xref: /titanic_51/usr/src/uts/common/inet/ip/ip6_output.c (revision 0c240c64cf90f44c2fdf3439010f6e8b33d85e7d)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 /* Copyright (c) 1990 Mentat Inc. */
27 
28 #include <sys/types.h>
29 #include <sys/stream.h>
30 #include <sys/strsubr.h>
31 #include <sys/dlpi.h>
32 #include <sys/strsun.h>
33 #include <sys/zone.h>
34 #include <sys/ddi.h>
35 #include <sys/sunddi.h>
36 #include <sys/cmn_err.h>
37 #include <sys/debug.h>
38 #include <sys/atomic.h>
39 
40 #include <sys/systm.h>
41 #include <sys/param.h>
42 #include <sys/kmem.h>
43 #include <sys/sdt.h>
44 #include <sys/socket.h>
45 #include <sys/mac.h>
46 #include <net/if.h>
47 #include <net/if_arp.h>
48 #include <net/route.h>
49 #include <sys/sockio.h>
50 #include <netinet/in.h>
51 #include <net/if_dl.h>
52 
53 #include <inet/common.h>
54 #include <inet/mi.h>
55 #include <inet/mib2.h>
56 #include <inet/nd.h>
57 #include <inet/arp.h>
58 #include <inet/snmpcom.h>
59 #include <inet/kstatcom.h>
60 
61 #include <netinet/igmp_var.h>
62 #include <netinet/ip6.h>
63 #include <netinet/icmp6.h>
64 #include <netinet/sctp.h>
65 
66 #include <inet/ip.h>
67 #include <inet/ip_impl.h>
68 #include <inet/ip6.h>
69 #include <inet/ip6_asp.h>
70 #include <inet/tcp.h>
71 #include <inet/ip_multi.h>
72 #include <inet/ip_if.h>
73 #include <inet/ip_ire.h>
74 #include <inet/ip_ftable.h>
75 #include <inet/ip_rts.h>
76 #include <inet/optcom.h>
77 #include <inet/ip_ndp.h>
78 #include <inet/ip_listutils.h>
79 #include <netinet/igmp.h>
80 #include <netinet/ip_mroute.h>
81 #include <inet/ipp_common.h>
82 
83 #include <net/pfkeyv2.h>
84 #include <inet/sadb.h>
85 #include <inet/ipsec_impl.h>
86 #include <inet/ipdrop.h>
87 #include <inet/ip_netinfo.h>
88 
89 #include <sys/pattr.h>
90 #include <inet/ipclassifier.h>
91 #include <inet/sctp_ip.h>
92 #include <inet/sctp/sctp_impl.h>
93 #include <inet/udp_impl.h>
94 #include <sys/sunddi.h>
95 
96 #include <sys/tsol/label.h>
97 #include <sys/tsol/tnet.h>
98 
99 #ifdef	DEBUG
100 extern boolean_t skip_sctp_cksum;
101 #endif
102 
103 int
104 ip_output_simple_v6(mblk_t *mp, ip_xmit_attr_t *ixa)
105 {
106 	ip6_t		*ip6h;
107 	in6_addr_t	firsthop; /* In IP header */
108 	in6_addr_t	dst;	/* End of source route, or ip6_dst if none */
109 	ire_t		*ire;
110 	in6_addr_t	setsrc;
111 	int		error;
112 	ill_t		*ill = NULL;
113 	dce_t		*dce = NULL;
114 	nce_t		*nce;
115 	iaflags_t	ixaflags = ixa->ixa_flags;
116 	ip_stack_t	*ipst = ixa->ixa_ipst;
117 	uint8_t		*nexthdrp;
118 	boolean_t	repeat = B_FALSE;
119 	boolean_t	multirt = B_FALSE;
120 	uint_t		ifindex;
121 
122 	ip6h = (ip6_t *)mp->b_rptr;
123 	ASSERT(IPH_HDR_VERSION(ip6h) == IPV6_VERSION);
124 
125 	ASSERT(ixa->ixa_nce == NULL);
126 
127 	ixa->ixa_pktlen = ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN;
128 	ASSERT(ixa->ixa_pktlen == msgdsize(mp));
129 	if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &ixa->ixa_ip_hdr_length,
130 	    &nexthdrp)) {
131 		/* Malformed packet */
132 		BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsHCOutRequests);
133 		BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
134 		ip_drop_output("ipIfStatsOutDiscards", mp, NULL);
135 		freemsg(mp);
136 		return (EINVAL);
137 	}
138 	ixa->ixa_protocol = *nexthdrp;
139 
140 	/*
141 	 * Assumes that source routed packets have already been massaged by
142 	 * the ULP (ip_massage_options_v6) and as a result ip6_dst is the next
143 	 * hop in the source route. The final destination is used for IPsec
144 	 * policy and DCE lookup.
145 	 */
146 	firsthop = ip6h->ip6_dst;
147 	dst = ip_get_dst_v6(ip6h, mp, NULL);
148 
149 repeat_ire:
150 	error = 0;
151 	setsrc = ipv6_all_zeros;
152 	ire = ip_select_route_v6(&firsthop, ixa, NULL, &setsrc, &error,
153 	    &multirt);
154 	ASSERT(ire != NULL);	/* IRE_NOROUTE if none found */
155 	if (error != 0) {
156 		BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsHCOutRequests);
157 		BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
158 		ip_drop_output("ipIfStatsOutDiscards", mp, NULL);
159 		freemsg(mp);
160 		goto done;
161 	}
162 
163 	if (ire->ire_flags & (RTF_BLACKHOLE|RTF_REJECT)) {
164 		/* ire_ill might be NULL hence need to skip some code */
165 		if (ixaflags & IXAF_SET_SOURCE)
166 			ip6h->ip6_src = ipv6_loopback;
167 		ixa->ixa_fragsize = IP_MAXPACKET;
168 		ire->ire_ob_pkt_count++;
169 		BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsHCOutRequests);
170 		/* No dce yet; use default one */
171 		error = (ire->ire_sendfn)(ire, mp, ip6h, ixa,
172 		    &ipst->ips_dce_default->dce_ident);
173 		goto done;
174 	}
175 
176 	/* Note that ip6_dst is only used for IRE_MULTICAST */
177 	nce = ire_to_nce(ire, INADDR_ANY, &ip6h->ip6_dst);
178 	if (nce == NULL) {
179 		/* Allocation failure? */
180 		ip_drop_output("ire_to_nce", mp, ill);
181 		freemsg(mp);
182 		error = ENOBUFS;
183 		goto done;
184 	}
185 	if (nce->nce_is_condemned) {
186 		nce_t *nce1;
187 
188 		nce1 = ire_handle_condemned_nce(nce, ire, NULL, ip6h, B_TRUE);
189 		nce_refrele(nce);
190 		if (nce1 == NULL) {
191 			if (!repeat) {
192 				/* Try finding a better IRE */
193 				repeat = B_TRUE;
194 				ire_refrele(ire);
195 				goto repeat_ire;
196 			}
197 			/* Tried twice - drop packet */
198 			BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
199 			ip_drop_output("No nce", mp, ill);
200 			freemsg(mp);
201 			error = ENOBUFS;
202 			goto done;
203 		}
204 		nce = nce1;
205 	}
206 	/*
207 	 * For multicast with multirt we have a flag passed back from
208 	 * ire_lookup_multi_ill_v6 since we don't have an IRE for each
209 	 * possible multicast address.
