xref: /titanic_52/usr/src/uts/common/inet/ip/ip_mroute.c (revision 1eee170a5f6cf875d905524fea524c7c5c870aa0)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 1991, 2010, Oracle and/or its affiliates. All rights reserved.
 */
/* Copyright (c) 1990 Mentat Inc. */

/*
 * Procedures for the kernel part of DVMRP,
 * a Distance-Vector Multicast Routing Protocol.
 * (See RFC-1075)
 * Written by David Waitzman, BBN Labs, August 1988.
 * Modified by Steve Deering, Stanford, February 1989.
 * Modified by Mark J. Steiglitz, Stanford, May, 1991
 * Modified by Van Jacobson, LBL, January 1993
 * Modified by Ajit Thyagarajan, PARC, August 1993
 * Modified by Bill Fenner, PARC, April 1995
 *
 * MROUTING 3.5
 */

/*
 * TODO
 * - function pointer field in vif, void *vif_sendit()
 */

#include <sys/types.h>
#include <sys/stream.h>
#include <sys/stropts.h>
#include <sys/strlog.h>
#include <sys/systm.h>
#include <sys/ddi.h>
#include <sys/cmn_err.h>
#include <sys/zone.h>

#include <sys/param.h>
#include <sys/socket.h>
#include <sys/vtrace.h>
#include <sys/debug.h>
#include <net/if.h>
#include <sys/sockio.h>
#include <netinet/in.h>
#include <net/if_dl.h>

#include <inet/ipsec_impl.h>
#include <inet/common.h>
#include <inet/mi.h>
#include <inet/nd.h>
#include <inet/tunables.h>
#include <inet/mib2.h>
#include <netinet/ip6.h>
#include <inet/ip.h>
#include <inet/snmpcom.h>

#include <netinet/igmp.h>
#include <netinet/igmp_var.h>
#include <netinet/udp.h>
#include <netinet/ip_mroute.h>
#include <inet/ip_multi.h>
#include <inet/ip_ire.h>
#include <inet/ip_ndp.h>
#include <inet/ip_if.h>
#include <inet/ipclassifier.h>

#include <netinet/pim.h>


/*
 * MT Design:
 *
 * There are three main data structures viftable, mfctable and tbftable that
 * need to be protected against MT races.
 *
 * vitable is a fixed length array of vif structs. There is no lock to protect
 * the whole array, instead each struct is protected by its own indiviual lock.
 * The value of v_marks in conjuction with the value of v_refcnt determines the
 * current state of a vif structure. One special state that needs mention
 * is when the vif is marked VIF_MARK_NOTINUSE but refcnt != 0. This indicates
 * that vif is being initalized.
 * Each structure is freed when the refcnt goes down to zero. If a delete comes
 * in when the recfnt is > 1, the vif structure is marked VIF_MARK_CONDEMNED
 * which prevents the struct from further use.  When the refcnt goes to zero
 * the struct is freed and is marked VIF_MARK_NOTINUSE.
 * vif struct stores a pointer to the ipif in v_ipif, to prevent ipif/ill
 * from  going away a refhold is put on the ipif before using it. see
 * lock_good_vif() and unlock_good_vif().
 *
 * VIF_REFHOLD and VIF_REFRELE macros have been provided to manipulate refcnts
 * of the vif struct.
 *
 * tbftable is also a fixed length array of tbf structs and is only accessed
 * via v_tbf.  It is protected by its own lock tbf_lock.
 *
 * Lock Ordering is
 * v_lock --> tbf_lock
 * v_lock --> ill_locK
 *
 * mfctable is a fixed size hash table of mfc buckets strcuts (struct mfcb).
 * Each mfc bucket struct (struct mfcb) maintains a refcnt for each walker,
 * it also maintains a state. These fields are protected by a lock (mfcb_lock).
 * mfc structs only maintain a state and have no refcnt. mfc_mutex is used to
 * protect the struct elements.
 *
 * mfc structs are dynamically allocated and are singly linked
 * at the head of the chain. When an mfc structure is to be deleted
 * it is marked condemned and so is the state in the bucket struct.
 * When the last walker of the hash bucket exits all the mfc structs
 * marked condemed are freed.
 *
 * Locking Hierarchy:
 * The bucket lock should be acquired before the mfc struct lock.
 * MFCB_REFHOLD and MFCB_REFRELE macros are provided for locking
 * operations on the bucket struct.
 *
 * last_encap_lock and numvifs_mutex should be acquired after
 * acquring vif or mfc locks. These locks protect some global variables.
 *
 * The statistics are not currently protected by a lock
 * causing the stats be be approximate, not exact.
 */

#define	NO_VIF	MAXVIFS 	/* from mrouted, no route for src */

/*
 * Timeouts:
 * 	Upcall timeouts - BSD uses boolean_t mfc->expire and
 *	nexpire[MFCTBLSIZE], the number of times expire has been called.
 *	SunOS 5.x uses mfc->timeout for each mfc.
 *	Some Unixes are limited in the number of simultaneous timeouts
 * 	that can be run, SunOS 5.x does not have this restriction.
 */

/*
 * In BSD, EXPIRE_TIMEOUT is how often expire_upcalls() is called and
 * UPCALL_EXPIRE is the nmber of timeouts before a particular upcall
 * expires. Thus the time till expiration is EXPIRE_TIMEOUT * UPCALL_EXPIRE
 */
#define		EXPIRE_TIMEOUT	(hz/4)	/* 4x / second	*/
#define		UPCALL_EXPIRE	6	/* number of timeouts	*/

/*
 * Hash function for a source, group entry
 */
#define	MFCHASH(a, g) MFCHASHMOD(((a) >> 20) ^ ((a) >> 10) ^ (a) ^ \
	((g) >> 20) ^ ((g) >> 10) ^ (g))

#define			TBF_REPROCESS	(hz / 100)	/* 100x /second	*/

/* Identify PIM packet that came on a Register interface */
#define	PIM_REGISTER_MARKER	0xffffffff

/* Function declarations */
static int	add_mfc(struct mfcctl *, ip_stack_t *);
static int	add_vif(struct vifctl *, conn_t *, ip_stack_t *);
static int	del_mfc(struct mfcctl *, ip_stack_t *);
static int	del_vif(vifi_t *, ip_stack_t *);
static void	del_vifp(struct vif *);
static void	encap_send(ipha_t *, mblk_t *, struct vif *, ipaddr_t);
static void	expire_upcalls(void *);
static void	fill_route(struct mfc *, struct mfcctl *, ip_stack_t *);
static void	free_queue(struct mfc *);
static int	get_assert(uchar_t *, ip_stack_t *);
static int	get_lsg_cnt(struct sioc_lsg_req *, ip_stack_t *);
static int	get_sg_cnt(struct sioc_sg_req *, ip_stack_t *);
static int	get_version(uchar_t *);
static int	get_vif_cnt(struct sioc_vif_req *, ip_stack_t *);
static int	ip_mdq(mblk_t *, ipha_t *, ill_t *,
		    ipaddr_t, struct mfc *);
static int	ip_mrouter_init(conn_t *, uchar_t *, int, ip_stack_t *);
static void	phyint_send(ipha_t *, mblk_t *, struct vif *, ipaddr_t);
static int	register_mforward(mblk_t *, ip_recv_attr_t *);
static void	register_send(ipha_t *, mblk_t *, struct vif *, ipaddr_t);
static int	set_assert(int *, ip_stack_t *);

/*
 * Token Bucket Filter functions
 */
static int  priority(struct vif *, ipha_t *);
static void tbf_control(struct vif *, mblk_t *, ipha_t *);
static int  tbf_dq_sel(struct vif *, ipha_t *);
static void tbf_process_q(struct vif *);
static void tbf_queue(struct vif *, mblk_t *);
static void tbf_reprocess_q(void *);
static void tbf_send_packet(struct vif *, mblk_t *);
static void tbf_update_tokens(struct vif *);
static void release_mfc(struct mfcb *);

static boolean_t is_mrouter_off(ip_stack_t *);
/*
 * Encapsulation packets
 */

#define	ENCAP_TTL	64

/* prototype IP hdr for encapsulated packets */
static ipha_t multicast_encap_iphdr = {
	IP_SIMPLE_HDR_VERSION,
	0,				/* tos */
	sizeof (ipha_t),		/* total length */
	0,				/* id */
	0,				/* frag offset */
	ENCAP_TTL, IPPROTO_ENCAP,
	0,				/* checksum */
};

/*
 * Rate limit for assert notification messages, in nsec.
 */
#define	ASSERT_MSG_TIME		3000000000


#define	VIF_REFHOLD(vifp) {			\
	mutex_enter(&(vifp)->v_lock);		\
	(vifp)->v_refcnt++;			\
	mutex_exit(&(vifp)->v_lock);		\
}

#define	VIF_REFRELE_LOCKED(vifp) {				\
	(vifp)->v_refcnt--;					\
	if ((vifp)->v_refcnt == 0 &&				\
		((vifp)->v_marks & VIF_MARK_CONDEMNED)) {	\
			del_vifp(vifp);				\
	} else {						\
		mutex_exit(&(vifp)->v_lock);			\
	}							\
}

#define	VIF_REFRELE(vifp) {					\
	mutex_enter(&(vifp)->v_lock);				\
	(vifp)->v_refcnt--;					\
	if ((vifp)->v_refcnt == 0 &&				\
		((vifp)->v_marks & VIF_MARK_CONDEMNED)) {	\
			del_vifp(vifp);				\
	} else {						\
		mutex_exit(&(vifp)->v_lock);			\
	}							\
}

#define	MFCB_REFHOLD(mfcb) {				\
	mutex_enter(&(mfcb)->mfcb_lock);		\
	(mfcb)->mfcb_refcnt++;				\
	ASSERT((mfcb)->mfcb_refcnt != 0);		\
	mutex_exit(&(mfcb)->mfcb_lock);			\
}

#define	MFCB_REFRELE(mfcb) {					\
	mutex_enter(&(mfcb)->mfcb_lock);			\
	ASSERT((mfcb)->mfcb_refcnt != 0);			\
	if (--(mfcb)->mfcb_refcnt == 0 &&			\
		((mfcb)->mfcb_marks & MFCB_MARK_CONDEMNED)) {	\
			release_mfc(mfcb);			\
	}							\
	mutex_exit(&(mfcb)->mfcb_lock);				\
}

/*
 * MFCFIND:
 * Find a route for a given origin IP address and multicast group address.
 * Skip entries with pending upcalls.
 * Type of service parameter to be added in the future!
 */
#define	MFCFIND(mfcbp, o, g, rt) { \
	struct mfc *_mb_rt = NULL; \
	rt = NULL; \
	_mb_rt = mfcbp->mfcb_mfc; \
	while (_mb_rt) { \
		if ((_mb_rt->mfc_origin.s_addr == o) && \
		    (_mb_rt->mfc_mcastgrp.s_addr == g) && \
		    (_mb_rt->mfc_rte == NULL) && \
		    (!(_mb_rt->mfc_marks & MFCB_MARK_CONDEMNED))) {        \
		    rt = _mb_rt; \
		    break; \
		} \
	_mb_rt = _mb_rt->mfc_next; \
	} \
}

/*
 * BSD uses timeval with sec and usec. In SunOS 5.x uniqtime() and gethrtime()
 * are inefficient. We use gethrestime() which returns a timespec_t with
 * sec and nsec, the resolution is machine dependent.
 * The following 2 macros have been changed to use nsec instead of usec.
 */
/*
 * Macros to compute elapsed time efficiently.
 * Borrowed from Van Jacobson's scheduling code.
 * Delta should be a hrtime_t.
 */
#define	TV_DELTA(a, b, delta) { \
	int xxs; \
 \
	delta = (a).tv_nsec - (b).tv_nsec; \
	if ((xxs = (a).tv_sec - (b).tv_sec) != 0) { \
		switch (xxs) { \
		case 2: \
		    delta += 1000000000; \
		    /*FALLTHROUGH*/ \
		case 1: \
		    delta += 1000000000; \
		    break; \
		default: \
		    delta += (1000000000 * xxs); \
		} \
	} \
}

#define	TV_LT(a, b) (((a).tv_nsec < (b).tv_nsec && \
	(a).tv_sec <= (b).tv_sec) || (a).tv_sec < (b).tv_sec)

/*
 * Handle MRT setsockopt commands to modify the multicast routing tables.
 */
int
ip_mrouter_set(int cmd, conn_t *connp, int checkonly, uchar_t *data,
    int datalen)
{
	ip_stack_t	*ipst = connp->conn_netstack->netstack_ip;

	mutex_enter(&ipst->ips_ip_g_mrouter_mutex);
	if (cmd != MRT_INIT && connp != ipst->ips_ip_g_mrouter) {
		mutex_exit(&ipst->ips_ip_g_mrouter_mutex);
		return (EACCES);
	}
	mutex_exit(&ipst->ips_ip_g_mrouter_mutex);

	if (checkonly) {
		/*
		 * do not do operation, just pretend to - new T_CHECK
		 * Note: Even routines further on can probably fail but
		 * this T_CHECK stuff is only to please XTI so it not
		 * necessary to be perfect.
		 */
		switch (cmd) {
		case MRT_INIT:
		case MRT_DONE:
		case MRT_ADD_VIF:
		case MRT_DEL_VIF:
		case MRT_ADD_MFC:
		case MRT_DEL_MFC:
		case MRT_ASSERT:
			return (0);
		default:
			return (EOPNOTSUPP);
		}
	}

	/*
	 * make sure no command is issued after multicast routing has been
	 * turned off.
	 */
	if (cmd != MRT_INIT && cmd != MRT_DONE) {
		if (is_mrouter_off(ipst))
			return (EINVAL);
	}

	switch (cmd) {
	case MRT_INIT:	return (ip_mrouter_init(connp, data, datalen, ipst));
	case MRT_DONE:	return (ip_mrouter_done(ipst));
	case MRT_ADD_VIF:  return (add_vif((struct vifctl *)data, connp, ipst));
	case MRT_DEL_VIF:  return (del_vif((vifi_t *)data, ipst));
	case MRT_ADD_MFC:  return (add_mfc((struct mfcctl *)data, ipst));
	case MRT_DEL_MFC:  return (del_mfc((struct mfcctl *)data, ipst));
	case MRT_ASSERT:   return (set_assert((int *)data, ipst));
	default:	   return (EOPNOTSUPP);
	}
}

/*
 * Handle MRT getsockopt commands
 */
int
ip_mrouter_get(int cmd, conn_t *connp, uchar_t *data)
{
	ip_stack_t	*ipst = connp->conn_netstack->netstack_ip;

	if (connp != ipst->ips_ip_g_mrouter)
		return (EACCES);

	switch (cmd) {
	case MRT_VERSION:	return (get_version((uchar_t *)data));
	case MRT_ASSERT:	return (get_assert((uchar_t *)data, ipst));
	default:		return (EOPNOTSUPP);
	}
}

/*
 * Handle ioctl commands to obtain information from the cache.
 * Called with shared access to IP. These are read_only ioctls.
 */
/* ARGSUSED */
int
mrt_ioctl(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
    ip_ioctl_cmd_t *ipip, void *if_req)
{
	mblk_t	*mp1;
	struct iocblk *iocp = (struct iocblk *)mp->b_rptr;
	conn_t		*connp = Q_TO_CONN(q);
	ip_stack_t	*ipst = connp->conn_netstack->netstack_ip;

	/* Existence verified in ip_wput_nondata */
	mp1 = mp->b_cont->b_cont;

	switch (iocp->ioc_cmd) {
	case (SIOCGETVIFCNT):
		return (get_vif_cnt((struct sioc_vif_req *)mp1->b_rptr, ipst));
	case (SIOCGETSGCNT):
		return (get_sg_cnt((struct sioc_sg_req *)mp1->b_rptr, ipst));
	case (SIOCGETLSGCNT):
		return (get_lsg_cnt((struct sioc_lsg_req *)mp1->b_rptr, ipst));
	default:
		return (EINVAL);
	}
}

