449 mutex_enter(&connp->conn_lock); 9450 if (!(connp->conn_state_flags & CONN_CLOSING) && 9451 (connp->conn_ire_cache == NULL)) { 9452 rw_enter(&ire->ire_bucket->irb_lock, 9453 RW_READER); 9454 if (!(ire->ire_marks & 9455 IRE_MARK_CONDEMNED)) { 9456 connp->conn_ire_cache = ire; 9457 cached = B_TRUE; 9458 } 9459 rw_exit(&ire->ire_bucket->irb_lock); 9460 } 9461 mutex_exit(&connp->conn_lock); 9462 9463 /* 9464 * We can continue to use the ire but since it 9465 * was not cached, we should drop the extra 9466 * reference. 9467 */ 9468 if (!cached) 9469 IRE_REFRELE_NOTR(ire); 9470 } 9471 } 9472 } 9473 9474 if (ire != NULL) { 9475 if (do_outrequests) { 9476 /* Handle IRE_LOCAL's that might appear here */ 9477 if (ire->ire_type == IRE_CACHE) { 9478 mibptr = ((ill_t *)ire->ire_stq->q_ptr)-> 9479 ill_ip6_mib; 9480 } else { 9481 mibptr = ire->ire_ipif->ipif_ill->ill_ip6_mib; 9482 } 9483 BUMP_MIB(mibptr, ipv6OutRequests); 9484 } 9485 ASSERT(!attach_if); 9486 9487 /* 9488 * Check if the ire has the RTF_MULTIRT flag, inherited 9489 * from an IRE_OFFSUBNET ire entry in ip_newroute(). 9490 */ 9491 if (ire->ire_flags & RTF_MULTIRT) { 9492 /* 9493 * Force hop limit of multirouted packets if required. 9494 * The hop limit of such packets is bounded by the 9495 * ip_multirt_ttl ndd variable. 9496 * NDP packets must have a hop limit of 255; don't 9497 * change the hop limit in that case. 9498 */ 9499 if ((ip_multirt_ttl > 0) && 9500 (ip6h->ip6_hops > ip_multirt_ttl) && 9501 (ip6h->ip6_hops != IPV6_MAX_HOPS)) { 9502 if (ip_debug > 3) { 9503 ip2dbg(("ip_wput_v6: forcing multirt " 9504 "hop limit to %d (was %d) ", 9505 ip_multirt_ttl, ip6h->ip6_hops)); 9506 pr_addr_dbg("v6dst %s\n", AF_INET6, 9507 &ire->ire_addr_v6); 9508 } 9509 ip6h->ip6_hops = ip_multirt_ttl; 9510 } 9511 9512 /* 9513 * We look at this point if there are pending 9514 * unresolved routes. ire_multirt_need_resolve_v6() 9515 * checks in O(n) that all IRE_OFFSUBNET ire 9516 * entries for the packet's destination and 9517 * flagged RTF_MULTIRT are currently resolved. 9518 * If some remain unresolved, we do a copy 9519 * of the current message. It will be used 9520 * to initiate additional route resolutions. 9521 */ 9522 multirt_need_resolve = 9523 ire_multirt_need_resolve_v6(&ire->ire_addr_v6); 9524 ip2dbg(("ip_wput_v6: ire %p, " 9525 "multirt_need_resolve %d, first_mp %p\n", 9526 (void *)ire, multirt_need_resolve, 9527 (void *)first_mp)); 9528 if (multirt_need_resolve) { 9529 copy_mp = copymsg(first_mp); 9530 if (copy_mp != NULL) { 9531 MULTIRT_DEBUG_TAG(copy_mp); 9532 } 9533 } 9534 } 9535 ip_wput_ire_v6(q, first_mp, ire, unspec_src, cksum_request, 9536 connp, caller, 0, ip6i_flags); 9537 if (need_decref) { 9538 CONN_DEC_REF(connp); 9539 connp = NULL; 9540 } 9541 IRE_REFRELE(ire); 9542 9543 /* 9544 * Try to resolve another multiroute if 9545 * ire_multirt_need_resolve_v6() deemed it necessary. 9546 * copy_mp will be consumed (sent or freed) by 9547 * ip_newroute_v6(). 9548 */ 9549 if (copy_mp != NULL) { 9550 if (mctl_present) { 9551 ip6h = (ip6_t *)copy_mp->b_cont->b_rptr; 9552 } else { 9553 ip6h = (ip6_t *)copy_mp->b_rptr; 9554 } 9555 ip_newroute_v6(q, copy_mp, &ip6h->ip6_dst, 9556 &ip6h->ip6_src, NULL, zoneid); 9557 } 9558 if (ill != NULL) 9559 ill_refrele(ill); 9560 return; 9561 } 9562 9563 /* 9564 * No full IRE for this destination. Send it to 9565 * ip_newroute_v6 to see if anything else matches. 9566 * Mark this packet as having originated on this 9567 * machine. 9568 * Update rptr if there was an ip6i_t header. 9569 */ 9570 mp->b_prev = NULL; 9571 mp->b_next = NULL; 9572 if (ip6i != NULL) 9573 mp->b_rptr -= sizeof (ip6i_t); 9574 9575 if (unspec_src) { 9576 if (ip6i == NULL) { 9577 /* 9578 * Add ip6i_t header to carry unspec_src 9579 * until the packet comes back in ip_wput_v6. 9580 */ 9581 mp = ip_add_info_v6(mp, NULL, v6dstp); 9582 if (mp == NULL) { 9583 if (do_outrequests) 9584 BUMP_MIB(mibptr, ipv6OutRequests); 9585 BUMP_MIB(mibptr, ipv6OutDiscards); 9586 if (mctl_present) 9587 freeb(first_mp); 9588 if (ill != NULL) 9589 ill_refrele(ill); 9590 if (need_decref) 9591 CONN_DEC_REF(connp); 9592 return; 9593 } 9594 ip6i = (ip6i_t *)mp->b_rptr; 9595 9596 if (mctl_present) { 9597 ASSERT(first_mp != mp); 9598 first_mp->b_cont = mp; 9599 } else { 9600 first_mp = mp; 9601 } 9602 9603 if ((mp->b_wptr - (uchar_t *)ip6i) == 9604 sizeof (ip6i_t)) { 9605 /* 9606 * ndp_resolver called from ip_newroute_v6 9607 * expects pulled up message. 9608 */ 9609 if (!pullupmsg(mp, -1)) { 9610 ip1dbg(("ip_wput_v6: pullupmsg" 9611 " failed\n")); 9612 if (do_outrequests) { 9613 BUMP_MIB(mibptr, 9614 ipv6OutRequests); 9615 } 9616 BUMP_MIB(mibptr, ipv6OutDiscards); 9617 freemsg(first_mp); 9618 if (ill != NULL) 9619 ill_refrele(ill); 9620 if (need_decref) 9621 CONN_DEC_REF(connp); 9622 return; 9623 } 9624 ip6i = (ip6i_t *)mp->b_rptr; 9625 } 9626 ip6h = (ip6_t *)&ip6i[1]; 9627 v6dstp = &ip6h->ip6_dst; 9628 } 9629 ip6i->ip6i_flags |= IP6I_UNSPEC_SRC; 9630 if (mctl_present) { 9631 ASSERT(io != NULL); 9632 io->ipsec_out_unspec_src = unspec_src; 9633 } 9634 } 9635 if (do_outrequests) 9636 BUMP_MIB(mibptr, ipv6OutRequests); 9637 if (need_decref) 9638 CONN_DEC_REF(connp); 9639 ip_newroute_v6(q, first_mp, v6dstp, &ip6h->ip6_src, NULL, zoneid); 9640 if (ill != NULL) 9641 ill_refrele(ill); 9642 return; 9643 9644 9645 /* 9646 * Handle multicast packets with or without an conn. 9647 * Assumes that the transports set ip6_hops taking 9648 * IPV6_MULTICAST_HOPS (and the other ways to set the hoplimit) 9649 * into account. 9650 */ 9651 ipv6multicast: 9652 ip2dbg(("ip_wput_v6: multicast\n")); 9653 9654 /* 9655 * 1. IPV6_BOUND_PIF takes precedence over all the ifindex settings 9656 * 2. If conn_nofailover_ill is set then use that ill. 9657 * 9658 * Hold the conn_lock till we refhold the ill of interest that is 9659 * pointed to from the conn. Since we cannot do an ill/ipif_refrele 9660 * while holding any locks, postpone the refrele until after the 9661 * conn_lock is dropped. 9662 */ 9663 if (connp != NULL) { 9664 mutex_enter(&connp->conn_lock); 9665 conn_lock_held = B_TRUE; 9666 } else { 9667 conn_lock_held = B_FALSE; 9668 } 9669 if (connp != NULL && connp->conn_outgoing_pill != NULL) { 9670 err = ill_check_and_refhold(connp->conn_outgoing_pill); 9671 if (err == ILL_LOOKUP_FAILED) { 9672 ip1dbg(("ip_output_v6: multicast" 9673 " conn_outgoing_pill no ipif\n")); 9674 multicast_discard: 9675 ASSERT(saved_ill == NULL); 9676 if (conn_lock_held) 9677 mutex_exit(&connp->conn_lock); 9678 if (ill != NULL) 9679 ill_refrele(ill); 9680 freemsg(first_mp); 9681 if (do_outrequests) 9682 BUMP_MIB(mibptr, ipv6OutDiscards); 9683 if (need_decref) 9684 CONN_DEC_REF(connp); 9685 return; 9686 } 9687 saved_ill = ill; 9688 ill = connp->conn_outgoing_pill; 9689 attach_if = B_TRUE; 9690 match_flags = MATCH_IRE_ILL; 9691 mibptr = ill->ill_ip6_mib; 9692 9693 /* 9694 * Check if we need an ire that will not be 9695 * looked up by anybody else i.e. HIDDEN. 9696 */ 9697 if (ill_is_probeonly(ill)) 9698 match_flags |= MATCH_IRE_MARK_HIDDEN; 9699 } else if (connp != NULL && connp->conn_nofailover_ill != NULL) { 9700 err = ill_check_and_refhold(connp->conn_nofailover_ill); 9701 if (err == ILL_LOOKUP_FAILED) { 9702 ip1dbg(("ip_output_v6: multicast" 9703 " conn_nofailover_ill no ipif\n")); 9704 goto multicast_discard; 9705 } 9706 saved_ill = ill; 9707 ill = connp->conn_nofailover_ill; 9708 attach_if = B_TRUE; 9709 match_flags = MATCH_IRE_ILL; 9710 9711 /* 9712 * Check if we need an ire that will not be 9713 * looked up by anybody else i.e. HIDDEN. 9714 */ 9715 if (ill_is_probeonly(ill)) 9716 match_flags |= MATCH_IRE_MARK_HIDDEN; 9717 } else if (ip6i != NULL && (ip6i->ip6i_flags & IP6I_ATTACH_IF)) { 9718 /* 9719 * Redo 1. If we did not find an IRE_CACHE the first time, 9720 * we should have an ip6i_t with IP6I_ATTACH_IF if 9721 * IPV6_BOUND_PIF or bind to the IPIF_NOFAILOVER address was 9722 * used on this endpoint. 9723 */ 9724 ASSERT(ip6i->ip6i_ifindex != 0); 9725 attach_if = B_TRUE; 9726 ASSERT(ill != NULL); 9727 match_flags = MATCH_IRE_ILL; 9728 9729 /* 9730 * Check if we need an ire that will not be 9731 * looked up by anybody else i.e. HIDDEN. 9732 */ 9733 if (ill_is_probeonly(ill)) 9734 match_flags |= MATCH_IRE_MARK_HIDDEN; 9735 } else if (ip6i != NULL && (ip6i->ip6i_flags & IP6I_IFINDEX)) { 9736 /* 3. If an ip6i_t with IP6I_IFINDEX set then use that ill. */ 9737 9738 ASSERT(ill != NULL); 9739 } else if (ill != NULL) { 9740 /* 9741 * 4. If q is an ill queue and (link local or multicast 9742 * destination) then use that ill. 9743 * We don't need the ipif initialization here. 9744 * This useless assert below is just to prevent lint from 9745 * reporting a null body if statement. 9746 */ 9747 ASSERT(ill != NULL); 9748 } else if (connp != NULL) { 9749 /* 9750 * 5. If IPV6_BOUND_IF has been set use that ill. 9751 * 9752 * 6. For multicast: if IPV6_MULTICAST_IF has been set use it. 9753 * Otherwise look for the best IRE match for the unspecified 9754 * group to determine the ill. 9755 * 9756 * conn_multicast_ill is used for only IPv6 packets. 9757 * conn_multicast_ipif is used for only IPv4 packets. 9758 * Thus a PF_INET6 socket send both IPv4 and IPv6 9759 * multicast packets using different IP*_MULTICAST_IF 9760 * interfaces. 9761 */ 9762 if (connp->conn_outgoing_ill != NULL) { 9763 err = ill_check_and_refhold(connp->conn_outgoing_ill); 9764 if (err == ILL_LOOKUP_FAILED) { 9765 ip1dbg(("ip_output_v6: multicast" 9766 " conn_outgoing_ill no ipif\n")); 9767 goto multicast_discard; 9768 } 9769 ill = connp->conn_outgoing_ill; 9770 } else if (connp->conn_multicast_ill != NULL) { 9771 err = ill_check_and_refhold(connp->conn_multicast_ill); 9772 if (err == ILL_LOOKUP_FAILED) { 9773 ip1dbg(("ip_output_v6: multicast" 9774 " conn_multicast_ill no ipif\n")); 9775 goto multicast_discard; 9776 } 9777 ill = connp->conn_multicast_ill; 9778 } else { 9779 mutex_exit(&connp->conn_lock); 9780 conn_lock_held = B_FALSE; 9781 ipif = ipif_lookup_group_v6(v6dstp, zoneid); 9782 if (ipif == NULL) { 9783 ip1dbg(("ip_output_v6: multicast no ipif\n")); 9784 goto multicast_discard; 9785 } 9786 /* 9787 * We have a ref to this ipif, so we can safely 9788 * access ipif_ill. 9789 */ 9790 ill = ipif->ipif_ill; 9791 mutex_enter(&ill->ill_lock); 9792 if (!ILL_CAN_LOOKUP(ill)) { 9793 mutex_exit(&ill->ill_lock); 9794 ipif_refrele(ipif); 9795 ill = NULL; 9796 ip1dbg(("ip_output_v6: multicast no ipif\n")); 9797 goto multicast_discard; 9798 } 9799 ill_refhold_locked(ill); 9800 mutex_exit(&ill->ill_lock); 9801 ipif_refrele(ipif); 9802 /* 9803 * Save binding until IPV6_MULTICAST_IF 9804 * changes it 9805 */ 9806 mutex_enter(&connp->conn_lock); 9807 connp->conn_multicast_ill = ill; 9808 connp->conn_orig_multicast_ifindex = 9809 ill->ill_phyint->phyint_ifindex; 9810 mutex_exit(&connp->conn_lock); 9811 } 9812 } 9813 if (conn_lock_held) 9814 mutex_exit(&connp->conn_lock); 9815 9816 if (saved_ill != NULL) 9817 ill_refrele(saved_ill); 9818 9819 ASSERT(ill != NULL); 9820 /* 9821 * For multicast loopback interfaces replace the multicast address 9822 * with a unicast address for the ire lookup. 