210 	 * We also need a flag for multicast since we can't check
211 	 * whether RTF_MULTIRT is set in ixa_ire for multicast.
212 	 */
213 	if (multirt) {
214 		ixa->ixa_postfragfn = ip_postfrag_multirt_v6;
215 		ixa->ixa_flags |= IXAF_MULTIRT_MULTICAST;
216 	} else {
217 		ixa->ixa_postfragfn = ire->ire_postfragfn;
218 		ixa->ixa_flags &= ~IXAF_MULTIRT_MULTICAST;
219 	}
220 	ASSERT(ixa->ixa_nce == NULL);
221 	ixa->ixa_nce = nce;
222 
223 	/*
224 	 * Check for a dce_t with a path mtu.
225 	 */
226 	ifindex = 0;
227 	if (IN6_IS_ADDR_LINKSCOPE(&dst))
228 		ifindex = nce->nce_common->ncec_ill->ill_phyint->phyint_ifindex;
229 
230 	dce = dce_lookup_v6(&dst, ifindex, ipst, NULL);
231 	ASSERT(dce != NULL);
232 
233 	if (!(ixaflags & IXAF_PMTU_DISCOVERY)) {
234 		ixa->ixa_fragsize = IPV6_MIN_MTU;
235 	} else if (dce->dce_flags & DCEF_PMTU) {
236 		/*
237 		 * To avoid a periodic timer to increase the path MTU we
238 		 * look at dce_last_change_time each time we send a packet.
239 		 */
240 		if (TICK_TO_SEC(lbolt64) - dce->dce_last_change_time >
241 		    ipst->ips_ip_pathmtu_interval) {
242 			/*
243 			 * Older than 20 minutes. Drop the path MTU information.
244 			 */
245 			mutex_enter(&dce->dce_lock);
246 			dce->dce_flags &= ~(DCEF_PMTU|DCEF_TOO_SMALL_PMTU);
247 			dce->dce_last_change_time = TICK_TO_SEC(lbolt64);
248 			mutex_exit(&dce->dce_lock);
249 			dce_increment_generation(dce);
250 			ixa->ixa_fragsize = ip_get_base_mtu(nce->nce_ill, ire);
251 		} else {
252 			uint_t fragsize;
253 
254 			fragsize = ip_get_base_mtu(nce->nce_ill, ire);
255 			if (fragsize > dce->dce_pmtu)
256 				fragsize = dce->dce_pmtu;
257 			ixa->ixa_fragsize = fragsize;
258 		}
259 	} else {
260 		ixa->ixa_fragsize = ip_get_base_mtu(nce->nce_ill, ire);
261 	}
262 
263 	/*
264 	 * We use use ire_nexthop_ill (and not ncec_ill) to avoid the under ipmp
265 	 * interface for source address selection.
266 	 */
267 	ill = ire_nexthop_ill(ire);
268 
269 	if (ixaflags & IXAF_SET_SOURCE) {
270 		in6_addr_t	src;
271 
272 		/*
273 		 * We use the final destination to get
274 		 * correct selection for source routed packets
275 		 */
276 
277 		/* If unreachable we have no ill but need some source */
278 		if (ill == NULL) {
279 			src = ipv6_loopback;
280 			error = 0;
281 		} else {
282 			error = ip_select_source_v6(ill, &setsrc, &dst,
283 			    ixa->ixa_zoneid, ipst, B_FALSE,
284 			    ixa->ixa_src_preferences, &src, NULL, NULL);
285 		}
286 		if (error != 0) {
287 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCOutRequests);
288 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
289 			ip_drop_output("ipIfStatsOutDiscards - no source",
290 			    mp, ill);
291 			freemsg(mp);
292 			goto done;
293 		}
294 		ip6h->ip6_src = src;
295 	} else if (ixaflags & IXAF_VERIFY_SOURCE) {
296 		/* Check if the IP source is assigned to the host. */
297 		if (!ip_verify_src(mp, ixa, NULL)) {
298 			/* Don't send a packet with a source that isn't ours */
299 			BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsHCOutRequests);
300 			BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
301 			ip_drop_output("ipIfStatsOutDiscards - invalid source",
302 			    mp, ill);
303 			freemsg(mp);
304 			error = EADDRNOTAVAIL;
305 			goto done;
306 		}
307 	}
308 
309 	/*
310 	 * Check against global IPsec policy to set the AH/ESP attributes.
311 	 * IPsec will set IXAF_IPSEC_* and ixa_ipsec_* as appropriate.
312 	 */
313 	if (!(ixaflags & (IXAF_NO_IPSEC|IXAF_IPSEC_SECURE))) {
314 		ASSERT(ixa->ixa_ipsec_policy == NULL);
315 		mp = ip_output_attach_policy(mp, NULL, ip6h, NULL, ixa);
316 		if (mp == NULL) {
317 			/* MIB and ip_drop_packet already done */
318 			return (EHOSTUNREACH);	/* IPsec policy failure */
319 		}
320 	}
321 
322 	if (ill != NULL) {
323 		BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCOutRequests);
324 	} else {
325 		BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsHCOutRequests);
326 	}
327 
328 	/*
329 	 * We update the statistics on the most specific IRE i.e., the first
330 	 * one we found.
331 	 * We don't have an IRE when we fragment, hence ire_ob_pkt_count
332 	 * can only count the use prior to fragmentation. However the MIB
333 	 * counters on the ill will be incremented in post fragmentation.
334 	 */
335 	ire->ire_ob_pkt_count++;
336 
337 	/*
338 	 * Based on ire_type and ire_flags call one of:
339 	 *	ire_send_local_v6 - for IRE_LOCAL and IRE_LOOPBACK
340 	 *	ire_send_multirt_v6 - if RTF_MULTIRT
341 	 *	ire_send_noroute_v6 - if RTF_REJECT or RTF_BLACHOLE
342 	 *	ire_send_multicast_v6 - for IRE_MULTICAST
343 	 *	ire_send_wire_v6 - for the rest.
344 	 */
345 	error = (ire->ire_sendfn)(ire, mp, ip6h, ixa, &dce->dce_ident);
346 done:
347 	ire_refrele(ire);
348 	if (dce != NULL)
349 		dce_refrele(dce);
350 	if (ill != NULL)
351 		ill_refrele(ill);
352 	if (ixa->ixa_nce != NULL)
353 		nce_refrele(ixa->ixa_nce);
354 	ixa->ixa_nce = NULL;
355 	return (error);
356 }
357 
358 /*
359  * ire_sendfn() functions.
360  * These functions use the following xmit_attr:
361  *  - ixa_fragsize - read to determine whether or not to fragment
362  *  - IXAF_IPSEC_SECURE - to determine whether or not to invoke IPsec
363  *  - ixa_ipsec_*  are used inside IPsec
364  *  - IXAF_LOOPBACK_COPY - for multicast
365  */
366 
367 
368 /*
369  * ire_sendfn for IRE_LOCAL and IRE_LOOPBACK
370  *
371  * The checks for restrict_interzone_loopback are done in ire_route_recursive.