/*
 * Returns the packet, byte, rpf-failure count for the source, group provided.
 */
static int
get_sg_cnt(struct sioc_sg_req *req, ip_stack_t *ipst)
{
	struct mfc *rt;
	struct mfcb *mfcbp;

	mfcbp = &ipst->ips_mfcs[MFCHASH(req->src.s_addr, req->grp.s_addr)];
	MFCB_REFHOLD(mfcbp);
	MFCFIND(mfcbp, req->src.s_addr, req->grp.s_addr, rt);

	if (rt != NULL) {
		mutex_enter(&rt->mfc_mutex);
		req->pktcnt   = rt->mfc_pkt_cnt;
		req->bytecnt  = rt->mfc_byte_cnt;
		req->wrong_if = rt->mfc_wrong_if;
		mutex_exit(&rt->mfc_mutex);
	} else
		req->pktcnt = req->bytecnt = req->wrong_if = 0xffffffffU;

	MFCB_REFRELE(mfcbp);
	return (0);
}

/*
 * Returns the packet, byte, rpf-failure count for the source, group provided.
 * Uses larger counters and IPv6 addresses.
 */
/* ARGSUSED XXX until implemented */
static int
get_lsg_cnt(struct sioc_lsg_req *req, ip_stack_t *ipst)
{
	/* XXX TODO SIOCGETLSGCNT */
	return (ENXIO);
}

/*
 * Returns the input and output packet and byte counts on the vif provided.
 */
static int
get_vif_cnt(struct sioc_vif_req *req, ip_stack_t *ipst)
{
	vifi_t vifi = req->vifi;

	if (vifi >= ipst->ips_numvifs)
		return (EINVAL);

	/*
	 * No locks here, an approximation is fine.
	 */
	req->icount = ipst->ips_vifs[vifi].v_pkt_in;
	req->ocount = ipst->ips_vifs[vifi].v_pkt_out;
	req->ibytes = ipst->ips_vifs[vifi].v_bytes_in;
	req->obytes = ipst->ips_vifs[vifi].v_bytes_out;

	return (0);
}

static int
get_version(uchar_t *data)
{
	int *v = (int *)data;

	*v = 0x0305;	/* XXX !!!! */

	return (0);
}

/*
 * Set PIM assert processing global.
 */
static int
set_assert(int *i, ip_stack_t *ipst)
{
	if ((*i != 1) && (*i != 0))
		return (EINVAL);

	ipst->ips_pim_assert = *i;

	return (0);
}

/*
 * Get PIM assert processing global.
 */
static int
get_assert(uchar_t *data, ip_stack_t *ipst)
{
	int *i = (int *)data;

	*i = ipst->ips_pim_assert;

	return (0);
}

/*
 * Enable multicast routing.
 */
static int
ip_mrouter_init(conn_t *connp, uchar_t *data, int datalen, ip_stack_t *ipst)
{
	int	*v;

	if (data == NULL || (datalen != sizeof (int)))
		return (ENOPROTOOPT);

	v = (int *)data;
	if (*v != 1)
		return (ENOPROTOOPT);

	mutex_enter(&ipst->ips_ip_g_mrouter_mutex);
	if (ipst->ips_ip_g_mrouter != NULL) {
		mutex_exit(&ipst->ips_ip_g_mrouter_mutex);
		return (EADDRINUSE);
	}

	/*
	 * MRT_INIT should only be allowed for RAW sockets, but we double
	 * check.
	 */
	if (!IPCL_IS_RAWIP(connp)) {
		mutex_exit(&ipst->ips_ip_g_mrouter_mutex);
		return (EINVAL);
	}

	ipst->ips_ip_g_mrouter = connp;
	connp->conn_multi_router = 1;
	/* In order for tunnels to work we have to turn ip_g_forward on */
	if (!WE_ARE_FORWARDING(ipst)) {
		if (ipst->ips_ip_mrtdebug > 1) {
			(void) mi_strlog(connp->conn_rq, 1, SL_TRACE,
			    "ip_mrouter_init: turning on forwarding");
		}
		ipst->ips_saved_ip_forwarding = ipst->ips_ip_forwarding;
		ipst->ips_ip_forwarding = IP_FORWARD_ALWAYS;
	}

	mutex_exit(&ipst->ips_ip_g_mrouter_mutex);
	return (0);
}

void
ip_mrouter_stack_init(ip_stack_t *ipst)
{
	mutex_init(&ipst->ips_ip_g_mrouter_mutex, NULL, MUTEX_DEFAULT, NULL);

	ipst->ips_vifs = kmem_zalloc(sizeof (struct vif) * (MAXVIFS+1),
	    KM_SLEEP);
	ipst->ips_mrtstat = kmem_zalloc(sizeof (struct mrtstat), KM_SLEEP);
	/*
	 * mfctable:
	 * Includes all mfcs, including waiting upcalls.
	 * Multiple mfcs per bucket.
	 */
	ipst->ips_mfcs = kmem_zalloc(sizeof (struct mfcb) * MFCTBLSIZ,
	    KM_SLEEP);
	/*
	 * Define the token bucket filter structures.
	 * tbftable -> each vif has one of these for storing info.
	 */
	ipst->ips_tbfs = kmem_zalloc(sizeof (struct tbf) * MAXVIFS, KM_SLEEP);

	mutex_init(&ipst->ips_last_encap_lock, NULL, MUTEX_DEFAULT, NULL);

	ipst->ips_mrtstat->mrts_vifctlSize = sizeof (struct vifctl);
	ipst->ips_mrtstat->mrts_mfcctlSize = sizeof (struct mfcctl);
}

/*
 * Disable multicast routing.
 * Didn't use global timeout_val (BSD version), instead check the mfctable.
 */
int
ip_mrouter_done(ip_stack_t *ipst)
{
	conn_t		*mrouter;
	vifi_t 		vifi;
	struct mfc	*mfc_rt;
	int		i;

	mutex_enter(&ipst->ips_ip_g_mrouter_mutex);
	if (ipst->ips_ip_g_mrouter == NULL) {
		mutex_exit(&ipst->ips_ip_g_mrouter_mutex);
		return (EINVAL);
	}

	mrouter = ipst->ips_ip_g_mrouter;

	if (ipst->ips_saved_ip_forwarding != -1) {
		if (ipst->ips_ip_mrtdebug > 1) {
			(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
			    "ip_mrouter_done: turning off forwarding");
		}
		ipst->ips_ip_forwarding = ipst->ips_saved_ip_forwarding;
		ipst->ips_saved_ip_forwarding = -1;
	}

	/*
	 * Always clear cache when vifs change.
	 * No need to get ipst->ips_last_encap_lock since we are running as
	 * a writer.
	 */
	mutex_enter(&ipst->ips_last_encap_lock);
	ipst->ips_last_encap_src = 0;
	ipst->ips_last_encap_vif = NULL;
	mutex_exit(&ipst->ips_last_encap_lock);
	mrouter->conn_multi_router = 0;

	mutex_exit(&ipst->ips_ip_g_mrouter_mutex);

	/*
	 * For each phyint in use,
	 * disable promiscuous reception of all IP multicasts.
	 */
	for (vifi = 0; vifi < MAXVIFS; vifi++) {
		struct vif *vifp = ipst->ips_vifs + vifi;

		mutex_enter(&vifp->v_lock);
		/*
		 * if the vif is active mark it condemned.
		 */
		if (vifp->v_marks & VIF_MARK_GOOD) {
			ASSERT(vifp->v_ipif != NULL);
			ipif_refhold(vifp->v_ipif);
			/* Phyint only */
			if (!(vifp->v_flags & (VIFF_TUNNEL | VIFF_REGISTER))) {
				ipif_t *ipif = vifp->v_ipif;
				ilm_t *ilm = vifp->v_ilm;

				vifp->v_ilm = NULL;
				vifp->v_marks &= ~VIF_MARK_GOOD;
				vifp->v_marks |= VIF_MARK_CONDEMNED;

				mutex_exit(&(vifp)->v_lock);
				if (ilm != NULL) {
					ill_t *ill = ipif->ipif_ill;

					(void) ip_delmulti(ilm);
					ASSERT(ill->ill_mrouter_cnt > 0);
					atomic_dec_32(&ill->ill_mrouter_cnt);
				}
				mutex_enter(&vifp->v_lock);
			}
			ipif_refrele(vifp->v_ipif);
			/*
			 * decreases the refcnt added in add_vif.
			 * and release v_lock.
			 */
			VIF_REFRELE_LOCKED(vifp);
		} else {
			mutex_exit(&vifp->v_lock);
			continue;
		}
	}

	mutex_enter(&ipst->ips_numvifs_mutex);
	ipst->ips_numvifs = 0;
	ipst->ips_pim_assert = 0;
	ipst->ips_reg_vif_num = ALL_VIFS;
	mutex_exit(&ipst->ips_numvifs_mutex);

	/*
	 * Free upcall msgs.
	 * Go through mfctable and stop any outstanding upcall
	 * timeouts remaining on mfcs.
	 */
	for (i = 0; i < MFCTBLSIZ; i++) {
		mutex_enter(&ipst->ips_mfcs[i].mfcb_lock);
		ipst->ips_mfcs[i].mfcb_refcnt++;
		ipst->ips_mfcs[i].mfcb_marks |= MFCB_MARK_CONDEMNED;
		mutex_exit(&ipst->ips_mfcs[i].mfcb_lock);
		mfc_rt = ipst->ips_mfcs[i].mfcb_mfc;
		while (mfc_rt) {
			/* Free upcalls */
			mutex_enter(&mfc_rt->mfc_mutex);
			if (mfc_rt->mfc_rte != NULL) {
				if (mfc_rt->mfc_timeout_id != 0) {
					/*
					 * OK to drop the lock as we have
					 * a refcnt on the bucket. timeout
					 * can fire but it will see that
					 * mfc_timeout_id == 0 and not do
					 * anything. see expire_upcalls().
					 */
					mfc_rt->mfc_timeout_id = 0;
					mutex_exit(&mfc_rt->mfc_mutex);
					(void) untimeout(
					    mfc_rt->mfc_timeout_id);
						mfc_rt->mfc_timeout_id = 0;
					mutex_enter(&mfc_rt->mfc_mutex);

					/*
					 * all queued upcall packets
					 * and mblk will be freed in
					 * release_mfc().
					 */
				}
			}

			mfc_rt->mfc_marks |= MFCB_MARK_CONDEMNED;

			mutex_exit(&mfc_rt->mfc_mutex);
			mfc_rt = mfc_rt->mfc_next;
		}
		MFCB_REFRELE(&ipst->ips_mfcs[i]);
	}

	mutex_enter(&ipst->ips_ip_g_mrouter_mutex);
	ipst->ips_ip_g_mrouter = NULL;
	mutex_exit(&ipst->ips_ip_g_mrouter_mutex);
	return (0);
}

void
ip_mrouter_stack_destroy(ip_stack_t *ipst)
{
	struct mfcb *mfcbp;
	struct mfc  *rt;
	int i;

	for (i = 0; i < MFCTBLSIZ; i++) {
		mfcbp = &ipst->ips_mfcs[i];

		while ((rt = mfcbp->mfcb_mfc) != NULL) {
			(void) printf("ip_mrouter_stack_destroy: free for %d\n",
			    i);

			mfcbp->mfcb_mfc = rt->mfc_next;
			free_queue(rt);
			mi_free(rt);
		}
	}
	kmem_free(ipst->ips_vifs, sizeof (struct vif) * (MAXVIFS+1));
	ipst->ips_vifs = NULL;
	kmem_free(ipst->ips_mrtstat, sizeof (struct mrtstat));
	ipst->ips_mrtstat = NULL;
	kmem_free(ipst->ips_mfcs, sizeof (struct mfcb) * MFCTBLSIZ);
	ipst->ips_mfcs = NULL;
	kmem_free(ipst->ips_tbfs, sizeof (struct tbf) * MAXVIFS);
	ipst->ips_tbfs = NULL;

	mutex_destroy(&ipst->ips_last_encap_lock);
	mutex_destroy(&ipst->ips_ip_g_mrouter_mutex);
}

static boolean_t
is_mrouter_off(ip_stack_t *ipst)
{
	conn_t	*mrouter;

	mutex_enter(&ipst->ips_ip_g_mrouter_mutex);
	if (ipst->ips_ip_g_mrouter == NULL) {
		mutex_exit(&ipst->ips_ip_g_mrouter_mutex);
		return (B_TRUE);
	}

	mrouter = ipst->ips_ip_g_mrouter;
	if (mrouter->conn_multi_router == 0) {
		mutex_exit(&ipst->ips_ip_g_mrouter_mutex);
		return (B_TRUE);
	}
	mutex_exit(&ipst->ips_ip_g_mrouter_mutex);
	return (B_FALSE);
}

static void
unlock_good_vif(struct vif *vifp)
{
	ASSERT(vifp->v_ipif != NULL);
	ipif_refrele(vifp->v_ipif);
	VIF_REFRELE(vifp);
}

static boolean_t
lock_good_vif(struct vif *vifp)
{
	mutex_enter(&vifp->v_lock);
	if (!(vifp->v_marks & VIF_MARK_GOOD)) {
		mutex_exit(&vifp->v_lock);
		return (B_FALSE);
	}

	ASSERT(vifp->v_ipif != NULL);
	mutex_enter(&vifp->v_ipif->ipif_ill->ill_lock);
	if (!IPIF_CAN_LOOKUP(vifp->v_ipif)) {
		mutex_exit(&vifp->v_ipif->ipif_ill->ill_lock);
		mutex_exit(&vifp->v_lock);
		return (B_FALSE);
	}
	ipif_refhold_locked(vifp->v_ipif);
	mutex_exit(&vifp->v_ipif->ipif_ill->ill_lock);
	vifp->v_refcnt++;
	mutex_exit(&vifp->v_lock);
	return (B_TRUE);
}

/*
 * Add a vif to the vif table.
 */
static int
add_vif(struct vifctl *vifcp, conn_t *connp, ip_stack_t *ipst)
{
	struct vif	*vifp = ipst->ips_vifs + vifcp->vifc_vifi;
	ipif_t		*ipif;
	int		error = 0;
	struct tbf	*v_tbf = ipst->ips_tbfs + vifcp->vifc_vifi;
	conn_t		*mrouter = ipst->ips_ip_g_mrouter;
	ilm_t		*ilm;
	ill_t		*ill;

	ASSERT(connp != NULL);

	if (vifcp->vifc_vifi >= MAXVIFS)
		return (EINVAL);

	if (is_mrouter_off(ipst))
		return (EINVAL);

	mutex_enter(&vifp->v_lock);
	/*
	 * Viftable entry should be 0.
	 * if v_marks == 0 but v_refcnt != 0 means struct is being
	 * initialized.
	 *
	 * Also note that it is very unlikely that we will get a MRT_ADD_VIF
	 * request while the delete is in progress, mrouted only sends add
	 * requests when a new interface is added and the new interface cannot
	 * have the same vifi as an existing interface. We make sure that
	 * ill_delete will block till the vif is deleted by adding a refcnt
	 * to ipif in del_vif().
	 */
	if (vifp->v_lcl_addr.s_addr != 0 ||
	    vifp->v_marks != 0 ||
	    vifp->v_refcnt != 0) {
		mutex_exit(&vifp->v_lock);
		return (EADDRINUSE);
	}