9823 */ 9824 if (ill->ill_phyint->phyint_flags & PHYI_LOOPBACK) 9825 v6dstp = &ill->ill_ipif->ipif_v6lcl_addr; 9826 9827 mibptr = ill->ill_ip6_mib; 9828 if (do_outrequests) { 9829 BUMP_MIB(mibptr, ipv6OutRequests); 9830 do_outrequests = B_FALSE; 9831 } 9832 BUMP_MIB(mibptr, ipv6OutMcastPkts); 9833 9834 /* 9835 * As we may lose the conn by the time we reach ip_wput_ire_v6 9836 * we copy conn_multicast_loop and conn_dontroute on to an 9837 * ipsec_out. In case if this datagram goes out secure, 9838 * we need the ill_index also. Copy that also into the 9839 * ipsec_out. 9840 */ 9841 if (mctl_present) { 9842 io = (ipsec_out_t *)first_mp->b_rptr; 9843 ASSERT(first_mp->b_datap->db_type == M_CTL); 9844 ASSERT(io->ipsec_out_type == IPSEC_OUT); 9845 } else { 9846 ASSERT(mp == first_mp); 9847 if ((first_mp = ipsec_alloc_ipsec_out()) == NULL) { 9848 BUMP_MIB(mibptr, ipv6OutDiscards); 9849 freemsg(mp); 9850 if (ill != NULL) 9851 ill_refrele(ill); 9852 if (need_decref) 9853 CONN_DEC_REF(connp); 9854 return; 9855 } 9856 io = (ipsec_out_t *)first_mp->b_rptr; 9857 /* This is not a secure packet */ 9858 io->ipsec_out_secure = B_FALSE; 9859 io->ipsec_out_use_global_policy = B_TRUE; 9860 io->ipsec_out_zoneid = 9861 (zoneid != ALL_ZONES ? zoneid : GLOBAL_ZONEID); 9862 first_mp->b_cont = mp; 9863 mctl_present = B_TRUE; 9864 } 9865 io->ipsec_out_ill_index = ill->ill_phyint->phyint_ifindex; 9866 io->ipsec_out_unspec_src = unspec_src; 9867 if (connp != NULL) 9868 io->ipsec_out_dontroute = connp->conn_dontroute; 9869 9870 send_from_ill: 9871 ASSERT(ill != NULL); 9872 ASSERT(mibptr == ill->ill_ip6_mib); 9873 if (do_outrequests) { 9874 BUMP_MIB(mibptr, ipv6OutRequests); 9875 do_outrequests = B_FALSE; 9876 } 9877 9878 if (io != NULL) 9879 io->ipsec_out_ill_index = ill->ill_phyint->phyint_ifindex; 9880 9881 /* 9882 * When a specific ill is specified (using IPV6_PKTINFO, 9883 * IPV6_MULTICAST_IF, or IPV6_BOUND_IF) we will only match 9884 * on routing entries (ftable and ctable) that have a matching 9885 * ire->ire_ipif->ipif_ill. Thus this can only be used 9886 * for destinations that are on-link for the specific ill 9887 * and that can appear on multiple links. Thus it is useful 9888 * for multicast destinations, link-local destinations, and 9889 * at some point perhaps for site-local destinations (if the 9890 * node sits at a site boundary). 9891 * We create the cache entries in the regular ctable since 9892 * it can not "confuse" things for other destinations. 9893 * table. 9894 * 9895 * NOTE : conn_ire_cache is not used for caching ire_ctable_lookups. 9896 * It is used only when ire_cache_lookup is used above. 9897 */ 9898 ire = ire_ctable_lookup_v6(v6dstp, 0, 0, ill->ill_ipif, 9899 zoneid, match_flags); 9900 if (ire != NULL) { 9901 /* 9902 * Check if the ire has the RTF_MULTIRT flag, inherited 9903 * from an IRE_OFFSUBNET ire entry in ip_newroute(). 9904 */ 9905 if (ire->ire_flags & RTF_MULTIRT) { 9906 /* 9907 * Force hop limit of multirouted packets if required. 9908 * The hop limit of such packets is bounded by the 9909 * ip_multirt_ttl ndd variable. 9910 * NDP packets must have a hop limit of 255; don't 9911 * change the hop limit in that case. 9912 */ 9913 if ((ip_multirt_ttl > 0) && 9914 (ip6h->ip6_hops > ip_multirt_ttl) && 9915 (ip6h->ip6_hops != IPV6_MAX_HOPS)) { 9916 if (ip_debug > 3) { 9917 ip2dbg(("ip_wput_v6: forcing multirt " 9918 "hop limit to %d (was %d) ", 9919 ip_multirt_ttl, ip6h->ip6_hops)); 9920 pr_addr_dbg("v6dst %s\n", AF_INET6, 9921 &ire->ire_addr_v6); 9922 } 9923 ip6h->ip6_hops = ip_multirt_ttl; 9924 } 9925 9926 /* 9927 * We look at this point if there are pending 9928 * unresolved routes. ire_multirt_need_resolve_v6() 9929 * checks in O(n) that all IRE_OFFSUBNET ire 9930 * entries for the packet's destination and 9931 * flagged RTF_MULTIRT are currently resolved. 9932 * If some remain unresolved, we make a copy 9933 * of the current message. It will be used 9934 * to initiate additional route resolutions. 9935 */ 9936 multirt_need_resolve = 9937 ire_multirt_need_resolve_v6(&ire->ire_addr_v6); 9938 ip2dbg(("ip_wput_v6[send_from_ill]: ire %p, " 9939 "multirt_need_resolve %d, first_mp %p\n", 9940 (void *)ire, multirt_need_resolve, 9941 (void *)first_mp)); 9942 if (multirt_need_resolve) { 9943 copy_mp = copymsg(first_mp); 9944 if (copy_mp != NULL) { 9945 MULTIRT_DEBUG_TAG(copy_mp); 9946 } 9947 } 9948 } 9949 9950 ip1dbg(("ip_wput_v6: send on %s, ire = %p, ill index = %d\n", 9951 ill->ill_name, (void *)ire, 9952 ill->ill_phyint->phyint_ifindex)); 9953 ip_wput_ire_v6(q, first_mp, ire, unspec_src, cksum_request, 9954 connp, caller, 9955 (attach_if ? ill->ill_phyint->phyint_ifindex : 0), 9956 ip6i_flags); 9957 ire_refrele(ire); 9958 if (need_decref) { 9959 CONN_DEC_REF(connp); 9960 connp = NULL; 9961 } 9962 9963 /* 9964 * Try to resolve another multiroute if 9965 * ire_multirt_need_resolve_v6() deemed it necessary. 9966 * copy_mp will be consumed (sent or freed) by 9967 * ip_newroute_[ipif_]v6(). 9968 */ 9969 if (copy_mp != NULL) { 9970 if (mctl_present) { 9971 ip6h = (ip6_t *)copy_mp->b_cont->b_rptr; 9972 } else { 9973 ip6h = (ip6_t *)copy_mp->b_rptr; 9974 } 9975 if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst)) { 9976 ipif = ipif_lookup_group_v6(&ip6h->ip6_dst, 9977 zoneid); 9978 if (ipif == NULL) { 9979 ip1dbg(("ip_wput_v6: No ipif for " 9980 "multicast\n")); 9981 MULTIRT_DEBUG_UNTAG(copy_mp); 9982 freemsg(copy_mp); 9983 return; 9984 } 9985 ip_newroute_ipif_v6(q, copy_mp, ipif, 9986 ip6h->ip6_dst, unspec_src, zoneid); 9987 ipif_refrele(ipif); 9988 } else { 9989 ip_newroute_v6(q, copy_mp, &ip6h->ip6_dst, 9990 &ip6h->ip6_src, ill, zoneid); 9991 } 9992 } 9993 if (ill != NULL) 9994 ill_refrele(ill); 9995 return; 9996 } 9997 if (need_decref) { 9998 CONN_DEC_REF(connp); 9999 connp = NULL; 10000 } 10001 10002 /* Update rptr if there was an ip6i_t header. */ 10003 if (ip6i != NULL) 10004 mp->b_rptr -= sizeof (ip6i_t); 10005 if (unspec_src || attach_if) { 10006 if (ip6i == NULL) { 10007 /* 10008 * Add ip6i_t header to carry unspec_src 10009 * or attach_if until the packet comes back in 10010 * ip_wput_v6. 10011 */ 10012 if (mctl_present) { 10013 first_mp->b_cont = 10014 ip_add_info_v6(mp, NULL, v6dstp); 10015 mp = first_mp->b_cont; 10016 if (mp == NULL) 10017 freeb(first_mp); 10018 } else { 10019 first_mp = mp = ip_add_info_v6(mp, NULL, 10020 v6dstp); 10021 } 10022 if (mp == NULL) { 10023 BUMP_MIB(mibptr, ipv6OutDiscards); 10024 if (ill != NULL) 10025 ill_refrele(ill); 10026 return; 10027 } 10028 ip6i = (ip6i_t *)mp->b_rptr; 10029 if ((mp->b_wptr - (uchar_t *)ip6i) == 10030 sizeof (ip6i_t)) { 10031 /* 10032 * ndp_resolver called from ip_newroute_v6 10033 * expects a pulled up message. 10034 */ 10035 if (!pullupmsg(mp, -1)) { 10036 ip1dbg(("ip_wput_v6: pullupmsg" 10037 " failed\n")); 10038 BUMP_MIB(mibptr, ipv6OutDiscards); 10039 freemsg(first_mp); 10040 return; 10041 } 10042 ip6i = (ip6i_t *)mp->b_rptr; 10043 } 10044 ip6h = (ip6_t *)&ip6i[1]; 10045 v6dstp = &ip6h->ip6_dst; 10046 } 10047 if (unspec_src) 10048 ip6i->ip6i_flags |= IP6I_UNSPEC_SRC; 10049 if (attach_if) { 10050 /* 10051 * Bind to nofailover/BOUND_PIF overrides ifindex. 10052 */ 10053 ip6i->ip6i_flags |= IP6I_ATTACH_IF; 10054 ip6i->ip6i_flags &= ~IP6I_IFINDEX; 10055 ip6i->ip6i_ifindex = ill->ill_phyint->phyint_ifindex; 10056 if (drop_if_delayed) { 10057 /* This is a multipathing probe packet */ 10058 ip6i->ip6i_flags |= IP6I_DROP_IFDELAYED; 10059 } 10060 } 10061 if (mctl_present) { 10062 ASSERT(io != NULL); 10063 io->ipsec_out_unspec_src = unspec_src; 10064 } 10065 } 10066 if (IN6_IS_ADDR_MULTICAST(v6dstp)) { 10067 ip_newroute_ipif_v6(q, first_mp, ill->ill_ipif, *v6dstp, 10068 unspec_src, zoneid); 10069 } else { 10070 ip_newroute_v6(q, first_mp, v6dstp, &ip6h->ip6_src, ill, 10071 zoneid); 10072 } 10073 if (ill != NULL) 10074 ill_refrele(ill); 10075 return; 10076 10077 notv6: 10078 /* 10079 * XXX implement a IPv4 and IPv6 packet counter per conn and 10080 * switch when ratio exceeds e.g. 10:1 10081 */ 10082 if (q->q_next == NULL) { 10083 connp = Q_TO_CONN(q); 10084 10085 if (IPCL_IS_TCP(connp)) { 10086 /* change conn_send for the tcp_v4_connections */ 10087 connp->conn_send = ip_output; 10088 } else if (connp->conn_ulp == IPPROTO_SCTP) { 10089 /* The 'q' is the default SCTP queue */ 10090 connp = (conn_t *)arg; 10091 } else { 10092 ip_setqinfo(RD(q), IPV4_MINOR, B_TRUE); 10093 } 10094 } 10095 BUMP_MIB(mibptr, ipv6OutIPv4); 10096 (void) ip_output(connp, first_mp, q, caller); 10097 if (ill != NULL) 10098 ill_refrele(ill); 10099 } 10100 10101 static void 10102 ip_wput_v6(queue_t *q, mblk_t *mp) 10103 { 10104 ip_output_v6(Q_TO_CONN(q), mp, q, IP_WPUT); 10105 } 10106 10107 static void 10108 ipsec_out_attach_if(ipsec_out_t *io, int attach_index) 10109 { 10110 ASSERT(io->ipsec_out_type == IPSEC_OUT); 10111 io->ipsec_out_attach_if = B_TRUE; 10112 io->ipsec_out_ill_index = attach_index; 10113 } 10114 10115 /* 10116 * NULL send-to queue - packet is to be delivered locally. 10117 */ 10118 void 10119 ip_wput_local_v6(queue_t *q, ill_t *ill, ip6_t *ip6h, mblk_t *first_mp, 10120 ire_t *ire, int fanout_flags) 10121 { 10122 uint32_t ports; 10123 mblk_t *mp = first_mp, *first_mp1; 10124 boolean_t mctl_present; 10125 uint8_t nexthdr; 10126 uint16_t hdr_length = IPV6_HDR_LEN; 10127 ipsec_out_t *io; 10128 mib2_ipv6IfStatsEntry_t *mibptr; 10129 ilm_t *ilm; 10130 10131 if (DB_TYPE(mp) == M_CTL) { 10132 io = (ipsec_out_t *)mp->b_rptr; 10133 if (!io->ipsec_out_secure) { 10134 mp = mp->b_cont; 10135 freeb(first_mp); 10136 first_mp = mp; 10137 mctl_present = B_FALSE; 10138 } else { 10139 mctl_present = B_TRUE; 10140 mp = first_mp->b_cont; 10141 ipsec_out_to_in(first_mp); 10142 } 10143 } else { 10144 mctl_present = B_FALSE; 10145 } 10146 10147 nexthdr = ip6h->ip6_nxt; 10148 mibptr = ill->ill_ip6_mib; 10149 10150 UPDATE_OB_PKT_COUNT(ire); 10151 ire->ire_last_used_time = lbolt; 10152 10153 /* 10154 * Remove reacability confirmation bit from version field 10155 * before looping back the packet. 10156 */ 10157 if (ip6h->ip6_vcf & IP_FORWARD_PROG) { 10158 ip6h->ip6_vcf &= ~IP_FORWARD_PROG; 10159 } 10160 10161 switch (nexthdr) { 10162 case IPPROTO_TCP: 10163 if (DB_TYPE(mp) == M_DATA) { 10164 /* 10165 * M_DATA mblk, so init mblk (chain) for 10166 * no struio(). 10167 */ 10168 mblk_t *mp1 = mp; 10169 10170 do { 10171 mp1->b_datap->db_struioflag = 0; 10172 } while ((mp1 = mp1->b_cont) != NULL); 10173 } 10174 ports = *(uint32_t *)(mp->b_rptr + hdr_length + 10175 TCP_PORTS_OFFSET); 10176 ip_fanout_tcp_v6(q, first_mp, ip6h, ill, ill, 10177 fanout_flags|IP_FF_SEND_ICMP|IP_FF_SYN_ADDIRE| 10178 IP_FF_IP6INFO|IP6_NO_IPPOLICY|IP_FF_LOOPBACK, 10179 hdr_length, mctl_present, ire->ire_zoneid); 10180 return; 10181 10182 case IPPROTO_UDP: 10183 ports = *(uint32_t *)(mp->b_rptr + hdr_length + 10184 UDP_PORTS_OFFSET); 10185 ip_fanout_udp_v6(q, first_mp, ip6h, ports, ill, ill, 10186 fanout_flags|IP_FF_SEND_ICMP|IP_FF_IP6INFO| 10187 IP6_NO_IPPOLICY, mctl_present, ire->ire_zoneid); 10188 return; 10189 10190 case IPPROTO_SCTP: 10191 { 10192 uint_t ipif_seqid = ire->ire_ipif->ipif_seqid; 10193 10194 ports = *(uint32_t *)(mp->b_rptr + hdr_length); 10195 ip_fanout_sctp(mp, ill, (ipha_t *)ip6h, ports, 10196 fanout_flags|IP_FF_SEND_ICMP|IP_FF_IP6INFO, 10197 mctl_present, IP6_NO_IPPOLICY, ipif_seqid, 10198 ire->ire_zoneid); 10199 return; 10200 } 10201 case IPPROTO_ICMPV6: { 10202 icmp6_t *icmp6; 10203 10204 /* check for full IPv6+ICMPv6 header */ 10205 if ((mp->b_wptr - mp->b_rptr) < 10206 (hdr_length + ICMP6_MINLEN)) { 10207 if (!pullupmsg(mp, hdr_length + ICMP6_MINLEN)) { 10208 ip1dbg(("ip_wput_v6: ICMP hdr pullupmsg" 10209 " failed\n")); 10210 BUMP_MIB(mibptr, ipv6OutDiscards); 10211 freemsg(first_mp); 10212 return; 10213 } 10214 ip6h = (ip6_t *)mp->b_rptr; 10215 } 10216 icmp6 = (icmp6_t *)((uchar_t *)ip6h + hdr_length); 10217 10218 /* Update output mib stats */ 10219 icmp_update_out_mib_v6(ill, icmp6); 10220 10221 /* Check variable for testing applications */ 10222 if (ipv6_drop_inbound_icmpv6) { 10223 freemsg(first_mp); 10224 return; 10225 } 10226 /* 10227 * Assume that there is always at least one conn for 10228 * ICMPv6 (in.ndpd) i.e. don't optimize the case 10229 * where there is no conn. 10230 */ 10231 if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst) && 10232 !(ill->ill_phyint->phyint_flags & PHYI_LOOPBACK)) { 10233 /* 10234 * In the multicast case, applications may have 10235 * joined the group from different zones, so we 10236 * need to deliver the packet to each of them. 10237 * Loop through the multicast memberships 10238 * structures (ilm) on the receive ill and send 10239 * a copy of the packet up each matching one. 10240 * However, we don't do this for multicasts sent 10241 * on the loopback interface (PHYI_LOOPBACK flag 10242 * set) as they must stay in the sender's zone. 10243 */ 10244 ILM_WALKER_HOLD(ill); 10245 for (ilm = ill->ill_ilm; ilm != NULL; 10246 ilm = ilm->ilm_next) { 10247 if (ilm->ilm_flags & ILM_DELETED) 10248 continue; 10249 if (!IN6_ARE_ADDR_EQUAL( 10250 &ilm->ilm_v6addr, &ip6h->ip6_dst)) 10251 continue; 10252 if ((fanout_flags & 10253 IP_FF_NO_MCAST_LOOP) && 10254 ilm->ilm_zoneid == ire->ire_zoneid) 10255 continue; 10256 if (!ipif_lookup_zoneid(ill, 10257 ilm->ilm_zoneid, IPIF_UP, NULL)) 10258 continue; 10259 10260 first_mp1 = ip_copymsg(first_mp); 10261 if (first_mp1 == NULL) 10262 continue; 10263 icmp_inbound_v6(q, first_mp1, ill, 10264 hdr_length, mctl_present, 10265 IP6_NO_IPPOLICY, ilm->ilm_zoneid); 10266 } 10267 ILM_WALKER_RELE(ill); 10268 } else { 10269 first_mp1 = ip_copymsg(first_mp); 10270 if (first_mp1 != NULL) 10271 icmp_inbound_v6(q, first_mp1, ill, 10272 hdr_length, mctl_present, 10273 IP6_NO_IPPOLICY, ire->ire_zoneid); 10274 } 10275 } 10276 /* FALLTHRU */ 10277 default: { 10278 /* 10279 * Handle protocols with which IPv6 is less intimate. 