372  */
373 /* ARGSUSED4 */
374 int
375 ire_send_local_v6(ire_t *ire, mblk_t *mp, void *iph_arg,
376     ip_xmit_attr_t *ixa, uint32_t *identp)
377 {
378 	ip6_t		*ip6h = (ip6_t *)iph_arg;
379 	ip_stack_t	*ipst = ixa->ixa_ipst;
380 	ill_t		*ill = ire->ire_ill;
381 	ip_recv_attr_t	iras;	/* NOTE: No bzero for performance */
382 	uint_t		pktlen = ixa->ixa_pktlen;
383 
384 	/*
385 	 * No fragmentation, no nce, and no application of IPsec.
386 	 *
387 	 *
388 	 * Note different order between IP provider and FW_HOOKS than in
389 	 * send_wire case.
390 	 */
391 
392 	/*
393 	 * DTrace this as ip:::send.  A packet blocked by FW_HOOKS will fire the
394 	 * send probe, but not the receive probe.
395 	 */
396 	DTRACE_IP7(send, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
397 	    ip6h, __dtrace_ipsr_ill_t *, ill, ipha_t *, NULL, ip6_t *, ip6h,
398 	    int, 1);
399 
400 	DTRACE_PROBE4(ip6__loopback__out__start,
401 	    ill_t *, NULL, ill_t *, ill,
402 	    ip6_t *, ip6h, mblk_t *, mp);
403 
404 	if (HOOKS6_INTERESTED_LOOPBACK_OUT(ipst)) {
405 		int	error;
406 
407 		FW_HOOKS(ipst->ips_ip6_loopback_out_event,
408 		    ipst->ips_ipv6firewall_loopback_out,
409 		    NULL, ill, ip6h, mp, mp, 0, ipst, error);
410 
411 		DTRACE_PROBE1(ip6__loopback__out__end, mblk_t *, mp);
412 		if (mp == NULL)
413 			return (error);
414 
415 		/*
416 		 * Even if the destination was changed by the filter we use the
417 		 * forwarding decision that was made based on the address
418 		 * in ip_output/ip_set_destination.
419 		 */
420 		/* Length could be different */
421 		ip6h = (ip6_t *)mp->b_rptr;
422 		pktlen = ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN;
423 	}
424 
425 	/*
426 	 * If a callback is enabled then we need to know the
427 	 * source and destination zoneids for the packet. We already
428 	 * have those handy.
429 	 */
430 	if (ipst->ips_ip6_observe.he_interested) {
431 		zoneid_t szone, dzone;
432 		zoneid_t stackzoneid;
433 
434 		stackzoneid = netstackid_to_zoneid(
435 		    ipst->ips_netstack->netstack_stackid);
436 
437 		if (stackzoneid == GLOBAL_ZONEID) {
438 			/* Shared-IP zone */
439 			dzone = ire->ire_zoneid;
440 			szone = ixa->ixa_zoneid;
441 		} else {
442 			szone = dzone = stackzoneid;
443 		}
444 		ipobs_hook(mp, IPOBS_HOOK_LOCAL, szone, dzone, ill, ipst);
445 	}
446 
447 	/* Handle lo0 stats */
448 	ipst->ips_loopback_packets++;
449 
450 	/*
451 	 * Update output mib stats. Note that we can't move into the icmp
452 	 * sender (icmp_output etc) since they don't know the ill and the
453 	 * stats are per ill.
454 	 */
455 	if (ixa->ixa_protocol == IPPROTO_ICMPV6) {
456 		icmp6_t		*icmp6;
457 
458 		icmp6 = (icmp6_t *)((uchar_t *)ip6h + ixa->ixa_ip_hdr_length);
459 		icmp_update_out_mib_v6(ill, icmp6);
460 	}
461 
462 	DTRACE_PROBE4(ip6__loopback__in__start,
463 	    ill_t *, ill, ill_t *, NULL,
464 	    ip6_t *, ip6h, mblk_t *, mp);
465 
466 	if (HOOKS6_INTERESTED_LOOPBACK_IN(ipst)) {
467 		int	error;
468 
469 		FW_HOOKS(ipst->ips_ip6_loopback_in_event,
470 		    ipst->ips_ipv6firewall_loopback_in,
471 		    ill, NULL, ip6h, mp, mp, 0, ipst, error);
472 
473 		DTRACE_PROBE1(ip6__loopback__in__end, mblk_t *, mp);
474 		if (mp == NULL)
475 			return (error);
476 
477 		/*
478 		 * Even if the destination was changed by the filter we use the
479 		 * forwarding decision that was made based on the address
480 		 * in ip_output/ip_set_destination.
481 		 */
482 		/* Length could be different */
483 		ip6h = (ip6_t *)mp->b_rptr;
484 		pktlen = ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN;
485 	}
486 
487 	DTRACE_IP7(receive, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
488 	    ip6h, __dtrace_ipsr_ill_t *, ill, ipha_t *, NULL, ip6_t *, ip6h,
489 	    int, 1);
490 
491 	/* Map ixa to ira including IPsec policies */
492 	ipsec_out_to_in(ixa, ill, &iras);
493 	iras.ira_pktlen = pktlen;
494 
495 	ire->ire_ib_pkt_count++;
496 	BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInReceives);
497 	UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCInOctets, pktlen);
498 
499 	/* Destined to ire_zoneid - use that for fanout */
500 	iras.ira_zoneid = ire->ire_zoneid;
501 
502 	if (is_system_labeled()) {
503 		iras.ira_flags |= IRAF_SYSTEM_LABELED;
504 
505 		/*
506 		 * This updates ira_cred, ira_tsl and ira_free_flags based
507 		 * on the label. We don't expect this to ever fail for
508 		 * loopback packets, so we silently drop the packet should it
509 		 * fail.
510 		 */
511 		if (!tsol_get_pkt_label(mp, IPV6_VERSION, &iras)) {
512 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
513 			ip_drop_input("tsol_get_pkt_label", mp, ill);
514 			freemsg(mp);
515 			return (0);
516 		}
517 		ASSERT(iras.ira_tsl != NULL);
518 
519 		/* tsol_get_pkt_label sometimes does pullupmsg */
520 		ip6h = (ip6_t *)mp->b_rptr;
521 	}
522 
523 	ip_fanout_v6(mp, ip6h, &iras);
524 
525 	/* We moved any IPsec refs from ixa to iras */
526 	ira_cleanup(&iras, B_FALSE);
527 	return (0);
528 }
529 
530 static void
531 multirt_check_v6(ire_t *ire, ip6_t *ip6h, ip_xmit_attr_t *ixa)
532 {
533 	ip_stack_t *ipst = ixa->ixa_ipst;
534 
535 	/* Limit the TTL on multirt packets. Do this even if IPV6_HOPLIMIT */
536 	if (ire->ire_type & IRE_MULTICAST) {
537 		if (ip6h->ip6_hops > 1) {
538 			ip2dbg(("ire_send_multirt_v6: forcing multicast "
539 			    "multirt TTL to 1 (was %d)\n", ip6h->ip6_hops));
540 			ip6h->ip6_hops = 1;
541 		}
542 		ixa->ixa_flags |= IXAF_NO_TTL_CHANGE;
543 	} else if ((ipst->ips_ip_multirt_ttl > 0) &&
544 	    (ip6h->ip6_hops > ipst->ips_ip_multirt_ttl)) {
545 		ip6h->ip6_hops = ipst->ips_ip_multirt_ttl;
546 		/*
547 		 * Need to ensure we don't increase the ttl should we go through
548 		 * ire_send_multicast.