	/* Incoming vif should not be 0 */
	if (vifcp->vifc_lcl_addr.s_addr == 0) {
		mutex_exit(&vifp->v_lock);
		return (EINVAL);
	}

	vifp->v_refcnt++;
	mutex_exit(&vifp->v_lock);
	/* Find the interface with the local address */
	ipif = ipif_lookup_addr((ipaddr_t)vifcp->vifc_lcl_addr.s_addr, NULL,
	    IPCL_ZONEID(connp), ipst);
	if (ipif == NULL) {
		VIF_REFRELE(vifp);
		return (EADDRNOTAVAIL);
	}

	if (ipst->ips_ip_mrtdebug > 1) {
		(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
		    "add_vif: src 0x%x enter",
		    vifcp->vifc_lcl_addr.s_addr);
	}

	mutex_enter(&vifp->v_lock);
	/*
	 * Always clear cache when vifs change.
	 * Needed to ensure that src isn't left over from before vif was added.
	 * No need to get last_encap_lock, since we are running as a writer.
	 */

	mutex_enter(&ipst->ips_last_encap_lock);
	ipst->ips_last_encap_src = 0;
	ipst->ips_last_encap_vif = NULL;
	mutex_exit(&ipst->ips_last_encap_lock);

	if (vifcp->vifc_flags & VIFF_TUNNEL) {
		if ((vifcp->vifc_flags & VIFF_SRCRT) != 0) {
			cmn_err(CE_WARN,
			    "add_vif: source route tunnels not supported\n");
			VIF_REFRELE_LOCKED(vifp);
			ipif_refrele(ipif);
			return (EOPNOTSUPP);
		}
		vifp->v_rmt_addr  = vifcp->vifc_rmt_addr;

	} else {
		/* Phyint or Register vif */
		if (vifcp->vifc_flags & VIFF_REGISTER) {
			/*
			 * Note: Since all IPPROTO_IP level options (including
			 * MRT_ADD_VIF) are done exclusively via
			 * ip_optmgmt_writer(), a lock is not necessary to
			 * protect reg_vif_num.
			 */
			mutex_enter(&ipst->ips_numvifs_mutex);
			if (ipst->ips_reg_vif_num == ALL_VIFS) {
				ipst->ips_reg_vif_num = vifcp->vifc_vifi;
				mutex_exit(&ipst->ips_numvifs_mutex);
			} else {
				mutex_exit(&ipst->ips_numvifs_mutex);
				VIF_REFRELE_LOCKED(vifp);
				ipif_refrele(ipif);
				return (EADDRINUSE);
			}
		}

		/* Make sure the interface supports multicast */
		if ((ipif->ipif_ill->ill_flags & ILLF_MULTICAST) == 0) {
			VIF_REFRELE_LOCKED(vifp);
			ipif_refrele(ipif);
			if (vifcp->vifc_flags & VIFF_REGISTER) {
				mutex_enter(&ipst->ips_numvifs_mutex);
				ipst->ips_reg_vif_num = ALL_VIFS;
				mutex_exit(&ipst->ips_numvifs_mutex);
			}
			return (EOPNOTSUPP);
		}
		/* Enable promiscuous reception of all IP mcasts from the if */
		mutex_exit(&vifp->v_lock);

		ill = ipif->ipif_ill;
		if (IS_UNDER_IPMP(ill))
			ill = ipmp_ill_hold_ipmp_ill(ill);

		if (ill == NULL) {
			ilm = NULL;
		} else {
			ilm = ip_addmulti(&ipv6_all_zeros, ill,
			    ipif->ipif_zoneid, &error);
			if (ilm != NULL)
				atomic_inc_32(&ill->ill_mrouter_cnt);
			if (IS_UNDER_IPMP(ipif->ipif_ill)) {
				ill_refrele(ill);
				ill = ipif->ipif_ill;
			}
		}

		mutex_enter(&vifp->v_lock);
		/*
		 * since we released the lock lets make sure that
		 * ip_mrouter_done() has not been called.
		 */
		if (ilm == NULL || is_mrouter_off(ipst)) {
			if (ilm != NULL) {
				(void) ip_delmulti(ilm);
				ASSERT(ill->ill_mrouter_cnt > 0);
				atomic_dec_32(&ill->ill_mrouter_cnt);
			}
			if (vifcp->vifc_flags & VIFF_REGISTER) {
				mutex_enter(&ipst->ips_numvifs_mutex);
				ipst->ips_reg_vif_num = ALL_VIFS;
				mutex_exit(&ipst->ips_numvifs_mutex);
			}
			VIF_REFRELE_LOCKED(vifp);
			ipif_refrele(ipif);
			return (error?error:EINVAL);
		}
		vifp->v_ilm = ilm;
	}
	/* Define parameters for the tbf structure */
	vifp->v_tbf = v_tbf;
	gethrestime(&vifp->v_tbf->tbf_last_pkt_t);
	vifp->v_tbf->tbf_n_tok = 0;
	vifp->v_tbf->tbf_q_len = 0;
	vifp->v_tbf->tbf_max_q_len = MAXQSIZE;
	vifp->v_tbf->tbf_q = vifp->v_tbf->tbf_t = NULL;

	vifp->v_flags = vifcp->vifc_flags;
	vifp->v_threshold = vifcp->vifc_threshold;
	vifp->v_lcl_addr = vifcp->vifc_lcl_addr;
	vifp->v_ipif = ipif;
	ipif_refrele(ipif);
	/* Scaling up here, allows division by 1024 in critical code.	*/
	vifp->v_rate_limit = vifcp->vifc_rate_limit * (1024/1000);
	vifp->v_timeout_id = 0;
	/* initialize per vif pkt counters */
	vifp->v_pkt_in = 0;
	vifp->v_pkt_out = 0;
	vifp->v_bytes_in = 0;
	vifp->v_bytes_out = 0;
	mutex_init(&vifp->v_tbf->tbf_lock, NULL, MUTEX_DEFAULT, NULL);

	/* Adjust numvifs up, if the vifi is higher than numvifs */
	mutex_enter(&ipst->ips_numvifs_mutex);
	if (ipst->ips_numvifs <= vifcp->vifc_vifi)
		ipst->ips_numvifs = vifcp->vifc_vifi + 1;
	mutex_exit(&ipst->ips_numvifs_mutex);

	if (ipst->ips_ip_mrtdebug > 1) {
		(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
		    "add_vif: #%d, lcladdr %x, %s %x, thresh %x, rate %d",
		    vifcp->vifc_vifi,
		    ntohl(vifcp->vifc_lcl_addr.s_addr),
		    (vifcp->vifc_flags & VIFF_TUNNEL) ? "rmtaddr" : "mask",
		    ntohl(vifcp->vifc_rmt_addr.s_addr),
		    vifcp->vifc_threshold, vifcp->vifc_rate_limit);
	}

	vifp->v_marks = VIF_MARK_GOOD;
	mutex_exit(&vifp->v_lock);
	return (0);
}


/* Delete a vif from the vif table. */
static void
del_vifp(struct vif *vifp)
{
	struct tbf	*t = vifp->v_tbf;
	mblk_t  *mp0;
	vifi_t  vifi;
	ip_stack_t	*ipst = vifp->v_ipif->ipif_ill->ill_ipst;
	conn_t		*mrouter = ipst->ips_ip_g_mrouter;

	ASSERT(vifp->v_marks & VIF_MARK_CONDEMNED);
	ASSERT(t != NULL);

	if (ipst->ips_ip_mrtdebug > 1) {
		(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
		    "del_vif: src 0x%x\n", vifp->v_lcl_addr.s_addr);
	}

	if (vifp->v_timeout_id != 0) {
		(void) untimeout(vifp->v_timeout_id);
		vifp->v_timeout_id = 0;
	}

	/*
	 * Free packets queued at the interface.
	 * Mrouted takes care of cleaning up mfcs - makes calls to del_mfc.
	 */
	mutex_enter(&t->tbf_lock);
	while (t->tbf_q != NULL) {
		mp0 = t->tbf_q;
		t->tbf_q = t->tbf_q->b_next;
		mp0->b_prev = mp0->b_next = NULL;
		freemsg(mp0);
	}
	mutex_exit(&t->tbf_lock);

	/*
	 * Always clear cache when vifs change.
	 * No need to get last_encap_lock since we are running as a writer.
	 */
	mutex_enter(&ipst->ips_last_encap_lock);
	if (vifp == ipst->ips_last_encap_vif) {
		ipst->ips_last_encap_vif = NULL;
		ipst->ips_last_encap_src = 0;
	}
	mutex_exit(&ipst->ips_last_encap_lock);

	mutex_destroy(&t->tbf_lock);

	bzero(vifp->v_tbf, sizeof (*(vifp->v_tbf)));

	/* Adjust numvifs down */
	mutex_enter(&ipst->ips_numvifs_mutex);
	for (vifi = ipst->ips_numvifs; vifi != 0; vifi--) /* vifi is unsigned */
		if (ipst->ips_vifs[vifi - 1].v_lcl_addr.s_addr != 0)
			break;
	ipst->ips_numvifs = vifi;
	mutex_exit(&ipst->ips_numvifs_mutex);

	bzero(vifp, sizeof (*vifp));
}

static int
del_vif(vifi_t *vifip, ip_stack_t *ipst)
{
	struct vif	*vifp = ipst->ips_vifs + *vifip;

	if (*vifip >= ipst->ips_numvifs)
		return (EINVAL);

	mutex_enter(&vifp->v_lock);
	/*
	 * Not initialized
	 * Here we are not looking at the vif that is being initialized
	 * i.e vifp->v_marks == 0 and refcnt > 0.
	 */
	if (vifp->v_lcl_addr.s_addr == 0 ||
	    !(vifp->v_marks & VIF_MARK_GOOD)) {
		mutex_exit(&vifp->v_lock);
		return (EADDRNOTAVAIL);
	}

	/* Clear VIF_MARK_GOOD and set VIF_MARK_CONDEMNED. */
	vifp->v_marks &= ~VIF_MARK_GOOD;
	vifp->v_marks |= VIF_MARK_CONDEMNED;

	/* Phyint only */
	if (!(vifp->v_flags & (VIFF_TUNNEL | VIFF_REGISTER))) {
		ipif_t *ipif = vifp->v_ipif;
		ilm_t *ilm = vifp->v_ilm;

		vifp->v_ilm = NULL;

		ASSERT(ipif != NULL);
		/*
		 * should be OK to drop the lock as we
		 * have marked this as CONDEMNED.
		 */
		mutex_exit(&(vifp)->v_lock);
		if (ilm != NULL) {
			(void) ip_delmulti(ilm);
			ASSERT(ipif->ipif_ill->ill_mrouter_cnt > 0);
			atomic_dec_32(&ipif->ipif_ill->ill_mrouter_cnt);
		}
		mutex_enter(&(vifp)->v_lock);
	}

	if (vifp->v_flags & VIFF_REGISTER) {
		mutex_enter(&ipst->ips_numvifs_mutex);
		ipst->ips_reg_vif_num = ALL_VIFS;
		mutex_exit(&ipst->ips_numvifs_mutex);
	}

	/*
	 * decreases the refcnt added in add_vif.
	 */
	VIF_REFRELE_LOCKED(vifp);
	return (0);
}

/*
 * Add an mfc entry.
 */
static int
add_mfc(struct mfcctl *mfccp, ip_stack_t *ipst)
{
	struct mfc *rt;
	struct rtdetq *rte;
	ushort_t nstl;
	int i;
	struct mfcb *mfcbp;
	conn_t		*mrouter = ipst->ips_ip_g_mrouter;

	/*
	 * The value of vifi is NO_VIF (==MAXVIFS) if Mrouted
	 * did not have a real route for pkt.
	 * We want this pkt without rt installed in the mfctable to prevent
	 * multiiple tries, so go ahead and put it in mfctable, it will
	 * be discarded later in ip_mdq() because the child is NULL.
	 */

	/* Error checking, out of bounds? */
	if (mfccp->mfcc_parent > MAXVIFS) {
		ip0dbg(("ADD_MFC: mfcc_parent out of range %d",
		    (int)mfccp->mfcc_parent));
		return (EINVAL);
	}

	if ((mfccp->mfcc_parent != NO_VIF) &&
	    (ipst->ips_vifs[mfccp->mfcc_parent].v_ipif == NULL)) {
		ip0dbg(("ADD_MFC: NULL ipif for parent vif %d\n",
		    (int)mfccp->mfcc_parent));
		return (EINVAL);
	}

	if (is_mrouter_off(ipst)) {
		return (EINVAL);
	}

	mfcbp = &ipst->ips_mfcs[MFCHASH(mfccp->mfcc_origin.s_addr,
	    mfccp->mfcc_mcastgrp.s_addr)];
	MFCB_REFHOLD(mfcbp);
	MFCFIND(mfcbp, mfccp->mfcc_origin.s_addr,
	    mfccp->mfcc_mcastgrp.s_addr, rt);

	/* If an entry already exists, just update the fields */
	if (rt) {
		if (ipst->ips_ip_mrtdebug > 1) {
			(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
			    "add_mfc: update o %x grp %x parent %x",
			    ntohl(mfccp->mfcc_origin.s_addr),
			    ntohl(mfccp->mfcc_mcastgrp.s_addr),
			    mfccp->mfcc_parent);
		}
		mutex_enter(&rt->mfc_mutex);
		rt->mfc_parent = mfccp->mfcc_parent;

		mutex_enter(&ipst->ips_numvifs_mutex);
		for (i = 0; i < (int)ipst->ips_numvifs; i++)
			rt->mfc_ttls[i] = mfccp->mfcc_ttls[i];
		mutex_exit(&ipst->ips_numvifs_mutex);
		mutex_exit(&rt->mfc_mutex);

		MFCB_REFRELE(mfcbp);
		return (0);
	}

	/*
	 * Find the entry for which the upcall was made and update.
	 */
	for (rt = mfcbp->mfcb_mfc, nstl = 0; rt; rt = rt->mfc_next) {
		mutex_enter(&rt->mfc_mutex);
		if ((rt->mfc_origin.s_addr == mfccp->mfcc_origin.s_addr) &&
		    (rt->mfc_mcastgrp.s_addr == mfccp->mfcc_mcastgrp.s_addr) &&
		    (rt->mfc_rte != NULL) &&
		    !(rt->mfc_marks & MFCB_MARK_CONDEMNED)) {
			if (nstl++ != 0)
				cmn_err(CE_WARN,
				    "add_mfc: %s o %x g %x p %x",
				    "multiple kernel entries",
				    ntohl(mfccp->mfcc_origin.s_addr),
				    ntohl(mfccp->mfcc_mcastgrp.s_addr),
				    mfccp->mfcc_parent);

			if (ipst->ips_ip_mrtdebug > 1) {
				(void) mi_strlog(mrouter->conn_rq, 1,
				    SL_TRACE,
				    "add_mfc: o %x g %x p %x",
				    ntohl(mfccp->mfcc_origin.s_addr),
				    ntohl(mfccp->mfcc_mcastgrp.s_addr),
				    mfccp->mfcc_parent);
			}
			fill_route(rt, mfccp, ipst);

			/*
			 * Prevent cleanup of cache entry.
			 * Timer starts in ip_mforward.
			 */
			if (rt->mfc_timeout_id != 0) {
				timeout_id_t id;
				id = rt->mfc_timeout_id;
				/*
				 * setting id to zero will avoid this
				 * entry from being cleaned up in
				 * expire_up_calls().
				 */
				rt->mfc_timeout_id = 0;
				/*
				 * dropping the lock is fine as we
				 * have a refhold on the bucket.
				 * so mfc cannot be freed.
				 * The timeout can fire but it will see
				 * that mfc_timeout_id == 0 and not cleanup.
				 */
				mutex_exit(&rt->mfc_mutex);
				(void) untimeout(id);
				mutex_enter(&rt->mfc_mutex);
			}

			/*
			 * Send all pkts that are queued waiting for the upcall.
			 * ip_mdq param tun set to 0 -
			 * the return value of ip_mdq() isn't used here,
			 * so value we send doesn't matter.
			 */
			while (rt->mfc_rte != NULL) {
				rte = rt->mfc_rte;
				rt->mfc_rte = rte->rte_next;
				mutex_exit(&rt->mfc_mutex);
				(void) ip_mdq(rte->mp, (ipha_t *)
				    rte->mp->b_rptr, rte->ill, 0, rt);
				freemsg(rte->mp);
				mi_free((char *)rte);
				mutex_enter(&rt->mfc_mutex);
			}
		}
		mutex_exit(&rt->mfc_mutex);
	}