10280 */ 10281 uint8_t *nexthdrp; 10282 uint_t nexthdr_offset; 10283 10284 fanout_flags |= IP_FF_RAWIP|IP_FF_IP6INFO; 10285 10286 if (!ip_hdr_length_nexthdr_v6(mp, ip6h, 10287 &hdr_length, &nexthdrp)) { 10288 /* Malformed packet */ 10289 BUMP_MIB(mibptr, ipv6OutDiscards); 10290 freemsg(first_mp); 10291 return; 10292 } 10293 nexthdr = *nexthdrp; 10294 nexthdr_offset = nexthdrp - (uint8_t *)ip6h; 10295 10296 /* 10297 * Enable sending ICMP for "Unknown" nexthdr 10298 * case. i.e. where we did not FALLTHRU from 10299 * IPPROTO_ICMPV6 processing case above. 10300 */ 10301 if (nexthdr != IPPROTO_ICMPV6) 10302 fanout_flags |= IP_FF_SEND_ICMP; 10303 /* 10304 * Note: There can be more than one stream bound 10305 * to a particular protocol. When this is the case, 10306 * each one gets a copy of any incoming packets. 10307 */ 10308 ip_fanout_proto_v6(q, first_mp, ip6h, ill, ill, nexthdr, 10309 nexthdr_offset, fanout_flags|IP6_NO_IPPOLICY, 10310 mctl_present, ire->ire_zoneid); 10311 return; 10312 } 10313 } 10314 } 10315 10316 /* 10317 * Send packet using IRE. 10318 * Checksumming is controlled by cksum_request: 10319 * -1 => normal i.e. TCP/UDP/SCTP/ICMPv6 are checksummed and nothing else. 10320 * 1 => Skip TCP/UDP/SCTP checksum 10321 * Otherwise => checksum_request contains insert offset for checksum 10322 * 10323 * Assumes that the following set of headers appear in the first 10324 * mblk: 10325 * ip6_t 10326 * Any extension headers 10327 * TCP/UDP/SCTP header (if present) 10328 * The routine can handle an ICMPv6 header that is not in the first mblk. 10329 * 10330 * NOTE : This function does not ire_refrele the ire passed in as the 10331 * argument unlike ip_wput_ire where the REFRELE is done. 10332 * Refer to ip_wput_ire for more on this. 10333 */ 10334 static void 10335 ip_wput_ire_v6(queue_t *q, mblk_t *mp, ire_t *ire, int unspec_src, 10336 int cksum_request, conn_t *connp, int caller, int attach_index, int flags) 10337 { 10338 ip6_t *ip6h; 10339 uint8_t nexthdr; 10340 uint16_t hdr_length; 10341 uint_t reachable = 0x0; 10342 ill_t *ill; 10343 mib2_ipv6IfStatsEntry_t *mibptr; 10344 mblk_t *first_mp; 10345 boolean_t mctl_present; 10346 ipsec_out_t *io; 10347 boolean_t conn_dontroute; /* conn value for multicast */ 10348 boolean_t conn_multicast_loop; /* conn value for multicast */ 10349 boolean_t multicast_forward; /* Should we forward ? */ 10350 int max_frag; 10351 zoneid_t zoneid; 10352 10353 zoneid = (connp != NULL ? connp->conn_zoneid : ALL_ZONES); 10354 ill = ire_to_ill(ire); 10355 first_mp = mp; 10356 multicast_forward = B_FALSE; 10357 10358 if (mp->b_datap->db_type != M_CTL) { 10359 ip6h = (ip6_t *)first_mp->b_rptr; 10360 } else { 10361 io = (ipsec_out_t *)first_mp->b_rptr; 10362 ASSERT(io->ipsec_out_type == IPSEC_OUT); 10363 /* 10364 * Grab the zone id now because the M_CTL can be discarded by 10365 * ip_wput_ire_parse_ipsec_out() below. 10366 */ 10367 zoneid = io->ipsec_out_zoneid; 10368 ASSERT(zoneid != ALL_ZONES); 10369 ip6h = (ip6_t *)first_mp->b_cont->b_rptr; 10370 /* 10371 * For the multicast case, ipsec_out carries conn_dontroute and 10372 * conn_multicast_loop as conn may not be available here. We 10373 * need this for multicast loopback and forwarding which is done 10374 * later in the code. 10375 */ 10376 if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst)) { 10377 conn_dontroute = io->ipsec_out_dontroute; 10378 conn_multicast_loop = io->ipsec_out_multicast_loop; 10379 /* 10380 * If conn_dontroute is not set or conn_multicast_loop 10381 * is set, we need to do forwarding/loopback. For 10382 * datagrams from ip_wput_multicast, conn_dontroute is 10383 * set to B_TRUE and conn_multicast_loop is set to 10384 * B_FALSE so that we neither do forwarding nor 10385 * loopback. 10386 */ 10387 if (!conn_dontroute || conn_multicast_loop) 10388 multicast_forward = B_TRUE; 10389 } 10390 } 10391 10392 /* 10393 * If the sender didn't supply the hop limit and there is a default 10394 * unicast hop limit associated with the output interface, we use 10395 * that if the packet is unicast. Interface specific unicast hop 10396 * limits as set via the SIOCSLIFLNKINFO ioctl. 10397 */ 10398 if (ill->ill_max_hops != 0 && !(flags & IP6I_HOPLIMIT) && 10399 !(IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst))) { 10400 ip6h->ip6_hops = ill->ill_max_hops; 10401 } 10402 10403 if (ire->ire_type == IRE_LOCAL && ire->ire_zoneid != zoneid) { 10404 /* 10405 * When a zone sends a packet to another zone, we try to deliver 10406 * the packet under the same conditions as if the destination 10407 * was a real node on the network. To do so, we look for a 10408 * matching route in the forwarding table. 10409 * RTF_REJECT and RTF_BLACKHOLE are handled just like 10410 * ip_newroute_v6() does. 10411 */ 10412 ire_t *src_ire = ire_ftable_lookup_v6(&ip6h->ip6_dst, 0, 0, 0, 10413 NULL, NULL, zoneid, 0, (MATCH_IRE_RECURSIVE | 10414 MATCH_IRE_DEFAULT | MATCH_IRE_RJ_BHOLE)); 10415 if (src_ire != NULL && 10416 !(src_ire->ire_flags & (RTF_REJECT | RTF_BLACKHOLE))) { 10417 if (IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src) && 10418 !unspec_src) { 10419 ip6h->ip6_src = src_ire->ire_src_addr_v6; 10420 } 10421 ire_refrele(src_ire); 10422 } else { 10423 BUMP_MIB(ill->ill_ip6_mib, ipv6OutNoRoutes); 10424 if (src_ire != NULL) { 10425 if (src_ire->ire_flags & RTF_BLACKHOLE) { 10426 ire_refrele(src_ire); 10427 freemsg(first_mp); 10428 return; 10429 } 10430 ire_refrele(src_ire); 10431 } 10432 if (ip_hdr_complete_v6(ip6h, zoneid)) { 10433 /* Failed */ 10434 freemsg(first_mp); 10435 return; 10436 } 10437 icmp_unreachable_v6(q, first_mp, 10438 ICMP6_DST_UNREACH_NOROUTE, B_FALSE, B_FALSE); 10439 return; 10440 } 10441 } 10442 10443 if (mp->b_datap->db_type == M_CTL || ipsec_outbound_v6_policy_present) { 10444 mp = ip_wput_ire_parse_ipsec_out(first_mp, NULL, ip6h, ire, 10445 connp, unspec_src); 10446 if (mp == NULL) { 10447 return; 10448 } 10449 } 10450 10451 first_mp = mp; 10452 if (mp->b_datap->db_type == M_CTL) { 10453 io = (ipsec_out_t *)mp->b_rptr; 10454 ASSERT(io->ipsec_out_type == IPSEC_OUT); 10455 mp = mp->b_cont; 10456 mctl_present = B_TRUE; 10457 } else { 10458 mctl_present = B_FALSE; 10459 } 10460 10461 ip6h = (ip6_t *)mp->b_rptr; 10462 nexthdr = ip6h->ip6_nxt; 10463 mibptr = ill->ill_ip6_mib; 10464 10465 if (IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src) && !unspec_src) { 10466 /* 10467 * The ire_src_addr_v6 always contains a useable source address 10468 * for the destination (based on source address selection rules 10469 * with respect to address scope as well as deprecated vs. 10470 * preferred addresses). 10471 */ 10472 ip6h->ip6_src = ire->ire_src_addr_v6; 10473 } 10474 if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst)) { 10475 if ((connp != NULL && connp->conn_multicast_loop) || 10476 !(ill->ill_phyint->phyint_flags & PHYI_LOOPBACK)) { 10477 ilm_t *ilm; 10478 10479 ILM_WALKER_HOLD(ill); 10480 ilm = ilm_lookup_ill_v6(ill, &ip6h->ip6_dst, ALL_ZONES); 10481 ILM_WALKER_RELE(ill); 10482 if (ilm != NULL) { 10483 mblk_t *nmp; 10484 int fanout_flags = 0; 10485 10486 if (connp != NULL && 10487 !connp->conn_multicast_loop) { 10488 fanout_flags |= IP_FF_NO_MCAST_LOOP; 10489 } 10490 ip1dbg(("ip_wput_ire_v6: " 10491 "Loopback multicast\n")); 10492 nmp = ip_copymsg(first_mp); 10493 if (nmp != NULL) { 10494 ip6_t *nip6h; 10495 10496 if (mctl_present) { 10497 nip6h = (ip6_t *) 10498 nmp->b_cont->b_rptr; 10499 } else { 10500 nip6h = (ip6_t *)nmp->b_rptr; 10501 } 10502 /* 10503 * Deliver locally and to every local 10504 * zone, except the sending zone when 10505 * IPV6_MULTICAST_LOOP is disabled. 10506 */ 10507 ip_wput_local_v6(RD(q), ill, nip6h, nmp, 10508 ire, fanout_flags); 10509 } else { 10510 BUMP_MIB(mibptr, ipv6OutDiscards); 10511 ip1dbg(("ip_wput_ire_v6: " 10512 "copymsg failed\n")); 10513 } 10514 } 10515 } 10516 if (ip6h->ip6_hops == 0 || 10517 IN6_IS_ADDR_MC_NODELOCAL(&ip6h->ip6_dst) || 10518 (ill->ill_phyint->phyint_flags & PHYI_LOOPBACK)) { 10519 /* 10520 * Local multicast or just loopback on loopback 10521 * interface. 10522 */ 10523 BUMP_MIB(mibptr, ipv6OutMcastPkts); 10524 ip1dbg(("ip_wput_ire_v6: local multicast only\n")); 10525 freemsg(first_mp); 10526 return; 10527 } 10528 } 10529 10530 /* Fastpath */ 10531 switch (nexthdr) { 10532 case IPPROTO_TCP: 10533 case IPPROTO_UDP: 10534 case IPPROTO_ICMPV6: 10535 case IPPROTO_SCTP: 10536 hdr_length = IPV6_HDR_LEN; 10537 break; 10538 default: { 10539 uint8_t *nexthdrp; 10540 10541 if (!ip_hdr_length_nexthdr_v6(mp, ip6h, 10542 &hdr_length, &nexthdrp)) { 10543 /* Malformed packet */ 10544 BUMP_MIB(mibptr, ipv6OutDiscards); 10545 freemsg(first_mp); 10546 return; 10547 } 10548 nexthdr = *nexthdrp; 10549 break; 10550 } 10551 } 10552 10553 if (ire->ire_stq != NULL) { 10554 uint32_t sum; 10555 uint_t ill_index = ((ill_t *)ire->ire_stq->q_ptr)-> 10556 ill_phyint->phyint_ifindex; 10557 queue_t *dev_q = ire->ire_stq->q_next; 10558 10559 /* 10560 * non-NULL send-to queue - packet is to be sent 10561 * out an interface. 10562 */ 10563 10564 /* Driver is flow-controlling? */ 10565 if (!IP_FLOW_CONTROLLED_ULP(nexthdr) && 10566 ((dev_q->q_next || dev_q->q_first) && !canput(dev_q))) { 10567 /* 10568 * Queue packet if we have an conn to give back 10569 * pressure. We can't queue packets intended for 10570 * hardware acceleration since we've tossed that 10571 * state already. If the packet is being fed back 10572 * from ire_send_v6, we don't know the position in 10573 * the queue to enqueue the packet and we discard 10574 * the packet. 10575 */ 10576 ASSERT(mp == first_mp); 10577 if (ip_output_queue && connp != NULL && 10578 !mctl_present && caller != IRE_SEND) { 10579 if (caller == IP_WSRV) { 10580 connp->conn_did_putbq = 1; 10581 (void) putbq(connp->conn_wq, mp); 10582 conn_drain_insert(connp); 10583 /* 10584 * caller == IP_WSRV implies we are 10585 * the service thread, and the 10586 * queue is already noenabled. 10587 * The check for canput and 10588 * the putbq is not atomic. 10589 * So we need to check again. 10590 */ 10591 if (canput(dev_q)) 10592 connp->conn_did_putbq = 0; 10593 } else { 10594 (void) putq(connp->conn_wq, mp); 10595 } 10596 return; 10597 } 10598 BUMP_MIB(mibptr, ipv6OutDiscards); 10599 freemsg(mp); 10600 return; 10601 } 10602 10603 /* 10604 * Look for reachability confirmations from the transport. 10605 */ 10606 if (ip6h->ip6_vcf & IP_FORWARD_PROG) { 10607 reachable |= IPV6_REACHABILITY_CONFIRMATION; 10608 ip6h->ip6_vcf &= ~IP_FORWARD_PROG; 10609 if (mctl_present) 10610 io->ipsec_out_reachable = B_TRUE; 10611 } 10612 if (cksum_request != -1 && nexthdr != IPPROTO_ICMPV6) { 10613 uint16_t *up; 10614 uint16_t *insp; 10615 10616 /* 10617 * The packet header is processed once for all, even 10618 * in the multirouting case. We disable hardware 10619 * checksum if the packet is multirouted, as it will be 10620 * replicated via several interfaces, and not all of 10621 * them may have this capability. 10622 */ 10623 if (cksum_request == 1 && 10624 !(ire->ire_flags & RTF_MULTIRT)) { 10625 /* Skip the transport checksum */ 10626 goto cksum_done; 10627 } 10628 /* 10629 * Do user-configured raw checksum. 10630 * Compute checksum and insert at offset "cksum_request" 10631 */ 10632 10633 /* check for enough headers for checksum */ 10634 cksum_request += hdr_length; /* offset from rptr */ 10635 if ((mp->b_wptr - mp->b_rptr) < 10636 (cksum_request + sizeof (int16_t))) { 10637 if (!pullupmsg(mp, 10638 cksum_request + sizeof (int16_t))) { 10639 ip1dbg(("ip_wput_v6: ICMP hdr pullupmsg" 10640 " failed\n")); 10641 BUMP_MIB(mibptr, ipv6OutDiscards); 10642 freemsg(first_mp); 10643 return; 10644 } 10645 ip6h = (ip6_t *)mp->b_rptr; 10646 } 10647 insp = (uint16_t *)((uchar_t *)ip6h + cksum_request); 10648 ASSERT(((uintptr_t)insp & 0x1) == 0); 10649 up = (uint16_t *)&ip6h->ip6_src; 10650 /* 10651 * icmp has placed length and routing 10652 * header adjustment in *insp. 10653 */ 10654 sum = htons(nexthdr) + 10655 up[0] + up[1] + up[2] + up[3] + 10656 up[4] + up[5] + up[6] + up[7] + 10657 up[8] + up[9] + up[10] + up[11] + 10658 up[12] + up[13] + up[14] + up[15]; 10659 sum = (sum & 0xffff) + (sum >> 16); 10660 *insp = IP_CSUM(mp, hdr_length, sum); 10661 if (*insp == 0) 10662 *insp = 0xFFFF; 10663 } else if (nexthdr == IPPROTO_TCP) { 10664 uint16_t *up; 10665 10666 /* 10667 * Check for full IPv6 header + enough TCP header 10668 * to get at the checksum field. 