549 		 */
550 		ixa->ixa_flags |= IXAF_NO_TTL_CHANGE;
551 	}
552 
553 	/* For IPv6 this also needs to insert a fragment header */
554 	ixa->ixa_flags |= IXAF_IPV6_ADD_FRAGHDR;
555 }
556 
557 /*
558  * ire_sendfn for IRE_MULTICAST
559  *
560  * Note that we do path MTU discovery by default for IPv6 multicast. But
561  * since unconnected UDP and RAW sockets don't set IXAF_PMTU_DISCOVERY
562  * only connected sockets get this by default.
563  */
564 int
565 ire_send_multicast_v6(ire_t *ire, mblk_t *mp, void *iph_arg,
566     ip_xmit_attr_t *ixa, uint32_t *identp)
567 {
568 	ip6_t		*ip6h = (ip6_t *)iph_arg;
569 	ip_stack_t	*ipst = ixa->ixa_ipst;
570 	ill_t		*ill = ire->ire_ill;
571 	iaflags_t	ixaflags = ixa->ixa_flags;
572 
573 	/*
574 	 * The IRE_MULTICAST is the same whether or not multirt is in use.
575 	 * Hence we need special-case code.
576 	 */
577 	if (ixaflags & IXAF_MULTIRT_MULTICAST)
578 		multirt_check_v6(ire, ip6h, ixa);
579 
580 	/*
581 	 * Check if anything in ip_input_v6 wants a copy of the transmitted
582 	 * packet (after IPsec and fragmentation)
583 	 *
584 	 * 1. Multicast routers always need a copy unless SO_DONTROUTE is set
585 	 *    RSVP and the rsvp daemon is an example of a
586 	 *    protocol and user level process that
587 	 *    handles it's own routing. Hence, it uses the
588 	 *    SO_DONTROUTE option to accomplish this.
589 	 * 2. If the sender has set IP_MULTICAST_LOOP, then we just
590 	 *    check whether there are any receivers for the group on the ill
591 	 *    (ignoring the zoneid).
592 	 * 3. If IP_MULTICAST_LOOP is not set, then we check if there are
593 	 *    any members in other shared-IP zones.
594 	 *    If such members exist, then we indicate that the sending zone
595 	 *    shouldn't get a loopback copy to preserve the IP_MULTICAST_LOOP
596 	 *    behavior.
597 	 *
598 	 * When we loopback we skip hardware checksum to make sure loopback
599 	 * copy is checksumed.
600 	 *
601 	 * Note that ire_ill is the upper in the case of IPMP.
602 	 */
603 	ixa->ixa_flags &= ~(IXAF_LOOPBACK_COPY | IXAF_NO_HW_CKSUM);
604 	if (ipst->ips_ip_g_mrouter && ill->ill_mrouter_cnt > 0 &&
605 	    !(ixaflags & IXAF_DONTROUTE)) {
606 		ixa->ixa_flags |= IXAF_LOOPBACK_COPY | IXAF_NO_HW_CKSUM;
607 	} else if (ixaflags & IXAF_MULTICAST_LOOP) {
608 		/*
609 		 * If this zone or any other zone has members then loopback
610 		 * a copy.
611 		 */
612 		if (ill_hasmembers_v6(ill, &ip6h->ip6_dst))
613 			ixa->ixa_flags |= IXAF_LOOPBACK_COPY | IXAF_NO_HW_CKSUM;
614 	} else if (ipst->ips_netstack->netstack_numzones > 1) {
615 		/*
616 		 * This zone should not have a copy. But there are some other
617 		 * zones which might have members.
618 		 */
619 		if (ill_hasmembers_otherzones_v6(ill, &ip6h->ip6_dst,
620 		    ixa->ixa_zoneid)) {
621 			ixa->ixa_flags |= IXAF_NO_LOOP_ZONEID_SET;
622 			ixa->ixa_no_loop_zoneid = ixa->ixa_zoneid;
623 			ixa->ixa_flags |= IXAF_LOOPBACK_COPY | IXAF_NO_HW_CKSUM;
624 		}
625 	}
626 
627 	/*
628 	 * Unless IPV6_HOPLIMIT or ire_send_multirt_v6 already set a ttl,
629 	 * force the ttl to the IP_MULTICAST_TTL value
630 	 */
631 	if (!(ixaflags & IXAF_NO_TTL_CHANGE)) {
632 		ip6h->ip6_hops = ixa->ixa_multicast_ttl;
633 	}
634 
635 	return (ire_send_wire_v6(ire, mp, ip6h, ixa, identp));
636 }
637 
638 /*
639  * ire_sendfn for IREs with RTF_MULTIRT
640  */
641 int
642 ire_send_multirt_v6(ire_t *ire, mblk_t *mp, void *iph_arg,
643     ip_xmit_attr_t *ixa, uint32_t *identp)
644 {
645 	ip6_t		*ip6h = (ip6_t *)iph_arg;
646 
647 	multirt_check_v6(ire, ip6h, ixa);
648 
649 	if (ire->ire_type & IRE_MULTICAST)
650 		return (ire_send_multicast_v6(ire, mp, ip6h, ixa, identp));
651 	else
652 		return (ire_send_wire_v6(ire, mp, ip6h, ixa, identp));
653 }
654 
655 /*
656  * ire_sendfn for IREs with RTF_REJECT/RTF_BLACKHOLE, including IRE_NOROUTE
657  */
658 /* ARGSUSED4 */
659 int
660 ire_send_noroute_v6(ire_t *ire, mblk_t *mp, void *iph_arg,
661     ip_xmit_attr_t *ixa, uint32_t *identp)
662 {
663 	ip6_t		*ip6h = (ip6_t *)iph_arg;
664 	ip_stack_t	*ipst = ixa->ixa_ipst;
665 	ill_t		*ill;
666 	ip_recv_attr_t	iras;
667 	boolean_t	dummy;
668 
669 	BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutNoRoutes);
670 
671 	if (ire->ire_type & IRE_NOROUTE) {
672 		/* A lack of a route as opposed to RTF_REJECT|BLACKHOLE */
673 		ip_rts_change_v6(RTM_MISS, &ip6h->ip6_dst, 0, 0, 0, 0, 0, 0,
674 		    RTA_DST, ipst);
675 	}
676 
677 	if (ire->ire_flags & RTF_BLACKHOLE) {
678 		ip_drop_output("ipIfStatsOutNoRoutes RTF_BLACKHOLE", mp, NULL);
679 		freemsg(mp);
680 		/* No error even for local senders - silent blackhole */
681 		return (0);
682 	}
683 	ip_drop_output("ipIfStatsOutNoRoutes RTF_REJECT", mp, NULL);
684 
685 	/*
686 	 * We need an ill_t for the ip_recv_attr_t even though this packet
687 	 * was never received and icmp_unreachable doesn't currently use
688 	 * ira_ill.