	/*
	 * It is possible that an entry is being inserted without an upcall
	 */
	if (nstl == 0) {
		mutex_enter(&(mfcbp->mfcb_lock));
		if (ipst->ips_ip_mrtdebug > 1) {
			(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
			    "add_mfc: no upcall o %x g %x p %x",
			    ntohl(mfccp->mfcc_origin.s_addr),
			    ntohl(mfccp->mfcc_mcastgrp.s_addr),
			    mfccp->mfcc_parent);
		}
		if (is_mrouter_off(ipst)) {
			mutex_exit(&mfcbp->mfcb_lock);
			MFCB_REFRELE(mfcbp);
			return (EINVAL);
		}

		for (rt = mfcbp->mfcb_mfc; rt; rt = rt->mfc_next) {

			mutex_enter(&rt->mfc_mutex);
			if ((rt->mfc_origin.s_addr ==
			    mfccp->mfcc_origin.s_addr) &&
			    (rt->mfc_mcastgrp.s_addr ==
			    mfccp->mfcc_mcastgrp.s_addr) &&
			    (!(rt->mfc_marks & MFCB_MARK_CONDEMNED))) {
				fill_route(rt, mfccp, ipst);
				mutex_exit(&rt->mfc_mutex);
				break;
			}
			mutex_exit(&rt->mfc_mutex);
		}

		/* No upcall, so make a new entry into mfctable */
		if (rt == NULL) {
			rt = (struct mfc *)mi_zalloc(sizeof (struct mfc));
			if (rt == NULL) {
				ip1dbg(("add_mfc: out of memory\n"));
				mutex_exit(&mfcbp->mfcb_lock);
				MFCB_REFRELE(mfcbp);
				return (ENOBUFS);
			}

			/* Insert new entry at head of hash chain */
			mutex_enter(&rt->mfc_mutex);
			fill_route(rt, mfccp, ipst);

			/* Link into table */
			rt->mfc_next   = mfcbp->mfcb_mfc;
			mfcbp->mfcb_mfc = rt;
			mutex_exit(&rt->mfc_mutex);
		}
		mutex_exit(&mfcbp->mfcb_lock);
	}

	MFCB_REFRELE(mfcbp);
	return (0);
}

/*
 * Fills in mfc structure from mrouted mfcctl.
 */
static void
fill_route(struct mfc *rt, struct mfcctl *mfccp, ip_stack_t *ipst)
{
	int i;

	rt->mfc_origin		= mfccp->mfcc_origin;
	rt->mfc_mcastgrp	= mfccp->mfcc_mcastgrp;
	rt->mfc_parent		= mfccp->mfcc_parent;
	mutex_enter(&ipst->ips_numvifs_mutex);
	for (i = 0; i < (int)ipst->ips_numvifs; i++) {
		rt->mfc_ttls[i] = mfccp->mfcc_ttls[i];
	}
	mutex_exit(&ipst->ips_numvifs_mutex);
	/* Initialize pkt counters per src-grp */
	rt->mfc_pkt_cnt	= 0;
	rt->mfc_byte_cnt	= 0;
	rt->mfc_wrong_if	= 0;
	rt->mfc_last_assert.tv_sec = rt->mfc_last_assert.tv_nsec = 0;

}

static void
free_queue(struct mfc *mfcp)
{
	struct rtdetq *rte0;

	/*
	 * Drop all queued upcall packets.
	 * Free the mbuf with the pkt.
	 */
	while ((rte0 = mfcp->mfc_rte) != NULL) {
		mfcp->mfc_rte = rte0->rte_next;
		freemsg(rte0->mp);
		mi_free((char *)rte0);
	}
}
/*
 * go thorugh the hash bucket and free all the entries marked condemned.
 */
void
release_mfc(struct mfcb *mfcbp)
{
	struct mfc *current_mfcp;
	struct mfc *prev_mfcp;

	prev_mfcp = current_mfcp = mfcbp->mfcb_mfc;

	while (current_mfcp != NULL) {
		if (current_mfcp->mfc_marks & MFCB_MARK_CONDEMNED) {
			if (current_mfcp == mfcbp->mfcb_mfc) {
				mfcbp->mfcb_mfc = current_mfcp->mfc_next;
				free_queue(current_mfcp);
				mi_free(current_mfcp);
				prev_mfcp = current_mfcp = mfcbp->mfcb_mfc;
				continue;
			}
			ASSERT(prev_mfcp != NULL);
			prev_mfcp->mfc_next = current_mfcp->mfc_next;
			free_queue(current_mfcp);
			mi_free(current_mfcp);
			current_mfcp = NULL;
		} else {
			prev_mfcp = current_mfcp;
		}

		current_mfcp = prev_mfcp->mfc_next;

	}
	mfcbp->mfcb_marks &= ~MFCB_MARK_CONDEMNED;
	ASSERT(mfcbp->mfcb_mfc != NULL || mfcbp->mfcb_marks == 0);
}

/*
 * Delete an mfc entry.
 */
static int
del_mfc(struct mfcctl *mfccp, ip_stack_t *ipst)
{
	struct in_addr	origin;
	struct in_addr	mcastgrp;
	struct mfc 	*rt;
	uint_t		hash;
	conn_t		*mrouter = ipst->ips_ip_g_mrouter;

	origin = mfccp->mfcc_origin;
	mcastgrp = mfccp->mfcc_mcastgrp;
	hash = MFCHASH(origin.s_addr, mcastgrp.s_addr);

	if (ipst->ips_ip_mrtdebug > 1) {
		(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
		    "del_mfc: o %x g %x",
		    ntohl(origin.s_addr),
		    ntohl(mcastgrp.s_addr));
	}

	MFCB_REFHOLD(&ipst->ips_mfcs[hash]);

	/* Find mfc in mfctable, finds only entries without upcalls */
	for (rt = ipst->ips_mfcs[hash].mfcb_mfc; rt; rt = rt->mfc_next) {
		mutex_enter(&rt->mfc_mutex);
		if (origin.s_addr == rt->mfc_origin.s_addr &&
		    mcastgrp.s_addr == rt->mfc_mcastgrp.s_addr &&
		    rt->mfc_rte == NULL &&
		    !(rt->mfc_marks & MFCB_MARK_CONDEMNED))
			break;
		mutex_exit(&rt->mfc_mutex);
	}

	/*
	 * Return if there was an upcall (mfc_rte != NULL,
	 * or rt not in mfctable.
	 */
	if (rt == NULL) {
		MFCB_REFRELE(&ipst->ips_mfcs[hash]);
		return (EADDRNOTAVAIL);
	}


	/*
	 * no need to hold lock as we have a reference.
	 */
	ipst->ips_mfcs[hash].mfcb_marks |= MFCB_MARK_CONDEMNED;
	/* error checking */
	if (rt->mfc_timeout_id != 0) {
		ip0dbg(("del_mfc: TIMEOUT NOT 0, rte not null"));
		/*
		 * Its ok to drop the lock,  the struct cannot be freed
		 * since we have a ref on the hash bucket.
		 */
		rt->mfc_timeout_id = 0;
		mutex_exit(&rt->mfc_mutex);
		(void) untimeout(rt->mfc_timeout_id);
		mutex_enter(&rt->mfc_mutex);
	}

	ASSERT(rt->mfc_rte == NULL);


	/*
	 * Delete the entry from the cache
	 */
	rt->mfc_marks |= MFCB_MARK_CONDEMNED;
	mutex_exit(&rt->mfc_mutex);

	MFCB_REFRELE(&ipst->ips_mfcs[hash]);

	return (0);
}

#define	TUNNEL_LEN  12  /* # bytes of IP option for tunnel encapsulation  */

/*
 * IP multicast forwarding function. This function assumes that the packet
 * pointed to by ipha has arrived on (or is about to be sent to) the interface
 * pointed to by "ill", and the packet is to be relayed to other networks
 * that have members of the packet's destination IP multicast group.
 *
 * The packet is returned unscathed to the caller, unless it is
 * erroneous, in which case a -1 value tells the caller (IP)
 * to discard it.
 *
 * Unlike BSD, SunOS 5.x needs to return to IP info about
 * whether pkt came in thru a tunnel, so it can be discarded, unless
 * it's IGMP. In BSD, the ifp is bogus for tunnels, so pkt won't try
 * to be delivered.
 * Return values are 0 - pkt is okay and phyint
 *		    -1 - pkt is malformed and to be tossed
 *                   1 - pkt came in on tunnel
 */
int
ip_mforward(mblk_t *mp, ip_recv_attr_t *ira)
{
	ipha_t		*ipha = (ipha_t *)mp->b_rptr;
	ill_t		*ill = ira->ira_ill;
	struct mfc 	*rt;
	ipaddr_t	src, dst, tunnel_src = 0;
	static int	srctun = 0;
	vifi_t		vifi;
	boolean_t	pim_reg_packet = B_FALSE;
	struct mfcb	*mfcbp;
	ip_stack_t	*ipst = ill->ill_ipst;
	conn_t		*mrouter = ipst->ips_ip_g_mrouter;
	ill_t		*rill = ira->ira_rill;

	ASSERT(ira->ira_pktlen == msgdsize(mp));

	if (ipst->ips_ip_mrtdebug > 1) {
		(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
		    "ip_mforward: RECV ipha_src %x, ipha_dst %x, ill %s",
		    ntohl(ipha->ipha_src), ntohl(ipha->ipha_dst),
		    ill->ill_name);
	}

	dst = ipha->ipha_dst;
	if (ira->ira_flags & IRAF_PIM_REGISTER)
		pim_reg_packet = B_TRUE;
	else if (ira->ira_flags & IRAF_MROUTE_TUNNEL_SET)
		tunnel_src = ira->ira_mroute_tunnel;

	/*
	 * Don't forward a packet with time-to-live of zero or one,
	 * or a packet destined to a local-only group.
	 */
	if (CLASSD(dst) && (ipha->ipha_ttl <= 1 ||
	    (ipaddr_t)ntohl(dst) <= INADDR_MAX_LOCAL_GROUP)) {
		if (ipst->ips_ip_mrtdebug > 1) {
			(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
			    "ip_mforward: not forwarded ttl %d,"
			    " dst 0x%x ill %s",
			    ipha->ipha_ttl, ntohl(dst), ill->ill_name);
		}
		if (tunnel_src != 0)
			return (1);
		else
			return (0);
	}

	if ((tunnel_src != 0) || pim_reg_packet) {
		/*
		 * Packet arrived over an encapsulated tunnel or via a PIM
		 * register message.
		 */
		if (ipst->ips_ip_mrtdebug > 1) {
			if (tunnel_src != 0) {
				(void) mi_strlog(mrouter->conn_rq, 1,
				    SL_TRACE,
				    "ip_mforward: ill %s arrived via ENCAP TUN",
				    ill->ill_name);
			} else if (pim_reg_packet) {
				(void) mi_strlog(mrouter->conn_rq, 1,
				    SL_TRACE,
				    "ip_mforward: ill %s arrived via"
				    "  REGISTER VIF",
				    ill->ill_name);
			}
		}
	} else if ((ipha->ipha_version_and_hdr_length & 0xf) <
	    (uint_t)(IP_SIMPLE_HDR_LENGTH + TUNNEL_LEN) >> 2 ||
	    ((uchar_t *)(ipha + 1))[1] != IPOPT_LSRR) {
		/* Packet arrived via a physical interface. */
		if (ipst->ips_ip_mrtdebug > 1) {
			(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
			    "ip_mforward: ill %s arrived via PHYINT",
			    ill->ill_name);
		}

	} else {
		/*
		 * Packet arrived through a SRCRT tunnel.
		 * Source-route tunnels are no longer supported.
		 * Error message printed every 1000 times.
		 */
		if ((srctun++ % 1000) == 0) {
			cmn_err(CE_WARN,
			    "ip_mforward: received source-routed pkt from %x",
			    ntohl(ipha->ipha_src));
		}
		return (-1);
	}

	ipst->ips_mrtstat->mrts_fwd_in++;
	src = ipha->ipha_src;

	/* Find route in cache, return NULL if not there or upcalls q'ed. */

	/*
	 * Lock the mfctable against changes made by ip_mforward.
	 * Note that only add_mfc and del_mfc can remove entries and
	 * they run with exclusive access to IP. So we do not need to
	 * guard against the rt being deleted, so release lock after reading.
	 */

	if (is_mrouter_off(ipst))
		return (-1);

	mfcbp = &ipst->ips_mfcs[MFCHASH(src, dst)];
	MFCB_REFHOLD(mfcbp);
	MFCFIND(mfcbp, src, dst, rt);

	/* Entry exists, so forward if necessary */
	if (rt != NULL) {
		int ret = 0;
		ipst->ips_mrtstat->mrts_mfc_hits++;
		if (pim_reg_packet) {
			ASSERT(ipst->ips_reg_vif_num != ALL_VIFS);
			ret = ip_mdq(mp, ipha,
			    ipst->ips_vifs[ipst->ips_reg_vif_num].
			    v_ipif->ipif_ill,
			    0, rt);
		} else {
			ret = ip_mdq(mp, ipha, ill, tunnel_src, rt);
		}

		MFCB_REFRELE(mfcbp);
		return (ret);

		/*
		 * Don't forward if we don't have a cache entry.  Mrouted will
		 * always provide a cache entry in response to an upcall.
		 */
	} else {
		/*
		 * If we don't have a route for packet's origin, make a copy
		 * of the packet and send message to routing daemon.
		 */
		struct mfc	*mfc_rt	 = NULL;
		mblk_t		*mp0	 = NULL;
		mblk_t		*mp_copy = NULL;
		struct rtdetq	*rte	 = NULL;
		struct rtdetq	*rte_m, *rte1, *prev_rte;
		uint_t		hash;
		int		npkts;
		boolean_t	new_mfc = B_FALSE;
		ipst->ips_mrtstat->mrts_mfc_misses++;
		/* BSD uses mrts_no_route++ */
		if (ipst->ips_ip_mrtdebug > 1) {
			(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
			    "ip_mforward: no rte ill %s src %x g %x misses %d",
			    ill->ill_name, ntohl(src), ntohl(dst),
			    (int)ipst->ips_mrtstat->mrts_mfc_misses);
		}
		/*
		 * The order of the following code differs from the BSD code.
		 * Pre-mc3.5, the BSD code was incorrect and SunOS 5.x
		 * code works, so SunOS 5.x wasn't changed to conform to the
		 * BSD version.
		 */

		/* Lock mfctable. */
		hash = MFCHASH(src, dst);
		mutex_enter(&(ipst->ips_mfcs[hash].mfcb_lock));

		/*
		 * If we are turning off mrouted return an error
		 */
		if (is_mrouter_off(ipst)) {
			mutex_exit(&mfcbp->mfcb_lock);
			MFCB_REFRELE(mfcbp);
			return (-1);
		}