10669 */ 10670 if ((mp->b_wptr - mp->b_rptr) < 10671 (hdr_length + TCP_CHECKSUM_OFFSET + 10672 TCP_CHECKSUM_SIZE)) { 10673 if (!pullupmsg(mp, hdr_length + 10674 TCP_CHECKSUM_OFFSET + TCP_CHECKSUM_SIZE)) { 10675 ip1dbg(("ip_wput_v6: TCP hdr pullupmsg" 10676 " failed\n")); 10677 BUMP_MIB(mibptr, ipv6OutDiscards); 10678 freemsg(first_mp); 10679 return; 10680 } 10681 ip6h = (ip6_t *)mp->b_rptr; 10682 } 10683 10684 up = (uint16_t *)&ip6h->ip6_src; 10685 /* 10686 * Note: The TCP module has stored the length value 10687 * into the tcp checksum field, so we don't 10688 * need to explicitly sum it in here. 10689 */ 10690 sum = up[0] + up[1] + up[2] + up[3] + 10691 up[4] + up[5] + up[6] + up[7] + 10692 up[8] + up[9] + up[10] + up[11] + 10693 up[12] + up[13] + up[14] + up[15]; 10694 10695 /* Fold the initial sum */ 10696 sum = (sum & 0xffff) + (sum >> 16); 10697 10698 up = (uint16_t *)(((uchar_t *)ip6h) + 10699 hdr_length + TCP_CHECKSUM_OFFSET); 10700 10701 IP_CKSUM_XMIT(ill, ire, mp, ip6h, up, IPPROTO_TCP, 10702 hdr_length, ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN, 10703 ire->ire_max_frag, mctl_present, sum); 10704 10705 /* Software checksum? */ 10706 if (DB_CKSUMFLAGS(mp) == 0) { 10707 IP6_STAT(ip6_out_sw_cksum); 10708 IP6_STAT_UPDATE(ip6_tcp_out_sw_cksum_bytes, 10709 (ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN) - 10710 hdr_length); 10711 } 10712 } else if (nexthdr == IPPROTO_UDP) { 10713 uint16_t *up; 10714 10715 /* 10716 * check for full IPv6 header + enough UDP header 10717 * to get at the UDP checksum field 10718 */ 10719 if ((mp->b_wptr - mp->b_rptr) < (hdr_length + 10720 UDP_CHECKSUM_OFFSET + UDP_CHECKSUM_SIZE)) { 10721 if (!pullupmsg(mp, hdr_length + 10722 UDP_CHECKSUM_OFFSET + UDP_CHECKSUM_SIZE)) { 10723 ip1dbg(("ip_wput_v6: UDP hdr pullupmsg" 10724 " failed\n")); 10725 BUMP_MIB(mibptr, ipv6OutDiscards); 10726 freemsg(first_mp); 10727 return; 10728 } 10729 ip6h = (ip6_t *)mp->b_rptr; 10730 } 10731 up = (uint16_t *)&ip6h->ip6_src; 10732 /* 10733 * Note: The UDP module has stored the length value 10734 * into the udp checksum field, so we don't 10735 * need to explicitly sum it in here. 10736 */ 10737 sum = up[0] + up[1] + up[2] + up[3] + 10738 up[4] + up[5] + up[6] + up[7] + 10739 up[8] + up[9] + up[10] + up[11] + 10740 up[12] + up[13] + up[14] + up[15]; 10741 10742 /* Fold the initial sum */ 10743 sum = (sum & 0xffff) + (sum >> 16); 10744 10745 up = (uint16_t *)(((uchar_t *)ip6h) + 10746 hdr_length + UDP_CHECKSUM_OFFSET); 10747 10748 IP_CKSUM_XMIT(ill, ire, mp, ip6h, up, IPPROTO_UDP, 10749 hdr_length, ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN, 10750 ire->ire_max_frag, mctl_present, sum); 10751 10752 /* Software checksum? */ 10753 if (DB_CKSUMFLAGS(mp) == 0) { 10754 IP6_STAT(ip6_out_sw_cksum); 10755 IP6_STAT_UPDATE(ip6_udp_out_sw_cksum_bytes, 10756 (ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN) - 10757 hdr_length); 10758 } 10759 } else if (nexthdr == IPPROTO_ICMPV6) { 10760 uint16_t *up; 10761 icmp6_t *icmp6; 10762 10763 /* check for full IPv6+ICMPv6 header */ 10764 if ((mp->b_wptr - mp->b_rptr) < 10765 (hdr_length + ICMP6_MINLEN)) { 10766 if (!pullupmsg(mp, hdr_length + ICMP6_MINLEN)) { 10767 ip1dbg(("ip_wput_v6: ICMP hdr pullupmsg" 10768 " failed\n")); 10769 BUMP_MIB(mibptr, ipv6OutDiscards); 10770 freemsg(first_mp); 10771 return; 10772 } 10773 ip6h = (ip6_t *)mp->b_rptr; 10774 } 10775 icmp6 = (icmp6_t *)((uchar_t *)ip6h + hdr_length); 10776 up = (uint16_t *)&ip6h->ip6_src; 10777 /* 10778 * icmp has placed length and routing 10779 * header adjustment in icmp6_cksum. 10780 */ 10781 sum = htons(IPPROTO_ICMPV6) + 10782 up[0] + up[1] + up[2] + up[3] + 10783 up[4] + up[5] + up[6] + up[7] + 10784 up[8] + up[9] + up[10] + up[11] + 10785 up[12] + up[13] + up[14] + up[15]; 10786 sum = (sum & 0xffff) + (sum >> 16); 10787 icmp6->icmp6_cksum = IP_CSUM(mp, hdr_length, sum); 10788 if (icmp6->icmp6_cksum == 0) 10789 icmp6->icmp6_cksum = 0xFFFF; 10790 10791 /* Update output mib stats */ 10792 icmp_update_out_mib_v6(ill, icmp6); 10793 } else if (nexthdr == IPPROTO_SCTP) { 10794 sctp_hdr_t *sctph; 10795 10796 if (MBLKL(mp) < (hdr_length + sizeof (*sctph))) { 10797 if (!pullupmsg(mp, hdr_length + 10798 sizeof (*sctph))) { 10799 ip1dbg(("ip_wput_v6: SCTP hdr pullupmsg" 10800 " failed\n")); 10801 BUMP_MIB(ill->ill_ip6_mib, 10802 ipv6OutDiscards); 10803 freemsg(mp); 10804 return; 10805 } 10806 ip6h = (ip6_t *)mp->b_rptr; 10807 } 10808 sctph = (sctp_hdr_t *)(mp->b_rptr + hdr_length); 10809 sctph->sh_chksum = 0; 10810 sctph->sh_chksum = sctp_cksum(mp, hdr_length); 10811 } 10812 10813 cksum_done: 10814 /* 10815 * We force the insertion of a fragment header using the 10816 * IPH_FRAG_HDR flag in two cases: 10817 * - after reception of an ICMPv6 "packet too big" message 10818 * with a MTU < 1280 (cf. RFC 2460 section 5) 10819 * - for multirouted IPv6 packets, so that the receiver can 10820 * discard duplicates according to their fragment identifier 10821 * 10822 * Two flags modifed from the API can modify this behavior. 10823 * The first is IPV6_USE_MIN_MTU. With this API the user 10824 * can specify how to manage PMTUD for unicast and multicast. 10825 * 10826 * IPV6_DONTFRAG disallows fragmentation. 10827 */ 10828 max_frag = ire->ire_max_frag; 10829 switch (IP6I_USE_MIN_MTU_API(flags)) { 10830 case IPV6_USE_MIN_MTU_DEFAULT: 10831 case IPV6_USE_MIN_MTU_UNICAST: 10832 if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst)) { 10833 max_frag = IPV6_MIN_MTU; 10834 } 10835 break; 10836 10837 case IPV6_USE_MIN_MTU_NEVER: 10838 max_frag = IPV6_MIN_MTU; 10839 break; 10840 } 10841 if (ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN > max_frag || 10842 (ire->ire_frag_flag & IPH_FRAG_HDR)) { 10843 if (connp != NULL && (flags & IP6I_DONTFRAG)) { 10844 icmp_pkt2big_v6(ire->ire_stq, first_mp, 10845 max_frag, B_FALSE, B_TRUE); 10846 return; 10847 } 10848 10849 if (ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN != 10850 (mp->b_cont ? msgdsize(mp) : 10851 mp->b_wptr - (uchar_t *)ip6h)) { 10852 ip0dbg(("Packet length mismatch: %d, %ld\n", 10853 ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN, 10854 msgdsize(mp))); 10855 freemsg(first_mp); 10856 return; 10857 } 10858 /* Do IPSEC processing first */ 10859 if (mctl_present) { 10860 if (attach_index != 0) 10861 ipsec_out_attach_if(io, attach_index); 10862 ipsec_out_process(q, first_mp, ire, ill_index); 10863 return; 10864 } 10865 ASSERT(mp->b_prev == NULL); 10866 ip2dbg(("Fragmenting Size = %d, mtu = %d\n", 10867 ntohs(ip6h->ip6_plen) + 10868 IPV6_HDR_LEN, max_frag)); 10869 ASSERT(mp == first_mp); 10870 /* Initiate IPPF processing */ 10871 if (IPP_ENABLED(IPP_LOCAL_OUT)) { 10872 ip_process(IPP_LOCAL_OUT, &mp, ill_index); 10873 if (mp == NULL) { 10874 return; 10875 } 10876 } 10877 ip_wput_frag_v6(mp, ire, reachable, connp, 10878 caller, max_frag); 10879 return; 10880 } 10881 /* Do IPSEC processing first */ 10882 if (mctl_present) { 10883 int extra_len = ipsec_out_extra_length(first_mp); 10884 10885 if (ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN + extra_len > 10886 max_frag && ip_ulp_cando_pkt2big(nexthdr)) { 10887 /* 10888 * IPsec headers will push the packet over the 10889 * MTU limit. Issue an ICMPv6 Packet Too Big 10890 * message for this packet if the upper-layer 10891 * that issued this packet will be able to 10892 * react to the icmp_pkt2big_v6() that we'll 10893 * generate. 10894 */ 10895 icmp_pkt2big_v6(ire->ire_stq, first_mp, 10896 max_frag, B_FALSE, B_TRUE); 10897 return; 10898 } 10899 if (attach_index != 0) 10900 ipsec_out_attach_if(io, attach_index); 10901 ipsec_out_process(q, first_mp, ire, ill_index); 10902 return; 10903 } 10904 /* 10905 * XXX multicast: add ip_mforward_v6() here. 10906 * Check conn_dontroute 10907 */ 10908 #ifdef lint 10909 /* 10910 * XXX The only purpose of this statement is to avoid lint 10911 * errors. See the above "XXX multicast". When that gets 10912 * fixed, remove this whole #ifdef lint section. 10913 */ 10914 ip3dbg(("multicast forward is %s.\n", 10915 (multicast_forward ? "TRUE" : "FALSE"))); 10916 #endif 10917 10918 UPDATE_OB_PKT_COUNT(ire); 10919 ire->ire_last_used_time = lbolt; 10920 ASSERT(mp == first_mp); 10921 ip_xmit_v6(mp, ire, reachable, connp, caller, NULL); 10922 } else { 10923 ip_wput_local_v6(RD(q), ill, ip6h, first_mp, ire, 0); 10924 } 10925 } 10926 10927 /* 10928 * Outbound IPv6 fragmentation routine using MDT. 10929 */ 10930 static void 10931 ip_wput_frag_mdt_v6(mblk_t *mp, ire_t *ire, size_t max_chunk, 10932 size_t unfragmentable_len, uint8_t nexthdr, uint_t prev_nexthdr_offset) 10933 { 10934 ip6_t *ip6h = (ip6_t *)mp->b_rptr; 10935 uint_t pkts, wroff, hdr_chunk_len, pbuf_idx; 10936 mblk_t *hdr_mp, *md_mp = NULL; 10937 int i1; 10938 multidata_t *mmd; 10939 unsigned char *hdr_ptr, *pld_ptr; 10940 ip_pdescinfo_t pdi; 10941 uint32_t ident; 10942 size_t len; 10943 uint16_t offset; 10944 queue_t *stq = ire->ire_stq; 10945 ill_t *ill = (ill_t *)stq->q_ptr; 10946 10947 ASSERT(DB_TYPE(mp) == M_DATA); 10948 ASSERT(MBLKL(mp) > unfragmentable_len); 10949 10950 /* 10951 * Move read ptr past unfragmentable portion, we don't want this part 10952 * of the data in our fragments. 10953 */ 10954 mp->b_rptr += unfragmentable_len; 10955 10956 /* Calculate how many packets we will send out */ 10957 i1 = (mp->b_cont == NULL) ? MBLKL(mp) : msgsize(mp); 10958 pkts = (i1 + max_chunk - 1) / max_chunk; 10959 ASSERT(pkts > 1); 10960 10961 /* Allocate a message block which will hold all the IP Headers. */ 10962 wroff = ip_wroff_extra; 10963 hdr_chunk_len = wroff + unfragmentable_len + sizeof (ip6_frag_t); 10964 10965 i1 = pkts * hdr_chunk_len; 10966 /* 10967 * Create the header buffer, Multidata and destination address 10968 * and SAP attribute that should be associated with it. 10969 */ 10970 if ((hdr_mp = allocb(i1, BPRI_HI)) == NULL || 10971 ((hdr_mp->b_wptr += i1), 10972 (mmd = mmd_alloc(hdr_mp, &md_mp, KM_NOSLEEP)) == NULL) || 10973 !ip_md_addr_attr(mmd, NULL, ire->ire_nce->nce_res_mp)) { 10974 freemsg(mp); 10975 if (md_mp == NULL) { 10976 freemsg(hdr_mp); 10977 } else { 10978 free_mmd: IP6_STAT(ip6_frag_mdt_discarded); 10979 freemsg(md_mp); 10980 } 10981 IP6_STAT(ip6_frag_mdt_allocfail); 10982 BUMP_MIB(ill->ill_ip6_mib, ipv6OutFragFails); 10983 UPDATE_MIB(ill->ill_ip6_mib, ipv6OutDiscards, pkts); 10984 return; 10985 } 10986 IP6_STAT(ip6_frag_mdt_allocd); 10987 10988 /* 10989 * Add a payload buffer to the Multidata; this operation must not 10990 * fail, or otherwise our logic in this routine is broken. There 10991 * is no memory allocation done by the routine, so any returned 10992 * failure simply tells us that we've done something wrong. 10993 * 10994 * A failure tells us that either we're adding the same payload 10995 * buffer more than once, or we're trying to add more buffers than 10996 * allowed. None of the above cases should happen, and we panic 10997 * because either there's horrible heap corruption, and/or 10998 * programming mistake. 