689 	 */
690 	ill = ill_lookup_on_name("lo0", B_FALSE,
691 	    !(ixa->ixa_flags & IRAF_IS_IPV4), &dummy, ipst);
692 	if (ill == NULL) {
693 		freemsg(mp);
694 		return (EHOSTUNREACH);
695 	}
696 
697 	bzero(&iras, sizeof (iras));
698 	/* Map ixa to ira including IPsec policies */
699 	ipsec_out_to_in(ixa, ill, &iras);
700 
701 	icmp_unreachable_v6(mp, ICMP6_DST_UNREACH_NOROUTE, B_FALSE, &iras);
702 	/* We moved any IPsec refs from ixa to iras */
703 	ira_cleanup(&iras, B_FALSE);
704 
705 	ill_refrele(ill);
706 	return (EHOSTUNREACH);
707 }
708 
709 /*
710  * Calculate a checksum ignoring any hardware capabilities
711  *
712  * Returns B_FALSE if the packet was too short for the checksum. Caller
713  * should free and do stats.
714  */
715 static boolean_t
716 ip_output_sw_cksum_v6(mblk_t *mp, ip6_t *ip6h, ip_xmit_attr_t *ixa)
717 {
718 	ip_stack_t	*ipst = ixa->ixa_ipst;
719 	uint_t		pktlen = ixa->ixa_pktlen;
720 	uint16_t	*cksump;
721 	uint32_t	cksum;
722 	uint8_t		protocol = ixa->ixa_protocol;
723 	uint16_t	ip_hdr_length = ixa->ixa_ip_hdr_length;
724 
725 #define	iphs    ((uint16_t *)ip6h)
726 
727 	/* Just in case it contained garbage */
728 	DB_CKSUMFLAGS(mp) &= ~HCK_FLAGS;
729 
730 	/*
731 	 * Calculate ULP checksum
732 	 */
733 	if (protocol == IPPROTO_TCP) {
734 		cksump = IPH_TCPH_CHECKSUMP(ip6h, ip_hdr_length);
735 		cksum = IP_TCP_CSUM_COMP;
736 	} else if (protocol == IPPROTO_UDP) {
737 		cksump = IPH_UDPH_CHECKSUMP(ip6h, ip_hdr_length);
738 		cksum = IP_UDP_CSUM_COMP;
739 	} else if (protocol == IPPROTO_SCTP) {
740 		sctp_hdr_t	*sctph;
741 
742 		ASSERT(MBLKL(mp) >= (ip_hdr_length + sizeof (*sctph)));
743 		sctph = (sctp_hdr_t *)(mp->b_rptr + ip_hdr_length);
744 		/*
745 		 * Zero out the checksum field to ensure proper
746 		 * checksum calculation.
747 		 */
748 		sctph->sh_chksum = 0;
749 #ifdef	DEBUG
750 		if (!skip_sctp_cksum)
751 #endif
752 			sctph->sh_chksum = sctp_cksum(mp, ip_hdr_length);
753 		return (B_TRUE);
754 	} else if (ixa->ixa_flags & IXAF_SET_RAW_CKSUM) {
755 		/*
756 		 * icmp has placed length and routing
757 		 * header adjustment in the checksum field.
758 		 */
759 		cksump = (uint16_t *)(((uint8_t *)ip6h) + ip_hdr_length +
760 		    ixa->ixa_raw_cksum_offset);
761 		cksum = htons(protocol);
762 	} else if (protocol == IPPROTO_ICMPV6) {
763 		cksump = IPH_ICMPV6_CHECKSUMP(ip6h, ip_hdr_length);
764 		cksum = IP_ICMPV6_CSUM_COMP;	/* Pseudo-header cksum */
765 	} else {
766 		return (B_TRUE);
767 	}
768 
769 	/* ULP puts the checksum field is in the first mblk */
770 	ASSERT(((uchar_t *)cksump) + sizeof (uint16_t) <= mp->b_wptr);
771 
772 	/*
773 	 * We accumulate the pseudo header checksum in cksum.
774 	 * This is pretty hairy code, so watch close.  One
775 	 * thing to keep in mind is that UDP and TCP have
776 	 * stored their respective datagram lengths in their
777 	 * checksum fields.  This lines things up real nice.
778 	 */
779 	cksum += iphs[4] + iphs[5] + iphs[6] + iphs[7] +
780 	    iphs[8] + iphs[9] + iphs[10] + iphs[11] +
781 	    iphs[12] + iphs[13] + iphs[14] + iphs[15] +
782 	    iphs[16] + iphs[17] + iphs[18] + iphs[19];
783 	cksum = IP_CSUM(mp, ip_hdr_length, cksum);
784 
785 	/*
786 	 * For UDP/IPv6 a zero UDP checksum is not allowed.
787 	 * Change to 0xffff
788 	 */
789 	if (protocol == IPPROTO_UDP && cksum == 0)
790 		*cksump = ~cksum;
791 	else
792 		*cksump = cksum;
793 
794 	IP6_STAT(ipst, ip6_out_sw_cksum);
795 	IP6_STAT_UPDATE(ipst, ip6_out_sw_cksum_bytes, pktlen);
796 
797 	/* No IP header checksum for IPv6 */
798 
799 	return (B_TRUE);
800 #undef	iphs
801 }
802 
803 /* There are drivers that can't do partial checksum for ICMPv6 */
804 int nxge_cksum_workaround = 1;
805 
806 /*
807  * Calculate the ULP checksum - try to use hardware.
808  * In the case of MULTIRT or multicast the
809  * IXAF_NO_HW_CKSUM is set in which case we use software.
810  *
811  * Returns B_FALSE if the packet was too short for the checksum. Caller
812  * should free and do stats.
813  */
814 static boolean_t
815 ip_output_cksum_v6(iaflags_t ixaflags, mblk_t *mp, ip6_t *ip6h,
816     ip_xmit_attr_t *ixa, ill_t *ill)
817 {
818 	uint_t		pktlen = ixa->ixa_pktlen;
819 	uint16_t	*cksump;
820 	uint16_t	hck_flags;
821 	uint32_t	cksum;
822 	uint8_t		protocol = ixa->ixa_protocol;
823 	uint16_t	ip_hdr_length = ixa->ixa_ip_hdr_length;
824 
825 #define	iphs    ((uint16_t *)ip6h)
826 
827 	if ((ixaflags & IXAF_NO_HW_CKSUM) || !ILL_HCKSUM_CAPABLE(ill) ||
828 	    !dohwcksum) {
829 		return (ip_output_sw_cksum_v6(mp, ip6h, ixa));
830 	}
831 
832 	/*
833 	 * Calculate ULP checksum. Note that we don't use cksump and cksum
834 	 * if the ill has FULL support.
835 	 */
836 	if (protocol == IPPROTO_TCP) {
837 		cksump = IPH_TCPH_CHECKSUMP(ip6h, ip_hdr_length);
838 		cksum = IP_TCP_CSUM_COMP;	/* Pseudo-header cksum */
839 	} else if (protocol == IPPROTO_UDP) {
840 		cksump = IPH_UDPH_CHECKSUMP(ip6h, ip_hdr_length);
841 		cksum = IP_UDP_CSUM_COMP;	/* Pseudo-header cksum */
842 	} else if (protocol == IPPROTO_SCTP) {
843 		sctp_hdr_t	*sctph;
844 
845 		ASSERT(MBLKL(mp) >= (ip_hdr_length + sizeof (*sctph)));
846 		sctph = (sctp_hdr_t *)(mp->b_rptr + ip_hdr_length);
847 		/*
848 		 * Zero out the checksum field to ensure proper
849 		 * checksum calculation.