		/* Is there an upcall waiting for this packet? */
		for (mfc_rt = ipst->ips_mfcs[hash].mfcb_mfc; mfc_rt;
		    mfc_rt = mfc_rt->mfc_next) {
			mutex_enter(&mfc_rt->mfc_mutex);
			if (ipst->ips_ip_mrtdebug > 1) {
				(void) mi_strlog(mrouter->conn_rq, 1,
				    SL_TRACE,
				    "ip_mforward: MFCTAB hash %d o 0x%x"
				    " g 0x%x\n",
				    hash, ntohl(mfc_rt->mfc_origin.s_addr),
				    ntohl(mfc_rt->mfc_mcastgrp.s_addr));
			}
			/* There is an upcall */
			if ((src == mfc_rt->mfc_origin.s_addr) &&
			    (dst == mfc_rt->mfc_mcastgrp.s_addr) &&
			    (mfc_rt->mfc_rte != NULL) &&
			    !(mfc_rt->mfc_marks & MFCB_MARK_CONDEMNED)) {
				break;
			}
			mutex_exit(&mfc_rt->mfc_mutex);
		}
		/* No upcall, so make a new entry into mfctable */
		if (mfc_rt == NULL) {
			mfc_rt = (struct mfc *)mi_zalloc(sizeof (struct mfc));
			if (mfc_rt == NULL) {
				ipst->ips_mrtstat->mrts_fwd_drop++;
				ip1dbg(("ip_mforward: out of memory "
				    "for mfc, mfc_rt\n"));
				goto error_return;
			} else
				new_mfc = B_TRUE;
			/* Get resources */
			/* TODO could copy header and dup rest */
			mp_copy = copymsg(mp);
			if (mp_copy == NULL) {
				ipst->ips_mrtstat->mrts_fwd_drop++;
				ip1dbg(("ip_mforward: out of memory for "
				    "mblk, mp_copy\n"));
				goto error_return;
			}
			mutex_enter(&mfc_rt->mfc_mutex);
		}
		/* Get resources for rte, whether first rte or not first. */
		/* Add this packet into rtdetq */
		rte = (struct rtdetq *)mi_zalloc(sizeof (struct rtdetq));
		if (rte == NULL) {
			ipst->ips_mrtstat->mrts_fwd_drop++;
			mutex_exit(&mfc_rt->mfc_mutex);
			ip1dbg(("ip_mforward: out of memory for"
			    " rtdetq, rte\n"));
			goto error_return;
		}

		mp0 = copymsg(mp);
		if (mp0 == NULL) {
			ipst->ips_mrtstat->mrts_fwd_drop++;
			ip1dbg(("ip_mforward: out of memory for mblk, mp0\n"));
			mutex_exit(&mfc_rt->mfc_mutex);
			goto error_return;
		}
		rte->mp		= mp0;
		if (pim_reg_packet) {
			ASSERT(ipst->ips_reg_vif_num != ALL_VIFS);
			rte->ill =
			    ipst->ips_vifs[ipst->ips_reg_vif_num].
			    v_ipif->ipif_ill;
		} else {
			rte->ill = ill;
		}
		rte->rte_next	= NULL;

		/*
		 * Determine if upcall q (rtdetq) has overflowed.
		 * mfc_rt->mfc_rte is null by mi_zalloc
		 * if it is the first message.
		 */
		for (rte_m = mfc_rt->mfc_rte, npkts = 0; rte_m;
		    rte_m = rte_m->rte_next)
			npkts++;
		if (ipst->ips_ip_mrtdebug > 1) {
			(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
			    "ip_mforward: upcalls %d\n", npkts);
		}
		if (npkts > MAX_UPQ) {
			ipst->ips_mrtstat->mrts_upq_ovflw++;
			mutex_exit(&mfc_rt->mfc_mutex);
			goto error_return;
		}

		if (npkts == 0) {	/* first upcall */
			int i = 0;
			/*
			 * Now finish installing the new mfc! Now that we have
			 * resources!  Insert new entry at head of hash chain.
			 * Use src and dst which are ipaddr_t's.
			 */
			mfc_rt->mfc_origin.s_addr = src;
			mfc_rt->mfc_mcastgrp.s_addr = dst;

			mutex_enter(&ipst->ips_numvifs_mutex);
			for (i = 0; i < (int)ipst->ips_numvifs; i++)
				mfc_rt->mfc_ttls[i] = 0;
			mutex_exit(&ipst->ips_numvifs_mutex);
			mfc_rt->mfc_parent = ALL_VIFS;

			/* Link into table */
			if (ipst->ips_ip_mrtdebug > 1) {
				(void) mi_strlog(mrouter->conn_rq, 1,
				    SL_TRACE,
				    "ip_mforward: NEW MFCTAB hash %d o 0x%x "
				    "g 0x%x\n", hash,
				    ntohl(mfc_rt->mfc_origin.s_addr),
				    ntohl(mfc_rt->mfc_mcastgrp.s_addr));
			}
			mfc_rt->mfc_next = ipst->ips_mfcs[hash].mfcb_mfc;
			ipst->ips_mfcs[hash].mfcb_mfc = mfc_rt;
			mfc_rt->mfc_rte = NULL;
		}

		/* Link in the upcall */
		/* First upcall */
		if (mfc_rt->mfc_rte == NULL)
			mfc_rt->mfc_rte = rte;
		else {
			/* not the first upcall */
			prev_rte = mfc_rt->mfc_rte;
			for (rte1 = mfc_rt->mfc_rte->rte_next; rte1;
			    prev_rte = rte1, rte1 = rte1->rte_next)
				;
			prev_rte->rte_next = rte;
		}

		/*
		 * No upcalls waiting, this is first one, so send a message to
		 * routing daemon to install a route into kernel table.
		 */
		if (npkts == 0) {
			struct igmpmsg	*im;
			/* ipha_protocol is 0, for upcall */
			ASSERT(mp_copy != NULL);
			im = (struct igmpmsg *)mp_copy->b_rptr;
			im->im_msgtype	= IGMPMSG_NOCACHE;
			im->im_mbz = 0;
			mutex_enter(&ipst->ips_numvifs_mutex);
			if (pim_reg_packet) {
				im->im_vif = (uchar_t)ipst->ips_reg_vif_num;
				mutex_exit(&ipst->ips_numvifs_mutex);
			} else {
				/*
				 * XXX do we need to hold locks here ?
				 */
				for (vifi = 0;
				    vifi < ipst->ips_numvifs;
				    vifi++) {
					if (ipst->ips_vifs[vifi].v_ipif == NULL)
						continue;
					if (ipst->ips_vifs[vifi].
					    v_ipif->ipif_ill == ill) {
						im->im_vif = (uchar_t)vifi;
						break;
					}
				}
				mutex_exit(&ipst->ips_numvifs_mutex);
				ASSERT(vifi < ipst->ips_numvifs);
			}

			ipst->ips_mrtstat->mrts_upcalls++;
			/* Timer to discard upcalls if mrouted is too slow */
			mfc_rt->mfc_timeout_id = timeout(expire_upcalls,
			    mfc_rt, EXPIRE_TIMEOUT * UPCALL_EXPIRE);
			mutex_exit(&mfc_rt->mfc_mutex);
			mutex_exit(&(ipst->ips_mfcs[hash].mfcb_lock));
			/* Pass to RAWIP */
			ira->ira_ill = ira->ira_rill = NULL;
			(mrouter->conn_recv)(mrouter, mp_copy, NULL, ira);
			ira->ira_ill = ill;
			ira->ira_rill = rill;
		} else {
			mutex_exit(&mfc_rt->mfc_mutex);
			mutex_exit(&(ipst->ips_mfcs[hash].mfcb_lock));
			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
			ip_drop_input("ip_mforward - upcall already waiting",
			    mp_copy, ill);
			freemsg(mp_copy);
		}

		MFCB_REFRELE(mfcbp);
		if (tunnel_src != 0)
			return (1);
		else
			return (0);
	error_return:
		mutex_exit(&(ipst->ips_mfcs[hash].mfcb_lock));
		MFCB_REFRELE(mfcbp);
		if (mfc_rt != NULL && (new_mfc == B_TRUE))
			mi_free((char *)mfc_rt);
		if (rte != NULL)
			mi_free((char *)rte);
		if (mp_copy != NULL) {
			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
			ip_drop_input("ip_mforward error", mp_copy, ill);
			freemsg(mp_copy);
		}
		if (mp0 != NULL)
			freemsg(mp0);
		return (-1);
	}
}

/*
 * Clean up the mfctable cache entry if upcall is not serviced.
 * SunOS 5.x has timeout per mfc, unlike BSD which has one timer.
 */
static void
expire_upcalls(void *arg)
{
	struct mfc *mfc_rt = arg;
	uint_t hash;
	struct mfc *prev_mfc, *mfc0;
	ip_stack_t	*ipst;
	conn_t		*mrouter;

	if (mfc_rt->mfc_rte == NULL || mfc_rt->mfc_rte->ill != NULL) {
		cmn_err(CE_WARN, "expire_upcalls: no ILL\n");
		return;
	}
	ipst = mfc_rt->mfc_rte->ill->ill_ipst;
	mrouter = ipst->ips_ip_g_mrouter;

	hash = MFCHASH(mfc_rt->mfc_origin.s_addr, mfc_rt->mfc_mcastgrp.s_addr);
	if (ipst->ips_ip_mrtdebug > 1) {
		(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
		    "expire_upcalls: hash %d s %x g %x",
		    hash, ntohl(mfc_rt->mfc_origin.s_addr),
		    ntohl(mfc_rt->mfc_mcastgrp.s_addr));
	}
	MFCB_REFHOLD(&ipst->ips_mfcs[hash]);
	mutex_enter(&mfc_rt->mfc_mutex);
	/*
	 * if timeout has been set to zero, than the
	 * entry has been filled, no need to delete it.
	 */
	if (mfc_rt->mfc_timeout_id == 0)
		goto done;
	ipst->ips_mrtstat->mrts_cache_cleanups++;
	mfc_rt->mfc_timeout_id = 0;

	/* Determine entry to be cleaned up in cache table. */
	for (prev_mfc = mfc0 = ipst->ips_mfcs[hash].mfcb_mfc; mfc0;
	    prev_mfc = mfc0, mfc0 = mfc0->mfc_next)
		if (mfc0 == mfc_rt)
			break;

	/* del_mfc takes care of gone mfcs */
	ASSERT(prev_mfc != NULL);
	ASSERT(mfc0 != NULL);

	/*
	 * Delete the entry from the cache
	 */
	ipst->ips_mfcs[hash].mfcb_marks |= MFCB_MARK_CONDEMNED;
	mfc_rt->mfc_marks |= MFCB_MARK_CONDEMNED;

	/*
	 * release_mfc will drop all queued upcall packets.
	 * and will free the mbuf with the pkt, if, timing info.
	 */
done:
	mutex_exit(&mfc_rt->mfc_mutex);
	MFCB_REFRELE(&ipst->ips_mfcs[hash]);
}

/*
 * Packet forwarding routine once entry in the cache is made.
 */
static int
ip_mdq(mblk_t *mp, ipha_t *ipha, ill_t *ill, ipaddr_t tunnel_src,
    struct mfc *rt)
{
	vifi_t vifi;
	struct vif *vifp;
	ipaddr_t dst = ipha->ipha_dst;
	size_t  plen = msgdsize(mp);
	vifi_t num_of_vifs;
	ip_stack_t	*ipst = ill->ill_ipst;
	conn_t		*mrouter = ipst->ips_ip_g_mrouter;
	ip_recv_attr_t	iras;

	if (ipst->ips_ip_mrtdebug > 1) {
		(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
		    "ip_mdq: SEND src %x, ipha_dst %x, ill %s",
		    ntohl(ipha->ipha_src), ntohl(ipha->ipha_dst),
		    ill->ill_name);
	}

	/* Macro to send packet on vif */
#define	MC_SEND(ipha, mp, vifp, dst) { \
	if ((vifp)->v_flags & VIFF_TUNNEL) \
		encap_send((ipha), (mp), (vifp), (dst)); \
	else if ((vifp)->v_flags & VIFF_REGISTER) \
		register_send((ipha), (mp), (vifp), (dst)); \
	else \
		phyint_send((ipha), (mp), (vifp), (dst)); \
}

	vifi = rt->mfc_parent;

	/*
	 * The value of vifi is MAXVIFS if the pkt had no parent, i.e.,
	 * Mrouted had no route.
	 * We wanted the route installed in the mfctable to prevent multiple
	 * tries, so it passed add_mfc(), but is discarded here. The v_ipif is
	 * NULL so we don't want to check the ill. Still needed as of Mrouted
	 * 3.6.
	 */
	if (vifi == NO_VIF) {
		ip1dbg(("ip_mdq: no route for origin ill %s, vifi is NO_VIF\n",
		    ill->ill_name));
		if (ipst->ips_ip_mrtdebug > 1) {
			(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
			    "ip_mdq: vifi is NO_VIF ill = %s", ill->ill_name);
		}
		return (-1);	/* drop pkt */
	}

	if (!lock_good_vif(&ipst->ips_vifs[vifi]))
		return (-1);
	/*
	 * The MFC entries are not cleaned up when an ipif goes
	 * away thus this code has to guard against an MFC referencing
	 * an ipif that has been closed. Note: reset_mrt_vif_ipif
	 * sets the v_ipif to NULL when the ipif disappears.
	 */
	ASSERT(ipst->ips_vifs[vifi].v_ipif != NULL);

	if (vifi >= ipst->ips_numvifs) {
		cmn_err(CE_WARN, "ip_mdq: illegal vifi %d numvifs "
		    "%d ill %s viftable ill %s\n",
		    (int)vifi, (int)ipst->ips_numvifs, ill->ill_name,
		    ipst->ips_vifs[vifi].v_ipif->ipif_ill->ill_name);
		unlock_good_vif(&ipst->ips_vifs[vifi]);
		return (-1);
	}
	/*
	 * Don't forward if it didn't arrive from the parent vif for its
	 * origin.
	 */
	if ((ipst->ips_vifs[vifi].v_ipif->ipif_ill != ill) ||
	    (ipst->ips_vifs[vifi].v_rmt_addr.s_addr != tunnel_src)) {
		/* Came in the wrong interface */
		ip1dbg(("ip_mdq: arrived wrong if, vifi %d "
			"numvifs %d ill %s viftable ill %s\n",
			(int)vifi, (int)ipst->ips_numvifs, ill->ill_name,
			ipst->ips_vifs[vifi].v_ipif->ipif_ill->ill_name));
		if (ipst->ips_ip_mrtdebug > 1) {
			(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
			    "ip_mdq: arrived wrong if, vifi %d ill "
			    "%s viftable ill %s\n",
			    (int)vifi, ill->ill_name,
			    ipst->ips_vifs[vifi].v_ipif->ipif_ill->ill_name);
		}
		ipst->ips_mrtstat->mrts_wrong_if++;
		rt->mfc_wrong_if++;

		/*
		 * If we are doing PIM assert processing and we are forwarding
		 * packets on this interface, and it is a broadcast medium
		 * interface (and not a tunnel), send a message to the routing.
		 *
		 * We use the first ipif on the list, since it's all we have.
		 * Chances are the ipif_flags are the same for ipifs on the ill.
		 */
		if (ipst->ips_pim_assert && rt->mfc_ttls[vifi] > 0 &&
		    (ill->ill_ipif->ipif_flags & IPIF_BROADCAST) &&
		    !(ipst->ips_vifs[vifi].v_flags & VIFF_TUNNEL)) {
			mblk_t		*mp_copy;
			struct igmpmsg	*im;