10999 */ 11000 if ((pbuf_idx = mmd_addpldbuf(mmd, mp)) < 0) { 11001 goto pbuf_panic; 11002 } 11003 11004 hdr_ptr = hdr_mp->b_rptr; 11005 pld_ptr = mp->b_rptr; 11006 11007 pdi.flags = PDESC_HBUF_REF | PDESC_PBUF_REF; 11008 11009 ident = htonl(atomic_add_32_nv(&ire->ire_ident, 1)); 11010 11011 /* 11012 * len is the total length of the fragmentable data in this 11013 * datagram. For each fragment sent, we will decrement len 11014 * by the amount of fragmentable data sent in that fragment 11015 * until len reaches zero. 11016 */ 11017 len = ntohs(ip6h->ip6_plen) - (unfragmentable_len - IPV6_HDR_LEN); 11018 11019 offset = 0; 11020 prev_nexthdr_offset += wroff; 11021 11022 while (len != 0) { 11023 size_t mlen; 11024 ip6_t *fip6h; 11025 ip6_frag_t *fraghdr; 11026 int error; 11027 11028 ASSERT((hdr_ptr + hdr_chunk_len) <= hdr_mp->b_wptr); 11029 mlen = MIN(len, max_chunk); 11030 len -= mlen; 11031 11032 fip6h = (ip6_t *)(hdr_ptr + wroff); 11033 ASSERT(OK_32PTR(fip6h)); 11034 bcopy(ip6h, fip6h, unfragmentable_len); 11035 hdr_ptr[prev_nexthdr_offset] = IPPROTO_FRAGMENT; 11036 11037 fip6h->ip6_plen = htons((uint16_t)(mlen + 11038 unfragmentable_len - IPV6_HDR_LEN + sizeof (ip6_frag_t))); 11039 11040 fraghdr = (ip6_frag_t *)((unsigned char *)fip6h + 11041 unfragmentable_len); 11042 fraghdr->ip6f_nxt = nexthdr; 11043 fraghdr->ip6f_reserved = 0; 11044 fraghdr->ip6f_offlg = htons(offset) | 11045 ((len != 0) ? IP6F_MORE_FRAG : 0); 11046 fraghdr->ip6f_ident = ident; 11047 11048 /* 11049 * Record offset and size of header and data of the next packet 11050 * in the multidata message. 11051 */ 11052 PDESC_HDR_ADD(&pdi, hdr_ptr, wroff, 11053 unfragmentable_len + sizeof (ip6_frag_t), 0); 11054 PDESC_PLD_INIT(&pdi); 11055 i1 = MIN(mp->b_wptr - pld_ptr, mlen); 11056 ASSERT(i1 > 0); 11057 PDESC_PLD_SPAN_ADD(&pdi, pbuf_idx, pld_ptr, i1); 11058 if (i1 == mlen) { 11059 pld_ptr += mlen; 11060 } else { 11061 i1 = mlen - i1; 11062 mp = mp->b_cont; 11063 ASSERT(mp != NULL); 11064 ASSERT(MBLKL(mp) >= i1); 11065 /* 11066 * Attach the next payload message block to the 11067 * multidata message. 11068 */ 11069 if ((pbuf_idx = mmd_addpldbuf(mmd, mp)) < 0) 11070 goto pbuf_panic; 11071 PDESC_PLD_SPAN_ADD(&pdi, pbuf_idx, mp->b_rptr, i1); 11072 pld_ptr = mp->b_rptr + i1; 11073 } 11074 11075 if ((mmd_addpdesc(mmd, (pdescinfo_t *)&pdi, &error, 11076 KM_NOSLEEP)) == NULL) { 11077 /* 11078 * Any failure other than ENOMEM indicates that we 11079 * have passed in invalid pdesc info or parameters 11080 * to mmd_addpdesc, which must not happen. 11081 * 11082 * EINVAL is a result of failure on boundary checks 11083 * against the pdesc info contents. It should not 11084 * happen, and we panic because either there's 11085 * horrible heap corruption, and/or programming 11086 * mistake. 11087 */ 11088 if (error != ENOMEM) { 11089 cmn_err(CE_PANIC, "ip_wput_frag_mdt_v6: " 11090 "pdesc logic error detected for " 11091 "mmd %p pinfo %p (%d)\n", 11092 (void *)mmd, (void *)&pdi, error); 11093 /* NOTREACHED */ 11094 } 11095 IP6_STAT(ip6_frag_mdt_addpdescfail); 11096 /* Free unattached payload message blocks as well */ 11097 md_mp->b_cont = mp->b_cont; 11098 goto free_mmd; 11099 } 11100 11101 /* Advance fragment offset. */ 11102 offset += mlen; 11103 11104 /* Advance to location for next header in the buffer. */ 11105 hdr_ptr += hdr_chunk_len; 11106 11107 /* Did we reach the next payload message block? */ 11108 if (pld_ptr == mp->b_wptr && mp->b_cont != NULL) { 11109 mp = mp->b_cont; 11110 /* 11111 * Attach the next message block with payload 11112 * data to the multidata message. 11113 */ 11114 if ((pbuf_idx = mmd_addpldbuf(mmd, mp)) < 0) 11115 goto pbuf_panic; 11116 pld_ptr = mp->b_rptr; 11117 } 11118 } 11119 11120 ASSERT(hdr_mp->b_wptr == hdr_ptr); 11121 ASSERT(mp->b_wptr == pld_ptr); 11122 11123 /* Update IP statistics */ 11124 UPDATE_MIB(ill->ill_ip6_mib, ipv6OutFragCreates, pkts); 11125 BUMP_MIB(ill->ill_ip6_mib, ipv6OutFragOKs); 11126 IP6_STAT_UPDATE(ip6_frag_mdt_pkt_out, pkts); 11127 11128 ire->ire_ob_pkt_count += pkts; 11129 if (ire->ire_ipif != NULL) 11130 atomic_add_32(&ire->ire_ipif->ipif_ob_pkt_count, pkts); 11131 11132 ire->ire_last_used_time = lbolt; 11133 /* Send it down */ 11134 putnext(stq, md_mp); 11135 return; 11136 11137 pbuf_panic: 11138 cmn_err(CE_PANIC, "ip_wput_frag_mdt_v6: payload buffer logic " 11139 "error for mmd %p pbuf %p (%d)", (void *)mmd, (void *)mp, 11140 pbuf_idx); 11141 /* NOTREACHED */ 11142 } 11143 11144 /* 11145 * IPv6 fragmentation. Essentially the same as IPv4 fragmentation. 11146 * We have not optimized this in terms of number of mblks 11147 * allocated. For instance, for each fragment sent we always allocate a 11148 * mblk to hold the IPv6 header and fragment header. 11149 * 11150 * Assumes that all the extension headers are contained in the first mblk. 11151 * 11152 * The fragment header is inserted after an hop-by-hop options header 11153 * and after [an optional destinations header followed by] a routing header. 11154 * 11155 * NOTE : This function does not ire_refrele the ire passed in as 11156 * the argument. 11157 */ 11158 void 11159 ip_wput_frag_v6(mblk_t *mp, ire_t *ire, uint_t reachable, conn_t *connp, 11160 int caller, int max_frag) 11161 { 11162 ip6_t *ip6h = (ip6_t *)mp->b_rptr; 11163 ip6_t *fip6h; 11164 mblk_t *hmp; 11165 mblk_t *hmp0; 11166 mblk_t *dmp; 11167 ip6_frag_t *fraghdr; 11168 size_t unfragmentable_len; 11169 size_t len; 11170 size_t mlen; 11171 size_t max_chunk; 11172 uint32_t ident; 11173 uint16_t off_flags; 11174 uint16_t offset = 0; 11175 ill_t *ill; 11176 uint8_t nexthdr; 11177 uint_t prev_nexthdr_offset; 11178 uint8_t *ptr; 11179 11180 ASSERT(ire->ire_type == IRE_CACHE); 11181 ill = (ill_t *)ire->ire_stq->q_ptr; 11182 11183 /* 11184 * Determine the length of the unfragmentable portion of this 11185 * datagram. This consists of the IPv6 header, a potential 11186 * hop-by-hop options header, a potential pre-routing-header 11187 * destination options header, and a potential routing header. 11188 */ 11189 nexthdr = ip6h->ip6_nxt; 11190 prev_nexthdr_offset = (uint8_t *)&ip6h->ip6_nxt - (uint8_t *)ip6h; 11191 ptr = (uint8_t *)&ip6h[1]; 11192 11193 if (nexthdr == IPPROTO_HOPOPTS) { 11194 ip6_hbh_t *hbh_hdr; 11195 uint_t hdr_len; 11196 11197 hbh_hdr = (ip6_hbh_t *)ptr; 11198 hdr_len = 8 * (hbh_hdr->ip6h_len + 1); 11199 nexthdr = hbh_hdr->ip6h_nxt; 11200 prev_nexthdr_offset = (uint8_t *)&hbh_hdr->ip6h_nxt 11201 - (uint8_t *)ip6h; 11202 ptr += hdr_len; 11203 } 11204 if (nexthdr == IPPROTO_DSTOPTS) { 11205 ip6_dest_t *dest_hdr; 11206 uint_t hdr_len; 11207 11208 dest_hdr = (ip6_dest_t *)ptr; 11209 if (dest_hdr->ip6d_nxt == IPPROTO_ROUTING) { 11210 hdr_len = 8 * (dest_hdr->ip6d_len + 1); 11211 nexthdr = dest_hdr->ip6d_nxt; 11212 prev_nexthdr_offset = (uint8_t *)&dest_hdr->ip6d_nxt 11213 - (uint8_t *)ip6h; 11214 ptr += hdr_len; 11215 } 11216 } 11217 if (nexthdr == IPPROTO_ROUTING) { 11218 ip6_rthdr_t *rthdr; 11219 uint_t hdr_len; 11220 11221 rthdr = (ip6_rthdr_t *)ptr; 11222 nexthdr = rthdr->ip6r_nxt; 11223 prev_nexthdr_offset = (uint8_t *)&rthdr->ip6r_nxt 11224 - (uint8_t *)ip6h; 11225 hdr_len = 8 * (rthdr->ip6r_len + 1); 11226 ptr += hdr_len; 11227 } 11228 unfragmentable_len = (uint_t)(ptr - (uint8_t *)ip6h); 11229 11230 max_chunk = (min(max_frag, ire->ire_max_frag) - unfragmentable_len - 11231 sizeof (ip6_frag_t)) & ~7; 11232 11233 /* Check if we can use MDT to send out the frags. */ 11234 ASSERT(!IRE_IS_LOCAL(ire)); 11235 if (ip_multidata_outbound && reachable == 0 && 11236 !(ire->ire_flags & RTF_MULTIRT) && ILL_MDT_CAPABLE(ill) && 11237 IP_CAN_FRAG_MDT(mp, unfragmentable_len, max_chunk)) { 11238 ip_wput_frag_mdt_v6(mp, ire, max_chunk, unfragmentable_len, 11239 nexthdr, prev_nexthdr_offset); 11240 return; 11241 } 11242 11243 /* 11244 * Allocate an mblk with enough room for the link-layer 11245 * header, the unfragmentable part of the datagram, and the 11246 * fragment header. This (or a copy) will be used as the 11247 * first mblk for each fragment we send. 11248 */ 11249 hmp = allocb(unfragmentable_len + sizeof (ip6_frag_t) + ip_wroff_extra, 11250 BPRI_HI); 11251 if (hmp == NULL) { 11252 BUMP_MIB(ill->ill_ip6_mib, ipv6OutFragFails); 11253 freemsg(mp); 11254 return; 11255 } 11256 hmp->b_rptr += ip_wroff_extra; 11257 hmp->b_wptr = hmp->b_rptr + unfragmentable_len + sizeof (ip6_frag_t); 11258 11259 fip6h = (ip6_t *)hmp->b_rptr; 11260 fraghdr = (ip6_frag_t *)(hmp->b_rptr + unfragmentable_len); 11261 11262 bcopy(ip6h, fip6h, unfragmentable_len); 11263 hmp->b_rptr[prev_nexthdr_offset] = IPPROTO_FRAGMENT; 11264 11265 ident = atomic_add_32_nv(&ire->ire_ident, 1); 11266 11267 fraghdr->ip6f_nxt = nexthdr; 11268 fraghdr->ip6f_reserved = 0; 11269 fraghdr->ip6f_offlg = 0; 11270 fraghdr->ip6f_ident = htonl(ident); 11271 11272 /* 11273 * len is the total length of the fragmentable data in this 11274 * datagram. For each fragment sent, we will decrement len 11275 * by the amount of fragmentable data sent in that fragment 11276 * until len reaches zero. 11277 */ 11278 len = ntohs(ip6h->ip6_plen) - (unfragmentable_len - IPV6_HDR_LEN); 11279 11280 /* 11281 * Move read ptr past unfragmentable portion, we don't want this part 11282 * of the data in our fragments. 11283 */ 11284 mp->b_rptr += unfragmentable_len; 11285 11286 while (len != 0) { 11287 mlen = MIN(len, max_chunk); 11288 len -= mlen; 11289 if (len != 0) { 11290 /* Not last */ 11291 hmp0 = copyb(hmp); 11292 if (hmp0 == NULL) { 11293 freeb(hmp); 11294 freemsg(mp); 11295 BUMP_MIB(ill->ill_ip6_mib, ipv6OutFragFails); 11296 ip1dbg(("ip_wput_frag_v6: copyb failed\n")); 11297 return; 11298 } 11299 off_flags = IP6F_MORE_FRAG; 11300 } else { 11301 /* Last fragment */ 11302 hmp0 = hmp; 11303 hmp = NULL; 11304 off_flags = 0; 11305 } 11306 fip6h = (ip6_t *)(hmp0->b_rptr); 11307 fraghdr = (ip6_frag_t *)(hmp0->b_rptr + unfragmentable_len); 11308 11309 fip6h->ip6_plen = htons((uint16_t)(mlen + 11310 unfragmentable_len - IPV6_HDR_LEN + sizeof (ip6_frag_t))); 11311 /* 11312 * Note: Optimization alert. 11313 * In IPv6 (and IPv4) protocol header, Fragment Offset 11314 * ("offset") is 13 bits wide and in 8-octet units. 11315 * In IPv6 protocol header (unlike IPv4) in a 16 bit field, 11316 * it occupies the most significant 13 bits. 11317 * (least significant 13 bits in IPv4). 11318 * We do not do any shifts here. Not shifting is same effect 11319 * as taking offset value in octet units, dividing by 8 and 11320 * then shifting 3 bits left to line it up in place in proper 11321 * place protocol header. 11322 */ 11323 fraghdr->ip6f_offlg = htons(offset) | off_flags; 11324 11325 if (!(dmp = ip_carve_mp(&mp, mlen))) { 11326 /* mp has already been freed by ip_carve_mp() */ 11327 if (hmp != NULL) 11328 freeb(hmp); 11329 freeb(hmp0); 11330 ip1dbg(("ip_carve_mp: failed\n")); 11331 BUMP_MIB(ill->ill_ip6_mib, ipv6OutFragFails); 11332 return; 11333 } 11334 hmp0->b_cont = dmp; 11335 /* Get the priority marking, if any */ 11336 hmp0->b_band = dmp->b_band; 11337 UPDATE_OB_PKT_COUNT(ire); 11338 ire->ire_last_used_time = lbolt; 11339 ip_xmit_v6(hmp0, ire, reachable | IP6_NO_IPPOLICY, connp, 11340 caller, NULL); 11341 reachable = 0; /* No need to redo state machine in loop */ 11342 BUMP_MIB(ill->ill_ip6_mib, ipv6OutFragCreates); 11343 offset += mlen; 11344 } 11345 BUMP_MIB(ill->ill_ip6_mib, ipv6OutFragOKs); 11346 } 11347 11348 /* 11349 * Determine if the ill and multicast aspects of that packets 11350 * "matches" the conn. 11351 */ 11352 boolean_t 11353 conn_wantpacket_v6(conn_t *connp, ill_t *ill, ip6_t *ip6h, int fanout_flags, 11354 zoneid_t zoneid) 11355 { 11356 ill_t *in_ill; 11357 boolean_t wantpacket = B_TRUE; 11358 in6_addr_t *v6dst_ptr = &ip6h->ip6_dst; 11359 in6_addr_t *v6src_ptr = &ip6h->ip6_src; 11360 11361 /* 11362 * conn_incoming_ill is set by IPV6_BOUND_IF which limits 11363 * unicast and multicast reception to conn_incoming_ill. 11364 * conn_wantpacket_v6 is called both for unicast and 11365 * multicast. 11366 * 11367 * 1) The unicast copy of the packet can come anywhere in 11368 * the ill group if it is part of the group. Thus, we 11369 * need to check to see whether the ill group matches 11370 * if in_ill is part of a group. 11371 * 11372 * 2) ip_rput does not suppress duplicate multicast packets. 11373 * If there are two interfaces in a ill group and we have 11374 * 2 applications (conns) joined a multicast group G on 11375 * both the interfaces, ilm_lookup_ill filter in ip_rput 11376 * will give us two packets because we join G on both the 11377 * interfaces rather than nominating just one interface 11378 * for receiving multicast like broadcast above. So, 11379 * we have to call ilg_lookup_ill to filter out duplicate 11380 * copies, if ill is part of a group, to supress duplicates. 11381 */ 11382 in_ill = connp->conn_incoming_ill; 11383 if (in_ill != NULL) { 11384 mutex_enter(&connp->conn_lock); 11385 in_ill = connp->conn_incoming_ill; 11386 mutex_enter(&ill->ill_lock); 11387 /* 11388 * No IPMP, and the packet did not arrive on conn_incoming_ill 11389 * OR, IPMP in use and the packet arrived on an IPMP group 11390 * different from the conn_incoming_ill's IPMP group. 