850 		 */
851 		sctph->sh_chksum = 0;
852 #ifdef	DEBUG
853 		if (!skip_sctp_cksum)
854 #endif
855 			sctph->sh_chksum = sctp_cksum(mp, ip_hdr_length);
856 		goto ip_hdr_cksum;
857 	} else if (ixa->ixa_flags & IXAF_SET_RAW_CKSUM) {
858 		/*
859 		 * icmp has placed length and routing
860 		 * header adjustment in the checksum field.
861 		 */
862 		cksump = (uint16_t *)(((uint8_t *)ip6h) + ip_hdr_length +
863 		    ixa->ixa_raw_cksum_offset);
864 		cksum = htons(protocol);
865 	} else if (protocol == IPPROTO_ICMPV6) {
866 		cksump = IPH_ICMPV6_CHECKSUMP(ip6h, ip_hdr_length);
867 		cksum = IP_ICMPV6_CSUM_COMP;	/* Pseudo-header cksum */
868 	} else {
869 	ip_hdr_cksum:
870 		/* No IP header checksum for IPv6 */
871 		return (B_TRUE);
872 	}
873 
874 	/* ULP puts the checksum field is in the first mblk */
875 	ASSERT(((uchar_t *)cksump) + sizeof (uint16_t) <= mp->b_wptr);
876 
877 	/*
878 	 * Underlying interface supports hardware checksum offload for
879 	 * the payload; leave the payload checksum for the hardware to
880 	 * calculate.  N.B: We only need to set up checksum info on the
881 	 * first mblk.
882 	 */
883 	hck_flags = ill->ill_hcksum_capab->ill_hcksum_txflags;
884 
885 	DB_CKSUMFLAGS(mp) &= ~HCK_FLAGS;
886 	if (hck_flags & HCKSUM_INET_FULL_V6) {
887 		/*
888 		 * Hardware calculates pseudo-header, header and the
889 		 * payload checksums, so clear the checksum field in
890 		 * the protocol header.
891 		 */
892 		*cksump = 0;
893 		DB_CKSUMFLAGS(mp) |= HCK_FULLCKSUM;
894 		return (B_TRUE);
895 	}
896 	if (((hck_flags) & HCKSUM_INET_PARTIAL) &&
897 	    (protocol != IPPROTO_ICMPV6 || !nxge_cksum_workaround)) {
898 		/*
899 		 * Partial checksum offload has been enabled.  Fill
900 		 * the checksum field in the protocol header with the
901 		 * pseudo-header checksum value.
902 		 *
903 		 * We accumulate the pseudo header checksum in cksum.
904 		 * This is pretty hairy code, so watch close.  One
905 		 * thing to keep in mind is that UDP and TCP have
906 		 * stored their respective datagram lengths in their
907 		 * checksum fields.  This lines things up real nice.
908 		 */
909 		cksum += iphs[4] + iphs[5] + iphs[6] + iphs[7] +
910 		    iphs[8] + iphs[9] + iphs[10] + iphs[11] +
911 		    iphs[12] + iphs[13] + iphs[14] + iphs[15] +
912 		    iphs[16] + iphs[17] + iphs[18] + iphs[19];
913 		cksum += *(cksump);
914 		cksum = (cksum & 0xFFFF) + (cksum >> 16);
915 		*(cksump) = (cksum & 0xFFFF) + (cksum >> 16);
916 
917 		/*
918 		 * Offsets are relative to beginning of IP header.
919 		 */
920 		DB_CKSUMSTART(mp) = ip_hdr_length;
921 		DB_CKSUMSTUFF(mp) = (uint8_t *)cksump - (uint8_t *)ip6h;
922 		DB_CKSUMEND(mp) = pktlen;
923 		DB_CKSUMFLAGS(mp) |= HCK_PARTIALCKSUM;
924 		return (B_TRUE);
925 	}
926 	/* Hardware capabilities include neither full nor partial IPv6 */
927 	return (ip_output_sw_cksum_v6(mp, ip6h, ixa));
928 #undef	iphs
929 }
930 
931 /*
932  * ire_sendfn for offlink and onlink destinations.
933  * Also called from the multicast, and multirt send functions.
934  *
935  * Assumes that the caller has a hold on the ire.
936  *
937  * This function doesn't care if the IRE just became condemned since that
938  * can happen at any time.
939  */
940 /* ARGSUSED */
941 int
942 ire_send_wire_v6(ire_t *ire, mblk_t *mp, void *iph_arg,
943     ip_xmit_attr_t *ixa, uint32_t *identp)
944 {
945 	ip_stack_t	*ipst = ixa->ixa_ipst;
946 	ip6_t		*ip6h = (ip6_t *)iph_arg;
947 	iaflags_t	ixaflags = ixa->ixa_flags;
948 	ill_t		*ill;
949 	uint32_t	pktlen = ixa->ixa_pktlen;
950 
951 	ASSERT(ixa->ixa_nce != NULL);
952 	ill = ixa->ixa_nce->nce_ill;
953 
954 	/*
955 	 * Update output mib stats. Note that we can't move into the icmp
956 	 * sender (icmp_output etc) since they don't know the ill and the
957 	 * stats are per ill.
958 	 *
959 	 * With IPMP we record the stats on the upper ill.
960 	 */
961 	if (ixa->ixa_protocol == IPPROTO_ICMPV6) {
962 		icmp6_t		*icmp6;
963 
964 		icmp6 = (icmp6_t *)((uchar_t *)ip6h + ixa->ixa_ip_hdr_length);
965 		icmp_update_out_mib_v6(ixa->ixa_nce->nce_common->ncec_ill,
966 		    icmp6);
967 	}
968 
969 	if (ixaflags & IXAF_DONTROUTE)
970 		ip6h->ip6_hops = 1;
971 
972 	/*
973 	 * This might set b_band, thus the IPsec and fragmentation
974 	 * code in IP ensures that b_band is updated in the first mblk.
975 	 */
976 	if (IPP_ENABLED(IPP_LOCAL_OUT, ipst)) {
977 		/* ip_process translates an IS_UNDER_IPMP */
978 		mp = ip_process(IPP_LOCAL_OUT, mp, ill, ill);
979 		if (mp == NULL) {
980 			/* ip_drop_packet and MIB done */
981 			return (0);	/* Might just be delayed */
982 		}
983 	}
984 
985 	/*
986 	 * To handle IPsec/iptun's labeling needs we need to tag packets
987 	 * while we still have ixa_tsl
988 	 */
989 	if (is_system_labeled() && ixa->ixa_tsl != NULL &&
990 	    (ill->ill_mactype == DL_6TO4 || ill->ill_mactype == DL_IPV4 ||
991 	    ill->ill_mactype == DL_IPV6)) {
992 		cred_t *newcr;
993 
994 		newcr = copycred_from_tslabel(ixa->ixa_cred, ixa->ixa_tsl,
995 		    KM_NOSLEEP);
996 		if (newcr == NULL) {
997 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
998 			ip_drop_output("ipIfStatsOutDiscards - newcr",
999 			    mp, ill);
1000 			freemsg(mp);
1001 			return (ENOBUFS);
1002 		}
1003 		mblk_setcred(mp, newcr, NOPID);
1004 		crfree(newcr);	/* mblk_setcred did its own crhold */
1005 	}
1006 
1007 	/*
1008 	 * IXAF_IPV6_ADD_FRAGHDR is set for CGTP so that we will add a
1009 	 * fragment header without fragmenting. CGTP on the receiver will
1010 	 * filter duplicates on the ident field.