			/* TODO could copy header and dup rest */
			mp_copy = copymsg(mp);
			if (mp_copy == NULL) {
				ipst->ips_mrtstat->mrts_fwd_drop++;
				ip1dbg(("ip_mdq: out of memory "
				    "for mblk, mp_copy\n"));
				unlock_good_vif(&ipst->ips_vifs[vifi]);
				return (-1);
			}

			im = (struct igmpmsg *)mp_copy->b_rptr;
			im->im_msgtype = IGMPMSG_WRONGVIF;
			im->im_mbz = 0;
			im->im_vif = (ushort_t)vifi;
			/* Pass to RAWIP */

			bzero(&iras, sizeof (iras));
			iras.ira_flags = IRAF_IS_IPV4;
			iras.ira_ip_hdr_length =
			    IPH_HDR_LENGTH(mp_copy->b_rptr);
			iras.ira_pktlen = msgdsize(mp_copy);
			(mrouter->conn_recv)(mrouter, mp_copy, NULL, &iras);
			ASSERT(!(iras.ira_flags & IRAF_IPSEC_SECURE));
		}
		unlock_good_vif(&ipst->ips_vifs[vifi]);
		if (tunnel_src != 0)
			return (1);
		else
			return (0);
	}
	/*
	 * If I sourced this packet, it counts as output, else it was input.
	 */
	if (ipha->ipha_src == ipst->ips_vifs[vifi].v_lcl_addr.s_addr) {
		ipst->ips_vifs[vifi].v_pkt_out++;
		ipst->ips_vifs[vifi].v_bytes_out += plen;
	} else {
		ipst->ips_vifs[vifi].v_pkt_in++;
		ipst->ips_vifs[vifi].v_bytes_in += plen;
	}
	mutex_enter(&rt->mfc_mutex);
	rt->mfc_pkt_cnt++;
	rt->mfc_byte_cnt += plen;
	mutex_exit(&rt->mfc_mutex);
	unlock_good_vif(&ipst->ips_vifs[vifi]);
	/*
	 * For each vif, decide if a copy of the packet should be forwarded.
	 * Forward if:
	 *		- the vif threshold ttl is non-zero AND
	 *		- the pkt ttl exceeds the vif's threshold
	 * A non-zero mfc_ttl indicates that the vif is part of
	 * the output set for the mfc entry.
	 */
	mutex_enter(&ipst->ips_numvifs_mutex);
	num_of_vifs = ipst->ips_numvifs;
	mutex_exit(&ipst->ips_numvifs_mutex);
	for (vifp = ipst->ips_vifs, vifi = 0;
	    vifi < num_of_vifs;
	    vifp++, vifi++) {
		if (!lock_good_vif(vifp))
			continue;
		if ((rt->mfc_ttls[vifi] > 0) &&
		    (ipha->ipha_ttl > rt->mfc_ttls[vifi])) {
			/*
			 * lock_good_vif should not have succedded if
			 * v_ipif is null.
			 */
			ASSERT(vifp->v_ipif != NULL);
			vifp->v_pkt_out++;
			vifp->v_bytes_out += plen;
			MC_SEND(ipha, mp, vifp, dst);
			ipst->ips_mrtstat->mrts_fwd_out++;
		}
		unlock_good_vif(vifp);
	}
	if (tunnel_src != 0)
		return (1);
	else
		return (0);
}

/*
 * Send the packet on physical interface.
 * Caller assumes can continue to use mp on return.
 */
/* ARGSUSED */
static void
phyint_send(ipha_t *ipha, mblk_t *mp, struct vif *vifp, ipaddr_t dst)
{
	mblk_t 	*mp_copy;
	ip_stack_t	*ipst = vifp->v_ipif->ipif_ill->ill_ipst;
	conn_t		*mrouter = ipst->ips_ip_g_mrouter;

	/* Make a new reference to the packet */
	mp_copy = copymsg(mp);	/* TODO could copy header and dup rest */
	if (mp_copy == NULL) {
		ipst->ips_mrtstat->mrts_fwd_drop++;
		ip1dbg(("phyint_send: out of memory for mblk, mp_copy\n"));
		return;
	}
	if (vifp->v_rate_limit <= 0)
		tbf_send_packet(vifp, mp_copy);
	else  {
		if (ipst->ips_ip_mrtdebug > 1) {
			(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
			    "phyint_send: tbf_contr rate %d "
			    "vifp 0x%p mp 0x%p dst 0x%x",
			    vifp->v_rate_limit, (void *)vifp, (void *)mp, dst);
		}
		tbf_control(vifp, mp_copy, (ipha_t *)mp_copy->b_rptr);
	}
}

/*
 * Send the whole packet for REGISTER encapsulation to PIM daemon
 * Caller assumes it can continue to use mp on return.
 */
/* ARGSUSED */
static void
register_send(ipha_t *ipha, mblk_t *mp, struct vif *vifp, ipaddr_t dst)
{
	struct igmpmsg	*im;
	mblk_t		*mp_copy;
	ipha_t		*ipha_copy;
	ill_t		*ill = vifp->v_ipif->ipif_ill;
	ip_stack_t	*ipst = ill->ill_ipst;
	conn_t		*mrouter = ipst->ips_ip_g_mrouter;
	ip_recv_attr_t	iras;

	if (ipst->ips_ip_mrtdebug > 1) {
		(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
		    "register_send: src %x, dst %x\n",
		    ntohl(ipha->ipha_src), ntohl(ipha->ipha_dst));
	}

	/*
	 * Copy the old packet & pullup its IP header into the new mblk_t so we
	 * can modify it.  Try to fill the new mblk_t since if we don't the
	 * ethernet driver will.
	 */
	mp_copy = allocb(sizeof (struct igmpmsg) + sizeof (ipha_t), BPRI_MED);
	if (mp_copy == NULL) {
		++ipst->ips_mrtstat->mrts_pim_nomemory;
		if (ipst->ips_ip_mrtdebug > 3) {
			(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
			    "register_send: allocb failure.");
		}
		return;
	}

	/*
	 * Bump write pointer to account for igmpmsg being added.
	 */
	mp_copy->b_wptr = mp_copy->b_rptr + sizeof (struct igmpmsg);

	/*
	 * Chain packet to new mblk_t.
	 */
	if ((mp_copy->b_cont = copymsg(mp)) == NULL) {
		++ipst->ips_mrtstat->mrts_pim_nomemory;
		if (ipst->ips_ip_mrtdebug > 3) {
			(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
			    "register_send: copymsg failure.");
		}
		freeb(mp_copy);
		return;
	}

	/*
	 * icmp_input() asserts that IP version field is set to an
	 * appropriate version. Hence, the struct igmpmsg that this really
	 * becomes, needs to have the correct IP version field.
	 */
	ipha_copy = (ipha_t *)mp_copy->b_rptr;
	*ipha_copy = multicast_encap_iphdr;

	/*
	 * The kernel uses the struct igmpmsg header to encode the messages to
	 * the multicast routing daemon. Fill in the fields in the header
	 * starting with the message type which is IGMPMSG_WHOLEPKT
	 */
	im = (struct igmpmsg *)mp_copy->b_rptr;
	im->im_msgtype = IGMPMSG_WHOLEPKT;
	im->im_src.s_addr = ipha->ipha_src;
	im->im_dst.s_addr = ipha->ipha_dst;

	/*
	 * Must Be Zero. This is because the struct igmpmsg is really an IP
	 * header with renamed fields and the multicast routing daemon uses
	 * an ipha_protocol (aka im_mbz) of 0 to distinguish these messages.
	 */
	im->im_mbz = 0;

	++ipst->ips_mrtstat->mrts_upcalls;
	if (IPCL_IS_NONSTR(mrouter) ? mrouter->conn_flow_cntrld :
	    !canputnext(mrouter->conn_rq)) {
		++ipst->ips_mrtstat->mrts_pim_regsend_drops;
		if (ipst->ips_ip_mrtdebug > 3) {
			(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
			    "register_send: register upcall failure.");
		}
		BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
		ip_drop_input("mrts_pim_regsend_drops", mp_copy, ill);
		freemsg(mp_copy);
	} else {
		/* Pass to RAWIP */
		bzero(&iras, sizeof (iras));
		iras.ira_flags = IRAF_IS_IPV4;
		iras.ira_ip_hdr_length = sizeof (ipha_t);
		iras.ira_pktlen = msgdsize(mp_copy);
		(mrouter->conn_recv)(mrouter, mp_copy, NULL, &iras);
		ASSERT(!(iras.ira_flags & IRAF_IPSEC_SECURE));
	}
}

/*
 * pim_validate_cksum handles verification of the checksum in the
 * pim header.  For PIM Register packets, the checksum is calculated
 * across the PIM header only.  For all other packets, the checksum
 * is for the PIM header and remainder of the packet.
 *
 * returns: B_TRUE, if checksum is okay.
 *          B_FALSE, if checksum is not valid.
 */
static boolean_t
pim_validate_cksum(mblk_t *mp, ipha_t *ip, struct pim *pimp)
{
	mblk_t *mp_dup;

	if ((mp_dup = dupmsg(mp)) == NULL)
		return (B_FALSE);

	mp_dup->b_rptr += IPH_HDR_LENGTH(ip);
	if (pimp->pim_type == PIM_REGISTER)
		mp_dup->b_wptr = mp_dup->b_rptr + PIM_MINLEN;
	if (IP_CSUM(mp_dup, 0, 0)) {
		freemsg(mp_dup);
		return (B_FALSE);
	}
	freemsg(mp_dup);
	return (B_TRUE);
}

/*
 * Process PIM protocol packets i.e. IP Protocol 103.
 * Register messages are decapsulated and sent onto multicast forwarding.
 *
 * Return NULL for a bad packet that is discarded here.
 * Return mp if the message is OK and should be handed to "raw" receivers.
 * Callers of pim_input() may need to reinitialize variables that were copied
 * from the mblk as this calls pullupmsg().
 */
mblk_t *
pim_input(mblk_t *mp, ip_recv_attr_t *ira)
{
	ipha_t		*eip, *ip;
	int		iplen, pimlen, iphlen;
	struct pim	*pimp;	/* pointer to a pim struct */
	uint32_t	*reghdr;
	ill_t		*ill = ira->ira_ill;
	ip_stack_t	*ipst = ill->ill_ipst;
	conn_t		*mrouter = ipst->ips_ip_g_mrouter;

	/*
	 * Pullup the msg for PIM protocol processing.
	 */
	if (pullupmsg(mp, -1) == 0) {
		++ipst->ips_mrtstat->mrts_pim_nomemory;
		BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
		ip_drop_input("mrts_pim_nomemory", mp, ill);
		freemsg(mp);
		return (NULL);
	}

	ip = (ipha_t *)mp->b_rptr;
	iplen = ip->ipha_length;
	iphlen = IPH_HDR_LENGTH(ip);
	pimlen = ntohs(iplen) - iphlen;

	/*
	 * Validate lengths
	 */
	if (pimlen < PIM_MINLEN) {
		++ipst->ips_mrtstat->mrts_pim_malformed;
		if (ipst->ips_ip_mrtdebug > 1) {
			(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
			    "pim_input: length not at least minlen");
		}
		BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
		ip_drop_input("mrts_pim_malformed", mp, ill);
		freemsg(mp);
		return (NULL);
	}

	/*
	 * Point to the PIM header.
	 */
	pimp = (struct pim *)((caddr_t)ip + iphlen);

	/*
	 * Check the version number.
	 */
	if (pimp->pim_vers != PIM_VERSION) {
		++ipst->ips_mrtstat->mrts_pim_badversion;
		if (ipst->ips_ip_mrtdebug > 1) {
			(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
			    "pim_input: unknown version of PIM");
		}
		BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
		ip_drop_input("mrts_pim_badversion", mp, ill);
		freemsg(mp);
		return (NULL);
	}

	/*
	 * Validate the checksum
	 */
	if (!pim_validate_cksum(mp, ip, pimp)) {
		++ipst->ips_mrtstat->mrts_pim_rcv_badcsum;
		if (ipst->ips_ip_mrtdebug > 1) {
			(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
			    "pim_input: invalid checksum");
		}
		BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
		ip_drop_input("pim_rcv_badcsum", mp, ill);
		freemsg(mp);
		return (NULL);
	}

	if (pimp->pim_type != PIM_REGISTER)
		return (mp);

	reghdr = (uint32_t *)(pimp + 1);
	eip = (ipha_t *)(reghdr + 1);

	/*
	 * check if the inner packet is destined to mcast group
	 */
	if (!CLASSD(eip->ipha_dst)) {
		++ipst->ips_mrtstat->mrts_pim_badregisters;
		if (ipst->ips_ip_mrtdebug > 1) {
			(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
			    "pim_input: Inner pkt not mcast .. !");
		}
		BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
		ip_drop_input("mrts_pim_badregisters", mp, ill);
		freemsg(mp);
		return (NULL);
	}
	if (ipst->ips_ip_mrtdebug > 1) {
		(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
		    "register from %x, to %x, len %d",
		    ntohl(eip->ipha_src),
		    ntohl(eip->ipha_dst),
		    ntohs(eip->ipha_length));
	}
	/*
	 * If the null register bit is not set, decapsulate
	 * the packet before forwarding it.
	 * Avoid this in no register vif
	 */
	if (!(ntohl(*reghdr) & PIM_NULL_REGISTER) &&
	    ipst->ips_reg_vif_num != ALL_VIFS) {
		mblk_t *mp_copy;
		uint_t saved_pktlen;

		/* Copy the message */
		if ((mp_copy = copymsg(mp)) == NULL) {
			++ipst->ips_mrtstat->mrts_pim_nomemory;
			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
			ip_drop_input("mrts_pim_nomemory", mp, ill);
			freemsg(mp);
			return (NULL);
		}

		/*
		 * Decapsulate the packet and give it to
		 * register_mforward.
		 */
		mp_copy->b_rptr += iphlen + sizeof (pim_t) + sizeof (*reghdr);
		saved_pktlen = ira->ira_pktlen;
		ira->ira_pktlen -= iphlen + sizeof (pim_t) + sizeof (*reghdr);
		if (register_mforward(mp_copy, ira) != 0) {
			/* register_mforward already called ip_drop_input */
			freemsg(mp);
			ira->ira_pktlen = saved_pktlen;
			return (NULL);
		}
		ira->ira_pktlen = saved_pktlen;
	}

	/*
	 * Pass all valid PIM packets up to any process(es) listening on a raw
	 * PIM socket. For Solaris it is done right after pim_input() is
	 * called.
	 */
	return (mp);
}

/*
 * PIM sparse mode hook.  Called by pim_input after decapsulating
 * the packet. Loop back the packet, as if we have received it.
 * In pim_input() we have to check if the destination is a multicast address.
 */
static int
register_mforward(mblk_t *mp, ip_recv_attr_t *ira)
{
	ire_t		*ire;
	ipha_t		*ipha = (ipha_t *)mp->b_rptr;
	ill_t		*ill = ira->ira_ill;
	ip_stack_t	*ipst = ill->ill_ipst;
	conn_t		*mrouter = ipst->ips_ip_g_mrouter;

	ASSERT(ipst->ips_reg_vif_num <= ipst->ips_numvifs);

	if (ipst->ips_ip_mrtdebug > 3) {
		(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
		    "register_mforward: src %x, dst %x\n",
		    ntohl(ipha->ipha_src), ntohl(ipha->ipha_dst));
	}
	/*
	 * Need to pass in to ip_mforward() the information that the
	 * packet has arrived on the register_vif. We mark it with
	 * the IRAF_PIM_REGISTER attribute.
	 * pim_input verified that the (inner) destination is multicast,
	 * hence we skip the generic code in ip_input.
	 */
	ira->ira_flags |= IRAF_PIM_REGISTER;
	++ipst->ips_mrtstat->mrts_pim_regforwards;

	if (!CLASSD(ipha->ipha_dst)) {
		ire = ire_route_recursive_v4(ipha->ipha_dst, 0, NULL, ALL_ZONES,
		    ira->ira_tsl, MATCH_IRE_SECATTR, IRR_ALLOCATE, 0, ipst,
		    NULL, NULL, NULL);
	} else {
		ire = ire_multicast(ill);
	}
	ASSERT(ire != NULL);
	/* Normally this will return the IRE_MULTICAST */
	if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
		BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
		ip_drop_input("mrts_pim RTF_REJECT", mp, ill);
		freemsg(mp);
		ire_refrele(ire);
		return (-1);
	}
	ASSERT(ire->ire_type & IRE_MULTICAST);
	(*ire->ire_recvfn)(ire, mp, ipha, ira);
	ire_refrele(ire);

	return (0);
}

/*
 * Send an encapsulated packet.
 * Caller assumes can continue to use mp when routine returns.
 */
/* ARGSUSED */
static void
encap_send(ipha_t *ipha, mblk_t *mp, struct vif *vifp, ipaddr_t dst)
{
	mblk_t 	*mp_copy;
	ipha_t 	*ipha_copy;
	size_t	len;
	ip_stack_t	*ipst = vifp->v_ipif->ipif_ill->ill_ipst;
	conn_t		*mrouter = ipst->ips_ip_g_mrouter;

	if (ipst->ips_ip_mrtdebug > 1) {
		(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
		    "encap_send: vif %ld enter",
		    (ptrdiff_t)(vifp - ipst->ips_vifs));
	}
	len = ntohs(ipha->ipha_length);