11391 * Reject the packet. 11392 */ 11393 if ((in_ill->ill_group == NULL && in_ill != ill) || 11394 (in_ill->ill_group != NULL && 11395 in_ill->ill_group != ill->ill_group)) { 11396 wantpacket = B_FALSE; 11397 } 11398 mutex_exit(&ill->ill_lock); 11399 mutex_exit(&connp->conn_lock); 11400 if (!wantpacket) 11401 return (B_FALSE); 11402 } 11403 11404 if (connp->conn_multi_router) 11405 return (B_TRUE); 11406 11407 if (!IN6_IS_ADDR_MULTICAST(v6dst_ptr) && 11408 !IN6_IS_ADDR_V4MAPPED_CLASSD(v6dst_ptr)) { 11409 /* 11410 * Unicast case: we match the conn only if it's in the specified 11411 * zone. 11412 */ 11413 return (connp->conn_zoneid == zoneid); 11414 } 11415 11416 if ((fanout_flags & IP_FF_NO_MCAST_LOOP) && 11417 connp->conn_zoneid == zoneid) { 11418 /* 11419 * Loopback case: the sending endpoint has IP_MULTICAST_LOOP 11420 * disabled, therefore we don't dispatch the multicast packet to 11421 * the sending zone. 11422 */ 11423 return (B_FALSE); 11424 } 11425 11426 if ((ill->ill_phyint->phyint_flags & PHYI_LOOPBACK) && 11427 connp->conn_zoneid != zoneid) { 11428 /* 11429 * Multicast packet on the loopback interface: we only match 11430 * conns who joined the group in the specified zone. 11431 */ 11432 return (B_FALSE); 11433 } 11434 11435 mutex_enter(&connp->conn_lock); 11436 wantpacket = 11437 ilg_lookup_ill_withsrc_v6(connp, v6dst_ptr, v6src_ptr, ill) != NULL; 11438 mutex_exit(&connp->conn_lock); 11439 11440 return (wantpacket); 11441 } 11442 11443 11444 /* 11445 * Transmit a packet and update any NUD state based on the flags 11446 * XXX need to "recover" any ip6i_t when doing putq! 11447 * 11448 * NOTE : This function does not ire_refrele the ire passed in as the 11449 * argument. 11450 */ 11451 void 11452 ip_xmit_v6(mblk_t *mp, ire_t *ire, uint_t flags, conn_t *connp, 11453 int caller, ipsec_out_t *io) 11454 { 11455 mblk_t *mp1; 11456 nce_t *nce = ire->ire_nce; 11457 ill_t *ill; 11458 uint64_t delta; 11459 ip6_t *ip6h; 11460 queue_t *stq = ire->ire_stq; 11461 ire_t *ire1 = NULL; 11462 ire_t *save_ire = ire; 11463 boolean_t multirt_send = B_FALSE; 11464 mblk_t *next_mp = NULL; 11465 11466 ip6h = (ip6_t *)mp->b_rptr; 11467 ASSERT(!IN6_IS_ADDR_V4MAPPED(&ire->ire_addr_v6)); 11468 ASSERT(ire->ire_ipversion == IPV6_VERSION); 11469 ASSERT(nce != NULL); 11470 ASSERT(mp->b_datap->db_type == M_DATA); 11471 ASSERT(stq != NULL); 11472 11473 ill = ire_to_ill(ire); 11474 if (!ill) { 11475 ip0dbg(("ip_xmit_v6: ire_to_ill failed\n")); 11476 freemsg(mp); 11477 return; 11478 } 11479 11480 /* 11481 * If a packet is to be sent out an interface that is a 6to4 11482 * tunnel, outgoing IPv6 packets, with a 6to4 addressed IPv6 11483 * destination, must be checked to have a 6to4 prefix 11484 * (2002:V4ADDR::/48) that is NOT equal to the 6to4 prefix of 11485 * address configured on the sending interface. Otherwise, 11486 * the packet was delivered to this interface in error and the 11487 * packet must be dropped. 11488 */ 11489 if ((ill->ill_is_6to4tun) && IN6_IS_ADDR_6TO4(&ip6h->ip6_dst)) { 11490 ipif_t *ipif = ill->ill_ipif; 11491 11492 if (IN6_ARE_6TO4_PREFIX_EQUAL(&ipif->ipif_v6lcl_addr, 11493 &ip6h->ip6_dst)) { 11494 if (ip_debug > 2) { 11495 /* ip1dbg */ 11496 pr_addr_dbg("ip_xmit_v6: attempting to " 11497 "send 6to4 addressed IPv6 " 11498 "destination (%s) out the wrong " 11499 "interface.\n", AF_INET6, 11500 &ip6h->ip6_dst); 11501 } 11502 BUMP_MIB(ill->ill_ip6_mib, ipv6OutDiscards); 11503 freemsg(mp); 11504 return; 11505 } 11506 } 11507 11508 /* Flow-control check has been done in ip_wput_ire_v6 */ 11509 if (IP_FLOW_CONTROLLED_ULP(ip6h->ip6_nxt) || caller == IP_WPUT || 11510 caller == IP_WSRV || canput(stq->q_next)) { 11511 uint32_t ill_index; 11512 11513 /* 11514 * In most cases, the emission loop below is entered only 11515 * once. Only in the case where the ire holds the 11516 * RTF_MULTIRT flag, do we loop to process all RTF_MULTIRT 11517 * flagged ires in the bucket, and send the packet 11518 * through all crossed RTF_MULTIRT routes. 11519 */ 11520 if (ire->ire_flags & RTF_MULTIRT) { 11521 /* 11522 * Multirouting case. The bucket where ire is stored 11523 * probably holds other RTF_MULTIRT flagged ires 11524 * to the destination. In this call to ip_xmit_v6, 11525 * we attempt to send the packet through all 11526 * those ires. Thus, we first ensure that ire is the 11527 * first RTF_MULTIRT ire in the bucket, 11528 * before walking the ire list. 11529 */ 11530 ire_t *first_ire; 11531 irb_t *irb = ire->ire_bucket; 11532 ASSERT(irb != NULL); 11533 multirt_send = B_TRUE; 11534 11535 /* Make sure we do not omit any multiroute ire. */ 11536 IRB_REFHOLD(irb); 11537 for (first_ire = irb->irb_ire; 11538 first_ire != NULL; 11539 first_ire = first_ire->ire_next) { 11540 if ((first_ire->ire_flags & RTF_MULTIRT) && 11541 (IN6_ARE_ADDR_EQUAL(&first_ire->ire_addr_v6, 11542 &ire->ire_addr_v6)) && 11543 !(first_ire->ire_marks & 11544 (IRE_MARK_CONDEMNED | IRE_MARK_HIDDEN))) 11545 break; 11546 } 11547 11548 if ((first_ire != NULL) && (first_ire != ire)) { 11549 IRE_REFHOLD(first_ire); 11550 /* ire will be released by the caller */ 11551 ire = first_ire; 11552 nce = ire->ire_nce; 11553 stq = ire->ire_stq; 11554 ill = ire_to_ill(ire); 11555 } 11556 IRB_REFRELE(irb); 11557 } else if (connp != NULL && IPCL_IS_TCP(connp) && 11558 connp->conn_mdt_ok && !connp->conn_tcp->tcp_mdt && 11559 ILL_MDT_USABLE(ill)) { 11560 /* 11561 * This tcp connection was marked as MDT-capable, but 11562 * it has been turned off due changes in the interface. 11563 * Now that the interface support is back, turn it on 11564 * by notifying tcp. We don't directly modify tcp_mdt, 11565 * since we leave all the details to the tcp code that 11566 * knows better. 11567 */ 11568 mblk_t *mdimp = ip_mdinfo_alloc(ill->ill_mdt_capab); 11569 11570 if (mdimp == NULL) { 11571 ip0dbg(("ip_xmit_v6: can't re-enable MDT for " 11572 "connp %p (ENOMEM)\n", (void *)connp)); 11573 } else { 11574 CONN_INC_REF(connp); 11575 squeue_fill(connp->conn_sqp, mdimp, tcp_input, 11576 connp, SQTAG_TCP_INPUT_MCTL); 11577 } 11578 } 11579 11580 do { 11581 boolean_t qos_done = B_FALSE; 11582 11583 if (multirt_send) { 11584 irb_t *irb; 11585 /* 11586 * We are in a multiple send case, need to get 11587 * the next ire and make a duplicate of the 11588 * packet. ire1 holds here the next ire to 11589 * process in the bucket. If multirouting is 11590 * expected, any non-RTF_MULTIRT ire that has 11591 * the right destination address is ignored. 11592 */ 11593 irb = ire->ire_bucket; 11594 ASSERT(irb != NULL); 11595 11596 IRB_REFHOLD(irb); 11597 for (ire1 = ire->ire_next; 11598 ire1 != NULL; 11599 ire1 = ire1->ire_next) { 11600 if (!(ire1->ire_flags & RTF_MULTIRT)) 11601 continue; 11602 if (!IN6_ARE_ADDR_EQUAL( 11603 &ire1->ire_addr_v6, 11604 &ire->ire_addr_v6)) 11605 continue; 11606 if (ire1->ire_marks & 11607 (IRE_MARK_CONDEMNED| 11608 IRE_MARK_HIDDEN)) 11609 continue; 11610 11611 /* Got one */ 11612 if (ire1 != save_ire) { 11613 IRE_REFHOLD(ire1); 11614 } 11615 break; 11616 } 11617 IRB_REFRELE(irb); 11618 11619 if (ire1 != NULL) { 11620 next_mp = copyb(mp); 11621 if ((next_mp == NULL) || 11622 ((mp->b_cont != NULL) && 11623 ((next_mp->b_cont = 11624 dupmsg(mp->b_cont)) == 11625 NULL))) { 11626 freemsg(next_mp); 11627 next_mp = NULL; 11628 ire_refrele(ire1); 11629 ire1 = NULL; 11630 } 11631 } 11632 11633 /* Last multiroute ire; don't loop anymore. */ 11634 if (ire1 == NULL) { 11635 multirt_send = B_FALSE; 11636 } 11637 } 11638 11639 ill_index = 11640 ((ill_t *)stq->q_ptr)->ill_phyint->phyint_ifindex; 11641 11642 /* 11643 * Check for fastpath, we need to hold nce_lock to 11644 * prevent fastpath update from chaining nce_fp_mp. 11645 */ 11646 mutex_enter(&nce->nce_lock); 11647 if ((mp1 = nce->nce_fp_mp) != NULL) { 11648 uint32_t hlen; 11649 uchar_t *rptr; 11650 11651 /* Initiate IPPF processing */ 11652 if (IP6_OUT_IPP(flags)) { 11653 /* 11654 * We have to release the nce lock since 11655 * IPPF components use 11656 * ill_lookup_on_ifindex(), 11657 * which takes the ill_g_lock and the 11658 * ill_lock locks. 11659 */ 11660 mutex_exit(&nce->nce_lock); 11661 ip_process(IPP_LOCAL_OUT, &mp, 11662 ill_index); 11663 if (mp == NULL) { 11664 BUMP_MIB( 11665 ill->ill_ip6_mib, 11666 ipv6OutDiscards); 11667 if (next_mp != NULL) 11668 freemsg(next_mp); 11669 if (ire != save_ire) { 11670 ire_refrele(ire); 11671 } 11672 return; 11673 } 11674 mutex_enter(&nce->nce_lock); 11675 if ((mp1 = nce->nce_fp_mp) == NULL) { 11676 /* 11677 * Probably disappeared during 11678 * IPQoS processing. 11679 */ 11680 qos_done = B_TRUE; 11681 goto prepend_unitdata; 11682 } 11683 } 11684 hlen = MBLKL(mp1); 11685 rptr = mp->b_rptr - hlen; 11686 /* 11687 * make sure there is room for the fastpath 11688 * datalink header 11689 */ 11690 if (rptr < mp->b_datap->db_base) { 11691 mp1 = copyb(mp1); 11692 if (mp1 == NULL) { 11693 mutex_exit(&nce->nce_lock); 11694 BUMP_MIB(ill->ill_ip6_mib, 11695 ipv6OutDiscards); 11696 freemsg(mp); 11697 if (next_mp != NULL) 11698 freemsg(next_mp); 11699 if (ire != save_ire) { 11700 ire_refrele(ire); 11701 } 11702 return; 11703 } 11704 mp1->b_cont = mp; 11705 11706 /* Get the priority marking, if any */ 11707 mp1->b_band = mp->b_band; 11708 mp = mp1; 11709 } else { 11710 mp->b_rptr = rptr; 11711 /* 11712 * fastpath - pre-pend datalink 11713 * header 11714 */ 11715 bcopy(mp1->b_rptr, rptr, hlen); 11716 } 11717 11718 mutex_exit(&nce->nce_lock); 11719 11720 } else { 11721 prepend_unitdata: 11722 mutex_exit(&nce->nce_lock); 11723 mp1 = nce->nce_res_mp; 11724 if (mp1 == NULL) { 11725 ip1dbg(("ip_xmit_v6: No resolution " 11726 "block ire = %p\n", (void *)ire)); 11727 freemsg(mp); 11728 if (next_mp != NULL) 11729 freemsg(next_mp); 11730 if (ire != save_ire) { 11731 ire_refrele(ire); 11732 } 11733 return; 11734 } 11735 /* 11736 * Prepend the DL_UNITDATA_REQ. 11737 */ 11738 mp1 = copyb(mp1); 11739 if (mp1 == NULL) { 11740 BUMP_MIB(ill->ill_ip6_mib, 11741 ipv6OutDiscards); 11742 freemsg(mp); 11743 if (next_mp != NULL) 11744 freemsg(next_mp); 11745 if (ire != save_ire) { 11746 ire_refrele(ire); 11747 } 11748 return; 11749 } 11750 mp1->b_cont = mp; 11751 mp = mp1; 11752 /* 11753 * Initiate IPPF processing, if it is 11754 * already done, bypass. 11755 */ 11756 if (!qos_done && IP6_OUT_IPP(flags)) { 11757 ip_process(IPP_LOCAL_OUT, &mp, 11758 ill_index); 11759 if (mp == NULL) { 11760 BUMP_MIB(ill->ill_ip6_mib, 11761 ipv6OutDiscards); 11762 if (next_mp != NULL) 11763 freemsg(next_mp); 11764 if (ire != save_ire) { 11765 ire_refrele(ire); 11766 } 11767 return; 11768 } 11769 } 11770 } 11771 11772 /* 11773 * Update ire counters; for save_ire, this has been 11774 * done by the caller. 11775 */ 11776 if (ire != save_ire) { 11777 UPDATE_OB_PKT_COUNT(ire); 11778 ire->ire_last_used_time = lbolt; 11779 } 11780 11781 /* 11782 * Send it down. XXX Do we want to flow control AH/ESP 11783 * packets that carry TCP payloads? We don't flow 11784 * control TCP packets, but we should also not 11785 * flow-control TCP packets that have been protected. 11786 * We don't have an easy way to find out if an AH/ESP 11787 * packet was originally TCP or not currently. 11788 */ 11789 if (io == NULL) { 11790 putnext(stq, mp); 11791 } else { 11792 /* 11793 * Safety Pup says: make sure this is 11794 * going to the right interface! 11795 */ 11796 if (io->ipsec_out_capab_ill_index != 11797 ill_index) { 11798 /* IPsec kstats: bump lose counter */ 11799 freemsg(mp1); 11800 } else { 11801 ipsec_hw_putnext(stq, mp); 11802 } 11803 } 11804 11805 if (nce->nce_flags & (NCE_F_NONUD|NCE_F_PERMANENT)) { 11806 if (ire != save_ire) { 11807 ire_refrele(ire); 11808 } 11809 if (multirt_send) { 11810 ASSERT(ire1 != NULL); 11811 /* 11812 * Proceed with the next RTF_MULTIRT 11813 * ire, also set up the send-to queue 11814 * accordingly. 11815 */ 11816 ire = ire1; 11817 ire1 = NULL; 11818 stq = ire->ire_stq; 11819 nce = ire->ire_nce; 11820 ill = ire_to_ill(ire); 11821 mp = next_mp; 11822 next_mp = NULL; 11823 continue; 11824 } 11825 ASSERT(next_mp == NULL); 11826 ASSERT(ire1 == NULL); 11827 return; 11828 } 11829 11830 ASSERT(nce->nce_state != ND_INCOMPLETE); 11831 11832 /* 11833 * Check for upper layer advice 11834 */ 11835 if (flags & IPV6_REACHABILITY_CONFIRMATION) { 11836 /* 11837 * It should be o.k. to check the state without 11838 * a lock here, at most we lose an advice. 