1011 	 */
1012 	if (pktlen > ixa->ixa_fragsize ||
1013 	    (ixaflags & (IXAF_IPSEC_SECURE|IXAF_IPV6_ADD_FRAGHDR))) {
1014 		uint32_t ident;
1015 
1016 		if (ixaflags & IXAF_IPSEC_SECURE)
1017 			pktlen += ipsec_out_extra_length(ixa);
1018 
1019 		if (pktlen > IP_MAXPACKET)
1020 			return (EMSGSIZE);
1021 
1022 		if (ixaflags & IXAF_SET_ULP_CKSUM) {
1023 			/*
1024 			 * Compute ULP checksum using software
1025 			 */
1026 			if (!ip_output_sw_cksum_v6(mp, ip6h, ixa)) {
1027 				BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
1028 				ip_drop_output("ipIfStatsOutDiscards", mp, ill);
1029 				freemsg(mp);
1030 				return (EINVAL);
1031 			}
1032 			/* Avoid checksum again below if we only add fraghdr */
1033 			ixaflags &= ~IXAF_SET_ULP_CKSUM;
1034 		}
1035 
1036 		/*
1037 		 * If we need a fragment header, pick the ident and insert
1038 		 * the header before IPsec to we have a place to store
1039 		 * the ident value.
1040 		 */
1041 		if ((ixaflags & IXAF_IPV6_ADD_FRAGHDR) ||
1042 		    pktlen > ixa->ixa_fragsize) {
1043 			/*
1044 			 * If this packet would generate a icmp_frag_needed
1045 			 * message, we need to handle it before we do the IPsec
1046 			 * processing. Otherwise, we need to strip the IPsec
1047 			 * headers before we send up the message to the ULPs
1048 			 * which becomes messy and difficult.
1049 			 */
1050 			if ((pktlen > ixa->ixa_fragsize) &&
1051 			    (ixaflags & IXAF_DONTFRAG)) {
1052 				/* Generate ICMP and return error */
1053 				ip_recv_attr_t	iras;
1054 
1055 				DTRACE_PROBE4(ip6__fragsize__fail,
1056 				    uint_t, pktlen, uint_t, ixa->ixa_fragsize,
1057 				    uint_t, ixa->ixa_pktlen,
1058 				    uint_t, ixa->ixa_pmtu);
1059 
1060 				bzero(&iras, sizeof (iras));
1061 				/* Map ixa to ira including IPsec policies */
1062 				ipsec_out_to_in(ixa, ill, &iras);
1063 
1064 				ip_drop_output("ICMP6_PKT_TOO_BIG", mp, ill);
1065 				icmp_pkt2big_v6(mp, ixa->ixa_fragsize, B_TRUE,
1066 				    &iras);
1067 				/* We moved any IPsec refs from ixa to iras */
1068 				ira_cleanup(&iras, B_FALSE);
1069 				return (EMSGSIZE);
1070 			}
1071 			DTRACE_PROBE4(ip6__fragsize__ok, uint_t, pktlen,
1072 			    uint_t, ixa->ixa_fragsize, uint_t, ixa->ixa_pktlen,
1073 			    uint_t, ixa->ixa_pmtu);
1074 			/*
1075 			 * Assign an ident value for this packet. There could
1076 			 * be other threads targeting the same destination, so
1077 			 * we have to arrange for a atomic increment.
1078 			 * Normally ixa_extra_ident is 0, but in the case of
1079 			 * LSO it will be the number of TCP segments  that the
1080 			 * driver/hardware will extraly construct.
1081 			 *
1082 			 * Note that cl_inet_ipident has only been used for
1083 			 * IPv4. We don't use it here.
1084 			 */
1085 			ident = atomic_add_32_nv(identp, ixa->ixa_extra_ident +
1086 			    1);
1087 #ifndef _BIG_ENDIAN
1088 			ident = htonl(ident);
1089 #endif
1090 			ixa->ixa_ident = ident;	/* In case we do IPsec */
1091 		}
1092 		if (ixaflags & IXAF_IPSEC_SECURE) {
1093 			/*
1094 			 * Pass in sufficient information so that
1095 			 * IPsec can determine whether to fragment, and
1096 			 * which function to call after fragmentation.
1097 			 */
1098 			return (ipsec_out_process(mp, ixa));
1099 		}
1100 
1101 		mp = ip_fraghdr_add_v6(mp, ident, ixa);
1102 		if (mp == NULL) {
1103 			/* MIB and ip_drop_output already done */
1104 			return (ENOMEM);
1105 		}
1106 		ASSERT(pktlen == ixa->ixa_pktlen);
1107 		pktlen += sizeof (ip6_frag_t);
1108 
1109 		if (pktlen > ixa->ixa_fragsize) {
1110 			return (ip_fragment_v6(mp, ixa->ixa_nce, ixaflags,
1111 			    pktlen, ixa->ixa_fragsize,
1112 			    ixa->ixa_xmit_hint, ixa->ixa_zoneid,
1113 			    ixa->ixa_no_loop_zoneid, ixa->ixa_postfragfn,
1114 			    &ixa->ixa_cookie));
1115 		}
1116 	}
1117 	if (ixaflags & IXAF_SET_ULP_CKSUM) {
1118 		/* Compute ULP checksum and IP header checksum */
1119 		/* An IS_UNDER_IPMP ill is ok here */
1120 		if (!ip_output_cksum_v6(ixaflags, mp, ip6h, ixa, ill)) {
1121 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
1122 			ip_drop_output("ipIfStatsOutDiscards", mp, ill);
1123 			freemsg(mp);
1124 			return (EINVAL);
1125 		}
1126 	}
1127 	return ((ixa->ixa_postfragfn)(mp, ixa->ixa_nce, ixaflags,
1128 	    pktlen, ixa->ixa_xmit_hint, ixa->ixa_zoneid,
1129 	    ixa->ixa_no_loop_zoneid, &ixa->ixa_cookie));
1130 }
1131 
1132 /*
1133  * Post fragmentation function for RTF_MULTIRT routes.
1134  * Since IRE_MULTICASTs might have RTF_MULTIRT, this function
1135  * checks IXAF_LOOPBACK_COPY.
1136  *
1137  * If no packet is sent due to failures then we return an errno, but if at
1138  * least one succeeded we return zero.
1139  */
1140 int
1141 ip_postfrag_multirt_v6(mblk_t *mp, nce_t *nce, iaflags_t ixaflags,
1142     uint_t pkt_len, uint32_t xmit_hint, zoneid_t szone, zoneid_t nolzid,
1143     uintptr_t *ixacookie)
1144 {
1145 	irb_t		*irb;
1146 	ip6_t		*ip6h = (ip6_t *)mp->b_rptr;
1147 	ire_t		*ire;
1148 	ire_t		*ire1;
1149 	mblk_t		*mp1;
1150 	nce_t		*nce1;
1151 	ill_t		*ill = nce->nce_ill;
1152 	ill_t		*ill1;
1153 	ip_stack_t	*ipst = ill->ill_ipst;
1154 	int		error = 0;
1155 	int		num_sent = 0;
1156 	int		err;
1157 	uint_t		ire_type;
1158 	in6_addr_t	nexthop;
1159 
1160 	ASSERT(!(ixaflags & IXAF_IS_IPV4));
1161 
1162 	/* Check for IXAF_LOOPBACK_COPY */
1163 	if (ixaflags & IXAF_LOOPBACK_COPY) {
1164 		mblk_t *mp1;
1165 
1166 		mp1 = copymsg(mp);
1167 		if (mp1 == NULL) {
1168 			/* Failed to deliver the loopback copy. */
1169 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
1170 			ip_drop_output("ipIfStatsOutDiscards", mp, ill);
1171 			error = ENOBUFS;
1172 		} else {
1173 			ip_postfrag_loopback(mp1, nce, ixaflags, pkt_len,
1174 			    nolzid);
1175 		}
1176 	}
1177 
1178 	/*
1179 	 * Loop over RTF_MULTIRT for ip6_dst in the same bucket. Send
1180 	 * a copy to each one.