	/*
	 * Copy the old packet & pullup it's IP header into the
	 * new mbuf so we can modify it.  Try to fill the new
	 * mbuf since if we don't the ethernet driver will.
	 */
	mp_copy = allocb(32 + sizeof (multicast_encap_iphdr), BPRI_MED);
	if (mp_copy == NULL)
		return;
	mp_copy->b_rptr += 32;
	mp_copy->b_wptr = mp_copy->b_rptr + sizeof (multicast_encap_iphdr);
	if ((mp_copy->b_cont = copymsg(mp)) == NULL) {
		freeb(mp_copy);
		return;
	}

	/*
	 * Fill in the encapsulating IP header.
	 * Remote tunnel dst in rmt_addr, from add_vif().
	 */
	ipha_copy = (ipha_t *)mp_copy->b_rptr;
	*ipha_copy = multicast_encap_iphdr;
	ASSERT((len + sizeof (ipha_t)) <= IP_MAXPACKET);
	ipha_copy->ipha_length = htons(len + sizeof (ipha_t));
	ipha_copy->ipha_src = vifp->v_lcl_addr.s_addr;
	ipha_copy->ipha_dst = vifp->v_rmt_addr.s_addr;
	ASSERT(ipha_copy->ipha_ident == 0);

	/* Turn the encapsulated IP header back into a valid one. */
	ipha = (ipha_t *)mp_copy->b_cont->b_rptr;
	ipha->ipha_ttl--;
	ipha->ipha_hdr_checksum = 0;
	ipha->ipha_hdr_checksum = ip_csum_hdr(ipha);

	ipha_copy->ipha_ttl = ipha->ipha_ttl;

	if (ipst->ips_ip_mrtdebug > 1) {
		(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
		    "encap_send: group 0x%x", ntohl(ipha->ipha_dst));
	}
	if (vifp->v_rate_limit <= 0)
		tbf_send_packet(vifp, mp_copy);
	else
		/* ipha is from the original header */
		tbf_control(vifp, mp_copy, ipha);
}

/*
 * De-encapsulate a packet and feed it back through IP input if it
 * matches one of our multicast tunnels.
 *
 * This routine is called whenever IP gets a packet with prototype
 * IPPROTO_ENCAP and a local destination address and the packet didn't
 * match one of our configured IP-in-IP tunnels.
 */
void
ip_mroute_decap(mblk_t *mp, ip_recv_attr_t *ira)
{
	ipha_t		*ipha = (ipha_t *)mp->b_rptr;
	ipha_t		*ipha_encap;
	int		hlen = IPH_HDR_LENGTH(ipha);
	int		hlen_encap;
	ipaddr_t	src;
	struct vif	*vifp;
	ire_t		*ire;
	ill_t		*ill = ira->ira_ill;
	ip_stack_t	*ipst = ill->ill_ipst;
	conn_t		*mrouter = ipst->ips_ip_g_mrouter;

	/* Make sure we have all of the inner header */
	ipha_encap = (ipha_t *)((char *)ipha + hlen);
	if (mp->b_wptr - mp->b_rptr < hlen + IP_SIMPLE_HDR_LENGTH) {
		ipha = ip_pullup(mp, hlen + IP_SIMPLE_HDR_LENGTH, ira);
		if (ipha == NULL) {
			ipst->ips_mrtstat->mrts_bad_tunnel++;
			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
			ip_drop_input("ip_mroute_decap: too short", mp, ill);
			freemsg(mp);
			return;
		}
		ipha_encap = (ipha_t *)((char *)ipha + hlen);
	}
	hlen_encap = IPH_HDR_LENGTH(ipha_encap);
	if (mp->b_wptr - mp->b_rptr < hlen + hlen_encap) {
		ipha = ip_pullup(mp, hlen + hlen_encap, ira);
		if (ipha == NULL) {
			ipst->ips_mrtstat->mrts_bad_tunnel++;
			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
			ip_drop_input("ip_mroute_decap: too short", mp, ill);
			freemsg(mp);
			return;
		}
		ipha_encap = (ipha_t *)((char *)ipha + hlen);
	}

	/*
	 * Dump the packet if it's not to a multicast destination or if
	 * we don't have an encapsulating tunnel with the source.
	 * Note:  This code assumes that the remote site IP address
	 * uniquely identifies the tunnel (i.e., that this site has
	 * at most one tunnel with the remote site).
	 */
	if (!CLASSD(ipha_encap->ipha_dst)) {
		ipst->ips_mrtstat->mrts_bad_tunnel++;
		ip1dbg(("ip_mroute_decap: bad tunnel\n"));
		BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
		ip_drop_input("mrts_bad_tunnel", mp, ill);
		freemsg(mp);
		return;
	}
	src = (ipaddr_t)ipha->ipha_src;
	mutex_enter(&ipst->ips_last_encap_lock);
	if (src != ipst->ips_last_encap_src) {
		struct vif *vife;

		vifp = ipst->ips_vifs;
		vife = vifp + ipst->ips_numvifs;
		ipst->ips_last_encap_src = src;
		ipst->ips_last_encap_vif = 0;
		for (; vifp < vife; ++vifp) {
			if (!lock_good_vif(vifp))
				continue;
			if (vifp->v_rmt_addr.s_addr == src) {
				if (vifp->v_flags & VIFF_TUNNEL)
					ipst->ips_last_encap_vif = vifp;
				if (ipst->ips_ip_mrtdebug > 1) {
					(void) mi_strlog(mrouter->conn_rq,
					    1, SL_TRACE,
					    "ip_mroute_decap: good tun "
					    "vif %ld with %x",
					    (ptrdiff_t)(vifp - ipst->ips_vifs),
					    ntohl(src));
				}
				unlock_good_vif(vifp);
				break;
			}
			unlock_good_vif(vifp);
		}
	}
	if ((vifp = ipst->ips_last_encap_vif) == 0) {
		mutex_exit(&ipst->ips_last_encap_lock);
		ipst->ips_mrtstat->mrts_bad_tunnel++;
		BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
		ip_drop_input("mrts_bad_tunnel", mp, ill);
		freemsg(mp);
		ip1dbg(("ip_mroute_decap: vif %ld no tunnel with %x\n",
		    (ptrdiff_t)(vifp - ipst->ips_vifs), ntohl(src)));
		return;
	}
	mutex_exit(&ipst->ips_last_encap_lock);

	/*
	 * Need to pass in the tunnel source to ip_mforward (so that it can
	 * verify that the packet arrived over the correct vif.)
	 */
	ira->ira_flags |= IRAF_MROUTE_TUNNEL_SET;
	ira->ira_mroute_tunnel = src;
	mp->b_rptr += hlen;
	ira->ira_pktlen -= hlen;
	ira->ira_ip_hdr_length = hlen_encap;

	/*
	 * We don't redo any of the filtering in ill_input_full_v4 and we
	 * have checked that all of ipha_encap and any IP options are
	 * pulled up. Hence we call ire_recv_multicast_v4 directly.
	 * However, we have to check for RSVP as in ip_input_full_v4
	 * and if so we pass it to ire_recv_broadcast_v4 for local delivery
	 * to the rsvpd.
	 */
	if (ipha_encap->ipha_protocol == IPPROTO_RSVP &&
	    ipst->ips_ipcl_proto_fanout_v4[IPPROTO_RSVP].connf_head != NULL) {
		ire = ire_route_recursive_v4(INADDR_BROADCAST, 0, ill,
		    ALL_ZONES, ira->ira_tsl, MATCH_IRE_ILL|MATCH_IRE_SECATTR,
		    IRR_ALLOCATE, 0, ipst, NULL, NULL, NULL);
	} else {
		ire = ire_multicast(ill);
	}
	ASSERT(ire != NULL);
	/* Normally this will return the IRE_MULTICAST or IRE_BROADCAST */
	if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
		BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
		ip_drop_input("ip_mroute_decap: RTF_REJECT", mp, ill);
		freemsg(mp);
		ire_refrele(ire);
		return;
	}
	ire->ire_ib_pkt_count++;
	ASSERT(ire->ire_type & (IRE_MULTICAST|IRE_BROADCAST));
	(*ire->ire_recvfn)(ire, mp, ipha_encap, ira);
	ire_refrele(ire);
}

/*
 * Remove all records with v_ipif == ipif.  Called when an interface goes away
 * (stream closed).  Called as writer.
 */
void
reset_mrt_vif_ipif(ipif_t *ipif)
{
	vifi_t vifi, tmp_vifi;
	vifi_t num_of_vifs;
	ip_stack_t	*ipst = ipif->ipif_ill->ill_ipst;

	/* Can't check vifi >= 0 since vifi_t is unsigned! */

	mutex_enter(&ipst->ips_numvifs_mutex);
	num_of_vifs = ipst->ips_numvifs;
	mutex_exit(&ipst->ips_numvifs_mutex);

	for (vifi = num_of_vifs; vifi != 0; vifi--) {
		tmp_vifi = vifi - 1;
		if (ipst->ips_vifs[tmp_vifi].v_ipif == ipif) {
			(void) del_vif(&tmp_vifi, ipst);
		}
	}
}

/* Remove pending upcall msgs when ill goes away.  Called by ill_delete.  */
void
reset_mrt_ill(ill_t *ill)
{
	struct mfc	*rt;
	struct rtdetq	*rte;
	int		i;
	ip_stack_t	*ipst = ill->ill_ipst;
	conn_t		*mrouter = ipst->ips_ip_g_mrouter;
	timeout_id_t	id;

	for (i = 0; i < MFCTBLSIZ; i++) {
		MFCB_REFHOLD(&ipst->ips_mfcs[i]);
		if ((rt = ipst->ips_mfcs[i].mfcb_mfc) != NULL) {
			if (ipst->ips_ip_mrtdebug > 1) {
				(void) mi_strlog(mrouter->conn_rq, 1,
				    SL_TRACE,
				    "reset_mrt_ill: mfctable [%d]", i);
			}
			while (rt != NULL) {
				mutex_enter(&rt->mfc_mutex);
				while ((rte = rt->mfc_rte) != NULL) {
					if (rte->ill == ill &&
					    (id = rt->mfc_timeout_id) != 0) {
						/*
						 * Its ok to drop the lock,  the
						 * struct cannot be freed since
						 * we have a ref on the hash
						 * bucket.
						 */
						mutex_exit(&rt->mfc_mutex);
						(void) untimeout(id);
						mutex_enter(&rt->mfc_mutex);
					}
					if (rte->ill == ill) {
						if (ipst->ips_ip_mrtdebug > 1) {
						(void) mi_strlog(
						    mrouter->conn_rq,
						    1, SL_TRACE,
						    "reset_mrt_ill: "
						    "ill 0x%p", (void *)ill);
						}
						rt->mfc_rte = rte->rte_next;
						freemsg(rte->mp);
						mi_free((char *)rte);
					}
				}
				mutex_exit(&rt->mfc_mutex);
				rt = rt->mfc_next;
			}
		}
		MFCB_REFRELE(&ipst->ips_mfcs[i]);
	}
}

/*
 * Token bucket filter module.
 * The ipha is for mcastgrp destination for phyint and encap.
 */
static void
tbf_control(struct vif *vifp, mblk_t *mp, ipha_t *ipha)
{
	size_t 	p_len =  msgdsize(mp);
	struct tbf	*t    = vifp->v_tbf;
	timeout_id_t id = 0;
	ill_t		*ill = vifp->v_ipif->ipif_ill;
	ip_stack_t	*ipst = ill->ill_ipst;
	conn_t		*mrouter = ipst->ips_ip_g_mrouter;

	/* Drop if packet is too large */
	if (p_len > MAX_BKT_SIZE) {
		ipst->ips_mrtstat->mrts_pkt2large++;
		BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
		ip_drop_output("tbf_control - too large", mp, ill);
		freemsg(mp);
		return;
	}
	if (ipst->ips_ip_mrtdebug > 1) {
		(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
		    "tbf_ctrl: SEND vif %ld, qlen %d, ipha_dst 0x%x",
		    (ptrdiff_t)(vifp - ipst->ips_vifs), t->tbf_q_len,
		    ntohl(ipha->ipha_dst));
	}

	mutex_enter(&t->tbf_lock);

	tbf_update_tokens(vifp);

	/*
	 * If there are enough tokens,
	 * and the queue is empty, send this packet out.
	 */
	if (ipst->ips_ip_mrtdebug > 1) {
		(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
		    "tbf_control: vif %ld, TOKENS  %d, pkt len  %lu, qlen  %d",
		    (ptrdiff_t)(vifp - ipst->ips_vifs), t->tbf_n_tok, p_len,
		    t->tbf_q_len);
	}
	/* No packets are queued */
	if (t->tbf_q_len == 0) {
		/* queue empty, send packet if enough tokens */
		if (p_len <= t->tbf_n_tok) {
			t->tbf_n_tok -= p_len;
			mutex_exit(&t->tbf_lock);
			tbf_send_packet(vifp, mp);
			return;
		} else {
			/* Queue packet and timeout till later */
			tbf_queue(vifp, mp);
			ASSERT(vifp->v_timeout_id == 0);
			vifp->v_timeout_id = timeout(tbf_reprocess_q, vifp,
			    TBF_REPROCESS);
		}
	} else if (t->tbf_q_len < t->tbf_max_q_len) {
		/* Finite queue length, so queue pkts and process queue */
		tbf_queue(vifp, mp);
		tbf_process_q(vifp);
	} else {
		/* Check that we have UDP header with IP header */
		size_t hdr_length = IPH_HDR_LENGTH(ipha) +
		    sizeof (struct udphdr);

		if ((mp->b_wptr - mp->b_rptr) < hdr_length) {
			if (!pullupmsg(mp, hdr_length)) {
				BUMP_MIB(ill->ill_ip_mib,
				    ipIfStatsOutDiscards);
				ip_drop_output("tbf_control - pullup", mp, ill);
				freemsg(mp);
				ip1dbg(("tbf_ctl: couldn't pullup udp hdr, "
				    "vif %ld src 0x%x dst 0x%x\n",
				    (ptrdiff_t)(vifp - ipst->ips_vifs),
				    ntohl(ipha->ipha_src),
				    ntohl(ipha->ipha_dst)));
				mutex_exit(&vifp->v_tbf->tbf_lock);
				return;
			} else
				/* Have to reassign ipha after pullupmsg */
				ipha = (ipha_t *)mp->b_rptr;
		}
		/*
		 * Queue length too much,
		 * try to selectively dq, or queue and process
		 */
		if (!tbf_dq_sel(vifp, ipha)) {
			ipst->ips_mrtstat->mrts_q_overflow++;
			BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
			ip_drop_output("mrts_q_overflow", mp, ill);
			freemsg(mp);
		} else {
			tbf_queue(vifp, mp);
			tbf_process_q(vifp);
		}
	}
	if (t->tbf_q_len == 0) {
		id = vifp->v_timeout_id;
		vifp->v_timeout_id = 0;
	}
	mutex_exit(&vifp->v_tbf->tbf_lock);
	if (id != 0)
		(void) untimeout(id);
}

/*
 * Adds a packet to the tbf queue at the interface.
 * The ipha is for mcastgrp destination for phyint and encap.
 */
static void
tbf_queue(struct vif *vifp, mblk_t *mp)
{
	struct tbf	*t = vifp->v_tbf;
	ip_stack_t	*ipst = vifp->v_ipif->ipif_ill->ill_ipst;
	conn_t		*mrouter = ipst->ips_ip_g_mrouter;

	if (ipst->ips_ip_mrtdebug > 1) {
		(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
		    "tbf_queue: vif %ld", (ptrdiff_t)(vifp - ipst->ips_vifs));
	}
	ASSERT(MUTEX_HELD(&t->tbf_lock));

	if (t->tbf_t == NULL) {
		/* Queue was empty */
		t->tbf_q = mp;
	} else {
		/* Insert at tail */
		t->tbf_t->b_next = mp;
	}
	/* set new tail pointer */
	t->tbf_t = mp;

	mp->b_next = mp->b_prev = NULL;

	t->tbf_q_len++;
}

/*
 * Process the queue at the vif interface.
 * Drops the tbf_lock when sending packets.
 *
 * NOTE : The caller should quntimeout if the queue length is 0.
 */
static void
tbf_process_q(struct vif *vifp)
{
	mblk_t	*mp;
	struct tbf	*t = vifp->v_tbf;
	size_t	len;
	ip_stack_t	*ipst = vifp->v_ipif->ipif_ill->ill_ipst;
	conn_t		*mrouter = ipst->ips_ip_g_mrouter;

	if (ipst->ips_ip_mrtdebug > 1) {
		(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
		    "tbf_process_q 1: vif %ld qlen = %d",
		    (ptrdiff_t)(vifp - ipst->ips_vifs), t->tbf_q_len);
	}