11839 */ 11840 nce->nce_last = TICK_TO_MSEC(lbolt64); 11841 if (nce->nce_state != ND_REACHABLE) { 11842 11843 mutex_enter(&nce->nce_lock); 11844 nce->nce_state = ND_REACHABLE; 11845 nce->nce_pcnt = ND_MAX_UNICAST_SOLICIT; 11846 mutex_exit(&nce->nce_lock); 11847 (void) untimeout(nce->nce_timeout_id); 11848 if (ip_debug > 2) { 11849 /* ip1dbg */ 11850 pr_addr_dbg("ip_xmit_v6: state" 11851 " for %s changed to" 11852 " REACHABLE\n", AF_INET6, 11853 &ire->ire_addr_v6); 11854 } 11855 } 11856 if (ire != save_ire) { 11857 ire_refrele(ire); 11858 } 11859 if (multirt_send) { 11860 ASSERT(ire1 != NULL); 11861 /* 11862 * Proceed with the next RTF_MULTIRT 11863 * ire, also set up the send-to queue 11864 * accordingly. 11865 */ 11866 ire = ire1; 11867 ire1 = NULL; 11868 stq = ire->ire_stq; 11869 nce = ire->ire_nce; 11870 ill = ire_to_ill(ire); 11871 mp = next_mp; 11872 next_mp = NULL; 11873 continue; 11874 } 11875 ASSERT(next_mp == NULL); 11876 ASSERT(ire1 == NULL); 11877 return; 11878 } 11879 11880 delta = TICK_TO_MSEC(lbolt64) - nce->nce_last; 11881 ip1dbg(("ip_xmit_v6: delta = %" PRId64 11882 " ill_reachable_time = %d \n", delta, 11883 ill->ill_reachable_time)); 11884 if (delta > (uint64_t)ill->ill_reachable_time) { 11885 nce = ire->ire_nce; 11886 mutex_enter(&nce->nce_lock); 11887 switch (nce->nce_state) { 11888 case ND_REACHABLE: 11889 case ND_STALE: 11890 /* 11891 * ND_REACHABLE is identical to 11892 * ND_STALE in this specific case. If 11893 * reachable time has expired for this 11894 * neighbor (delta is greater than 11895 * reachable time), conceptually, the 11896 * neighbor cache is no longer in 11897 * REACHABLE state, but already in 11898 * STALE state. So the correct 11899 * transition here is to ND_DELAY. 11900 */ 11901 nce->nce_state = ND_DELAY; 11902 mutex_exit(&nce->nce_lock); 11903 NDP_RESTART_TIMER(nce, 11904 delay_first_probe_time); 11905 if (ip_debug > 3) { 11906 /* ip2dbg */ 11907 pr_addr_dbg("ip_xmit_v6: state" 11908 " for %s changed to" 11909 " DELAY\n", AF_INET6, 11910 &ire->ire_addr_v6); 11911 } 11912 break; 11913 case ND_DELAY: 11914 case ND_PROBE: 11915 mutex_exit(&nce->nce_lock); 11916 /* Timers have already started */ 11917 break; 11918 case ND_UNREACHABLE: 11919 /* 11920 * ndp timer has detected that this nce 11921 * is unreachable and initiated deleting 11922 * this nce and all its associated IREs. 11923 * This is a race where we found the 11924 * ire before it was deleted and have 11925 * just sent out a packet using this 11926 * unreachable nce. 11927 */ 11928 mutex_exit(&nce->nce_lock); 11929 break; 11930 default: 11931 ASSERT(0); 11932 } 11933 } 11934 11935 if (multirt_send) { 11936 ASSERT(ire1 != NULL); 11937 /* 11938 * Proceed with the next RTF_MULTIRT ire, 11939 * Also set up the send-to queue accordingly. 11940 */ 11941 if (ire != save_ire) { 11942 ire_refrele(ire); 11943 } 11944 ire = ire1; 11945 ire1 = NULL; 11946 stq = ire->ire_stq; 11947 nce = ire->ire_nce; 11948 ill = ire_to_ill(ire); 11949 mp = next_mp; 11950 next_mp = NULL; 11951 } 11952 } while (multirt_send); 11953 /* 11954 * In the multirouting case, release the last ire used for 11955 * emission. save_ire will be released by the caller. 11956 */ 11957 if (ire != save_ire) { 11958 ire_refrele(ire); 11959 } 11960 } else { 11961 /* 11962 * Queue packet if we have an conn to give back pressure. 11963 * We can't queue packets intended for hardware acceleration 11964 * since we've tossed that state already. If the packet is 11965 * being fed back from ire_send_v6, we don't know the 11966 * position in the queue to enqueue the packet and we discard 11967 * the packet. 11968 */ 11969 if (ip_output_queue && (connp != NULL) && (io == NULL) && 11970 (caller != IRE_SEND)) { 11971 if (caller == IP_WSRV) { 11972 connp->conn_did_putbq = 1; 11973 (void) putbq(connp->conn_wq, mp); 11974 conn_drain_insert(connp); 11975 /* 11976 * caller == IP_WSRV implies we are 11977 * the service thread, and the 11978 * queue is already noenabled. 11979 * The check for canput and 11980 * the putbq is not atomic. 11981 * So we need to check again. 11982 */ 11983 if (canput(stq->q_next)) 11984 connp->conn_did_putbq = 0; 11985 } else { 11986 (void) putq(connp->conn_wq, mp); 11987 } 11988 return; 11989 } 11990 BUMP_MIB(ill->ill_ip6_mib, ipv6OutDiscards); 11991 freemsg(mp); 11992 return; 11993 } 11994 } 11995 11996 /* 11997 * pr_addr_dbg function provides the needed buffer space to call 11998 * inet_ntop() function's 3rd argument. This function should be 11999 * used by any kernel routine which wants to save INET6_ADDRSTRLEN 12000 * stack buffer space in it's own stack frame. This function uses 12001 * a buffer from it's own stack and prints the information. 12002 * Example: pr_addr_dbg("func: no route for %s\n ", AF_INET, addr) 12003 * 12004 * Note: This function can call inet_ntop() once. 12005 */ 12006 void 12007 pr_addr_dbg(char *fmt1, int af, const void *addr) 12008 { 12009 char buf[INET6_ADDRSTRLEN]; 12010 12011 if (fmt1 == NULL) { 12012 ip0dbg(("pr_addr_dbg: Wrong arguments\n")); 12013 return; 12014 } 12015 12016 /* 12017 * This does not compare debug level and just prints 12018 * out. Thus it is the responsibility of the caller 12019 * to check the appropriate debug-level before calling 12020 * this function. 12021 */ 12022 if (ip_debug > 0) { 12023 printf(fmt1, inet_ntop(af, addr, buf, sizeof (buf))); 12024 } 12025 12026 12027 } 12028 12029 12030 /* 12031 * Return the length in bytes of the IPv6 headers (base header, ip6i_t 12032 * if needed and extension headers) that will be needed based on the 12033 * ip6_pkt_t structure passed by the caller. 12034 * 12035 * The returned length does not include the length of the upper level 12036 * protocol (ULP) header. 12037 */ 12038 int 12039 ip_total_hdrs_len_v6(ip6_pkt_t *ipp) 12040 { 12041 int len; 12042 12043 len = IPV6_HDR_LEN; 12044 if (ipp->ipp_fields & IPPF_HAS_IP6I) 12045 len += sizeof (ip6i_t); 12046 if (ipp->ipp_fields & IPPF_HOPOPTS) { 12047 ASSERT(ipp->ipp_hopoptslen != 0); 12048 len += ipp->ipp_hopoptslen; 12049 } 12050 if (ipp->ipp_fields & IPPF_RTHDR) { 12051 ASSERT(ipp->ipp_rthdrlen != 0); 12052 len += ipp->ipp_rthdrlen; 12053 } 12054 /* 12055 * En-route destination options 12056 * Only do them if there's a routing header as well 12057 */ 12058 if ((ipp->ipp_fields & (IPPF_RTDSTOPTS|IPPF_RTHDR)) == 12059 (IPPF_RTDSTOPTS|IPPF_RTHDR)) { 12060 ASSERT(ipp->ipp_rtdstoptslen != 0); 12061 len += ipp->ipp_rtdstoptslen; 12062 } 12063 if (ipp->ipp_fields & IPPF_DSTOPTS) { 12064 ASSERT(ipp->ipp_dstoptslen != 0); 12065 len += ipp->ipp_dstoptslen; 12066 } 12067 return (len); 12068 } 12069 12070 /* 12071 * All-purpose routine to build a header chain of an IPv6 header 12072 * followed by any required extension headers and a proto header, 12073 * preceeded (where necessary) by an ip6i_t private header. 12074 * 12075 * The fields of the IPv6 header that are derived from the ip6_pkt_t 12076 * will be filled in appropriately. 12077 * Thus the caller must fill in the rest of the IPv6 header, such as 12078 * traffic class/flowid, source address (if not set here), hoplimit (if not 12079 * set here) and destination address. 12080 * 12081 * The extension headers and ip6i_t header will all be fully filled in. 12082 */ 12083 void 12084 ip_build_hdrs_v6(uchar_t *ext_hdrs, uint_t ext_hdrs_len, 12085 ip6_pkt_t *ipp, uint8_t protocol) 12086 { 12087 uint8_t *nxthdr_ptr; 12088 uint8_t *cp; 12089 ip6i_t *ip6i; 12090 ip6_t *ip6h = (ip6_t *)ext_hdrs; 12091 12092 /* 12093 * If sending private ip6i_t header down (checksum info, nexthop, 12094 * or ifindex), adjust ip header pointer and set ip6i_t header pointer, 12095 * then fill it in. (The checksum info will be filled in by icmp). 12096 */ 12097 if (ipp->ipp_fields & IPPF_HAS_IP6I) { 12098 ip6i = (ip6i_t *)ip6h; 12099 ip6h = (ip6_t *)&ip6i[1]; 12100 12101 ip6i->ip6i_flags = 0; 12102 ip6i->ip6i_vcf = IPV6_DEFAULT_VERS_AND_FLOW; 12103 if (ipp->ipp_fields & IPPF_IFINDEX || 12104 ipp->ipp_fields & IPPF_SCOPE_ID) { 12105 ASSERT(ipp->ipp_ifindex != 0); 12106 ip6i->ip6i_flags |= IP6I_IFINDEX; 12107 ip6i->ip6i_ifindex = ipp->ipp_ifindex; 12108 } 12109 if (ipp->ipp_fields & IPPF_ADDR) { 12110 /* 12111 * Enable per-packet source address verification if 12112 * IPV6_PKTINFO specified the source address. 12113 * ip6_src is set in the transport's _wput function. 12114 */ 12115 ASSERT(!IN6_IS_ADDR_UNSPECIFIED( 12116 &ipp->ipp_addr)); 12117 ip6i->ip6i_flags |= IP6I_VERIFY_SRC; 12118 } 12119 if (ipp->ipp_fields & IPPF_UNICAST_HOPS) { 12120 ip6h->ip6_hops = ipp->ipp_unicast_hops; 12121 /* 12122 * We need to set this flag so that IP doesn't 12123 * rewrite the IPv6 header's hoplimit with the 12124 * current default value. 12125 */ 12126 ip6i->ip6i_flags |= IP6I_HOPLIMIT; 12127 } 12128 if (ipp->ipp_fields & IPPF_NEXTHOP) { 12129 ASSERT(!IN6_IS_ADDR_UNSPECIFIED( 12130 &ipp->ipp_nexthop)); 12131 ip6i->ip6i_flags |= IP6I_NEXTHOP; 12132 ip6i->ip6i_nexthop = ipp->ipp_nexthop; 12133 } 12134 /* 12135 * tell IP this is an ip6i_t private header 12136 */ 12137 ip6i->ip6i_nxt = IPPROTO_RAW; 12138 } 12139 /* Initialize IPv6 header */ 12140 ip6h->ip6_vcf = IPV6_DEFAULT_VERS_AND_FLOW; 12141 if (ipp->ipp_fields & IPPF_TCLASS) { 12142 ip6h->ip6_vcf = (ip6h->ip6_vcf & ~IPV6_FLOWINFO_TCLASS) | 12143 (ipp->ipp_tclass << 20); 12144 } 12145 if (ipp->ipp_fields & IPPF_ADDR) 12146 ip6h->ip6_src = ipp->ipp_addr; 12147 12148 nxthdr_ptr = (uint8_t *)&ip6h->ip6_nxt; 12149 cp = (uint8_t *)&ip6h[1]; 12150 /* 12151 * Here's where we have to start stringing together 12152 * any extension headers in the right order: 12153 * Hop-by-hop, destination, routing, and final destination opts. 12154 */ 12155 if (ipp->ipp_fields & IPPF_HOPOPTS) { 12156 /* Hop-by-hop options */ 12157 ip6_hbh_t *hbh = (ip6_hbh_t *)cp; 12158 12159 *nxthdr_ptr = IPPROTO_HOPOPTS; 12160 nxthdr_ptr = &hbh->ip6h_nxt; 12161 12162 bcopy(ipp->ipp_hopopts, cp, ipp->ipp_hopoptslen); 12163 cp += ipp->ipp_hopoptslen; 12164 } 12165 /* 12166 * En-route destination options 12167 * Only do them if there's a routing header as well 12168 */ 12169 if ((ipp->ipp_fields & (IPPF_RTDSTOPTS|IPPF_RTHDR)) == 12170 (IPPF_RTDSTOPTS|IPPF_RTHDR)) { 12171 ip6_dest_t *dst = (ip6_dest_t *)cp; 12172 12173 *nxthdr_ptr = IPPROTO_DSTOPTS; 12174 nxthdr_ptr = &dst->ip6d_nxt; 12175 12176 bcopy(ipp->ipp_rtdstopts, cp, ipp->ipp_rtdstoptslen); 12177 cp += ipp->ipp_rtdstoptslen; 12178 } 12179 /* 12180 * Routing header next 12181 */ 12182 if (ipp->ipp_fields & IPPF_RTHDR) { 12183 ip6_rthdr_t *rt = (ip6_rthdr_t *)cp; 12184 12185 *nxthdr_ptr = IPPROTO_ROUTING; 12186 nxthdr_ptr = &rt->ip6r_nxt; 12187 12188 bcopy(ipp->ipp_rthdr, cp, ipp->ipp_rthdrlen); 12189 cp += ipp->ipp_rthdrlen; 12190 } 12191 /* 12192 * Do ultimate destination options 12193 */ 12194 if (ipp->ipp_fields & IPPF_DSTOPTS) { 12195 ip6_dest_t *dest = (ip6_dest_t *)cp; 12196 12197 *nxthdr_ptr = IPPROTO_DSTOPTS; 12198 nxthdr_ptr = &dest->ip6d_nxt; 12199 12200 bcopy(ipp->ipp_dstopts, cp, ipp->ipp_dstoptslen); 12201 cp += ipp->ipp_dstoptslen; 12202 } 12203 /* 12204 * Now set the last header pointer to the proto passed in 12205 */ 12206 *nxthdr_ptr = protocol; 12207 ASSERT((int)(cp - ext_hdrs) == ext_hdrs_len); 12208 } 12209 12210 /* 12211 * Return a pointer to the routing header extension header 12212 * in the IPv6 header(s) chain passed in. 12213 * If none found, return NULL 12214 * Assumes that all extension headers are in same mblk as the v6 header 12215 */ 12216 ip6_rthdr_t * 12217 ip_find_rthdr_v6(ip6_t *ip6h, uint8_t *endptr) 12218 { 12219 ip6_dest_t *desthdr; 12220 ip6_frag_t *fraghdr; 12221 uint_t hdrlen; 12222 uint8_t nexthdr; 12223 uint8_t *ptr = (uint8_t *)&ip6h[1]; 12224 12225 if (ip6h->ip6_nxt == IPPROTO_ROUTING) 12226 return ((ip6_rthdr_t *)ptr); 12227 12228 /* 12229 * The routing header will precede all extension headers 12230 * other than the hop-by-hop and destination options 12231 * extension headers, so if we see anything other than those, 12232 * we're done and didn't find it. 12233 * We could see a destination options header alone but no 12234 * routing header, in which case we'll return NULL as soon as 12235 * we see anything after that. 12236 * Hop-by-hop and destination option headers are identical, 12237 * so we can use either one we want as a template. 