1181 	 * Use the nce (nexthop) and ip6_dst to find the ire.
1182 	 *
1183 	 * MULTIRT is not designed to work with shared-IP zones thus we don't
1184 	 * need to pass a zoneid or a label to the IRE lookup.
1185 	 */
1186 	if (IN6_ARE_ADDR_EQUAL(&nce->nce_addr, &ip6h->ip6_dst)) {
1187 		/* Broadcast and multicast case */
1188 		ire = ire_ftable_lookup_v6(&ip6h->ip6_dst, 0, 0, 0, NULL,
1189 		    ALL_ZONES, NULL, MATCH_IRE_DSTONLY, 0, ipst, NULL);
1190 	} else {
1191 		/* Unicast case */
1192 		ire = ire_ftable_lookup_v6(&ip6h->ip6_dst, 0, &nce->nce_addr,
1193 		    0, NULL, ALL_ZONES, NULL, MATCH_IRE_GW, 0, ipst, NULL);
1194 	}
1195 
1196 	if (ire == NULL ||
1197 	    (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) ||
1198 	    !(ire->ire_flags & RTF_MULTIRT)) {
1199 		/* Drop */
1200 		ip_drop_output("ip_postfrag_multirt didn't find route",
1201 		    mp, nce->nce_ill);
1202 		if (ire != NULL)
1203 			ire_refrele(ire);
1204 		return (ENETUNREACH);
1205 	}
1206 
1207 	irb = ire->ire_bucket;
1208 	irb_refhold(irb);
1209 	for (ire1 = irb->irb_ire; ire1 != NULL; ire1 = ire1->ire_next) {
1210 		if (IRE_IS_CONDEMNED(ire1) ||
1211 		    !(ire1->ire_flags & RTF_MULTIRT))
1212 			continue;
1213 
1214 		/* Note: When IPv6 uses radix tree we don't need this check */
1215 		if (!IN6_ARE_ADDR_EQUAL(&ire->ire_addr_v6, &ire1->ire_addr_v6))
1216 			continue;
1217 
1218 		/* Do the ire argument one after the loop */
1219 		if (ire1 == ire)
1220 			continue;
1221 
1222 		ill1 = ire_nexthop_ill(ire1);
1223 		if (ill1 == NULL) {
1224 			/*
1225 			 * This ire might not have been picked by
1226 			 * ire_route_recursive, in which case ire_dep might
1227 			 * not have been setup yet.
1228 			 * We kick ire_route_recursive to try to resolve
1229 			 * starting at ire1.
1230 			 */
1231 			ire_t *ire2;
1232 
1233 			ire2 = ire_route_recursive_impl_v6(ire1,
1234 			    &ire1->ire_addr_v6, ire1->ire_type, ire1->ire_ill,
1235 			    ire1->ire_zoneid, NULL, MATCH_IRE_DSTONLY,
1236 			    B_TRUE, 0, ipst, NULL, NULL, NULL);
1237 			if (ire2 != NULL)
1238 				ire_refrele(ire2);
1239 			ill1 = ire_nexthop_ill(ire1);
1240 		}
1241 		if (ill1 == NULL) {
1242 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
1243 			ip_drop_output("ipIfStatsOutDiscards - no ill",
1244 			    mp, ill);
1245 			error = ENETUNREACH;
1246 			continue;
1247 		}
1248 		/* Pick the addr and type to use for ndp_nce_init */
1249 		if (nce->nce_common->ncec_flags & NCE_F_MCAST) {
1250 			ire_type = IRE_MULTICAST;
1251 			nexthop = ip6h->ip6_dst;
1252 		} else {
1253 			ire_type = ire1->ire_type;	/* Doesn't matter */
1254 			nexthop = ire1->ire_gateway_addr_v6;
1255 		}
1256 
1257 		/* If IPMP meta or under, then we just drop */
1258 		if (ill1->ill_grp != NULL) {
1259 			BUMP_MIB(ill1->ill_ip_mib, ipIfStatsOutDiscards);
1260 			ip_drop_output("ipIfStatsOutDiscards - IPMP",
1261 			    mp, ill1);
1262 			ill_refrele(ill1);
1263 			error = ENETUNREACH;
1264 			continue;
1265 		}
1266 
1267 		nce1 = ndp_nce_init(ill1, &nexthop, ire_type);
1268 		if (nce1 == NULL) {
1269 			BUMP_MIB(ill1->ill_ip_mib, ipIfStatsOutDiscards);
1270 			ip_drop_output("ipIfStatsOutDiscards - no nce",
1271 			    mp, ill1);
1272 			ill_refrele(ill1);
1273 			error = ENOBUFS;
1274 			continue;
1275 		}
1276 		mp1 = copymsg(mp);
1277 		if (mp1 == NULL) {
1278 			BUMP_MIB(ill1->ill_ip_mib, ipIfStatsOutDiscards);
1279 			ip_drop_output("ipIfStatsOutDiscards", mp, ill1);
1280 			nce_refrele(nce1);
1281 			ill_refrele(ill1);
1282 			error = ENOBUFS;
1283 			continue;
1284 		}
1285 		/* Preserve HW checksum for this copy */
1286 		DB_CKSUMSTART(mp1) = DB_CKSUMSTART(mp);
1287 		DB_CKSUMSTUFF(mp1) = DB_CKSUMSTUFF(mp);
1288 		DB_CKSUMEND(mp1) = DB_CKSUMEND(mp);
1289 		DB_CKSUMFLAGS(mp1) = DB_CKSUMFLAGS(mp);
1290 		DB_LSOMSS(mp1) = DB_LSOMSS(mp);
1291 
1292 		ire1->ire_ob_pkt_count++;
1293 		err = ip_xmit(mp1, nce1, ixaflags, pkt_len, xmit_hint, szone,
1294 		    0, ixacookie);
1295 		if (err == 0)
1296 			num_sent++;
1297 		else
1298 			error = err;
1299 		nce_refrele(nce1);
1300 		ill_refrele(ill1);
1301 	}
1302 	irb_refrele(irb);
1303 	ire_refrele(ire);
1304 	/* Finally, the main one */
1305 	err = ip_xmit(mp, nce, ixaflags, pkt_len, xmit_hint, szone, 0,
1306 	    ixacookie);
1307 	if (err == 0)
1308 		num_sent++;
1309 	else
1310 		error = err;
1311 	if (num_sent > 0)
1312 		return (0);
1313 	else
1314 		return (error);
1315 }
1316