	/*
	 * Loop through the queue at the interface and send
	 * as many packets as possible.
	 */
	ASSERT(MUTEX_HELD(&t->tbf_lock));

	while (t->tbf_q_len > 0) {
		mp = t->tbf_q;
		len = (size_t)msgdsize(mp); /* length of ip pkt */

		/* Determine if the packet can be sent */
		if (len <= t->tbf_n_tok) {
			/*
			 * If so, reduce no. of tokens, dequeue the packet,
			 * send the packet.
			 */
			t->tbf_n_tok -= len;

			t->tbf_q = mp->b_next;
			if (--t->tbf_q_len == 0) {
				t->tbf_t = NULL;
			}
			mp->b_next = NULL;
			/* Exit mutex before sending packet, then re-enter */
			mutex_exit(&t->tbf_lock);
			tbf_send_packet(vifp, mp);
			mutex_enter(&t->tbf_lock);
		} else
			break;
	}
}

/* Called at tbf timeout to update tokens, process q and reset timer.  */
static void
tbf_reprocess_q(void *arg)
{
	struct vif *vifp = arg;
	ip_stack_t	*ipst = vifp->v_ipif->ipif_ill->ill_ipst;
	conn_t		*mrouter = ipst->ips_ip_g_mrouter;

	mutex_enter(&vifp->v_tbf->tbf_lock);
	vifp->v_timeout_id = 0;
	tbf_update_tokens(vifp);

	tbf_process_q(vifp);

	if (vifp->v_tbf->tbf_q_len > 0) {
		vifp->v_timeout_id = timeout(tbf_reprocess_q, vifp,
		    TBF_REPROCESS);
	}
	mutex_exit(&vifp->v_tbf->tbf_lock);

	if (ipst->ips_ip_mrtdebug > 1) {
		(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
		    "tbf_reprcess_q: vif %ld timeout id = %p",
		    (ptrdiff_t)(vifp - ipst->ips_vifs), vifp->v_timeout_id);
	}
}

/*
 * Function that will selectively discard a member of the tbf queue,
 * based on the precedence value and the priority.
 *
 * NOTE : The caller should quntimeout if the queue length is 0.
 */
static int
tbf_dq_sel(struct vif *vifp, ipha_t *ipha)
{
	uint_t		p;
	struct tbf		*t = vifp->v_tbf;
	mblk_t		**np;
	mblk_t		*last, *mp;
	ill_t		*ill = vifp->v_ipif->ipif_ill;
	ip_stack_t	*ipst = ill->ill_ipst;
	conn_t		*mrouter = ipst->ips_ip_g_mrouter;

	if (ipst->ips_ip_mrtdebug > 1) {
		(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
		    "dq_sel: vif %ld dst 0x%x",
		    (ptrdiff_t)(vifp - ipst->ips_vifs), ntohl(ipha->ipha_dst));
	}

	ASSERT(MUTEX_HELD(&t->tbf_lock));
	p = priority(vifp, ipha);

	np = &t->tbf_q;
	last = NULL;
	while ((mp = *np) != NULL) {
		if (p > (priority(vifp, (ipha_t *)mp->b_rptr))) {
			*np = mp->b_next;
			/* If removing the last packet, fix the tail pointer */
			if (mp == t->tbf_t)
				t->tbf_t = last;
			mp->b_prev = mp->b_next = NULL;
			BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
			ip_drop_output("tbf_dq_send", mp, ill);
			freemsg(mp);
			/*
			 * It's impossible for the queue to be empty, but
			 * we check anyway.
			 */
			if (--t->tbf_q_len == 0) {
				t->tbf_t = NULL;
			}
			ipst->ips_mrtstat->mrts_drop_sel++;
			return (1);
		}
		np = &mp->b_next;
		last = mp;
	}
	return (0);
}

/* Sends packet, 2 cases - encap tunnel, phyint.  */
static void
tbf_send_packet(struct vif *vifp, mblk_t *mp)
{
	ipif_t		*ipif = vifp->v_ipif;
	ill_t		*ill = ipif->ipif_ill;
	ip_stack_t	*ipst = ill->ill_ipst;
	conn_t		*mrouter = ipst->ips_ip_g_mrouter;
	ipha_t		*ipha;

	ipha = (ipha_t *)mp->b_rptr;
	/* If encap tunnel options */
	if (vifp->v_flags & VIFF_TUNNEL)  {
		ip_xmit_attr_t	ixas;

		if (ipst->ips_ip_mrtdebug > 1) {
			(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
			    "tbf_send_packet: ENCAP tunnel vif %ld",
			    (ptrdiff_t)(vifp - ipst->ips_vifs));
		}
		bzero(&ixas, sizeof (ixas));
		ixas.ixa_flags =
		    IXAF_IS_IPV4 | IXAF_NO_TTL_CHANGE | IXAF_VERIFY_SOURCE;
		ixas.ixa_ipst = ipst;
		ixas.ixa_ifindex = 0;
		ixas.ixa_cred = kcred;
		ixas.ixa_cpid = NOPID;
		ixas.ixa_tsl = NULL;
		ixas.ixa_zoneid = GLOBAL_ZONEID; /* Multicast router in GZ */
		ixas.ixa_pktlen = ntohs(ipha->ipha_length);
		ixas.ixa_ip_hdr_length = IPH_HDR_LENGTH(ipha);

		/*
		 * Feed into ip_output_simple which will set the ident field
		 * and checksum the encapsulating header.
		 * BSD gets the cached route vifp->v_route from ip_output()
		 * to speed up route table lookups. Not necessary in SunOS 5.x.
		 * One could make multicast forwarding faster by putting an
		 * ip_xmit_attr_t in each vif thereby caching the ire/nce.
		 */
		(void) ip_output_simple(mp, &ixas);
		ixa_cleanup(&ixas);
		return;

		/* phyint */
	} else {
		/* Need to loop back to members on the outgoing interface. */
		ipaddr_t	dst;
		ip_recv_attr_t	iras;
		nce_t		*nce;

		bzero(&iras, sizeof (iras));
		iras.ira_flags = IRAF_IS_IPV4;
		iras.ira_ill = iras.ira_rill = ill;
		iras.ira_ruifindex = ill->ill_phyint->phyint_ifindex;
		iras.ira_zoneid = GLOBAL_ZONEID; /* Multicast router in GZ */
		iras.ira_pktlen = ntohs(ipha->ipha_length);
		iras.ira_ip_hdr_length = IPH_HDR_LENGTH(ipha);

		dst = ipha->ipha_dst;
		if (ill_hasmembers_v4(ill, dst)) {
			iras.ira_flags |= IRAF_LOOPBACK_COPY;
		}
		if (ipst->ips_ip_mrtdebug > 1) {
			(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
			    "tbf_send_pkt: phyint forward  vif %ld dst = 0x%x",
			    (ptrdiff_t)(vifp - ipst->ips_vifs), ntohl(dst));
		}
		/*
		 * Find an NCE which matches the nexthop.
		 * For a pt-pt interface we use the other end of the pt-pt
		 * link.
		 */
		if (ipif->ipif_flags & IPIF_POINTOPOINT) {
			dst = ipif->ipif_pp_dst_addr;
			nce = arp_nce_init(ill, dst, ill->ill_net_type);
		} else {
			nce = arp_nce_init(ill, dst, IRE_MULTICAST);
		}
		if (nce == NULL) {
			BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
			ip_drop_output("tbf_send_packet - no nce", mp, ill);
			freemsg(mp);
			return;
		}

		/*
		 * We don't remeber the incoming ill. Thus we
		 * pretend the  packet arrived on the outbound ill. This means
		 * statistics for input errors will be increased on the wrong
		 * ill but that isn't a big deal.
		 */
		ip_forward_xmit_v4(nce, ill, mp, ipha, &iras, ill->ill_mc_mtu,
		    0);
		ASSERT(!(iras.ira_flags & IRAF_IPSEC_SECURE));

		nce_refrele(nce);
	}
}

/*
 * Determine the current time and then the elapsed time (between the last time
 * and time now).  Update the no. of tokens in the bucket.
 */
static void
tbf_update_tokens(struct vif *vifp)
{
	timespec_t	tp;
	hrtime_t	tm;
	struct tbf	*t = vifp->v_tbf;
	ip_stack_t	*ipst = vifp->v_ipif->ipif_ill->ill_ipst;
	conn_t		*mrouter = ipst->ips_ip_g_mrouter;

	ASSERT(MUTEX_HELD(&t->tbf_lock));

	/* Time in secs and nsecs, rate limit in kbits/sec */
	gethrestime(&tp);

	/*LINTED*/
	TV_DELTA(tp, t->tbf_last_pkt_t, tm);

	/*
	 * This formula is actually
	 * "time in seconds" * "bytes/second".  Scaled for nsec.
	 * (tm/1000000000) * (v_rate_limit * 1000 * (1000/1024) /8)
	 *
	 * The (1000/1024) was introduced in add_vif to optimize
	 * this divide into a shift.
	 */
	t->tbf_n_tok += (tm/1000) * vifp->v_rate_limit / 1024 / 8;
	t->tbf_last_pkt_t = tp;

	if (t->tbf_n_tok > MAX_BKT_SIZE)
		t->tbf_n_tok = MAX_BKT_SIZE;
	if (ipst->ips_ip_mrtdebug > 1) {
		(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
		    "tbf_update_tok: tm %lld tok %d vif %ld",
		    tm, t->tbf_n_tok, (ptrdiff_t)(vifp - ipst->ips_vifs));
	}
}

/*
 * Priority currently is based on port nos.
 * Different forwarding mechanisms have different ways
 * of obtaining the port no. Hence, the vif must be
 * given along with the packet itself.
 *
 */
static int
priority(struct vif *vifp, ipha_t *ipha)
{
	int prio;
	ip_stack_t	*ipst = vifp->v_ipif->ipif_ill->ill_ipst;
	conn_t		*mrouter = ipst->ips_ip_g_mrouter;

	/* Temporary hack; may add general packet classifier some day */

	ASSERT(MUTEX_HELD(&vifp->v_tbf->tbf_lock));

	/*
	 * The UDP port space is divided up into four priority ranges:
	 * [0, 16384)	: unclassified - lowest priority
	 * [16384, 32768)	: audio - highest priority
	 * [32768, 49152)	: whiteboard - medium priority
	 * [49152, 65536)	: video - low priority
	 */

	if (ipha->ipha_protocol == IPPROTO_UDP) {
		struct udphdr *udp =
		    (struct udphdr *)((char *)ipha + IPH_HDR_LENGTH(ipha));
		switch (ntohs(udp->uh_dport) & 0xc000) {
		case 0x4000:
			prio = 70;
			break;
		case 0x8000:
			prio = 60;
			break;
		case 0xc000:
			prio = 55;
			break;
		default:
			prio = 50;
			break;
		}
		if (ipst->ips_ip_mrtdebug > 1) {
			(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
			    "priority: port %x prio %d\n",
			    ntohs(udp->uh_dport), prio);
		}
	} else
		prio = 50;  /* default priority */
	return (prio);
}

/*
 * End of token bucket filter modifications
 */



/*
 * Produces data for netstat -M.
 */
int
ip_mroute_stats(mblk_t *mp, ip_stack_t *ipst)
{
	ipst->ips_mrtstat->mrts_vifctlSize = sizeof (struct vifctl);
	ipst->ips_mrtstat->mrts_mfcctlSize = sizeof (struct mfcctl);
	if (!snmp_append_data(mp, (char *)ipst->ips_mrtstat,
		sizeof (struct mrtstat))) {
		ip0dbg(("ip_mroute_stats: failed %ld bytes\n",
		    (size_t)sizeof (struct mrtstat)));
		return (0);
	}
	return (1);
}

/*
 * Sends info for SNMP's MIB.
 */
int
ip_mroute_vif(mblk_t *mp, ip_stack_t *ipst)
{
	struct vifctl 	vi;
	vifi_t		vifi;

	mutex_enter(&ipst->ips_numvifs_mutex);
	for (vifi = 0; vifi < ipst->ips_numvifs; vifi++) {
		if (ipst->ips_vifs[vifi].v_lcl_addr.s_addr == 0)
			continue;
		/*
		 * No locks here, an approximation is fine.
		 */
		vi.vifc_vifi = vifi;
		vi.vifc_flags = ipst->ips_vifs[vifi].v_flags;
		vi.vifc_threshold = ipst->ips_vifs[vifi].v_threshold;
		vi.vifc_rate_limit	= ipst->ips_vifs[vifi].v_rate_limit;
		vi.vifc_lcl_addr	= ipst->ips_vifs[vifi].v_lcl_addr;
		vi.vifc_rmt_addr	= ipst->ips_vifs[vifi].v_rmt_addr;
		vi.vifc_pkt_in		= ipst->ips_vifs[vifi].v_pkt_in;
		vi.vifc_pkt_out		= ipst->ips_vifs[vifi].v_pkt_out;

		if (!snmp_append_data(mp, (char *)&vi, sizeof (vi))) {
			ip0dbg(("ip_mroute_vif: failed %ld bytes\n",
			    (size_t)sizeof (vi)));
			mutex_exit(&ipst->ips_numvifs_mutex);
			return (0);
		}
	}
	mutex_exit(&ipst->ips_numvifs_mutex);
	return (1);
}

/*
 * Called by ip_snmp_get to send up multicast routing table.
 */
int
ip_mroute_mrt(mblk_t *mp, ip_stack_t *ipst)
{
	int			i, j;
	struct mfc		*rt;
	struct mfcctl	mfcc;

	/*
	 * Make sure multicast has not been turned off.
	 */
	if (is_mrouter_off(ipst))
		return (1);

	/* Loop over all hash buckets and their chains */
	for (i = 0; i < MFCTBLSIZ; i++) {
		MFCB_REFHOLD(&ipst->ips_mfcs[i]);
		for (rt = ipst->ips_mfcs[i].mfcb_mfc; rt; rt = rt->mfc_next) {
			mutex_enter(&rt->mfc_mutex);
			if (rt->mfc_rte != NULL ||
			    (rt->mfc_marks & MFCB_MARK_CONDEMNED)) {
				mutex_exit(&rt->mfc_mutex);
				continue;
			}
			mfcc.mfcc_origin = rt->mfc_origin;
			mfcc.mfcc_mcastgrp = rt->mfc_mcastgrp;
			mfcc.mfcc_parent = rt->mfc_parent;
			mfcc.mfcc_pkt_cnt = rt->mfc_pkt_cnt;
			mutex_enter(&ipst->ips_numvifs_mutex);
			for (j = 0; j < (int)ipst->ips_numvifs; j++)
				mfcc.mfcc_ttls[j] = rt->mfc_ttls[j];
			for (j = (int)ipst->ips_numvifs; j < MAXVIFS; j++)
				mfcc.mfcc_ttls[j] = 0;
			mutex_exit(&ipst->ips_numvifs_mutex);

			mutex_exit(&rt->mfc_mutex);
			if (!snmp_append_data(mp, (char *)&mfcc,
			    sizeof (mfcc))) {
				MFCB_REFRELE(&ipst->ips_mfcs[i]);
				ip0dbg(("ip_mroute_mrt: failed %ld bytes\n",
				    (size_t)sizeof (mfcc)));
				return (0);
			}
		}
		MFCB_REFRELE(&ipst->ips_mfcs[i]);
	}
	return (1);
}