12238 */ 12239 nexthdr = ip6h->ip6_nxt; 12240 while (ptr < endptr) { 12241 /* Is there enough left for len + nexthdr? */ 12242 if (ptr + MIN_EHDR_LEN > endptr) 12243 return (NULL); 12244 12245 switch (nexthdr) { 12246 case IPPROTO_HOPOPTS: 12247 case IPPROTO_DSTOPTS: 12248 /* Assumes the headers are identical for hbh and dst */ 12249 desthdr = (ip6_dest_t *)ptr; 12250 hdrlen = 8 * (desthdr->ip6d_len + 1); 12251 nexthdr = desthdr->ip6d_nxt; 12252 break; 12253 12254 case IPPROTO_ROUTING: 12255 return ((ip6_rthdr_t *)ptr); 12256 12257 case IPPROTO_FRAGMENT: 12258 fraghdr = (ip6_frag_t *)ptr; 12259 hdrlen = sizeof (ip6_frag_t); 12260 nexthdr = fraghdr->ip6f_nxt; 12261 break; 12262 12263 default: 12264 return (NULL); 12265 } 12266 ptr += hdrlen; 12267 } 12268 return (NULL); 12269 } 12270 12271 /* 12272 * Called for source-routed packets originating on this node. 12273 * Manipulates the original routing header by moving every entry up 12274 * one slot, placing the first entry in the v6 header's v6_dst field, 12275 * and placing the ultimate destination in the routing header's last 12276 * slot. 12277 * 12278 * Returns the checksum diference between the ultimate destination 12279 * (last hop in the routing header when the packet is sent) and 12280 * the first hop (ip6_dst when the packet is sent) 12281 */ 12282 uint32_t 12283 ip_massage_options_v6(ip6_t *ip6h, ip6_rthdr_t *rth) 12284 { 12285 uint_t numaddr; 12286 uint_t i; 12287 in6_addr_t *addrptr; 12288 in6_addr_t tmp; 12289 ip6_rthdr0_t *rthdr = (ip6_rthdr0_t *)rth; 12290 uint32_t cksm; 12291 uint32_t addrsum = 0; 12292 uint16_t *ptr; 12293 12294 /* 12295 * Perform any processing needed for source routing. 12296 * We know that all extension headers will be in the same mblk 12297 * as the IPv6 header. 12298 */ 12299 12300 /* 12301 * If no segments left in header, or the header length field is zero, 12302 * don't move hop addresses around; 12303 * Checksum difference is zero. 12304 */ 12305 if ((rthdr->ip6r0_segleft == 0) || (rthdr->ip6r0_len == 0)) 12306 return (0); 12307 12308 ptr = (uint16_t *)&ip6h->ip6_dst; 12309 cksm = 0; 12310 for (i = 0; i < (sizeof (in6_addr_t) / sizeof (uint16_t)); i++) { 12311 cksm += ptr[i]; 12312 } 12313 cksm = (cksm & 0xFFFF) + (cksm >> 16); 12314 12315 /* 12316 * Here's where the fun begins - we have to 12317 * move all addresses up one spot, take the 12318 * first hop and make it our first ip6_dst, 12319 * and place the ultimate destination in the 12320 * newly-opened last slot. 12321 */ 12322 addrptr = (in6_addr_t *)((char *)rthdr + sizeof (*rthdr)); 12323 numaddr = rthdr->ip6r0_len / 2; 12324 tmp = *addrptr; 12325 for (i = 0; i < (numaddr - 1); addrptr++, i++) { 12326 *addrptr = addrptr[1]; 12327 } 12328 *addrptr = ip6h->ip6_dst; 12329 ip6h->ip6_dst = tmp; 12330 12331 /* 12332 * From the checksummed ultimate destination subtract the checksummed 12333 * current ip6_dst (the first hop address). Return that number. 12334 * (In the v4 case, the second part of this is done in each routine 12335 * that calls ip_massage_options(). We do it all in this one place 12336 * for v6). 12337 */ 12338 ptr = (uint16_t *)&ip6h->ip6_dst; 12339 for (i = 0; i < (sizeof (in6_addr_t) / sizeof (uint16_t)); i++) { 12340 addrsum += ptr[i]; 12341 } 12342 cksm -= ((addrsum >> 16) + (addrsum & 0xFFFF)); 12343 if ((int)cksm < 0) 12344 cksm--; 12345 cksm = (cksm & 0xFFFF) + (cksm >> 16); 12346 12347 return (cksm); 12348 } 12349 12350 /* 12351 * See if the upper-level protocol indicated by 'proto' will be able 12352 * to do something with an ICMP_FRAGMENTATION_NEEDED (IPv4) or 12353 * ICMP6_PACKET_TOO_BIG (IPv6). 12354 */ 12355 static boolean_t 12356 ip_ulp_cando_pkt2big(int proto) 12357 { 12358 /* 12359 * For now, only TCP can handle this. 12360 * Tunnels may be able to also, but since tun isn't working over 12361 * IPv6 yet, don't worry about it for now. 12362 */ 12363 return (proto == IPPROTO_TCP); 12364 } 12365 12366 12367 /* 12368 * Propagate a multicast group membership operation (join/leave) (*fn) on 12369 * all interfaces crossed by the related multirt routes. 12370 * The call is considered successful if the operation succeeds 12371 * on at least one interface. 12372 * The function is called if the destination address in the packet to send 12373 * is multirouted. 12374 */ 12375 int 12376 ip_multirt_apply_membership_v6(int (*fn)(conn_t *, boolean_t, 12377 const in6_addr_t *, int, mcast_record_t, const in6_addr_t *, mblk_t *), 12378 ire_t *ire, conn_t *connp, boolean_t checkonly, const in6_addr_t *v6grp, 12379 mcast_record_t fmode, const in6_addr_t *v6src, mblk_t *first_mp) 12380 { 12381 ire_t *ire_gw; 12382 irb_t *irb; 12383 int index, error = 0; 12384 opt_restart_t *or; 12385 12386 irb = ire->ire_bucket; 12387 ASSERT(irb != NULL); 12388 12389 ASSERT(DB_TYPE(first_mp) == M_CTL); 12390 or = (opt_restart_t *)first_mp->b_rptr; 12391 12392 IRB_REFHOLD(irb); 12393 for (; ire != NULL; ire = ire->ire_next) { 12394 if ((ire->ire_flags & RTF_MULTIRT) == 0) 12395 continue; 12396 if (!IN6_ARE_ADDR_EQUAL(&ire->ire_addr_v6, v6grp)) 12397 continue; 12398 12399 ire_gw = ire_ftable_lookup_v6(&ire->ire_gateway_addr_v6, 0, 0, 12400 IRE_INTERFACE, NULL, NULL, ALL_ZONES, 0, 12401 MATCH_IRE_RECURSIVE | MATCH_IRE_TYPE); 12402 /* No resolver exists for the gateway; skip this ire. */ 12403 if (ire_gw == NULL) 12404 continue; 12405 index = ire_gw->ire_ipif->ipif_ill->ill_phyint->phyint_ifindex; 12406 /* 12407 * A resolver exists: we can get the interface on which we have 12408 * to apply the operation. 12409 */ 12410 error = fn(connp, checkonly, v6grp, index, fmode, v6src, 12411 first_mp); 12412 if (error == 0) 12413 or->or_private = CGTP_MCAST_SUCCESS; 12414 12415 if (ip_debug > 0) { 12416 ulong_t off; 12417 char *ksym; 12418 12419 ksym = kobj_getsymname((uintptr_t)fn, &off); 12420 ip2dbg(("ip_multirt_apply_membership_v6: " 12421 "called %s, multirt group 0x%08x via itf 0x%08x, " 12422 "error %d [success %u]\n", 12423 ksym ? ksym : "?", 12424 ntohl(V4_PART_OF_V6((*v6grp))), 12425 ntohl(V4_PART_OF_V6(ire_gw->ire_src_addr_v6)), 12426 error, or->or_private)); 12427 } 12428 12429 ire_refrele(ire_gw); 12430 if (error == EINPROGRESS) { 12431 IRB_REFRELE(irb); 12432 return (error); 12433 } 12434 } 12435 IRB_REFRELE(irb); 12436 /* 12437 * Consider the call as successful if we succeeded on at least 12438 * one interface. Otherwise, return the last encountered error. 12439 */ 12440 return (or->or_private == CGTP_MCAST_SUCCESS ? 0 : error); 12441 } 12442 12443 void 12444 ip6_kstat_init(void) 12445 { 12446 if ((ip6_kstat = kstat_create("ip", 0, "ip6stat", 12447 "net", KSTAT_TYPE_NAMED, 12448 sizeof (ip6_statistics) / sizeof (kstat_named_t), 12449 KSTAT_FLAG_VIRTUAL)) != NULL) { 12450 ip6_kstat->ks_data = &ip6_statistics; 12451 kstat_install(ip6_kstat); 12452 } 12453 } 12454 12455 /* 12456 * The following two functions set and get the value for the 12457 * IPV6_SRC_PREFERENCES socket option. 12458 */ 12459 int 12460 ip6_set_src_preferences(conn_t *connp, uint32_t prefs) 12461 { 12462 /* 12463 * We only support preferences that are covered by 12464 * IPV6_PREFER_SRC_MASK. 12465 */ 12466 if (prefs & ~IPV6_PREFER_SRC_MASK) 12467 return (EINVAL); 12468 12469 /* 12470 * Look for conflicting preferences or default preferences. If 12471 * both bits of a related pair are clear, the application wants the 12472 * system's default value for that pair. Both bits in a pair can't 12473 * be set. 12474 */ 12475 if ((prefs & IPV6_PREFER_SRC_MIPMASK) == 0) { 12476 prefs |= IPV6_PREFER_SRC_MIPDEFAULT; 12477 } else if ((prefs & IPV6_PREFER_SRC_MIPMASK) == 12478 IPV6_PREFER_SRC_MIPMASK) { 12479 return (EINVAL); 12480 } 12481 if ((prefs & IPV6_PREFER_SRC_TMPMASK) == 0) { 12482 prefs |= IPV6_PREFER_SRC_TMPDEFAULT; 12483 } else if ((prefs & IPV6_PREFER_SRC_TMPMASK) == 12484 IPV6_PREFER_SRC_TMPMASK) { 12485 return (EINVAL); 12486 } 12487 if ((prefs & IPV6_PREFER_SRC_CGAMASK) == 0) { 12488 prefs |= IPV6_PREFER_SRC_CGADEFAULT; 12489 } else if ((prefs & IPV6_PREFER_SRC_CGAMASK) == 12490 IPV6_PREFER_SRC_CGAMASK) { 12491 return (EINVAL); 12492 } 12493 12494 connp->conn_src_preferences = prefs; 12495 return (0); 12496 } 12497 12498 size_t 12499 ip6_get_src_preferences(conn_t *connp, uint32_t *val) 12500 { 12501 *val = connp->conn_src_preferences; 12502 return (sizeof (connp->conn_src_preferences)); 12503 } 12504 12505 int 12506 ip6_set_pktinfo(cred_t *cr, conn_t *connp, struct in6_pktinfo *pkti, mblk_t *mp) 12507 { 12508 ill_t *ill; 12509 ire_t *ire; 12510 int error; 12511 12512 /* 12513 * Verify the source address and ifindex. Privileged users can use 12514 * any source address. For ancillary data the source address is 12515 * checked in ip_wput_v6. 12516 */ 12517 if (pkti->ipi6_ifindex != 0) { 12518 ASSERT(connp != NULL); 12519 ill = ill_lookup_on_ifindex(pkti->ipi6_ifindex, B_TRUE, 12520 CONNP_TO_WQ(connp), mp, ip_restart_optmgmt, &error); 12521 if (ill == NULL) { 12522 /* 12523 * We just want to know if the interface exists, we 12524 * don't really care about the ill pointer itself. 12525 */ 12526 if (error != EINPROGRESS) 12527 return (error); 12528 error = 0; /* Ensure we don't use it below */ 12529 } else { 12530 ill_refrele(ill); 12531 } 12532 } 12533 if (!IN6_IS_ADDR_UNSPECIFIED(&pkti->ipi6_addr) && 12534 secpolicy_net_rawaccess(cr) != 0) { 12535 ire = ire_route_lookup_v6(&pkti->ipi6_addr, 0, 0, 12536 (IRE_LOCAL|IRE_LOOPBACK), NULL, NULL, 12537 connp->conn_zoneid, MATCH_IRE_TYPE); 12538 if (ire != NULL) 12539 ire_refrele(ire); 12540 else 12541 return (ENXIO); 12542 } 12543 return (0); 12544 } 12545 12546 /* 12547 * Get the size of the IP options (including the IP headers size) 12548 * without including the AH header's size. If till_ah is B_FALSE, 12549 * and if AH header is present, dest options beyond AH header will 12550 * also be included in the returned size. 12551 */ 12552 int 12553 ipsec_ah_get_hdr_size_v6(mblk_t *mp, boolean_t till_ah) 12554 { 12555 ip6_t *ip6h; 12556 uint8_t nexthdr; 12557 uint8_t *whereptr; 12558 ip6_hbh_t *hbhhdr; 12559 ip6_dest_t *dsthdr; 12560 ip6_rthdr_t *rthdr; 12561 int ehdrlen; 12562 int size; 12563 ah_t *ah; 12564 12565 ip6h = (ip6_t *)mp->b_rptr; 12566 size = IPV6_HDR_LEN; 12567 nexthdr = ip6h->ip6_nxt; 12568 whereptr = (uint8_t *)&ip6h[1]; 12569 for (;;) { 12570 /* Assume IP has already stripped it */ 12571 ASSERT(nexthdr != IPPROTO_FRAGMENT && nexthdr != IPPROTO_RAW); 12572 switch (nexthdr) { 12573 case IPPROTO_HOPOPTS: 12574 hbhhdr = (ip6_hbh_t *)whereptr; 12575 nexthdr = hbhhdr->ip6h_nxt; 12576 ehdrlen = 8 * (hbhhdr->ip6h_len + 1); 12577 break; 12578 case IPPROTO_DSTOPTS: 12579 dsthdr = (ip6_dest_t *)whereptr; 12580 nexthdr = dsthdr->ip6d_nxt; 12581 ehdrlen = 8 * (dsthdr->ip6d_len + 1); 12582 break; 12583 case IPPROTO_ROUTING: 12584 rthdr = (ip6_rthdr_t *)whereptr; 12585 nexthdr = rthdr->ip6r_nxt; 12586 ehdrlen = 8 * (rthdr->ip6r_len + 1); 12587 break; 12588 default : 12589 if (till_ah) { 12590 ASSERT(nexthdr == IPPROTO_AH); 12591 return (size); 12592 } 12593 /* 12594 * If we don't have a AH header to traverse, 12595 * return now. This happens normally for 12596 * outbound datagrams where we have not inserted 12597 * the AH header. 12598 */ 12599 if (nexthdr != IPPROTO_AH) { 12600 return (size); 12601 } 12602 12603 /* 12604 * We don't include the AH header's size 12605 * to be symmetrical with other cases where 12606 * we either don't have a AH header (outbound) 12607 * or peek into the AH header yet (inbound and 12608 * not pulled up yet). 12609 */ 12610 ah = (ah_t *)whereptr; 12611 nexthdr = ah->ah_nexthdr; 12612 ehdrlen = (ah->ah_length << 2) + 8; 12613 12614 if (nexthdr == IPPROTO_DSTOPTS) { 12615 if (whereptr + ehdrlen >= mp->b_wptr) { 12616 /* 12617 * The destination options header 12618 * is not part of the first mblk. 12619 */ 12620 whereptr = mp->b_cont->b_rptr; 12621 } else { 12622 whereptr += ehdrlen; 12623 } 12624 12625 dsthdr = (ip6_dest_t *)whereptr; 12626 ehdrlen = 8 * (dsthdr->ip6d_len + 1); 12627 size += ehdrlen; 12628 } 12629 return (size); 12630 } 12631 whereptr += ehdrlen; 12632 size += ehdrlen; 12633 } 12634 } 12635